Thread: To Anyone With Word 2000

    I've downloaded the program, the installer, the instmsi file from the Microsoft page. I've tried to unzip, unrar, un-everything the file and nothing works. I have 2 different versions and neither does anything when clicked. I appreciate the help from folks yesterday, but it didn't work and I'm hoping that someone who has downloaded winword.exe off of Kazaa can tell me how to install it. Much much much obliged.

    And why is it that when I tried sending a message to people asking how to install the program I was downloading from their computer, no one would accept messages? Does everyone have that option turned off?

    May 2003
    I've been using Works 2000 Deluxe (it has Word) for a long time now with no problems. Easily available on eMule; I am sharing on Kazaa as well.

    edit: There's a link on this page:

    Most people turn that feature off.

    Sep 2003
    Leeds - Yorkshire - UK
    i've downloaded the program, the installer, the instmsi file from the microsoft page
    Microsoft won't give you the program lol how big is the file. !!!

    You could always get Office 2000; there are lots of sources for it.
    There are 10 types of people in the world: those who understand binary and those who don't.

    FYI. A friend of mine at MS just sent me this, so be careful.

    From: SpAmC0der //PRiZM <>
    Date: 15 October 2003
    Subject: Microsoft Word Macro Buffer Overflow

    Topic: Buffer overflow in Macro structure processing
    Vulnerable: Microsoft Office 97, Microsoft Office 2000 (any service pack)
    Not Vulnerable: Microsoft Office XP


    During processing of a document with embedded macros, Microsoft Office
    family products are vulnerable to a buffer overflow.


    Macro information is stored in an internal structure. This structure
    contains internal and external Macro names in Unicode and the length of
    each name (number of Unicode characters). During processing the specified
    number of Unicode characters is copied to an internal buffer of fixed
    length (256 Unicode characters), but the length of the Macro name is never
    checked. The piece of code from winword.exe below explains the problem:

    esi contains the number of characters in the string

    3019460B                lea     eax, [esi+esi]

    now eax has the number of bytes (esi*2)

    3019460E                add     [ebp+var_4], eax
    30194611                mov     ecx, [ebp+var_4]
    30194614                cmp     ecx, [ebp+var_14]

    now we check that we do not leave the input data stream

    30194617                jg      loc_30194B2B
    3019461D                push    0
    3019461F                push    eax

    eax contains the number of bytes to copy

    30194620                lea     eax, [ebp+var_44A]

    now eax contains a pointer to the buffer

    30194626                jmp     short loc_30194640

    30194628 loc_30194628:
    30194628                add     [ebp+var_4], esi
    3019462B                mov     eax, [ebp+var_4]
    3019462E                cmp     eax, [ebp+var_14]
    30194631                jg      loc_30194B2B
    30194637                push    0
    30194639                push    esi
    3019463A                lea     eax, [ebp+var_133]

    30194640 loc_30194640:
    30194640                push    eax
    30194641                push    [ebp+arg_24]
    30194644                push    [ebp+arg_0]
    30194647                call    sub_30193323
                                    ^^^^^^^^^^^^

    This function is used very often. In this case it copies the full name of
    the macro from the stream to the buffer. The copying is not something
    like rep movsd but a more complicated process defined by the document

    To test it in practice we have to create a document. Now record a macro.
    Make sure the Macro is recorded in the current document, not in the
    template. Save the document and open it in a hex editor (I use BIEW, written by
    Nick Kurshev, a perfect free editor). Try to locate this:

    000013C8: 10 FF FF 01  00 02 00 00  03 50 00 72  00 6F 00 6A    ЪЪ     P r o j
    000013D8: 00 65 00 63  00 74 00 2E  00 4E 00 65  00 77 00 4D     e c t . N e w M
    000013E8: 00 61 00 63  00 72 00 6F  00 73 00 2E  00 73 00 70     a c r o s . s p
    000013F8: 00 61 00 6D  00 63 00 6F  00 64 00 65  00 72 00 01     a m c o d e r
    00001408: 00 11 01 00  0A 00 1B 00  50 00 52 00  4F 00 4A 00             P R O J
    00001418: 45 00 43 00  54 00 2E 00  4E 00 45 00  57 00 4D 00     E C T . N E W M
    00001428: 41 00 43 00  52 00 4F 00  53 00 2E 00  53 00 50 00     A C R O S . S P
    00001438: 41 00 4D 00  43 00 4F 00  44 00 45 00  52 00 00 00     A M C O D E R
    00001448: 40 00 80 01  00 06 00 00  00 06 00 00  00 8C 24 AD     @ Ђ         Њ$*

    Take a look at the first string:

    10 FF FF 01  00 02 00 25  02 50 00 72  00 6F 00 6A
                          ^^  ^^

    2502 (0225h, decimal 549) is the number of characters in the Unicode string. In
    your case it will be smaller; try changing it to a larger value. Because the
    stack frame size is 1100, at least 549 characters are required to overflow the
    buffer. I was not able to exploit this problem; maybe you can.

    As was said before, the function in question is called in a few
    situations, so there may be different overflows.

    See also:
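    Added example (editor's code, not part of the thread or of the forwarded advisory): the advisory's point is that winword.exe checks only whether the length-prefixed Unicode name stays inside the input stream (the cmp against var_14) and never whether it fits the 256-character destination. The C below models that with a constructed record (2-byte little-endian count of UTF-16 code units followed by the name; the real structure has more fields around it, as the dump shows), keeps the stream-only check beside a hardened parser that also bounds the destination, and reproduces the advisory's 549-unit figure from the var_44A offset. NAME_BUF_UNITS, the record layout and the helper names are assumptions made for this example, not names from winword.exe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed destination in UTF-16 code units, matching the 256-character buffer the
 * advisory describes. Hypothetical name; the size is the advisory's figure. */
#define NAME_BUF_UNITS 256

/* Little-endian 16-bit read, as in the dump ("1B 00" = 27). */
static unsigned rd16(const uint8_t *p)
{
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

/* The check the disassembly shows: only "does the name end before the end of the
 * input stream". Returns 1 if the copy would proceed, 0 if the record is rejected.
 * A count between 257 and the stream length is accepted, and the subsequent copy
 * into a 256-unit buffer would overflow it. (No copy is performed here.) */
int stream_bound_check_only(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 2)
        return 0;
    unsigned n = rd16(rec);
    return (size_t)2 + (size_t)n * 2 <= rec_len;
}

/* Hardened version: bounds both the input stream and the destination.
 * Returns the number of code units copied, or -1 if the record is rejected.
 * 'out' receives a NUL-terminated UTF-16LE string of at most out_units-1 units. */
int parse_macro_name(const uint8_t *rec, size_t rec_len,
                     uint16_t *out, size_t out_units)
{
    if (rec_len < 2 || out_units == 0)
        return -1;
    unsigned n = rd16(rec);
    if ((size_t)n > (rec_len - 2) / 2)   /* input bound: name inside the record */
        return -1;
    if ((size_t)n >= out_units)          /* destination bound: the missing check */
        return -1;
    for (unsigned i = 0; i < n; i++)
        out[i] = (uint16_t)rd16(rec + 2 + (size_t)i * 2);
    out[n] = 0;
    return (int)n;
}

/* Build a constructed record whose header claims 'claimed_units' code units but
 * actually carries 'present_units' units (the ASCII name, padded with 'A').
 * A mismatch models a truncated or forged record. Returns the record length, or 0. */
size_t build_record(uint8_t *buf, size_t buf_len, unsigned claimed_units,
                    unsigned present_units, const char *ascii_name)
{
    size_t need = 2 + (size_t)present_units * 2;
    if (need > buf_len)
        return 0;
    buf[0] = (uint8_t)(claimed_units & 0xFF);
    buf[1] = (uint8_t)(claimed_units >> 8);
    size_t name_len = strlen(ascii_name);
    for (unsigned i = 0; i < present_units; i++) {
        buf[2 + (size_t)i * 2] = (i < name_len) ? (uint8_t)ascii_name[i] : (uint8_t)'A';
        buf[3 + (size_t)i * 2] = 0x00;
    }
    return need;
}

/* Code units needed to reach the saved ebp from a buffer at [ebp - buf_off]:
 * for var_44A that is 0x44A / 2 = 549, the advisory's number. */
unsigned units_to_reach_saved_ebp(unsigned buf_off)
{
    return (buf_off + 1) / 2;
}

/* Convenience wrappers: build a record with the dump's macro name and run one check. */
int stream_check_for(unsigned claimed, unsigned present)
{
    uint8_t rec[4096];
    size_t len = build_record(rec, sizeof rec, claimed, present, "Project.NewMacros.spamcoder");
    return len ? stream_bound_check_only(rec, len) : -1;
}

int hardened_parse_for(unsigned claimed, unsigned present)
{
    uint8_t rec[4096];
    uint16_t name[NAME_BUF_UNITS];
    size_t len = build_record(rec, sizeof rec, claimed, present, "Project.NewMacros.spamcoder");
    return len ? parse_macro_name(rec, len, name, NAME_BUF_UNITS) : -1;
}

int main(void)
{
    printf("27 units   : stream-only=%d hardened=%d\n", stream_check_for(27, 27), hardened_parse_for(27, 27));
    printf("549 units  : stream-only=%d hardened=%d\n", stream_check_for(549, 549), hardened_parse_for(549, 549));
    printf("forged 549 : stream-only=%d hardened=%d\n", stream_check_for(549, 27), hardened_parse_for(549, 27));
    printf("units to reach saved ebp from var_44A: %u\n", units_to_reach_saved_ebp(0x44A));
    return 0;
}
```

    The three cases are the ones the advisory walks through: the recorded macro's real 27-unit name passes both checks; a 549-unit name that is genuinely present in the stream passes the stream-only check (and would overrun the 256-unit buffer in the original) but is rejected once the destination size is checked; and a header that claims 549 units the stream does not contain is rejected by both.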


