Microsoft Office is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected application.

----------------------------------------------------------------------
Found: 11.05.2016
More: http://HauntIT.blogspot.com

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39819.zip
----------------------------------------------------------------------

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "c:\Program Files\Microsoft Office\Office14\excel.EXE" C:\crash\sf_e626c69c89ab9e683eed52eeaaac93ca-109922.xlsx
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 30000000 313d1000   Excel.exe
ModLoad: 7c900000 7c9af000   ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
(...)
ModLoad: 6bdc0000 6be7c000   C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL
ModLoad: 65100000 6519e000   C:\Program Files\Common Files\Microsoft Shared\OFFICE14\USP10.DLL
(cb4.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\OFFICE14\OGL.DLL -
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4]    ds:0023:00000004=????????

0:000> r;!exploitable -v;r;ub;kv;q
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4]    ds:0023:00000004=????????
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
(...)
Exception Faulting Address: 0x4
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:44175083 push dword ptr [ecx+4]

Basic Block:
    44175083 push dword ptr [ecx+4]
       Tainted Input operands: 'ecx'
    44175086 push dword ptr [ecx]
       Tainted Input operands: 'ecx'
    44175088 mov ecx,dword ptr [ebp+8]
    4417508b mov eax,dword ptr [ecx]
    4417508d call dword ptr [eax+4]
       Tainted Input operands: 'StackContents'

Exception Hash (Major/Minor): 0xd8abe4f2.0x3a6d64a1

Hash Usage : Stack Trace:
Major+Minor : OGL!GdipGetImageThumbnail+0x1118e
Major+Minor : OGL!GdipGetPathPointsI+0x2da6
Major+Minor : OGL!GdipGetPathPointsI+0x2b0e
Major+Minor : OGL!GdipGetPathPointsI+0x2a98
Major+Minor : GDI32!SetMetaRgn+0x87
Minor : OGL!GdipCreateMetafileFromWmfFile+0x652
Minor : OGL!GdipGetPathPointsI+0x2d1b
Minor : OGL!GdipGetPathPointsI+0x2b73
Minor : OGL!GdipCreateMetafileFromWmfFile+0x573
Minor : OGL!GdipGetVisibleClipBoundsI+0x1c6
Minor : OGL!GdipDrawImageRectRect+0x111
Minor : gfx+0x147d74
Minor : gfx+0x4f9f
Minor : gfx+0x13ec8
Minor : gfx+0x13ec8
Minor : gfx+0x13ec8
Minor : gfx+0x4ecd
Minor : gfx+0xed1a
Minor : gfx+0xecef
Minor : gfx+0xecc3
Minor : gfx+0xf6fc
Minor : gfx+0xe84d
Minor : gfx+0xf4db
Minor : gfx+0xe84d
Minor : gfx+0xf685
Minor : gfx+0xe817
Minor : gfx+0xebd8
Minor : oart!Ordinal3680+0xb8
Minor : oart!Ordinal1491+0x156
Minor : Excel!Ordinal40+0x20d620
Minor : Excel!Ordinal40+0x1f8e2c
Minor : Excel!Ordinal40+0x60961
Minor : Excel!Ordinal40+0x607aa
Minor : Excel!Ordinal40+0x5e95b
Minor : Excel!Ordinal40+0x5e76f
Minor : Excel!Ordinal40+0x2f054
Minor : Excel!Ordinal40+0x1763d
Minor : USER32!GetDC+0x6d
Minor : USER32!GetDC+0x14f
Minor : USER32!IsWindowUnicode+0xa1
Minor : USER32!CallWindowProcW+0x1b
Minor : Comctl32!Ordinal11+0x328
Minor : Comctl32!RemoveWindowSubclass+0x17e
Minor : Comctl32!DefSubclassProc+0x46
Minor : mso!Ordinal1888+0x38e
Minor : mso!Ordinal4894+0x24b
Minor : Comctl32!RemoveWindowSubclass+0x17e
Minor : Comctl32!DefSubclassProc+0xa9
Minor : USER32!GetDC+0x6d
Minor : USER32!GetDC+0x14f
Minor : USER32!DefWindowProcW+0x180
Minor : USER32!DefWindowProcW+0x1cc
Minor : ntdll!KiUserCallbackDispatcher+0x13
Minor : USER32!DispatchMessageW+0xf
Minor : Excel!Ordinal40+0x24572
Minor : Excel!Ordinal40+0x24441
Minor : Excel!Ordinal40+0x424b
Minor : Excel!Ordinal40+0x3f0a
Minor : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x0000000044175083

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at OGL!GdipGetImageThumbnail+0x000000000001118e (Hash=0xd8abe4f2.0x3a6d64a1)

This is a user mode read access violation near null, and is probably not exploitable.

----------------------------------------------------------------------
More:

> r
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4]    ds:0023:00000004=????????

> ub
OGL!GdipGetImageThumbnail+0x1117b:
44175070 8b01            mov     eax,dword ptr [ecx]
44175072 ff5004          call    dword ptr [eax+4]
44175075 8bc8            mov     ecx,eax
44175077 e88e4af0ff      call    OGL!GdipGetPathPointsI+0x40d5 (44079b0a)
4417507c 5d              pop     ebp
4417507d c21000          ret     10h
44175080 55              push    ebp
44175081 8bec            mov     ebp,esp

> kv
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0013e3a8 440787db 0ab4aea0 0000401d 00000000 OGL!GdipGetImageThumbnail+0x1118e
0013e3c8 44078543 0000401d 00000000 00000000 OGL!GdipGetPathPointsI+0x2da6
0013e3f8 440784cd 0000015c 07915974 07915028 OGL!GdipGetPathPointsI+0x2b0e
0013e410 77f2067f 2f011136 012f2750 07915904 OGL!GdipGetPathPointsI+0x2a98
0013e490 44074c79 2f011136 404ccccc 4407840d GDI32!SetMetaRgn+0x87
0013e4c8 44078750 2f011136 3e460aa3 0013e548 OGL!GdipCreateMetafileFromWmfFile+0x652
0013e568 440785a8 43487fff 3e460aa3 0013e6a0 OGL!GdipGetPathPointsI+0x2d1b
0013e6b8 44074b9a 00000000 42c00000 42c00000 OGL!GdipGetPathPointsI+0x2b73
0013e7b4 4402cfc4 0ab4a320 00000000 00000000 OGL!GdipCreateMetafileFromWmfFile+0x573
0013e818 4403e16f 0ab4a320 0013e840 0013e850 OGL!GdipGetVisibleClipBoundsI+0x1c6
0013e888 438e7d74 00000000 00000000 00000000 OGL!GdipDrawImageRectRect+0x111
0013e998 437a4f9f 0874a780 07aeec68 ad01865f gfx+0x147d74
0013ea64 437b3ec8 0874a780 00000001 0722b898 gfx+0x4f9f
0013ea78 437b3ec8 0874a780 00000000 0722b848 gfx+0x13ec8
0013ea8c 437b3ec8 0874a780 0013eb40 0b06f120 gfx+0x13ec8
0013eaa0 437a4ecd 0874a780 ad018713 0013ee04 gfx+0x13ec8
0013eb28 437aed1a 0722b848 0013eb40 0013f194 gfx+0x4ecd
0013eb70 437aecef 0b06f120 0013ebac 0013f194 gfx+0xed1a
0013eb88 437aecc3 086f2410 0013ebac 0013f194 gfx+0xecef
0013ebf4 437af6fc 0013ec80 086f2410 00000002 gfx+0xecc3

----------------------------------------------------------------------

0:000> u eip
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4]
44175086 ff31            push    dword ptr [ecx]
44175088 8b4d08          mov     ecx,dword ptr [ebp+8]
4417508b 8b01            mov     eax,dword ptr [ecx]
4417508d ff5004          call    dword ptr [eax+4]
44175090 8bc8            mov     ecx,eax
44175092 e8922bebff      call    OGL!GdipDeletePen+0x115 (44027c29)
44175097 5d              pop     ebp

0:000> kvn1
 # ChildEBP RetAddr  Args to Child
00 0013e308 440787db 08f22870 0000401d 00000000 OGL!GdipGetImageThumbnail+0x1118e

0:000> dd ecx+4
00000004  ???????? ???????? ???????? ????????
00000014  ???????? ???????? ???????? ????????
00000024  ???????? ???????? ???????? ????????
00000034  ???????? ???????? ???????? ????????
00000044  ???????? ???????? ???????? ????????
00000054  ???????? ???????? ???????? ????????
00000064  ???????? ???????? ???????? ????????
00000074  ???????? ???????? ???????? ????????

0:000> u eip-11
OGL!GdipGetImageThumbnail+0x1117d:
44175072 ff5004          call    dword ptr [eax+4]
44175075 8bc8            mov     ecx,eax
44175077 e88e4af0ff      call    OGL!GdipGetPathPointsI+0x40d5 (44079b0a)
4417507c 5d              pop     ebp
4417507d c21000          ret     10h
44175080 55              push    ebp
44175081 8bec            mov     ebp,esp
44175083 ff7104          push    dword ptr [ecx+4]    <= crash

OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4]    ds:0023:00000004=????????

----------------------------------------------------------------------
By: HauntIT Blog @ 2016