[讨论]不知是不是新的 mscomctl 漏洞（附件是病毒样本，勿直接运行）-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (11)
gwJiang 雪币： 55 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 36 粉丝 0 关注私信	gwJiang 2 楼是CButton::Load调用LoadMFCPropertySet时的栈溢出，应该是ms12-060吧。这样本在打了ms12-060补丁后，还是crash，可以看到补丁的LoadMFCPropertySet里对size限制为0x1000，大于这个值时不拷贝，只是memset了下，然后返回了，但相加的值还是原先流中的值 .text:275D4F83 loc_275D4F83: ; CODE XREF: sub_275D4EA0+15Dj .text:275D4F83 mov eax, [ebp+pBuffer] .text:275D4F86 .text:275D4F86 loc_275D4F86: ; CODE XREF: sub_275D4EA0+E1j .text:275D4F86 mov ecx, [eax] .text:275D4F88 mov esi, [eax+4] .text:275D4F8B add eax, 8 .text:275D4F8E push esi ; user controlled size .text:275D4F8F mov [ebp+pBuffer], eax .text:275D4F92 push eax .text:275D4F93 lea eax, [ebp+MultiByteStr] .text:275D4F99 push 100h ; max size .text:275D4F9E push eax .text:275D4F9F mov [ebp+var_28], ecx .text:275D4FA2 call sub_275CEAD4 .text:275D4FA7 add [ebp+pBuffer], esi ; add directly!!! (c10.c44): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=380b88b8 ebx=00300500 ecx=7c93005d edx=025c0008 esi=2762bee0 edi=2762bd90 eip=275d4f86 esp=00125e2c ebp=00125f7c iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 MSCOMCTL!DllGetClassObject+0x9cb8: 275d4f86 mov ecx,dword ptr [eax] ds:0023:380b88b8=???????? 0:000> knL 10 # ChildEBP RetAddr WARNING: Stack unwind information not available. Following frames may be wrong. 00 00125f7c 275a71dd MSCOMCTL!DllGetClassObject+0x9cb8 01 00125fc4 275a29d3 MSCOMCTL!DLLGetDocumentation+0x1c2ed 02 00126004 275cdfe6 MSCOMCTL!DLLGetDocumentation+0x17ae3 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll - 03 00126018 30eb4eaa MSCOMCTL!DllGetClassObject+0x2d18 04 0012604c 307f4090 mso!MsoHrLoadStorageFromPersistStorage+0x31 05 001260e0 307f451a WINWORD!wdGetApplicationObject+0x9de21 06 00126320 6520e294 WINWORD!wdGetApplicationObject+0x9e2ab 07 00126360 651deeb1 VBE6!ExtendedControlCF::CreateExtendedControl+0xd0 08 00126394 651e02ba VBE6!CVBAControlMgr::CreateControlInstance+0x61 09 00126424 307f4d5c VBE6!CVBAControlMgr::DefineControl+0x273 0a 00126488 307f5353 WINWORD!wdGetApplicationObject+0x9eaed 0b 001264c4 307f5596 WINWORD!wdGetApplicationObject+0x9f0e4 0c 001264ec 302c5d61 WINWORD!wdGetApplicationObject+0x9f327 0d 00126594 7c9300b8 WINWORD+0x2c5d61 0e 001265a0 7c930041 ntdll!RtlpFreeToHeapLookaside+0x22 0f 0012666c 7c931452 ntdll!RtlFreeHeap+0x1e9 0:000> lm vm mscomctl start end module name 27580000 27684000 MSCOMCTL (export symbols) C:\WINDOWS\System32\MSCOMCTL.OCX Loaded symbol image file: C:\WINDOWS\System32\MSCOMCTL.OCX Image path: C:\WINDOWS\System32\MSCOMCTL.OCX Image name: MSCOMCTL.OCX Timestamp: Thu May 03 01:55:51 2012 (4FA17527) CheckSum: 00108C6A ImageSize: 00104000 File version: 6.1.98.34 Product version: 6.1.98.34 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04e4 CompanyName: Microsoft Corporation ProductName: MSCOMCTL InternalName: MSCOMCTL OriginalFilename: MSCOMCTL.OCX ProductVersion: 6.01.9834 FileVersion: 6.01.9834 FileDescription: Windows Common Controls ActiveX Control DLL LegalCopyright: Copyright © 1987-2000 Microsoft Corp. LegalTrademarks: Microsoft® is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation Comments: May 2, 2012 2013-5-31 15:29 0
仙果雪币： 1491 活跃值： (985) 能力值： (RANK：860 ) 在线值：发帖 68 回帖 1507 粉丝 67 关注私信	仙果 19 3 楼有可能是CVE-2012-0158 2013-5-31 17:53 0
最爱小铅雪币： 34 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 57 粉丝 0 关注私信	最爱小铅 4 楼好崇拜你们，菜鸟一枚，完全看不懂 2013-6-1 14:52 0
dayang 雪币： 220 活跃值： (721) 能力值： ( LV2，RANK：10 ) 在线值：发帖 38 回帖 935 粉丝 1 关注私信	dayang 5 楼 .VOC后缀？用什么打开？ 2013-6-1 15:37 0
风间仁雪币： 29209 活跃值： (7714) 能力值： ( LV15，RANK：3306 ) 在线值：发帖 111 回帖 591 粉丝 83 关注私信	风间仁 19 6 楼 mark下从Toolbar Control修改而来, 变量大小0x100, 应该没有cve, 但是被ms12-027补了 2013-6-2 00:14 0
魔造师雪币： 34 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 21 粉丝 0 关注私信	魔造师 7 楼我打了060的补丁就不crash了，打开后显示一个红叉。 2013-6-4 16:52 0
arjohn 雪币： 232 活跃值： (40) 能力值： ( LV3，RANK：30 ) 在线值：发帖 3 回帖 15 粉丝 0 关注私信	arjohn 8 楼 12-027的补丁也把它补了 2013-6-6 15:34 0
魔造师雪币： 34 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 21 粉丝 0 关注私信	魔造师 9 楼好像没有完全补上，027的补丁安装后还是会crash，但是不知道飞哪儿去了，自己不会修改，不知道有没有高人优化一下 2013-6-6 21:10 0
cmdhz 雪币： 345 活跃值： (122) 能力值： ( LV2，RANK：150 ) 在线值：发帖 8 回帖 77 粉丝 0 关注私信	cmdhz 3 10 楼感谢楼主，分析下看看。 2013-6-25 21:13 0
nineB 雪币： 19 活跃值： (40) 能力值： ( LV6，RANK：90 ) 在线值：发帖 9 回帖 61 粉丝 0 关注私信	nineB 2 11 楼遇到了同样的漏洞，也无法确认CVE号，不知道楼主是否已经确认是哪个CVE了，cve-2012-1856不是堆的use-after-free吗？这个应该是栈溢出吧。。。 2013-11-29 18:40 0
tuobaofeng 雪币： 108 活跃值： (44) 能力值： ( LV3，RANK：30 ) 在线值：发帖 5 回帖 149 粉丝 0 关注私信	tuobaofeng 12 楼搞“漏洞”的，你们说的啥完全看不懂 2013-11-30 12:18 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

gwJiang

雪币： 55

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

1

回帖

36

粉丝

0

关注

私信

gwJiang: 2 楼

是CButton::Load调用LoadMFCPropertySet时的栈溢出，应该是ms12-060吧。
这样本在打了ms12-060补丁后，还是crash，可以看到补丁的LoadMFCPropertySet里对size限制为0x1000，大于这个值时不拷贝，只是memset了下，然后返回了，但相加的值还是原先流中的值

.text:275D4F83 loc_275D4F83:                           ; CODE XREF: sub_275D4EA0+15Dj
.text:275D4F83                 mov     eax, [ebp+pBuffer]
.text:275D4F86
.text:275D4F86 loc_275D4F86:                           ; CODE XREF: sub_275D4EA0+E1j
.text:275D4F86                 mov     ecx, [eax]
.text:275D4F88                 mov     esi, [eax+4]
.text:275D4F8B                 add     eax, 8
.text:275D4F8E                 push    esi             ; user controlled size
.text:275D4F8F                 mov     [ebp+pBuffer], eax
.text:275D4F92                 push    eax
.text:275D4F93                 lea     eax, [ebp+MultiByteStr]
.text:275D4F99                 push    100h            ; max size
.text:275D4F9E                 push    eax
.text:275D4F9F                 mov     [ebp+var_28], ecx
.text:275D4FA2                 call    sub_275CEAD4
.text:275D4FA7                 add     [ebp+pBuffer], esi ; add directly!!!

(c10.c44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=380b88b8 ebx=00300500 ecx=7c93005d edx=025c0008 esi=2762bee0 edi=2762bd90
eip=275d4f86 esp=00125e2c ebp=00125f7c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
MSCOMCTL!DllGetClassObject+0x9cb8:
275d4f86 mov     ecx,dword ptr [eax]                  ds:0023:380b88b8=????????
0:000> knL 10
 # ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00125f7c 275a71dd MSCOMCTL!DllGetClassObject+0x9cb8
01 00125fc4 275a29d3 MSCOMCTL!DLLGetDocumentation+0x1c2ed
02 00126004 275cdfe6 MSCOMCTL!DLLGetDocumentation+0x17ae3
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll - 
03 00126018 30eb4eaa MSCOMCTL!DllGetClassObject+0x2d18
04 0012604c 307f4090 mso!MsoHrLoadStorageFromPersistStorage+0x31
05 001260e0 307f451a WINWORD!wdGetApplicationObject+0x9de21
06 00126320 6520e294 WINWORD!wdGetApplicationObject+0x9e2ab
07 00126360 651deeb1 VBE6!ExtendedControlCF::CreateExtendedControl+0xd0
08 00126394 651e02ba VBE6!CVBAControlMgr::CreateControlInstance+0x61
09 00126424 307f4d5c VBE6!CVBAControlMgr::DefineControl+0x273
0a 00126488 307f5353 WINWORD!wdGetApplicationObject+0x9eaed
0b 001264c4 307f5596 WINWORD!wdGetApplicationObject+0x9f0e4
0c 001264ec 302c5d61 WINWORD!wdGetApplicationObject+0x9f327
0d 00126594 7c9300b8 WINWORD+0x2c5d61
0e 001265a0 7c930041 ntdll!RtlpFreeToHeapLookaside+0x22
0f 0012666c 7c931452 ntdll!RtlFreeHeap+0x1e9
0:000> lm vm mscomctl
start    end        module name
27580000 27684000   MSCOMCTL   (export symbols)       C:\WINDOWS\System32\MSCOMCTL.OCX
    Loaded symbol image file: C:\WINDOWS\System32\MSCOMCTL.OCX
    Image path: C:\WINDOWS\System32\MSCOMCTL.OCX
    Image name: MSCOMCTL.OCX
    Timestamp:        Thu May 03 01:55:51 2012 (4FA17527)
    CheckSum:         00108C6A
    ImageSize:        00104000
    File version:     6.1.98.34
    Product version:  6.1.98.34
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04e4
    CompanyName:      Microsoft Corporation
    ProductName:      MSCOMCTL
    InternalName:     MSCOMCTL
    OriginalFilename: MSCOMCTL.OCX
    ProductVersion:   6.01.9834
    FileVersion:      6.01.9834
    FileDescription:  Windows Common Controls ActiveX Control DLL
    LegalCopyright:   Copyright © 1987-2000 Microsoft Corp.
    LegalTrademarks:  Microsoft® is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation
    Comments:         May 2, 2012

2013-5-31 15:29

0