bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/17161.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

140 lines
No EOL
5 KiB
Text
Raw Blame History

Source: http://aluigi.org/adv/msreader_2-adv.txt
#######################################################################
Luigi Auriemma
Application: Microsoft Reader
http://www.microsoft.com/reader
Versions: <= 2.1.1.3143 (PC version)
<= 2.6.1.7169 (Origami version)
the non-PC versions have not been tested
Platforms: Windows, Windows Mobile, Tablet PC and UMPC devices
Bug: heap overflow
Date: 11 Apr 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Microsoft Reader is a software needed to read and catalog the ebooks in
LIT format and the Audible audio books bought via internet, indeed the
homepage acts also as online store for these protected contents.
#######################################################################
======
2) Bug
======
Heap overflow caused by the allocation of a certain amount of memory
and the copying of arbitrary data during the decompression of the
sections.
A quick trace of the sum operations performed with the entry
size/offset values and then the function that performs the copying:
0107F517 |> 8B85 E0FDFFFF MOV EAX,DWORD PTR SS:[EBP-220] ; second 64bit number (entry->size)
0107F51D |. 0B85 E4FDFFFF OR EAX,DWORD PTR SS:[EBP-21C]
0107F523 |. 74 12 JE SHORT msreader.0107F537
0107F525 |. 8B46 60 MOV EAX,DWORD PTR DS:[ESI+60] ; 64bit total size
0107F528 |. 8B4E 64 MOV ECX,DWORD PTR DS:[ESI+64]
0107F52B |. 0185 D8FDFFFF ADD DWORD PTR SS:[EBP-228],EAX ; added to the first 64bit number (entry->offset)
0107F531 |. 118D DCFDFFFF ADC DWORD PTR SS:[EBP-224],ECX
0107F537 |> FF75 18 PUSH DWORD PTR SS:[EBP+18]
0107F53A |. 8D85 D8FDFFFF LEA EAX,DWORD PTR SS:[EBP-228]
0107F540 |. FF75 14 PUSH DWORD PTR SS:[EBP+14]
0107F543 |. 50 PUSH EAX
0107F544 |. FF76 74 PUSH DWORD PTR DS:[ESI+74]
0107F547 |. 56 PUSH ESI
0107F548 |. FF75 0C PUSH DWORD PTR SS:[EBP+C]
0107F54B |. E8 DEBEFEFF CALL msreader.0106B42E
...
0106B596 |. 8B71 48 MOV ESI,DWORD PTR DS:[ECX+48] ; second 64bit number (entry->size)
0106B599 |. 897D F0 MOV DWORD PTR SS:[EBP-10],EDI
0106B59C |. 13C2 ADC EAX,EDX
0106B59E |. 03F3 ADD ESI,EBX ; added to the 64bit total size
0106B5A0 |. 8975 0C MOV DWORD PTR SS:[EBP+C],ESI
0106B5A3 |. 8B71 4C MOV ESI,DWORD PTR DS:[ECX+4C]
0106B5A6 |. 1371 44 ADC ESI,DWORD PTR DS:[ECX+44]
0106B5A9 |. 5B POP EBX
0106B5AA |. 3BD6 CMP EDX,ESI
0106B5AC |. 72 1C JB SHORT msreader.0106B5CA
0106B5AE |. 77 08 JA SHORT msreader.0106B5B8
...
01092A02 /. 55 PUSH EBP ; copying function
...skip...
examples specific for the PoC msreader_2a.lit
LocalAlloc 000a6f68 = 01610020
ReadFile 000a6f68 (file offset 0x22f5d)
LocalAlloc 000a6f68 = 016c0020
DES decryption of the data read by the file with output in the second allocated buffer
memcpy esi is 016c0020
memcpy edi is 0022a008
...skip...
01092B50 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
01092B53 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
01092B56 |. 8B7D 14 MOV EDI,DWORD PTR SS:[EBP+14]
01092B59 |. 8BCB MOV ECX,EBX
01092B5B |. 8D3410 LEA ESI,DWORD PTR DS:[EAX+EDX]
01092B5E |. 8BD1 MOV EDX,ECX
01092B60 |. C1E9 02 SHR ECX,2
01092B63 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
The data copied in the heap buffer is exactly the one coming from the
file and decrypted with DES, that's why the bytes visible during the
copying can't be seen in the file.
I have provided two proof-of-concepts where the first shows the exact
location of the memcpy while the second will cause an exception during
the "call [ret+num]" instruction (could take some seconds to be
reached).
Modified bytes for msreader_2a.lit:
000005F6 84 40 ; from 0x230 to 0x40
000005F7 30 5F ; modified only to keep the size of the subsequent entry string
Modified bytes for msreader_2b.lit:
000005F7 30 00 ; from 0x230 to 0x200
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/msreader_2.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17161.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Reference in a new issue View git blame Copy permalink