[Original] Shellshock vulnerability analysis (CVE-2014-6271)
2014-9-30 15:16
Update: the conclusion I drew earlier from static analysis of the code was wrong.
The new file exceeds the upload size limit and cannot be uploaded,
so I will just add a brief supplement here.
After yyparse has parsed the input successfully, the program calls execute_command_internal three times in succession, each time with a different command. It first enters the cm_connection branch, and in this case execute_connection is called:
    case cm_connection:
      exec_result = execute_connection (command, asynchronous,
                                        pipe_in, pipe_out, fds_to_close);
      break;
Analysing execute_connection shows that, because the string
() { :; }; echo Vulnerability contains a ';', it is parsed into two commands, and these two commands are managed by a single connection data structure:
/* Structure used to represent the CONNECTION type. */
typedef struct connection {
  int ignore;           /* Unused; simplifies make_command (). */
  COMMAND *first;       /* Pointer to the first command. */
  COMMAND *second;      /* Pointer to the second command. */
  int connector;        /* What separates this command from others. */
} CONNECTION;
Inside execute_connection, execute_command (and then execute_command_internal) is called again, once for each of the two commands, so the function definition and the command that follows the ';' are both executed:
    /* Just call execute command on both sides. */
    case ';':
      if (ignore_return)
        {
          if (command->value.Connection->first)
            command->value.Connection->first->flags |= CMD_IGNORE_RETURN;
          if (command->value.Connection->second)
            command->value.Connection->second->flags |= CMD_IGNORE_RETURN;
        }
      QUIT;
      execute_command (command->value.Connection->first);
      QUIT;
      exec_result = execute_command_internal (command->value.Connection->second,
                                              asynchronous, pipe_in, pipe_out,
                                              fds_to_close);
      break;
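To make the parse tree described above concrete, here is an added toy model (written for this post, not code from the bash source) of the environment-variable import path. It splits the variable value on top-level ';' into a CONNECTION-like tree exactly as the post describes (first = the function definition, second = the command after the ';'), then contrasts the original acceptance rule, which only looked at the "() {" prefix and handed every resulting command to execute_command, with the corrected rule introduced in bash-4.3 patch 25 (SEVAL_FUNCDEF | SEVAL_ONECMD passed to parse_and_execute from initialize_shell_variables), which rejects the value unless the parsed result is exactly one function definition. Quoting is not modelled and only '{' / '}' depth is tracked; the names unpatched_import, patched_import, split_top_level and build_tree are this example's own, and the sample strings are constructed.

```c
/* Toy model of bash's exported-function import before and after the
 * CVE-2014-6271 fix. Illustrative only; not the real bash parser.
 * Simplification: quotes are ignored, only brace depth is tracked. */
#include <stdio.h>
#include <string.h>

#define MAX_CMDS 8
#define MAX_LEN 128

enum cmd_type { CM_SIMPLE, CM_FUNCTION_DEF, CM_CONNECTION };

/* Minimal stand-in for bash's COMMAND / CONNECTION pair. */
typedef struct command {
    enum cmd_type type;
    char text[MAX_LEN];     /* source text of a simple / function-def node */
    struct command *first;  /* CONNECTION only: command before the ';' */
    struct command *second; /* CONNECTION only: command after the ';' */
    int connector;          /* CONNECTION only: always ';' in this model */
} COMMAND;

/* Split VALUE on ';' characters that sit outside braces.
 * Returns the number of non-empty, whitespace-trimmed segments. */
static int split_top_level(const char *value, char segs[][MAX_LEN], int max)
{
    int n = 0, depth = 0, len = 0;
    char buf[MAX_LEN];
    for (const char *p = value; ; p++) {
        if (*p == '{') depth++;
        else if (*p == '}') depth--;
        if ((*p == ';' && depth == 0) || *p == '\0') {
            buf[len] = '\0';
            char *s = buf;
            while (*s == ' ') s++;
            char *e = s + strlen(s);
            while (e > s && e[-1] == ' ') *--e = '\0';
            if (*s && n < max) {
                strncpy(segs[n], s, MAX_LEN - 1);
                segs[n][MAX_LEN - 1] = '\0';
                n++;
            }
            len = 0;
            if (*p == '\0') break;
        } else if (len < MAX_LEN - 1) {
            buf[len++] = *p;
        }
    }
    return n;
}

/* A segment shaped like "() { ... }" is treated as a function definition. */
static enum cmd_type classify(const char *seg)
{
    size_t n = strlen(seg);
    if (strncmp(seg, "() {", 4) == 0 && n > 4 && seg[n - 1] == '}')
        return CM_FUNCTION_DEF;
    return CM_SIMPLE;
}

/* One node for a single command; otherwise a CONNECTION whose 'first' is
 * the leading command and whose 'second' is the rest of the list. */
static COMMAND *build_tree(char segs[][MAX_LEN], int n, COMMAND *pool, int *used)
{
    COMMAND *node = &pool[(*used)++];
    memset(node, 0, sizeof *node);
    if (n == 1) {
        node->type = classify(segs[0]);
        strcpy(node->text, segs[0]);
        return node;
    }
    node->type = CM_CONNECTION;
    node->connector = ';';
    node->first = build_tree(segs, 1, pool, used);
    node->second = build_tree(segs + 1, n - 1, pool, used);
    return node;
}

/* Count the leaf commands execute_connection would run, in order. */
static int count_commands(const COMMAND *c)
{
    if (c->type != CM_CONNECTION) return 1;
    return count_commands(c->first) + count_commands(c->second);
}

/* Pre-patch rule: accept on the "() {" prefix alone and execute whatever the
 * parser returns. Returns the number of commands that would run; a result
 * above 1 means the command after the function body runs as well. */
int unpatched_import(const char *value)
{
    char segs[MAX_CMDS][MAX_LEN];
    COMMAND pool[2 * MAX_CMDS];
    int used = 0;
    if (strncmp(value, "() {", 4) != 0) return 0;
    int n = split_top_level(value, segs, MAX_CMDS);
    if (n == 0) return 0;
    return count_commands(build_tree(segs, n, pool, &used));
}

/* Patched rule (SEVAL_FUNCDEF): parse first, then import only when the parsed
 * command is a single function definition; a CONNECTION is refused. */
int patched_import(const char *value)
{
    char segs[MAX_CMDS][MAX_LEN];
    COMMAND pool[2 * MAX_CMDS];
    int used = 0;
    if (strncmp(value, "() {", 4) != 0) return 0;
    int n = split_top_level(value, segs, MAX_CMDS);
    if (n == 0) return 0;
    return build_tree(segs, n, pool, &used)->type == CM_FUNCTION_DEF;
}

int main(void)
{
    const char *bad = "() { :; }; echo Vulnerability"; /* constructed sample */
    const char *ok = "() { echo hi; }";                 /* constructed sample */
    printf("unpatched runs %d command(s) for the ';' case, patched imports: %d\n",
           unpatched_import(bad), patched_import(bad));
    printf("plain function: unpatched %d, patched %d\n",
           unpatched_import(ok), patched_import(ok));
    return 0;
}
```

The model deliberately stops at the parse-tree shape, which is the point of the post: the original importer never inspected the type of the parsed command, so a cm_connection whose second half is an arbitrary command was executed just like a bare function definition. Newline-separated commands (the reason the real fix also passes SEVAL_ONECMD) and the later change to the BASH_FUNC_name%% variable naming are outside this model.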