Title:   Adobe Reader 10.1.4 JP2KLib&CoolType WriteAV Vulnerability
Version: 10.1.4.38
Date:    2012-11-20
Vendor:  http://www.adobe.com/
Impact:  Med/High
Contact: coolkaveh [at] rocketmail.com
Twitter: @coolkaveh
Tested:  XP SP3 ENG
Author:  coolkaveh
================================================================================
Thanks to @Binjo and others for all support and help
================================================================================
Details:
================================================================================
The parsing routine is really complicated :D

Write AV caused by some kind of improperly initialized array. The memmove
parameters, the count and the destination pointer, appear to be controllable
with data from the FlateDecode'd stream. The strange thing is that the
FlateDecode-encoded stream can't be decoded properly via zlib.decompress, but
Adobe seems to decode it correctly.

esi points to a 0x10-byte buffer that contains words or dwords computed from the
decoded data; after some integrity checks, execution reaches the memmove.

.text:08088FCE    mov     eax, esi                  ; jumptable 08087D44 case 8
.text:08088FD0    lea     ecx, [ebp+64h+var_1E0]
.text:08088FD6    sub     eax, ecx
.text:08088FD8    and     eax, 0FFFFFFFCh
.text:08088FDB    cmp     eax, 10h
.text:08088FDE    jl      loc_8088496               ; jumptable 08087D2D cases 0,2
.text:08088FE4    push    4
.text:08088FE6    pop     eax
.text:08088FE7    sub     esi, eax
.text:08088FE9    movsx   edi, word ptr [esi+2]     ; ff6b -> ffffff6b
.text:08088FED    sub     esi, eax
.text:08088FEF    movsx   ecx, word ptr [esi+2]     ; 0
.text:08088FF3    sub     esi, eax
.text:08088FF5    movsx   edx, word ptr [esi+2]     ; 0
.text:08088FF9    sub     esi, eax
.text:08088FFB    mov     eax, [ebx+358h]
.text:08089001    mov     [ebp+64h+var_68], edx
.text:08089004    movsx   edx, word ptr [esi+2]     ; 0
.text:08089008    mov     [ebp+64h+var_88], ecx
.text:0808900B    mov     [ebp+64h+var_98], edx     ; index
[...]
.text:0808906A    cmp     edx, 3                    ; var_98, can't be greater than 3
.text:0808906D    ja      loc_8087D00               ; jumptable 08087D7F case 2
.text:08089073    test    ecx, ecx
.text:08089075    jl      loc_8087D00               ; jumptable 08087D7F case 2
.text:0808907B    add     ecx, edi
.text:0808907D    cmp     ecx, [ebx+360h]
.text:08089083    jg      loc_8087D00               ; jumptable 08087D7F case 2
.text:08089089    mov     ecx, [ebp+64h+var_68]
.text:0808908C    test    ecx, ecx
.text:0808908E    jl      loc_8087D00               ; jumptable 08087D7F case 2
.text:08089094    add     ecx, edi
.text:08089096    cmp     ecx, [ebx+edx*8+38Ch]
.text:0808909D    jg      loc_8087D00               ; jumptable 08087D7F case 2
.text:080890A3    mov     ecx, edi
.text:080890A5    shl     ecx, 2
.text:080890A8    push    ecx                       ; size_t
.text:080890A9    mov     ecx, [ebp+64h+var_88]
.text:080890AC    lea     eax, [eax+ecx*4]
.text:080890AF    mov     ecx, [ebp+64h+var_68]
.text:080890B2    push    eax                       ; void *
.text:080890B3    mov     eax, [ebp+64h+var_98]
.text:080890B6    mov     eax, [ebx+eax*8+390h]     ; ebx+390h seems to be an array pointer
.text:080890BD
.text:080890BD loc_80890BD:                         ; CODE XREF: sub_80875AE+1A1B
.text:080890BD    lea     eax, [eax+ecx*4]
.text:080890C0    push    eax                       ; void *
.text:080890C1    call    ds:memmove

Here, ecx points to a buffer which contains the data the routine parses.

.text:0808B103    cmp     eax, 0FEh
.text:0808B108    jg      short loc_808B12A
.text:0808B10A    movzx   edx, byte ptr [ecx]       ; byte ptr [ecx] = 0x29
.text:0808B10D    add     eax, 0FFFFFF05h
.text:0808B112    shl     eax, 8
.text:0808B115    inc     ecx
.text:0808B116    mov     [ebp+64h+var_78], ecx
.text:0808B119    push    0FFFFFF94h
.text:0808B11B    or      eax, edx
.text:0808B11D    pop     ecx
.text:0808B11E    sub     ecx, eax
.text:0808B120    shl     ecx, 10h
.text:0808B123    mov     [esi], ecx                ; ecx = ff6b
.text:0808B125    jmp     loc_80889B5

This issue needs more investigation, so stay in touch.

============================================================================================
First memory corruption @ CoolType
MSVCR90!memmove
============================================================================================
(d44.c10): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02644c14 ebx=02643008 ecx=3fffff6b edx=00000000 esi=02644e68 edi=00000000
eip=7855b36a esp=0012d4d8 ebp=0012d4e0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\MSVCR90.dll -
MSVCR90!memmove+0x5a:
7855b36a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

Exception Sub-Type: Write Access Violation

Stack Trace:
MSVCR90!memmove+0x5a
CoolType!CTInit+0x34db9
CoolType+0x14cae

Instruction Address: 0x000000007855b36a
Short Description: WriteAV

============================================================================================
Second memory corruption @ JP2KLib
JP2KLib!CIEParamsAreDefaults
============================================================================================
(d0.6a8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=028a56f0 ebx=018126e4 ecx=00000000 edx=00000000 esi=0196893c edi=00000004
eip=022ea797 esp=022ada98 ebp=022adb1c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\JP2KLib.dll -
JP2KLib!CIEParamsAreDefaults+0x871:
022ea797 89411c          mov     dword ptr [ecx+1Ch],eax ds:0023:0000001c=????????

Exception Sub-Type: Write Access Violation

Stack Trace:
JP2KLib!CIEParamsAreDefaults+0x871
JP2KLib!CIEParamsAreDefaults+0x2091
JP2KLib!JP2KCopyRect+0x6fef
MSVCR90!malloc+0x79
AcroRd32!CTJPEGRotateOptions::operator=+0x2268
AcroRd32!AVAcroALM_Destroy+0x84a64
MSVCR90!malloc+0x79
AcroRd32!CTJPEGRotateOptions::operator=+0x29e7
AcroRd32!AVAcroALM_Destroy+0x13886
AcroRd32!AVAcroALM_Destroy+0x7394a
AcroRd32!AVAcroALM_Destroy+0x73ff2
MSVCR90!memcmp+0x1717
AcroRd32!AVAcroALM_Destroy+0x51cbd
AcroRd32!AVAcroALM_Destroy+0x537e8
AcroRd32!AVAcroALM_Destroy+0x1a3a
AcroRd32!AVAcroALM_Destroy+0x9304b

Instruction Address: 0x00000000022ea797
Short Description: WriteAV

============================================================================================
Proof of concept:

CoolType
http://www36.zippyshare.com/v/25032778/file.html
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22878-1.rar

JP2KLib
http://www7.zippyshare.com/v/22655486/file.html
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22878-2.rar
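The integrity checks in front of the CoolType memmove, as read from the disassembly in the Details section, can be written out as plain integer arithmetic to see why they let the crash through. The C below is an added example written for this page; it is not the advisory's code and not Adobe's source. The `parse_ctx`, `rect_params`, `movsx16`, `checks_as_shipped` and `checks_hardened` names, the limit values, and the assumption that the compares are exactly the signed `jl`/`jg` tests shown are all constructed for the illustration. It shows that every field is loaded with `movsx`, that the count (`edi`) is never itself tested for sign, and that a negative count therefore passes both "offset + count <= limit" checks before `shl ecx, 2` turns it into a huge `size_t`; the hardened variant adds the missing test and does the sums in 64 bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the object the routine reads through ebx:
 * src_limit mirrors the value at [ebx+360h] and dst_limit[] the per-index
 * values at [ebx+edx*8+38Ch]. The numbers are made up for this example. */
typedef struct {
    int32_t src_limit;
    int32_t dst_limit[4];
} parse_ctx;

/* The four 16-bit fields taken from the 0x10-byte buffer that esi points to.
 * Each one is loaded with movsx in the disassembly, so each is signed. */
typedef struct {
    uint16_t count;   /* -> edi   (memmove size in dwords)  */
    uint16_t src_off; /* -> var_88                          */
    uint16_t dst_off; /* -> var_68                          */
    uint16_t index;   /* -> var_98                          */
} rect_params;

/* movsx reg32, word ptr [...]: sign-extend a 16-bit field to 32 bits. */
static int32_t movsx16(uint16_t w) {
    return (int16_t)w;
}

/* Reconstruction (an assumption, not Adobe's source) of the checks at
 * 0808906A..0808909D. Returns the byte count that would be pushed as
 * memmove's size_t when every check passes, or -1 when the routine would
 * branch to loc_8087D00 instead. */
static int64_t checks_as_shipped(const parse_ctx *ctx, const rect_params *p) {
    int32_t count = movsx16(p->count);   /* ff6b -> ffffff6b (-149) */
    int32_t src   = movsx16(p->src_off);
    int32_t dst   = movsx16(p->dst_off);
    int32_t idx   = movsx16(p->index);

    if ((uint32_t)idx > 3) return -1;                  /* cmp edx,3 / ja        */
    if (src < 0) return -1;                            /* test ecx,ecx / jl     */
    if (src + count > ctx->src_limit) return -1;       /* add ecx,edi / cmp / jg */
    if (dst < 0) return -1;                            /* test ecx,ecx / jl     */
    if (dst + count > ctx->dst_limit[idx]) return -1;  /* cmp [ebx+edx*8+38Ch]  */
    /* count itself is never tested for sign, so a negative count makes both
     * "offset + count" checks pass; shl ecx,2 then yields 0xfffffdac, and
     * rep movsd's dword count in the crash dump (ecx=3fffff6b) is that / 4. */
    return (int64_t)((uint32_t)count << 2);
}

/* The same checks with the missing sign test added and the sums done in
 * 64 bits so they cannot wrap. */
static int64_t checks_hardened(const parse_ctx *ctx, const rect_params *p) {
    int64_t count = movsx16(p->count);
    int64_t src   = movsx16(p->src_off);
    int64_t dst   = movsx16(p->dst_off);
    int64_t idx   = movsx16(p->index);

    if (count < 0 || src < 0 || dst < 0) return -1;
    if (idx < 0 || idx > 3) return -1;
    if (src + count > ctx->src_limit) return -1;
    if (dst + count > ctx->dst_limit[idx]) return -1;
    return count * 4;
}

/* Fixed constructed context (64-dword buffers) for the demonstrations. */
static const parse_ctx demo_ctx = { 64, { 64, 64, 64, 64 } };

/* Run the shipped checks with offsets 0 and index 0, varying only the count word. */
static int64_t shipped_size_for(uint16_t count_word) {
    rect_params p = { count_word, 0, 0, 0 };
    return checks_as_shipped(&demo_ctx, &p);
}

/* Same, with the hardened checks. */
static int64_t hardened_size_for(uint16_t count_word) {
    rect_params p = { count_word, 0, 0, 0 };
    return checks_hardened(&demo_ctx, &p);
}

int main(void) {
    /* 0xff6b is the word the disassembly comment shows being sign-extended. */
    printf("count word 0xff6b: shipped size %lld, hardened %lld\n",
           (long long)shipped_size_for(0xff6b), (long long)hardened_size_for(0xff6b));
    printf("count word 4:      shipped size %lld, hardened %lld\n",
           (long long)shipped_size_for(4), (long long)hardened_size_for(4));
    printf("count word 100:    shipped size %lld, hardened %lld\n",
           (long long)shipped_size_for(100), (long long)hardened_size_for(100));
    return 0;
}
```

With the constructed 64-dword limits, a count word of 4 is accepted by both variants (16 bytes), a count word of 100 is rejected by both because the offset plus count exceeds the limit, and the sign-extended 0xff6b is rejected only by the hardened variant; the shipped logic accepts it and computes a size of 0xfffffdac bytes. The general point for reviewing code like this is that a signed length must be rejected when negative before it is added to an offset, because the sum-against-limit compare alone cannot catch it.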