Monday, July 4, 2011

an old bug for a new job ? CVE-2004-0194

A couple of months ago I receive an interesting challenge for get the final (I think) step in the job selection path for a big company (not a well known exploit research company but probably if you are reading this post you are using once of their os). The challenge it consist in the writing an exploit for the CVE-2004-0194. Obviously, at the first step I did follow, was a good googling acrivity. With my surprise I didn't get anything. I did found only the original advisory in a lot of version . The original is at the following link http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0051.html that is an old NGSSoftware Insight Security Research Advisory:


This issue was detected in the 5.1 version of Adobe Reader (if you want try you cand find it here: http://www.oldversion.com/download/acrobat51.exe).This issue was related to a bug that it's triggered due a misuses of sprintf for format the OutputDebugString during the XFDF parsing. The origianl XFDF schema use the UTF-8 encoding. For fit well the unicode shell code via Metasploit module I have to choose another encoding like this one:

<?xml version="1.0" encoding="ISO-8859-1"?>
Anyway what follows is the proof of concept that launch calc.exe For this task I have used a SEH Overwriting technique using the code of not safeseh DLLs.


Also it’s possible download the poc from here: http://www.exploit-db.com/exploits/17488/. Anyay what did happens ? Well if I'm still updating this blog is because I haven't get this job although their compliments. Anyway what I did learn? I learn how to write up unicode shell code and that sometimes the encoding techniques are your best friends. What is sound strange is that the cve id is very near to my nightmare: cve-2010-4091. 

So, why I decided to post just now this stuff ? I dunno why . Enjoy it!
Greeting to 0xff for open my mind to the bytes encoding landscape (http://whsbehind.blogspot.com)