View Full Version : To Anyone With Word 2000
patochan
10-15-2003, 01:20 AM
I've downloaded the program, the installer, the instmsi file from the Microsoft page; I've tried to unzip, unrar, un-everything the file and nothing works. I have 2 different versions and neither does anything when clicked. I appreciate the help from folks yesterday, but it didn't work and I'm hoping that someone who has downloaded winword.exe off of Kazaa can tell me how to install it. Much much much obliged.
And why is it that when I tried sending a message to people asking how to install the program I was downloading from their computer, no one would accept messages? Does everyone have that option turned off?
razorsharp013
10-15-2003, 01:24 AM
I've been using Works 2000 Deluxe (it has Word) for a long time now with no problems. Easily available on eMule; I am sharing it on Kazaa as well.
edit: There's a link on this page: http://www.klboard.ath.cx/index.php?showtopic=68713
Most people turn that feature off.
cwctv
10-16-2003, 05:21 PM
I've downloaded the program, the installer, the instmsi file from the Microsoft page
Microsoft won't give you the program lol. How big is the file?!!
ObiWan
10-16-2003, 07:17 PM
You could always get Office 2000; there are lots of sources for it.
nikita69
10-16-2003, 08:15 PM
FYI. A friend of mine at MS just sent me this, so be careful. :)
From: SpAmC0der //PRiZM <roman2_@_inbox.ru>
To:
Date: 15 October 2003
Subject: Microsoft Word Macro Buffer Overflow
Topic: Buffer overflow on Macro structure processing
Vulnerable: Microsoft Office 97, Microsoft Office 2000 (any service pack)
Not Vulnerable: Microsoft Office XP
Description:
During processing of a document with embedded macros, Microsoft Office
family products are vulnerable to a buffer overflow.
Details:
Macro information is stored in an internal structure. This structure
contains the internal and external macro names in Unicode and the length of
each name (number of Unicode characters). During processing, the specified
number of Unicode characters is copied to an internal buffer of fixed
length (256 Unicode characters), but the length of the macro name is never
checked. The piece of code from winword.exe below explains the problem:
; esi contains the number of characters in the string
3019460B lea eax, [esi+esi]
; now eax holds the number of bytes (esi*2)
3019460E add [ebp+var_4], eax
30194611 mov ecx, [ebp+var_4]
30194614 cmp ecx, [ebp+var_14]
; now we check that we do not run past the input data stream (?)
30194617 jg loc_30194B2B
3019461D push 0
3019461F push eax
; eax contains the number of bytes to copy
30194620 lea eax, [ebp+var_44A]
; now eax contains the pointer to the buffer
30194626 jmp short loc_30194640
30194628 loc_30194628:
30194628 add [ebp+var_4], esi
3019462B mov eax, [ebp+var_4]
3019462E cmp eax, [ebp+var_14]
30194631 jg loc_30194B2B
30194637 push 0
30194639 push esi
3019463A lea eax, [ebp+var_133]
30194640 loc_30194640:
30194640 push eax
30194641 push [ebp+arg_24]
30194644 push [ebp+arg_0]
30194647 call sub_30193323
              ^^^^^^^^^^^^
This function is used very often :) In this case it copies the full name of
the macro from the stream to the buffer. Here the copying is not something
like rep movsd but a more complicated process defined by the document
structure.
To test it in practice we have to create a document. Now, record a macro.
Make sure the macro is recorded in the current document, not in the normal.dot
template. Save the document and open it in a hex editor (I use BIEW, written by
Nick Kurshev, a perfect free editor). Try to locate this:
000013C8: 10 FF FF 01 00 02 00 00 03 50 00 72 00 6F 00 6A ЪЪ P r o j
000013D8: 00 65 00 63 00 74 00 2E 00 4E 00 65 00 77 00 4D e c t . N e w M
000013E8: 00 61 00 63 00 72 00 6F 00 73 00 2E 00 73 00 70 a c r o s . s p
000013F8: 00 61 00 6D 00 63 00 6F 00 64 00 65 00 72 00 01 a m c o d e r
00001408: 00 11 01 00 0A 00 1B 00 50 00 52 00 4F 00 4A 00 P R O J
00001418: 45 00 43 00 54 00 2E 00 4E 00 45 00 57 00 4D 00 E C T . N E W M
00001428: 41 00 43 00 52 00 4F 00 53 00 2E 00 53 00 50 00 A C R O S . S P
00001438: 41 00 4D 00 43 00 4F 00 44 00 45 00 52 00 00 00 A M C O D E R
00001448: 40 00 80 01 00 06 00 00 00 06 00 00 00 8C 24 AD @ Ђ Њ$
Take a look at the first string:
10 FF FF 01 00 02 00 25 02 50 00 72 00 6F 00 6A
^^ ^^
2502 (0225h, decimal 549) is the number of characters in the Unicode string. In
your case it will be smaller; try changing it to a larger value. Because the
stack frame size is 1100, at least 549 characters are required to overflow the
buffer. I was not able to exploit this problem, maybe you can.
As was said before, the function in question is called in a few
situations, so there may be different overflows.
See also:
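As an added defensive illustration, not part of the advisory or of winword.exe: a C reader for a length-prefixed UTF-16 name record that keeps the input-stream bound check visible in the listing (the cmp/jg) and adds the 256-character buffer check the advisory says is missing. The record layout, the function names and the 'a'-filled test record are assumptions made for this example; the real Word macro structure is not documented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_NAME_CHARS 256  /* the fixed 256-unit UTF-16 buffer named in the advisory */

enum name_copy_result {
    NAME_OK = 0,
    NAME_ERR_TRUNCATED_STREAM = -1,  /* length field runs past the input stream */
    NAME_ERR_TOO_LONG = -2           /* name would not fit the 256-unit buffer */
};

/* Assumed record layout for this illustration (the real Word structure is not
 * documented on this page): [uint16 LE character count][count * 2 bytes UTF-16LE]. */
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }

/* Hardened reader: keeps the stream-bound check seen in the listing (cmp/jg) and adds
 * the buffer-capacity check the advisory says winword.exe never performs. */
int read_macro_name_checked(const uint8_t *stream, size_t stream_len,
                            uint16_t out[MAX_NAME_CHARS], size_t *out_chars)
{
    if (stream_len < 2) return NAME_ERR_TRUNCATED_STREAM;
    size_t nchars = rd16le(stream);
    size_t nbytes = nchars * 2;                  /* "lea eax, [esi+esi]" */
    if (nbytes > stream_len - 2) return NAME_ERR_TRUNCATED_STREAM; /* input-stream bound */
    if (nchars >= MAX_NAME_CHARS) return NAME_ERR_TOO_LONG;        /* the missing check */
    memcpy(out, stream + 2, nbytes);
    out[nchars] = 0;                             /* NUL-terminate within the buffer */
    *out_chars = nchars;
    return NAME_OK;
}

/* Constructed test input: a length field followed by nchars copies of 'a' as UTF-16LE.
 * Returns the number of bytes written, or 0 if buf cannot hold the record. */
size_t build_test_record(uint8_t *buf, size_t cap, uint16_t nchars)
{
    size_t need = 2 + (size_t)nchars * 2;
    if (cap < need) return 0;
    buf[0] = (uint8_t)(nchars & 0xFF);
    buf[1] = (uint8_t)(nchars >> 8);
    for (size_t i = 0; i < nchars; i++) {
        buf[2 + 2 * i] = 'a';
        buf[3 + 2 * i] = 0;
    }
    return need;
}
```

A record claiming the advisory's 549 characters is rejected by the capacity check before any copy happens, and a record whose length field exceeds the bytes actually present is rejected by the stream check first.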