Microsoft Windows - '.doc' Malformed Pointers Denial of Service

EDB-ID:

3419

Author:

Marsu

Type:

dos

Platform:

Windows

Published:

2007-03-06

/*****************************************************************************\
*            Microsoft Windows .doc File Malformed Pointers DoS               *
*                                                                             *
*                                                                             *
*                                                                             *
* Just move your mouse on the file and explorer crashes. If it does not try   *
* to look at file properties.                                                 *
* Bug comes from Ole32.dll:                                                   *
* CMP DWORD PTR DS:[EAX+EBX],3 and we can set EAX, EDX and ESI with arbitrary *
* values.                                                                     *
*                                                                             *
* Check the file, magic offsets are                                           *
* 4460 -> EDX                                                                 *
* 4519 -> ESI                                                                 *
*                                                                             *
*                                                                             *
* Successfully tested on Windows 2000 SP4 FR and XP SP2 FR.                   *
*                                                                             *
*                Coded by Marsu <MarsupilamiPowa@hotmail.fr>                  *
\*****************************************************************************/

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/3419.tar (03062007-Explorer_Crasher.tar)

# milw0rm.com [2007-03-06]