Vendor: Office
By: coolkaveh
CVSS: 7.5 (HIGH)
CWE: 119 (Memory Corruption)
Product Name: Office
Affected Version From: Microsoft Office Professional Plus 2010
Affected Version To: Microsoft Office Professional Plus 2010
Patch Exists: YES
Related CWE: N/A
CPE: a:microsoft:office:professional_plus_2010
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP3 ENG
Year: 2012

Microsoft Office OneNote 2010 WriteAV Vulnerability

A memory corruption vulnerability exists in Microsoft Office OneNote 2010 when it parses OneNote (.one) files. An attacker who convinces a user to open a crafted file can exploit this vulnerability to execute arbitrary code in the context of the current user.

Mitigation:

Ensure that all software is up to date and patched with the latest security updates.
Source (Exploit-DB raw data):

Title     :  Microsoft Office OneNote 2010 WriteAV Vulnerability 
Version   :  Microsoft Office professional Plus 2010
Date      :  2012-11-19
Vendor    :  http://office.microsoft.com 
Impact    :  Med/High 
Contact   :  coolkaveh [at] rocketmail.com 
Twitter   :  @coolkaveh 
Tested    :  XP SP3 ENG 
############################################################################### 
Bug : 
---- 
Memory corruption during the handling of .one files.

How can I make sure a crash is not exploitable? (The short answer is
simple: assume every crash is exploitable and just fix it.)

Or

"defective software is OK."

----  
################################################################################ 
(b70.998): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=05eb3701 ecx=062baa08 edx=00005b3f esi=062baa08 edi=00000000
eip=3acdee22 esp=00125dbc ebp=00125dc4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\ONMain.DLL - 
ONMain!MsoCF::Frame::Finish+0x14bd2:
3acdee22 c7050000000001000000 mov dword ptr ds:[0],1  ds:0023:00000000=????????
---------------------------------------------------------------------------------

First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x3c300459.0x3c6c1674

Stack Trace:
ONMain!MsoCF::Frame::Finish+0x14bd2
ONMain!MsoCF::GetScaledValue+0x429c
ONMain!MsoCF::GetScaledValue+0x39d5
ONMain!MsoCF::GetScaledValue+0x384b
ONMain!Jot::IQueryScope::CreateInstance+0x1716
ONMain!MsoCF::GetScaledValue+0x3060
ONMain!MsoCF::GetScaledValue+0x2dce
ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0xa4d
ONMain!Jot::ITextSearchPlugin::CreateQuotedTextSearchPlugin+0x44a
ONMain!Jot::UseRegistryCache+0x6fb
ONMain!Jot::IQueryScope::CreateInstance+0x1716
ONMain!Jot::HasFileOneExtension+0xf4e
ONMain!Jot::GetBackupRootFolderPath+0x109e
ONMain!Jot::GetBackupRootFolderPath+0xf01
ONMain!Jot::TheBackgroundScheduler::FAddJobForThread+0x1e57
ONMain!Jot::TheBackgroundScheduler::FAddJobForThread+0x1da3
ONMain!Jot::System::IsTabletPC+0x1c7e
ONMain!Jot::System::IsTabletPC+0x1439
ONMain!MsoCF::PerfMetrics::Mark+0x107e
ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0x1432
ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0xe4a
ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0xc6b
ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0x8f9
ONMain!MsoCF::TheZeroAtom+0xba1
ONMain!Jot::TheBackgroundScheduler::FExists+0x52e1
ONMain!Jot::TheBackgroundScheduler::FExists+0x51f5
ONMain!MsoCF::Properties::FGet+0xdc9
ONMain!Jot::TheBackgroundScheduler::FExists+0x1e0
ONMain!Jot::TheBackgroundScheduler::FExists+0x4e
onenote+0x1efcf
ONMain!MsoCF::TheZeroAtom+0x99b
onenote+0x212f
onenote+0x2054
onenote+0x201e
kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x000000003acdee22

Short Description: WriteAV

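The debugger output above is the kind of input a crash-triage pipeline consumes. As an added example (it is not part of the advisory, nor Exploit-DB or Microsoft tooling), the following Python script parses a WinDbg access-violation summary of the same shape, extracts the access type, the effective address of the faulting memory operand, the register state and the top frame, and sorts the crash into a coarse bucket. The sample input is constructed for this example from the values quoted in the advisory; the bucket names and the "is the target register-based" check are this example's own heuristic, not the rules of !exploitable.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input, modelled on the WinDbg session quoted in the advisory
# (registers, faulting instruction, hash and frames are the page's own values; the
# stack is trimmed to four frames).
SAMPLE_CRASH = """\
(b70.998): Access violation - code c0000005 (first chance)
eax=00000000 ebx=05eb3701 ecx=062baa08 edx=00005b3f esi=062baa08 edi=00000000
eip=3acdee22 esp=00125dbc ebp=00125dc4 iopl=0         nv up ei pl zr na pe nc
ONMain!MsoCF::Frame::Finish+0x14bd2:
3acdee22 c7050000000001000000 mov dword ptr ds:[0],1  ds:0023:00000000=????????

First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x3c300459.0x3c6c1674

Stack Trace:
ONMain!MsoCF::Frame::Finish+0x14bd2
ONMain!MsoCF::GetScaledValue+0x429c
onenote+0x1efcf
kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x000000003acdee22
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")
CODE_RE = re.compile(r"Access violation - code ([0-9a-f]{8})")
SUBTYPE_RE = re.compile(r"Exception Sub-Type:\s*(Read|Write|Execute) Access Violation", re.I)
HASH_RE = re.compile(r"Exception Hash \(Major/Minor\):\s*(0x[0-9a-f]+)\.(0x[0-9a-f]+)", re.I)
# Disassembly line: "<eip> <opcode bytes> <instruction>  ds:<selector>:<effective addr>=<value>"
INSN_RE = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(.+?)\s+[de]s:[0-9a-f]{4}:([0-9a-f]{8})=", re.M)
X86_REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p)\b")


@dataclass
class CrashTriage:
    code: int                        # NTSTATUS, e.g. 0xC0000005
    access: str                      # "read" | "write" | "execute" | "unknown"
    instruction: str                 # faulting instruction text
    target: Optional[int]            # effective address of the faulting memory operand
    target_is_register_based: bool   # does the memory operand use a register?
    registers: Dict[str, int]
    frames: List[str] = field(default_factory=list)
    hash_major: str = ""
    hash_minor: str = ""

    @property
    def top_frame(self) -> str:
        return self.frames[0] if self.frames else ""

    @property
    def module(self) -> str:
        return re.split(r"[!+]", self.top_frame, maxsplit=1)[0]

    def bucket(self) -> str:
        # This example's own coarse buckets: a write through a register may be
        # steerable by the input; a write of a constant to a fixed null-page address
        # needs manual analysis before being called more than a DoS; a read near
        # null is usually just a DoS; everything else is left to the analyst.
        near_null = self.target is not None and self.target < 0x10000
        if self.access == "write" and self.target_is_register_based:
            return "WRITE_AV_REGISTER_CONTROLLED"
        if self.access == "write" and near_null:
            return "WRITE_AV_FIXED_NULL_PAGE"
        if self.access == "read" and near_null:
            return "READ_AV_NEAR_NULL"
        return "UNKNOWN"


def parse_frames(text: str) -> List[str]:
    """Collect the lines between 'Stack Trace:' and 'Instruction Address:'."""
    frames, in_trace = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Stack Trace:"):
            in_trace = True
            continue
        if in_trace:
            if not s or s.startswith("Instruction Address:"):
                break
            frames.append(s)
    return frames


def triage(text: str) -> CrashTriage:
    code, sub = CODE_RE.search(text), SUBTYPE_RE.search(text)
    insn, hsh = INSN_RE.search(text), HASH_RE.search(text)
    operand = re.search(r"\[([^\]]+)\]", insn.group(2)) if insn else None
    return CrashTriage(
        code=int(code.group(1), 16) if code else 0,
        access=sub.group(1).lower() if sub else "unknown",
        instruction=insn.group(2) if insn else "",
        target=int(insn.group(3), 16) if insn else None,
        target_is_register_based=bool(operand and X86_REG_RE.search(operand.group(1))),
        registers={name: int(val, 16) for name, val in REG_RE.findall(text)},
        frames=parse_frames(text),
        hash_major=hsh.group(1) if hsh else "",
        hash_minor=hsh.group(2) if hsh else "",
    )


if __name__ == "__main__":
    t = triage(SAMPLE_CRASH)
    print(f"{t.module}: {t.access} AV at {t.target:#010x} in {t.top_frame} -> {t.bucket()}")
```

On the advisory's dump the script reports a write of an immediate to the fixed address 0 (`mov dword ptr ds:[0],1`): neither the destination nor the value comes from a register, which is the first thing an analyst checks before treating a WriteAV as more than a denial of service. That check is the practical side of the question the advisory raises; the advisory's own answer (fix every crash) is still the right operational policy, since the patch removes the question entirely.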
###############################################################################
Proof of concept included.
http://www43.zippyshare.com/v/27372192/file.html
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22850.rar