Exploit-Dev Archives: Re: development of wordpad exploit

Re: development of wordpad exploit


Aubrey Smith (bwricsANTIONLINE.ORG)
Sat, 20 Nov 1999 01:37:47 -0800



Gerardo, for those of us who are less exploit-savvy, could you please explain how your hack works? The only text that I saw in your attached kk.rtf file was "hola".

While Spanish has been known to overflow my buffers (being an English-only speaker), I would like to know how you are using the overflow and how I could duplicate your hack (for educational purposes only, except possibly where my mother-in-law is concerned).

Thanks

>Date: Fri, 19 Nov 1999 13:40:45 -0300
>Reply-To: Gerardo Richarte <core.lists.exploit-devCORE-SDI.COM>
>From: Gerardo Richarte <core.lists.exploit-devCORE-SDI.COM>
>Subject: Re: development of wordpad exploit
>To: VULN-DEVSECURITYFOCUS.COM
>
>"hypoclear - lUSt - (Linux Users Strike Today)" wrote:
>>
>> In light of the latest Windows vulnerability in wordpad, it would be great if in this forum we could develop an exploit for it. As of now details of the vulnerability are on the net, however no exploit exists yet. This would be an excellent opportunity for all of us who don't really know how to code exploits (yet) to see all the details of developing one. Anyone else like this idea?!?
>
> I've been playing with this since yesterday. Just today I could make the
>buffer overflow with EIP pointing to 0x61616161, BUT... (of course, what
>did you expect?), first what's first:
>
>demo:
>
>---------- kk.rtf -----------------------------
>{\rtf1\abcdefghijklmnaabbstuvwxyzabcdefghijklmnccddstuvwxyzabcdefghijklmneeffstuvwxyzabcdefghijklmngghhstuvwxyzabcdefghijklmniijjstuvwxyzabcdefghijklmnkkllstuvwxyzabcdefghijklmnmmnnstuvwxyzansi\deff0\deftab720{\fonttbl{\f0\fswiss
>MS Sans Serif;}{\f1\froman\fcharset2 Symbol;}{\f2\froman Times New
>Roman;}}
>{\colortbl\red0\green0\blue0;}
>\deflang1033\pard\plain\f2\fs20 hola
>\par }
>^
>-----------------------------------------------
> [lines finishing in '}}',';}','hola',' }','^']
>
> It's a standard RTF file for the text 'hola', plus an inserted string
>('abcde....xyz') before the string 'ansi'.
>
> 'ccdd' is the return address (EIP)
> If the string ansi is missing (I tested with some other strings, not
>every other string...) nothing 'good' happens.
> Any non-letter character before the string 'ccdd' makes nothing happen.
>I'm not sure which characters can be in this section of the .RTF.
> If uppercase letters are used, they are lowercased (at least the return
>address) (!!! It's what looks like, but in the original post, it says
>EIP = 0x41414141, what I couldn't reproduce...)
>
> I can't find the [reminding or original] string in memory...
>
> I'll continue some more time with this, but it doesn't look too easy to
>exploit...
>
> richie
>
>PS: if you have Word installed, this is the default opener for RTFs
>(which doesn't crash), which makes it a little harder to exploit remotely
>PPS: I found another buffer overflow that affects Word, use a .RTF file
>like
>{\rtf\AAAAAAAAAAAA..............} (more than 5000 As)
>
> this doesn't make EIP = 0x41414141, it makes ESI = 0x41414141, and if
>you use more than 10.000 As, it makes EDI = 0x41414141. It may be
>exploitable, but doesn't look easy.
>
>--
>A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
>Investigacion y Desarrollo - CoreLabs - Core SDI
>http://www.core-sdi.com
><< kk.rtf >>

------------------------------------------------------------
I Got My Free E-mail Account, Get Yours! - http://www.AntiOnline.com
AntiOnline - The Internet's Information Security Super Center!
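Both crash cases in the quoted post share one structural feature: a single RTF control word (the letters following a backslash) that is hundreds or thousands of characters long, far longer than any legitimate keyword such as \fonttbl or \deflang. The following Python scanner, an added example that is not code from the thread or from either poster, flags files with that shape so they can be quarantined or logged before a viewer opens them. The 32-character threshold and the sample files are assumptions constructed for the example, not values from the thread.

```python
"""Flag RTF files that contain implausibly long control words.

Added example (not from the mailing-list thread). The thread describes
two crash triggers: a long run of letters merged into the control word
before 'ansi' in the header, and {\rtf\AAAA...} with thousands of A's.
Both appear as one control word far longer than any real RTF keyword.
"""
import re

# An RTF control word is a backslash, a run of ASCII letters, and an
# optional signed integer parameter (e.g. \deff0, \fs20, \deflang1033).
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)?")

# Assumed threshold for this example: standard keywords are well under
# 32 letters, so anything longer is worth a second look.
MAX_KEYWORD_LEN = 32


def scan_rtf(data: bytes, max_len: int = MAX_KEYWORD_LEN) -> list:
    """Return (offset, length, prefix) for each oversized control word.

    offset is the byte position of the backslash, length is the number
    of letters in the control word, prefix is its first 16 letters.
    """
    findings = []
    for m in CONTROL_WORD.finditer(data):
        word = m.group(1)
        if len(word) > max_len:
            findings.append((m.start(), len(word), word[:16].decode("ascii")))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if the document contains at least one oversized control word."""
    return bool(scan_rtf(data))


# Constructed samples, not the thread's attachment: a benign minimal RTF
# and two shaped like the crash cases the thread describes.
BENIGN = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fswiss MS Sans Serif;}}"
          b"\\pard\\plain\\f0\\fs20 hola\\par }")
LONG_HEADER = b"{\\rtf1\\" + b"abcdefghijklmn" * 12 + b"ansi\\deff0 hola\\par }"
LONG_A = b"{\\rtf\\" + b"A" * 5000 + b"}"


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("long header", LONG_HEADER),
                         ("long A run", LONG_A)):
        hits = scan_rtf(sample)
        verdict = "SUSPICIOUS" if hits else "ok"
        print(f"{name:12s} {verdict:10s} {hits}")
```

The scanner works on raw bytes and never interprets the document, so it is safe to run on untrusted input at a mail gateway or file share; a real deployment would also want to cap the total control-word count and the nesting depth of braces, which the thread does not discuss.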



This archive was generated by hypermail 2.0b3 on Sat Nov 20 1999 - 17:30:37 CST