<<< Date Index >>>     <<< Thread Index >>>

Re: Re: Flaw in OpenOffice.org 2.1: OpenOffice 2.1 is vulnerable to MS Word 0 day vulnerability!!!



Do you happen to have a printout of the register states at the time of the 
crash.  Also, is ncpN user definable?? as you seemed to be correct in your 
calculation of 6*587202560+4=3523215364 and that amount of zero's being 
written.  But i guess you never know, if you will notice also maybe something 
else is going on here because at the look of this the buffer is always .75(in 
decimal) over, ex: if ncpN were userdefineable(as i havent tested yet) and lets 
say the value was just for shits 500, then the ultimate calculated value of the 
allocated pPLCF_PosArray == 500.75, same as if it were 600 it would ultimatly 
== 600.75.  why they did such weird buffer allocation im lost on though, 
(problem == either me sleep deprived or microsoft itself, you decide :-) ). The 
original had to do with i think an argument overflow from when the 5th argument 
was passed to sub_304536D3 from offset 0x274 in the original testcase. The 
value there is 0x23000000, from there that value was multiplied by
  4, and then subtracted by 1 at address 030193fd6 and then added to a pointer 
at 0x3019300b.  this is actually contrary to the post at 
http://research.eeye.com/html/alerts/zeroday/20061212.html where it was stated 
that the address was first subtracted and then multiplied if in fact the 
resulting return address is 0x8bfffffc or even remotely close to it would have 
meant that 0x23000000*4-1=0x8bffffff, but from the way they explained it 
0x23000000-1*4=0x22fffffc... maybe im wrong or something....... If this is the 
case then exploitation would only mean changing the address at 0x274 to fit for 
the calculation and then be pointed at the address of shellcode stored where 
the "AAAA" is at in the document in memory. if this is the exact same flaw that 
is. But as again im just rambling and need register addresses if someone could 
give me some.  Thank you. WARNING: some info contained in this post could be 
wrong. Don't hold it against me :-)