Quantcast
Channel: BOT24
Viewing all articles
Browse latest Browse all 8064

CVE-2013-0641, analysis of Acrobat Reader sandbox escape

February 21, 2013, 8:45 am
$
0
0

沙盒lpc channel函数调用w系列函数buffer和size不一致性漏洞

by instruder and binjo of code audit labs of vulnhunt.com
Acrobat Reader自从引入沙盒功能以来,针对其的漏洞攻击就急剧减少,表明沙盒对攻击门槛的提高帮助不少。门槛提升不代表无法攻击,最近流传的通过spear phishing邮件发送pdf附件的攻击就是利用了2个漏洞,第一个利用xfa漏洞rop shellcode加载恶意dll后,再次利用沙盒漏洞,在broker process进程执行最终的恶意代码。
整个逃离过程全是在D.T dll中完成,该DLL由sandbox process触发xfa漏洞之后shellcode加载。
  1. 通过函数RegisterClipboardFormatW注册剪切板格式,构造0×80个dword,dword全为0×8080020。
  2. 触发broker process进程分配大小0xC800000内存,其中布置好rop shellcode,同时站位0×8080020附近范围的内存。
  3. D.T构造调用GetClipboardFormatNameA的lpc buffer,同时更改lpc buffer对应要调用的tag变成0×73,0×73为GetClipboardFormatNameW的调用tag,broker process进程调用GetClipboardFormatNameW函数获取format,由于原本GetClipboardFormatNameW参数buffer里面填充了0×9c大小的0×42,且是单字节,但是实际的拷贝长度为0×9c×2,导致覆盖了后面的函数指针。
  4. D.T构造tag id 0xb0的调用,最终在acrod32.exe 地址AcroRd32+0×9afda控制EIP,跳至0×808002c处执行已经布置好的shellcode, 该shellcode加载L2P.T dll后完成此次攻击。

Clipboard format注册

D.T通过user32!RegisterClipboardFormatW注册了一个clipboard format,format中构造数据为0×80个0×08080020(该地址为触发漏洞是指向的函数指针地址)。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
.text:10001D74                 sub     esp, 208h
.text:10001D7A                 xor     eax, eax
.text:10001D7C
.text:10001D7C loc_10001D7C:                           ; CODE XREF: register_clipfmt+1Cj
.text:10001D7C                 mov     dword ptr [ebp+eax*4+szFormat], 8080020h
.text:10001D87                 inc     eax
.text:10001D88                 cmp     eax, 80h
.text:10001D8D                 jb      short loc_10001D7C
…………………………………………………………………………………………………………………………
.text:10001E12
.text:10001E12 loc_10001E12:                           ; CODE XREF: register_clipfmt+2Bj
.text:10001E12                 lea     eax, [ebp+szFormat]
.text:10001E18                 push    eax             ; lpszFormat
.text:10001E19                 call    RegisterClipboardFormatW
这里填充的是宽字符buffer。

Rop shellcode


read more........http://blog.vulnhunt.com/index.php/2013/02/21/cve-2013-0641-analysis-of-acrobat-reader-sandbox-escape/
Search
Viewing all articles
Browse latest Browse all 8064

Trending Articles

Practice Sheet of Right form of verbs for HSC Students

September 22, 2019, 11:40 pm

Download: FK ft Shenky – Nakuyewa ”Prod by: Shenky”

February 16, 2017, 4:24 pm

How to win at Markstrat (Markstrat Tips and Tricks) – Vodites

January 5, 2014, 10:34 pm

Ominde Commission Report and Recommendations – Ominde Report of 1964

March 16, 2015, 5:14 am

Bureau of Internal Revenue: Regional Offices (Directory)

January 9, 2014, 11:06 pm

GO 53 on Enhancement of Ex-gratia upto 5 Lakhs Toddy Tappers in Telangana

March 26, 2017, 11:23 pm

Cakewalk CA-2A Leveling Amplifier v2.0.1.97 WiN, v2.0.1.96 OSX Incl Keygen

October 17, 2016, 7:20 am

Mp3 Download: Mdu - Kunjenjenjena

December 7, 2017, 8:16 am

How the kill the job , when DTP request running for long hours.

July 26, 2013, 2:41 am

Microsoft Intune から展開しているアプリのアップデートについて

October 17, 2016, 4:11 am

18-year-old girl was beaten for half an hour by two Northampton men in 'an...

September 1, 2017, 10:00 pm

Car crash in Dunton Bassett leaves driver in critical condition

October 7, 2014, 7:51 am

Macky 2, Two Others In Road Accident

March 29, 2015, 5:34 am

Application log 00000000000000089514: Could not convert queue DLVST90CLNT

May 14, 2015, 11:27 pm

Detroit mafia: D’Anna Brothers agree to plea deal

April 21, 2016, 6:56 am

Delivery block field greyed out using VA02

January 26, 2016, 2:52 pm

Muloraki Au

June 22, 2016, 1:44 am

【個人撮影】スマホのプライベート映像♪「中に出さないで///」カラオケ屋での生ハメ撮りが流出w【リベンジポルノ】@PornHub

October 12, 2017, 2:23 pm

BREAKING NEWS: Diamond Platnumz Is Reported Dead After Ghastly Car Accident

February 9, 2018, 4:56 am

FIAT 500 B0111 B0112

July 5, 2018, 10:31 am
Search