Microsoft Publisher 2010 – Crash (PoC)

• Exploit Database
• 109 阅读

• 作者： coolkaveh
  日期： 2012-10-28
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/22310/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119

  Title :Microsoft Office Publisher 2010 memory corruption Version :Microsoft Office professional Plus 2010 Date:2012-10-25 Vendor:http://office.microsoft.com Impact:Med/High Contact :coolkaveh [at] rocketmail.com Twitter :@coolkaveh tested:XP SP3 ENG ############################################################################### Bug : ---- memory corruption during the handling of the pub files a context-dependent attacker can execute arbitrary code. ---- ################################################################################ First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000012 ebx=00000002 ecx=00000004 edx=00000002 esi=00000000 edi=0012f7e4 eip=7855b450 esp=0012f7a4 ebp=0012f7ac iopl=0 nv up ei ng nz ac pe cy cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00210297 *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\MSVCR90.dll - MSVCR90!memmove+0x140: 7855b450 8b448ef0mov eax,dword ptr [esi+ecx*4-10h] ds:0023:00000000=???????? 0:000>!exploitable -v eax=00000012 ebx=00000002 ecx=00000004 edx=00000002 esi=00000000 edi=0012f7e4 eip=7855b450 esp=0012f7a4 ebp=0012f7ac iopl=0 nv up ei ng nz ac pe cy cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00210297 MSVCR90!memmove+0x140: 7855b450 8b448ef0mov eax,dword ptr [esi+ecx*4-10h] ds:0023:00000000=???????? HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception *** ERROR: Symbol file could not be found.Defaulted to export symbols for ntdll.dll - *** ERROR: Module load completed but symbols could not be loaded for mspub.exe *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll - *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll - *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll - Exception Faulting Address: 0x0 First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Read Access Violation   Faulting Instruction:7855b450 mov eax,dword ptr [esi+ecx*4-10h]   Basic Block: 7855b450 mov eax,dword ptr [esi+ecx*4-10h] Tainted Input Operands: ecx, esi 7855b454 mov dword ptr [edi+ecx*4-10h],eax Tainted Input Operands: eax, ecx 7855b458 mov eax,dword ptr [esi+ecx*4-0ch] Tainted Input Operands: ecx, esi 7855b45c mov dword ptr [edi+ecx*4-0ch],eax Tainted Input Operands: eax, ecx 7855b460 mov eax,dword ptr [esi+ecx*4-8] Tainted Input Operands: ecx, esi 7855b464 mov dword ptr [edi+ecx*4-8],eax Tainted Input Operands: eax, ecx 7855b468 mov eax,dword ptr [esi+ecx*4-4] Tainted Input Operands: ecx, esi 7855b46c mov dword ptr [edi+ecx*4-4],eax Tainted Input Operands: eax, ecx 7855b470 lea eax,[ecx*4] Tainted Input Operands: ecx 7855b477 add esi,eax Tainted Input Operands: eax, esi 7855b479 add edi,eax Tainted Input Operands: eax 7855b47b jmp dword ptr msvcr90!memmove+0x174 (7855b484)[edx*4]   Exception Hash (Major/Minor): 0x56372064.0x42094b36   Stack Trace: MSVCR90!memmove+0x140 mspub+0x83638 mspub+0x63f02 mspub+0x64189 mspub+0x64c1b mso!Ordinal5220+0x676 mso!Ordinal7862+0x547 mspub+0x98ca5 mspub+0x953fe USER32!GetDC+0x6d USER32!GetDC+0x14f USER32!DefWindowProcW+0x180 USER32!DefWindowProcW+0x1cc ntdll!KiUserCallbackDispatcher+0x13 USER32!DispatchMessageW+0xf mso!Ordinal9774+0x23 mspub+0x341c0 mspub+0x212d mspub+0x20d0 mspub+0x2083 kernel32!RegisterWaitForInputIdle+0x49 Instruction Address: 0x000000007855b450   Description: Data from Faulting Address controls subsequent Write Address Short Description: TaintedDataControlsWriteAddress Exploitability Classification: PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at MSVCR90!memmove+0x0000000000000140 (Hash=0x56372064.0x42094b36)   The data from the faulting address is later used as the target for a later write. ################################################################################ Proof of concept included. http://www31.zippyshare.com/v/29089672/file.html https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22310.rar