32 lines
No EOL
970 B
Text
=====
The file I have attached is a very basic two-stage bug. Stage 1 (the
first mod) forces the code down a wrong path. The second mod by
itself is harmless; however, when used with the first, it will be the
first and part of the second overwrite.

I have used 41414141 as a marker to make it easier for you to see.

I have made it crash the Word viewer again to make it more obvious.

Weight,
location: 00000274
value : 00000022 - just so it crashes; values 00000001 -> 00000006
are probably the most useful for trying to overwrite a pointer. Notice
that neighbouring areas can be weighted the same.

marker,
location: 000027e4
value : 41414141

the weight destination address == ((weight * 4) [this is EDI] + 4 [ECX*4]) + source memory offset [ESI].

[also the metadata is Microsoft's, not mine]
======

bug hugs,

disco.

poc: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/2922.doc (12122006-djtest.doc)

# milw0rm.com [2006-12-12]