Title : Microsoft Office OneNote 2010 WriteAV Vulnerability
Version : Microsoft Office professional Plus 2010
Date : 2012-11-19
Vendor : http://office.microsoft.com
Impact : Med/High
Contact : coolkaveh [at] rocketmail.com
Twitter : @coolkaveh
Tested : XP SP3 ENG
###############################################################################
Bug :
----
Memory corruption occurs during the handling of .one files.
How can I make sure a crash is not exploitable? (( The short answer is
simple: assume every crash is exploitable and just fix it. ))
Or
"defective software is OK."
----
################################################################################
(b70.998): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=05eb3701 ecx=062baa08 edx=00005b3f esi=062baa08 edi=00000000
eip=3acdee22 esp=00125dbc ebp=00125dc4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\ONMain.DLL -
ONMain!MsoCF::Frame::Finish+0x14bd2:
3acdee22 c7050000000001000000 mov dword ptr ds:[0],1 ds:0023:00000000=????????
---------------------------------------------------------------------------------