The file I have attached is a very basic two stage bug. stage 1 (the
first mod) forces the code down a wrong path. the second mod by
itsself is harmless, however when used with the first it will be the
first and part of the second overwrite.
I have use 41414141 as a marker to make it easier for you to see.
I have made it crash the wordviewer again to make it more obvious
value : 00000022 - just so it crashes, values 00000001 -> 00000006
are probably the most useful for trying to overwrite a pointer. notice
that neighbouring areas can be weighted the same.
value : 41414141
the weight destination address == ((weight * 4[this is EDI]) + 4 [ECX*4]) + source memory offest[ESI].
[also the meta data is microsofts, not mine]
poc: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/2922.doc (12122006-djtest.doc)
# milw0rm.com [2006-12-12]