Microsoft Office Word 2010 Crash PoC
Microsoft Office Word 2010 Crash PoC #1
Code:
Title   : Microsoft Office Word 2010 Stack Overflow
Version : Microsoft Office Professional Plus 2010
Date    : 2012-10-23
Vendor  : http://office.microsoft.com
Impact  : Med/High
Contact : coolkaveh[at]rocketmail.com
Twitter : @coolkaveh
Tested  : XP SP3 ENG
###############################################################################
Bug:
----
Stack Overflow during the handling of the doc files; a context-dependent attacker
can execute arbitrary code.
----
################################################################################
(be0.59c): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00032000 ebx=00000000 ecx=00032fe4 edx=000024bc esi=008b8974 edi=0753e000
eip=316d458e esp=000380f0 ebp=000380f8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\wwlib.dll -
wwlib+0x458e:
316d458e 8500            test    dword ptr [eax],eax  ds:0023:00032000=00000000
0:000> !exploitable -v
eax=00032000 ebx=00000000 ecx=00032fe4 edx=000024bc esi=008b8974 edi=0753e000
eip=316d458e esp=000380f0 ebp=000380f8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
wwlib+0x458e:
316d458e 8500            test    dword ptr [eax],eax  ds:0023:00032000=00000000
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL -
Exception Faulting Address: 0x316d458e
First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD)
Faulting Instruction:316d458e test dword ptr [eax],eax
Basic Block:
    316d458e test dword ptr [eax],eax
       Tainted Input Operands: eax
    316d4590 jmp wwlib+0x4585 (316d4585)
Exception Hash (Major/Minor): 0x7513030e.0x2d6c2e72

Stack Trace:
wwlib+0x458e
wwlib!GetAllocCounters+0x78520
wwlib!GetAllocCounters+0x90f89
wwlib!GetAllocCounters+0x134cf
wwlib!DllGetLCID+0x6451eb
wwlib!DllGetLCID+0x645c74
wwlib!DllGetLCID+0x29b461
wwlib!DllGetLCID+0x531d6
wwlib!DllGetLCID+0x2c1272
wwlib!DllGetLCID+0x141bf9
wwlib!DllGetLCID+0x1d1144
wwlib!DllGetLCID+0x1d05ae
MSPTLS!LsLwMultDivR+0x101e7
MSPTLS!LsLwMultDivR+0x10afb
MSPTLS!LsLwMultDivR+0x10c5e
MSPTLS!LsLwMultDivR+0x10ec8
MSPTLS!FsTransformBbox+0xe137
MSPTLS!LsLwMultDivR+0x24ac6
MSPTLS!LsLwMultDivR+0x27d0
MSPTLS!LsLwMultDivR+0x25470
MSPTLS!LsLwMultDivR+0x25642
MSPTLS!LsLwMultDivR+0x259ad
MSPTLS!LsLwMultDivR+0x2a64
MSPTLS!LsLwMultDivR+0x3201
MSPTLS!FsTransformBbox+0x74ae
MSPTLS!FsTransformBbox+0x7e28
MSPTLS!FsCreateSubpageFinite+0xad
wwlib!DllGetLCID+0x541fc
wwlib!DllGetLCID+0x54037
MSPTLS!LsLwMultDivR+0x4e92
MSPTLS!LsLwMultDivR+0x29070
MSPTLS!LsLwMultDivR+0x285b0
MSPTLS!LsLwMultDivR+0x5fa3
MSPTLS!LsLwMultDivR+0x6816
MSPTLS!FsTransformBbox+0xb8c1
MSPTLS!FsQueryTableObjFigureListWord+0x2a0
MSPTLS!LsLwMultDivR+0x101e7
MSPTLS!LsLwMultDivR+0x10afb
MSPTLS!LsLwMultDivR+0x10c5e
MSPTLS!LsLwMultDivR+0x10ec8
MSPTLS!FsTransformBbox+0xe137
MSPTLS!LsLwMultDivR+0x24ac6
MSPTLS!LsLwMultDivR+0x27d0
MSPTLS!LsLwMultDivR+0x25470
MSPTLS!LsLwMultDivR+0x25642
MSPTLS!LsLwMultDivR+0x259ad
MSPTLS!LsLwMultDivR+0x2a64
MSPTLS!LsLwMultDivR+0x3201
MSPTLS!FsTransformBbox+0x74ae
MSPTLS!FsTransformBbox+0x7e28
MSPTLS!FsCreateSubpageFinite+0xad
wwlib!DllGetLCID+0x1d07f0
MSPTLS!LsLwMultDivR+0x101e7
MSPTLS!LsLwMultDivR+0x10afb
MSPTLS!LsLwMultDivR+0x10c5e
MSPTLS!LsLwMultDivR+0x10ec8
MSPTLS!FsTransformBbox+0xe137
MSPTLS!LsLwMultDivR+0x24ac6
MSPTLS!LsLwMultDivR+0x27d0
MSPTLS!LsLwMultDivR+0x25470
MSPTLS!LsLwMultDivR+0x25642
MSPTLS!LsLwMultDivR+0x259ad
MSPTLS!LsLwMultDivR+0x2a64
MSPTLS!LsLwMultDivR+0x3201
Instruction Address: 0x00000000316d458e
Description: Stack Overflow
Short Description: StackOverflow
Recommended Bug Title: Stack Overflow starting at wwlib+0x000000000000458e (Hash=0x7513030e.0x2d6c2e72)
##############################################################################################################

Proof of concept poc.doc included.
Exploit-DB Note: This also works on Word 2007

PoC: http://www.exploit-db.com/sploits/22215.tar.gz

RE: Microsoft Office Word 2010 Crash PoC #2
Stack overflow, awesome. I hope it doesn't use macros, as it would make it quite easy to make macroless .docx malware.


RE: Microsoft Office Word 2010 Crash PoC #3
You're the best bro, I will post more exploits soon...