MS15-035 EMF file processing vulnerability analysis and PoC construction

2015-04-21T00:00:00
ID MYHACK58:62201561479
Type myhack58
Reporter 佚名 (anonymous)
Modified 2015-04-21T00:00:00

Description

MS15-035 is a vulnerability in the way the Microsoft Graphics component handles enhanced metafiles (EMF); it could allow remote code execution. From the patch diff you can see that the fix mainly patches a number of positions where an integer overflow may occur, but for these positions I tried many methods and was unable to reach them. [figure: patch diff overview]

Take the following function as an example:

    int __thiscall MRSETDIBITSTODEVICE::bPlay(EMRSETDIBITSTODEVICE *this, HDC hdc, struct tagHANDLETABLE *a3, unsigned int a4)

The code before the patch is as follows: [figure: bPlay before the patch]

The patched code is as follows: [figure: bPlay after the patch]

Clearly the patched code imposes a minimum limit on the size of the memory space allocated by LocalAlloc, while the code before the patch has no such limit, so one can guess that there may be an out-of-bounds buffer write here. By analyzing the function call chain you can find that MRSETDIBITSTODEVICE::bPlay is called by PlayEnhMetaFileRecord, and PlayEnhMetaFileRecord calls a different parsing function according to the record type of each record in the EMF file. The 2009 article "New EMF gdiplus.dll crash not exploitable for code execution", which describes the EMF vulnerability CVE-2009-1217, further confirms that the explorer process parses the metafile records of an EMF file through PlayEnhMetaFileRecord.

A brief overview of the EMF file format follows. An EMF file consists of variable-size metafile records. Each record is a variable-length ENHMETARECORD structure, defined as follows:

    typedef struct tagENHMETARECORD {
        DWORD iType;      // record type
        DWORD nSize;      // record length in bytes, including this header
        DWORD dParm[1];   // type-specific parameters
    } ENHMETARECORD, *PENHMETARECORD;

The SDK defines the different iType values, as shown below. [figure: EMR_* iType constants]

Depending on the iType value, dParm is a different structure; the structure corresponding to EMR_SETDIBITSTODEVICE is EMRSETDIBITSTODEVICE:

    typedef struct tagEMR {
        DWORD iType;      // Enhanced metafile record type
        DWORD nSize;      // Length of the record in bytes.
                          // This must be a multiple of 4.
    } EMR, *PEMR;

    typedef struct tagEMRSETDIBITSTODEVICE {
        EMR   emr;
        RECTL rclBounds;  // Inclusive-inclusive bounds in device units
        LONG  xDest;
        LONG  yDest;
        LONG  xSrc;
        LONG  ySrc;
        LONG  cxSrc;
        LONG  cySrc;
        DWORD offBmiSrc;  // Offset to the source BITMAPINFO structure
        DWORD cbBmiSrc;   // Size of the source BITMAPINFO structure
        DWORD offBitsSrc; // Offset to the source bitmap bits
        DWORD cbBitsSrc;  // Size of the source bitmap bits
        DWORD iUsageSrc;  // Source bitmap info color table usage
        DWORD iStartScan;
        DWORD cScans;
    } EMRSETDIBITSTODEVICE, *PEMRSETDIBITSTODEVICE;

For the MRSETDIBITSTODEVICE::bPlay function, the first argument is an EMRSETDIBITSTODEVICE. To verify that this conjecture is correct, a small EMF file is generated with the program below, and the iType of its record is then changed from 0x54 (EMR_EXTTEXTOUTW) to 0x50 (EMR_SETDIBITSTODEVICE) so that execution reaches the MRSETDIBITSTODEVICE::bPlay function.

    #include <windows.h>

    int main(void)
    {
        /* Record GDI calls into 1.emf; each call becomes one ENHMETARECORD */
        HDC hEmf = CreateEnhMetaFile(NULL, "1.emf", NULL, NULL);
        RECT rect;
        rect.top = 0;
        rect.left = 0;
        rect.bottom = 20;
        rect.right = 200;

        char szStr[] = "WSAWSAW";
        /* Produces an EMR_EXTTEXTOUTW (0x54) record; exclude the terminating NUL */
        ExtTextOut(hEmf, 0, 0, ETO_OPAQUE, &rect, szStr, sizeof(szStr) - 1, NULL);
        HENHMETAFILE hMeta = CloseEnhMetaFile(hEmf);  /* writes the file to disk */
        DeleteEnhMetaFile(hMeta);
        return 0;
    }
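The following is an added example, not code from the article or from Microsoft: a small record walker in portable C that mirrors the ENHMETARECORD dispatch described above and applies, to each EMR_SETDIBITSTODEVICE record, the kind of size bound the article infers the patch adds (offsets and sizes inside the record must fit in nSize, and the body must be long enough for the fixed fields). The struct layouts are copied from the SDK definitions so no windows.h is needed; the sample buffers are constructed here and are only record framing, not renderable metafiles; the check is this example's reading of the bound, not the exact patched logic. Sample 2 has the shape of the PoC above, a record retyped to 0x50 whose body is far too short for an EMRSETDIBITSTODEVICE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record framing and the record type the article discusses. The layouts mirror
 * the SDK definitions in wingdi.h so this compiles without windows.h. */
typedef struct { uint32_t iType; uint32_t nSize; } EMR;
typedef struct { int32_t left, top, right, bottom; } RECTL;
typedef struct {
    EMR emr;
    RECTL rclBounds;
    int32_t xDest, yDest, xSrc, ySrc, cxSrc, cySrc;
    uint32_t offBmiSrc, cbBmiSrc, offBitsSrc, cbBitsSrc;
    uint32_t iUsageSrc, iStartScan, cScans;
} EMRSETDIBITSTODEVICE;                                 /* 76 bytes of fixed fields */

enum { EMR_HEADER = 1, EMR_EOF = 14, EMR_SETDIBITSTODEVICE = 0x50 };
enum { REC_OK = 0, REC_BAD_FRAME = 1, REC_BAD_DIB = 2 };

/* Check one EMR_SETDIBITSTODEVICE record against its own nSize: the body must hold
 * the fixed fields, and the BITMAPINFO and pixel bits it points to must lie inside
 * the record. This is the class of bound inferred from the patch, not its exact logic. */
static int check_setdibitstodevice(const uint8_t *rec, uint32_t nSize)
{
    EMRSETDIBITSTODEVICE r;
    if (nSize < sizeof r) return REC_BAD_DIB;           /* e.g. a retyped short record */
    memcpy(&r, rec, sizeof r);
    /* compare against nSize - off rather than off + cb so the sum cannot wrap */
    if (r.offBmiSrc > nSize || r.cbBmiSrc > nSize - r.offBmiSrc) return REC_BAD_DIB;
    if (r.offBitsSrc > nSize || r.cbBitsSrc > nSize - r.offBitsSrc) return REC_BAD_DIB;
    if (r.cxSrc < 0 || r.cySrc < 0) return REC_BAD_DIB;
    return REC_OK;
}

/* Walk the ENHMETARECORD chain, dispatching on iType the way PlayEnhMetaFileRecord
 * does. Returns the worst verdict seen; *count receives the records walked. */
static int walk_emf(const uint8_t *buf, size_t len, int *count)
{
    size_t off = 0;
    int worst = REC_OK;
    *count = 0;
    while (off + sizeof(EMR) <= len) {
        EMR h;
        memcpy(&h, buf + off, sizeof h);
        /* nSize must cover its own header, be a multiple of 4 and fit the buffer */
        if (h.nSize < sizeof(EMR) || (h.nSize & 3) || h.nSize > len - off)
            return REC_BAD_FRAME;
        (*count)++;
        if (h.iType == EMR_SETDIBITSTODEVICE) {
            int v = check_setdibitstodevice(buf + off, h.nSize);
            if (v > worst) worst = v;
        }
        if (h.iType == EMR_EOF) return worst;
        off += h.nSize;
    }
    return REC_BAD_FRAME;                               /* data ended before EMR_EOF */
}

/* Constructed sample (record framing only, not a renderable metafile) written into
 * a 256-byte buffer: header record, one EMR_SETDIBITSTODEVICE record, EMR_EOF.
 *   mode 0: consistent sizes        mode 1: cbBmiSrc far larger than the record
 *   mode 2: retyped to 0x50 but only 40 bytes long   mode 3: truncated before EMR_EOF
 * Returns the number of bytes written. */
static size_t build_sample(uint8_t out[256], int mode)
{
    const EMR hdr = { EMR_HEADER, 88 }, eof = { EMR_EOF, 20 };
    EMRSETDIBITSTODEVICE r;
    size_t off = 0;
    memset(out, 0, 256);
    memcpy(out, &hdr, sizeof hdr);
    off += hdr.nSize;
    memset(&r, 0, sizeof r);
    r.emr.iType = EMR_SETDIBITSTODEVICE;
    r.emr.nSize = (mode == 2) ? 40 : 120;               /* 76 fixed + 40 bmi + 4 bits */
    r.cxSrc = r.cySrc = 1;
    r.offBmiSrc = 76;  r.cbBmiSrc = (mode == 1) ? 0x10000 : 40;
    r.offBitsSrc = 116; r.cbBitsSrc = 4;
    memcpy(out + off, &r, (mode == 2) ? 40 : sizeof r);
    off += r.emr.nSize;
    if (mode != 3) {
        memcpy(out + off, &eof, sizeof eof);
        off += eof.nSize;
    }
    return off;
}

static int run_sample(int mode, int *count)
{
    uint8_t buf[256];
    size_t len = build_sample(buf, mode);
    return walk_emf(buf, len, count);
}
static int verdict_for(int mode) { int n; return run_sample(mode, &n); }
static int records_for(int mode) { int n; run_sample(mode, &n); return n; }

int main(void)
{
    for (int mode = 0; mode < 4; mode++)
        printf("sample %d: %d records walked, verdict %d\n",
               mode, records_for(mode), verdict_for(mode));
    return 0;
}
```

Sample 0 walks cleanly; samples 1 and 2 are rejected at the record check (oversized cbBmiSrc, and a body shorter than the fixed fields), and sample 3 fails framing because the data ends before EMR_EOF. Doing the bound as `cb > nSize - off` rather than `off + cb > nSize` is the detail that matters for the integer-overflow positions the patch touches: the addition form can wrap and pass.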
