Has anyone else run into this kind of problem? The vulnerability only triggers when the sample file is opened by double-clicking it; no other way of opening it triggers anything. Starting the program and then opening the file through the File menu does not work; starting the program and dragging the document into its window does not work; opening the document from the command line does not work; and starting the program under a debugger works least of all. When the process has to be launched by the shell, untouched, the way around this is dual-machine (kernel) debugging: let Explorer start WINWORD.EXE normally and switch into the process from the kernel debugger afterwards, which is what the session below does.
CVE-2010-3333 dual-machine (kernel) debugging walkthrough
1. Debugging environment:
WinXP SP3 CN
Office 2003 SP3 CN
mso.dll 11.0.8172.0
2. Debugging procedure
0. Switch into the WINWORD.EXE process from the kernel debugger
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
Failed to get VadRoot
PROCESS 821b9830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00b40000 ObjectTable: e1000c90 HandleCount: 262.
Image: System
Failed to get VadRoot
PROCESS 82000da0 SessionId: none Cid: 017c Peb: 7ffd9000 ParentCid: 0004
DirBase: 06b80020 ObjectTable: e13c1308 HandleCount: 19.
Image: smss.exe
Failed to get VadRoot
PROCESS 81e90da0 SessionId: 0 Cid: 062c Peb: 7ffde000 ParentCid: 02a4
DirBase: 06b802a0 ObjectTable: e1decca8 HandleCount: 107.
Image: alg.exe
Failed to get VadRoot
PROCESS 81dcb340 SessionId: 0 Cid: 0664 Peb: 7ffdc000 ParentCid: 0408
DirBase: 06b802c0 ObjectTable: e1d268b8 HandleCount: 39.
Image: wscntfy.exe
Failed to get VadRoot
PROCESS 82072648 SessionId: 0 Cid: 06f8 Peb: 7ffde000 ParentCid: 067c
DirBase: 06b802e0 ObjectTable: e1ac6cd0 HandleCount: 270.
Image: WINWORD.EXE
kd> .process 82072648
Implicit process is now 82072648
WARNING: .cache forcedecodeuser is not enabled
You may need .reload, ld and similar commands after switching context; handle that as you see fit.
1. Kernel debugging: break at the data copy point
Microsoft (R) Windows Debugger Version 10.0.17763.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \\.\pipe\kd_winxp
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target at (Thu Sep 5 11:33:08.840 2019 (UTC + 8:00)), ptr64 FALSE
Kernel Debugger connection established.
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*H:\symbols\win10*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*H:\symbols\win10*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x80554fc0
Debug session time: Thu Sep 5 10:42:01.218 2019 (UTC + 8:00)
System Uptime: 0 days 6:41:20.062
Break instruction exception - code 80000003 (first chance)
30ed442c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
2. Inspect the SEH chain
kd> !teb
TEB at 7ffdd000
ExceptionList: 0012ffb0
StackBase: 00130000
StackLimit: 00119000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7ffdd000
EnvironmentPointer: 00000000
ClientId: 000000dc . 000000ec
RpcHandle: 00000000
Tls Storage: 001432c0
PEB Address: 7ffde000
LastErrorValue: 0
LastStatusValue: c0000034
Count Owned Locks: 0
HardErrorMode: 0
kd> dt ntdll!_EXCEPTION_REGISTRATION_RECORD -l next poi(7ffdd000)
next at 0x0012ffb0
---------------------------------------------
+0x000 Next : 0x0012ffe0 _EXCEPTION_REGISTRATION_RECORD
+0x004 Handler : 0x30aa1abc _EXCEPTION_DISPOSITION +30aa1abc
next at 0x0012ffe0
---------------------------------------------
+0x000 Next : 0xffffffff _EXCEPTION_REGISTRATION_RECORD
+0x004 Handler : 0x7c839ac0 _EXCEPTION_DISPOSITION +7c839ac0
next at 0xffffffff
---------------------------------------------
+0x000 Next : ????
+0x004 Handler : ????
Memory read error 00000003
3. Set a memory write breakpoint and wait for the SEH record to be modified
kd> ba w 4 0x0012ffe4
kd> g
Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
30ed442c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
4. Inspect the SEH chain again
kd> dt ntdll!_EXCEPTION_REGISTRATION_RECORD -l next poi(7ffdd000)
next at 0x0012ffb0
---------------------------------------------
+0x000 Next : 0x8b2b06eb _EXCEPTION_REGISTRATION_RECORD
+0x004 Handler : 0x30001bdd _EXCEPTION_DISPOSITION +30001bdd
next at 0x8b2b06eb
---------------------------------------------
+0x000 Next : ????
+0x004 Handler : ????
Memory read error 8b2b06ef
5. Set a breakpoint on the SEH handler
kd> bu 0x30001bdd
6. Run to the pop/pop/ret
kd> g
Breakpoint 1 hit
30001bdd 59 pop ecx
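To make the two "dt ntdll!_EXCEPTION_REGISTRATION_RECORD -l next" walks and the pop/pop/ret breakpoint above concrete, here is an added example that is not part of the original write-up: a portable C program that rebuilds the relevant stack bytes from the session as a constructed snapshot, walks the SEH chain from TEB->ExceptionList the way the dt command does (stopping at 0xffffffff, or on a Next pointer that cannot be read, the equivalent of the "Memory read error"), and decodes the overwritten Next field 0x8b2b06eb as the x86 short jump "eb 06", which lands on the byte right after the Handler pointer. The record addresses and values are taken from the session output; STACK_BASE, the 0xCC filler and all function names are this example's own assumptions.

```c
/* Added example: SEH chain walk and decoding of the overwritten record
 * from the CVE-2010-3333 session. Portable C; the stack is a constructed
 * snapshot, not live WINWORD.EXE memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed window of the user-mode stack covering both records seen in the
 * !teb / dt output (0x0012ffb0 and 0x0012ffe0). */
#define STACK_BASE   0x0012ff00u
#define STACK_SIZE   0x100u
#define END_OF_CHAIN 0xffffffffu

typedef struct {
    uint32_t addr;     /* where the record sits on the stack */
    uint32_t next;     /* +0x000 Next */
    uint32_t handler;  /* +0x004 Handler */
} seh_rec_t;

/* Little-endian DWORD read; 0 when the address is outside the snapshot,
 * mirroring WinDbg's "Memory read error". */
static int read_dword(const uint8_t *snap, uint32_t va, uint32_t *out)
{
    if (va < STACK_BASE || va > STACK_BASE + STACK_SIZE - 4)
        return 0;
    const uint8_t *p = snap + (va - STACK_BASE);
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

static void write_dword(uint8_t *snap, uint32_t va, uint32_t v)
{
    uint8_t *p = snap + (va - STACK_BASE);
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the chain from TEB->ExceptionList like "dt ... -l next". Returns the
 * number of records read; *broken is set when a Next pointer is unreadable. */
static int walk_seh(const uint8_t *snap, uint32_t head,
                    seh_rec_t *out, int max, int *broken)
{
    int n = 0;
    uint32_t cur = head;
    *broken = 0;
    while (n < max && cur != END_OF_CHAIN) {
        uint32_t next, handler;
        if (!read_dword(snap, cur, &next) || !read_dword(snap, cur + 4, &handler)) {
            *broken = 1;
            break;
        }
        out[n].addr = cur; out[n].next = next; out[n].handler = handler;
        n++;
        cur = next;
    }
    return n;
}

/* Read the Next field as code. If it starts with EB disp8 (jmp short), the
 * jump sits at rec_addr and is two bytes long, so it lands at
 * rec_addr + 2 + disp8. Returns 1 and fills *target in that case. */
static int next_as_short_jmp(uint32_t next, uint32_t rec_addr, uint32_t *target)
{
    uint8_t opcode = (uint8_t)(next & 0xff);
    int8_t disp = (int8_t)((next >> 8) & 0xff);
    if (opcode != 0xEB)
        return 0;
    *target = rec_addr + 2u + (uint32_t)(int32_t)disp;
    return 1;
}

/* Stack as the first dt walk saw it (values from the session output). */
static void build_clean_stack(uint8_t *snap)
{
    memset(snap, 0xCC, STACK_SIZE);                /* constructed filler */
    write_dword(snap, 0x0012ffb0u, 0x0012ffe0u);   /* record 1: Next    */
    write_dword(snap, 0x0012ffb4u, 0x30aa1abcu);   /* record 1: Handler */
    write_dword(snap, 0x0012ffe0u, END_OF_CHAIN);  /* record 2: Next    */
    write_dword(snap, 0x0012ffe4u, 0x7c839ac0u);   /* record 2: Handler */
}

/* What the rep movs left behind (second dt walk). */
static void apply_overflow(uint8_t *snap)
{
    write_dword(snap, 0x0012ffb0u, 0x8b2b06ebu);   /* bytes eb 06 2b 8b: jmp short +6 */
    write_dword(snap, 0x0012ffb4u, 0x30001bddu);   /* address the session breaks on (pop ecx ...) */
}

static void dump(const char *title, const uint8_t *snap)
{
    seh_rec_t recs[8];
    int broken, i, n = walk_seh(snap, 0x0012ffb0u, recs, 8, &broken);
    printf("%s\n", title);
    for (i = 0; i < n; i++)
        printf("  next at 0x%08x  Next: 0x%08x  Handler: 0x%08x\n",
               recs[i].addr, recs[i].next, recs[i].handler);
    if (broken)
        printf("  Memory read error %08x\n", n ? recs[n - 1].next : 0x0012ffb0u);
}

int main(void)
{
    uint8_t snap[STACK_SIZE];
    uint32_t target;
    build_clean_stack(snap);
    dump("before overflow:", snap);
    apply_overflow(snap);
    dump("after overflow:", snap);
    if (next_as_short_jmp(0x8b2b06ebu, 0x0012ffb0u, &target))
        printf("Next field is jmp short -> 0x%08x\n", target);
    return 0;
}
```

The decoded target explains the sequence of steps 5 and 6: when the dispatcher calls the handler, the address of the registration record (the EstablisherFrame argument) is the third DWORD on the handler's stack, so the pop/pop/ret at 0x30001bdd returns straight into the Next field, the "eb 06" there skips over the four bytes of the Handler pointer, and execution continues in the attacker-controlled data that follows the record.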
7. Shellcode execution
a. Put a breakpoint on the decryption instruction rather than single-stepping, so the single-step exceptions do not disturb the decryption
b. Press F5 a few times to let part of the instructions decrypt
c. Put a breakpoint on the instruction reached once decryption finishes and press F5 to run the decryption to completion
kd> bu 001237f7
d. Let the shellcode run to completion