Microsoft Visio 2010 – Crash (PoC)

• Exploit Database
• 14 阅读

• 作者： coolkaveh
  日期： 2012-11-13
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/22679/

• Title :Microsoft Visio 2010 memory corruption
  Version :Microsoft Visio Premium 2010 SP1
  Date:2012-11-12
  Vendor:http://office.microsoft.com
  Impact:Med/High
  Contact :coolkaveh [at] rocketmail.com
  Twitter :@coolkaveh
  tested:Windows XP SP3 ENG
  ###############################################################################
  Bug :
  ----
  memory corruption during the handling of the vsd files a context-dependent attacker 
  can execute arbitrary code.
  ---- 
  ################################################################################
  (c18.c0c): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=00000000 
  ebx=05ddd70c 
  ecx=05db01cc 
  edx=00000000 
  esi=6095f708 
  edi=6095f708
  eip=600c7b69 
  esp=0012de78 
  ebp=0012de78 iopl=0 nv up ei pl nz na po nc
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010202
  *** ERROR: Symbol file could not be found.
  Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\VISLIB.dll - 
  VISLIB!Ordinal1+0xc029b:
  600c7b69 6683780218cmp word ptr [eax+2],18h ds:0023:00000002=????
  -----------------------------------------------------------------------------------------
  HostMachine\HostUser
  Executing Processor Architecture is x86
  Debuggee is in User Mode
  Debuggee is a live user mode debugging session on the local machine
  Event Type: Exception
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for ntdll.dll - 
  Exception Faulting Address: 0x2
  First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
  Exception Sub-Type: Read Access Violation
  
  Faulting Instruction:600c7b69 cmp word ptr [eax+2],18h
  Missing image name, possible paged-out or corrupt data.
  
  Basic Block:
  600c7b69 cmp word ptr [eax+2],18h
   Tainted Input Operands: eax
  600c7b6e sbb eax,eax
  600c7b70 and eax,offset <unloaded_l32.dll>+0x7f (00000080)
   Tainted Input Operands: eax
  600c7b75 pop ebp
  600c7b76 ret 4
   Tainted Input Operands: eax
  
  Exception Hash (Major/Minor): 0x05626b64.0x04025a3c
  
  Stack Trace:
  VISLIB!Ordinal1+0xc029b
  VISLIB!Ordinal1+0xc5d91
  VISLIB!Ordinal1+0xc01ea
  VISLIB!Ordinal1+0xbfe27
  VISLIB!Ordinal1+0xbfd8f
  VISLIB!Ordinal1+0xbff8b
  VISLIB!Ordinal1+0xbfe8e
  VISLIB!Ordinal1+0x28f325
   
  ################################################################################
  Proof of concept included.
  
  http://www24.zippyshare.com/v/85134950/file.html
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22679.rar