Microsoft Visio 2010 – Crash (PoC)

• Exploit Database
• 108 阅读

• 作者： coolkaveh
  日期： 2012-11-13
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/22679/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74

  Title :Microsoft Visio 2010 memory corruption Version :Microsoft Visio Premium 2010 SP1 Date:2012-11-12 Vendor:http://office.microsoft.com Impact:Med/High Contact :coolkaveh [at] rocketmail.com Twitter :@coolkaveh tested:Windows XP SP3 ENG ############################################################################### Bug : ---- memory corruption during the handling of the vsd files a context-dependent attacker can execute arbitrary code. ---- ################################################################################ (c18.c0c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=05ddd70c ecx=05db01cc edx=00000000 esi=6095f708 edi=6095f708 eip=600c7b69 esp=0012de78 ebp=0012de78 iopl=0 nv up ei pl nz na po nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010202 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\VISLIB.dll - VISLIB!Ordinal1+0xc029b: 600c7b69 6683780218cmp word ptr [eax+2],18h ds:0023:00000002=???? ----------------------------------------------------------------------------------------- HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception *** ERROR: Symbol file could not be found.Defaulted to export symbols for ntdll.dll - Exception Faulting Address: 0x2 First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Read Access Violation   Faulting Instruction:600c7b69 cmp word ptr [eax+2],18h Missing image name, possible paged-out or corrupt data.   Basic Block: 600c7b69 cmp word ptr [eax+2],18h Tainted Input Operands: eax 600c7b6e sbb eax,eax 600c7b70 and eax,offset <unloaded_l32.dll>+0x7f (00000080) Tainted Input Operands: eax 600c7b75 pop ebp 600c7b76 ret 4 Tainted Input Operands: eax   Exception Hash (Major/Minor): 0x05626b64.0x04025a3c   Stack Trace: VISLIB!Ordinal1+0xc029b VISLIB!Ordinal1+0xc5d91 VISLIB!Ordinal1+0xc01ea VISLIB!Ordinal1+0xbfe27 VISLIB!Ordinal1+0xbfd8f VISLIB!Ordinal1+0xbff8b VISLIB!Ordinal1+0xbfe8e VISLIB!Ordinal1+0x28f325 ################################################################################ Proof of concept included.   http://www24.zippyshare.com/v/85134950/file.html https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22679.rar