Exploit Microsoft Excel 2003 11.8335.8333 - Use-After-Free

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
18078
Проверка EDB
  1. Пройдено
Автор
LUIGI AURIEMMA
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
null
Дата публикации
2011-11-04
Код:
#######################################################################

                             Luigi Auriemma

Application:  Microsoft Excel
              http://office.microsoft.com/en-us/excel/
              http://office.microsoft.com/en-us/downloads/CD001022531.aspx
Versions:     tested Office 2003 11.8335.8333 SP3
Platforms:    Windows
Bug:          use after free
Exploitation: file
Date:         03 Nov 2011 (found 24 Aug 2011)
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Excel 2003 is a spreadsheet program, part of the Office 2003 suite
still supported by Microsoft.


#######################################################################

======
2) Bug
======


Use-after-free probably located in the code that handles the vbscript
macros:

  eax=00492d78 ebx=00000000 ecx=feeefeee edx=00185ff8 esi=004c72b8 edi=00492478
  eip=65058591 esp=00185fd0 ebp=0018601c iopl=0         nv up ei pl nz na pe nc
  cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
  VBE6!DllVbeInit+0x40f6f:
  65058591 ff11            call    dword ptr [ecx]      ds:002b:feeefeee=????????
  0:000:x86> k
  ChildEBP RetAddr  
  0018601c 6501c0dd VBE6!DllVbeInit+0x40f6f
  00186074 6505dee2 VBE6!DllVbeInit+0x4abb
  001860a8 6505e21c VBE6!DllVbeInit+0x468c0
  00186220 767cbc9c VBE6!DllVbeInit+0x46bfa
  00000000 00000000 ole32!StgIsStorageFile+0x764

How to replicate:
- open the proof-of-concept via web or manually
- "An error occurred while loading 'Module1'. Do you want to continue loading the project?"
  select No, if you select Yes then the bug doesn't seem to be
  replicable
- "Unexpected error (32790)"
  select OK
- "Excel found unreadable content in ..."
  Yes or No is the same
- now reopen the proof-of-concept and the bug will happen immediately

The reopening of the same file seems necessary probably because the
Office suite uses only one instance of its programs and performs a
particular reallocation of the resources when a file gets reopened.

Note that I have tested only the latest version of Office 2003 on
Windows 7.

The proof-of-concept is NOT optimized.

Modified bytes:
excel_1a.xls:
0006FCA4   AA       01

excel_1b.xls:
0006FCB0   AD       40


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/excel_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18078.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
 
Источник
www.exploit-db.com

Похожие темы