To Anyone With Word 2000 [Archive]

patochan

10-15-2003, 01:20 AM

i've downloaded the program, the installer, the instmsi file from the microsoft page, i've tried to unzip, unrar, un-everything the file and nothing works. i have 2 different versions and neither does anything when clicked. i appreciate the help from folks yesterday, but it didn't work and i'm hoping that someone who has downloaded winword.exe off of kazaa can tell me how to install it. much much much obliged.

and why is it that when i tried sending a message to people asking how to install the program i was downloading from their computer, no one would accept messages? does everyone have that option turned off?

razorsharp013

10-15-2003, 01:24 AM

I've been using Works 2000 Deluxe, (it has Word), for a long time now with no problems. Easily available on eMule, I am sharing on Kazaa as well.

edit: There's a link on this page: http://www.klboard.ath.cx/index.php?showtopic=68713

I.am

10-15-2003, 02:49 AM

Most people turn that feature off.

cwctv

10-16-2003, 05:21 PM

i've downloaded the program, the installer, the instmsi file from the microsoft page
Microsoft won't give you the program lol how big is the file. !!!

ObiWan

10-16-2003, 07:17 PM

you could always get office 2000 there are lots of sources for it

nikita69

10-16-2003, 08:15 PM

FYI. A friend of mine at ms just send me this. so be careful. :)

From:  SpAmC0der //PRiZM <roman2_@_inbox.ru>
To:
Date: 15 октября 2003 г.
Subject: Microsoft Word Macro Buffer Overflow

Topic: Buffer overflow on Macro structure processing
[b]Vulnerable: Microsoft Office 97, Microsoft Office 2000 (any service pack)[b]
Not Vulnerable: Microsoft Office XP

Description:

During  processing  of  document  with  embedded macros Microsoft Office
family products are vulnerable to buffer overflow.

Details:

Macros  information  is  stored  in  internal  struture.  This structure
contains  internal  and  external  Macro names in Unicode and length for
each  name  (number  of Unicode characters). During processing specified
number  of  Unicode  characters  is  copied  to internal buffer of fixed
length  (256  Unicode  characters),  but  length  of Macro name is never
checked. A part of code from winword.exe below explains the problem:

esi contains number of characters from string

3019460B                lea    eax, [esi+esi]

now eax has number of bytes (esi*2)

3019460E                add    [ebp+var_4], eax
30194611                mov    ecx, [ebp+var_4]
30194614                cmp    ecx, [ebp+var_14]

now we check if we do not leave input stream of data:(?)

30194617                jg      loc_30194B2B
3019461D                push    0
3019461F                push    eax

eax contains number of bytes to copy

30194620                lea    eax, [ebp+var_44A]

now eax contains pointer to buffer

30194626                jmp    short loc_30194640

30194628 loc_30194628:
30194628                add    [ebp+var_4], esi
3019462B                mov    eax, [ebp+var_4]
3019462E                cmp    eax, [ebp+var_14]
30194631                jg      loc_30194B2B
30194637                push    0
30194639                push    esi
3019463A                lea    eax, [ebp+var_133]

30194640 loc_30194640:
30194640                push    eax
30194641                push    [ebp+arg_24]
30194644                push    [ebp+arg_0]
30194647                call    sub_30193323
                                ^^^^^^^^^^^^

This  function is used very often :) In this case it copies full name of
the  macro  from stream to buffer. In this case copying is not something
like  rep  movsd  but  is  more  complicated process defined by document
structure.

To  test  it  in practice we have to create document. Now, record macro.
Make  sure  Macro  is  recorded  in  current document, not in normal.dot
template. Save document and open it in hex editor (I use BIEW Written by
Nick Kurshev, perfect free editor). Try to locate this:

000013C8: 10 FF FF 01  00 02 00 00  03 50 00 72  00 6F 00 6A    ЪЪ   P r o j
000013D8: 00 65 00 63  00 74 00 2E  00 4E 00 65  00 77 00 4D    e c t . N e w M
000013E8: 00 61 00 63  00 72 00 6F  00 73 00 2E  00 73 00 70    a c r o s . s p
000013F8: 00 61 00 6D  00 63 00 6F  00 64 00 65  00 72 00 01    a m c o d e r
00001408: 00 11 01 00  0A 00 1B 00  50 00 52 00  4F 00 4A 00      P R O J
00001418: 45 00 43 00  54 00 2E 00  4E 00 45 00  57 00 4D 00    E C T . N E W M
00001428: 41 00 43 00  52 00 4F 00  53 00 2E 00  53 00 50 00    A C R O S . S P
00001438: 41 00 4D 00  43 00 4F 00  44 00 45 00  52 00 00 00    A M C O D E R
00001448: 40 00 80 01  00 06 00 00  00 06 00 00  00 8C 24 AD    @ Ђ     Њ$

Take a look into first string:

10 FF FF 01  00 02 00 25  02 50 00 72  00 6F 00 6A
                      ^^  ^^

2502  (0225h, decimal 549) is number of characters in Unicode string. In
you  case  it will be smaller, try to change it on larger value. Because
stack  frame  size  is  1100  to overflow buffer at least 549 characters
required. I was not able to exploit this problem, may be you can.

As  it  was  told  before,  function  in  question  is  called  in  few
situations, so there are may be different overflows.

См. так же: