Vendor: WordViewer
Author: Disco
CVSS: 7.8 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: WordViewer
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2006

Two Stage Bug

This exploit is a two-stage bug that forces the code down a wrong path. The first modification alone sends execution down the wrong path; the second modification by itself is harmless, but when combined with the first it becomes the first overwrite and part of the second. The weight destination address is calculated as (weight * 4 [EDI]) + 4 [ECX*4] + source memory offset [ESI]. The marker is located at offset 000027e4 with a value of 41414141.

Mitigation:

Input validation and proper sanitization of file-supplied values (such as the weight field used to compute the write destination) should be performed before they are used, to prevent the buffer overflow.
Source

Exploit-DB raw data:

=====
The file I have attached is a very basic two stage bug.  Stage 1 (the
first mod) forces the code down a wrong path.  The second mod by
itself is harmless, however when used with the first it will be the
first and part of the second overwrite.

I have used 41414141 as a marker to make it easier for you to see.

I have made it crash the WordViewer again to make it more obvious.

Weight,
location: 00000274
value   : 00000022 - just so it crashes, values 00000001 -> 00000006
are probably the most useful for trying to overwrite a pointer. Notice
that neighbouring areas can be weighted the same.

marker,
location: 000027e4
value   : 41414141

The weight destination address == ((weight * 4 [this is EDI]) + 4 [ECX*4]) + source memory offset [ESI].

[Also, the metadata is Microsoft's, not mine.]
======

bug hugs,

disco.

poc: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/2922.doc (12122006-djtest.doc)

# milw0rm.com [2006-12-12]