Adobe Reader 10.1.4 – JP2KLib&CoolType Crash (PoC)

  • Author: coolkaveh
    Date: 2012-11-21
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/22878/
  • Title: Adobe Reader 10.1.4 JP2KLib&CoolType WriteAV Vulnerability
    Version: 10.1.4.38
    Date: 2012-11-20
    Vendor: http://www.adobe.com/
    Impact: Med/High
    Contact: coolkaveh [at] rocketmail.com
    Twitter: @coolkaveh
    Tested: XP SP3 ENG
    Author: coolkaveh
    ================================================================================
    Thanks to @Binjo and others for all support and help
    ================================================================================
    Details:
    ================================================================================
    The parsing routine is really complicated :D
    Write AV caused by some kind of improperly initialized array.
    But the parameters of memmove, the counter
    and the destination pointer, seem controllable with data from the FlateDecoded stream.
    The weird thing is that the FlateDecode stream can't be decoded properly
    via zlib.decompress, but Adobe seems to decode it correctly.
    esi points to a 0x10-byte buffer, which contains words or dwords calculated
    from the decoded data; after some integrity checks it reaches the memmove.
    .text:08088FCE    mov     eax, esi                        ; jumptable 08087D44 case 8
    .text:08088FD0    lea     ecx, [ebp+64h+var_1E0]
    .text:08088FD6    sub     eax, ecx
    .text:08088FD8    and     eax, 0FFFFFFFCh
    .text:08088FDB    cmp     eax, 10h
    .text:08088FDE    jl      loc_8088496                     ; jumptable 08087D2D cases 0,2
    .text:08088FE4    push    4
    .text:08088FE6    pop     eax
    .text:08088FE7    sub     esi, eax
    .text:08088FE9    movsx   edi, word ptr [esi+2]           ; ff6b -> ffffff6b
    .text:08088FED    sub     esi, eax
    .text:08088FEF    movsx   ecx, word ptr [esi+2]           ; 0
    .text:08088FF3    sub     esi, eax
    .text:08088FF5    movsx   edx, word ptr [esi+2]           ; 0
    .text:08088FF9    sub     esi, eax
    .text:08088FFB    mov     eax, [ebx+358h]
    .text:08089001    mov     [ebp+64h+var_68], edx
    .text:08089004    movsx   edx, word ptr [esi+2]           ; 0
    .text:08089008    mov     [ebp+64h+var_88], ecx
    .text:0808900B    mov     [ebp+64h+var_98], edx           ; index
    [...]
    .text:0808906A    cmp     edx, 3                          ; var_98, can't be greater than 3
    .text:0808906D    ja      loc_8087D00                     ; jumptable 08087D7F case 2
    .text:08089073    test    ecx, ecx
    .text:08089075    jl      loc_8087D00                     ; jumptable 08087D7F case 2
    .text:0808907B    add     ecx, edi
    .text:0808907D    cmp     ecx, [ebx+360h]
    .text:08089083    jg      loc_8087D00                     ; jumptable 08087D7F case 2
    .text:08089089    mov     ecx, [ebp+64h+var_68]
    .text:0808908C    test    ecx, ecx
    .text:0808908E    jl      loc_8087D00                     ; jumptable 08087D7F case 2
    .text:08089094    add     ecx, edi
    .text:08089096    cmp     ecx, [ebx+edx*8+38Ch]
    .text:0808909D    jg      loc_8087D00                     ; jumptable 08087D7F case 2
    .text:080890A3    mov     ecx, edi
    .text:080890A5    shl     ecx, 2
    .text:080890A8    push    ecx                             ; size_t
    .text:080890A9    mov     ecx, [ebp+64h+var_88]
    .text:080890AC    lea     eax, [eax+ecx*4]
    .text:080890AF    mov     ecx, [ebp+64h+var_68]
    .text:080890B2    push    eax                             ; void *
    .text:080890B3    mov     eax, [ebp+64h+var_98]
    .text:080890B6    mov     eax, [ebx+eax*8+390h]           ; ebx+390h seems to be an array pointer
    .text:080890BD
    .text:080890BD loc_80890BD:                               ; CODE XREF: sub_80875AE+1A1B
    .text:080890BD    lea     eax, [eax+ecx*4]
    .text:080890C0    push    eax                             ; void *
    .text:080890C1    call    ds:memmove
    
    Here, ecx points to the buffer holding the data the routine parses.
    
    .text:0808B103    cmp     eax, 0FEh
    .text:0808B108    jg      short loc_808B12A
    .text:0808B10A    movzx   edx, byte ptr [ecx]             ; byte ptr [ecx] = 0x29
    .text:0808B10D    add     eax, 0FFFFFF05h
    .text:0808B112    shl     eax, 8
    .text:0808B115    inc     ecx
    .text:0808B116    mov     [ebp+64h+var_78], ecx
    .text:0808B119    push    0FFFFFF94h
    .text:0808B11B    or      eax, edx
    .text:0808B11D    pop     ecx
    .text:0808B11E    sub     ecx, eax
    .text:0808B120    shl     ecx, 10h
    .text:0808B123    mov     [esi], ecx                      ; ecx = ff6b
    .text:0808B125    jmp     loc_80889B5
    
    This issue needs more investigation, so
    stay in touch.
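The checks in the first listing compare `offset + count` against an upper bound but never test the sign of `count` itself, which is loaded with `movsx` from a 16-bit word. The following added example (written for this page, not Adobe's code) models that check sequence in C to show the consequence: the word 0xff6b sign-extends to -149, passes both bound checks, and after `shl ecx, 2` becomes a byte size of 0xfffffdac, i.e. 0x3fffff6b dwords, which matches the ecx value in the first crash dump. The field names, the limit values and the 16-byte input buffer are assumptions constructed for the demonstration; the listing only shows stack slots and structure offsets. A hardened variant of the check is shown beside it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values the listing pulls out of the 0x10-byte buffer with movsx.
 * The field names are assumptions made for this example. */
typedef struct {
    int32_t count;    /* edi:    element count, shl 2 later gives the byte size */
    int32_t src_off;  /* var_88: element offset into the source buffer */
    int32_t dst_off;  /* var_68: element offset into the destination array */
    int32_t index;    /* var_98: which destination array, must be <= 3 */
} params_t;

/* Limits the checks compare against ([ebx+360h] and [ebx+edx*8+38Ch]).
 * Constructed for this example; their real origin is not visible in the listing. */
typedef struct {
    int32_t src_limit;
    int32_t dst_limit[4];
} limits_t;

/* movsx of a little-endian word: 0xff6b becomes -149, as the listing's comment notes. */
static int32_t read_sx16(const uint8_t *p) {
    uint32_t w = (uint32_t)p[0] | ((uint32_t)p[1] << 8);
    return (w & 0x8000u) ? (int32_t)w - 0x10000 : (int32_t)w;
}

/* esi starts at the end of the buffer and steps back 4 bytes before each
 * read of "word ptr [esi+2]", so the words come from offsets 14, 10, 6, 2. */
static params_t decode_params(const uint8_t buf[16]) {
    params_t p;
    p.count   = read_sx16(buf + 14);
    p.src_off = read_sx16(buf + 10);
    p.dst_off = read_sx16(buf + 6);
    p.index   = read_sx16(buf + 2);
    return p;
}

/* 32-bit wrapping add, mirroring "add ecx, edi" without signed-overflow UB. */
static int32_t add32(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* The integrity checks as they appear in the listing. Returns true when the
 * memmove would be reached and stores the byte size that would be passed to it. */
static bool original_check(const params_t *p, const limits_t *l, uint32_t *size) {
    if ((uint32_t)p->index > 3) return false;                        /* cmp edx,3 ; ja  */
    if (p->src_off < 0) return false;                                /* test ecx,ecx ; jl */
    if (add32(p->src_off, p->count) > l->src_limit) return false;    /* add ; cmp ; jg  */
    if (p->dst_off < 0) return false;
    if (add32(p->dst_off, p->count) > l->dst_limit[p->index]) return false;
    /* count is never checked for sign: a negative count lowers the sum, so it
     * passes both upper-bound checks, then "shl ecx, 2" turns it into a huge size. */
    *size = (uint32_t)p->count << 2;
    return true;
}

/* Hardened variant: reject a negative count and compare without wrapping. */
static bool hardened_check(const params_t *p, const limits_t *l, uint32_t *size) {
    if ((uint32_t)p->index > 3) return false;
    if (p->count < 0) return false;
    if (p->src_off < 0 || p->src_off > l->src_limit) return false;
    if (p->count > l->src_limit - p->src_off) return false;
    if (p->dst_off < 0 || p->dst_off > l->dst_limit[p->index]) return false;
    if (p->count > l->dst_limit[p->index] - p->dst_off) return false;
    *size = (uint32_t)p->count << 2;
    return true;
}

/* Constructed input: count word 0xff6b as in the listing, all other words 0. */
static const uint8_t kCrashBuf[16] = {
    0, 0, 0x00, 0x00,   /* offset  2: index   = 0 */
    0, 0, 0x00, 0x00,   /* offset  6: dst_off = 0 */
    0, 0, 0x00, 0x00,   /* offset 10: src_off = 0 */
    0, 0, 0x6b, 0xff    /* offset 14: count   = (int16) 0xff6b = -149 */
};

/* Constructed limits; any positive values show the same effect. */
static const limits_t kLimits = { 0x100, { 0x100, 0x100, 0x100, 0x100 } };

int main(void) {
    params_t p = decode_params(kCrashBuf);
    uint32_t size = 0;
    bool reached = original_check(&p, &kLimits, &size);
    printf("count=%d, original check passes: %s, memmove size=0x%08x (rep movs dwords=0x%08x)\n",
           p.count, reached ? "yes" : "no", size, size / 4);
    printf("hardened check passes: %s\n", hardened_check(&p, &kLimits, &size) ? "yes" : "no");
    return 0;
}
```

Running it prints that the original check passes with a memmove size of 0xfffffdac, while the hardened check rejects the input because the count is negative.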
    ============================================================================================
    first memory corruption @ CoolType MSVCR90!memmove
    ============================================================================================
    (d44.c10): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=02644c14 ebx=02643008 ecx=3fffff6b edx=00000000 esi=02644e68 edi=00000000
    eip=7855b36a esp=0012d4d8 ebp=0012d4e0 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
    C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\MSVCR90.dll - 
    MSVCR90!memmove+0x5a:
    7855b36a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    
    Exception Sub-Type: Write Access Violation
    
    Stack Trace:
    MSVCR90!memmove+0x5a
    CoolType!CTInit+0x34db9
    CoolType+0x14cae
    Instruction Address: 0x000000007855b36a
    Short Description: WriteAV
    ============================================================================================
    Second memory corruption @ JP2KLib JP2KLib!CIEParamsAreDefaults
    ============================================================================================
    (d0.6a8): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=028a56f0 ebx=018126e4 ecx=00000000 edx=00000000 esi=0196893c edi=00000004
    eip=022ea797 esp=022ada98 ebp=022adb1c iopl=0         nv up ei pl nz ac po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\JP2KLib.dll - 
    JP2KLib!CIEParamsAreDefaults+0x871:
    022ea797 89411c          mov     dword ptr [ecx+1Ch],eax ds:0023:0000001c=????????
    
    Exception Sub-Type: Write Access Violation
    
    Stack Trace:
    JP2KLib!CIEParamsAreDefaults+0x871
    JP2KLib!CIEParamsAreDefaults+0x2091
    JP2KLib!JP2KCopyRect+0x6fef
    MSVCR90!malloc+0x79
    AcroRd32!CTJPEGRotateOptions::operator=+0x2268
    AcroRd32!AVAcroALM_Destroy+0x84a64
    MSVCR90!malloc+0x79
    AcroRd32!CTJPEGRotateOptions::operator=+0x29e7
    AcroRd32!AVAcroALM_Destroy+0x13886
    AcroRd32!AVAcroALM_Destroy+0x7394a
    AcroRd32!AVAcroALM_Destroy+0x73ff2
    MSVCR90!memcmp+0x1717
    AcroRd32!AVAcroALM_Destroy+0x51cbd
    AcroRd32!AVAcroALM_Destroy+0x537e8
    AcroRd32!AVAcroALM_Destroy+0x1a3a
    AcroRd32!AVAcroALM_Destroy+0x9304b
    Instruction Address: 0x00000000022ea797
    
    Short Description: WriteAV
    
    ============================================================================================
    Proof of concept:
    CoolType
    http://www36.zippyshare.com/v/25032778/file.html
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22878-1.rar
    
    JP2KLib
    http://www7.zippyshare.com/v/22655486/file.html
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22878-2.rar