Full Disclosure mailing list archives

Re: 2x 0day Microsoft Windows Excel
From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Thu, 12 Jan 2006 23:26:43 +0100

I was joking, you know, this hole is a fake but shhh ;)

Amit Sharma wrote:
ad, don't you think it would be a good idea if you either post your
PoC with complete details otherwise do not post it. I mean from the
"excel_like_hell.swf" demo, I do not see anything that one would

I can see that a xls file is created and on opening it (as per the
demo), it makes a registry entry. Now how true is this? If you are
posting no more info here, then how is it going to help us? Otherwise,
what was the intent of the post?

- Amit

"ad () heapoverflow com" <ad () heapoverflow com> wrote:

I have got many questions about the severity of the bug, you can
see a demo yourself here:


ms will fix this issue soon I'm sure, for me, job done, bye :>

ad () heapoverflow com wrote:
after many hours working on excel I have found a critical exploitable
excel bug. This is not a stack bof nor a heap bof, a bug
extremely hard to find and trigger, but it leads excel to
execute arbitrary code while opening a malicious .xls file.

note: the bug isn't related to both excel dos that I have already
published but looks similar to a null pointer bug at a first
look. much info won't be disclosed publicly or privately and
this will be transmitted to ms before the spyware losers catch
it :)

I have said so, these are only null pointer bugs but the way I
trigger the bug might be modded for a remote code execution,
who knows, I'm not a guru and maybe did an error triggering
the flaw who knows :) but I bet many are already researching
on this hehe, happy job!

Let's go on the fast publishing :) I won't bother to message
microsoft about this because they won't patch it for sure,
given that they can't patch fully exploitable bugs in a
decent time, they do not patch IE dos
(http://heapoverflow.com/IEcrash.htm), so no way to bother
them, we should let them sleep a bit shhh ;)

Bug 1 and Bug 2 are quite similar but NOT the same, both are null
pointer bugs. In bug 1 you should mod a graphic's pointer to
point to a bad area, and in bug 2 you should null out the
size of the page name.

attached are the 2 pocs, or here are direct links




AD [at] heapoverflow.com

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
