No description provided by source.
===== The file I have attached is a very basic two stage bug. stage 1 (the first mod) forces the code down a wrong path. the second mod by itsself is harmless, however when used with the first it will be the first and part of the second overwrite. I have use 41414141 as a marker to make it easier for you to see. I have made it crash the wordviewer again to make it more obvious Weight, location: 00000274 value : 00000022 - just so it crashes, values 00000001 -> 00000006 are probably the most useful for trying to overwrite a pointer. notice that neighbouring areas can be weighted the same. marker, location: 000027e4 value : 41414141 the weight destination address == ((weight * 4[this is EDI]) + 4 [ECX*4]) + source memory offest[ESI]. [also the meta data is microsofts, not mine] ====== bug hugs, disco. poc: http://www.milw0rm.com/sploits/12122006-djtest.doc