=====
The file I have attached is a very basic two stage bug. stage 1 (the
first mod) forces the code down a wrong path. the second mod by
itsself is harmless, however when used with the first it will be the
first and part of the second overwrite.
I have use 41414141 as a marker to make it easier for you to see.
I have made it crash the wordviewer again to make it more obvious
Weight,
location: 00000274
value : 00000022 - just so it crashes, values 00000001 -> 00000006
are probably the most useful for trying to overwrite a pointer. notice
that neighbouring areas can be weighted the same.
marker,
location: 000027e4
value : 41414141
the weight destination address == ((weight * 4[this is EDI]) + 4 [ECX*4]) + source memory offest[ESI].
[also the meta data is microsofts, not mine]
======
bug hugs,
disco.
poc: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/2922.doc (12122006-djtest.doc)
# milw0rm.com [2006-12-12]