[讨论]不知是不是新的 mscomctl 漏洞（附件是病毒样本，勿直接运行）-软件逆向-看雪-安全社区|安全招聘|kanxue.com

gwJiang

雪币： 55

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

1

回帖

36

粉丝

0

关注

私信

gwJiang: 2 楼

是CButton::Load调用LoadMFCPropertySet时的栈溢出，应该是ms12-060吧。
这样本在打了ms12-060补丁后，还是crash，可以看到补丁的LoadMFCPropertySet里对size限制为0x1000，大于这个值时不拷贝，只是memset了下，然后返回了，但相加的值还是原先流中的值

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

.text:275D4F83 loc_275D4F83:                           ; CODE XREF: sub_275D4EA0+15Dj
.text:275D4F83                 mov     eax, [ebp+pBuffer]
.text:275D4F86
.text:275D4F86 loc_275D4F86:                           ; CODE XREF: sub_275D4EA0+E1j
.text:275D4F86                 mov     ecx, [eax]
.text:275D4F88                 mov     esi, [eax+4]
.text:275D4F8B                 add     eax, 8
.text:275D4F8E                 push    esi             ; user controlled size
.text:275D4F8F                 mov     [ebp+pBuffer], eax
.text:275D4F92                 push    eax
.text:275D4F93                 lea     eax, [ebp+MultiByteStr]
.text:275D4F99                 push    100h            ; max size
.text:275D4F9E                 push    eax
.text:275D4F9F                 mov     [ebp+var_28], ecx
.text:275D4FA2                 call    sub_275CEAD4
.text:275D4FA7                 add     [ebp+pBuffer], esi ; add directly!!!

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

(c10.c44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=380b88b8 ebx=00300500 ecx=7c93005d edx=025c0008 esi=2762bee0 edi=2762bd90
eip=275d4f86 esp=00125e2c ebp=00125f7c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
MSCOMCTL!DllGetClassObject+0x9cb8:
275d4f86 mov     ecx,dword ptr [eax]                  ds:0023:380b88b8=????????
0:000> knL 10
 # ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00125f7c 275a71dd MSCOMCTL!DllGetClassObject+0x9cb8
01 00125fc4 275a29d3 MSCOMCTL!DLLGetDocumentation+0x1c2ed
02 00126004 275cdfe6 MSCOMCTL!DLLGetDocumentation+0x17ae3
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll - 
03 00126018 30eb4eaa MSCOMCTL!DllGetClassObject+0x2d18
04 0012604c 307f4090 mso!MsoHrLoadStorageFromPersistStorage+0x31
05 001260e0 307f451a WINWORD!wdGetApplicationObject+0x9de21
06 00126320 6520e294 WINWORD!wdGetApplicationObject+0x9e2ab
07 00126360 651deeb1 VBE6!ExtendedControlCF::CreateExtendedControl+0xd0
08 00126394 651e02ba VBE6!CVBAControlMgr::CreateControlInstance+0x61
09 00126424 307f4d5c VBE6!CVBAControlMgr::DefineControl+0x273
0a 00126488 307f5353 WINWORD!wdGetApplicationObject+0x9eaed
0b 001264c4 307f5596 WINWORD!wdGetApplicationObject+0x9f0e4
0c 001264ec 302c5d61 WINWORD!wdGetApplicationObject+0x9f327
0d 00126594 7c9300b8 WINWORD+0x2c5d61
0e 001265a0 7c930041 ntdll!RtlpFreeToHeapLookaside+0x22
0f 0012666c 7c931452 ntdll!RtlFreeHeap+0x1e9
0:000> lm vm mscomctl
start    end        module name
27580000 27684000   MSCOMCTL   (export symbols)       C:\WINDOWS\System32\MSCOMCTL.OCX
    Loaded symbol image file: C:\WINDOWS\System32\MSCOMCTL.OCX
    Image path: C:\WINDOWS\System32\MSCOMCTL.OCX
    Image name: MSCOMCTL.OCX
    Timestamp:        Thu May 03 01:55:51 2012 (4FA17527)
    CheckSum:         00108C6A
    ImageSize:        00104000
    File version:     6.1.98.34
    Product version:  6.1.98.34
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04e4
    CompanyName:      Microsoft Corporation
    ProductName:      MSCOMCTL
    InternalName:     MSCOMCTL
    OriginalFilename: MSCOMCTL.OCX
    ProductVersion:   6.01.9834
    FileVersion:      6.01.9834
    FileDescription:  Windows Common Controls ActiveX Control DLL
    LegalCopyright:   Copyright © 1987-2000 Microsoft Corp.
    LegalTrademarks:  Microsoft® is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation
    Comments:         May 2, 2012