Microsoft Office is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected application.
----------------------------------------------------------------------
Found: 11.05.2016
More: http://HauntIT.blogspot.com
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39819.zip
----------------------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "c:\Program Files\Microsoft Office\Office14\excel.EXE" C:\crash\sf_e626c69c89ab9e683eed52eeaaac93ca-109922.xlsx
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 30000000 313d1000 Excel.exe
ModLoad: 7c900000 7c9af000 ntdll.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
(...)
ModLoad: 6bdc0000 6be7c000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL
ModLoad: 65100000 6519e000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\USP10.DLL
(cb4.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\OFFICE14\OGL.DLL -
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4] ds:0023:00000004=????????
0:000> r;!exploitable -v;r;ub;kv;q
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4] ds:0023:00000004=????????
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
(...)
Exception Faulting Address: 0x4
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction: 44175083 push dword ptr [ecx+4]
Basic Block:
44175083 push dword ptr [ecx+4]
Tainted Input operands: 'ecx'
44175086 push dword ptr [ecx]
Tainted Input operands: 'ecx'
44175088 mov ecx,dword ptr [ebp+8]
4417508b mov eax,dword ptr [ecx]
4417508d call dword ptr [eax+4]
Tainted Input operands: 'StackContents'
Exception Hash (Major/Minor): 0xd8abe4f2.0x3a6d64a1
Hash Usage : Stack Trace:
Major+Minor : OGL!GdipGetImageThumbnail+0x1118e
Major+Minor : OGL!GdipGetPathPointsI+0x2da6
Major+Minor : OGL!GdipGetPathPointsI+0x2b0e
Major+Minor : OGL!GdipGetPathPointsI+0x2a98
Major+Minor : GDI32!SetMetaRgn+0x87
Minor : OGL!GdipCreateMetafileFromWmfFile+0x652
Minor : OGL!GdipGetPathPointsI+0x2d1b
Minor : OGL!GdipGetPathPointsI+0x2b73
Minor : OGL!GdipCreateMetafileFromWmfFile+0x573
Minor : OGL!GdipGetVisibleClipBoundsI+0x1c6
Minor : OGL!GdipDrawImageRectRect+0x111
Minor : gfx+0x147d74
Minor : gfx+0x4f9f
Minor : gfx+0x13ec8
Minor : gfx+0x13ec8
Minor : gfx+0x13ec8
Minor : gfx+0x4ecd
Minor : gfx+0xed1a
Minor : gfx+0xecef
Minor : gfx+0xecc3
Minor : gfx+0xf6fc
Minor : gfx+0xe84d
Minor : gfx+0xf4db
Minor : gfx+0xe84d
Minor : gfx+0xf685
Minor : gfx+0xe817
Minor : gfx+0xebd8
Minor : oart!Ordinal3680+0xb8
Minor : oart!Ordinal1491+0x156
Minor : Excel!Ordinal40+0x20d620
Minor : Excel!Ordinal40+0x1f8e2c
Minor : Excel!Ordinal40+0x60961
Minor : Excel!Ordinal40+0x607aa
Minor : Excel!Ordinal40+0x5e95b
Minor : Excel!Ordinal40+0x5e76f
Minor : Excel!Ordinal40+0x2f054
Minor : Excel!Ordinal40+0x1763d
Minor : USER32!GetDC+0x6d
Minor : USER32!GetDC+0x14f
Minor : USER32!IsWindowUnicode+0xa1
Minor : USER32!CallWindowProcW+0x1b
Minor : Comctl32!Ordinal11+0x328
Minor : Comctl32!RemoveWindowSubclass+0x17e
Minor : Comctl32!DefSubclassProc+0x46
Minor : mso!Ordinal1888+0x38e
Minor : mso!Ordinal4894+0x24b
Minor : Comctl32!RemoveWindowSubclass+0x17e
Minor : Comctl32!DefSubclassProc+0xa9
Minor : USER32!GetDC+0x6d
Minor : USER32!GetDC+0x14f
Minor : USER32!DefWindowProcW+0x180
Minor : USER32!DefWindowProcW+0x1cc
Minor : ntdll!KiUserCallbackDispatcher+0x13
Minor : USER32!DispatchMessageW+0xf
Minor : Excel!Ordinal40+0x24572
Minor : Excel!Ordinal40+0x24441
Minor : Excel!Ordinal40+0x424b
Minor : Excel!Ordinal40+0x3f0a
Minor : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x0000000044175083
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at OGL!GdipGetImageThumbnail+0x000000000001118e (Hash=0xd8abe4f2.0x3a6d64a1)
This is a user mode read access violation near null, and is probably not exploitable.
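As an added example (not part of the advisory), a small Python helper that pulls the register state and the !exploitable summary fields out of a WinDbg dump like the one above, so that fuzzing crashes can be bucketed by exception hash and the near-NULL read condition checked automatically; the sample text is a constructed excerpt of this advisory's own output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the WinDbg register dump and the
# !exploitable summary shown in this advisory (values copied from the dump).
SAMPLE = """\
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0 nv up ei pl nz na po nc
Exception Faulting Address: 0x4
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:44175083 push dword ptr [ecx+4]
Exception Hash (Major/Minor): 0xd8abe4f2.0x3a6d64a1
Major+Minor : OGL!GdipGetImageThumbnail+0x1118e
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
"""

# x86 register dump as printed by the WinDbg "r" command.
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
# "Name: value" summary lines emitted by !exploitable -v.
FIELD_RE = re.compile(
    r"^(Exception Faulting Address|First Chance Exception Type|Exception Sub-Type"
    r"|Faulting Instruction|Exception Hash \(Major/Minor\)"
    r"|Exploitability Classification):\s*(.+)$", re.M)

@dataclass
class Triage:
    regs: dict = field(default_factory=dict)    # register name -> int value
    fields: dict = field(default_factory=dict)  # !exploitable field -> text

    @property
    def faulting_address(self) -> int:
        return int(self.fields["Exception Faulting Address"], 16)

    @property
    def hashes(self) -> tuple:
        # Major hash dedupes crashes by top frames; minor hash by full stack.
        major, minor = self.fields["Exception Hash (Major/Minor)"].split(".")
        return major, minor

    @property
    def classification(self) -> str:
        return self.fields["Exploitability Classification"]

    def null_base_registers(self, limit: int = 0x10000) -> list:
        """Registers used by the faulting instruction that hold a near-NULL value."""
        instr = self.fields["Faulting Instruction"]
        return sorted(r for r, v in self.regs.items() if r in instr and v < limit)

    def is_near_null_read(self, limit: int = 0x10000) -> bool:
        return "Read" in self.fields["Exception Sub-Type"] and self.faulting_address < limit

def parse_triage(text: str) -> Triage:
    t = Triage()
    for name, val in REG_RE.findall(text):
        t.regs[name] = int(val, 16)
    for name, val in FIELD_RE.findall(text):
        t.fields[name] = val.strip()
    return t
```

For this dump the helper reports `ecx` as the NULL base register behind the `[ecx+4]` read, matching the ReadAVNearNull classification.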
----------------------------------------------------------------------
More:
> r
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4] ds:0023:00000004=????????
> ub
OGL!GdipGetImageThumbnail+0x1117b:
44175070 8b01            mov     eax,dword ptr [ecx]
44175072 ff5004          call    dword ptr [eax+4]
44175075 8bc8            mov     ecx,eax
44175077 e88e4af0ff      call    OGL!GdipGetPathPointsI+0x40d5 (44079b0a)
4417507c 5d              pop     ebp
4417507d c21000          ret     10h
44175080 55              push    ebp
44175081 8bec            mov     ebp,esp
> kv
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0013e3a8 440787db 0ab4aea0 0000401d 00000000 OGL!GdipGetImageThumbnail+0x1118e
0013e3c8 44078543 0000401d 00000000 00000000 OGL!GdipGetPathPointsI+0x2da6
0013e3f8 440784cd 0000015c 07915974 07915028 OGL!GdipGetPathPointsI+0x2b0e
0013e410 77f2067f 2f011136 012f2750 07915904 OGL!GdipGetPathPointsI+0x2a98
0013e490 44074c79 2f011136 404ccccc 4407840d GDI32!SetMetaRgn+0x87
0013e4c8 44078750 2f011136 3e460aa3 0013e548 OGL!GdipCreateMetafileFromWmfFile+0x652
0013e568 440785a8 43487fff 3e460aa3 0013e6a0 OGL!GdipGetPathPointsI+0x2d1b
0013e6b8 44074b9a 00000000 42c00000 42c00000 OGL!GdipGetPathPointsI+0x2b73
0013e7b4 4402cfc4 0ab4a320 00000000 00000000 OGL!GdipCreateMetafileFromWmfFile+0x573
0013e818 4403e16f 0ab4a320 0013e840 0013e850 OGL!GdipGetVisibleClipBoundsI+0x1c6
0013e888 438e7d74 00000000 00000000 00000000 OGL!GdipDrawImageRectRect+0x111
0013e998 437a4f9f 0874a780 07aeec68 ad01865f gfx+0x147d74
0013ea64 437b3ec8 0874a780 00000001 0722b898 gfx+0x4f9f
0013ea78 437b3ec8 0874a780 00000000 0722b848 gfx+0x13ec8
0013ea8c 437b3ec8 0874a780 0013eb40 0b06f120 gfx+0x13ec8
0013eaa0 437a4ecd 0874a780 ad018713 0013ee04 gfx+0x13ec8
0013eb28 437aed1a 0722b848 0013eb40 0013f194 gfx+0x4ecd
0013eb70 437aecef 0b06f120 0013ebac 0013f194 gfx+0xed1a
0013eb88 437aecc3 086f2410 0013ebac 0013f194 gfx+0xecef
0013ebf4 437af6fc 0013ec80 086f2410 00000002 gfx+0xecc3
----------------------------------------------------------------------
0:000> u eip
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4]
44175086 ff31            push    dword ptr [ecx]
44175088 8b4d08          mov     ecx,dword ptr [ebp+8]
4417508b 8b01            mov     eax,dword ptr [ecx]
4417508d ff5004          call    dword ptr [eax+4]
44175090 8bc8            mov     ecx,eax
44175092 e8922bebff      call    OGL!GdipDeletePen+0x115 (44027c29)
44175097 5d              pop     ebp
0:000> kvn1
 # ChildEBP RetAddr  Args to Child
00 0013e308 440787db 08f22870 0000401d 00000000 OGL!GdipGetImageThumbnail+0x1118e
0:000> dd ecx+4
00000004  ???????? ???????? ???????? ????????
00000014  ???????? ???????? ???????? ????????
00000024  ???????? ???????? ???????? ????????
00000034  ???????? ???????? ???????? ????????
00000044  ???????? ???????? ???????? ????????
00000054  ???????? ???????? ???????? ????????
00000064  ???????? ???????? ???????? ????????
00000074  ???????? ???????? ???????? ????????
0:000> u eip-11
OGL!GdipGetImageThumbnail+0x1117d:
44175072 ff5004          call    dword ptr [eax+4]
44175075 8bc8            mov     ecx,eax
44175077 e88e4af0ff      call    OGL!GdipGetPathPointsI+0x40d5 (44079b0a)
4417507c 5d              pop     ebp
4417507d c21000          ret     10h
44175080 55              push    ebp
44175081 8bec            mov     ebp,esp
44175083 ff7104          push    dword ptr [ecx+4]   <= crash
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4] ds:0023:00000004=????????
----------------------------------------------------------------------
By: HauntIT Blog @ 2016