Re: Re: Flaw in OpenOffice.org 2.1: OpenOffice 2.1 is vulnerable to MS Word 0 day vulnerability!!!
Do you happen to have a printout of the register states at the time of the crash? Also, is ncpN user-definable? You seemed to be correct in your calculation of 6*587202560+4=3523215364 and that amount of zeros being written. But I guess you never know; if you will notice, also maybe something else is going on here, because at the look of this the buffer is always .75 (in decimal) over, e.g. if ncpN were user-definable (as I haven't tested yet) and let's say the value was just for shits 500, then the ultimate calculated value of the allocated pPLCF_PosArray == 500.75, same as if it were 600 it would ultimately == 600.75. Why they did such weird buffer allocation I'm lost on though (problem == either me sleep deprived or Microsoft itself, you decide :-) ).

The original had to do with, I think, an argument overflow from when the 5th argument was passed to sub_304536D3 from offset 0x274 in the original testcase. The value there is 0x23000000; from there that value was multiplied by 4, and then subtracted by 1 at address 030193fd6 and then added to a pointer at 0x3019300b. This is actually contrary to the post at http://research.eeye.com/html/alerts/zeroday/20061212.html where it was stated that the address was first subtracted and then multiplied. If in fact the resulting return address is 0x8bfffffc or even remotely close to it, that would have meant that 0x23000000*4-1=0x8bffffff, but from the way they explained it 0x23000000-1*4=0x22fffffc... maybe I'm wrong or something....... If this is the case then exploitation would only mean changing the address at 0x274 to fit the calculation and then be pointed at the address of shellcode stored where the "AAAA" is in the document in memory, if this is the exact same flaw, that is. But again I'm just rambling and need register addresses if someone could give me some. Thank you.

WARNING: some info contained in this post could be wrong. Don't hold it against me :-)
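The post's concern is that a PLCF element count (ncpN) taken from the document drives a 6*ncpN+4 byte allocation and zero-fill, so a count like 587202560 yields a 3523215364-byte write. The following is an added example, not code from the original post or from OpenOffice.org or Microsoft: it shows the defensive counterpart, validating such a count with overflow-checked arithmetic and against the bytes actually present in the input before allocating. The function names, the `available` parameter and the sample values are assumptions made for this illustration; the 6*ncpN+4 formula and the value 587202560 are taken from the post. It needs GCC or Clang for the `__builtin_*_overflow` checks.

```c
/* Added example (not from the original post): bounds-checking a PLCF
 * element count read from an untrusted Word file before allocating.
 * The 6*ncpN+4 size formula and the count 587202560 come from the post;
 * the function names, the 'available' parameter and the sample values
 * are assumptions made for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PLCF_ENTRY_BYTES  6u  /* per-entry size implied by the post's 6*ncpN */
#define PLCF_HEADER_BYTES 4u  /* the "+4" in the post's formula */

/* Compute 6*ncpN+4 with overflow detection. Returns false on overflow. */
static bool plcf_size(uint32_t ncpN, size_t *out)
{
    size_t bytes;
    if (__builtin_mul_overflow((size_t)ncpN, (size_t)PLCF_ENTRY_BYTES, &bytes))
        return false;
    if (__builtin_add_overflow(bytes, (size_t)PLCF_HEADER_BYTES, &bytes))
        return false;
    *out = bytes;
    return true;
}

/* Accept the count only if the resulting size fits within the bytes the
 * file actually provides. A count that survives the overflow check can
 * still be absurd, as the post's 587202560 (about 3.3 GiB) shows. */
static bool plcf_count_ok(uint32_t ncpN, size_t available)
{
    size_t bytes;
    if (!plcf_size(ncpN, &bytes))
        return false;
    return bytes <= available;
}

/* The same formula done in 32-bit arithmetic and read as a signed int,
 * shown only to illustrate why a signed 'int' size is a poor basis for a
 * length check: 6*587202560+4 reinterprets as a negative value, which
 * would pass a naive 'size < limit' test. Computed in uint32_t (defined
 * wrap-around) and copied into int32_t to avoid signed-overflow UB. */
static int32_t naive_signed_size(uint32_t ncpN)
{
    uint32_t wrapped = ncpN * PLCF_ENTRY_BYTES + PLCF_HEADER_BYTES;
    int32_t as_signed;
    memcpy(&as_signed, &wrapped, sizeof as_signed);
    return as_signed;
}

/* Allocate and zero the PLCF array only after validation.
 * Returns NULL if the count is rejected or allocation fails. */
static uint8_t *plcf_alloc(uint32_t ncpN, size_t available, size_t *out_len)
{
    size_t bytes = 0;
    if (!plcf_count_ok(ncpN, available))
        return NULL;
    (void)plcf_size(ncpN, &bytes);      /* cannot fail: checked above */
    uint8_t *p = calloc(bytes, 1);
    if (p && out_len)
        *out_len = bytes;
    return p;
}

int main(void)
{
    size_t len = 0;
    /* Constructed inputs: a plausible small count, then the post's count
     * against a 4 KiB file. */
    uint8_t *p = plcf_alloc(10u, 4096, &len);
    printf("ncpN=10        -> %s (%zu bytes)\n", p ? "accepted" : "rejected", len);
    free(p);
    p = plcf_alloc(587202560u, 4096, &len);
    printf("ncpN=587202560 -> %s\n", p ? "accepted" : "rejected");
    printf("naive signed size for 587202560 = %d\n",
           naive_signed_size(587202560u));
    free(p);
    return 0;
}
```

The point of `plcf_count_ok` is that an overflow check alone is not enough: 6*587202560+4 fits comfortably in an unsigned 32-bit size_t, so only a comparison against the data that is really there rejects it. `naive_signed_size` demonstrates the opposite failure, where a signed 32-bit size goes negative and a naive upper-bound comparison lets it through.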