Hands-on: constructing Office exploit EXPs (part 4) - vulnerability alert - Black Bar Safety Net (黑吧安全网)
Source: www.myhack58.com (MYHACK58:62201681759)
Author: 佚名 (anonymous)
Published: Dec 03, 2016

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
EPSS: 0.973 High (percentile 99.9%)

This instalment shares a study of CVE-2015-1641. Because of its reliability and its coverage of many Office versions, this vulnerability has been said to have taken over from CVE-2012-0158 as the go-to Office exploit. It is a type confusion: with it you can write controlled data to an arbitrary memory address, and by combining that write with some standard techniques chosen to fit the bug's characteristics you can reach arbitrary code execution.
The vulnerability principle
The common samples for this vulnerability are RTF files. That is a matter of how the exploit is assembled (RTF makes it convenient to package the components) and not a hard rule; the root cause has nothing to do with RTF and lies in Word's implementation of the Office Open XML format. The familiar .docx file is simply a ZIP package whose internal parts are organised according to Open XML. The RTF samples seen in the wild generally embed three docx components: two that trigger the vulnerability and one that carries the exploit, although again this is not absolute.
![The three docx/zip components extracted from the RTF sample](/Article/UploadPic/2016-12/2016123171529970.png)
The three zip packages above were extracted from the RTF sample. A simple way to get at them: Word's Insert Object feature can embed another Word document, and this sample embeds three docx files and then saves the main document as RTF. Each inserted docx therefore appears in the RTF as a run of hexadecimal text, the hex encoding of that file's bytes, so an editor such as Notepad++ can pull the runs out with a regular expression, "\\objdata [0-9a-f\r\n]+", and a hex editor such as 010 Editor can then save them as three docx/zip files. (The \objdata stream carries an OLE object header ahead of the embedded file, so save from the start of the zip data, the "PK" signature, onward.) With the components in hand the analysis can begin. Strip the .zip suffix from the second file and open it with Office: Word crashes immediately. In the debugger the crash site is an assignment instruction, and ecx holds a stable address that falls inside msvcr71.dll, the module the exploit relies on to bypass ASLR:
![Crash site in the debugger: ecx holds an address inside msvcr71.dll](/Article/UploadPic/2016-12/2016123171529671.png)
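The manual extraction step above (regex over the \objdata hex, then a hex editor) can be scripted. The following is an added example and not the article's own tooling: it hex-decodes every \objdata run in an RTF and carves each ZIP it finds, starting at the "PK" local-file-header signature so that the OLE object header in front of the embedded docx is skipped. The RTF it runs on is constructed in memory for the demo (two small docx-like zips behind a stand-in OLE header); pass a real sample path on the command line to carve that instead.

```python
"""Carve the embedded docx/zip components out of an RTF exploit sample.

Added example (not the article's code). It automates the manual step
described above: find every \\objdata hex run, decode it, and save each
ZIP found inside as its own file. Word-inserted objects wrap the file in
an OLE1 native-data header, so the carve starts at the ZIP signature
rather than at the first decoded byte.
"""
import binascii
import io
import re
import zipfile

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
ZIP_LFH = b"PK\x03\x04"      # local file header: where a zip starts
ZIP_EOCD = b"PK\x05\x06"     # end of central directory: where it ends


def objdata_blobs(rtf: bytes) -> list:
    """Hex-decode every \\objdata run (line breaks inside the hex are tolerated)."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) & ~1]          # drop a dangling nibble
        if hexstr:
            blobs.append(binascii.unhexlify(hexstr))
    return blobs


def carve_zips(blob: bytes) -> list:
    """Return every valid ZIP inside a decoded \\objdata blob."""
    zips = []
    pos = blob.find(ZIP_LFH)
    while pos != -1:
        eocd = blob.find(ZIP_EOCD, pos)
        if eocd == -1:
            break
        comment_len = int.from_bytes(blob[eocd + 20:eocd + 22], "little")
        end = eocd + 22 + comment_len
        candidate = blob[pos:end]
        try:
            with zipfile.ZipFile(io.BytesIO(candidate)) as zf:
                ok = zf.testzip() is None
        except zipfile.BadZipFile:
            ok = False
        if ok:
            zips.append(candidate)
            pos = blob.find(ZIP_LFH, end)            # skip past this archive
        else:
            pos = blob.find(ZIP_LFH, pos + 1)        # stray signature, keep looking
    return zips


def extract_components(rtf: bytes) -> list:
    """All docx/zip components embedded in the RTF, in document order."""
    return [z for blob in objdata_blobs(rtf) for z in carve_zips(blob)]


def component_names(zip_bytes: bytes) -> list:
    """Part names inside one carved component (e.g. word/document.xml)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def build_sample_rtf() -> bytes:
    """Constructed demo input: an RTF with two embedded docx-like zips."""
    def docx(text: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document>%s</w:document>" % text)
        return buf.getvalue()

    ole_header = b"\x01\x05\x00\x00\x02\x00\x00\x00Package\x00"   # stand-in OLE1 header
    objects = []
    for n in (1, 2):
        payload = ole_header + docx("component %d" % n) + b"\x00" * 8
        hexdata = binascii.hexlify(payload)
        # RTF writers wrap the hex at about 76 columns; do the same so the regex must cope
        wrapped = b"\r\n".join(hexdata[i:i + 76] for i in range(0, len(hexdata), 76))
        objects.append(b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
                       + wrapped + b"}}")
    return b"{\\rtf1\\ansi " + b"\\par ".join(objects) + b"}"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_rtf()
    for i, comp in enumerate(extract_components(data), 1):
        name = "component_%d.docx" % i
        open(name, "wb").write(comp)
        print(name, component_names(comp))
```

The carve validates each candidate with zipfile before accepting it and then jumps past that archive's end-of-central-directory record, so a "PK" sequence that merely occurs inside compressed data does not produce a bogus second component.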
Turning to the file itself, adding the .zip suffix and unpacking it gives the following:
![Contents of the unpacked docx component](/Article/UploadPic/2016-12/2016123171529361.png)
Under the word directory, document.xml is the main part that organises the document's resources and usually holds the document's text as well. It is in this file that we find the content that triggers the vulnerability:
![The smartTag/moveFromRange markup in word/document.xml that triggers the bug](/Article/UploadPic/2016-12/2016123171530503.png)
As you can see, the ecx value at the crash site comes straight from the Unicode-encoded attribute value of the smartTag element (on condition that msvcr71.dll has already been loaded). What follows is a memory copy whose destination address is computed from ecx, and the data copied is 0xffffe696, which is the id value of the nested moveFromRange tag, 4294960790:
![The copy: destination derived from ecx, data 0xffffe696 taken from the moveFromRange id](/Article/UploadPic/2016-12/2016123171530111.png)
So by arranging the file's content and controlling just these two values we get a primitive that writes controlled data to an arbitrary memory address. Of course, the more interesting question is why this construct works at all. The content is a nest of Open XML tags: the outermost is smartTag and the innermost is moveFromRange. Looking each of them up in the MSDN documentation explains what they do; pay particular attention to the description of moveFromRange's displacedByCustomXml attribute:
![MSDN description of the displacedByCustomXml attribute of moveFromRange](/Article/UploadPic/2016-12/2016123171530291.png)
The figure shows that this attribute marks the range as displaced by a custom XML element; in other words, it tells the parser that the parent of this moveFromRange is a customXml object that is to be replaced. Yet the sample contains no customXml tag at all. Comparing the descriptions of customXml and smartTag, the two elements are not only similar in function; their internal attribute structure is also strikingly alike:
![customXml and smartTag side by side: matching attribute structure](/Article/UploadPic/2016-12/2016123171530419.png)
Think of them as twins stamped from the same template and given different jobs by Microsoft, so that sometimes Microsoft itself cannot tell which is which. That is precisely the type confusion. The crash site seen in the debugger is where Word, having parsed the moveFromRange tag, prepares to transfer its id into the "space" of the parent smartTag (/customXml) object. Tracing this process backwards and comparing the two cases: when the parent really is a customXml, the transfer first allocates memory and then copies into the fresh buffer; in the confused case the two objects differ in substance, so the id is copied straight into some existing slot inside the smartTag object. The two traces are compared below:
![Trace comparison: the legitimate customXml path (allocate, then copy) versus the confused smartTag path (copy in place)](/Article/UploadPic/2016-12/2016123171530657.png)
Because the members of the two tags are similar enough, the syntax check passes, but the parsing that follows never strictly checks the object's real type. A smartTag is therefore mistaken for a customXml: when moveFromRange is parsed, the memory that the replacement needs is assumed to exist already, and the copy goes straight to the wrong location. That is the exploitable vulnerability.
Constructing a POC that triggers the vulnerability
Summing up: the vulnerability occurs while Word parses a customXml element that carries a replacement marker. Normally the moveFromRange tag passes its id up to the parent customXml object; because customXml and its sibling smartTag are so alike, substituting a smartTag for the customXml produces a type confusion and a bad memory copy. Below we describe how to construct a POC sample that triggers it. First, one thing must be clear: to write to an arbitrary address we control two variables, the attribute value of the (confused) smartTag element and the id value of the moveFromRange tag, which supply the target address and the data written respectively. Tracing backwards from the crash function mentioned above:
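Before building a POC it helps to have a quick way to recognise the construct and to read back the two controlled variables from any document.xml. The scanner below is an added example, not the article's code. It assumes what the analysis above describes: a smartTag element wrapping moveFromRangeStart/moveFromRangeEnd tags that carry displacedByCustomXml; the pointer is taken as the first two UTF-16 code units of a smartTag attribute read as a little-endian 32-bit value (the article does not say which attribute, so every attribute is examined); the w:id is read as the 32-bit value copied. The sample document.xml is constructed for the demo: 0x0BADF00D is a placeholder address, and 4294960790 (0xFFFFE696) is the id from the article.

```python
"""Triage word/document.xml for the smartTag + moveFromRange construct.

Added example, not the article's code. It recovers the two variables the
analysis identifies: a smartTag attribute whose UTF-16 code units are read
as a little-endian 32-bit pointer (the write address) and the moveFromRange
w:id read as a 32-bit value (the data written). Which smartTag attribute
carries the pointer is not stated, so every attribute is checked. The
document.xml below is constructed: 0x0BADF00D is a placeholder address,
4294960790 (0xFFFFE696) is the id from the article.
"""
import xml.etree.ElementTree as ET
import zipfile
from typing import Optional

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"
MOVE_TAGS = {W + "moveFromRangeStart", W + "moveFromRangeEnd"}

# Constructed sample: address 0x0BADF00D encoded as code units F00D, 0BAD (little-endian).
SAMPLE_DOCUMENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body><w:p>
    <w:smartTag w:uri="urn:schemas-microsoft-com:office:smarttags"
                w:element="&#xF00D;&#x0BAD;&#xF00D;&#x0BAD;">
      <w:moveFromRangeStart w:id="4294960790" w:name="m0" w:displacedByCustomXml="next"/>
      <w:moveFromRangeEnd w:id="4294960790" w:displacedByCustomXml="next"/>
    </w:smartTag>
  </w:p></w:body>
</w:document>"""


def attr_as_pointer(value: str) -> Optional[int]:
    """First two UTF-16 code units of an attribute value as a LE 32-bit int.

    Ordinary attribute values (URIs, names) are pure ASCII and are skipped;
    an encoded address almost always yields characters outside ASCII.
    """
    if len(value) < 2 or all(ord(ch) < 0x80 for ch in value):
        return None
    units = value.encode("utf-16-le", errors="surrogatepass")
    return int.from_bytes(units[:4], "little")


def scan_document_xml(xml_bytes: bytes) -> list:
    """One finding per moveFromRange* with displacedByCustomXml inside a smartTag."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for tag in root.iter(W + "smartTag"):
        moves = [e for e in tag.iter()
                 if e.tag in MOVE_TAGS and e.get(W + "displacedByCustomXml")]
        if not moves:
            continue
        pointers = {}                                  # candidate write addresses
        for key, value in tag.attrib.items():
            ptr = attr_as_pointer(value)
            if ptr is not None:
                pointers[key.replace(W, "w:")] = ptr
        for mv in moves:
            raw = mv.get(W + "id", "")
            if not raw.lstrip("-").isdigit():
                continue
            ident = int(raw)
            findings.append({
                "tag": mv.tag.replace(W, "w:"),
                "pointers": pointers,
                "value": ident & 0xFFFFFFFF,           # the 32-bit value that gets copied
                # The construct itself is the anomaly (a displaced range belongs under
                # customXml, not smartTag); a decoded pointer or an id outside the
                # signed 32-bit range that real ids use makes it near-certain.
                "high_confidence": bool(pointers) or not (0 <= ident <= 0x7FFFFFFF),
            })
    return findings


def scan_docx(path: str) -> list:
    """Run the scan on a .docx (or on a carved component saved with that suffix)."""
    with zipfile.ZipFile(path) as zf:
        return scan_document_xml(zf.read("word/document.xml"))


if __name__ == "__main__":
    for f in scan_document_xml(SAMPLE_DOCUMENT_XML):
        addrs = ", ".join("%s=0x%08X" % kv for kv in f["pointers"].items())
        print("%s value=0x%08X via [%s] high_confidence=%s"
              % (f["tag"], f["value"], addrs, f["high_confidence"]))
```

One caveat the decoding makes visible: the address is carried as XML character data, so its 16-bit halves must be characters the XML parser accepts. A half equal to 0x0000, or one in the surrogate range 0xD800 to 0xDFFF, cannot be written as a character reference at all, which constrains which addresses the primitive can target; the constructed sample deliberately uses halves that are legal.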

