The Enigma Group

Microsoft Office Excel 2007 - WriteAV Crash PoC


Title     :  Microsoft Office Excel 2007 WriteAV Vulnerability 

Version   :  Microsoft Office professional Plus 2007 SP2

Date      :  2012-11-08

Vendor    :  http://office.microsoft.com 

Impact    :  Med/High 

Contact   :  coolkaveh [at] rocketmail.com 

Twitter   :  @coolkaveh 

tested    :  XP SP3 ENG 

############################################################################### 

Bug : 

---- 

memory corruption during the handling of the xls files a context-dependent attacker  

can execute arbitrary code. 

----  

################################################################################ 

(59c.2fc): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=02f88e00 

ebx=023ef000 

ecx=00000000 

edx=009d0a04 

esi=023ef000 

edi=02f88e28

eip=302d68ca esp=00132eb0 ebp=00132ec0 iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Excel.exe - 

Excel!Ordinal40+0x2d68ca:

302d68ca 894106          mov     dword ptr [ecx+6],eax ds:0023:00000006=????????

First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)

Exception Sub-Type: Write Access Violation



Stack Trace:

Excel!Ordinal40+0x2d68ca

Excel!Ordinal40+0x2da3cd

Excel!Ordinal40+0x2da33a

mso!Ordinal6953+0x1b2

mso!Ordinal3625+0x15a

mso!Ordinal8415+0x41c

mso!Ordinal748+0x6cf

mso!Ordinal2494+0x18d

Excel!Ordinal40+0x265814

Excel!Ordinal40+0x2650d3

Excel!Ordinal40+0x1a1125

Excel!Ordinal40+0x1a2cd5

Excel!Ordinal40+0x1a25f4

Excel!Ordinal40+0x1ac175

Excel!Ordinal40+0x1a3943

Excel!Ordinal40+0x1a3d30

Excel!Ordinal40+0x1a336e

Excel!Ordinal40+0x18f398

Excel!Ordinal40+0x18f0ff

Excel!Ordinal40+0x3093d

Excel!Ordinal40+0x6f630

Excel!Ordinal40+0x6f4db

mso!Ordinal1701+0xebd

mso!Ordinal1701+0xddc

mso!Ordinal1584+0x304

mso!Ordinal1482+0x316

mso!Ordinal9308+0x4bb

mso!Ordinal8194+0x4cf

mso!Ordinal888+0x9d

mso!Ordinal2594+0x538

mso!Ordinal7865+0x125

mso!Ordinal5169+0xa5

mso!Ordinal4629+0x820

mso!Ordinal4369+0xd0

mso!Ordinal3268+0x3ff

mso!Ordinal7696+0x139

mso!Ordinal3268+0x3c0

mso!Ordinal4424+0x663

mso!Ordinal4960+0x1e2

mso!Ordinal387+0x60b

mso!Ordinal3989+0x13c

mso!Ordinal754+0x72

mso!Ordinal3910+0x47

mso!Ordinal4360+0x23c

mso!Ordinal3804+0x3f

mso!Ordinal9064+0x21ed3

mso!Ordinal3594+0x3db

mso!Ordinal387+0x60b

mso!Ordinal3989+0x13c

mso!Ordinal6715+0xa2

mso!Ordinal2180+0x665

mso!Ordinal4294+0x14

mso!Ordinal4620+0x38c

mso!Ordinal6136+0x68a

mso!Ordinal1585+0xb5

USER32!GetDC+0x6d

USER32!GetDC+0x14f

USER32!GetWindowLongW+0x127

USER32!DispatchMessageW+0xf

Excel!Ordinal40+0x28db4

Excel!Ordinal40+0x28ac7

Excel!Ordinal40+0x3b58

Excel!Ordinal40+0x386c

kernel32!RegisterWaitForInputIdle+0x49

Instruction Address: 0x00000000302d68ca



0:000> kd

00132ec0  00132ef8 <Unloaded_ion.dll>+0x132ef7

00132ec4  302da3cd Excel!Ordinal40+0x2da3cd

00132ec8  00132f88 <Unloaded_ion.dll>+0x132f87

00132ecc  0357e5a0 <Unloaded_ion.dll>+0x357e59f

00132ed0  00133180 <Unloaded_ion.dll>+0x13317f

00132ed4  0357e5a0 <Unloaded_ion.dll>+0x357e59f

00132ed8  03332400 <Unloaded_ion.dll>+0x33323ff

00132edc  00000008 <Unloaded_ion.dll>+0x7

00132ee0  03332400 <Unloaded_ion.dll>+0x33323ff

00132ee4  30101614 Excel!Ordinal40+0x101614

00132ee8  00000000

00132eec  30267f92 Excel!Ordinal40+0x267f92

00132ef0  00133194 <Unloaded_ion.dll>+0x133193

00132ef4  00132f1c <Unloaded_ion.dll>+0x132f1b

00132ef8  00132f0c <Unloaded_ion.dll>+0x132f0b

00132efc  302da33a Excel!Ordinal40+0x2da33a

00132f00  023ef000 <Unloaded_ion.dll>+0x23eefff

00132f04  00132f88 <Unloaded_ion.dll>+0x132f87

00132f08  0357e5a0 <Unloaded_ion.dll>+0x357e59f

00132f0c  00132fb8 <Unloaded_ion.dll>+0x132fb7

################################################################################ 

Proof of concept included.



http://www19.zippyshare.com/v/5620945/file.html 

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22591.rar