Shulou(Shulou.com)05/31 Report--

This article introduces you how to carry out CVE-2018-4990 vulnerability analysis, the content is very detailed, interested friends can refer to, hope to be helpful to you.

Test version: AcroRdrDC1700920044_en_US

Vulnerability module: Escript.api

Loophole function

Repair function

Analysis of problems

When copying an object, the object address of the DWORD type is copied as the BYTE type, and the heap object copy overflow vulnerability. The object is offset at the 0x50, that is, in the wrong place.

The object code ejected in Javascript.

Repair scheme

Locate the problem and it's easy to fix.

ROP technology

Use the EScript.api module as the ROP execution address, the base address is 69260000 and ROP table is as follows.

0D130064 692E2803 EScript.692E2803

0D130068 692E2803 EScript.692E2803

0D13006C 692E2802 EScript.692E2802

0D130070 693F7084

0D130074 69271784 EScript.69271784

0D130078 693EAF26 EScript.693EAF26

0D13007C 69278000 EScript.69278000

0D130080 69283AAA EScript.69283AAA

0D130084 6936F282 EScript.6936F282

0D130088 00010201

0D13008C 692E2802 EScript.692E2802

0D130090 692695C4 EScript.692695C4

0D130094 77842FB6 kernel32.VirtualAlloc

0D130098 69283AAA EScript.69283AAA

The first ROP instruction RETN is in 692E2803, which is a RETN instruction. Because it is protected by ASLR, the address looks different.

ROP instructions are not explained one by one, and then a function VirtualAlloc is constructed by ROP technology to allocate a section of memory. Notice the value of the EAX register.

EAX is 0x9090909090. There is also 0x90909090 in the heap ejector of javascript.

Use the VirtualAlloc function to request a read, write and executable memory with a size of 66049 bytes. Why? Because there is also a pe file in the malicious pdf, shellcode should have a pe loader that executes the pe file in memory directly in the process.

Next, the shellcode returned to malicious memory to continue execution. Notice that the first 4 bytes are 0x90. Indicates that that is a populated NOP instruction.

Shellcode

The first function is to search for a 4-byte tag 0xBFAFBFAF after the shellcode length (0x2710 byte length). The purpose of the search tag is to locate the PE header.

Next, the classic fs: [0x30] technology is used to locate the base address of kernel32.

The next step is to search for the address of the GetProcAddress function by parsing the PE file, which is also windows's classic shellcode technology.

Use the getprocaddress function to get the addresses of loadlibrarya, virtualalloc, virtualfree, virtualprotect, getmodulehandlea

Then there are the classic functions of the PE loader, such as copying PE headers, repairing sections, relocating, populating input tables, and so on.

Then use the VirtualProtect function to rewrite PE to be readable, executable and writable.

Finally, the entry function of the PE file is called, and because PE is dll, the entry is DllMain.

This dll has only one function, use MessageBoxA to play a dialog box.

Entry function of Dll.

On how to carry out CVE-2018-4990 vulnerability analysis is shared here, I hope that the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.