Microsoft Reader <= 2.1.1.3143 Array Overflow
Source: aluigi@autistici.org  Author: Luigi  Published: 2011-04-13

Source: http://aluigi.org/adv/msreader_4-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Reader
              http://www.microsoft.com/reader
Versions:     <= 2.1.1.3143 (PC version)
              <= 2.6.1.7169 (Origami version)
              the non-PC versions have not been tested
Platforms:    Windows, Windows Mobile, Tablet PC and UMPC devices
Bug:          array overflow
Date:         11 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Microsoft Reader is the software needed to read and catalog ebooks in the
LIT format and Audible audio books bought over the internet; its homepage
also acts as an online store for this protected content.


#######################################################################

======
2) Bug
======


Array overflow in the AOLL chunk, caused by the file referencing more
sections than are actually available:

  0107F59B  |. 8B43 14        MOV EAX,DWORD PTR DS:[EBX+14] ; our number
  0107F59E  |. 8BF1           MOV ESI,ECX
  0107F5A0  |. 8BF8           MOV EDI,EAX
  0107F5A2  |. 8B8E A4000000  MOV ECX,DWORD PTR DS:[ESI+A4]
  0107F5A8  |. C1E7 02        SHL EDI,2
  0107F5AB  |. 833C39 00      CMP DWORD PTR DS:[ECX+EDI],0  ; check the array, must be != 0
  0107F5AF     75 0C          JNZ SHORT msreader.0107F5BD
  0107F5B1  |. 50             PUSH EAX
  0107F5B2  |. 8BCE           MOV ECX,ESI
  0107F5B4  |. E8 36F5FFFF    CALL msreader.0107EAEF        ; alternative memory corruption
  0107F5B9  |. 85C0           TEST EAX,EAX
  0107F5BB  |. 7C 34          JL SHORT msreader.0107F5F1
  0107F5BD  |> 8B86 A4000000  MOV EAX,DWORD PTR DS:[ESI+A4]
  0107F5C3  |. 8B3C38         MOV EDI,DWORD PTR DS:[EAX+EDI]
  0107F5C6  |. 8D43 20        LEA EAX,DWORD PTR DS:[EBX+20]
  0107F5C9  |. 57             PUSH EDI
  0107F5CA  |. 50             PUSH EAX
  0107F5CB  |. E8 EAC9FEFF    CALL msreader.0106BFBA
  ...
  0106BFBA  /$ 8B4424 08      MOV EAX,DWORD PTR SS:[ESP+8]
  0106BFBE  |. FF70 04        PUSH DWORD PTR DS:[EAX+4]     ; must point to our data
  0106BFC1  |. FF7424 08      PUSH DWORD PTR SS:[ESP+8]
  0106BFC5  |. E8 36E8FFFF    CALL msreader.0106A800
  ...
  0106A800  /$ 56             PUSH ESI
  0106A801  |. 8B7424 0C      MOV ESI,DWORD PTR SS:[ESP+C]
  0106A805  |> 85F6           /TEST ESI,ESI
  0106A807  |. 74 21          |JE SHORT msreader.0106A82A   ; must be a valid memory address
  0106A809  |. FF76 20        |PUSH DWORD PTR DS:[ESI+20]
  0106A80C  |. FF7424 0C      |PUSH DWORD PTR SS:[ESP+C]
  0106A810  |. E8 75180100    |CALL msreader.0107C08A
  0106A815  |. 59             |POP ECX
  0106A816  |. 85C0           |TEST EAX,EAX
  0106A818  |. 59             |POP ECX
  0106A819  |. 74 05          |JE SHORT msreader.0106A820   ; EAX must be 0
  0106A81B  |. 8B76 10        |MOV ESI,DWORD PTR DS:[ESI+10]
  0106A81E  |.^EB E5          \JMP SHORT msreader.0106A805
  0106A820  |> 8B06           MOV EAX,DWORD PTR DS:[ESI]
  0106A822  |. 56             PUSH ESI
  0106A823  |. FF50 04        CALL DWORD PTR DS:[EAX+4]     ; code execution

Modified bytes in the proof-of-concept:
00000744   03       0A  ; dynamic 64-bit number, any value >= 4 (for this PoC) triggers the bug
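The listing above shows the section index from the chunk header ([EBX+14]) being scaled by four and used to read a pointer out of the table at [ESI+A4] with only a non-zero check on the slot, never a comparison against the number of sections the table actually holds. The following C model is an added illustration, not msreader's code: the structures, field names and the sample handler are assumptions, and the checked lookup shows the bounds validation that the parser is missing.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the AOLL section lookup (constructed for illustration). */
typedef struct section {
    int (*handler)(struct section *s);  /* called through the looked-up pointer */
    int id;
} section_t;

typedef struct {
    section_t **sections;   /* models the pointer table at [ESI+A4] */
    size_t      nsections;  /* number of entries actually allocated */
} reader_ctx_t;

typedef struct {
    uint32_t section_index; /* models [EBX+14]: read from the file, untrusted */
} aoll_hdr_t;

/* Vulnerable pattern: the only check is that the slot is non-zero, so an
 * index beyond nsections reads a pointer from memory past the table. */
section_t *lookup_section_unchecked(reader_ctx_t *ctx, const aoll_hdr_t *hdr)
{
    section_t *s = ctx->sections[hdr->section_index];  /* no bounds check */
    return s;  /* caller then dereferences s and calls s->handler */
}

/* Hardened lookup: reject indices outside the table and treat an empty slot
 * as a malformed file rather than taking a fallback path. */
section_t *lookup_section_checked(reader_ctx_t *ctx, const aoll_hdr_t *hdr)
{
    if (hdr->section_index >= ctx->nsections)
        return NULL;                 /* section does not exist: reject chunk */
    section_t *s = ctx->sections[hdr->section_index];
    if (s == NULL)
        return NULL;                 /* slot never populated: reject chunk */
    return s;
}

/* Sample handler for the constructed table below. */
static int sample_handler(section_t *s) { return s->id; }

/* Builds a constructed two-slot table (slot 1 left empty) and runs the checked
 * lookup for the given index. Returns the handler result, or -1 if rejected. */
int demo_checked_lookup(uint32_t section_index)
{
    section_t a = { sample_handler, 7 };
    section_t *table[2] = { &a, NULL };
    reader_ctx_t ctx = { table, 2 };
    aoll_hdr_t hdr = { section_index };
    section_t *s = lookup_section_checked(&ctx, &hdr);
    return s ? s->handler(s) : -1;
}
```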


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/msreader_4.zip
http://www.exploit-db.com/sploits/17163.zip

#######################################################################

======
4) Fix
======


No fix.


#######################################################################

