PowerPoint 2003 SP2 (updated) French version arbitrary code execution 
vulnerability
--------------------------------------------------------------------------------------
by NSRocket on 02.08.2006


This exploit is based on the memory corruption (DoS) vulnerability discovered by 
Naveed Afzal on 15th July (you can find it at 
http://packetstormsecurity.org/0607-exploits/mspp-poc3.txt).

Unfortunately, I didn't find a trick to execute arbitrary code on all 
language versions of PowerPoint 2003 SP2 (with the latest patches). If you have 
the French version, I can guarantee it will work every time (I tested it 
many, many times on 4 different machines). With a few modifications, this 
exploit is obviously adaptable to any other language version. I don't think 
the Windows XP language version matters.




OK... let me explain my work. Keep in mind that all absolute addresses will be 
different for you if you don't have the patched French version of PowerPoint 
2003 SP2.

Let's go...

The file mspp-poc3.txt from Naveed Afzal causes an access violation when the PPT 
file is closed. At that moment, eip=0x3004e256 and we have:

			mov	[ecx+0x4c],ebx
				-> with ecx = dword placed at offset 0x6900 in PPT file

That's the first interesting point, because you can replace it with any value. 
If you want to use my method to execute arbitrary code, you must avoid the 
access violation.

A more interesting point (but a more complex one) is coming... :)

The next instruction is a call to a subroutine which begins like this:

			dec	dword ptr [ecx+4]
			je	0x30021aff
			ret

You must cook your PPT file so that [ecx+4] holds 0x00000001, because you MUST 
jump to 0x30021aff. The range [0x00126000 - 0x00142fff] is interesting 
because it contains some parts of your PPT file. These parts are always at the 
same address if your PPT file is read-only (very important!).

I found a part (though I think there is a better one) which can unfortunately 
be overwritten if your PPT filename + path name exceed a certain number of 
characters. This part was originally the Unicode font name "L u c i d a  S a 
n s  U n i c o d e" followed by a few null words. This part can be overwritten 
without affecting the correct opening of your PPT file. To allow the maximum 
number of characters in PPT filename + path name, I chose an address which 
originally contained the character 'n' of the string "U n i c o d e" to store 
the dword 0x00000001 (stored as 0x01000000, the reversed dword, in my PPT file 
at offset 0x4d62). Since you control ecx... :p :p

Well... once we arrive at 0x30021aff:

			mov	eax,[ecx]

If your brain is fast :) you already understand that offset 0x4d5e in my PPT 
file must contain the same value as offset 0x6900 ;) This value is the 
address which originally contained the <space> character before the string 
"U n i c o d e". In my French version of PP2003, this address is 0x00133f72.

OK, let's summarize:
First DWORD = DWORD at offset 0x4d5e in my PPT file = DWORD at address 
0x00133f72 when the PPT file is closed by PowerPoint = 0x723f1300 
(reversed address)
Second DWORD = DWORD at offset 0x4d62 in my PPT file = DWORD at address 
0x00133f76 when the PPT file is closed by PowerPoint = 0x01000000


After that:

			push	0x00000001	-> we don't care!
			call	dword ptr [eax+8]

Now, let's talk about shellcode: first the little shellcode, then the user 
shellcode (you can see the latter, and replace it, in my C++ source at 
http://milw0rm.com/exploits/2091). Since the first instruction of my little 
shellcode must come next, we have:
Third DWORD = DWORD at offset 0x4d66 in my PPT file = DWORD at address 
0x00133f7a when the PPT file is closed by PowerPoint = 0x7e3f1300

Yes! We can insert the little shellcode at offset 0x4d6a in my PPT file (it 
will be at address 0x00133f7e when the PPT file is closed). The problem is the 
length of this little shellcode :( It cannot hold many bytes. Well, if 
you insert 0x00000000 at offset 0x6900 of my PPT file (or Naveed Afzal's PPT 
file), you can modify the properties of this document without crashing 
PowerPoint. In the 9th line (web directory) of the properties, I insert a few 
hundred characters, which are stored in Unicode format at offset 0x1196 in my 
PPT file. You guessed it: the user shellcode can replace these characters. The 
problem is that this block of characters (or the user shellcode) is not always 
at the same address when you close the PPT file, but it is always in the same 
range [0x008b0000 - 0x008b5fff]. So the little shellcode must search for the 
user shellcode in this range. I insert the string "SCBG" (or any probably 
unique dword that will be stored in the range [0x008b0000 - 0x008b5fff]) just 
before the user shellcode at offset 0x1196 in my PPT file, so that the little 
shellcode can find the user shellcode and call it!!!
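As an added example (not part of this write-up or its C++ source), the following heuristic checks a file for the fixed-offset relationships described above, which a scanner or mail gateway could use to flag documents built this way; the offsets, the 0x00133f72 address and the "SCBG" tag are the ones quoted in the text for the French build, and the sample input is constructed, not a real PPT.

```python
# Added heuristic check (not from the original write-up): flags a file whose bytes
# match the layout described above for the French PowerPoint 2003 SP2 build.
import struct

OFF_ECX    = 0x6900   # dword that ends up in ecx at "mov [ecx+0x4c],ebx"
OFF_FIRST  = 0x4d5e   # first dword: must equal the ecx value
OFF_SECOND = 0x4d62   # second dword: 0x00000001 so "dec [ecx+4]; je" branches
OFF_THIRD  = 0x4d66   # third dword: target of "call dword ptr [eax+8]"
OFF_PROPS  = 0x1196   # where the long document-property string lands
STACK_LO, STACK_HI = 0x00126000, 0x00142FFF  # region holding the file copy
MARKER = b"SCBG"      # tag the write-up places in front of the payload


def u32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def scan(buf: bytes) -> list:
    """Return human-readable findings; an empty list means no match."""
    findings = []
    if len(buf) < OFF_ECX + 4:
        return findings                      # too short to carry the trigger
    ecx = u32(buf, OFF_ECX)
    first, second, third = (u32(buf, o) for o in (OFF_FIRST, OFF_SECOND, OFF_THIRD))
    in_region = STACK_LO <= ecx <= STACK_HI
    if in_region and first == ecx:
        findings.append("ecx value at 0x6900 repeated at 0x4d5e (self-referencing fake object)")
    if in_region and second == 1:
        findings.append("dword 0x00000001 at 0x4d62 (makes the dec/je branch taken)")
    if in_region and third == ecx + 0xC:
        findings.append("pointer at 0x4d66 targets the bytes right after it (ecx+0xc)")
    # The marker may be stored as raw bytes or as UTF-16LE property text.
    for enc in (MARKER, MARKER.decode().encode("utf-16-le")):
        if buf.find(enc, OFF_PROPS) != -1:
            findings.append("marker %r found in document-property area" % enc)
            break
    return findings


def constructed_sample() -> bytes:
    """Constructed test input (not a real PPT) reproducing the quoted values."""
    buf = bytearray(OFF_ECX + 4)
    ecx = 0x00133F72                        # address quoted for the French build
    struct.pack_into("<I", buf, OFF_ECX, ecx)
    struct.pack_into("<I", buf, OFF_FIRST, ecx)
    struct.pack_into("<I", buf, OFF_SECOND, 1)
    struct.pack_into("<I", buf, OFF_THIRD, ecx + 0xC)
    tag = MARKER.decode().encode("utf-16-le")
    buf[OFF_PROPS:OFF_PROPS + len(tag)] = tag
    return bytes(buf)


if __name__ == "__main__":
    for line in scan(constructed_sample()):
        print(line)
```

A benign file will normally fail the address-range test at 0x6900, so the three dword checks only fire together when the self-referencing structure is present.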




o: /(Hack is exciting !)\ :o

any question goes to john2jenny@hotmail.com
bye...

NSRocket