ðòïåëôù 


  áòèé÷ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 


  ðåòóïîáìøîïå 


  ðòïçòáííù 



ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] "Microsoft Office Excel 2003" Hlink Stack/SEH Overflow Exploit




Message: 8
Date: Wed, 28 Jun 2006 00:30:25 +0200
From: FistFuXXer <FistFuXXer@xxxxxx>
Subject: [Full-disclosure] "Microsoft Office Excel 2003" Hlink
        Stack/SEH       Overflow Exploit
To: "[Full-Disclosure]" <full-disclosure@xxxxxxxxxxxxxxxxx>
Message-ID: <44A1B181.3080603@xxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A list member asked me on Tuesday for PoC code to learn more about SEH
exploitation. So I wrote the exploit that's attached to this email. I
think that it can be useful for other people, too.

The generated .xls file has been successfully tested against the latest
Microsoft Office Excel 2003 version (German; 11.8012.6568; SP2) running
on the latest Windows versions (Win 2000/XP/2003). Hardware side NX-Bit
protection and software side Windows DEP protection was enabled on the
test machine.

Other public exploits for this issue aren't able to bypass this
protections because they use addresses that get filtered by the SEH
frame protection. They also use an old technique that executes the
shellcode on the stack that isn't marked as executable. This exploit
executes the code in the executable .data section. The only problem is
that the offset could be different from version to version.

Note that I filled the whole stack with the shellcode address and that
this isn't a sign that I'm too stupid to predict the SEH offset. :-) I
did this because the stack layout is different when you execute it on
another Windows version.


Sincerely yours,
Manuel Santamarina Suarez
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)

iD8DBQFEobGBPF/cBnCBnL0RArnxAKCNcodzwhqYv/sbncNhxKz2XLvDawCfYr6n
w1cKaE+xIKXKU8Ye0OERF9Y=
=J9ZI
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: latest_version.jpg
Type: image/jpeg
Size: 53277 bytes
Desc: not available
Url :
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060628/
84e0cfc4/latest_version.jpg
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hlink_exploit.pl
Url:
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060628/
84e0cfc4/hlink_exploit.pl




 




Copyright © Lexa Software, 1996-2009.