Adobe Reader Vulnerability (adobe_cooltype_sing) Learning Research

Source: Internet
Author: User
Tags: adobe reader 9

Lab environment: Kali 2.0 + Windows XP SP3 + Adobe Reader 9.0.0

Category: Buffer overflow

Description: Adobe Reader versions prior to 9.3.4 contain a buffer overflow in the handling of the UniqueName field of the SING table (a font table parsed by the CoolType library).

Reference: "Metasploit Devil Training Camp", pp. 286-298

Adobe vulnerability exploitation process:

On Kali, use the windows/fileformat/adobe_cooltype_sing module with the windows/meterpreter/reverse_http payload to generate the maliciously constructed PDF file, then start exploit/multi/handler to listen for the connection.

Open the PDF on the Windows XP SP3 target machine: the shellcode executes and connects back to Kali!

Adobe vulnerability mechanism analysis:

First, read the module source to understand the general mechanism of the vulnerability.

    # UniqueName
    # "The uniqueName string must be a string of at most 27 7-bit ASCII characters"
    #sing << "A" * (0x254 - sing.length)
    sing << rand_text(0x254 - sing.length)

    # 0xffffffff gets written here @ 0x7001400 (in BIB.dll)
    sing[0x140, 4] = [0x4a8a08e2 - 0x1c].pack('V')

    # This becomes our new EIP (puts ESP to stack buffer)
    ret = 0x4a80cb38  # add ebp, 0x794 / leave / ret
    sing[0x208, 4] = [ret].pack('V')

A string of length 0x254 is constructed, in which the 4 bytes at offset 0x208 become the new EIP after the overflow.
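From the defender's side, the same SING table structure can be checked rather than exploited. The following Python is an added example (not from the page, the book or the Metasploit module): it parses a TrueType/OpenType table directory, locates the SING table and flags a UniqueName that is not NUL-terminated within its field or contains non-ASCII bytes. The field layout assumed here (UniqueName at table offset 16, 28 bytes long) is taken from my recollection of the SING table specification and is an assumption; the two sample fonts are constructed test data, the second mirroring the 0x254-byte overlong table described above.

```python
import struct

SING_UNIQUENAME_OFFSET = 16   # assumed SING layout: eight 16-bit fields precede uniqueName
SING_UNIQUENAME_LEN = 28      # assumed: 27 ASCII characters plus a terminating NUL

def build_font(tables):
    """Build a minimal sfnt (TrueType) blob from {tag: bytes}. Constructed test data only."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)
    directory = b""
    body = b""
    first_table = 12 + 16 * n
    for tag, data in tables.items():
        directory += struct.pack(">4sIII", tag, 0, first_table + len(body), len(data))
        body += data + b"\0" * ((4 - len(data) % 4) % 4)   # tables are 4-byte aligned
    return header + directory + body

def find_table(font, tag):
    """Return the bytes of table `tag`, or None. Every record is bounds-checked."""
    if len(font) < 12:
        return None
    num_tables = struct.unpack(">H", font[4:6])[0]
    for i in range(num_tables):
        rec = font[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            return None
        t, _checksum, off, length = struct.unpack(">4sIII", rec)
        if t == tag:
            if off + length > len(font):
                return None
            return font[off: off + length]
    return None

def check_sing(font):
    """Classify a font: 'no-sing', 'ok', or 'suspicious' (unterminated or non-ASCII uniqueName)."""
    sing = find_table(font, b"SING")
    if sing is None:
        return "no-sing"
    name = sing[SING_UNIQUENAME_OFFSET: SING_UNIQUENAME_OFFSET + SING_UNIQUENAME_LEN]
    if len(name) < SING_UNIQUENAME_LEN or b"\0" not in name:
        return "suspicious"      # strcat-style copying would run past the 28-byte field
    text = name.split(b"\0", 1)[0]
    if any(c > 0x7F for c in text):
        return "suspicious"      # spec requires 7-bit ASCII
    return "ok"

# Constructed samples: a well-formed SING table and one whose uniqueName has no terminator.
_sing_header = struct.pack(">8H", 1, 0, 1, 0, 0, 1000, 0, 0)
BENIGN_FONT = build_font({b"SING": _sing_header + b"MyFont\0".ljust(28, b"\0") + b"\0" * 17})
SUSPICIOUS_FONT = build_font({b"SING": _sing_header + b"A" * (0x254 - 16)})
```

Run over fonts extracted from a PDF's FontFile streams, a "suspicious" result is a cheap triage signal for this bug class without needing the target application to crash.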

The next step is to find the overflow point in the program. For convenience, modify the code as follows.

First, remove the randomness of the string: replace

    sing << rand_text(0x254 - sing.length)

with

    sing << "A" * (0x254 - sing.length)

Then change ret = 0x4a80cb38 to ret = 0x42424242 (the string "BBBB"), so that the overwritten return address is easy to recognize in the debugger.

Regenerate the sample file Debug.pdf and open it on the Windows XP target machine.

However, I did not get the result described in the book: OllyICE popped up twice, and after that AcroRd32.exe was terminated.

The last exception was not caused by accessing address 0x42424242, but by another address.

To solve this problem for the moment, I decided to "cheat"!

Since the purpose of the step above is to find the overflow point, I simply looked up the corresponding exception directly and set the next breakpoint there.

Then I opened Debug.pdf in the debugger again, with the same result as above.

It appears that there are other exceptions before the overflow point, so the only option is to debug by opening the constructed file formalattack.pdf from the earlier successful attack in OllyDbg.

That did not work either. Although opening formalattack.pdf directly runs the shellcode successfully, opening it through OllyDbg produces an exception; after the break, the process terminates a few steps later following some strange instructions, and never reaches our breakpoint in the CoolType module.

