Date: Tue Jun 27 23:30:39 2006
From: FistFuXXer at gmx.de (FistFuXXer)
Subject: "Microsoft Office Excel 2003" Hlink Stack/SEH Overflow Exploit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A list member asked me on Tuesday for PoC code to learn more about SEH exploitation. So I wrote the exploit that's attached to this email. I think that it can be useful for other people, too.

The generated .xls file has been successfully tested against the latest Microsoft Office Excel 2003 version (German; 11.8012.6568; SP2) running on the latest Windows versions (Win 2000/XP/2003). Hardware-side NX-bit protection and software-side Windows DEP protection were enabled on the test machine.

Other public exploits for this issue aren't able to bypass these protections because they use addresses that get filtered by the SEH frame protection. They also use an old technique that executes the shellcode on the stack, which isn't marked as executable. This exploit executes the code in the executable .data section. The only problem is that the offset could be different from version to version.

Note that I filled the whole stack with the shellcode address, and that this isn't a sign that I'm too stupid to predict the SEH offset. :-) I did this because the stack layout is different when you execute it on another Windows version.

Sincerely yours,
Manuel Santamarina Suarez

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)

iD8DBQFEobGBPF/cBnCBnL0RArnxAKCNcodzwhqYv/sbncNhxKz2XLvDawCfYr6n
w1cKaE+xIKXKU8Ye0OERF9Y=
=J9ZI
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: latest_version.jpg
Type: image/jpeg
Size: 53277 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060628/84e0cfc4/latest_version-0001.jpg

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hlink_exploit.pl
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060628/84e0cfc4/hlink_exploit-0001.pl