Hand to hand teach you how to construct the office exploits EXP(the second period)-bug warning-the black bar safety net

2016-09-09T00:00:00
ID MYHACK58:62201678967
Type myhack58
Reporter 佚名
Modified 2016-09-09T00:00:00

Description

On a period I shared office classic Vulnerability CVE-2 0 1 2-0 1 5 8 that demonstrates how a stack-based buffer overflow in the principles of construction to trigger the vulnerability document. The current share of the vulnerability is CVE-2 0 1 3-3 9 0 6, is also a typical overflow type office document vulnerabilities. The vulnerability of the background with a certain legendary, from a technical framework for the development of the military related to APT attacks, and the security company continue the tracking process, all have much to get to the bottom of the meaning. The following article only for its technical framework in detail, and demonstrates how vulnerability-based principles to construct the attack document, and further development demonstrate how to bypass office 2 0 1 0 Open the dep protection mechanism. The vulnerability principle This loophole occurs is OGL. DLL module, this module is the office used to parse the graphical image of the dynamic library, such as a document inside it if you include some charts or pictures, when using the office Open this document when the OGL. The DLL will automatically be loaded into process space is called to parse the graphic elements. And this vulnerability occurred because of the OGL. DLL when parsing TIFF this format of the picture data calculated dynamically allocated memory size, the calculation results due to the occurrence of integer overflow and no parity, which leads to heap memory buffer overflow. The vulnerability occurs process as follows: ! As can be seen the key problem is that the document contains the TIFF format images to calculate size of the data process, this process can be from the IDA in this sub-function find: ! Shown here is the OGL. DLL in the to go through the JPEG compression algorithm the TIFF format for image analysis, dynamic calculation of the compressed data size of the process, see the size of the data is mainly composed of a plurality of the array of the value cycle accumulation, and wherein each array value actually represents a compressed block of data of size. Finished computing the total data size, you can see the function and does not perform any checks immediately for a memory allocation, which is also the cause of this vulnerability is an important reason, of course, the fundamental reason is further characterized in that a plurality of values superimposed after the occurrence of a 3 2-bit integer overflow. Thereafter, to allocate 0 bytes of memory, this call will succeed and return memory to a heap block of the handle, just its heap block memory has a capacity of 0, so when the back to copy data when the buffer is bound to happen to overflow, destroying the original stack block data structure, thus leading to the back of the program easily occur abnormal and collapse. The following is a winword process is turned on page heap after running a POC to see heap memory out of bounds Access, see copies of the target heap block size to 0: ! Configured to trigger the vulnerability POC After the above for vulnerability cause analysis, know the vulnerability is due to the office of parsing the compression of the TIFF image when the calculation is not strictly caused. In order to verify the above analysis and trigger the vulnerability, we need to be in an office document insert a special structure of TIFF images. This particular picture of course is not a normal TIFF picture, but to meet we said earlier after JPEG compression algorithm and the compression block size array superimposed upon an integer overflow. Specifically, we need to reference the TIFF file format Handbook, the normal by the JPEG compression of TIFF images to be transformed, the transformation process need to involve the main field is: Compression(compression flag field, the StripOffsets(compressed data offset array and StripByteCounts(compressed data size of the array, the JPEGInterchangeFormat a JPEG compressed data format header SOI and JPEGInterchangeFormatLength data length of the head SOI_SIZE, the ImageLength-image data length and the RowsPerStrip(compression block size, and wherein, Compression=6, on behalf of the use of JPEG compression, as shown below: ! While the total size to meet the calculated results for the 3 2-bit integer 0, The total size is calculated as follows: size=SOI_SIZE+strip_size[1]+strip_size[2]+...+strip_size[n]+n*2+8(SOI_SIZE=JPEGInterchangeFormatLength, n=ImageLength/RowsPerStrip, n > 1) According to this formula the size of the array data to be modified, so that its accumulation can occur 3 2-bit integer overflow, as shown below: ! Constructed to meet the condition formula of a picture, the picture embedded in the document, you can first embed a normal image and then replaced with the configuration of the image saved, and then after through the office to open the document, the document can be gorgeous to crash: ! Exploit Thus, we get a due to an integer overflow leads to heap memory bounds copy of the vulnerability, the abnormal distribution of the 0-Byte heap block was originally to be used to copy the SOI data, now due to the cross-border copies of the destroyed heap behind the blocks of memory data causes the program to appear abnormal. So, in order to be able to use this vulnerability to do something, our primary goal is to take over program control, to get to the eip. Of course, this step is the eyes of the beholder wise see wisdom, the so-called roads lead to Rome, the following describes a feasible way to use. Due to SOI data in a TIFF image can be controlled, so indirectly you can control the transboundary copy of the memory data, and this part of the data is in heap memory inside, it is unclear a copy of the data after destruction of what in-memory data structure. Therefore, by constructing the can predict the in-memory object, and then by means of the object's virtual table pointer to jump to compete for the eip is one of the more can be expected of the method. Specifically, I inserted a TIFF image, first insert a chart, and then insert the normal to the replacement of the picture, followed by re-insertion of one copy of the chart, and finally replaced the picture of the structure of a good TIFF images. Thus, the equivalent in the parsing of TIFF images of the front and rear, will be parsed to insert the chart object: ! While the objects in the chart parsing process will involve other more sub-objects, such as GraphicsPath this image of the path object. Structure of TIFF images and populate the SOI data as a duplicate of the memory address value such as 0x0a0a00a0, to replace the structure of the TIFF image after open the document in the debugger in the track will find the program in an image path of the Copy Function GdipClonePath call to GraphicsPath object of the virtual function, and the GraphicsPath object's virtual table pointer is constructed of TIFF pictures the SOI data coverage for the specified memory address value in 0x0a0a00a0 for example, so they successfully hijacked the program the eip to a memory address 0x0a0a00a4:

[1] [2] next