Title : Microsoft Visio 2010 memory corruption
Version : Microsoft Visio Premium 2010 SP1
Date : 2012-11-12
Vendor : http://office.microsoft.com
Impact : Med/High
Contact : coolkaveh [at] rocketmail.com
Twitter : @coolkaveh
tested : Windows XP SP3 ENG
###############################################################################
Bug :
----
memory corruption during the handling of the vsd files a context-dependent attacker
can execute arbitrary code.
----
################################################################################
(c18.c0c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000
ebx=05ddd70c
ecx=05db01cc
edx=00000000
esi=6095f708
edi=6095f708
eip=600c7b69
esp=0012de78
ebp=0012de78 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Symbol file could not be found.
Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\VISLIB.dll -
VISLIB!Ordinal1+0xc029b:
600c7b69 6683780218 cmp word ptr [eax+2],18h ds:0023:00000002=????
-----------------------------------------------------------------------------------------
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
Exception Faulting Address: 0x2
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:600c7b69 cmp word ptr [eax+2],18h
Missing image name, possible paged-out or corrupt data.
Basic Block:
600c7b69 cmp word ptr [eax+2],18h
Tainted Input Operands: eax
600c7b6e sbb eax,eax
600c7b70 and eax,offset <unloaded_l32.dll>+0x7f (00000080)
Tainted Input Operands: eax
600c7b75 pop ebp
600c7b76 ret 4
Tainted Input Operands: eax
Exception Hash (Major/Minor): 0x05626b64.0x04025a3c
Stack Trace:
VISLIB!Ordinal1+0xc029b
VISLIB!Ordinal1+0xc5d91
VISLIB!Ordinal1+0xc01ea
VISLIB!Ordinal1+0xbfe27
VISLIB!Ordinal1+0xbfd8f
VISLIB!Ordinal1+0xbff8b
VISLIB!Ordinal1+0xbfe8e
VISLIB!Ordinal1+0x28f325
################################################################################
Proof of concept included.
http://www24.zippyshare.com/v/85134950/file.html
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22679.rar