This is very probably known and fixed, as I published about the many BoFs and format string vulns in command line handling in Windows applications in 2004 (http://seclists.org/bugtraq/2004/Oct/45), after which most if not all of them got fixed. I cannot reproduce in XP SP3.
If you still want to exploit it, why don't you encode your shellcode to lowercase alphanumeric using ALPHA3? http://code.google.com/p/alpha3/

Berend-Jan Wever <[email protected]>
http://skypher.com/SkyLined

On Wed, Mar 17, 2010 at 3:20 PM, sachin shinde <[email protected]> wrote:
> hi,
>
> There is classic buffer/Stack overflow in wordpad.exe testing on winxp
> sp 2. (is it already known?)
>
> on text console wordpad.exe takes argument as a filename and there it
> happens.
>
> but writing shellcode for it is very hard, because wordpad changes
> uppercase chars to lower case chars. if anyone has any idea about this
> please reply!
>
> Though it looks like local vulnerability we can trigger it remotely
> with ActiveX and Javascript. I can give full demonstration but can't
> write shellcode because of too many bad characters (of course can show
> you int 3 (0xcc)) but would like to show the full proof of concept
> demonstration.
>
> Regards,
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
