Vendor: Windows
By: Marsu
CVSS: 7.5 (HIGH)
Denial of Service
CWE
Product Name: Windows
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows 2000 SP4 FR, Windows XP SP2 FR
2007

Microsoft Windows .doc File Malformed Pointers DoS

This exploit causes a denial of service (DoS) by crashing Windows Explorer when a user hovers the mouse over a malformed .doc file or views its properties. The bug is in Ole32.dll, at the instruction `CMP DWORD PTR DS:[EAX+EBX],3`: the malformed file lets the EAX, EDX, and ESI registers be set to arbitrary values. The file's "magic offsets" are 4460 (loaded into EDX) and 4519 (loaded into ESI), and they are what trigger the crash. It has been successfully tested on Windows 2000 SP4 FR and XP SP2 FR.

Mitigation:


Exploit-DB raw data:

/*****************************************************************************\
*            Microsoft Windows .doc File Malformed Pointers DoS               *
*                                                                             *
*                                                                             *
*                                                                             *
* Just move your mouse on the file and explorer crashes. If it does not, try  *
* to look at file properties.                                                 *
* Bug comes from Ole32.dll:                                                   *
* CMP DWORD PTR DS:[EAX+EBX],3 and we can set EAX, EDX and ESI with arbitrary *
* values.                                                                     *
*                                                                             *
* Check the file, magic offsets are                                           *
* 4460 -> EDX                                                                 *
* 4519 -> ESI                                                                 *
*                                                                             *
*                                                                             *
* Successfully tested on Windows 2000 SP4 FR and XP SP2 FR.                   *
*                                                                             *
*                Coded by Marsu <MarsupilamiPowa@hotmail.fr>                  *
\*****************************************************************************/

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3419.tar (03062007-Explorer_Crasher.tar)

# milw0rm.com [2007-03-06]