Full Disclosure mailing list archives
Re: 2x 0day Microsoft Windows Excel
From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Thu, 12 Jan 2006 23:26:43 +0100
I was joking you know, this hole is a fake but shhh ;)

Amit Sharma wrote:

ad, don't you think it would be a good idea if you either post your PoC with complete details otherwise do not post it. I mean from the "excel_like_hell.swf" demo, I do not see anything that one would infer. I can see that a xls file is created and on opening it (as per the demo), it makes a registry entry. Now how true is this? If you are posting no more info here then how is it going to help us otherwise what was the intent of the post?

- Amit

"ad () heapoverflow com" <ad () heapoverflow com> wrote:

I have got many questions about the severity of the bug, you can show a demo yourself here: http://heapoverflow.com/excelol/excel_like_hell.swf

ms will fix this issue soon I'm sure, for me, job done, bye :>

ad () heapoverflow com wrote:

after many hours working on excel I have found a critical excel bug exploitable. This is not a stack bof nor a heap bof, a bug extremely hard to find and trigger, but it conduct excel to execute any arbitrary codes while opening a malicious .xls file.

note: the bug isn't related to both excel dos that I have already published but shows similar to a null pointer bug at a first look.

much infos won't be disclosed publicly or privately and this will be transmitted to ms before the spyware losers catch it :)

I have said so this is only null pointer bugs but the way I trigger the bug might be modded for a remote code execution who knows, I'm not a guru and maybe did an error triggering the flaw who knows :) but I bet many are already researching on this hehe, happy job!

Let's go on the fast publishing :) I won't bother to message microsoft about this because they won't patch it for sure according that they can't patch fully exploitable bugs in a decent time, they do not patch IE dos (http://heapoverflow.com/IEcrash.htm), so no way to bother them, we should let them sleep a bit shhh ;)

Bugs 1 and Bugs 2 are quite similar but NOT, both are null pointer bugs. In bug1 you should mod a graphic's pointer to point to a bad area, and in bug 2 you should null out the size of the page name.

attached are the 2 pocs, or here are direct links
http://heapoverflow.com/excelol/bug1.xls
http://heapoverflow.com/excelol/bug2.xls

Credits: AD [at] heapoverflow.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: 2x 0day Microsoft Windows Excel ad () heapoverflow com (Jan 08)
- Re: 2x 0day Microsoft Windows Excel Georgi Guninski (Jan 08)
- Re: 2x 0day Microsoft Windows Excel ad () heapoverflow com (Jan 08)
- Re: 2x 0day Microsoft Windows Excel Georgi Guninski (Jan 08)
- Re: 2x 0day Microsoft Windows Excel ad () heapoverflow com (Jan 08)
- Re: 2x 0day Microsoft Windows Excel ad () heapoverflow com (Jan 10)
- SecurID with Active Directory ? Steven (Jan 10)
- Re: 2x 0day Microsoft Windows Excel Amit Sharma (Jan 12)
- Re: 2x 0day Microsoft Windows Excel Stan Bubrouski (Jan 12)
- Re: 2x 0day Microsoft Windows Excel ad () heapoverflow com (Jan 12)
- Re: 2x 0day Microsoft Windows Excel Georgi Guninski (Jan 08)