Source: http://aluigi.org/adv/msreader_2-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Reader
              http://www.microsoft.com/reader
Versions:     <= 2.1.1.3143 (PC version)
              <= 2.6.1.7169 (Origami version)
              the non-PC versions have not been tested
Platforms:    Windows, Windows Mobile, Tablet PC and UMPC devices
Bug:          heap overflow
Date:         11 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Microsoft Reader is the software used to read and catalog ebooks in LIT
format and the Audible audio books bought online; its homepage also acts
as the online store for these protected contents.

#######################################################################

======
2) Bug
======

Heap overflow caused by the allocation of a certain amount of memory and
the subsequent copying of arbitrary data into it during the decompression
of the sections. The allocation is derived from the directory entry's
64-bit size field, while the copy is as long as the data that comes out
of the file, so a shrunken size field is enough to overrun the buffer.

A quick trace of the sum operations performed with the entry size/offset
values, followed by the function that performs the copying:

0107F517  |> 8B85 E0FDFFFF    MOV EAX,DWORD PTR SS:[EBP-220]    ; second 64bit number (entry->size)
0107F51D  |. 0B85 E4FDFFFF    OR EAX,DWORD PTR SS:[EBP-21C]
0107F523  |. 74 12            JE SHORT msreader.0107F537
0107F525  |. 8B46 60          MOV EAX,DWORD PTR DS:[ESI+60]     ; 64bit total size
0107F528  |. 8B4E 64          MOV ECX,DWORD PTR DS:[ESI+64]
0107F52B  |. 0185 D8FDFFFF    ADD DWORD PTR SS:[EBP-228],EAX    ; added to the first 64bit number (entry->offset)
0107F531  |. 118D DCFDFFFF    ADC DWORD PTR SS:[EBP-224],ECX
0107F537  |> FF75 18          PUSH DWORD PTR SS:[EBP+18]
0107F53A  |. 8D85 D8FDFFFF    LEA EAX,DWORD PTR SS:[EBP-228]
0107F540  |. FF75 14          PUSH DWORD PTR SS:[EBP+14]
0107F543  |. 50               PUSH EAX
0107F544  |. FF76 74          PUSH DWORD PTR DS:[ESI+74]
0107F547  |. 56               PUSH ESI
0107F548  |. FF75 0C          PUSH DWORD PTR SS:[EBP+C]
0107F54B  |. E8 DEBEFEFF      CALL msreader.0106B42E
...
0106B596  |. 8B71 48          MOV ESI,DWORD PTR DS:[ECX+48]     ; second 64bit number (entry->size)
0106B599  |. 897D F0          MOV DWORD PTR SS:[EBP-10],EDI
0106B59C  |. 13C2             ADC EAX,EDX
0106B59E  |. 03F3             ADD ESI,EBX                       ; added to the 64bit total size
0106B5A0  |. 8975 0C          MOV DWORD PTR SS:[EBP+C],ESI
0106B5A3  |. 8B71 4C          MOV ESI,DWORD PTR DS:[ECX+4C]
0106B5A6  |. 1371 44          ADC ESI,DWORD PTR DS:[ECX+44]
0106B5A9  |. 5B               POP EBX
0106B5AA  |. 3BD6             CMP EDX,ESI
0106B5AC  |. 72 1C            JB SHORT msreader.0106B5CA
0106B5AE  |. 77 08            JA SHORT msreader.0106B5B8
...
01092A02  /. 55               PUSH EBP                          ; copying function
...skip...

Examples specific to the PoC msreader_2a.lit:

  LocalAlloc 000a6f68 = 01610020
  ReadFile   000a6f68 (file offset 0x22f5d)
  LocalAlloc 000a6f68 = 016c0020
  DES decryption of the data read from the file, with the output in the
  second allocated buffer
  memcpy esi is 016c0020
  memcpy edi is 0022a008

...skip...
01092B50  |. 8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
01092B53  |. 8B55 F4          MOV EDX,DWORD PTR SS:[EBP-C]
01092B56  |. 8B7D 14          MOV EDI,DWORD PTR SS:[EBP+14]
01092B59  |. 8BCB             MOV ECX,EBX
01092B5B  |. 8D3410           LEA ESI,DWORD PTR DS:[EAX+EDX]
01092B5E  |. 8BD1             MOV EDX,ECX
01092B60  |. C1E9 02          SHR ECX,2
01092B63  |. F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]

The data copied into the heap buffer is exactly the data read from the
file and then decrypted with DES, which is why the bytes visible during
the copy cannot be found in the file itself.

I have provided two proof-of-concepts: the first shows the exact location
of the memcpy, while the second causes an exception at a
"call [reg+num]" instruction (it can take some seconds to be reached).
Both are built by shrinking the size field of the same directory entry
(encoded as 84 30 = 0x230 in the original file):

Modified bytes for msreader_2a.lit:

  000005F6   84 -> 40   ; from 0x230 to 0x40
  000005F7   30 -> 5F   ; modified only to keep the size of the subsequent
                        ; entry string

Modified bytes for msreader_2b.lit:

  000005F7   30 -> 00   ; from 0x230 to 0x200

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/msreader_2.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17161.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
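Worked example, added here and not part of the advisory or of Microsoft
Reader's code. It models the bug class in section 2: the size encodings
in the "Modified bytes" lists (84 30, 40, 84 00) are ITSS-style ENCINTs
(big-endian groups of 7 bits, high bit set on every byte but the last),
which is what turns 84 30 into 0x230 and 84 00 into 0x200. The block
decodes them, applies an overflow-safe version of the 64-bit
offset+size-versus-total check the trace shows, and then performs the
entry-sized allocation with a capacity check in front of the copy, so the
two PoC sizes are rejected instead of overflowing. The two-ENCINT entry
layout, the 0x100000 container length, the zero-filled 0x230-byte payload
(standing in for the DES-decrypted data) and all function names are
assumptions made for this example, not the real LIT structures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Decode one ITSS-style ENCINT: big-endian 7-bit groups, high bit set on
 * every byte except the last. 84 30 -> 0x230, 40 -> 0x40, 84 00 -> 0x200.
 * Returns the number of bytes consumed, 0 if truncated or too long. */
size_t decode_encint(const uint8_t *p, size_t len, uint64_t *out)
{
    uint64_t v = 0;
    for (size_t i = 0; i < len && i < 10; i++) {
        v = (v << 7) | (p[i] & 0x7f);
        if (!(p[i] & 0x80)) {
            *out = v;
            return i + 1;
        }
    }
    return 0;
}

/* Parse an (offset, size) pair. Two consecutive ENCINTs is an assumed layout
 * for this example, not the real LIT directory format. 1 on success. */
int parse_entry(const uint8_t *entry, size_t len, uint64_t *offset, uint64_t *size)
{
    size_t n = decode_encint(entry, len, offset);
    if (n == 0)
        return 0;
    return decode_encint(entry + n, len - n, size) != 0;
}

/* Overflow-safe form of the 64-bit "offset + size <= total" test the trace
 * performs with ADD/ADC and CMP: two comparisons, so nothing can wrap. */
int entry_in_bounds(uint64_t offset, uint64_t size, uint64_t total)
{
    return size <= total && offset <= total - size;
}

/* Hardened extraction. Like the vulnerable path, the buffer is sized from the
 * entry's size field and the copy length comes from the payload; the
 * difference is the capacity check before memcpy. Returns bytes written or
 * -1 on an out-of-bounds entry, an unrepresentable size, or an overrun. */
long extract_section(uint64_t container_len, uint64_t offset, uint64_t size,
                     const uint8_t *payload, size_t payload_len, uint8_t **out)
{
    *out = NULL;
    if (!entry_in_bounds(offset, size, container_len))
        return -1;
    if (size > (uint64_t)SIZE_MAX)      /* 64-bit size must fit the allocator */
        return -1;
    uint8_t *buf = malloc(size ? (size_t)size : 1);
    if (!buf)
        return -1;
    if (payload_len > size) {           /* the check the rep movsd path lacks */
        free(buf);
        return -1;
    }
    memcpy(buf, payload, payload_len);
    *out = buf;
    return (long)payload_len;
}

/* Run one constructed entry against a constructed 0x230-byte payload and a
 * constructed container length; returns the extract_section() result. */
long demo_entry(const uint8_t *entry, size_t entry_len)
{
    static const uint8_t payload[0x230] = { 0 };  /* stand-in for decrypted data */
    uint64_t offset, size;
    if (!parse_entry(entry, entry_len, &offset, &size))
        return -1;
    uint8_t *out;
    long n = extract_section(0x100000, offset, size, payload, sizeof payload, &out);
    free(out);
    return n;
}

int main(void)
{
    /* Offset 0x22f5d (the ReadFile offset in the advisory) followed by each
     * size encoding: original 0x230, msreader_2a 0x40, msreader_2b 0x200. */
    const uint8_t orig[]  = { 0x88, 0xDE, 0x5D, 0x84, 0x30 };
    const uint8_t poc_a[] = { 0x88, 0xDE, 0x5D, 0x40 };
    const uint8_t poc_b[] = { 0x88, 0xDE, 0x5D, 0x84, 0x00 };
    printf("original entry: %ld\n", demo_entry(orig, sizeof orig));    /* 560 */
    printf("msreader_2a:    %ld\n", demo_entry(poc_a, sizeof poc_a));  /* -1 */
    printf("msreader_2b:    %ld\n", demo_entry(poc_b, sizeof poc_b));  /* -1 */
    return 0;
}
```

The unmodified entry accepts the full 0x230-byte payload; both PoC sizes
are refused at the capacity check, which is the point at which the real
reader's rep movsd runs past the LocalAlloc'd buffer.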