Title   : Microsoft Office Word 2010 Stack Overflow
Version : Microsoft Office Professional Plus 2010
Date    : 2012-10-23
Vendor  : http://office.microsoft.com
Impact  : Med/High
Contact : coolkaveh [at] rocketmail.com
Twitter : @coolkaveh
Tested  : XP SP3 ENG
###############################################################################
Bug :
----
Stack overflow during the handling of .doc files; a context-dependent attacker
can execute arbitrary code.
----
################################################################################
(be0.59c): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00032000 ebx=00000000 ecx=00032fe4 edx=000024bc esi=008b8974 edi=0753e000
eip=316d458e esp=000380f0 ebp=000380f8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\wwlib.dll -
wwlib+0x458e:
316d458e 8500            test    dword ptr [eax],eax  ds:0023:00032000=00000000
0:000> !exploitable -v
eax=00032000 ebx=00000000 ecx=00032fe4 edx=000024bc esi=008b8974 edi=0753e000
eip=316d458e esp=000380f0 ebp=000380f8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
wwlib+0x458e:
316d458e 8500            test    dword ptr [eax],eax  ds:0023:00032000=00000000
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL -
Exception Faulting Address: 0x316d458e
First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD)
Faulting Instruction:316d458e test dword ptr [eax],eax

Basic Block:
    316d458e test dword ptr [eax],eax
       Tainted Input Operands: eax
    316d4590 jmp wwlib+0x4585 (316d4585)

Exception Hash (Major/Minor): 0x7513030e.0x2d6c2e72

Stack Trace:
wwlib+0x458e
wwlib!GetAllocCounters+0x78520
wwlib!GetAllocCounters+0x90f89
wwlib!GetAllocCounters+0x134cf
wwlib!DllGetLCID+0x6451eb
wwlib!DllGetLCID+0x645c74
wwlib!DllGetLCID+0x29b461
wwlib!DllGetLCID+0x531d6
wwlib!DllGetLCID+0x2c1272
wwlib!DllGetLCID+0x141bf9
wwlib!DllGetLCID+0x1d1144
wwlib!DllGetLCID+0x1d05ae
MSPTLS!LsLwMultDivR+0x101e7
MSPTLS!LsLwMultDivR+0x10afb
MSPTLS!LsLwMultDivR+0x10c5e
MSPTLS!LsLwMultDivR+0x10ec8
MSPTLS!FsTransformBbox+0xe137
MSPTLS!LsLwMultDivR+0x24ac6
MSPTLS!LsLwMultDivR+0x27d0
MSPTLS!LsLwMultDivR+0x25470
MSPTLS!LsLwMultDivR+0x25642
MSPTLS!LsLwMultDivR+0x259ad
MSPTLS!LsLwMultDivR+0x2a64
MSPTLS!LsLwMultDivR+0x3201
MSPTLS!FsTransformBbox+0x74ae
MSPTLS!FsTransformBbox+0x7e28
MSPTLS!FsCreateSubpageFinite+0xad
wwlib!DllGetLCID+0x541fc
wwlib!DllGetLCID+0x54037
MSPTLS!LsLwMultDivR+0x4e92
MSPTLS!LsLwMultDivR+0x29070
MSPTLS!LsLwMultDivR+0x285b0
MSPTLS!LsLwMultDivR+0x5fa3
MSPTLS!LsLwMultDivR+0x6816
MSPTLS!FsTransformBbox+0xb8c1
MSPTLS!FsQueryTableObjFigureListWord+0x2a0
MSPTLS!LsLwMultDivR+0x101e7
MSPTLS!LsLwMultDivR+0x10afb
MSPTLS!LsLwMultDivR+0x10c5e
MSPTLS!LsLwMultDivR+0x10ec8
MSPTLS!FsTransformBbox+0xe137
MSPTLS!LsLwMultDivR+0x24ac6
MSPTLS!LsLwMultDivR+0x27d0
MSPTLS!LsLwMultDivR+0x25470
MSPTLS!LsLwMultDivR+0x25642
MSPTLS!LsLwMultDivR+0x259ad
MSPTLS!LsLwMultDivR+0x2a64
MSPTLS!LsLwMultDivR+0x3201
MSPTLS!FsTransformBbox+0x74ae
MSPTLS!FsTransformBbox+0x7e28
MSPTLS!FsCreateSubpageFinite+0xad
wwlib!DllGetLCID+0x1d07f0
MSPTLS!LsLwMultDivR+0x101e7
MSPTLS!LsLwMultDivR+0x10afb
MSPTLS!LsLwMultDivR+0x10c5e
MSPTLS!LsLwMultDivR+0x10ec8
MSPTLS!FsTransformBbox+0xe137
MSPTLS!LsLwMultDivR+0x24ac6
MSPTLS!LsLwMultDivR+0x27d0
MSPTLS!LsLwMultDivR+0x25470
MSPTLS!LsLwMultDivR+0x25642
MSPTLS!LsLwMultDivR+0x259ad
MSPTLS!LsLwMultDivR+0x2a64
MSPTLS!LsLwMultDivR+0x3201
Instruction Address: 0x00000000316d458e

Description: Stack Overflow
Short Description: StackOverflow
Recommended Bug Title: Stack Overflow starting at wwlib+0x000000000000458e (Hash=0x7513030e.0x2d6c2e72)
##############################################################################################################
Proof of concept poc.doc included.

Exploit-DB Note: This also works on Word 2007

PoC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22215.tar.gz
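Two details in the !exploitable output above tell a triager what kind of "stack overflow" this is. The fault is at a "test dword ptr [eax],eax" in a two-instruction loop (the basic block jumps back to wwlib+0x4585), which is the page-touching probe compilers emit for large stack frames (MSVC's _chkstk), and the faulting address 0x00032000 is page-aligned and below esp, so the probe walked into the guard page. The stack trace also contains the same 15-frame sequence, MSPTLS!LsLwMultDivR+0x101e7 through MSPTLS!FsCreateSubpageFinite+0xad, twice in full and a third time cut off at the top. Together these point to stack exhaustion by recursion in the layout engine rather than an overwrite of a fixed-size stack buffer, and the two classes get different fixes and different exploitability assessments, so it is worth recording at triage time. The script below is an added example, not part of the advisory or of Exploit-DB's tooling: it parses the report text (reconstructed here from the output on this page, with the frames wrapped; parsing is whitespace-insensitive), finds the longest repeated frame sequence, and reports a verdict with the evidence it used. The field names, regexes and verdict strings are this script's own choices.

```python
"""Triage helper for a WinDbg !exploitable report (added example).

Pulls the exception code, faulting instruction and stack frames out of
the report text and looks for a frame sequence that recurs in the trace,
the signature of unbounded recursion exhausting the stack. SAMPLE_REPORT
is the advisory's own !exploitable output, trimmed to the fields read
here, with the frame list wrapped across lines.
"""
import re

SAMPLE_REPORT = """
Exception Faulting Address: 0x316d458e
First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD)
Faulting Instruction:316d458e test dword ptr [eax],eax
Stack Trace:
wwlib+0x458e wwlib!GetAllocCounters+0x78520 wwlib!GetAllocCounters+0x90f89
wwlib!GetAllocCounters+0x134cf wwlib!DllGetLCID+0x6451eb wwlib!DllGetLCID+0x645c74
wwlib!DllGetLCID+0x29b461 wwlib!DllGetLCID+0x531d6 wwlib!DllGetLCID+0x2c1272
wwlib!DllGetLCID+0x141bf9 wwlib!DllGetLCID+0x1d1144 wwlib!DllGetLCID+0x1d05ae
MSPTLS!LsLwMultDivR+0x101e7 MSPTLS!LsLwMultDivR+0x10afb MSPTLS!LsLwMultDivR+0x10c5e
MSPTLS!LsLwMultDivR+0x10ec8 MSPTLS!FsTransformBbox+0xe137 MSPTLS!LsLwMultDivR+0x24ac6
MSPTLS!LsLwMultDivR+0x27d0 MSPTLS!LsLwMultDivR+0x25470 MSPTLS!LsLwMultDivR+0x25642
MSPTLS!LsLwMultDivR+0x259ad MSPTLS!LsLwMultDivR+0x2a64 MSPTLS!LsLwMultDivR+0x3201
MSPTLS!FsTransformBbox+0x74ae MSPTLS!FsTransformBbox+0x7e28 MSPTLS!FsCreateSubpageFinite+0xad
wwlib!DllGetLCID+0x541fc wwlib!DllGetLCID+0x54037 MSPTLS!LsLwMultDivR+0x4e92
MSPTLS!LsLwMultDivR+0x29070 MSPTLS!LsLwMultDivR+0x285b0 MSPTLS!LsLwMultDivR+0x5fa3
MSPTLS!LsLwMultDivR+0x6816 MSPTLS!FsTransformBbox+0xb8c1 MSPTLS!FsQueryTableObjFigureListWord+0x2a0
MSPTLS!LsLwMultDivR+0x101e7 MSPTLS!LsLwMultDivR+0x10afb MSPTLS!LsLwMultDivR+0x10c5e
MSPTLS!LsLwMultDivR+0x10ec8 MSPTLS!FsTransformBbox+0xe137 MSPTLS!LsLwMultDivR+0x24ac6
MSPTLS!LsLwMultDivR+0x27d0 MSPTLS!LsLwMultDivR+0x25470 MSPTLS!LsLwMultDivR+0x25642
MSPTLS!LsLwMultDivR+0x259ad MSPTLS!LsLwMultDivR+0x2a64 MSPTLS!LsLwMultDivR+0x3201
MSPTLS!FsTransformBbox+0x74ae MSPTLS!FsTransformBbox+0x7e28 MSPTLS!FsCreateSubpageFinite+0xad
wwlib!DllGetLCID+0x1d07f0
MSPTLS!LsLwMultDivR+0x101e7 MSPTLS!LsLwMultDivR+0x10afb MSPTLS!LsLwMultDivR+0x10c5e
MSPTLS!LsLwMultDivR+0x10ec8 MSPTLS!FsTransformBbox+0xe137 MSPTLS!LsLwMultDivR+0x24ac6
MSPTLS!LsLwMultDivR+0x27d0 MSPTLS!LsLwMultDivR+0x25470 MSPTLS!LsLwMultDivR+0x25642
MSPTLS!LsLwMultDivR+0x259ad MSPTLS!LsLwMultDivR+0x2a64 MSPTLS!LsLwMultDivR+0x3201
Instruction Address: 0x00000000316d458e
"""

FRAME_RE = re.compile(r'^[A-Za-z0-9_]+(?:![A-Za-z0-9_]+)?\+0x[0-9A-Fa-f]+$')
EXC_RE = re.compile(r'Exception Type:\s*([A-Z_]+)\s*\((0x[0-9A-Fa-f]+)\)')
INSN_RE = re.compile(r'Faulting Instruction:\s*[0-9A-Fa-f]+\s+(.+)')
# MSVC's x86 stack probe (_chkstk) touches each new page with
# "test dword ptr [eax],eax"; a fault there means the guard page was hit.
PROBE_RE = re.compile(r'test\s+dword ptr \[(e[a-d]x)\],\s*\1')


def parse_report(text):
    """Extract exception name/code, faulting instruction and stack frames."""
    exc = EXC_RE.search(text)
    insn = INSN_RE.search(text)
    body = text.partition('Stack Trace:')[2].partition('Instruction Address:')[0]
    frames = [tok for tok in body.split() if FRAME_RE.match(tok)]
    return {
        'exception_type': exc.group(1) if exc else None,
        'exception_code': int(exc.group(2), 16) if exc else None,
        'faulting_instruction': insn.group(1).strip() if insn else '',
        'frames': frames,
    }


def longest_repeated_run(frames):
    """Longest contiguous frame sequence found at two non-overlapping
    positions, plus how many full copies of it the trace holds."""
    n = len(frames)
    best = []
    for i in range(n):
        for j in range(i + 1, n):
            k = 0
            while j + k < n and i + k < j and frames[i + k] == frames[j + k]:
                k += 1
            if k > len(best):
                best = frames[i:i + k]
    if not best:
        return [], 0
    width = len(best)
    copies = sum(1 for s in range(n - width + 1) if frames[s:s + width] == best)
    return best, copies


def triage(text):
    """Classify the report; the returned dict carries the evidence used."""
    info = parse_report(text)
    cycle, copies = longest_repeated_run(info['frames'])
    info['cycle'] = cycle
    info['cycle_copies'] = copies
    info['recursion_suspected'] = len(cycle) >= 3 and copies >= 2
    info['stack_probe_fault'] = bool(PROBE_RE.fullmatch(info['faulting_instruction']))
    if info['exception_code'] != 0xC00000FD:  # STATUS_STACK_OVERFLOW
        info['verdict'] = 'not a stack overflow exception'
    elif info['recursion_suspected']:
        info['verdict'] = 'stack exhaustion: recursive cycle of %d frames' % len(cycle)
    else:
        info['verdict'] = 'stack exhaustion without a visible recursion cycle'
    return info


if __name__ == '__main__':
    result = triage(SAMPLE_REPORT)
    print(result['exception_type'], hex(result['exception_code']))
    print('guard-page probe fault:', result['stack_probe_fault'])
    print('verdict:', result['verdict'])
    for frame in result['cycle']:
        print('   ', frame)
```

On this report the script finds the 15-frame cycle twice in full (the third, truncated copy at the top is not counted) and a probe-pattern fault, and reports stack exhaustion by recursion. The same parser runs unchanged on any !exploitable -v text, so it can sit in a crash-bucketing pipeline to separate recursion cases from faults that need a memory-safety analysis.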