Re: 2x 0day Microsoft Windows Excel

["ad () heapoverflow com" <ad () heapoverflow com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I was joking you know , this hole is a fake but shhh ;)

Amit Sharma wrote:
> ad, don't you think it would be a good idea if you either post your
> PoC with complete details otherwise do not post it. I mean from the
> "excel_like_hell.swf" demo, I do not see anything that one would
> infer.
>
> I can see that a xls file is created and on opening it (as per the
> demo), it makes a registry entry. Now how true is this? If you are
> posting no more info here they how is it going to help us otherwise
> what was the intent of the post?
>
> - Amit
>
>
> */"ad () heapoverflow com" <ad () heapoverflow com>/* wrote:
>
> I have got many questions about the severity of the bug , you can
> show a demo yourself here:
>
> http://heapoverflow.com/excelol/excel_like_hell.swf
>
> ms will fixe this issue soon I'm sure, for me , job done, bye :>
>
> ad () heapoverflow com wrote:
> > after many hours working on excel I have found a critical excel
> > bug exploitable. This is not a stack bof nor a heap bof , a bug
> > extremely hard to find and trigger , but it conduct excel to
> > execute any arbitrary codes while opening a malicious .xls file.
>
> > note: the bug isn't related to both excel dos that I have already
> >  published but shows similiar to a null pointer bug at a first
> > look. much infos won't be disclosed publicly or privately and
> > this will be transmitted to ms before the spyware loosers catch
> > it :)
>
> > > > I have said so this is only null pointer bugs but the way I
> > > > trigger the bug might be modded for a remote code execution
> > > > who know , I'm not a guru and maybe did an error triggering
> > > > the flaw who knows :) but I bet many are already reasearching
> > > > on this hehe, happy job!
>
>
>
> > > > Let's go on the fast publishing :) I wont bother to message
> > > > microsoft about this because they wont patch it for sure
> > > > according that they can't patch fully exploitable bugs in a
> > > > decent time, they do not patch IE dos
> > > > (http://heapoverflow.com/IEcrash.htm), so no way to bother
> > > > them, we should let them sleep a bit shhh ;)
> > > >
> > > > Bugs 1 and Bugs 2 are quite similiar but NOT, both are null
> > > > pointer bugs . In bug1 you should mod a grafic's pointer to
> > > > point to a bad area, and in bug 2 you should null out the
> > > > size of the page name.
> > > >
> > > >
> > > > attached are the 2 pocs, nor here are direct links
> > > >
> > > >
> > > > http://heapoverflow.com/excelol/bug1.xls
> > > >
> > > > http://heapoverflow.com/excelol/bug2.xls
> > > >
> > > >
> > > >
> > > >
> > > > Credits:
> > > >
> > > > AD [at] heapoverflow.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


> Send instant messages to your online friends
> http://in.messenger.yahoo.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
 
iQIVAwUBQ8bXoq+LRXunxpxfAQKUDxAA6TuBrXW1X9UFWcEcqm5nIkknfk0SHZVd
oqEerf4f1xXuvmQOauMnkBMM5p8nxpAVMN2/0yYeyHOpuO9Xv+ZKzsz4rn4XBB78
0nIITxy4w57U/tj7qXI7whG+798MMgse5iNFWzEmJltSlo8Wi8RTSKSEfOz06Cei
vNCIOYUF3lZG8xrwygbqJgapVKwXX0A9U9A0xwvfykpLLwQCLOZsYp3bQi8C9R4M
EhdrOXTlz10J5i4wusYAbBoOW08FbJn1OQLOp3HhUoYXZlgq/n8IBvatwxNceTVo
1gU97IYdSHpRpGkgjLas0RSHEB+L3KbSkTL/JqbuIr2cF7Dxz/sUbvZLOWBtIn6x
sc6/g1a0xWq3jG0LtfotGGmtUfJ+KSumlxm0YR3NtVoOCbqXdbfxMgiHDmxF8Aag
SfELl40jeIboPqrGoblaMhz7OWquVVfFjmfkIuyiwzUuNBSP9QcvarkMWdTZavbQ
JcBunpP3Hw4aE3zNp7i3aHPTGoBNaEcu6Fgfvaa9CA7pmUaehgoYW4QBdGa6j0JW
4CtGFhFSFrMddgtDWKoEU/vlzkvbl8QaaYwjXby6VU+kMoKthW1btD0SU4ue7uM5
Ke3HSh1ZrXhch4GqbaQKPV0/XlaRy8/GUQ3JulbKaHqMp834FhOMrEekXxsQH1VW
pk71ohqJHbM=
=g+EB
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/