Microsoft Word Document - malformed pointer Proof of Concept

ID EDB-ID:2922
Type exploitdb
Reporter DiscoJonny
Modified 2006-12-12T00:00:00


Microsoft Word Document (malformed pointer) Proof of Concept. CVE-2006-6561,CVE-2006-6628. Dos exploit for windows platform

The file I have attached is a very basic two stage bug.  stage 1 (the
first mod) forces the code down a wrong path.  the second mod by
itsself is harmless, however when used with the first it will be the
first and part of the second overwrite.

I have use 41414141 as a marker to make it easier for you to see.

I have made it crash the wordviewer again to make it more obvious

location: 00000274
value   : 00000022 - just so it crashes, values 00000001 -> 00000006
are probably the most useful for trying to overwrite a pointer. notice
that neighbouring areas can be weighted the same.

location: 000027e4
value   : 41414141

the weight destination address == ((weight * 4[this is EDI]) + 4 [ECX*4]) + source memory offest[ESI].

[also the meta data is microsofts, not mine]

bug hugs,


poc: (12122006-djtest.doc)

# [2006-12-12]