PowerPoint 2003 SP2 (updated) french version execution of arbitrary code vulnerability
--------------------------------------------------------------------------------------
by NSRocket on 02.08.2006

This exploit is based on the memory corruption (DoS) vulnerability discovered by Naveed Afzal on 15th July (you can find it at http://packetstormsecurity.org/0607-exploits/mspp-poc3.txt).

Unfortunately, I didn't find a trick to execute arbitrary code on all language versions of PowerPoint 2003 SP2 (with the latest patches). If you've got the French version, I can guarantee you it will work every time (I tested it many, many times on 4 different machines). It is evident that, with a few modifications, this exploit is adaptable to any other language version. I don't think the Win XP language version matters.

OK... let me explain my work. Don't forget that all absolute addresses will be different for you if you haven't got the patched French version of PowerPoint 2003 SP2. Let's go...

The file mspp-poc3.txt from Naveed Afzal causes an access violation when the PPT file is closed. At this moment eip=0x3004e256 and we've got:

    mov [ecx+0x4c],ebx    -> with ecx = dword placed at offset 0x6900 in the PPT file

That's the first interesting point, because you can replace it with any value. If you want to use my method to execute arbitrary code, you must not cause an access violation here. A more interesting point (but a more complex one) is coming... :)

The next instruction is a call to a subroutine which begins like this:

    dec dword ptr [ecx+4]
    je 0x30021aff
    ret

You must cook your PPT file to have 0x00000001 at [ecx+4] because you MUST jump to 0x30021aff.

The space [0x00126000 - 0x00142fff] is interesting because it contains some parts of your PPT file. These parts are always at the same address if your PPT file is read-only (very important!). I found a part (but I think there is a better one) which can unfortunately be overwritten if your PPT filename + path name exceed a certain number of characters. This part was originally the Unicode font name "L u c i d a S a n s U n i c o d e" followed by a few null words. This part can be overwritten without affecting the correct opening of your PPT file. To allow the maximum number of characters in PPT filename + path name, I chose an address which originally contains the character 'n' of the string "U n i c o d e" to store the dword 0x00000001 (stored as 0x01000000 -reversed dword- in my PPT file at offset 0x4d62). As you control ecx... :p :p

Well... having arrived at 0x30021aff:

    mov eax,[ecx]

If your brain is fast :) you already understand that offset 0x4d5e in my PPT file must contain the same value as offset 0x6900 ;) This value is the address which originally contains the character before the string "U n i c o d e". In my French version of PP2003, this address is 0x00133f72.

OK, let's sum up:

First DWORD  = DWORD contained at offset 0x4d5e in my PPT file
             = DWORD contained at address 0x00133f72 when the PPT file is closed by PowerPoint
             = 0x723f1300 (reversed address)

Second DWORD = DWORD contained at offset 0x4d62 in my PPT file
             = DWORD contained at address 0x00133f76 when the PPT file is closed by PowerPoint
             = 0x01000000

After that...

    push 0x00000001          -> we don't care!
    call dword ptr [eax+8]

Now, let's talk about shellcode. Firstly, the little shellcode, and secondly, the user shellcode (you can see the latter and replace it in my C++ source at http://milw0rm.com/exploits/2091). As the first instruction of my little shellcode must follow, we've got:

Third DWORD  = DWORD contained at offset 0x4d66 in my PPT file
             = DWORD contained at address 0x00133f7a when the PPT file is closed by PowerPoint
             = 0x7e3f1300

Yes! We can insert the little shellcode at offset 0x4d6a in my PPT file (it will be at address 0x00133f7e when the PPT file is closed). The problem is the length of this little shellcode :( It cannot contain many bytes.

Well, if you insert 0x00000000 at offset 0x6900 of my PPT file (or Naveed Afzal's PPT file), you can modify the properties of this document without crashing PowerPoint. In the 9th line (web directory) of the properties, I insert a few hundred characters which are stored in Unicode format at offset 0x1196 in my PPT file. You guess the user shellcode can replace these characters. The problem is that this packet of characters (or the user shellcode) is not always at the same address when you close the PPT file, but it is always in the same space [0x008b0000 - 0x008b5fff]. So the little shellcode must search for the user shellcode in this space. I insert the string "SCBG" (or any probably unique dword which will be stored in the space [0x008b0000 - 0x008b5fff]) just before the user shellcode at offset 0x1196 in my PPT file to enable the little shellcode to find the user shellcode and call it!!!

o: /(Hack is exciting!)\ :o

Any question goes to john2jenny@hotmail.com

bye...

NSRocket
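For defenders, the fixed file offsets described above (0x6900 mirrored at 0x4d5e, 0x00000001 at 0x4d62, and a UTF-16 "SCBG" tag at 0x1196 in front of the property-stored payload) are a usable triage signature for files built from this particular PoC. The scanner below is an added example and is not part of the original write-up or of the author's C++ source; it assumes the sample being checked has the same layout as the author's file (the offsets are specific to his document, not to the PPT format in general) and uses a constructed, zero-filled stand-in buffer rather than a real PPT file.

```python
import struct

# Indicators quoted from the write-up (assumption: the file has the same layout
# as the author's PoC document; these are file offsets, not PPT record fields).
OFFSET_ECX = 0x6900      # dword that ends up in ecx when the file is closed
OFFSET_FIRST = 0x4d5e    # must equal the dword at 0x6900
OFFSET_SECOND = 0x4d62   # must be 0x00000001 (bytes 01 00 00 00 on disk)
OFFSET_MARKER = 0x1196   # start of the overlong "web directory" property
MARKER = "SCBG".encode("utf-16-le")  # tag the tiny shellcode searches for


def read_dword(data: bytes, offset: int):
    """Little-endian dword at offset, or None if the file is too short."""
    if offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def scan_ppt(data: bytes) -> list:
    """Return a list of human-readable findings; empty means no indicator hit."""
    findings = []
    ecx = read_dword(data, OFFSET_ECX)
    first = read_dword(data, OFFSET_FIRST)
    second = read_dword(data, OFFSET_SECOND)

    # A non-zero value at 0x6900 that is mirrored at 0x4d5e is the
    # attacker-controlled pointer pair described in the write-up.
    if ecx is not None and ecx != 0 and ecx == first:
        findings.append("dword at 0x6900 equals dword at 0x4d5e (controlled ecx)")
    # 0x00000001 at 0x4d62 is what makes the dec/je check take the jump.
    if second == 1:
        findings.append("dword at 0x4d62 is 0x00000001 (dec/je gate value)")
    # UTF-16 'SCBG' in the document properties is the payload locator tag.
    if data[OFFSET_MARKER:OFFSET_MARKER + len(MARKER)] == MARKER:
        findings.append("UTF-16 'SCBG' tag at 0x1196 (payload locator)")
    return findings


def scan_file(path: str) -> list:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return scan_ppt(fh.read())


def build_sample(malicious: bool) -> bytes:
    """Constructed 0x7000-byte stand-in for a PPT file (NOT a real document).

    With malicious=True the three indicators from the write-up are planted at
    their offsets so the scanner can be exercised offline.
    """
    buf = bytearray(0x7000)
    if malicious:
        struct.pack_into("<I", buf, OFFSET_ECX, 0x00133f72)
        struct.pack_into("<I", buf, OFFSET_FIRST, 0x00133f72)
        struct.pack_into("<I", buf, OFFSET_SECOND, 1)
        buf[OFFSET_MARKER:OFFSET_MARKER + len(MARKER)] = MARKER
    return bytes(buf)


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("tagged", build_sample(True))):
        hits = scan_ppt(blob)
        print(f"{label}: {len(hits)} indicator(s)")
        for h in hits:
            print("  -", h)
```

Treat a single hit as a weak signal and all three together as a strong one; the 0x4d62 check in particular will fire on benign files whose font table happens to hold that value. A production detector would walk the OLE2 container and the PPT record stream to locate the font-name and document-properties records rather than trusting fixed offsets, and would look for the "SCBG"-style tag anywhere in the UTF-16 property data instead of at one position.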