
CVE-2010-3333

  • OS: Windows XP SP3 (x86), Simplified Chinese
  • VM: VMware Workstation 14.1.1
  • Debugger: WinDbg (6.11.0001.404)
  • Static analysis: IDA Pro 7.0
  • Vulnerable software: Office Word 2003 SP3

This is my first time using WinDbg to debug a CVE. WinDbg is very hard to use for a beginner like me, and although it caused plenty of physical discomfort, I am still glad to have finished this piece of work.


Before starting to debug, first get the PoC from msf (Metasploit).

Open Word, attach WinDbg to it, then open msf.rtf.

WinDbg reports an access violation exception and breaks in. The break location is a repeated copy (rep movs) instruction inside mso.dll. Looking at the values of edi and ebp at this point, it is obvious that a stack overflow has happened, and the overflowing data is very large: it has been written all the way up to 0x130000. The !address edi command shows that this is a read-only address, and copying data into it is what caused the access violation.

Now use a stack backtrace to locate the function that triggers the vulnerability. Reopen Word, attach again, and set a breakpoint with bp 30e9eb88.

The breakpoint is hit; then use kb to walk the stack.

Use ub mso!Ordinal753+0x306e to view the instructions of the calling function (mainly to get the address of the callee).

Reopen Word and attach, set a breakpoint at 0x30f4cc5d, then start single-stepping (the stepping session is long and can be skipped).

```
0:004> bp 30f4cc5d
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll -
0:004> g
ModLoad: 76060000 761b6000 C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76d70000 76d92000 C:\WINDOWS\system32\appHelp.dll
ModLoad: 76590000 765de000 C:\WINDOWS\System32\cscui.dll
ModLoad: 76570000 7658c000 C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 5fdd0000 5fe25000 C:\WINDOWS\system32\netapi32.dll
ModLoad: 76960000 76984000 C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76af0000 76b01000 C:\WINDOWS\system32\ATL.DLL
ModLoad: 759d0000 75a7f000 C:\WINDOWS\system32\USERENV.dll
ModLoad: 75ef0000 75fed000 C:\WINDOWS\system32\browseui.dll
ModLoad: 7e550000 7e6c1000 C:\WINDOWS\system32\shdocvw.dll
ModLoad: 765e0000 76673000 C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 76db0000 76dc2000 C:\WINDOWS\system32\MSASN1.dll
ModLoad: 75430000 754a1000 C:\WINDOWS\system32\CRYPTUI.dll
ModLoad: 76680000 76726000 C:\WINDOWS\system32\WININET.dll
ModLoad: 76c00000 76c2e000 C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c60000 76c88000 C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 76f30000 76f5c000 C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 76950000 76958000 C:\WINDOWS\system32\LINKINFO.dll
ModLoad: 36c30000 36c39000 C:\Program Files\Microsoft Office\OFFICE11\msostyle.dll
ModLoad: 39800000 399b3000 C:\Program Files\Microsoft Office\OFFICE11\GdiPlus.DLL
ModLoad: 76f20000 76f28000 C:\WINDOWS\system32\WTSAPI32.DLL
ModLoad: 762d0000 762e0000 C:\WINDOWS\system32\WINSTA.dll
Breakpoint 0 hit
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00000000
eip=30f4cc5d esp=00123dd4 ebp=00123e00 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal753+0x2f0e:
30f4cc5d 55 push ebp
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00000000
eip=30f4cc5e esp=00123dd0 ebp=00123e00 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal753+0x2f0f:
30f4cc5e 8bec mov ebp,esp
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00000000
eip=30f4cc60 esp=00123dd0 ebp=00123dd0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal753+0x2f11:
30f4cc60 83ec14 sub esp,14h
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00000000
eip=30f4cc63 esp=00123dbc ebp=00123dd0 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
mso!Ordinal753+0x2f14:
30f4cc63 837d1800 cmp dword ptr [ebp+18h],0 ss:0023:00123de8=014d14e0
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00000000
eip=30f4cc67 esp=00123dbc ebp=00123dd0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mso!Ordinal753+0x2f18:
30f4cc67 57 push edi
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00000000
eip=30f4cc68 esp=00123db8 ebp=00123dd0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mso!Ordinal753+0x2f19:
30f4cc68 8bf8 mov edi,eax
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc6a esp=00123db8 ebp=00123dd0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mso!Ordinal753+0x2f1b:
30f4cc6a 0f84b6291300 je mso!Ordinal1549+0x93fa9 (3107f626) [br=0]
0:000> p
eax=00123f88 ebx=00000000 ecx=00123dfc edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc70 esp=00123db8 ebp=00123dd0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mso!Ordinal753+0x2f21:
30f4cc70 8b4f08 mov ecx,dword ptr [edi+8] ds:0023:00123f90=0012408c
0:000> p
eax=00123f88 ebx=00000000 ecx=0012408c edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc73 esp=00123db8 ebp=00123dd0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mso!Ordinal753+0x2f24:
30f4cc73 53 push ebx
0:000> p
eax=00123f88 ebx=00000000 ecx=0012408c edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc74 esp=00123db4 ebp=00123dd0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mso!Ordinal753+0x2f25:
30f4cc74 56 push esi
0:000> p
eax=00123f88 ebx=00000000 ecx=0012408c edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc75 esp=00123db0 ebp=00123dd0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mso!Ordinal753+0x2f26:
30f4cc75 e892b4ddff call mso!Ordinal6594+0x596 (30d2810c)
0:000> p
eax=00124150 ebx=00000000 ecx=0012408c edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc7a esp=00123db0 ebp=00123dd0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mso!Ordinal753+0x2f2b:
30f4cc7a ff750c push dword ptr [ebp+0Ch] ss:0023:00123ddc=00000000
0:000> p
eax=00124150 ebx=00000000 ecx=0012408c edx=00000000 esi=00000000 edi=00123f88
eip=30f4cc7d esp=00123dac ebp=00123dd0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mso!Ordinal753+0x2f2e:
30f4cc7d 8b7064 mov esi,dword ptr [eax+64h] ds:0023:001241b4=014d10f0
0:000> p
eax=00124150 ebx=00000000 ecx=0012408c edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc80 esp=00123dac ebp=00123dd0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mso!Ordinal753+0x2f31:
30f4cc80 8365f800 and dword ptr [ebp-8],0 ss:0023:00123dc8=00000000
0:000> p
eax=00124150 ebx=00000000 ecx=0012408c edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc84 esp=00123dac ebp=00123dd0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal753+0x2f35:
30f4cc84 8b06 mov eax,dword ptr [esi] ds:0023:014d10f0=30d9ed10
0:000> p
eax=30d9ed10 ebx=00000000 ecx=0012408c edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc86 esp=00123dac ebp=00123dd0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal753+0x2f37:
30f4cc86 8d4df0 lea ecx,[ebp-10h]
0:000> p
eax=30d9ed10 ebx=00000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc89 esp=00123dac ebp=00123dd0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal753+0x2f3a:
30f4cc89 51 push ecx
0:000> p
eax=30d9ed10 ebx=00000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc8a esp=00123da8 ebp=00123dd0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal753+0x2f3b:
30f4cc8a bb00000005 mov ebx,5000000h
0:000> p
eax=30d9ed10 ebx=05000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc8f esp=00123da8 ebp=00123dd0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal753+0x2f40:
30f4cc8f 56 push esi
0:000> p
eax=30d9ed10 ebx=05000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc90 esp=00123da4 ebp=00123dd0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal753+0x2f41:
30f4cc90 895df4 mov dword ptr [ebp-0Ch],ebx ss:0023:00123dc4=00000000
0:000> p
eax=30d9ed10 ebx=05000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123f88
eip=30f4cc93 esp=00123da4 ebp=00123dd0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal753+0x2f44:
30f4cc93 ff501c call dword ptr [eax+1Ch] ds:0023:30d9ed2c=30e9eb62
Here we reach the vulnerable function; step into it with F8
0:000> t
eax=30d9ed10 ebx=05000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123f88
eip=30e9eb62 esp=00123da0 ebp=00123dd0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal6426+0x627:
30e9eb62 57 push edi
0:000> p
eax=30d9ed10 ebx=05000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123f88
eip=30e9eb63 esp=00123d9c ebp=00123dd0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal6426+0x628:
30e9eb63 8b7c240c mov edi,dword ptr [esp+0Ch] ss:0023:00123da8=00123dc0
Start address of the destination buffer
0:000> p
eax=30d9ed10 ebx=05000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123dc0
eip=30e9eb67 esp=00123d9c ebp=00123dd0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mso!Ordinal6426+0x62c:
30e9eb67 85ff test edi,edi
0:000> p
eax=30d9ed10 ebx=05000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123dc0
eip=30e9eb69 esp=00123d9c ebp=00123dd0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mso!Ordinal6426+0x62e:
30e9eb69 7427 je mso!Ordinal6426+0x657 (30e9eb92) [br=0]
0:000> p
eax=30d9ed10 ebx=05000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123dc0
eip=30e9eb6b esp=00123d9c ebp=00123dd0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mso!Ordinal6426+0x630:
30e9eb6b 8b442408 mov eax,dword ptr [esp+8] ss:0023:00123da4=014d10f0
0:000> p
eax=014d10f0 ebx=05000000 ecx=00123dc0 edx=00000000 esi=014d10f0 edi=00123dc0
eip=30e9eb6f esp=00123d9c ebp=00123dd0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mso!Ordinal6426+0x634:
30e9eb6f 8b4808 mov ecx,dword ptr [eax+8] ds:0023:014d10f8=0004c8ac
0:000> p
eax=014d10f0 ebx=05000000 ecx=0004c8ac edx=00000000 esi=014d10f0 edi=00123dc0
eip=30e9eb72 esp=00123d9c ebp=00123dd0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mso!Ordinal6426+0x637:
30e9eb72 81e1ffff0000 and ecx,0FFFFh
ecx now holds the size of the data that will be copied
0:000> p
eax=014d10f0 ebx=05000000 ecx=0000c8ac edx=00000000 esi=014d10f0 edi=00123dc0
eip=30e9eb78 esp=00123d9c ebp=00123dd0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mso!Ordinal6426+0x63d:
30e9eb78 56 push esi
0:000> p
eax=014d10f0 ebx=05000000 ecx=0000c8ac edx=00000000 esi=014d10f0 edi=00123dc0
eip=30e9eb79 esp=00123d98 ebp=00123dd0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mso!Ordinal6426+0x63e:
30e9eb79 8bf1 mov esi,ecx
0:000> p
eax=014d10f0 ebx=05000000 ecx=0000c8ac edx=00000000 esi=0000c8ac edi=00123dc0
eip=30e9eb7b esp=00123d98 ebp=00123dd0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mso!Ordinal6426+0x640:
30e9eb7b 0faf742414 imul esi,dword ptr [esp+14h] ss:0023:00123dac=00000000
0:000> p
eax=014d10f0 ebx=05000000 ecx=0000c8ac edx=00000000 esi=00000000 edi=00123dc0
eip=30e9eb80 esp=00123d98 ebp=00123dd0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mso!Ordinal6426+0x645:
30e9eb80 037010 add esi,dword ptr [eax+10h] ds:0023:014d1100=1104000c
0:000> p
eax=014d10f0 ebx=05000000 ecx=0000c8ac edx=00000000 esi=1104000c edi=00123dc0
eip=30e9eb83 esp=00123d98 ebp=00123dd0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mso!Ordinal6426+0x648:
30e9eb83 8bc1 mov eax,ecx
0:000> p
eax=0000c8ac ebx=05000000 ecx=0000c8ac edx=00000000 esi=1104000c edi=00123dc0
eip=30e9eb85 esp=00123d98 ebp=00123dd0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mso!Ordinal6426+0x64a:
30e9eb85 c1e902 shr ecx,2
0:000> p
eax=0000c8ac ebx=05000000 ecx=0000322b edx=00000000 esi=1104000c edi=00123dc0
eip=30e9eb88 esp=00123d98 ebp=00123dd0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mso!Ordinal6426+0x64d:
30e9eb88 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
```

From the value of ecx during the stepping above we found the size of the data to be copied, 0xc8ac, and the same value also appears in the PoC.

At this point the db esi command shows the data that is about to be copied:

```
0:000> db esi
1104000c 41 61 30 41 61 31 41 61-32 41 61 33 41 61 34 41 Aa0Aa1Aa2Aa3Aa4A
1104001c 61 35 41 61 36 41 61 37-41 61 38 41 61 39 41 62 a5Aa6Aa7Aa8Aa9Ab
1104002c 30 41 62 31 41 62 32 41-62 33 41 62 34 41 62 35 0Ab1Ab2Ab3Ab4Ab5
1104003c 41 62 36 41 62 37 41 62-38 41 62 39 41 63 30 41 Ab6Ab7Ab8Ab9Ac0A
1104004c 63 31 41 63 32 41 63 33-41 63 34 41 63 35 41 63 c1Ac2Ac3Ac4Ac5Ac
1104005c 36 41 63 37 41 63 38 41-63 39 41 64 30 41 64 31 6Ac7Ac8Ac9Ad0Ad1
1104006c 41 64 32 41 64 33 41 64-34 41 64 35 41 64 36 41 Ad2Ad3Ad4Ad5Ad6A
1104007c 64 37 41 64 38 41 64 39-41 65 30 41 65 31 41 65 d7Ad8Ad9Ae0Ae1Ae
```

Looking at the ASCII column, the data to be copied immediately follows 0xc8ac.

According to the description in 《漏洞战争》 (Vulnerability Warfare), 0xc8ac is the size of the pFragments property value, and the property value itself follows it. The book also explains the root cause clearly: Word's RTF parser does not validate the size of the pFragments property value when parsing it, which yields a stack overflow. (Perhaps parsing other property values has similar problems?)
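The root cause above (an unchecked pFragments value length copied into a small stack buffer) can be turned into a file-level detection check. The following scanner is an added example, not code from the original post or from the book it cites: it extracts every pFragments \sv value from an RTF file, decodes it, and flags any whose decoded length cannot fit the 16-byte destination buffer the post measures with ? ebp - edi, or which carries the 0xc8ac size word the post saw in the msf PoC. It assumes the \sv value is written as semicolon-separated fields whose last field is a hex string; the sample documents are constructed.

```python
import re

# Matches a {\sn pFragments}{\sv ...} pair. Assumption, not from the post: the
# \sv value is semicolon-separated fields whose last field is a hex string.
PFRAG_RE = re.compile(rb"\{\\sn\s+pFragments\s*\}\s*\{\\sv\s+([^}]*)\}", re.I)

# The post measures ebp - edi = 0x10: the destination stack buffer is 16 bytes,
# so any decoded value longer than that already overruns it.
BUFFER_SIZE = 0x10
# The 16-bit copy size the post read out of ecx before rep movsd, little-endian.
OBSERVED_SIZE_WORD = (0xC8AC).to_bytes(2, "little")


def scan_pfragments(rtf: bytes) -> list:
    """Return one dict per pFragments value found: decoded length and verdict."""
    results = []
    for m in PFRAG_RE.finditer(rtf):
        fields = m.group(1).strip().split(b";")
        try:
            payload = bytes.fromhex(fields[-1].decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            results.append({"offset": m.start(), "length": None,
                            "suspicious": True, "reason": "payload is not hex"})
            continue
        reasons = []
        if len(payload) > BUFFER_SIZE:
            reasons.append(f"{len(payload)} bytes exceed the {BUFFER_SIZE}-byte buffer")
        if OBSERVED_SIZE_WORD in payload:
            reasons.append("contains the 0xc8ac size word seen in the msf PoC")
        results.append({"offset": m.start(), "length": len(payload),
                        "suspicious": bool(reasons), "reason": "; ".join(reasons)})
    return results


# Constructed sample documents, not real files.
BENIGN = rb"{\rtf1{\shp{\sp{\sn pFragments}{\sv 1;1;0102030405060708}}}}"
OVERSIZED = (rb"{\rtf1{\shp{\sp{\sn pFragments}{\sv 1;1;acc80400"
             + b"41" * 64 + rb"}}}}")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("oversized", OVERSIZED)):
        for hit in scan_pfragments(doc):
            print(name, hit)
```

The length threshold is the robust signal; the 0xc8ac match only identifies documents derived from this particular PoC.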

Now calculate how many bytes of data are needed to overflow into the return address:

```
0:000> ? ebp - edi
Evaluate expression: 16 = 00000010
```

From this calculation, plus the 4 bytes of the saved ebp, 0x14 bytes are enough to overflow into the return address. The hand-built PoC is as follows:

Reload and attach again, and eip is successfully hijacked.

I never finished writing the exploit after that. All my previous exposure to exploitation was in CTFs, and all on Linux; I do not know Windows well yet, and I hope to fill this gap in the future.