WPS Office 'Wpsio.dll' Stack Buffer Overflow Vulnerability

Published: 07 May 2013 00:00:00. Reported by RootType (seebug, www.seebug.org).

Related entries (family / reporter / title / published):

  0day.today (zdt)          WPS Office Wpsio.dll - Stack Buffer Overflow Vulnerability   1 May 2013 00:00
  Circl (circl)             CVE-2012-4886                                                1 May 2013 00:00
  CVE (cve)                 CVE-2012-4886                                                24 Mar 2014 14:00
  Cvelist (cvelist)         CVE-2012-4886                                                24 Mar 2014 14:00
  Exploit DB (exploitdb)    WPS Office - 'Wpsio.dll' Stack Buffer Overflow               1 May 2013 00:00
  exploitpack (exploitpack) WPS Office - Wpsio.dll Stack Buffer Overflow                 1 May 2013 00:00
  NVD (nvd)                 CVE-2012-4886                                                24 Mar 2014 16:43
  Prion (prion)             Stack overflow                                               24 Mar 2014 16:43

Excerpted from
http://seclists.org/fulldisclosure/2013/Apr/247

POC
==================
http://seclists.org/fulldisclosure/2013/Apr/att-247/poc_zip.bin

Crash info
==================
crash info:
(b70.eb8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012c0a4 ebx=770f4b39 ecx=90909090 edx=0012be00 esi=0012c0a4 edi=0018bd54
eip=45e25208 esp=0012bdec ebp=0012bdf8 iopl=0  nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
wpsio!TxExport+0x37b1:
45e25208 ff5114  call    dword ptr [ecx+14h] ds:0023:909090a4=????????

module info:
start    end        module name
45e00000 4606f000   wpsio      (export symbols)       C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll
    Loaded symbol image file: C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll
    Image path: C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll
    Image name: wpsio.dll
    Timestamp:        Mon May 28 04:10:12 2012 (4FC28A24)
    CheckSum:         0026D933
    ImageSize:        0026F000
    File version:     8.1.0.3238
    Product version:  8.1.0.3238
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0000.04b0
    CompanyName:      Zhuhai Kingsoft Office-software Co.,Ltd
    ProductName:      Kingsoft Office
    InternalName:     wpsio
    OriginalFilename: wpsio.dll
    ProductVersion:   8,1,0,3238
    FileVersion:      8,1,0,3238
    FileDescription:  wpsio
    LegalCopyright:   Copyright©1988-2011 Kingsoft Corporation.  All rights reserved.

Overflow point code
==================
In sub_45E2CC84:

.text:45E2CC84 var_210         = byte ptr -210h ;buffer size 0x200
.text:45E2CC84 var_4           = dword ptr -4


.text:45E2CDB3                 push    [ebp+Src]       ; BSTR
.text:45E2CDB9                 call    esi ; SysStringLen
.text:45E2CDBB                 mov     [ebp+var_244], eax
.text:45E2CDC1                 add     eax, eax        ;size is 0x170
.text:45E2CDC3                 push    eax             ; Size
.text:45E2CDC4                 push    [ebp+Src]       ; Src
.text:45E2CDCA                 lea     eax, [ebp+var_210]
.text:45E2CDD0                 push    eax             ; Dst
.text:45E2CDD1                 call    memcpy

First copy: 0x170 bytes (2 * SysStringLen) are copied into the 0x200-byte stack buffer var_210.

.text:45E2CE16                 push    edi             ; BSTR
.text:45E2CE17                 mov     [ebp+var_234], ax
.text:45E2CE1E                 call    esi ; SysStringLen
.text:45E2CE20                 add     eax, eax
.text:45E2CE22                 push    eax             ; Size
.text:45E2CE23                 movzx   eax, [ebp+var_234] ;length
.text:45E2CE2A                 lea     eax, [ebp+eax*2+var_210]
.text:45E2CE31                 push    edi             ; Src
.text:45E2CE32                 push    eax             ; Dst
.text:45E2CE33                 call    memcpy

Second copy: the same string is copied again, placed immediately after the first one. var_234 holds the string length in characters, so the second copy starts at var_210 + 2*var_234. In total 0x2e0 bytes are written into a 0x200-byte buffer.
After the copies, the return address and the SEH record have been overwritten.

0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c070 90909090 wpsio!TxExport+0xb3e1
0012c148 45e2a113 0x90909090

0:000> !exchain
0012c064: 90909090
Invalid exception stack at 90909090

The source data of the memcpy comes from the file poc.wps at offset 0x41d7.
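The length arithmetic of the two copies above, modelled as an added C example (this is not Kingsoft's code and not the advisory's PoC). wpsio_overflow_bytes() computes how far a BSTR of a given character count would run past the 0x200-byte var_210 when copied twice back to back, and copy_twice_checked() is a hypothetical hardened version of the same copy sequence that validates both copies against the destination size before either memcpy runs. The function names, the uint16_t stand-in for the BSTR's UTF-16 characters and the caller-supplied length (standing in for SysStringLen) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Size of the stack buffer var_210 in sub_45E2CC84 (from the listing). */
#define WPSIO_BUF_SIZE 0x200u

/* Number of bytes the two copies in sub_45E2CC84 would write past the
 * end of var_210 for a BSTR of bstr_chars UTF-16 characters.  Each copy
 * is 2*bstr_chars bytes (add eax, eax) and the second copy starts at
 * offset 2*bstr_chars, so the total footprint is 4*bstr_chars bytes.
 * Returns 0 when both copies fit. */
size_t wpsio_overflow_bytes(size_t bstr_chars)
{
    size_t total = bstr_chars * 4;
    return total > WPSIO_BUF_SIZE ? total - WPSIO_BUF_SIZE : 0;
}

/* Hypothetical hardened replacement for the copy sequence (not Kingsoft's
 * fix).  Both copies are checked against the destination size before any
 * memory is written.  Returns the number of bytes written, or -1 if the
 * data does not fit. */
long copy_twice_checked(uint16_t *dst, size_t dst_bytes,
                        const uint16_t *src, size_t src_chars)
{
    /* guard the multiplication itself before trusting 4*src_chars */
    if (src_chars > SIZE_MAX / 4)
        return -1;
    size_t copy_bytes = src_chars * 2;        /* bytes per copy, as add eax,eax */
    if (copy_bytes * 2 > dst_bytes)           /* first + second copy must fit */
        return -1;
    memcpy(dst, src, copy_bytes);             /* first copy at offset 0 */
    memcpy(dst + src_chars, src, copy_bytes); /* second copy right after it */
    return (long)(copy_bytes * 2);
}

int main(void)
{
    /* constructed inputs: the PoC-sized length from the advisory and a small one */
    size_t poc_chars = 0x170 / 2;   /* 0x170 bytes per copy => 0xB8 characters */
    printf("0x%zx-byte copies overflow var_210 by 0x%zx bytes\n",
           (size_t)0x170, wpsio_overflow_bytes(poc_chars));

    uint16_t buf[WPSIO_BUF_SIZE / 2];
    uint16_t small[4] = { 'W', 'P', 'S', '!' };
    long n = copy_twice_checked(buf, sizeof buf, small, 4);
    printf("small string: %ld bytes written\n", n);

    uint16_t big[0xB8];
    memset(big, 0x41, sizeof big);            /* constructed filler, not PoC data */
    n = copy_twice_checked(buf, sizeof buf, big, 0xB8);
    printf("PoC-sized string: %s\n", n < 0 ? "rejected" : "copied");
    return 0;
}
```

Note that the listing stores the length used for the second copy in a 16-bit slot (mov [ebp+var_234], ax, later read back with movzx), so a check applied only to that truncated value would not be enough; the hardened version above checks the full length once, before either copy, and also refuses lengths whose multiplication would wrap.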


Vulners AI Score: 6.6 (Medium risk). EPSS: 0.53436.