Microsoft Excel 2007 SP2 – Buffer Overwrite (MS11-021)

• Exploit Database
• 106 阅读

• 作者： Abysssec
  日期： 2011-11-02
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/18067/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156

  Abysssec Research   1) Advisory information   Title :Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability Analysis:Abysssec.com Vendor:http://www.microsoft.com Impact:Critical Contact :info [at] abysssec.com Twitter :@abysssec   Microsoft : A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.     each excel file can contain multipleBOF (2057) records . This record specifies the first substream associated with workbook. One of the fields in these records, specify substream recordd to come with. This field can be extracted from sub_3018F0C2 function.   .text:301A0C87 push[ebp+arg_2C] .text:301A0C8A mov ecx, [ebp+var_14] .text:301A0C8D push1 .text:301A0C8F callsub_3018F0C2 .text:301A0C94 mov ecx, eax .text:301A0C96 mov eax, [ebp+arg_24] .text:301A0C99 cmp eax, ebx .text:301A0C9B mov [ebp+var_10], ecx .text:301A0C9E jzshort loc_301A0CA2 .text:301A0CA0 mov [eax], ecx     If the field value is equal with 400, sub_3019DFBA function is called to check file type. if file type is xls EXCEL.exe will display a message If approved it will continue to run the code.if you change file extension to xlb there will be any message. After this step sub_3053F626 function will be executed. This function will parse the next BOF records.   .text:304D4E9D cmp [ebp+arg_20], ebx .text:304D4EA0 jnz short loc_304D4EC6 .text:304D4EA2 testdword ptr word_30EDCF9C, 2000000h .text:304D4EAC jnz short loc_304D4EC6 .text:304D4EAE mov edx, [ebp+arg_C] .text:304D4EB1 mov ecx, [ebp+arg_8] .text:304D4EB4 push3Fh .text:304D4EB6 callsub_3019DFBA .text:304D4EBB cmp eax, ebx .text:304D4EBD mov [ebp+var_8], eax .text:304D4EC0 jzloc_304D4FD3 .text:304D4EC6 .text:304D4EC6 loc_304D4EC6: ; CODE XREF: sub_301A0BC7+3342D9j .text:304D4EC6 ; sub_301A0BC7+3342E5j .text:304D4EC6 pushebx .text:304D4EC7 pushdword_30EB89A4 .text:304D4ECD push[ebp+var_C] .text:304D4ED0 callsub_3053F626 .text:304D4ED5 cmp dword_30F5E64C, ebx .text:304D4EDB mov [ebp+var_8], eax .text:304D4EDE jzshort loc_304D4EE7 .text:304D4EE0 cmp eax, ebx .text:304D4EE2 jzshort loc_304D4EE7   one of records may come after BOF,is undocumented record which have record type equal to 0xA7 (167). for truly parsing this record should come with another record with 0x3C (60) record type. if it meet this requirement the length of records will be read and copied to the stack.   the function which operation of copying data records in the stack is sub_30199E55. This function takes three arguments. The first argument specifies the number of bytes to copy, which will read from file. The second argument specifies the destination of the copy and the third argument specifies the maximum amount of data can be copied. values of the second and third arguments based on the amount of computing reading from file and into this cumpoting,computational error which may occur here ...     .text:3053F830 callsub_301A0A01 .text:3053F835 cmp eax, 3Ch .text:3053F838 mov [ebp+var_ED4], eax .text:3053F83E jnz loc_30540488 .text:3053F844 callsub_301A0A01 .text:3053F849 mov ecx, [ebp+var_EDC] .text:3053F84F imulecx, [ebp+var_F00] .text:3053F856 mov edi, eax .text:3053F858 mov eax, [ebp+var_EE0] .text:3053F85E lea ebx, [ecx+eax+3] .text:3053F862 callsub_301A0ABE .text:3053F867 push0FFFFFFFDh .text:3053F869 pop edx .text:3053F86A sub edx, ecx .text:3053F86C add eax, edx .text:3053F86E pusheax ; Dst .text:3053F86F pushebx ; int .text:3053F870 mov eax, edi .text:3053F872 callsub_30199E55       the vulnerability that exists here is that we can change the value of parameter 3 whith our own values. program will not correcly controll third argument of sub_30199E55 this and can result in the desired amount and location of desired data can overwrite in the stack.   .text:30199E60 cmp edi, [esp+4+Dst] .text:30199E64 jaloc_303EE1B7 .text:30199E6A mov ecx, [esp+4+arg_0] .text:30199E6E pushebx .text:30199E6F mov ebx, dword_30F726C0 .text:30199E75 pushebp .text:30199E76 mov ebp, nNumberOfBytesToRead .text:30199E7C pushesi .text:30199E7D mov [esp+10h+Dst], ecx .... .text:30199E93 mov eax, [esp+10h+Dst] .text:30199E97 pushesi ; Size .text:30199E98 lea edx, dword_30F6E6B8[ebx] .text:30199E9E pushedx ; Src .text:30199E9F pusheax ; Dst .text:30199EA0 sub edi, esi .text:30199EA2 callmemcpy .text:30199EA7 add [esp+1Ch+Dst], esi .text:30199EAB add ebx, esi .text:30199EAD add esp, 0Ch .text:30199EB0 testedi, edi .text:30199EB2 mov dword_30F726C0, ebx .text:30199EB8 jnz loc_301E0DB3     Exploiting :   Stack overflows are not hard to exploit at all ! but as we have both /GS , SAFESEH here. because given that we are destined to memcpy we can change it so that it begins to overwrite the stack after GS. and from there when the return comes , our values contained in the ESP and we can call it with simple call esp and game is over !!!   exploit can be download from here :   http://www.abysssec.com/blog/wp-content/uploads/2011/11/MS11-021.zip   EDB mirror :   https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18067.zip