Microsoft Word Document - malformed pointer Proof of Concept

2006-12-12T00:00:00
ID EDB-ID:2922
Type exploitdb
Reporter DiscoJonny
Modified 2006-12-12T00:00:00

Description

Microsoft Word Document (malformed pointer) Proof of Concept. CVE-2006-6561,CVE-2006-6628. Dos exploit for windows platform

                                        
                                            =====
The file I have attached is a very basic two stage bug.  stage 1 (the
first mod) forces the code down a wrong path.  the second mod by
itsself is harmless, however when used with the first it will be the
first and part of the second overwrite.

I have use 41414141 as a marker to make it easier for you to see.

I have made it crash the wordviewer again to make it more obvious

Weight,
location: 00000274
value   : 00000022 - just so it crashes, values 00000001 -> 00000006
are probably the most useful for trying to overwrite a pointer. notice
that neighbouring areas can be weighted the same.

marker,
location: 000027e4
value   : 41414141

the weight destination address == ((weight * 4[this is EDI]) + 4 [ECX*4]) + source memory offest[ESI].

[also the meta data is microsofts, not mine]
======

bug hugs,

disco.

poc: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/2922.doc (12122006-djtest.doc)

# milw0rm.com [2006-12-12]