Beijing blue-Technology Co., Ltd.
Office 2003 SP3 ( CVE-2012-0158 ) vulnerability analysis
Software Name : Office 2003 SP3
Software Version : 2.0
Vulnerability module : MSCOMCTL.ocx
Module Version : 2.0.0.0
Compile Date : 2003
Operating System : Windows XP / 2003 / 7 / 8.1 / 10
Vulnerability ID : CVE-2012-0158
Hazard Class : super-risk or high-risk or moderate-risk or low-risk
Vulnerability Type : Stack overflow
Threat Type : Local
Analyst: Miao sweet
September 13, 2019
- Software Description
Microsoft Office 2003 is the office suite Microsoft released for the Windows operating system. It includes the three major components WORD, EXCEL and PowerPoint, among others, is widely used, and is popular in many offices and administrative settings. It also includes server and Internet-based services that work together with the Office applications.
- Causes of Vulnerability
2.1 Introduction to the vulnerability
CVE-2012-0158 is a stack overflow vulnerability in the MSCOMCTL.ListView control of MSCOMCTL.ocx, part of Microsoft's Office productivity software. It is caused by a faulty length check; with carefully constructed data an attacker can control EIP and execute arbitrary code.
The Microsoft bulletin ID for CVE-2012-0158 is MS12-027.
2.2 Reproducing the vulnerability
Preparation: obtain a PoC that triggers the vulnerability and install Office 2003 SP3.
Open the PoC directly with WINWORD; the effect:
2.3 Debugging the vulnerability
Configure OD (OllyDbg) not to ignore exceptions and not to step over them, then attach to the WINWORD process.
2.3.1 Locating the vulnerability trigger point
After the overflow, analyze the stack near the overflow point. The frames below the overflow point usually belong to the function that was just called and may already be destroyed; the frames above it generally belong to functions that just executed, and there an address can be found:
275C8A0A. This address lies in the MSCOMCTL module, which establishes that the code that just executed is in the
MSCOMCTL module.
Several debugging runs showed that the base address is not randomized.
Set a breakpoint on the call made by the outer function at 275C8A0A.
Debug again and observe where the return address is changed.
It can be seen that the return address at 275C8A05 is changed after the call to the function MSCOMCTL.275C876D.
Then analyze that function: locate the MSCOMCTL.OCX file and use IDA to analyze the function statically.
It is found that the function contains a copy routine.
Debugging the copy in OD reveals the problem: the copy overwrites the return address in the calling function's stack frame.
In the calling function, the number of bytes is defined by the local variable v7 and by dwBytes,
and both hold the same value, 8282.
Viewing the file in 010 Editor, these two bytes are found stored in the file.
Change the value and debug again.
EDI is a parameter: the first number passed in is dwBytes, the second is the number of bytes defined by v7.
The buffer size can therefore be changed freely; filling it overwrites the saved locals and corrupts the stack.
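The bug pattern described above, reduced to a small C model: a copy length read from the file is compared only against a second file-supplied field, never against the fixed-size stack buffer. This is an added illustration, not MSCOMCTL's code; the record layout, the 8-byte buffer and the sample records are assumptions, and the stack frame is simulated as a struct so the overrun shows up as a clobbered saved return value rather than as a crash.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Assumed record layout (illustration only, not the real MSCOMCTL record):
   [u16 LE dwBytes][u16 LE v7][payload...]; the PoC had both fields = 0x8282. */
#define LOCAL_BUF    8
#define RET_SENTINEL 0xCAFEBABEu
/* Simulated frame: local buffer followed by the saved return address. */
typedef struct { uint8_t local[LOCAL_BUF]; uint32_t saved_ret; } frame_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable pattern: the two file-supplied lengths are checked against each
   other but never against the destination. The sizeof(*f) cap only keeps this
   demonstration well-defined; the real bug had no such limit. */
int copy_vulnerable(const uint8_t *rec, size_t len, frame_t *f) {
    if (len < 4) return -1;
    uint16_t dwBytes = rd16(rec), v7 = rd16(rec + 2);
    if (dwBytes != v7) return -1;
    size_t n = dwBytes;
    if (n > len - 4) n = len - 4;
    if (n > sizeof(*f)) n = sizeof(*f);
    memcpy((uint8_t *)f, rec + 4, n);   /* local[] is at offset 0: runs into saved_ret */
    return (int)n;
}

/* Hardened form: the length must also fit the destination and the input. */
int copy_hardened(const uint8_t *rec, size_t len, frame_t *f) {
    if (len < 4) return -1;
    uint16_t dwBytes = rd16(rec), v7 = rd16(rec + 2);
    if (dwBytes != v7 || dwBytes > LOCAL_BUF || dwBytes > len - 4) return -1;
    memcpy(f->local, rec + 4, dwBytes);
    return dwBytes;
}

/* Runs one record through a fresh frame; returns 1 if saved_ret survived. */
int ret_intact(int (*fn)(const uint8_t *, size_t, frame_t *), const uint8_t *rec, size_t len) {
    frame_t f; memset(&f, 0, sizeof f); f.saved_ret = RET_SENTINEL;
    fn(rec, len, &f);
    return f.saved_ret == RET_SENTINEL;
}

/* Constructed samples: a benign 4-byte record and one declaring 0x8282 bytes. */
const uint8_t REC_GOOD[] = { 0x04, 0x00, 0x04, 0x00, 'a', 'b', 'c', 'd' };
const uint8_t REC_BAD[]  = { 0x82, 0x82, 0x82, 0x82,
                             0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
                             0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42 };
```

The patched check is the one the report's analysis implies was missing: the length must be bounded by the destination buffer, not merely agree with another field from the same untrusted file.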
Reference:
- Exploitation process
Steps for exploiting the vulnerability:
1. Analyze the vulnerability and design the shellcode
2. Find the address of a springboard instruction in a running program:
jmp esp
Using ImmunityDebugger + mona.py
Place mona.py in the PyCommands directory of ImmunityDebugger.
In ImmunityDebugger, use the !mona modules command to enumerate the loaded modules.
Look for a module whose Rebase, SafeSEH, ASLR and NXCompat are False and whose OS DLL is True (that is, a system module with no protections that the program loads):
msvbvm60.dll
Use the command !mona find -s "\xff\xe4" -m msvbvm60.dll to search that module for a jmp esp instruction.
A readable, executable jmp esp instruction is found at 0x729a0535.
Write it in little-endian form into the file buffer so that it covers the return address location.
- PoC
The shellcode is written immediately after the jmp esp instruction address.
Shellcode template:
pops up a MessageBox showing helloworld
- Epilogue
This work requires patience. Thanks to teacher Xue's video and teacher Wan's guidance.
- Reference material