Source: http://aluigi.org/adv/msreader_1-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Reader
              http://www.microsoft.com/reader
Versions:     <= 2.1.1.3143 (PC version)
              the Origami 2.6.1.7169 version doesn't seem vulnerable
              the non-PC versions have not been tested
Platforms:    Windows, Windows Mobile, Tablet PC and UMPC devices
Bug:          integer overflow
Date:         11 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Microsoft Reader is the software needed to read and catalog ebooks in
LIT format and Audible audio books bought over the internet; its
homepage also acts as an online store for this protected content.

#######################################################################

======
2) Bug
======

The software is affected by an integer overflow in the handling of the
number of pieces read from the initial ITLS header at offset 0x10:

  0108306E  |> 8B7B 68        MOV EDI,DWORD PTR DS:[EBX+68]
  01083071 >|. 8BF7           MOV ESI,EDI
  01083073  |. C1E6 04        SHL ESI,4
  01083076  |. 837D 08 00     CMP DWORD PTR SS:[EBP+8],0
  0108307A  |. 7C 78          JL SHORT MSReader.010830F4
  0108307C  |. 8BC7           MOV EAX,EDI
  0108307E  |. C1E0 04        SHL EAX,4
  01083081  |. 50             PUSH EAX
  01083082  |. E8 A1870000    CALL MSReader.0108B828          ; LocalAlloc
  01083087  |. 85C0           TEST EAX,EAX
  01083089  |. 59             POP ECX
  0108308A  |. 74 06          JE SHORT MSReader.01083092
  0108308C  |. 4F             DEC EDI
  0108308D  |. 897D 08        MOV DWORD PTR SS:[EBP+8],EDI
  01083090  |. EB 02          JMP SHORT MSReader.01083094
  01083092  |> 33C0           XOR EAX,EAX
  01083094  |> 8943 44        MOV DWORD PTR DS:[EBX+44],EAX
  01083097  |. 8B43 68        MOV EAX,DWORD PTR DS:[EBX+68]
  0108309A  |. C1E0 02        SHL EAX,2
  0108309D  |. 50             PUSH EAX
  0108309E  |. E8 85870000    CALL MSReader.0108B828          ; LocalAlloc
  010830A3  |. 837B 44 00     CMP DWORD PTR DS:[EBX+44],0
  010830A7  |. 59             POP ECX
  010830A8  |. 8943 48        MOV DWORD PTR DS:[EBX+48],EAX
  010830AB  |. 74 40          JE SHORT MSReader.010830ED
  010830AD  |. 85C0           TEST EAX,EAX
  010830AF  |. 74 3C          JE SHORT MSReader.010830ED
  010830B1  |. 8B4B 68        MOV ECX,DWORD PTR DS:[EBX+68]
  010830B4  |. C1E1 02        SHL ECX,2
  010830B7  |. 51             PUSH ECX
  010830B8  |. 6A 00          PUSH 0
  010830BA  |. 50             PUSH EAX
  010830BB  |. E8 0D6DFEFF    CALL MSReader.01069DCD          ; memset
  010830C0  |. 6A 28          PUSH 28
  010830C2  |. 8B43 3C        MOV EAX,DWORD PTR DS:[EBX+3C]
  010830C5  |. 59             POP ECX
  010830C6  |. 8D55 FC        LEA EDX,DWORD PTR SS:[EBP-4]
  010830C9  |. 8B38           MOV EDI,DWORD PTR DS:[EAX]
  010830CB  |. 52             PUSH EDX
  010830CC  |. 56             PUSH ESI
  010830CD  |. 33D2           XOR EDX,EDX
  010830CF  |. FF73 44        PUSH DWORD PTR DS:[EBX+44]
  010830D2  |. 52             PUSH EDX
  010830D3  |. 51             PUSH ECX
  010830D4  |. 50             PUSH EAX
  010830D5  |. FF57 0C        CALL DWORD PTR DS:[EDI+C]       ; ReadFile
  ...
  01082CD8 >|. 8B5E 68        MOV EBX,DWORD PTR DS:[ESI+68]
  01082CDB  |> 8BC3           /MOV EAX,EBX
  01082CDD  |. 4B             |DEC EBX
  01082CDE  |. 85C0           |TEST EAX,EAX
  01082CE0  |. 74 1C          |JE SHORT MSReader.01082CFE
  01082CE2  |. 8B46 48        |MOV EAX,DWORD PTR DS:[ESI+48]
  01082CE5  |. 8B3C98         |MOV EDI,DWORD PTR DS:[EAX+EBX*4]
  01082CE8  |. 3BFD           |CMP EDI,EBP
  01082CEA  |.^74 EF          |JE SHORT MSReader.01082CDB
  01082CEC  |> 8B07           |/MOV EAX,DWORD PTR DS:[EDI]
  01082CEE  |. 57             ||PUSH EDI
  01082CEF  |. FF50 08        ||CALL DWORD PTR DS:[EAX+8]     ; exploitation
  ...
  010832D0  |> 8B4E 48        MOV ECX,DWORD PTR DS:[ESI+48]
  010832D3  |. 8BD8           MOV EBX,EAX
  010832D5  |. C1E3 02        SHL EBX,2
  010832D8  |. 8B3C19         MOV EDI,DWORD PTR DS:[ECX+EBX]
  010832DB  |. 85FF           TEST EDI,EDI
  010832DD  |. 74 0F          JE SHORT MSReader.010832EE
  010832DF  |. 8B07           MOV EAX,DWORD PTR DS:[EDI]
  010832E1  |. 57             PUSH EDI
  010832E2  |. FF50 04        CALL DWORD PTR DS:[EAX+4]       ; exploitation

For exploiting the vulnerability there are some things to consider.
A minimal heap spray can be performed on the memory because the pieces
(the number involved in the integer overflow) or the secondary data
block with the size specified at offset 0x14 get loaded correctly.
So it's necessary to tune the exploit to have a chance of EAX (or
another register, because there is also another location for the
exploitation) pointing to our code.

I have provided two examples written from scratch that show the usage
of the first (number of pieces) and second field (0200000098000000...)
for loading data.

This simple technique can also be used as help for exploiting the other
vulnerabilities reported in this software.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/msreader_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17160.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
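The arithmetic behind the bug in section 2, shown in C as an added example (not the advisory's code and not Microsoft's): the unchecked `SHL ESI,4` / `SHL EAX,4` on the piece count from offset 0x10 wraps in 32 bits, so a huge count produces a tiny LocalAlloc size while the later loops still iterate over the full count. The hardened variant beside it is how a parser should size those tables; the 0x18 header length and the "ITLS" placement are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout as the advisory describes it: 32-bit piece count at offset 0x10 of
   the initial ITLS header. HEADER_LEN is an assumption for this example. */
#define PIECES_OFFSET 0x10
#define HEADER_LEN    0x18

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Same arithmetic as the SHL ...,4 in the disassembly: the product wraps
   silently in 32 bits, so a large count yields a tiny allocation size. */
uint32_t unchecked_table_size(uint32_t pieces) {
    return (uint32_t)(pieces * 16u);
}

/* Hardened computation: rejects a count whose 16-byte table would not fit in
   32 bits, and a count whose table is larger than the data the file holds.
   Returns the table size in bytes, or -1 when the header must be refused. */
long long checked_table_size(const uint8_t *hdr, size_t file_len) {
    if (file_len < HEADER_LEN) return -1;
    uint32_t pieces = rd32le(hdr + PIECES_OFFSET);
    if (pieces == 0 || pieces > UINT32_MAX / 16u) return -1; /* would wrap */
    uint64_t tbl = (uint64_t)pieces * 16u;
    if (tbl > file_len - HEADER_LEN) return -1;  /* exceeds bytes present */
    return (long long)tbl;
}

/* Builds a constructed header with the given piece count (little-endian,
   as on x86) and runs the hardened check; returns -1 if it is rejected. */
long long probe(uint32_t pieces, size_t file_len) {
    uint8_t hdr[HEADER_LEN];
    memset(hdr, 0, sizeof hdr);
    memcpy(hdr, "ITLS", 4);   /* constructed marker, not parsed here */
    for (int i = 0; i < 4; i++)
        hdr[PIECES_OFFSET + i] = (uint8_t)(pieces >> (8 * i));
    return checked_table_size(hdr, file_len);
}

int main(void) {
    printf("pieces=0x40000000: unchecked size %u, checked %lld\n",
           unchecked_table_size(0x40000000u), probe(0x40000000u, 4096));
    return 0;
}
```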