[CAL-2011-0071]Adobe Shockwave Player Parsing cupt atom heap overflow


Discover: instruder of code audit labs of vulnhunt.com
CAL: CAL-2011-0071
CVE: CVE-2012-0758
http://blog.vulnhunt.com/index.php/2012/02/15/cal-2011-0071_adobe-shockwave-player-parsing-cupt-atom-heap-overflow/

Adobe security bulletin:
http://www.adobe.com/support/security/bulletins/apsb12-02.html

1 Affected Products
===================
Adobe Shockwave
Adobe Shockwave and prior

2 Vulnerability Details
=======================
When Adobe Shockwave Player parses a .dir file, it reads a DWORD from the
file and uses it in a size computation. That computation can overflow the
32-bit integer, so a buffer much smaller than needed is allocated, and the
copy loop that follows overflows the heap.

3 Analysis
==========
Disassembly from dirapi.dll:

text:6809FC7A push esi
text:6809FC7B push edi
text:6809FC7C push ebp
text:6809FC7D call IML32_1414_get_a_dword   // read a DWORD from the dir file
text:6809FC82 mov esi, eax                  // if eax is e.g. 0x66666680, esi+esi*4 below wraps and leads to a heap overflow
text:6809FC84 lea eax, [esi+esi*4]          // integer overflow
text:6809FC87 push 1
text:6809FC89 lea ecx, ds:24h[eax*8]
text:6809FC90 push ecx
text:6809FC91 call IML32_1111
text:6809FC96 push eax
text:6809FC97 mov [esp+14h+arg_4], eax
text:6809FC9B call IML32_1114               // allocate memory
text:6809FCA0 mov edi, eax
text:6809FCA2 test edi, edi
text:6809FCA4 jz short loc_6809FD03
text:6809FCA6 mov [edi+1Ch], esi
text:6809FCA9 test esi, esi
text:6809FCAB jbe short loc_6809FCCB
text:6809FCAD lea esi, [edi+28h]
text:6809FCB0
text:6809FCB0 loc_6809FCB0:                 ; CODE XREF: sub_6809FC60+69j
text:6809FCB0 push ebp
text:6809FCB1 call IML32_1414_get_a_dword   // write the DWORD to the heap
text:6809FCB6 push 20h
text:6809FCB8 push esi
text:6809FCB9 push ebp
text:6809FCBA mov [esi-4], eax
text:6809FCBD call IML32_1409
text:6809FCC2 inc ebx
text:6809FCC3 add esi, 28h                  // heap buffer overflow
text:6809FCC6 cmp ebx, [edi+1Ch]
text:6809FCC9 jb short loc_6809FCB0         // loop

Equivalent C code:
==================
v6 = v4 + 40;
do
{
    *(_DWORD *)(v6 - 4) = IML32_1414_get_a_dword(v3);
    v4 = IML32_1409();
    ++v2;
    v6 += 40;
}
while ( v2 < *(_DWORD *)(v5 + 0x1C) );

4 Exploitable?
==============
Successful exploitation of this vulnerability could lead to arbitrary code execution.

5 Crash info:
=============
eax=00000000 ebx=00002a63 ecx=07916058 edx=08980028 esi=07981008 edi=07917068
eip=0754fd5a esp=09e9ef28 ebp=08250bd8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
*** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\system32\Adobe\Shockwave 11\DIRAPI.dll
DIRAPI+0x9fd5a:
0754fd5a 8946fc          mov     dword ptr [esi-4],eax ds:0023:07981004=????????
0:023> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
09e9ef40 0755028c 07894154 08250bb0 07894154 DIRAPI+0x9fd5a
00000000 00000000 00000000 00000000 00000000 DIRAPI+0xa028c

POC

6 About Code Audit Labs:
========================
Code Audit Labs secures your software, providing professional services including source code audit and binary code audit.
Code Audit Labs: "You create value for customer, We protect your value"
http://www.VulnHunt.com
http://blog.vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
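The size computation in section 3 is count*5, then *8 plus 0x24, all in 32-bit registers, while the fill loop advances 40 bytes per entry. The following C program is an added example, not code from the advisory or from dirapi.dll: it replays that arithmetic for the 0x66666680 value the author mentions, shows how far the loop would run past the wrapped allocation, and places a hardened size check and a hypothetical parser (parse_entries, which models each entry as 40 raw bytes and bounds the count by the input length) beside it. Constants ENTRY_SIZE and HEADER_SIZE are taken from the listing; the sample byte streams are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes recovered from the advisory's listing:
 *   lea eax, [esi+esi*4]     ; count * 5
 *   lea ecx, ds:24h[eax*8]   ; count * 40 + 0x24  -> allocation size
 *   add esi, 28h             ; the fill loop advances 40 bytes per entry */
#define ENTRY_SIZE  40u
#define HEADER_SIZE 0x24u

/* Same 32-bit arithmetic as the vulnerable routine: the product wraps
 * silently, so the size handed to the allocator can be tiny. */
uint32_t vulnerable_alloc_size(uint32_t count)
{
    uint32_t tmp = count + count * 4u;   /* lea eax, [esi+esi*4] */
    return tmp * 8u + HEADER_SIZE;       /* lea ecx, ds:24h[eax*8] */
}

/* Bytes the fill loop will cover for the same count, computed in 64 bits so
 * it cannot wrap (assumption: each iteration stays within its 40-byte slot). */
uint64_t bytes_loop_writes(uint32_t count)
{
    return (uint64_t)count * ENTRY_SIZE + HEADER_SIZE;
}

/* Hardened size computation: reject any count for which
 * count * ENTRY_SIZE + HEADER_SIZE does not fit in 32 bits. */
bool checked_alloc_size(uint32_t count, uint32_t *out)
{
    if (count > (UINT32_MAX - HEADER_SIZE) / ENTRY_SIZE)
        return false;                    /* would wrap: refuse */
    *out = count * ENTRY_SIZE + HEADER_SIZE;
    return true;
}

/* Hypothetical parser (not dirapi.dll code): read a little-endian count,
 * size the buffer with the checked computation, and additionally bound the
 * count by the bytes really present in the input. Each entry is modelled as
 * 40 raw bytes. Returns a malloc'd header+entries buffer, or NULL. */
uint8_t *parse_entries(const uint8_t *data, size_t len, uint32_t *count_out)
{
    uint32_t count, size;
    if (len < 4)
        return NULL;
    count = (uint32_t)data[0] | ((uint32_t)data[1] << 8) |
            ((uint32_t)data[2] << 16) | ((uint32_t)data[3] << 24);
    if (!checked_alloc_size(count, &size))
        return NULL;
    if ((uint64_t)count * ENTRY_SIZE > (uint64_t)(len - 4))
        return NULL;                     /* count exceeds available data */
    uint8_t *buf = calloc(1, size);
    if (!buf)
        return NULL;
    memcpy(buf + HEADER_SIZE, data + 4, (size_t)count * ENTRY_SIZE);
    *count_out = count;
    return buf;
}

/* Constructed sample input: count = 2, followed by two 40-byte entries
 * (remaining bytes zero-filled by the initializer). */
static const uint8_t SAMPLE_OK[4 + 2 * ENTRY_SIZE] = { 0x02, 0, 0, 0, 0xAA, 0xBB };

/* Constructed hostile header: count = 0x66666680, the value the advisory
 * gives as an example, with no entry data behind it. */
static const uint8_t SAMPLE_BAD[4] = { 0x80, 0x66, 0x66, 0x66 };

int sample_ok_parses(void)
{
    uint32_t n = 0;
    uint8_t *buf = parse_entries(SAMPLE_OK, sizeof SAMPLE_OK, &n);
    int ok = buf != NULL && n == 2 && buf[HEADER_SIZE] == 0xAA;
    free(buf);
    return ok;
}

int sample_bad_rejected(void)
{
    uint32_t n = 0;
    return parse_entries(SAMPLE_BAD, sizeof SAMPLE_BAD, &n) == NULL;
}

int main(void)
{
    uint32_t c = 0x66666680u, s;
    printf("count 0x%08x: wrapped size 0x%x, loop covers 0x%llx bytes\n",
           c, vulnerable_alloc_size(c), (unsigned long long)bytes_loop_writes(c));
    printf("checked_alloc_size: %s\n", checked_alloc_size(c, &s) ? "accepted" : "rejected");
    printf("sample_ok_parses=%d sample_bad_rejected=%d\n",
           sample_ok_parses(), sample_bad_rejected());
    return 0;
}
```

For count 0x66666680 the 32-bit computation yields 0x424 (1060 bytes) while the loop would cover 0x1000000424 bytes, which is the gap the crash dump's faulting `mov dword ptr [esi-4],eax` reflects. The two independent checks in parse_entries are the ones worth carrying into any parser of length-prefixed records: the multiplication must be proven not to wrap before allocating, and the count must be bounded by the data actually present rather than trusted from the file.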