Source: http://aluigi.org/adv/msreader_3-adv.txt
#######################################################################
Luigi Auriemma

Application:  Microsoft Reader
              http://www.microsoft.com/reader
Versions:     <= 2.1.1.3143 (PC version)
              <= 2.6.1.7169 (Origami version)
              the non-PC versions have not been tested
Platforms:    Windows, Windows Mobile, Tablet PC and UMPC devices
Bug:          integer overflow
Date:         11 Apr 2011
Author:       Luigi Auriemma
e-mail:       aluigi@autistici.org
web:          aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Microsoft Reader is the software needed to read and catalog ebooks in the
LIT format and the Audible audio books bought over the internet; its
homepage also acts as an online store for this protected content.
#######################################################################
======
2) Bug
======
Heap overflow caused by a memmove whose length is controlled by the file:
0107100D  /$ 55              PUSH EBP
0107100E  |. 8BEC            MOV EBP,ESP
01071010  |. 83EC 38         SUB ESP,38
01071013  |. 8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
01071016  |. 53              PUSH EBX
01071017  |. 8B5D 14         MOV EBX,DWORD PTR SS:[EBP+14]
0107101A  |. 56              PUSH ESI
0107101B  |. 8B40 20         MOV EAX,DWORD PTR DS:[EAX+20]
0107101E  |. 57              PUSH EDI
0107101F  |. 3B58 2C         CMP EBX,DWORD PTR DS:[EAX+2C]
01071022  |. 72 07           JB SHORT msreader.0107102B
01071024  |. 33C0            XOR EAX,EAX
01071026  |. E9 38020000     JMP msreader.01071263
0107102B  |> 8BF3            MOV ESI,EBX
0107102D  |. 8B40 20         MOV EAX,DWORD PTR DS:[EAX+20]       ; 0x00002000
01071030  |. C1E6 05         SHL ESI,5
01071033  |. 0375 10         ADD ESI,DWORD PTR SS:[EBP+10]
01071036  |. 83E8 10         SUB EAX,10                          ; 0x00001ff0
01071039  |. 8945 F0         MOV DWORD PTR SS:[EBP-10],EAX
0107103C  |. 8B7E 08         MOV EDI,DWORD PTR DS:[ESI+8]
0107103F  |. 8B4E 14         MOV ECX,DWORD PTR DS:[ESI+14]
01071042  |. 894D F4         MOV DWORD PTR SS:[EBP-C],ECX
01071045  |. 8B57 04         MOV EDX,DWORD PTR DS:[EDI+4]
01071048  |. 8955 EC         MOV DWORD PTR SS:[EBP-14],EDX
0107104B  |. 8D5439 10       LEA EDX,DWORD PTR DS:[ECX+EDI+10]
0107104F  |. 8955 FC         MOV DWORD PTR SS:[EBP-4],EDX
01071052  |. 33D2            XOR EDX,EDX
01071054  |. 3BDA            CMP EBX,EDX
01071056  |. 8B5D 0C         MOV EBX,DWORD PTR SS:[EBP+C]
01071059  |. 8955 F8         MOV DWORD PTR SS:[EBP-8],EDX
0107105C  |. 75 2D           JNZ SHORT msreader.0107108B
0107105E  |. 8B4D 08         MOV ECX,DWORD PTR SS:[EBP+8]
01071061  |. 8345 FC 20      ADD DWORD PTR SS:[EBP-4],20
01071065  |. 83E8 20         SUB EAX,20                          ; 0x00001fd0
01071068  |. 3951 38         CMP DWORD PTR DS:[ECX+38],EDX
0107106B  |. 8945 F0         MOV DWORD PTR SS:[EBP-10],EAX
0107106E  |. 74 2E           JE SHORT msreader.0107109E
01071070  |. FF73 0C         PUSH DWORD PTR DS:[EBX+C]
01071073  |. 8D45 E4         LEA EAX,DWORD PTR SS:[EBP-1C]
01071076  |. 50              PUSH EAX
01071077  |. E8 E7450100     CALL msreader.01085663
0107107C  |. 59              POP ECX
0107107D  |. 59              POP ECX
0107107E  |. 8D4D E4         LEA ECX,DWORD PTR SS:[EBP-1C]
01071081  |. 2BC1            SUB EAX,ECX
01071083  |. 8945 F8         MOV DWORD PTR SS:[EBP-8],EAX
01071086  |. 8B45 F0         MOV EAX,DWORD PTR SS:[EBP-10]
01071089  |. EB 13           JMP SHORT msreader.0107109E
0107108B  |> 3955 18         CMP DWORD PTR SS:[EBP+18],EDX
0107108E  |. 74 0E           JE SHORT msreader.0107109E
01071090  |. 8B56 1C         MOV EDX,DWORD PTR DS:[ESI+1C]
01071093  |. 0356 18         ADD EDX,DWORD PTR DS:[ESI+18]
01071096  |. 03CA            ADD ECX,EDX
01071098  |. 0155 FC         ADD DWORD PTR SS:[EBP-4],EDX
0107109B  |. 894D F4         MOV DWORD PTR SS:[EBP-C],ECX
0107109E  |> 8B4B 0C         MOV ECX,DWORD PTR DS:[EBX+C]
010710A1  |. 034B 08         ADD ECX,DWORD PTR DS:[EBX+8]
010710A4  |. 034D F8         ADD ECX,DWORD PTR SS:[EBP-8]
010710A7  |. 3B4D EC         CMP ECX,DWORD PTR SS:[EBP-14]
010710AA  |. 894D 0C         MOV DWORD PTR SS:[EBP+C],ECX
010710AD  |. 0F87 61010000   JA msreader.01071214
010710B3  |. 2B45 EC         SUB EAX,DWORD PTR SS:[EBP-14]       ; subtract AOLL size
010710B6  |. 2B45 F4         SUB EAX,DWORD PTR SS:[EBP-C]        ; subtract the size at the end of the chunk
010710B9 >|. 74 24           JE SHORT msreader.010710DF
010710BB  |. 50              PUSH EAX
010710BC  |. 8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
010710BF  |. 03C8            ADD ECX,EAX
010710C1  |. 50              PUSH EAX
010710C2  |. 51              PUSH ECX
010710C3  |. E8 103C0200     CALL <JMP.&MSVCRT.memmove>          ; memmove
So, by controlling the 32-bit value after the AOLL tag and/or the 16-bit
one at the end of the chunk (offset 0x23ba in the provided PoC), it is
possible to trigger the integer overflow and make memmove copy an
arbitrary amount of data.
In the proof-of-concept I have set the number of bytes to move to
0xffffffff for a quick and easy demonstration.
Modified bytes in the proof-of-concept:

  000003DC  2B  6A   ; little-endian 32-bit value
  000003DD  17  18
From offset 0xb6e to 0x23b0 I have replaced the original data with a
sequence of 'A's.
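The length arithmetic from the listing, modeled as an added C example (not code from the advisory or from Microsoft Reader) beside a checked version that rejects the chunk instead of wrapping. The chunk size 0x2000, the 0x10 and 0x20 adjustments, and the roles of the two sizes are taken from the listing and its comments; everything else (function names, the sample sizes) is assumed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Chunk size read at [EAX+20] in the listing (0x2000). */
#define CHUNK_SIZE 0x2000u

/* Bytes available for payload in the chunk: CHUNK_SIZE - 0x10, and a
 * further 0x20 less on the first-record path (EBX == 0 in the listing). */
static uint32_t available(bool first_record)
{
    uint32_t avail = CHUNK_SIZE - 0x10;   /* 0x1ff0 */
    if (first_record)
        avail -= 0x20;                    /* 0x1fd0 */
    return avail;
}

/* Vulnerable computation, modeled on the listing: both file-controlled
 * sizes are subtracted from the available space with no range check, so
 * the unsigned result wraps and becomes the memmove length. */
uint32_t vulnerable_move_len(uint32_t aoll_size, uint16_t end_size,
                             bool first_record)
{
    uint32_t len = available(first_record);
    len -= aoll_size;   /* "subtract AOLL size" */
    len -= end_size;    /* "subtract the size at the end of the chunk" */
    return len;         /* wraps towards 0xffffffff when sizes exceed avail */
}

/* Checked version (hypothetical fix, not vendor code): validate both sizes
 * against the available space before subtracting. Returns 0 on success
 * and -1 when the chunk must be rejected. */
int checked_move_len(uint32_t aoll_size, uint16_t end_size,
                     bool first_record, uint32_t *out)
{
    uint32_t avail = available(first_record);
    if (aoll_size > avail || end_size > avail - aoll_size)
        return -1;      /* reject instead of wrapping */
    *out = avail - aoll_size - end_size;
    return 0;
}

int main(void)
{
    uint32_t len = 0;
    /* Constructed input: an AOLL size one byte past the available space. */
    printf("vulnerable length: 0x%08x\n", vulnerable_move_len(0x1fd1, 0, true));
    printf("checked result: %d\n", checked_move_len(0x1fd1, 0, true, &len));
    return 0;
}
```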
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/msreader_3.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17162.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################