LLegoLLaS Posted November 10, 2012

Title : Microsoft Office Excel 2007 WriteAV Vulnerability
Version : Microsoft Office Professional Plus 2007 SP2
Date : 2012-11-08
Vendor : http://office.microsoft.com
Impact : Med/High
Contact : coolkaveh [at] rocketmail.com
Twitter : @coolkaveh
Tested : XP SP3 ENG
###############################################################################
Bug :
----
Memory corruption during the handling of xls files; a context-dependent attacker
can execute arbitrary code.
----
################################################################################
(59c.2fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02f88e00 ebx=023ef000 ecx=00000000 edx=009d0a04 esi=023ef000 edi=02f88e28
eip=302d68ca esp=00132eb0 ebp=00132ec0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Excel.exe -
Excel!Ordinal40+0x2d68ca:
302d68ca 894106          mov     dword ptr [ecx+6],eax ds:0023:00000006=????????
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Stack Trace:
Excel!Ordinal40+0x2d68ca
Excel!Ordinal40+0x2da3cd
Excel!Ordinal40+0x2da33a
mso!Ordinal6953+0x1b2
mso!Ordinal3625+0x15a
mso!Ordinal8415+0x41c
mso!Ordinal748+0x6cf
mso!Ordinal2494+0x18d
Excel!Ordinal40+0x265814
Excel!Ordinal40+0x2650d3
Excel!Ordinal40+0x1a1125
Excel!Ordinal40+0x1a2cd5
Excel!Ordinal40+0x1a25f4
Excel!Ordinal40+0x1ac175
Excel!Ordinal40+0x1a3943
Excel!Ordinal40+0x1a3d30
Excel!Ordinal40+0x1a336e
Excel!Ordinal40+0x18f398
Excel!Ordinal40+0x18f0ff
Excel!Ordinal40+0x3093d
Excel!Ordinal40+0x6f630
Excel!Ordinal40+0x6f4db
mso!Ordinal1701+0xebd
mso!Ordinal1701+0xddc
mso!Ordinal1584+0x304
mso!Ordinal1482+0x316
mso!Ordinal9308+0x4bb
mso!Ordinal8194+0x4cf
mso!Ordinal888+0x9d
mso!Ordinal2594+0x538
mso!Ordinal7865+0x125
mso!Ordinal5169+0xa5
mso!Ordinal4629+0x820
mso!Ordinal4369+0xd0
mso!Ordinal3268+0x3ff
mso!Ordinal7696+0x139
mso!Ordinal3268+0x3c0
mso!Ordinal4424+0x663
mso!Ordinal4960+0x1e2
mso!Ordinal387+0x60b
mso!Ordinal3989+0x13c
mso!Ordinal754+0x72
mso!Ordinal3910+0x47
mso!Ordinal4360+0x23c
mso!Ordinal3804+0x3f
mso!Ordinal9064+0x21ed3
mso!Ordinal3594+0x3db
mso!Ordinal387+0x60b
mso!Ordinal3989+0x13c
mso!Ordinal6715+0xa2
mso!Ordinal2180+0x665
mso!Ordinal4294+0x14
mso!Ordinal4620+0x38c
mso!Ordinal6136+0x68a
mso!Ordinal1585+0xb5
USER32!GetDC+0x6d
USER32!GetDC+0x14f
USER32!GetWindowLongW+0x127
USER32!DispatchMessageW+0xf
Excel!Ordinal40+0x28db4
Excel!Ordinal40+0x28ac7
Excel!Ordinal40+0x3b58
Excel!Ordinal40+0x386c
kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x00000000302d68ca
0:000> kd
00132ec0 00132ef8 <Unloaded_ion.dll>+0x132ef7
00132ec4 302da3cd Excel!Ordinal40+0x2da3cd
00132ec8 00132f88 <Unloaded_ion.dll>+0x132f87
00132ecc 0357e5a0 <Unloaded_ion.dll>+0x357e59f
00132ed0 00133180 <Unloaded_ion.dll>+0x13317f
00132ed4 0357e5a0 <Unloaded_ion.dll>+0x357e59f
00132ed8 03332400 <Unloaded_ion.dll>+0x33323ff
00132edc 00000008 <Unloaded_ion.dll>+0x7
00132ee0 03332400 <Unloaded_ion.dll>+0x33323ff
00132ee4 30101614 Excel!Ordinal40+0x101614
00132ee8 00000000
00132eec 30267f92 Excel!Ordinal40+0x267f92
00132ef0 00133194 <Unloaded_ion.dll>+0x133193
00132ef4 00132f1c <Unloaded_ion.dll>+0x132f1b
00132ef8 00132f0c <Unloaded_ion.dll>+0x132f0b
00132efc 302da33a Excel!Ordinal40+0x2da33a
00132f00 023ef000 <Unloaded_ion.dll>+0x23eefff
00132f04 00132f88 <Unloaded_ion.dll>+0x132f87
00132f08 0357e5a0 <Unloaded_ion.dll>+0x357e59f
00132f0c 00132fb8 <Unloaded_ion.dll>+0x132fb7
################################################################################
Proof of concept included.
http://www19.zippyshare.com/v/5620945/file.html
http://www.exploit-db.com/sploits/22591.rar
Copyright 2012 - BugSearch

Source: bugsearch
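The advisory above consists almost entirely of raw WinDbg output, and the first thing a triage analyst does with such a dump is pull out the facts that matter: the exception code, whether the faulting instruction reads or writes, the effective address it touched, and which register that address was derived from. The helper below is an added example written for this page, not code from the advisory author or from BugSearch. Its sample input is an excerpt copied from the crash log in the post; the function names (`triage`, `parse_fault`, `memory_operand_base`) and the 64 KB "near-null" threshold are the example's own choices.

```python
import re

# Excerpt of the WinDbg output quoted in the post above (copied from the
# advisory, trimmed to the lines the triage helper needs).
CRASH_LOG = """(59c.2fc): Access violation - code c0000005 (first chance)
eax=02f88e00 ebx=023ef000 ecx=00000000 edx=009d0a04 esi=023ef000 edi=02f88e28
eip=302d68ca esp=00132eb0 ebp=00132ec0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
Excel!Ordinal40+0x2d68ca:
302d68ca 894106          mov     dword ptr [ecx+6],eax ds:0023:00000006=????????
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Stack Trace:
Excel!Ordinal40+0x2d68ca
Excel!Ordinal40+0x2da3cd
Excel!Ordinal40+0x2da33a
mso!Ordinal6953+0x1b2
"""

REG_RE = re.compile(r"\b([a-z]{2,3})=([0-9a-f]{8})\b")
EXC_CODE_RE = re.compile(r"code ([0-9a-f]{8})")
SUBTYPE_RE = re.compile(r"Exception Sub-Type:\s*(Read|Write|Execute) Access Violation", re.I)
# "addr  opcode-bytes  mnemonic  operands [segment:selector:effective-address=value]"
FAULT_LINE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+(\w+)\s+(.*)$")
EA_RE = re.compile(r"[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})=")


def parse_registers(log):
    """Collect the 32-bit general-purpose registers from the 'eax=... ebx=...' lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(log)}


def parse_fault(log):
    """Return the disassembled faulting instruction and the effective address WinDbg annotated."""
    for line in log.splitlines():
        m = FAULT_LINE_RE.match(line)
        if not m:
            continue
        addr, _opbytes, mnemonic, rest = m.groups()
        ea = EA_RE.search(rest)
        operands = rest[:ea.start()].strip() if ea else rest.strip()
        return {
            "address": int(addr, 16),
            "mnemonic": mnemonic,
            "operands": operands,
            "effective_address": int(ea.group(1), 16) if ea else None,
        }
    return None


def access_type(fault, log):
    """Prefer the debugger's own sub-type line; otherwise infer from operand position."""
    m = SUBTYPE_RE.search(log)
    if m:
        return m.group(1).lower()
    # Intel syntax puts the destination first, so a memory operand before the
    # comma means the instruction writes to memory.
    return "write" if "[" in fault["operands"].split(",")[0] else "read"


def memory_operand_base(fault, regs):
    """Base register of the memory operand and its value at the crash, e.g. ('ecx', 0)."""
    m = re.search(r"\[([a-z]{3})", fault["operands"])
    return (m.group(1), regs.get(m.group(1))) if m else None


def triage(log):
    """Summarise a WinDbg access-violation dump into the fields a first-pass triage needs."""
    regs = parse_registers(log)
    fault = parse_fault(log)
    code = EXC_CODE_RE.search(log)
    top = re.search(r"Stack Trace:\n(\S+)", log)
    ea = fault["effective_address"]
    return {
        "exception_code": int(code.group(1), 16) if code else None,
        "access": access_type(fault, log),
        "faulting_eip": fault["address"],
        "instruction": f'{fault["mnemonic"]} {fault["operands"]}',
        "effective_address": ea,
        # The lowest 64 KB of a Win32 process is never mapped, so a target in that
        # range points at a NULL-derived pointer rather than at real data.
        "near_null": ea is not None and ea < 0x10000,
        "base_register": memory_operand_base(fault, regs),
        "registers": regs,
        "top_frame": top.group(1) if top else None,
    }


if __name__ == "__main__":
    for key, value in triage(CRASH_LOG).items():
        if key != "registers":
            print(f"{key:>18}: {value}")
```

Run against the post's dump, the summary confirms what the register line already implies: `ecx` is zero, so `[ecx+6]` resolves to address 6, matching the `ds:0023:00000006` annotation, and the instruction is a write. That makes the crash deterministic, since the low 64 KB is never mapped, but the log alone does not show whether the file content controls `ecx`, which is the question that separates a reliable denial of service from the arbitrary-code-execution impact the advisory claims.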