Microsoft Reader 2.1.1.3143 – Integer Overflow (1)

  • Author: Luigi Auriemma
    Date: 2011-04-12
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/17160/
  • Source: http://aluigi.org/adv/msreader_1-adv.txt
    
    #######################################################################
    
     Luigi Auriemma
    
    Application: Microsoft Reader
                 http://www.microsoft.com/reader
    Versions:    <= 2.1.1.3143 (PC version)
                 the Origami 2.6.1.7169 version doesn't seem vulnerable
                 the non-PC versions have not been tested
    Platforms:   Windows, Windows Mobile, Tablet PC and UMPC devices
    Bug:         integer overflow
    Date:        11 Apr 2011
    Author:      Luigi Auriemma
    e-mail:      aluigi@autistici.org
    web:         aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    Microsoft Reader is the software used to read and catalog ebooks in
    LIT format and the Audible audio books bought over the internet; its
    homepage also acts as an online store for this protected content.
    
    
    #######################################################################
    
    ======
    2) Bug
    ======
    
    
    The software is affected by an integer overflow in the handling of the
    number of pieces, a 32-bit field of the initial ITLS header at offset
    0x10. The count is shifted left by 4 and by 2 to size the two
    LocalAlloc buffers without any range check, as the following
    disassembly shows:
    
    0108306E |> 8B7B 68          MOV EDI,DWORD PTR DS:[EBX+68]
    01083071 >|. 8BF7            MOV ESI,EDI
    01083073 |. C1E6 04          SHL ESI,4
    01083076 |. 837D 08 00       CMP DWORD PTR SS:[EBP+8],0
    0108307A |. 7C 78            JL SHORT MSReader.010830F4
    0108307C |. 8BC7             MOV EAX,EDI
    0108307E |. C1E0 04          SHL EAX,4
    01083081 |. 50               PUSH EAX
    01083082 |. E8 A1870000      CALL MSReader.0108B828           ; LocalAlloc
    01083087 |. 85C0             TEST EAX,EAX
    01083089 |. 59               POP ECX
    0108308A |. 74 06            JE SHORT MSReader.01083092
    0108308C |. 4F               DEC EDI
    0108308D |. 897D 08          MOV DWORD PTR SS:[EBP+8],EDI
    01083090 |. EB 02            JMP SHORT MSReader.01083094
    01083092 |> 33C0             XOR EAX,EAX
    01083094 |> 8943 44          MOV DWORD PTR DS:[EBX+44],EAX
    01083097 |. 8B43 68          MOV EAX,DWORD PTR DS:[EBX+68]
    0108309A |. C1E0 02          SHL EAX,2
    0108309D |. 50               PUSH EAX
    0108309E |. E8 85870000      CALL MSReader.0108B828           ; LocalAlloc
    010830A3 |. 837B 44 00       CMP DWORD PTR DS:[EBX+44],0
    010830A7 |. 59               POP ECX
    010830A8 |. 8943 48          MOV DWORD PTR DS:[EBX+48],EAX
    010830AB |. 74 40            JE SHORT MSReader.010830ED
    010830AD |. 85C0             TEST EAX,EAX
    010830AF |. 74 3C            JE SHORT MSReader.010830ED
    010830B1 |. 8B4B 68          MOV ECX,DWORD PTR DS:[EBX+68]
    010830B4 |. C1E1 02          SHL ECX,2
    010830B7 |. 51               PUSH ECX
    010830B8 |. 6A 00            PUSH 0
    010830BA |. 50               PUSH EAX
    010830BB |. E8 0D6DFEFF      CALL MSReader.01069DCD           ; memset
    010830C0 |. 6A 28            PUSH 28
    010830C2 |. 8B43 3C          MOV EAX,DWORD PTR DS:[EBX+3C]
    010830C5 |. 59               POP ECX
    010830C6 |. 8D55 FC          LEA EDX,DWORD PTR SS:[EBP-4]
    010830C9 |. 8B38             MOV EDI,DWORD PTR DS:[EAX]
    010830CB |. 52               PUSH EDX
    010830CC |. 56               PUSH ESI
    010830CD |. 33D2             XOR EDX,EDX
    010830CF |. FF73 44          PUSH DWORD PTR DS:[EBX+44]
    010830D2 |. 52               PUSH EDX
    010830D3 |. 51               PUSH ECX
    010830D4 |. 50               PUSH EAX
    010830D5 |. FF57 0C          CALL DWORD PTR DS:[EDI+C]        ; ReadFile
    ...
    01082CD8 >|. 8B5E 68         MOV EBX,DWORD PTR DS:[ESI+68]
    01082CDB |> 8BC3             /MOV EAX,EBX
    01082CDD |. 4B               |DEC EBX
    01082CDE |. 85C0             |TEST EAX,EAX
    01082CE0 |. 74 1C            |JE SHORT MSReader.01082CFE
    01082CE2 |. 8B46 48          |MOV EAX,DWORD PTR DS:[ESI+48]
    01082CE5 |. 8B3C98           |MOV EDI,DWORD PTR DS:[EAX+EBX*4]
    01082CE8 |. 3BFD             |CMP EDI,EBP
    01082CEA |.^74 EF            |JE SHORT MSReader.01082CDB
    01082CEC |> 8B07             |/MOV EAX,DWORD PTR DS:[EDI]
    01082CEE |. 57               ||PUSH EDI
    01082CEF |. FF50 08          ||CALL DWORD PTR DS:[EAX+8]      ; exploitation
    ...
    010832D0 |> 8B4E 48          MOV ECX,DWORD PTR DS:[ESI+48]
    010832D3 |. 8BD8             MOV EBX,EAX
    010832D5 |. C1E3 02          SHL EBX,2
    010832D8 |. 8B3C19           MOV EDI,DWORD PTR DS:[ECX+EBX]
    010832DB |. 85FF             TEST EDI,EDI
    010832DD |. 74 0F            JE SHORT MSReader.010832EE
    010832DF |. 8B07             MOV EAX,DWORD PTR DS:[EDI]
    010832E1 |. 57               PUSH EDI
    010832E2 |. FF50 04          CALL DWORD PTR DS:[EAX+4]        ; exploitation
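    As an added illustration (not part of the advisory or of its PoC archive), this C program reproduces the unchecked `count << 4` / `count << 2` arithmetic seen in the listing above beside a checked version a parser should use instead; the header offsets come from the advisory, while the file-size bound, the function names and the sample headers are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the advisory: piece count at 0x10, secondary block size at 0x14. */
#define ITLS_PIECES_OFF 0x10
#define ITLS_HEADER_MIN 0x18

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Mirrors the vulnerable arithmetic: the count is shifted left by 4 and by 2
   in 32-bit registers with no range check, so both sizes wrap silently. */
uint32_t vuln_table16_size(uint32_t pieces) { return pieces << 4; }
uint32_t vuln_table4_size(uint32_t pieces)  { return pieces << 2; }

/* Hardened version: reject a count whose scaled size would wrap, and (an
   assumption of this example) a count whose 16-byte entries cannot all fit
   in the file. Returns the 16-byte table size, or 0 when rejected. */
uint32_t checked_table16_size(uint32_t pieces, size_t file_len) {
    if (pieces == 0 || pieces > UINT32_MAX / 16) return 0;  /* 16*pieces wraps */
    if ((uint64_t)pieces * 16 > file_len) return 0;          /* cannot fit in file */
    return pieces * 16;
}

/* Validate the count field of a header buffer before allocating anything. */
uint32_t header_table16_size(const uint8_t *hdr, size_t len) {
    if (len < ITLS_HEADER_MIN) return 0;
    return checked_table16_size(rd32le(hdr + ITLS_PIECES_OFF), len);
}

/* Constructed sample headers (not real LIT files): the "0200000098000000"
   fields quoted in the advisory, and the same header with a wrapping count. */
static const uint8_t GOOD_HDR[0x200] = { [0x10] = 0x02, 0x00, 0x00, 0x00, 0x98 };
static const uint8_t BAD_HDR[0x200]  = { [0x10] = 0x01, 0x00, 0x00, 0x40, 0x98 };

uint32_t good_header_pieces(void) { return header_table16_size(GOOD_HDR, sizeof GOOD_HDR); }
uint32_t bad_header_pieces(void)  { return header_table16_size(BAD_HDR, sizeof BAD_HDR); }

int main(void) {
    uint32_t wrap = rd32le(BAD_HDR + ITLS_PIECES_OFF);  /* 0x40000001 */
    printf("count 0x%08x: LocalAlloc(%u) / LocalAlloc(%u), checked -> %u\n",
           wrap, vuln_table16_size(wrap), vuln_table4_size(wrap), bad_header_pieces());
    printf("count 2: checked table size = %u bytes\n", good_header_pieces());
    return 0;
}
```

    With the wrapping count the unchecked code asks LocalAlloc for 16 and 4 bytes while the later loop still walks 0x40000001 entries; the checked version refuses the header outright.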
    
    There are some things to consider when exploiting the vulnerability.
    A minimal heap spray is possible because the pieces (the count involved
    in the integer overflow) or the secondary data block, whose size is
    specified at offset 0x14, are loaded into memory correctly.
    So the exploit must be tuned to have a chance of EAX (or another
    register, since there is also a second location for the exploitation)
    pointing to our code.
    
    I have provided two examples written from scratch that show how the
    first field (number of pieces) and the second field (0200000098000000...)
    are used for loading data.
    This simple technique can also help in exploiting the other
    vulnerabilities reported in this software.
    
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    http://aluigi.org/poc/msreader_1.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17160.zip
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################