Analysis of the Excel 2000/XP Table Length Buffer Overflow Vulnerability


Author: Ilsy
Email: Ilsy@whitecell.org
Homepage: http://www.whitecell.org
Date: 2005-12-2
Analysis time: 2005-01-28

Testing shows that Excel has a buffer overflow when processing the table length, which allows arbitrary code execution.

This is presumably the vulnerability reported in MS04-033, although that has not been confirmed.

Vulnerability principle:

Hand-build a .xls file and use a hex editor to look at the two bytes in front of the Sheet1 table name. Changing them to FF FF and opening the file with Excel crashes the program. Analysis shows this is a stack overflow caused by an integer overflow. The process is as follows:

:3003FBD3 8B400C          MOV EAX, DWORD PTR [EAX+0C]
:3003FBD6 FF7008          PUSH [EAX+08]
:3003FBD9 8D8560FCFFFF    LEA EAX, DWORD PTR [EBP+FFFFFC60]
; Computes the copy length from the length of the Sheet1 table; the integer overflow makes this value wrong
:3003FBDF 50              PUSH EAX
:3003FBE0 E85953FFFF      CALL 30034F3E

:30034F3E 55              PUSH EBP
:30034F3F 8BEC            MOV EBP, ESP
:30034F41 81EC04020000    SUB ESP, 00000204      ; allocate a 0x204-byte buffer
:30034F47 53              PUSH EBX
:30034F48 56              PUSH ESI
:30034F49 8B7508          MOV ESI, DWORD PTR [EBP+08]
:30034F4C 57              PUSH EDI
:30034F4D 33FF            XOR EDI, EDI
:30034F4F 3BF7            CMP ESI, EDI
:30034F51 897DFC          MOV DWORD PTR [EBP-04], EDI
:30034F54 742D            JE 30034F83
:30034F56 8D85FCFDFFFF    LEA EAX, DWORD PTR [EBP+FFFFFDFC]
:30034F5C 8945FC          MOV DWORD PTR [EBP-04], EAX
:30034F5F 0FB706          MOVZX EAX, WORD PTR [ESI]
:30034F62 8D444002        LEA EAX, DWORD PTR [EAX+EAX+02]
:30034F66 50              PUSH EAX
:30034F67 8D85FCFDFFFF    LEA EAX, DWORD PTR [EBP+FFFFFDFC]
:30034F6D 56              PUSH ESI
:30034F6E 50              PUSH EAX

* Reference To: MSO9.Ordinal:03C0, Ord:03C0h
|
:30034F6F E8C4AEFDFF      CALL MSO9.MEMMOVE

; Calls mso9.memmove to copy the string; because the length is wrong, the copy overwrites the function's return address.
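As an added illustration that is not part of the original analysis, the C code below models the length arithmetic visible in the listing (a 16-bit count n read by MOVZX, turned into a copy length of 2*n+2 by the LEA, and handed to memmove with no comparison against the 0x204-byte stack buffer) next to a checked version that rejects a record whose claimed length does not fit either the destination or the record itself. The record layout (a little-endian 16-bit character count followed by UTF-16LE characters), the sample records and all function names are assumptions made for this example; the unchecked length is only computed, never used to perform an out-of-bounds copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of the stack buffer the listing reserves with SUB ESP, 0x204. */
#define NAME_BUF_SIZE 0x204u

/* Mirrors the length arithmetic in the listing:
 *   MOVZX EAX, WORD PTR [ESI]   ; 16-bit character count n
 *   LEA   EAX, [EAX+EAX+2]      ; copy length = 2*n + 2
 * Nothing compares the result with the 0x204-byte destination, so a
 * patched count of 0xFFFF yields a 0x20000-byte copy. */
uint32_t unchecked_copy_len(uint16_t n)
{
    return (uint32_t)n * 2u + 2u;
}

/* Checked variant. Assumed record layout (not taken from the page):
 * 16-bit LE character count, then that many UTF-16LE code units.
 * The whole record (count included) is copied, as the listing pushes
 * ESI itself as the memmove source. Returns the character count on
 * success or -1 when the record is malformed or would not fit. */
int copy_sheet_name_checked(const uint8_t *rec, size_t rec_len,
                            uint8_t *dst, size_t dst_len)
{
    if (rec == NULL || dst == NULL || rec_len < 2)
        return -1;
    uint16_t n = (uint16_t)(rec[0] | (rec[1] << 8));
    uint32_t copy_len = unchecked_copy_len(n);
    /* Check 1: the copy must fit the destination buffer. */
    if (copy_len > dst_len)
        return -1;
    /* Check 2: the record must really contain the bytes it claims. */
    if (copy_len > rec_len)
        return -1;
    memmove(dst, rec, copy_len);
    return (int)n;
}

/* Constructed sample: a benign record naming the sheet "Sheet1". */
static const uint8_t BENIGN_REC[] = {
    0x06, 0x00,                                 /* n = 6 characters */
    'S', 0, 'h', 0, 'e', 0, 'e', 0, 't', 0, '1', 0 /* UTF-16LE "Sheet1" */
};

/* Constructed sample: the count patched to FF FF as the analysis describes. */
static const uint8_t PATCHED_REC[] = { 0xFF, 0xFF, 'S', 0, 'h', 0 };

int demo_benign(void)
{
    uint8_t buf[NAME_BUF_SIZE];
    return copy_sheet_name_checked(BENIGN_REC, sizeof BENIGN_REC,
                                   buf, sizeof buf);
}

/* Same benign count, but the record is cut short: check 2 rejects it. */
int demo_truncated(void)
{
    uint8_t buf[NAME_BUF_SIZE];
    return copy_sheet_name_checked(BENIGN_REC, 10, buf, sizeof buf);
}

int demo_patched(void)
{
    uint8_t buf[NAME_BUF_SIZE];
    return copy_sheet_name_checked(PATCHED_REC, sizeof PATCHED_REC,
                                   buf, sizeof buf);
}

int main(void)
{
    printf("copy length for n=0xFFFF: 0x%x (buffer is 0x%x)\n",
           unchecked_copy_len(0xFFFF), NAME_BUF_SIZE);
    printf("benign: %d, truncated: %d, patched: %d\n",
           demo_benign(), demo_truncated(), demo_patched());
    return 0;
}
```

The two checks are independent: the first one alone would still let a short, forged record make memmove read past the end of the parsed data, which is why the claimed length is also compared with the bytes actually present.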

Vulnerability exploitation:

Analysis shows that the vulnerability is related to the length of the file name. With the default name "New Microsoft Excel Worksheet.xls", which MultiByteToWideChar converts to a length of 44 bytes, the 4 bytes at offset 0x344 overwrite the return address, and offset 0x33C must hold a readable local variable.

Fill the file with a long run of "AAAA..." content, which is used to store the shellcode.

After opening the file, EBX+0xA30 is found to point to the shellcode, so after the JMP ESP an ADD EBX, 0A30h followed by JMP EBX jumps to the shellcode.

Please credit the original address when reprinting: https://www.9cbs.com/read-129343.html