Information

Stack based buffer overflow due to corrpued EMF being parsed in MPS.dll.

Crash Dump:

Stack

MPS.dll + 0x36EDA (id: 857, no function symbol available)
MPS.dll + 0xA4355 (id: 44f, no function symbol available)
0x10101010 (no function symbol available)
0x10101010 (no function symbol available)
0x1010F90F (no function symbol available)
0x10101010 (no function symbol available)
0x10101010 (no function symbol available)
0x10101010 (no function symbol available)
0x10101010 (no function symbol available)
0x10101010 (no function symbol available)
0x10101010 (no function symbol available)
0x10101010 (no function symbol available)
0x10101018 (no function symbol available)
0x10101010 (no function symbol available)
0xF101010 (no function symbol available)
0x101010F2 (no function symbol available)
0x10101010 (no function symbol available)
0x10101010 (no function symbol available)
0x10101010 (no function symbol available)
0xFF050010 (no function symbol available)

Registers

eax=00000001 ebx=1e664fa0 ecx=00000002 edx=000001e0 esi=00cfddf4 edi=2e7aab20
eip=2aa86eda esp=00cfd158 ebp=00cfd47c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
fpcw=027F: rn 53 puozdi  fpsw=4000: top=0 cc=1000 --------  fptw=FFFF
fopcode=0000  fpip=0000:51ea5769  fpdp=0000:00000000
st0= 0.000000000000000000000e+0000  st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000  st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000  st5= 1.600000000000000000000e+0001
st6= 0.000000000000000000000e+0000  st7= 1.611000000000000000000e+0004
mm0=0000000000000000  mm1=0000000000000000
mm2=0000000000000000  mm3=0000000000000000
mm4=0000000000000000  mm5=8000000000000000
mm6=0000000000000000  mm7=fbb8000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 9
xmm7=0 0 0 0.5
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
MPS!MPSToAGMColorSpace+0x12fda:
2aa86eda cd29            int     29h 

Disassembly of stack frame 1 at MPS.dll + 0x36EDA

2aa86e28 50              push    eax
2aa86e29 e83f7d0000      call    MPS!MPSToAGMColorSpace+0x1ac6d (2aa8eb6d)
2aa86e2e 0bc0            or      eax,eax
2aa86e30 7416            je      MPS!MPSToAGMColorSpace+0x12f48 (2aa86e48)
2aa86e32 8b4320          mov     eax,dword ptr [ebx+20h]
2aa86e35 3d30324356      cmp     eax,56433230h
2aa86e3a 750c            jne     MPS!MPSToAGMColorSpace+0x12f48 (2aa86e48)
2aa86e3c 8b4324          mov     eax,dword ptr [ebx+24h]
2aa86e3f 0bc0            or      eax,eax
2aa86e41 7412            je      MPS!MPSToAGMColorSpace+0x12f55 (2aa86e55)
2aa86e43 53              push    ebx
2aa86e44 ffd0            call    eax
2aa86e46 eb0d            jmp     MPS!MPSToAGMColorSpace+0x12f55 (2aa86e55)
2aa86e48 8b431c          mov     eax,dword ptr [ebx+1Ch]
2aa86e4b 50              push    eax
2aa86e4c 56              push    esi
2aa86e4d e893770000      call    MPS!MPSToAGMColorSpace+0x1a6e5 (2aa8e5e5)
2aa86e52 83c408          add     esp,8
2aa86e55 6a00            push    0
2aa86e57 8b4314          mov     eax,dword ptr [ebx+14h]
2aa86e5a e836780000      call    MPS!MPSToAGMColorSpace+0x1a795 (2aa8e695)
2aa86e5f 8bd3            mov     edx,ebx
2aa86e61 8b5a04          mov     ebx,dword ptr [edx+4]
2aa86e64 8b7a08          mov     edi,dword ptr [edx+8]
2aa86e67 8b720c          mov     esi,dword ptr [edx+0Ch]
2aa86e6a 8b44245c        mov     eax,dword ptr [esp+5Ch]
2aa86e6e 83f801          cmp     eax,1
2aa86e71 83d000          adc     eax,0
2aa86e74 8b6210          mov     esp,dword ptr [edx+10h]
2aa86e77 83c404          add     esp,4
2aa86e7a ff6214          jmp     dword ptr [edx+14h]
2aa86e7d 8be5            mov     esp,ebp
2aa86e7f 5d              pop     ebp
2aa86e80 c3              ret
2aa86e81 e9dafc0a00      jmp     MPS!MPSRecognizeWMF+0x8e410 (2ab36b60)
2aa86e86 55              push    ebp
2aa86e87 8bec            mov     ebp,esp
2aa86e89 ff15e041d62a    call    dword ptr [MPS!MPSOptions+0x19da20 (2ad641e0)]
2aa86e8f 6a01            push    1
2aa86e91 a3c453e22a      mov     dword ptr [MPS!MPSOptions+0x25ec04 (2ae253c4)],eax
2aa86e96 e8167d0000      call    MPS!MPSToAGMColorSpace+0x1acb1 (2aa8ebb1)
2aa86e9b ff7508          push    dword ptr [ebp+8]
2aa86e9e e8d66f0000      call    MPS!MPSToAGMColorSpace+0x19f79 (2aa8de79)
2aa86ea3 833dc453e22a00  cmp     dword ptr [MPS!MPSOptions+0x25ec04 (2ae253c4)],0
2aa86eaa 59              pop     ecx
2aa86eab 59              pop     ecx
2aa86eac 7508            jne     MPS!MPSToAGMColorSpace+0x12fb6 (2aa86eb6)
2aa86eae 6a01            push    1
2aa86eb0 e8fc7c0000      call    MPS!MPSToAGMColorSpace+0x1acb1 (2aa8ebb1)
2aa86eb5 59              pop     ecx
2aa86eb6 68090400c0      push    0C0000409h
2aa86ebb e8a46f0000      call    MPS!MPSToAGMColorSpace+0x19f64 (2aa8de64)
2aa86ec0 59              pop     ecx
2aa86ec1 5d              pop     ebp
2aa86ec2 c3              ret
2aa86ec3 55              push    ebp
2aa86ec4 8bec            mov     ebp,esp
2aa86ec6 81ec24030000    sub     esp,324h
2aa86ecc 6a17            push    17h
2aa86ece e86f9e0100      call    MPS!MPSToAGMColorSpace+0x2ce42 (2aaa0d42)
2aa86ed3 85c0            test    eax,eax
2aa86ed5 7405            je      MPS!MPSToAGMColorSpace+0x12fdc (2aa86edc)
2aa86ed7 6a02            push    2
2aa86ed9 59              pop     ecx
MPS!MPSToAGMColorSpace+0x12fda:
2aa86eda cd29            int     29h // current instruction
2aa86edc a3a851e22a      mov     dword ptr [MPS!MPSOptions+0x25e9e8 (2ae251a8)],eax
2aa86ee1 890da451e22a    mov     dword ptr [MPS!MPSOptions+0x25e9e4 (2ae251a4)],ecx
2aa86ee7 8915a051e22a    mov     dword ptr [MPS!MPSOptions+0x25e9e0 (2ae251a0)],edx
2aa86eed 891d9c51e22a    mov     dword ptr [MPS!MPSOptions+0x25e9dc (2ae2519c)],ebx
2aa86ef3 89359851e22a    mov     dword ptr [MPS!MPSOptions+0x25e9d8 (2ae25198)],esi
2aa86ef9 893d9451e22a    mov     dword ptr [MPS!MPSOptions+0x25e9d4 (2ae25194)],edi
2aa86eff 668c15c051e22a  mov     word ptr [MPS!MPSOptions+0x25ea00 (2ae251c0)],ss
2aa86f06 668c0db451e22a  mov     word ptr [MPS!MPSOptions+0x25e9f4 (2ae251b4)],cs
2aa86f0d 668c1d9051e22a  mov     word ptr [MPS!MPSOptions+0x25e9d0 (2ae25190)],ds
2aa86f14 668c058c51e22a  mov     word ptr [MPS!MPSOptions+0x25e9cc (2ae2518c)],es
2aa86f1b 668c258851e22a  mov     word ptr [MPS!MPSOptions+0x25e9c8 (2ae25188)],fs
2aa86f22 668c2d8451e22a  mov     word ptr [MPS!MPSOptions+0x25e9c4 (2ae25184)],gs
2aa86f29 9c              pushfd
2aa86f2a 8f05b851e22a    pop     dword ptr [MPS!MPSOptions+0x25e9f8 (2ae251b8)]
2aa86f30 8b4500          mov     eax,dword ptr [ebp]
2aa86f33 a3ac51e22a      mov     dword ptr [MPS!MPSOptions+0x25e9ec (2ae251ac)],eax
2aa86f38 8b4504          mov     eax,dword ptr [ebp+4]
2aa86f3b a3b051e22a      mov     dword ptr [MPS!MPSOptions+0x25e9f0 (2ae251b0)],eax
2aa86f40 8d4508          lea     eax,[ebp+8]
2aa86f43 a3bc51e22a      mov     dword ptr [MPS!MPSOptions+0x25e9fc (2ae251bc)],eax
2aa86f48 8b85dcfcffff    mov     eax,dword ptr [ebp-324h]
2aa86f4e c705f850e22a01000100 mov dword ptr [MPS!MPSOptions+0x25e938 (2ae250f8)],10001h
2aa86f58 a1b051e22a      mov     eax,dword ptr [MPS!MPSOptions+0x25e9f0 (2ae251b0)] 

PoC

attached


Attachments:
OOBW@Stack@0x36EDA.emf

References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html