
List:       vuln-dev
Subject:    WordPad exploit development: executing arbitrary code on Win98
From:       Pauli Ojanpera <pauli_ojanpera () HOTMAIL ! COM>
Date:       1999-11-30 20:19:20


So I did further investigation as no one came up with ideas.

If the crashing tag is of type

\dummy-5342      (where -5342 is a numeric parameter for the tag)

and there is EOF immediately after the last number (2), we have
ECX = --5342 when the faulty function reaches its RET. I didn't
check if it works without negation.

So I supplied ECX with suitable value and RETed to location
4800525A which has this code:
MOV EAX, [ECX]
CALL [EAX+68]

I'm bad at explaining things. If somebody wants to do it be my guest.
Single step through the exploit... You can start at the third occurrence
of 48030D65 (RET from the faulty function).

The attached example file has the extension .WRI even though it is a .RTF
file, so that machines that have MS Office installed still open the file
in WordPad.

The file has binary characters in it, so you must edit it using a
hex editor.

I'm not responsible for the behavior or misbehavior of the attached
file.

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
["wordpad-exploit-development.zip" (application/x-zip-compressed)]
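A defender-side triage check for the document characteristics described in this post (RTF content carrying a non-.rtf extension, a control word whose numeric parameter runs straight into EOF, and raw binary bytes in a text format). This is an added example, not code from the post or its attachment; the finding names and the heuristics are my own.

```python
import re

RTF_MAGIC = b"{\\rtf"
# An RTF control word (backslash + letters) with a signed numeric parameter
# sitting at the very end of the data, i.e. nothing closes the group after it.
TRAILING_CONTROL_WORD = re.compile(rb"\\[A-Za-z]+(-?\d+)$")
# Bytes we treat as plain text in a well-formed RTF file (heuristic).
TEXT_BYTES = {0x09, 0x0A, 0x0D} | set(range(0x20, 0x7F))


def inspect_rtf(filename: str, data: bytes) -> list[str]:
    """Return a list of triage findings for a document, in a fixed order.

    Findings (names are constructed for this example):
      rtf-content-with-<ext>-extension  RTF magic under a different extension
      unbalanced-braces                 more '{' than '}' (truncated file)
      control-word-parameter-at-eof     e.g. '\\dummy-5342' followed by EOF
      non-ascii-bytes                   raw binary bytes in a text format
    """
    findings: list[str] = []
    if not data.startswith(RTF_MAGIC):
        return findings  # not RTF at all; nothing to say here

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "rtf":
        findings.append(f"rtf-content-with-{ext or 'no'}-extension")

    body = data.rstrip(b"\r\n")
    if body.count(b"{") > body.count(b"}"):
        findings.append("unbalanced-braces")

    if TRAILING_CONTROL_WORD.search(body):
        findings.append("control-word-parameter-at-eof")

    if any(b not in TEXT_BYTES for b in body):
        findings.append("non-ascii-bytes")

    return findings


if __name__ == "__main__":
    # Constructed samples: a benign note and a truncated RTF renamed to .WRI.
    print(inspect_rtf("note.rtf", b"{\\rtf1\\ansi Hello}"))
    print(inspect_rtf("sample.wri", b"{\\rtf1\\ansi\\dummy-5342"))
```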

