[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <44A1B181.3080603@gmx.de>
Date: Tue Jun 27 23:30:39 2006
From: FistFuXXer at gmx.de (FistFuXXer)
Subject: "Microsoft Office Excel 2003" Hlink Stack/SEH
Overflow Exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A list member asked me on Tuesday for PoC code to learn more about SEH
exploitation. So I wrote the exploit that's attached to this email. I
think that it can be useful for other people, too.
The generated .xls file has been successfully tested against the latest
Microsoft Office Excel 2003 version (German; 11.8012.6568; SP2) running
on the latest Windows versions (Win 2000/XP/2003). Hardware side NX-Bit
protection and software side Windows DEP protection was enabled on the
test machine.
Other public exploits for this issue aren't able to bypass this
protections because they use addresses that get filtered by the SEH
frame protection. They also use an old technique that executes the
shellcode on the stack that isn't marked as executable. This exploit
executes the code in the executable .data section. The only problem is
that the offset could be different from version to version.
Note that I filled the whole stack with the shellcode address and that
this isn't a sign that I'm too stupid to predict the SEH offset. :-) I
did this because the stack layout is different when you execute it on
another Windows version.
Sincerely yours,
Manuel Santamarina Suarez
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
iD8DBQFEobGBPF/cBnCBnL0RArnxAKCNcodzwhqYv/sbncNhxKz2XLvDawCfYr6n
w1cKaE+xIKXKU8Ye0OERF9Y=
=J9ZI
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: latest_version.jpg
Type: image/jpeg
Size: 53277 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060628/84e0cfc4/latest_version-0001.jpg
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hlink_exploit.pl
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060628/84e0cfc4/hlink_exploit-0001.pl
Powered by blists - more mailing lists