Fuzzing in Microsoft Word overflow analysis and exploitation - Vulnerability Early Warning - Black Bar Security Net
Source: www.myhack58.com (MYHACK58:62200716244)
Author: 佚名 (anonymous)
Published: Jul 20, 2007, 12:00 a.m.

This article was published in the July 2007 issue of Hacker Defense. The author and Hacker Defense retain the copyright; when reproducing, please credit the original source.

Intended readers: overflow enthusiasts
Prerequisites: assembly language, buffer overflow fundamentals
Fuzzing in Microsoft Word: overflow analysis and exploitation
Text/figures: gyzy [Jiangsu University, Department of Information Security & EST]
From 2003 to 2007 a steady stream of Office vulnerabilities was disclosed, and it was from then on that attention gradually shifted from overflows in remote services to overflows in client programs. Today, of every 10 overflow POCs published on milw0rm, on average 8 are client-program overflows, and many of those are even in antivirus and other "security products". Word is the main product of the Microsoft Office suite, so its security has become the focus of countless security researchers; from the macro viruses of the early days to today's overflows and object pointer vulnerabilities, the danger keeps growing, and the source of many companies' confidential-information leaks may well be an attachment to an email an employee received. Microsoft's security bulletins have also become more and more terse. For MS06-027, the vulnerability explored in this article, Microsoft's description is only the following few sentences:
Microsoft Security Bulletin MS06-027
Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336)
Microsoft Word Malformed Object Pointer Vulnerability - CVE-2006-2492
This makes reproducing the vulnerability considerably harder for researchers. Taking MS06-027 as an example, this article shows how to construct a POC for such a vulnerability from the limited information at hand, and also offers some ideas and tips to researchers who hunt for vulnerabilities of this kind.

Reconnaissance
Microsoft's description alone would never let you build a sample, so we still have to rely on search engines for information about the vulnerability. Searching Google for the keyword MS06-027 turns up many entries, but most are just copies of Microsoft's announcement. On the NSFOCUS (Green Alliance) website, however, I found some information on 06-027 which, though scant, is critical:
2006-06-13 Microsoft Word malformed object pointer memory corruption vulnerability (MS06-027)
NSFOCUS ID: 8842
Description:
Microsoft Word has an object pointer vulnerability in its handling of smarttags when opening a Word file. A remote attacker could exploit this vulnerability by persuading a user to open a malicious DOC file, executing arbitrary commands on the user's machine.
Impact:
A remote attacker could exploit this vulnerability by persuading a user to open a malicious DOC file, executing arbitrary commands on the user's machine.
From this bulletin we learn that the key to triggering the vulnerability is smarttags. So what exactly are smarttags? I searched MSDN and found the information shown in Figure 1:
[Image: /Article/UploadPic/2007-7/200772010208582.jpg]
Figure 1
For the brothers whose English is not so good, I offer a rough translation. The gist is that Word can intelligently recognize certain names in a document (for example, Outlook contacts) or place names and automatically pop up a tag, so the user can conveniently send that person an email or perform some other action. The first step is to construct a Word document that contains smart tags: create a new blank Word document, type John Smith, then press Enter. A purple dotted line appears under John Smith, and a document saved at this point contains the smart tags. If the dotted line does not appear, open AutoCorrect Options from the Tools menu; it has a Smart Tags tab where you can check all the name-related recognizers. By default Word saves the smart tags inside the Word document, as shown in Figure 2:
[Image: /Article/UploadPic/2007-7/2007720102012947.jpg]
Figure 2
At this point, construction of the POC is 20% complete. From the information above we only know that Word has a problem when processing the smarttags object; what exactly the problem is we know nothing about, but we can be fairly sure it is not a simple stack overflow. This is where fuzzing, the subject of this article, comes into play.

Fuzz
What is fuzzing for? In my superficial understanding it is a black-box testing method: you submit malformed input to the application and observe how it responds. Some protocol fuzzers are fairly easy to build; for file formats, not every format is suitable for fuzzing, and the technique matters more: what to fill in, how many bytes to fill each time, and where to start are all well worth studying. A Word document is a compound binary document, and this document format is well suited to fuzzing. Before starting, you need a big-picture understanding of the Word document format: a Word document consists of a header followed by numerous sectors. OpenOffice has published a description of the compound document format, which interested readers can consult. Objects inside a Word document are of two kinds, storages and streams; the former corresponds to a folder and the latter to a file, which may be the easiest way to understand them. The WordDocument stream begins with a FIB (File Information Block) that records the objects stored inside the Word document. At first I reasoned that, since this is a smarttags object malformed pointer vulnerability, I should fuzz the smarttags object stored in the 1Table stream. The following is my fuzzing code, written rather roughly:
#include <windows.h>
#include <stdio.h>
#include <string.h>

/* Write one mutated copy of the document for every 4-byte position in [0x2ab0, 0x3400).
   content/filesize: the original .doc already loaded into memory;
   ccl: a buffer of at least filesize bytes allocated by the program. */
void fuzz_range(const unsigned char *content, DWORD filesize, unsigned char *ccl)
{
    char name[20];
    HANDLE hccl;
    DWORD dwWritten;
    int count = 0;

    // Start fuzzing at 0x2ab0, stepping 4 bytes at a time; never write past the end of the file
    for (DWORD offset = 0x2ab0; offset < 0x3400 && offset + 4 <= filesize; offset += 4)
    {
        // Copy the original file contents into ccl
        memcpy(ccl, content, filesize);

        // Overwrite each of the 4 bytes at this offset
        for (int x = 0; x < 4; x++)
            ccl[offset + x] = 0xEE;

        // Write out the modified file
        memset(name, 0, 20);
        sprintf(name, "%d.doc", count);
        hccl = CreateFile(name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
        if (hccl == INVALID_HANDLE_VALUE)
            continue;
        WriteFile(hccl, (LPCVOID)ccl, filesize, &dwWritten, NULL);
        CloseHandle(hccl);

        count++;
    }
}
The first fuzzing run generated 103 doc files, which I opened one by one; not too many anyway, -_-! When I opened the 103rd, Word finally crashed, as shown in Figure 3:
[Image: /Article/UploadPic/2007-7/2007720102014543.jpg]
Figure 3
Unfortunately it is a memory access violation, which basically falls into the unexploitable category. Continuing to fuzz further down did not seem a wise choice either; the only option was to widen the fuzzing range, and it turned out that my later conjecture was correct. I will not repeat the fuzzing process here and give the answer directly: the stream to fuzz is WordDocument. Changing the four bytes starting at 0x632 to 0xEE makes Word crash, as shown in Figures 4 and 5:
[Image: /Article/UploadPic/2007-7/2007720102014106.jpg]
Figure 4
[Image: /Article/UploadPic/2007-7/2007720102015798.jpg]
Figure 5
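The compound document layout sketched at the start of this section (a header, sectors, storages and streams, the WordDocument stream beginning with the FIB) is what decides which file offsets a mutation actually lands in: 0x2ab0 and 0x632 above are specific to the author's sample file, so a parser that resolves a stream name to its sector offsets makes the same experiment portable across files and lets a crash be mapped back to the stream it sits in. The following Python is an added example, not code from the original article: it parses the CFB header, FAT and directory, follows a stream's sector chain with loop and range checks (the checks a parser needs precisely because mutated files like the ones generated above will contain broken chains), and builds a constructed minimal container for demonstration. The sample container, its stream contents and all helper names are assumptions; it handles only streams of 4096 bytes or more (smaller streams live in the mini stream, which it does not parse) and only the 109 FAT locations stored in the header.

```python
import struct

# Constants from the OLE compound file (CFB) format that .doc files use
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
DIR_ENTRY_SIZE, STREAM, ROOT = 128, 2, 5   # directory entry size; object types (1 = storage)

def _parse_header(data):
    """Return (sector_size, fat, first_dir_sector, mini_cutoff); reads only the 109 in-header DIFAT slots."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    cutoff = struct.unpack_from("<I", data, 0x38)[0]
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C)[:num_fat]:
        # sector n lives at byte (n + 1) * sector_size: the header occupies the first sector
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (s + 1) * sector_size))
    return sector_size, fat, first_dir, cutoff

def _chain(fat, start, max_len):
    """Follow a FAT chain, refusing loops and out-of-range links so a mutated file cannot hang the parser."""
    chain = []
    while start != ENDOFCHAIN and len(chain) < max_len:
        if start >= len(fat) or start in chain:
            raise ValueError("corrupt FAT chain")
        chain.append(start)
        start = fat[start]
    return chain

def list_entries(data):
    """Directory entries as dicts; slots are scanned linearly, so orphaned entries show up too."""
    sector_size, fat, first_dir, _ = _parse_header(data)
    entries = []
    for sector in _chain(fat, first_dir, len(fat)):
        base = (sector + 1) * sector_size
        for off in range(base, base + sector_size, DIR_ENTRY_SIZE):
            name_len, obj_type = struct.unpack_from("<HB", data, off + 0x40)
            if obj_type == 0:
                continue                                  # unused slot
            name = data[off:off + max(name_len - 2, 0)].decode("utf-16-le")  # drop the NUL terminator
            start, size = struct.unpack_from("<IQ", data, off + 0x74)
            entries.append({"name": name, "type": obj_type, "start": start, "size": size})
    return entries

def stream_file_offsets(data, name):
    """Absolute file offsets of the named stream's sectors: the byte ranges a
    format-aware fuzzer mutates, and what maps a crash offset back to the file."""
    sector_size, fat, _, cutoff = _parse_header(data)
    entry = next((e for e in list_entries(data) if e["name"] == name and e["type"] == STREAM), None)
    if entry is None:
        raise KeyError(name)
    if entry["size"] < cutoff:
        raise NotImplementedError("small streams live in the mini stream, not handled here")
    needed = -(-entry["size"] // sector_size)             # ceil(size / sector_size)
    chain = _chain(fat, entry["start"], needed)
    if len(chain) < needed:
        raise ValueError("stream truncated")
    return [(s + 1) * sector_size for s in chain]

def chain_is_consistent(data, name):
    # True when the stream's FAT chain is complete, in range and loop-free
    try:
        stream_file_offsets(data, name)
        return True
    except ValueError:
        return False

def build_sample_doc():
    """Constructed sample, not a real Word file: a minimal CFB container with a WordDocument
    stream (first two bytes = FIB wIdent 0xA5EC) and a 1Table stream, each 4096 bytes."""
    ss, n = 512, 8                                        # sector size; 8 sectors = 4096 bytes
    word_start, table_start = 2, 2 + n                    # sector 0 = FAT, sector 1 = directory
    fat = [FREESECT] * (ss // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN
    for start in (word_start, table_start):
        for i in range(n):
            fat[start + i] = start + i + 1 if i < n - 1 else ENDOFCHAIN

    def entry(name, obj_type, start, size, right=NOSTREAM, child=NOSTREAM):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(DIR_ENTRY_SIZE)
        e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 0x40, len(raw), obj_type, 1, NOSTREAM, right, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = (entry("Root Entry", ROOT, ENDOFCHAIN, 0, child=1)
                 + entry("WordDocument", STREAM, word_start, n * ss, right=2)
                 + entry("1Table", STREAM, table_start, n * ss) + bytes(DIR_ENTRY_SIZE))
    header = bytearray(ss)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, sector shifts
    # dir sector count, FAT sector count, first dir sector, txn sig, mini cutoff, mini FAT start/count, DIFAT start/count
    struct.pack_into("<9I", header, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))
    word_stream = struct.pack("<H", 0xA5EC) + b"W" * (n * ss - 2)
    return bytes(header) + struct.pack("<128I", *fat) + directory + word_stream + b"T" * (n * ss)
```

On a real .doc, read the file into bytes and call list_entries and stream_file_offsets; the offsets returned for WordDocument are the ranges a format-aware run would mutate instead of a hand-picked 0x632, and a mutated file whose chains fail chain_is_consistent is one the parser refuses rather than one it follows into an endless loop, which is the behaviour any tool that opens untrusted Office files should have.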

Attempting exploitation
Oh, this has something of the flavor of "a thousand-mile dike destroyed by an ant hole": such a huge application crashes after only 4 bytes are modified. At 301AC0F9, CALL DWORD PTR DS:[ECX+14] raises a memory access violation and Word crashes. If we can control the ECX register, can we then execute our shellcode?! In OllyDbg the ECX register seemed uncontrolled, a random value, which depressed me for quite a while; only later, when debugging with SoftICE, did I find that ECX is controllable. ECX is addressed through EAX, and in SoftICE EAX points to 0x125AA8. Running D eax to look at what EAX points to gives Figure 6:
[Image: /Article/UploadPic/2007-7/2007720102015970.jpg]
Figure 6

It can be seen that the contents around 0x125AA8 at this point come from the contents of the Word document; we can compare them against the document contents in Figure 7. The value at 0x125AA8 is 0x00000000 here, which is guaranteed to cause a crash. So how do we control ECX? We can fill 0x125AA8 with the address 0x125AA8 itself: 0x125AA8 + 0x14 = 0x125ABC, so after CALL DWORD PTR DS:[ECX+14], EIP jumps to the address that 0x125ABC points to, and in this case the stack contents are under our control, as shown in Figure 7:
[Image: /Article/UploadPic/2007-7/2007720102016376.jpg]
Figure 7
After the four 0x125AA8 values are filled in, EIP jumps back to 00125AA8; since 00125AA8 is a NOP-like instruction, execution slides smoothly into our shellcode, as shown in Figure 8:
[Image: /Article/UploadPic/2007-7/2007720102032111.jpg]
Figure 8

Summary
Considering the danger of this kind of vulnerability, the exploit program is not published; interested readers can modify the sample themselves, which I do not think is difficult. Let me give you a few ideas and tips: since shellcode placed in the WordDocument stream could damage the Word document structure, the only way is the egg hunt, where a small shellcode searches for the large shellcode and the complex functionality is placed in the larger one. Seeing WinWord.exe CPU utilization reach 100%, the weight on my heart finally lifted. Debugging MS06-027 took more than a week. This article mainly introduces how to make use of published vulnerability information and experience when no POC is available, and gives a relevant example, in the hope that interested friends can take it as a starting point. My blog http://www.gyzy.org will continue to release POC code for some Microsoft vulnerabilities in the future; interested readers can have a look.
This article was also written in haste, and mistakes and omissions are inevitable; readers, please correct me. If you have any questions, leave a comment on my blog: http://www.gyzy.org
(For the program code involved in this article, please download it from the Hacker Defense official website; see the pinned posts in the public forum for the exact address.)