首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Office Excel 2007 WriteAV Vulnerability
来源:coolkaveh [at] rocketmail.com 作者:coolkaveh 发布时间:2012-11-09  
Title     :  Microsoft Office Excel 2007 WriteAV Vulnerability 
Version   :  Microsoft Office professional Plus 2007 SP2
Date      :  2012-11-08
Vendor    :  http://office.microsoft.com 
Impact    :  Med/High 
Contact   :  coolkaveh [at] rocketmail.com 
Twitter   :  @coolkaveh 
tested    :  XP SP3 ENG 
############################################################################### 
Bug : 
---- 
memory corruption during the handling of the xls files a context-dependent attacker  
can execute arbitrary code. 
----  
################################################################################ 
(59c.2fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02f88e00 
ebx=023ef000 
ecx=00000000 
edx=009d0a04 
esi=023ef000 
edi=02f88e28
eip=302d68ca esp=00132eb0 ebp=00132ec0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Excel.exe - 
Excel!Ordinal40+0x2d68ca:
302d68ca 894106          mov     dword ptr [ecx+6],eax ds:0023:00000006=????????
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Stack Trace:
Excel!Ordinal40+0x2d68ca
Excel!Ordinal40+0x2da3cd
Excel!Ordinal40+0x2da33a
mso!Ordinal6953+0x1b2
mso!Ordinal3625+0x15a
mso!Ordinal8415+0x41c
mso!Ordinal748+0x6cf
mso!Ordinal2494+0x18d
Excel!Ordinal40+0x265814
Excel!Ordinal40+0x2650d3
Excel!Ordinal40+0x1a1125
Excel!Ordinal40+0x1a2cd5
Excel!Ordinal40+0x1a25f4
Excel!Ordinal40+0x1ac175
Excel!Ordinal40+0x1a3943
Excel!Ordinal40+0x1a3d30
Excel!Ordinal40+0x1a336e
Excel!Ordinal40+0x18f398
Excel!Ordinal40+0x18f0ff
Excel!Ordinal40+0x3093d
Excel!Ordinal40+0x6f630
Excel!Ordinal40+0x6f4db
mso!Ordinal1701+0xebd
mso!Ordinal1701+0xddc
mso!Ordinal1584+0x304
mso!Ordinal1482+0x316
mso!Ordinal9308+0x4bb
mso!Ordinal8194+0x4cf
mso!Ordinal888+0x9d
mso!Ordinal2594+0x538
mso!Ordinal7865+0x125
mso!Ordinal5169+0xa5
mso!Ordinal4629+0x820
mso!Ordinal4369+0xd0
mso!Ordinal3268+0x3ff
mso!Ordinal7696+0x139
mso!Ordinal3268+0x3c0
mso!Ordinal4424+0x663
mso!Ordinal4960+0x1e2
mso!Ordinal387+0x60b
mso!Ordinal3989+0x13c
mso!Ordinal754+0x72
mso!Ordinal3910+0x47
mso!Ordinal4360+0x23c
mso!Ordinal3804+0x3f
mso!Ordinal9064+0x21ed3
mso!Ordinal3594+0x3db
mso!Ordinal387+0x60b
mso!Ordinal3989+0x13c
mso!Ordinal6715+0xa2
mso!Ordinal2180+0x665
mso!Ordinal4294+0x14
mso!Ordinal4620+0x38c
mso!Ordinal6136+0x68a
mso!Ordinal1585+0xb5
USER32!GetDC+0x6d
USER32!GetDC+0x14f
USER32!GetWindowLongW+0x127
USER32!DispatchMessageW+0xf
Excel!Ordinal40+0x28db4
Excel!Ordinal40+0x28ac7
Excel!Ordinal40+0x3b58
Excel!Ordinal40+0x386c
kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x00000000302d68ca

0:000> kd
00132ec0  00132ef8 <Unloaded_ion.dll>+0x132ef7
00132ec4  302da3cd Excel!Ordinal40+0x2da3cd
00132ec8  00132f88 <Unloaded_ion.dll>+0x132f87
00132ecc  0357e5a0 <Unloaded_ion.dll>+0x357e59f
00132ed0  00133180 <Unloaded_ion.dll>+0x13317f
00132ed4  0357e5a0 <Unloaded_ion.dll>+0x357e59f
00132ed8  03332400 <Unloaded_ion.dll>+0x33323ff
00132edc  00000008 <Unloaded_ion.dll>+0x7
00132ee0  03332400 <Unloaded_ion.dll>+0x33323ff
00132ee4  30101614 Excel!Ordinal40+0x101614
00132ee8  00000000
00132eec  30267f92 Excel!Ordinal40+0x267f92
00132ef0  00133194 <Unloaded_ion.dll>+0x133193
00132ef4  00132f1c <Unloaded_ion.dll>+0x132f1b
00132ef8  00132f0c <Unloaded_ion.dll>+0x132f0b
00132efc  302da33a Excel!Ordinal40+0x2da33a
00132f00  023ef000 <Unloaded_ion.dll>+0x23eefff
00132f04  00132f88 <Unloaded_ion.dll>+0x132f87
00132f08  0357e5a0 <Unloaded_ion.dll>+0x357e59f
00132f0c  00132fb8 <Unloaded_ion.dll>+0x132fb7
################################################################################ 
Proof of concept included.
http://www19.zippyshare.com/v/5620945/file.html 

					

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Invision Power Board 3.3.4 Uns
·Zoner Photo Studio 15 Buffer O
·LibreOffice Suite 3.5.5.3 Deni
·Microsoft Office Excel 2013 me
·GOM Video Converter Buffer Ove
·Microsoft Publisher 2013 memor
·BigAnt Server 2.52 Stack Overf
·Microsoft Visio 2010 memory co
·WinRM VBS Remote Code Executio
·A-PDF All to MP3 Converter v.2
·EMC Networker Format String
·Apache downloader patch auto E
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved