Vulnerability Development mailing list archives

Re: development of wordpad exploit


From: core.lists.exploit-dev () CORE-SDI COM (Gerardo Richarte)
Date: Fri, 19 Nov 1999 15:15:10 -0300


"hypoclear - lUSt - (Linux Users Strike Today)" wrote:

In light of the latest Windows vulnerability in WordPad, it would be great if in this forum we could develop an exploit for it. As of now details of the vulnerability are on the net, however no exploit exists yet. This would be an excellent opportunity for all of us who don't really know how to code exploits (yet) to see all the details of developing one. Anyone else like this idea?!?

        I've been playing with this since yesterday. Just today I could make the buffer overflow with EIP pointing to 0x61616161, BUT... (of course, what did you expect?), first things first:

demo:

---------- kk.rtf -----------------------------
{\rtf1\abcdefghijklmnaabbstuvwxyzabcdefghijklmnccddstuvwxyzabcdefghijklmneeffstuvwxyzabcdefghijklmngghhstuvwxyzabcdefghijklmniijjstuvwxyzabcdefghijklmnkkllstuvwxyzabcdefghijklmnmmnnstuvwxyzansi\deff0\deftab720{\fonttbl{\f0\fswiss
MS Sans Serif;}{\f1\froman\fcharset2 Symbol;}{\f2\froman Times New
Roman;}}
{\colortbl\red0\green0\blue0;}
\deflang1033\pard\plain\f2\fs20 hola
\par }
^@
-----------------------------------------------
        [lines finishing in '}}',';}','hola',' }','^@']

        It's a standard RTF file for the text 'hola', plus an inserted string ('abcde....xyz') before the string 'ansi'.   [there's almost a buffer overflow in every parameter in the RTF]

        'ccdd' is the return address (EIP)
        If the string ansi is missing (I tested with some other strings, not every other string...) nothing 'good' happens.
        Any non-letter character before the string 'ccdd' makes nothing happen. I'm not sure which characters can be in this section of the .RTF.
        If uppercase letters are used, they are lowercased (at least the return address). (!!! That's what it looks like, but the original post says EIP = 0x41414141, which I couldn't reproduce...)

        I can't find the [reminding or original] string in memory...

        I'll continue some more time with this, but it doesn't look too easy to exploit...

        richie

PS: if you have Word installed, it is the default opener for RTFs (which doesn't crash), which makes it a little harder to exploit remotely.
PPS: I found another buffer overflow that affects Word; use a .RTF file like
{\rtf\AAAAAAAAAAAA..............}       (more than 5000 As)

        This doesn't make EIP = 0x41414141, it makes ESI = 0x41414141, and if you use more than 10,000 As, it makes EDI = 0x41414141. It may be exploitable, but doesn't look easy.

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com
Attachment: kk.rtf (application/rtf)
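A defensive check for the malformed shape the post describes (an RTF control word far longer than the 32 letters the RTF spec allows), added here as an example and not part of the original post or its attachment; the 32-letter limit is taken from the RTF 1.5 spec, and the sample files below are constructed to mimic the two overflow shapes rather than copied from kk.rtf.

```python
from typing import Iterator, List, Tuple

# RTF 1.5: a control word is a backslash followed by ASCII letters, at most
# 32 of them. Longer runs are malformed and match the kk.rtf overflow shape.
MAX_CONTROL_WORD_LEN = 32


def _is_letter(c: int) -> bool:
    return 0x41 <= c <= 0x5A or 0x61 <= c <= 0x7A


def iter_control_words(rtf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, letters) for every RTF control word.

    Control symbols (\\\\, \\{, \\}, \\', \\* ...) are skipped together with the
    character that follows them so they are never counted as control words.
    """
    i, n = 0, len(rtf)
    while i < n:
        if rtf[i] != 0x5C:            # not a backslash: plain text, move on
            i += 1
            continue
        j = i + 1
        if j < n and _is_letter(rtf[j]):
            k = j
            while k < n and _is_letter(rtf[k]):
                k += 1
            yield i, rtf[j:k]          # parameter digits/delimiter follow k
            i = k
        else:
            i = j + 1                  # control symbol: skip symbol + its char


def scan_rtf(rtf: bytes, limit: int = MAX_CONTROL_WORD_LEN) -> List[Tuple[int, int, bytes]]:
    """Return (offset, length, first 12 letters) of each over-long control word."""
    return [(off, len(w), w[:12]) for off, w in iter_control_words(rtf) if len(w) > limit]


# Constructed samples (not the original attachment):
BENIGN = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fswiss MS Sans Serif;}}\\pard\\plain\\f0\\fs20 hola\\par }"
# kk.rtf shape: letters inserted right after \rtf1 fuse with 'ansi' into one huge control word.
PADDING = bytes(0x61 + (i % 26) for i in range(200))   # 200 lowercase letters
MALFORMED = b"{\\rtf1\\" + PADDING + b"ansi\\deff0\\pard hola\\par }"
# PPS shape: \rtf followed by thousands of A's.
FLOOD = b"{\\rtf\\" + b"A" * 5000 + b"}"

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("kk.rtf-like", MALFORMED), ("flood", FLOOD)):
        print(name, scan_rtf(doc))
```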


