- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 18078
- Проверка EDB
-
- Пройдено
- Автор
- LUIGI AURIEMMA
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- null
- Дата публикации
- 2011-11-04
Код:
#######################################################################
Luigi Auriemma
Application: Microsoft Excel
http://office.microsoft.com/en-us/excel/
http://office.microsoft.com/en-us/downloads/CD001022531.aspx
Versions: tested Office 2003 11.8335.8333 SP3
Platforms: Windows
Bug: use after free
Exploitation: file
Date: 03 Nov 2011 (found 24 Aug 2011)
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Excel 2003 is a spreadsheet program, part of the Office 2003 suite
still supported by Microsoft.
#######################################################################
======
2) Bug
======
Use-after-free probably located in the code that handles the vbscript
macros:
eax=00492d78 ebx=00000000 ecx=feeefeee edx=00185ff8 esi=004c72b8 edi=00492478
eip=65058591 esp=00185fd0 ebp=0018601c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
VBE6!DllVbeInit+0x40f6f:
65058591 ff11 call dword ptr [ecx] ds:002b:feeefeee=????????
0:000:x86> k
ChildEBP RetAddr
0018601c 6501c0dd VBE6!DllVbeInit+0x40f6f
00186074 6505dee2 VBE6!DllVbeInit+0x4abb
001860a8 6505e21c VBE6!DllVbeInit+0x468c0
00186220 767cbc9c VBE6!DllVbeInit+0x46bfa
00000000 00000000 ole32!StgIsStorageFile+0x764
How to replicate:
- open the proof-of-concept via web or manually
- "An error occurred while loading 'Module1'. Do you want to continue loading the project?"
select No, if you select Yes then the bug doesn't seem to be
replicable
- "Unexpected error (32790)"
select OK
- "Excel found unreadable content in ..."
Yes or No is the same
- now reopen the proof-of-concept and the bug will happen immediately
The reopening of the same file seems necessary probably because the
Office suite uses only one instance of its programs and performs a
particular reallocation of the resources when a file gets reopened.
Note that I have tested only the latest version of Office 2003 on
Windows 7.
The proof-of-concept is NOT optimized.
Modified bytes:
excel_1a.xls:
0006FCA4 AA 01
excel_1b.xls:
0006FCB0 AD 40
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/excel_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18078.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################- Источник
- www.exploit-db.com
