Microsoft Publisher 2010 - Crash (PoC)

Published: 28 Oct 2012 | Reported by: coolkaveh | Type: exploitdb | Source: www.exploit-db.com

Memory corruption in Microsoft Office Publisher 2010 while handling a crafted .pub file. Reporter-assessed impact: Med/High. The reporter claims arbitrary code execution; the supplied proof of concept demonstrates a crash that !exploitable rates PROBABLY_EXPLOITABLE.

Title     :  Microsoft Office Publisher 2010 memory corruption
Version   :  Microsoft Office Professional Plus 2010
Date      :  2012-10-25
Vendor    :  http://office.microsoft.com
Impact    :  Med/High
Contact   :  coolkaveh [at] rocketmail.com
Twitter   :  @coolkaveh
Tested    :  Windows XP SP3 ENG
###############################################################################
Bug :
----
Memory corruption during the handling of .pub files; a context-dependent attacker
who convinces a user to open a crafted file could execute arbitrary code. The
supplied file triggers the crash analysed below.
----
################################################################################
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000012 ebx=00000002 ecx=00000004 edx=00000002 esi=00000000 edi=0012f7e4
eip=7855b450 esp=0012f7a4 ebp=0012f7ac iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210297
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\MSVCR90.dll -
MSVCR90!memmove+0x140:
7855b450 8b448ef0        mov     eax,dword ptr [esi+ecx*4-10h]
ds:0023:00000000=????????
0:000> !exploitable -v
eax=00000012 ebx=00000002 ecx=00000004 edx=00000002 esi=00000000 edi=0012f7e4
eip=7855b450 esp=0012f7a4 ebp=0012f7ac iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210297
MSVCR90!memmove+0x140:
7855b450 8b448ef0        mov     eax,dword ptr [esi+ecx*4-10h]
ds:0023:00000000=????????
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
*** ERROR: Module load completed but symbols could not be loaded for mspub.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:7855b450 mov eax,dword ptr [esi+ecx*4-10h]

Basic Block:
7855b450 mov eax,dword ptr [esi+ecx*4-10h]
Tainted Input Operands: ecx, esi
7855b454 mov dword ptr [edi+ecx*4-10h],eax
Tainted Input Operands: eax, ecx
7855b458 mov eax,dword ptr [esi+ecx*4-0ch]
Tainted Input Operands: ecx, esi
7855b45c mov dword ptr [edi+ecx*4-0ch],eax
Tainted Input Operands: eax, ecx
7855b460 mov eax,dword ptr [esi+ecx*4-8]
Tainted Input Operands: ecx, esi
7855b464 mov dword ptr [edi+ecx*4-8],eax
Tainted Input Operands: eax, ecx
7855b468 mov eax,dword ptr [esi+ecx*4-4]
Tainted Input Operands: ecx, esi
7855b46c mov dword ptr [edi+ecx*4-4],eax
Tainted Input Operands: eax, ecx
7855b470 lea eax,[ecx*4]
Tainted Input Operands: ecx
7855b477 add esi,eax
Tainted Input Operands: eax, esi
7855b479 add edi,eax
Tainted Input Operands: eax
7855b47b jmp dword ptr msvcr90!memmove+0x174 (7855b484)[edx*4]

Exception Hash (Major/Minor): 0x56372064.0x42094b36

Stack Trace:
MSVCR90!memmove+0x140
mspub+0x83638
mspub+0x63f02
mspub+0x64189
mspub+0x64c1b
mso!Ordinal5220+0x676
mso!Ordinal7862+0x547
mspub+0x98ca5
mspub+0x953fe
USER32!GetDC+0x6d
USER32!GetDC+0x14f
USER32!DefWindowProcW+0x180
USER32!DefWindowProcW+0x1cc
ntdll!KiUserCallbackDispatcher+0x13
USER32!DispatchMessageW+0xf
mso!Ordinal9774+0x23
mspub+0x341c0
mspub+0x212d
mspub+0x20d0
mspub+0x2083
kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x000000007855b450

Description: Data from Faulting Address controls subsequent Write Address
Short Description: TaintedDataControlsWriteAddress
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at MSVCR90!memmove+0x0000000000000140 (Hash=0x56372064.0x42094b36)

The data from the faulting address is later used as the target for a later write.
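Reading the dump: the fault is inside the CRT's unrolled dword copy loop in MSVCR90!memmove, with esi (the source pointer) = 0 and ecx = 4, so the load from [esi+ecx*4-10h] hits address 0x0. !exploitable flags the block because eax, loaded from that tainted address, is stored through edi two instructions later. The practitioner's caveat is that a read from a NULL source is, on its own, a denial of service; it becomes code execution only if the file format lets the attacker steer that source pointer (or the length) to memory they control, which the published PoC does not demonstrate. The C below is an added example, not code from the advisory or from Publisher: it uses a made-up record container (the "PUBX" header, record table and blob are all assumptions, not the real .pub layout) to show the unchecked offset/length-to-memmove pattern that produces exactly this kind of wild-source copy, next to the hardened form that validates every file-derived field by subtraction so the bounds check itself cannot wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed container, NOT the real .pub layout (assumption for illustration):
 *   u32 magic "PUBX" | u32 nrecords | nrecords x { u32 offset; u32 length } | blob
 * Record offsets index into the blob; extracted records are appended to out. */
enum { PUBX_MAGIC = 0x58425550u, HDR_LEN = 8, REC_LEN = 8 };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: file-supplied offset/length go straight into memmove.
 * A hostile offset makes the source pointer wild (NULL-relative when the blob
 * base is small, cf. esi=0 above), and the bytes read then feed the write
 * side, which is what !exploitable's taint tracking reports. */
static size_t extract_records_unsafe(const uint8_t *buf, size_t len,
                                     uint8_t *out, size_t out_len)
{
    (void)len; (void)out_len;                      /* never consulted */
    uint32_t n = le32(buf + 4);
    const uint8_t *blob = buf + HDR_LEN + (size_t)n * REC_LEN;
    size_t used = 0;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *rec = buf + HDR_LEN + (size_t)i * REC_LEN;
        uint32_t off = le32(rec), rlen = le32(rec + 4);
        memmove(out + used, blob + off, rlen);     /* unchecked copy */
        used += rlen;
    }
    return used;
}

/* Hardened form: every field that becomes a pointer or a length is checked
 * against the bytes that really exist, by subtraction so the comparison
 * cannot wrap. Returns the record count, or -1 on any malformed input. */
static long extract_records_safe(const uint8_t *buf, size_t len,
                                 uint8_t *out, size_t out_len, size_t *out_used)
{
    *out_used = 0;
    if (len < HDR_LEN || le32(buf) != PUBX_MAGIC) return -1;
    uint32_t n = le32(buf + 4);
    if (n > (len - HDR_LEN) / REC_LEN) return -1;  /* record table must fit */
    size_t table_len = (size_t)n * REC_LEN;
    const uint8_t *blob = buf + HDR_LEN + table_len;
    size_t blob_len = len - HDR_LEN - table_len, used = 0;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *rec = buf + HDR_LEN + (size_t)i * REC_LEN;
        uint32_t off = le32(rec), rlen = le32(rec + 4);
        if (off > blob_len || rlen > blob_len - off) return -1; /* source in range */
        if (rlen > out_len - used) return -1;                   /* dest in range */
        memmove(out + used, blob + off, rlen);
        used += rlen;
    }
    *out_used = used;
    return (long)n;
}

/* Constructed sample files. */
static const uint8_t GOOD_FILE[] = {
    'P','U','B','X', 2,0,0,0,
    0,0,0,0, 5,0,0,0,                     /* record 0 -> "hello" */
    5,0,0,0, 5,0,0,0,                     /* record 1 -> "world" */
    'h','e','l','l','o','w','o','r','l','d'
};
static const uint8_t WRAP_FILE[] = {      /* offset+length wraps to 0 in u32 */
    'P','U','B','X', 1,0,0,0,
    0xf0,0xff,0xff,0xff, 0x10,0,0,0,
    'h','e','l','l','o'
};
static const uint8_t COUNT_FILE[] = {     /* claims 2^28 records in 12 bytes */
    'P','U','B','X', 0,0,0,0x10, 1,2,3,4
};

static int good_file_extracts(void)
{
    uint8_t out[32]; size_t used = 0;
    long n = extract_records_safe(GOOD_FILE, sizeof GOOD_FILE, out, sizeof out, &used);
    return n == 2 && used == 10 && memcmp(out, "helloworld", 10) == 0;
}
static int wrap_file_rejected(void)
{
    uint8_t out[32]; size_t used = 0;
    return extract_records_safe(WRAP_FILE, sizeof WRAP_FILE, out, sizeof out, &used) == -1;
}
static int count_file_rejected(void)
{
    uint8_t out[32]; size_t used = 0;
    return extract_records_safe(COUNT_FILE, sizeof COUNT_FILE, out, sizeof out, &used) == -1;
}

int main(void)
{
    uint8_t out[32];
    printf("well-formed file : %s\n", good_file_extracts() ? "extracted" : "FAILED");
    printf("unsafe, same file: %zu bytes copied\n",
           extract_records_unsafe(GOOD_FILE, sizeof GOOD_FILE, out, sizeof out));
    printf("wrapping record  : %s\n", wrap_file_rejected() ? "rejected" : "ACCEPTED");
    printf("bogus count      : %s\n", count_file_rejected() ? "rejected" : "ACCEPTED");
    /* extract_records_unsafe(WRAP_FILE, ...) is deliberately not called: it
     * would read from blob+0xfffffff0 and fault, as the real parser did. */
    return 0;
}
```

The WRAP_FILE case is the one worth remembering: a check written as `off + rlen <= blob_len` passes when the 32-bit sum wraps to 0, while `off > blob_len || rlen > blob_len - off` cannot. The bogus-count case shows the same discipline applied to the header before the record table is even touched; a parser that multiplies an untrusted count by the record size without this check has already lost.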
################################################################################
Proof of concept included.
http://www31.zippyshare.com/v/29089672/file.html
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22310.rar
