This morning, as usual, I sat down at my desk, pressed the power button and went to fetch a glass of water during the few dozen seconds of boot. When I came back and was about to start work,
I found the desktop looking different: instead of the familiar workspace there was a dialog box, like this:
Impossible to miss, since it was the only thing left on the desktop. A closer look showed that Explorer had a problem and was reporting an overflow!
Explorer itself does not go wrong like this, so the machine was most likely infected. What to do? "Ge" it! Not ge as in formatting the disk (格式化), of course; a reformat would have left nothing to write about below.
Ge as in 格物致知, investigating things to arrive at knowledge. I cannot match the ancient sages, who could pick up anything at all and investigate it, but giving a Windows program a modest investigation is worth a try.
Since I was on the scene myself I could have gone straight in with a debugger, but to be safe I decided to preserve the scene first:
Run -> cmd, change to the Debugging Tools directory and use ADPlus to dump the state of the current Explorer process to a file (a hang-mode dump takes a snapshot and leaves the process where it is, so the live session below is still possible afterwards).
With that done I could attach WinDbg to the Explorer process without worry.
After attaching, first switch to thread 0 (~0s; when working from the dump file there is no need to switch).
Since the message reported a buffer overflow, the stack is the place to start:
0:000> kb
ChildEBP RetAddr
0007dc7c 7c92de5c ntdll!KiFastSystemCallRet
0007dc80 7c81cab6 ntdll!ZwTerminateProcess+0xc
0007dd7c 7c81cb0e kernel32!_ExitProcess+0x62
0007dd90 7c348d03 kernel32!ExitProcess+0x14
0007dd98 7c3476c8 MSVCR71!__crtExitProcess+0x2e [f:\vs70builds\3052\vc\crtbld\crt\src\crt0dat.c @ 463]
0007ddc8 7c348d22 MSVCR71!doexit+0xab [f:\vs70builds\3052\vc\crtbld\crt\src\crt0dat.c @ 414]
0007ddd8 7c34d6eb MSVCR71!_exit+0xd [f:\vs70builds\3052\vc\crtbld\crt\src\crt0dat.c @ 311]
0007dff4 016b619d MSVCR71!__security_error_handler+0x146
WARNING: Stack unwind information not available. Following frames may be wrong.
0007e028 0169b93b BGCloudSH_1_0_0_1__750_!DllUnregisterServer+0x1cf5d
0007e0e0 017c9714 BGCloudSH_1_0_0_1__750_!DllUnregisterServer+0x26fb
0007e0e4 00150015 0012ead5 0012e125 00150015 <Unloaded_llv.dll>+0x17c9713
0007e0e8 0012ead5 0012e125 00150015 768913f1 <Unloaded_llv.dll>+0x150014
0007e0ec 0012e125 00150015 768913f1 00e63d45 <Unloaded_llv.dll>+0x12ead4
0007e0f0 00150015 768913f1 00e63d45 00150015 <Unloaded_llv.dll>+0x12e124
0007e0f4 768913f1 00e63d45 00150015 0012ead5 <Unloaded_llv.dll>+0x150014
0007e0f8 00e63d45 00150015 0012ead5 0012e125 0x768913f1
0007e0fc 00150015 0012ead5 0012e125 00150015 <Unloaded_llv.dll>+0xe63d44
0007e100 0012ead5 0012e125 00150015 0012e72d <Unloaded_llv.dll>+0x150014
0007e104 0012e125 00150015 0012e72d 0012ec91 <Unloaded_llv.dll>+0x12ead4
0007e108 00150015 0012e72d 0012ec91 00150015 <Unloaded_llv.dll>+0x12e124
0:000> k 1000
ChildEBP RetAddr
0007e5b8 00150014 <Unloaded_dll>+0xc18b5
0007e5bc 00150015 <Unloaded_dll>+0xc18b4
0007e5c0 00150015 <Unloaded_dll>+0xc18b5
0007e5c4 00150015 <Unloaded_dll>+0xc18b5
0007e5c8 00150011 <Unloaded_dll>+0xc18b5
0007e5cc 00150015 <Unloaded_dll>+0xc18b1
0007e5d0 00150015 <Unloaded_dll>+0xc18b5
0007e5d4 00150015 <Unloaded_dll>+0xc18b5
0007e5d8 00150015 <Unloaded_dll>+0xc18b5
0007e5dc 00150015 <Unloaded_dll>+0xc18b5
0007e5e0 00150015 <Unloaded_dll>+0xc18b5
0007e5e4 00150015 <Unloaded_dll>+0xc18b5
0007e5e8 00150015 <Unloaded_dll>+0xc18b5
0007e5ec 00150015 <Unloaded_dll>+0xc18b5
0007e5f0 00150015 <Unloaded_dll>+0xc18b5
0007e5f4 00150015 <Unloaded_dll>+0xc18b5
0007e5f8 00150015 <Unloaded_dll>+0xc18b5
0007e5fc 00150015 <Unloaded_dll>+0xc18b5
0007e600 00150015 <Unloaded_dll>+0xc18b5
0007e604 00150015 <Unloaded_dll>+0xc18b5
0007e608 00150015 <Unloaded_dll>+0xc18b5
0007e60c 00150015 <Unloaded_dll>+0xc18b5
0007e610 00150015 <Unloaded_dll>+0xc18b5
0007e614 00150015 <Unloaded_dll>+0xc18b5
0007e714 7c934f67 <Unloaded_dll>+0xc18b5
0007e740 00000000 ntdll!RtlAppendUnicodeToString+0x50
0:000> lm
start end module name
00400000 00409000 Normaliz (deferred)
00f80000 00fc6000 xappex_1_1_1_73__840_ (deferred)
01000000 010f1000 Explorer (deferred)
015c0000 015db000 xappdrv_1_0_0_73 (deferred)
01690000 016ea000 BGCloudSH_1_0_0_1__750_ (export symbols) C:\Program Files\Common Files\Microsoft Shared\bg\BGCloudSH.1.0.0.1.(750).dll
.text:1000B929 8B 8C 24 94 00 00 00 mov ecx, [esp+98h+var_4] // load the cookie the prologue saved in the frame
.text:1000B930 5F pop edi
.text:1000B931 5E pop esi
.text:1000B932 5D pop ebp
.text:1000B933 33 C0 xor eax, eax
.text:1000B935 5B pop ebx
.text:1000B936 E8 7A A8 01 00 call sub_100261B5 // this is __security_check_cookie
.text:1000B93B 81 C4 88 00 00 00 add esp, 88h // the return address WinDbg reported: 0169b93b = 01690000 (base from lm) + 0xB93B, shown as DllUnregisterServer+0x26fb because the DLL only carries export symbols
.text:1000B941 C3 retn
.text:100261B5 3B 0D 64 89 03 10 cmp ecx, dword_10038964 // compare the saved cookie with the global __security_cookie; a mismatch means something overwrote the frame between the locals and the return address (the cookie guards the return address, it is not the return address itself)
.text:100261BB 75 01 jnz short loc_100261BE
.text:100261BD C3 retn // cookie intact: return normally
.text:100261BE ; ---------------------------------------------------------------------------
.text:100261BE
.text:100261BE loc_100261BE: ; CODE XREF: sub_100261B5+6j
.text:100261BE E9 C1 FF FF FF jmp _report_failure // otherwise __report_failure -> MSVCR71!__security_error_handler -> _exit -> ExitProcess, exactly the chain at the top of the kb output; the MSVCR71 handler is what put up this morning's dialog before terminating the process
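To make the epilogue concrete: the listing of sub_1000B6E0 further down gives the frame size (sub esp, 88h), the cookie slot (var_4, directly below the return address) and the two wide-string buffers (var_88..var_4E and var_4C..var_6). Laid out that way the first buffer holds exactly 36 WCHARs and its terminator slot is immediately followed by the cookie, so one extra WCHAR is enough to trip __security_check_cookie. The kb output agrees with that picture: the frame at 0007e0e0 "returns" to 017c9714, an address lm maps to no loaded module, and the rows below it are the 0x00150015 pattern. The C model below is an added example, not code from the page or from BGCloudSH.dll; the cookie value, the placeholder return address and the unchecked fill routine are assumptions (the page never shows what sub_1000DCB5 or sub_10014104 do with these buffers).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Frame geometry of sub_1000B6E0, taken from the IDA listing: offsets are
 * measured from the post-"sub esp, 88h" stack pointer, so var_N lives at
 * FRAME_SIZE - N and the return address at FRAME_SIZE. */
#define FRAME_SIZE 0x88                       /* sub esp, 88h            */
#define COOKIE_OFF (FRAME_SIZE - 0x04)        /* var_4: saved cookie     */
#define STR1_OFF   (FRAME_SIZE - 0x4C)        /* var_4C: first WCHAR buf */
#define STR1_TERM  (FRAME_SIZE - 0x06)        /* var_6: its terminator   */
#define STR2_OFF   (FRAME_SIZE - 0x88)        /* var_88: second buffer   */
#define STR2_TERM  (FRAME_SIZE - 0x4E)        /* var_4E: its terminator  */

/* Assumed values: the real DLL reads the cookie from dword_10038964 and the
 * return address is whatever called sub_1000B6E0; neither is on the page. */
static const uint32_t SECURITY_COOKIE = 0xBB40E64Eu;
static const uint32_t RETADDR_PLACEHOLDER = 0x10001234u;

struct frame { uint8_t b[FRAME_SIZE + 4]; };  /* locals + cookie + return address */

/* Capacity of each buffer in WCHARs, terminator slot included. */
int str1_capacity(void) { return (STR1_TERM - STR1_OFF) / 2 + 1; }
int str2_capacity(void) { return (STR2_TERM - STR2_OFF) / 2 + 1; }
/* Bytes between the first buffer's terminator slot and the cookie. */
int gap_str1_to_cookie(void) { return COOKIE_OFF - (STR1_TERM + 2); }

/* What the prologue does: plant the cookie just below the return address. */
static void prologue(struct frame *f)
{
    memset(f->b, 0, sizeof f->b);
    memcpy(f->b + COOKIE_OFF, &SECURITY_COOKIE, sizeof SECURITY_COOKIE);
    memcpy(f->b + FRAME_SIZE, &RETADDR_PLACEHOLDER, sizeof RETADDR_PLACEHOLDER);
}

/* Stand-in for whatever filled var_4C: stores n WCHARs with no bound check
 * against the buffer (clamped to the model's own array so the simulation
 * itself stays well defined). */
static void fill_str1(struct frame *f, size_t n, uint16_t w)
{
    for (size_t i = 0; i < n && STR1_OFF + 2 * i + 2 <= sizeof f->b; i++)
        memcpy(f->b + STR1_OFF + 2 * i, &w, sizeof w);
}

/* __security_check_cookie: 1 if the saved cookie still matches the global,
 * 0 if control would go to __report_failure. */
static int check_cookie(const struct frame *f)
{
    uint32_t saved;
    memcpy(&saved, f->b + COOKIE_OFF, sizeof saved);
    return saved == SECURITY_COOKIE;
}

/* Write n WCHARs of 0x0015 (the word that fills the dead frames in the k
 * output) into the first buffer and report whether the epilogue would pass. */
int write_and_check(size_t n)
{
    struct frame f;
    prologue(&f);
    fill_str1(&f, n, 0x0015);
    return check_cookie(&f);
}

/* The address retn would have used had the cookie check not fired. */
uint32_t return_address_after(size_t n)
{
    struct frame f;
    uint32_t ret;
    prologue(&f);
    fill_str1(&f, n, 0x0015);
    memcpy(&ret, f.b + FRAME_SIZE, sizeof ret);
    return ret;
}

int main(void)
{
    printf("str1: %d WCHARs, str2: %d WCHARs, bytes between str1 and cookie: %d\n",
           str1_capacity(), str2_capacity(), gap_str1_to_cookie());
    for (size_t n = 35; n <= 40; n++)
        printf("%2zu WCHARs written: cookie %s, retn would go to %08x\n", n,
               write_and_check(n) ? "intact " : "TRASHED", return_address_after(n));
    return 0;
}
```

Running it shows the margin this frame has: 36 WCHARs (35 characters plus terminator) pass, the 37th lands on the cookie and the 39th on the return address. Without the /GS check the retn would have transferred control to whatever the overflow wrote there, which is what the unmapped 017c9714 in the kb output looks like.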
.text:1000B6E0 81 EC 88 00 00 00 sub esp, 88h
.text:1000B6E6 A1 64 89 03 10 mov eax, dword_10038964
.text:1000B6EB 53 push ebx
.text:1000B6EC 89 84 24 88 00 00 00 mov [esp+8Ch+var_4], eax
.text:1000B6F3 55 push ebp
.text:1000B6F4 B8 65 00 00 00 mov eax, 65h
.text:1000B6F9 56 push esi
.text:1000B6FA 66 89 44 24 4E mov [esp+94h+var_46], ax
.text:1000B6FF 66 89 44 24 58 mov [esp+94h+var_3C], ax
.text:1000B704 B8 74 00 00 00 mov eax, 74h
.text:1000B709 57 push edi
.text:1000B70A BF 61 00 00 00 mov edi, 'a'
.text:1000B70F 66 89 44 24 60 mov [esp+98h+var_38], ax
.text:1000B714 BA 70 00 00 00 mov edx, 70h
.text:1000B719 66 89 84 24 84 00 00 00 mov [esp+98h+var_14], ax
.text:1000B721 8B F1 mov esi, ecx
.text:1000B723 BB 3A 00 00 00 mov ebx, ':'
.text:1000B728 B9 60 00 00 00 mov ecx, '`'
.text:1000B72D BD 3B 00 00 00 mov ebp, ';'
.text:1000B732 8D 44 24 4C lea eax, [esp+98h+var_4C]
.text:1000B736 6A 15 push 15h
.text:1000B738 50 push eax
.text:1000B739 66 C7 44 24 54 7D 00 mov [esp+0A0h+var_4C], '}'
.text:1000B740 66 89 7C 24 56 mov [esp+0A0h+var_4A], di
.text:1000B745 66 89 7C 24 58 mov [esp+0A0h+var_48], di
.text:1000B74A 66 C7 44 24 5C 2F 00 mov [esp+0A0h+var_44], '/'
.text:1000B751 66 89 5C 24 5E mov [esp+0A0h+var_42], bx
.text:1000B756 66 89 5C 24 60 mov [esp+0A0h+var_40], bx
.text:1000B75B 66 89 4C 24 62 mov [esp+0A0h+var_3E], cx
.text:1000B760 66 C7 44 24 66 71 00 mov [esp+0A0h+var_3A], 'q'
.text:1000B767 66 89 7C 24 6A mov [esp+0A0h+var_36], di
.text:1000B76C 66 89 54 24 6C mov [esp+0A0h+var_34], dx
.text:1000B771 66 89 6C 24 6E mov [esp+0A0h+var_32], bp
.text:1000B776 66 89 7C 24 70 mov [esp+0A0h+var_30], di
.text:1000B77B 66 C7 44 24 72 7C 00 mov [esp+0A0h+var_2E], '|'
.text:1000B782 66 C7 44 24 74 78 00 mov [esp+0A0h+var_2C], 'x'
.text:1000B789 66 C7 44 24 76 24 00 mov [esp+0A0h+var_2A], '$'
.text:1000B790 66 C7 44 24 78 27 00 mov [esp+0A0h+var_28], 27h
.text:1000B797 66 C7 44 24 7A 26 00 mov [esp+0A0h+var_26], '&'
.text:1000B79E 66 89 6C 24 7C mov [esp+0A0h+var_24], bp
.text:1000B7A3 66 C7 44 24 7E 7B 00 mov [esp+0A0h+var_22], '{'
.text:1000B7AA 66 89 94 24 80 00 00 00 mov [esp+0A0h+var_20], dx
.text:1000B7B2 66 89 BC 24 82 00 00 00 mov [esp+0A0h+var_1E], di
.text:1000B7BA 66 89 9C 24 84 00 00 00 mov [esp+0A0h+var_1C], bx
.text:1000B7C2 66 89 8C 24 86 00 00 00 mov [esp+0A0h+var_1A], cx
.text:1000B7CA 66 C7 84 24 88 00 00 00+ mov [esp+0A0h+var_18], 'e'
.text:1000B7D4 66 C7 84 24 8A 00 00 00+ mov [esp+0A0h+var_16], 'q'
.text:1000B7DE 66 89 BC 24 8E 00 00 00 mov [esp+0A0h+var_12], di
.text:1000B7E6 66 89 94 24 90 00 00 00 mov [esp+0A0h+var_10], dx
.text:1000B7EE 66 89 AC 24 92 00 00 00 mov [esp+0A0h+var_E], bp
.text:1000B7F6 66 C7 84 24 94 00 00 00+ mov [esp+0A0h+var_C], 's'
.text:1000B800 66 C7 84 24 96 00 00 00+ mov [esp+0A0h+var_A], 'v'
.text:1000B80A 66 C7 84 24 98 00 00 00+ mov [esp+0A0h+var_8], 'r'
.text:1000B814 66 C7 84 24 9A 00 00 00+ mov [esp+0A0h+var_6], 15h
.text:1000B81E E8 92 24 00 00 call sub_1000DCB5
.text:1000B823 8B D8 mov ebx, eax
.text:1000B825 83 C4 08 add esp, 8
.text:1000B828 85 DB test ebx, ebx
.text:1000B82A 74 09 jz short loc_1000B835
.text:1000B82C 53 push ebx ; Str
.text:1000B82D E8 3A A9 01 00 call wcslen
.text:1000B832 83 C4 04 add esp, 4
.text:1000B835
.text:1000B835 loc_1000B835: ; CODE XREF: sub_1000B6E0+14Aj
.text:1000B835 50 push eax
.text:1000B836 53 push ebx
.text:1000B837 8D 8E B4 01 00 00 lea ecx, [esi+1B4h]
.text:1000B83D E8 CE E8 FF FF call sub_1000A110
.text:1000B842 B9 76 00 00 00 mov ecx, 76h
.text:1000B847 33 C0 xor eax, eax
.text:1000B849 66 89 4C 24 1E mov [esp+98h+var_7A], cx
.text:1000B84E 66 89 4C 24 3C mov [esp+98h+var_5C], cx
.text:1000B853 66 89 4C 24 46 mov [esp+98h+var_52], cx
.text:1000B858 BA 3A 00 00 00 mov edx, 3Ah
.text:1000B85D 8D 4C 24 10 lea ecx, [esp+98h+var_88]
.text:1000B861 89 46 34 mov [esi+34h], eax
.text:1000B864 89 46 38 mov [esi+38h], eax
.text:1000B867 B8 78 00 00 00 mov eax, 78h
.text:1000B86C BB 71 00 00 00 mov ebx, 71h
.text:1000B871 51 push ecx
.text:1000B872 8D 4E 3C lea ecx, [esi+3Ch]
.text:1000B875 66 C7 44 24 14 7D 00 mov [esp+9Ch+var_88], 7Dh
.text:1000B87C 66 89 7C 24 16 mov [esp+9Ch+var_86], di
.text:1000B881 66 89 7C 24 18 mov [esp+9Ch+var_84], di
.text:1000B886 66 C7 44 24 1A 65 00 mov [esp+9Ch+var_82], 65h
.text:1000B88D 66 C7 44 24 1C 2F 00 mov [esp+9Ch+var_80], 2Fh
.text:1000B894 66 89 54 24 1E mov [esp+9Ch+var_7E], dx
.text:1000B899 66 89 54 24 20 mov [esp+9Ch+var_7C], dx
.text:1000B89E 66 89 44 24 24 mov [esp+9Ch+var_78], ax
.text:1000B8A3 66 89 5C 24 26 mov [esp+9Ch+var_76], bx
.text:1000B8A8 66 89 6C 24 28 mov [esp+9Ch+var_74], bp
.text:1000B8AD 66 89 7C 24 2A mov [esp+9Ch+var_72], di
.text:1000B8B2 66 C7 44 24 2C 7C 00 mov [esp+9Ch+var_70], 7Ch
.text:1000B8B9 66 89 44 24 2E mov [esp+9Ch+var_6E], ax
.text:1000B8BE 66 C7 44 24 30 24 00 mov [esp+9Ch+var_6C], 24h
.text:1000B8C5 66 C7 44 24 32 27 00 mov [esp+9Ch+var_6A], 27h
.text:1000B8CC 66 C7 44 24 34 26 00 mov [esp+9Ch+var_68], 26h
.text:1000B8D3 66 89 6C 24 36 mov [esp+9Ch+var_66], bp
.text:1000B8D8 66 C7 44 24 38 7B 00 mov [esp+9Ch+var_64], 7Bh
.text:1000B8DF 66 C7 44 24 3A 70 00 mov [esp+9Ch+var_62], 70h
.text:1000B8E6 66 89 7C 24 3C mov [esp+9Ch+var_60], di
.text:1000B8EB 66 89 54 24 3E mov [esp+9Ch+var_5E], dx
.text:1000B8F0 66 89 44 24 42 mov [esp+9Ch+var_5A], ax
.text:1000B8F5 66 89 5C 24 44 mov [esp+9Ch+var_58], bx
.text:1000B8FA 66 89 6C 24 46 mov [esp+9Ch+var_56], bp
.text:1000B8FF 66 C7 44 24 48 73 00 mov [esp+9Ch+var_54], 73h
.text:1000B906 66 C7 44 24 4C 72 00 mov [esp+9Ch+var_50], 72h
.text:1000B90D 66 C7 44 24 4E 15 00 mov [esp+9Ch+var_4E], 15h
.text:1000B914 E8 EB 87 00 00 call sub_10014104
.text:1000B919 8D 54 24 10 lea edx, [esp+98h+var_88] // address of the stack buffer
.text:1000B91D 52 push edx // passed as the argument
.text:1000B91E 8D 8E F8 00 00 00 lea ecx, [esi+0F8h]
.text:1000B924 E8 DB 87 00 00 call sub_10014104
.text:1000B929 8B 8C 24 94 00 00 00 mov ecx, [esp+98h+var_4] // the saved cookie (var_4 sits directly below the return address), about to be checked against the global copy
.text:1000B930 5F pop edi
.text:1000B931 5E pop esi
.text:1000B932 5D pop ebp
.text:1000B933 33 C0 xor eax, eax
.text:1000B935 5B pop ebx
.text:1000B936 E8 7A A8 01 00 call sub_100261B5
.text:1000B93B 81 C4 88 00 00 00 add esp, 88h
.text:1000B941 C3 retn
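The two wide strings the function assembles on its stack are a classic obfuscation pattern: every character is stored as an immediate or from a register pre-loaded with a constant, so nothing readable ever sits in the binary's data section. The C below is an added example of how to recover such strings, not code from the page or from the DLL. It transcribes both buffers from the mov instructions above, lowest address first, and decodes them. It assumes the transform is a per-WCHAR XOR with the 0x15 that the code pushes next to the buffer before calling sub_1000DCB5; the page never disassembles sub_1000DCB5 or sub_10014104, so treat the output as a hypothesis to confirm in the debugger (dump the buffer after that call returns), not as a finding.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* var_4C .. var_6 of sub_1000B6E0, lowest address first, transcribed from the
 * mov instructions in the listing (di = 'a', bx = ':', cx = '`', bp = ';',
 * dx = 0x70 and ax = 0x65 / 0x74 at the time of the respective stores). */
static const uint16_t STR1[] = {
    0x7D, 0x61, 0x61, 0x65, 0x2F, 0x3A, 0x3A, 0x60, 0x65, 0x71, 0x74, 0x61,
    0x70, 0x3B, 0x61, 0x7C, 0x78, 0x24, 0x27, 0x26, 0x3B, 0x7B, 0x70, 0x61,
    0x3A, 0x60, 0x65, 0x71, 0x74, 0x61, 0x70, 0x3B, 0x73, 0x76, 0x72, 0x15
};

/* var_88 .. var_4E, same convention (cx = 0x76, ax = 0x78, bx = 0x71,
 * dx = 0x3A for this second block). */
static const uint16_t STR2[] = {
    0x7D, 0x61, 0x61, 0x65, 0x2F, 0x3A, 0x3A, 0x76, 0x78, 0x71, 0x3B, 0x61,
    0x7C, 0x78, 0x24, 0x27, 0x26, 0x3B, 0x7B, 0x70, 0x61, 0x3A, 0x76, 0x78,
    0x71, 0x3B, 0x73, 0x76, 0x72, 0x15
};

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Assumed key: the 15h pushed together with the buffer address. */
#define ASSUMED_KEY 0x15

/* If the string is XOR-obfuscated and zero-terminated, the terminator slot
 * holds 0 ^ key, i.e. the key itself: read it off the last element. */
uint16_t guess_key(const uint16_t *enc, size_t n) { return n ? enc[n - 1] : 0; }

/* Sanity check for a key guess: every slot before the terminator must decode
 * to printable ASCII and the terminator itself to 0. */
int plausible_key(const uint16_t *enc, size_t n, uint16_t key)
{
    if (n == 0 || (enc[n - 1] ^ key) != 0) return 0;
    for (size_t i = 0; i + 1 < n; i++) {
        uint16_t w = enc[i] ^ key;
        if (w < 0x20 || w >= 0x7F) return 0;
    }
    return 1;
}

/* XOR each WCHAR with key, stop at the first decoded 0; returns chars written. */
size_t decode_stack_string(const uint16_t *enc, size_t n, uint16_t key,
                           char *out, size_t outlen)
{
    size_t i = 0;
    for (; i < n && i + 1 < outlen; i++) {
        uint16_t w = enc[i] ^ key;
        if (w == 0) break;
        out[i] = (w >= 0x20 && w < 0x7F) ? (char)w : '?';  /* '?' marks a wrong key */
    }
    out[i] = '\0';
    return i;
}

uint16_t str1_key(void) { return guess_key(STR1, COUNT(STR1)); }
uint16_t str2_key(void) { return guess_key(STR2, COUNT(STR2)); }

const char *decode_str1(void)
{
    static char buf[64];
    decode_stack_string(STR1, COUNT(STR1), ASSUMED_KEY, buf, sizeof buf);
    return buf;
}

const char *decode_str2(void)
{
    static char buf[64];
    decode_stack_string(STR2, COUNT(STR2), ASSUMED_KEY, buf, sizeof buf);
    return buf;
}

int main(void)
{
    printf("key from terminator slot: 0x%02x / 0x%02x\n", str1_key(), str2_key());
    printf("var_4C (%zu slots): %s\n", COUNT(STR1), decode_str1());
    printf("var_88 (%zu slots): %s\n", COUNT(STR2), decode_str2());
    return 0;
}
```

Under that assumption both buffers decode to ordinary http:// URLs, and the terminator slot is where the key can be read off: a zero-terminated string XORed with k stores k in its last slot, which is exactly the 0x15 written at var_6 and var_4E. Whether the DLL actually contacts those URLs is not something the page shows. Note also that 0x0015 is the same word that fills the dead frames in the k 1000 output above.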