Microsoft Reader <= 2.1.1.3143 NULL Byte Write
Source: aluigi@autistici.org  Author: Luigi  Published: 2011-04-13

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Reader
              http://www.microsoft.com/reader
Versions:     <= 2.1.1.3143 (PC version)
              the Origami 2.6.1.7169 version doesn't seem vulnerable
              the non-PC versions have not been tested
Platforms:    Windows, Windows Mobile, Tablet PC and UMPC devices
Bug:          writing of NULL byte in arbitrary location
Date:         11 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Microsoft Reader is the software needed to read and catalog ebooks in
LIT format and the Audible audio books bought via the internet; its
homepage also acts as an online store for these protected contents.


#######################################################################

======
2) Bug
======


It is possible to write a 0x00 byte to an arbitrary memory location.
From aud_file.dll (base address 5fff0000):

  5FFF634A >|> 8D47 01        |LEA EAX,DWORD PTR DS:[EDI+1]             ; size at offset 0xbd of the PoC
  5FFF634D  |. 50             |PUSH EAX
  5FFF634E  |. E8 2B470000    |CALL <JMP.&MSVCRT.??2@YAPAXI@Z>          ; malloc
  5FFF6353  |. 57             |PUSH EDI
  5FFF6354  |. 50             |PUSH EAX
  5FFF6355  |. FF75 08        |PUSH DWORD PTR SS:[EBP+8]
  5FFF6358  |. 8945 F8        |MOV DWORD PTR SS:[EBP-8],EAX
  5FFF635B  |. E8 58460000    |CALL <JMP.&utils.?read_bytes@TypeIO@@SA> ; read
  5FFF6360  |. 8B45 F8        |MOV EAX,DWORD PTR SS:[EBP-8]
  5FFF6363  |. 83C4 10        |ADD ESP,10
  5FFF6366  |. 802438 00      |AND BYTE PTR DS:[EAX+EDI],0              ; place the delimiter (all ok)
  5FFF636A  |. 807D FF 00     |CMP BYTE PTR SS:[EBP-1],0
  5FFF636E  |. 75 5B          |JNZ SHORT aud_file.5FFF63CB
  5FFF6370  |. 8D46 01        |LEA EAX,DWORD PTR DS:[ESI+1]             ; size at offset 0xc1 of the PoC
  5FFF6373  |. 50             |PUSH EAX
  5FFF6374  |. E8 05470000    |CALL <JMP.&MSVCRT.??2@YAPAXI@Z>          ; now malloc will return NULL
  5FFF6379  |. 8BD8           |MOV EBX,EAX
  5FFF637B  |. 56             |PUSH ESI
  5FFF637C  |. 53             |PUSH EBX
  5FFF637D  |. FF75 08        |PUSH DWORD PTR SS:[EBP+8]
  5FFF6380  |. E8 33460000    |CALL <JMP.&utils.?read_bytes@TypeIO@@SA> ; read
  5FFF6385  |. 802433 00      |AND BYTE PTR DS:[EBX+ESI],0              ; exploitation

The first allocation must succeed to avoid problems during the
reading operations (like memcpy on 0x00000000).

Note that it is not possible to exploit the visible integer overflow
caused by malloc(size + 1), because the function that reads the data
goes into an endless loop, yeah bad.

The provided proof-of-concept first tries to allocate 0x44000000 bytes,
which should succeed without problems, and then tries to allocate the
second size, which MUST fail so that the size value can be used as an
arbitrary memory offset.

Modified bytes in the proof-of-concept (offset, original byte, new byte):
000000BD   00       43  ; first size, needed to steal memory from the next size
000000BE   00       FF
000000BF   00       FF
000000C0   0A       FF
000000C1   00       61  ; second size, will try to write 0x00 at address 0x61616161
000000C2   00       61
000000C3   00       61
000000C4   16       61

#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/msreader_5.zip
http://www.exploit-db.com/sploits/17164.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

