RealPlayer 6.0.10 到 6.0.14 整数溢出分析
今天早上茄子就告诉我 cnbeta 被挂马了,使用最近出现的各种漏洞。
其中比较有意思的是,一个脚本中使用了没有见过的 realplayer 溢出。
先从 realplayer 目录 rpplugins\ierpplug.dll 中的 IIERPCtl.Import 开始讲起,
下面是其声明
HRESULT Import(
[in] BSTR file,
[in, optional, defaultvalue("")] BSTR playlist,
[in, optional, defaultvalue("")] BSTR clipInfo,
[in, optional, defaultvalue(0)] long bPlayFile,
[in, optional, defaultvalue(0)] long bCopyToMyMusic,
[out, retval] long* pVal);
; IIERPCtl::Import (rpplugins\ierpplug.dll) — the COM method the page's script reaches.
; Three BSTR (UTF-16) arguments are each converted to the ANSI code page into an
; alloca'd stack buffer; the narrow copies are then handed to sub_65E9C860, which
; serialises them for delivery to RealPlayer. The listing stops at that call.
; NOTE(review): the slot IDA names `This` (0Ch) is passed to lstrlenW below, so the
; auto-generated argument names appear shifted by one relative to the IDL declaration
; (file, playlist, clipInfo, ...); read them as positional labels only — confirm.
.text:65E91640 ; int __stdcall IIERPCtl_Import(int,int This,int file,int playlist,int clipInfo,int bPlayFile,int bCopyToMyMusic)
.text:65E91640 IIERPCtl_Import proc near ; DATA XREF: .rdata:65EB545Co
.text:65E91640 ; .rdata:65EB54E4o
.text:65E91640
.text:65E91640 var_C = dword ptr -0Ch
.text:65E91640 This = dword ptr 0Ch
.text:65E91640 file = dword ptr 10h
.text:65E91640 playlist = dword ptr 14h
.text:65E91640 clipInfo = dword ptr 18h
.text:65E91640 bPlayFile = dword ptr 1Ch
.text:65E91640 bCopyToMyMusic = dword ptr 20h
.text:65E91640
.text:65E91640 push ebp
.text:65E91641 mov ebp, esp
.text:65E91643 push ebx
.text:65E91644 mov ebx, [ebp+playlist] ; key parameter (author's note): the playlist BSTR
.text:65E91647 push esi
.text:65E91648 push edi
.text:65E91649 test ebx, ebx
.text:65E9164B jnz short loc_65E91652 ; NULL BSTR: leave the slot NULL and skip the conversion
.text:65E9164B
.text:65E9164D mov [ebp+playlist], ebx
.text:65E91650 jmp short loc_65E91684
.text:65E91650
.text:65E91652 ; ---------------------------------------------------------------------------
.text:65E91652
.text:65E91652 loc_65E91652: ; CODE XREF: IIERPCtl_Import+Bj
.text:65E91652 push ebx ; lpString
.text:65E91653 call ds:lstrlenW ; eax = length in WCHARs, terminator excluded
.text:65E91659 lea edi, [eax+eax+2] ; edi = cbMultiByte = 2*len + 2 bytes
.text:65E9165D mov eax, edi
.text:65E9165F add eax, 3
.text:65E91662 and al, 0FCh ; round the alloca size up to a 4-byte multiple
.text:65E91664 call __alloca_probe ; stack buffer sized directly from the caller-supplied string length
.text:65E91664
.text:65E91669 mov esi, esp ; esi = start of the new stack buffer
.text:65E9166B push 0 ; lpUsedDefaultChar
.text:65E9166D push 0 ; lpDefaultChar
.text:65E9166F push edi ; cbMultiByte
.text:65E91670 push esi ; lpMultiByteStr
.text:65E91671 push 0FFFFFFFFh ; cchWideChar = -1: input is NUL-terminated
.text:65E91673 push ebx ; lpWideCharStr
.text:65E91674 push 0 ; dwFlags
.text:65E91676 push 0 ; CodePage = 0 (CP_ACP)
.text:65E91678 mov byte ptr [esi], 0 ; pre-terminate: empty string if the conversion writes nothing
.text:65E9167B call ds:WideCharToMultiByte ; return value is not checked
.text:65E91681 mov [ebp+playlist], esi ; replace the BSTR in the arg slot with the narrow copy
.text:65E91681
.text:65E91684
.text:65E91684 loc_65E91684: ; CODE XREF: IIERPCtl_Import+10j
.text:65E91684 mov ebx, [ebp+file] ; second BSTR: same conversion as above
.text:65E91687 test ebx, ebx
.text:65E91689 jnz short loc_65E91690
.text:65E91689
.text:65E9168B mov [ebp+file], ebx
.text:65E9168E jmp short loc_65E916C2
.text:65E9168E
.text:65E91690 ; ---------------------------------------------------------------------------
.text:65E91690
.text:65E91690 loc_65E91690: ; CODE XREF: IIERPCtl_Import+49j
.text:65E91690 push ebx ; lpString
.text:65E91691 call ds:lstrlenW
.text:65E91697 lea edi, [eax+eax+2] ; edi = 2*len + 2
.text:65E9169B mov eax, edi
.text:65E9169D add eax, 3
.text:65E916A0 and al, 0FCh
.text:65E916A2 call __alloca_probe
.text:65E916A2
.text:65E916A7 mov esi, esp
.text:65E916A9 push 0 ; lpUsedDefaultChar
.text:65E916AB push 0 ; lpDefaultChar
.text:65E916AD push edi ; cbMultiByte
.text:65E916AE push esi ; lpMultiByteStr
.text:65E916AF push 0FFFFFFFFh ; cchWideChar = -1
.text:65E916B1 push ebx ; lpWideCharStr
.text:65E916B2 push 0 ; dwFlags
.text:65E916B4 push 0 ; CodePage = CP_ACP
.text:65E916B6 mov byte ptr [esi], 0
.text:65E916B9 call ds:WideCharToMultiByte ; return value is not checked
.text:65E916BF mov [ebp+file], esi ; narrow copy replaces the BSTR
.text:65E916BF
.text:65E916C2
.text:65E916C2 loc_65E916C2: ; CODE XREF: IIERPCtl_Import+4Ej
.text:65E916C2 mov ebx, [ebp+This] ; third BSTR (see the naming note at the top); esi = 0 if NULL
.text:65E916C5 test ebx, ebx
.text:65E916C7 jnz short loc_65E916CD
.text:65E916C7
.text:65E916C9 xor esi, esi
.text:65E916CB jmp short loc_65E916FC
.text:65E916CB
.text:65E916CD ; ---------------------------------------------------------------------------
.text:65E916CD
.text:65E916CD loc_65E916CD: ; CODE XREF: IIERPCtl_Import+87j
.text:65E916CD push ebx ; lpString
.text:65E916CE call ds:lstrlenW
.text:65E916D4 lea edi, [eax+eax+2] ; edi = 2*len + 2
.text:65E916D8 mov eax, edi
.text:65E916DA add eax, 3
.text:65E916DD and al, 0FCh
.text:65E916DF call __alloca_probe
.text:65E916DF
.text:65E916E4 mov esi, esp
.text:65E916E6 push 0 ; lpUsedDefaultChar
.text:65E916E8 push 0 ; lpDefaultChar
.text:65E916EA push edi ; cbMultiByte
.text:65E916EB push esi ; lpMultiByteStr
.text:65E916EC push 0FFFFFFFFh ; cchWideChar = -1
.text:65E916EE push ebx ; lpWideCharStr
.text:65E916EF push 0 ; dwFlags
.text:65E916F1 push 0 ; CodePage = CP_ACP
.text:65E916F3 mov byte ptr [esi], 0
.text:65E916F6 call ds:WideCharToMultiByte ; the converted pointer stays in esi (not written back to the slot)
.text:65E916F6
.text:65E916FC
.text:65E916FC loc_65E916FC: ; CODE XREF: IIERPCtl_Import+8Bj
.text:65E916FC mov eax, [ebp+bCopyToMyMusic]
.text:65E916FF mov ecx, [ebp+bPlayFile]
.text:65E91702 mov edx, [ebp+clipInfo]
.text:65E91705 push eax ; int
.text:65E91706 mov eax, [ebp+playlist] ; narrow copy (or NULL)
.text:65E91709 push ecx ; int
.text:65E9170A mov ecx, [ebp+file] ; narrow copy (or NULL)
.text:65E9170D push edx ; int
.text:65E9170E push eax ; int
.text:65E9170F push ecx ; file
.text:65E91710 push esi ; lpString
.text:65E91711 call sub_65E9C860 ; author: "enter" — serialises the strings and sends them to RealPlayer
; sub_65E9C860 — builds the length-prefixed message body that is sent to RealPlayer
; and passes it to sub_65E9E060. Body layout written below: dword record count (5),
; dword total payload size, then five (dword length, bytes) records.
; The author elided parts of this function ("....", "..."); the loop counter in ecx
; and the (source pointer, length) table at [ebp+var_38] appear to be set up there.
65E9C860 ; int __cdecl sub_65E9C860(LPCSTR lpString,int file,int,int,int,int)
.text:65E9C860 sub_65E9C860 proc near ; CODE XREF: IIERPCtl_Import+D1p
.text:65E9C860
.text:65E9C860 var_3C = dword ptr -3Ch
.text:65E9C860 var_38 = dword ptr -38h
.text:65E9C860 var_34 = dword ptr -34h
.text:65E9C860 var_30 = dword ptr -30h
.text:65E9C860 var_2C = dword ptr -2Ch
.text:65E9C860 var_28 = dword ptr -28h
.text:65E9C860 var_24 = dword ptr -24h
.text:65E9C860 var_20 = dword ptr -20h
.text:65E9C860 var_1C = dword ptr -1Ch
.text:65E9C860 var_18 = dword ptr -18h
.text:65E9C860 var_10 = dword ptr -10h
.text:65E9C860 hWnd = dword ptr -0Ch
.text:65E9C860 var_8 = dword ptr -8
.text:65E9C860 var_4 = dword ptr -4
.text:65E9C860 lpString = dword ptr 8
.text:65E9C860 file = dword ptr 0Ch
.text:65E9C860 arg_8 = dword ptr 10h
.text:65E9C860 arg_C = dword ptr 14h
.text:65E9C860 arg_10 = dword ptr 18h
.text:65E9C860 arg_14 = dword ptr 1Ch
.text:65E9C860
.text:65E9C860 push ebp
.text:65E9C861 mov ebp, esp
.text:65E9C863 sub esp, 3Ch
.text:65E9C866 lea eax, [ebp+var_8]
.text:65E9C869 push esi
.text:65E9C86A xor esi, esi
.text:65E9C86C push eax ; int
.text:65E9C86D push 1 ; hWnd
.text:65E9C86F mov [ebp+var_8], esi
.text:65E9C872 call sub_65E9DE90 ; author: checks whether RealPlayer is running and, if not, launches it
.text:65E9C872
....
.text:65E9C8CE
.text:65E9C8D3
.text:65E9C8D3 loc_65E9C8D3: ; CODE XREF: sub_65E9C860+7Dj
.text:65E9C8D3 mov edx, [eax] ; edx = length field of this table entry (8-byte stride)
.text:65E9C8D5 add eax, 8
.text:65E9C8D8 dec ecx ; ecx = entries remaining (initialised in the elided lines)
.text:65E9C8D9 lea esi, [esi+edx+7] ; esi += len + 7 — a 32-bit sum with no overflow check
.text:65E9C8DD jnz short loc_65E9C8D3
.text:65E9C8DD
.text:65E9C8DF push ebx
.text:65E9C8E0 push edi
.text:65E9C8E1 lea edi, [esi+0Bh] ; allocation size = total + 0Bh
.text:65E9C8E4 push edi
.text:65E9C8E5 call operator new(uint) ; NOTE(review): if the sum above wrapped, this buffer is smaller than the data the loop at loc_65E9C91C copies into it — this looks like the integer overflow the write-up analyses; confirm against the elided set-up code. The returned pointer is also used below without a NULL check.
.text:65E9C8E5
.text:65E9C8EA mov ecx, edi ; ecx = size in bytes
.text:65E9C8EC mov edx, eax ; edx = new buffer
.text:65E9C8EE mov ebx, ecx
.text:65E9C8F0 xor eax, eax
.text:65E9C8F2 mov edi, edx
.text:65E9C8F4 add esp, 4
.text:65E9C8F7 shr ecx, 2
.text:65E9C8FA rep stosd ; zero-fill size/4 dwords ...
.text:65E9C8FC mov ecx, ebx
.text:65E9C8FE mov [ebp+var_10], edx ; var_10 = buffer
.text:65E9C901 and ecx, 3
.text:65E9C904 mov [ebp+lpString], 5 ; the lpString arg slot is reused as the record counter: 5 records
.text:65E9C90B rep stosb ; ... and the remaining size%4 bytes
.text:65E9C90D mov dword ptr [edx], 5 ; header: record count
.text:65E9C913 mov [edx+4], esi ; header: total payload size (the sum computed above)
.text:65E9C916 lea eax, [edx+8] ; eax = write cursor, just past the header
.text:65E9C919 lea edx, [ebp+var_38] ; edx -> first table entry: [edx-4] = source pointer, [edx] = length
.text:65E9C919
.text:65E9C91C
.text:65E9C91C loc_65E9C91C: ; CODE XREF: sub_65E9C860+E4j
.text:65E9C91C mov ecx, [edx] ; ecx = record length
.text:65E9C91E mov esi, [edx-4] ; esi = record source
.text:65E9C921 mov [eax], ecx ; write the length prefix
.text:65E9C923 mov ebx, ecx
.text:65E9C925 lea edi, [eax+4] ; destination: right after the prefix
.text:65E9C928 add edx, 8 ; next table entry
.text:65E9C92B shr ecx, 2
.text:65E9C92E rep movsd ; copy len bytes (dwords, then the tail); bounded by the table length only, not by the buffer size
.text:65E9C930 mov ecx, ebx
.text:65E9C932 and ecx, 3
.text:65E9C935 rep movsb
.text:65E9C937 mov ecx, [eax]
.text:65E9C939 lea eax, [eax+ecx+4] ; advance the cursor by len + 4
.text:65E9C93D mov ecx, [ebp+lpString]
.text:65E9C940 dec ecx
.text:65E9C941 mov [ebp+lpString], ecx
.text:65E9C944 jnz short loc_65E9C91C ; until all 5 records are written
.text:65E9C944
.text:65E9C946 mov ebx, [ebp+var_10] ; ebx = message body
.text:65E9C949 mov edi, [ebp+hWnd]
.text:65E9C94C push ebx ; int
.text:65E9C94D push edi ; hWnd
.text:65E9C94E call sub_65E9E060 ; !! author: important — this sends the data, including the playlist, to the RealPlayer process via WM_COPYDATA
.text:65E9C94E
...
.text:65E9C9A0 mov eax, esi ; return value; esi's meaning after the elided lines is not visible here
.text:65E9C9A2 pop edi
.text:65E9C9A3 pop ebx
.text:65E9C9A4 pop esi
.text:65E9C9A5 mov esp, ebp
.text:65E9C9A7 pop ebp
.text:65E9C9A8 retn
.text:65E9C9A8
; sub_65E9E060 — wraps a message body in a COPYDATASTRUCT built on the stack and
; delivers it to hWnd with SendMessageA(WM_COPYDATA). Returns 1 if SendMessageA
; returned non-zero, else 0. The three locals form the COPYDATASTRUCT:
; lParam (-0Ch) = dwData, var_8 = cbData, var_4 = lpData.
; How the receiving window validates cbData against the body's length fields is
; not shown on this page.
:65E9E060 ; int __cdecl sub_65E9E060(HWND hWnd,int)
.text:65E9E060 sub_65E9E060 proc near ; CODE XREF: sub_65E9C4C0+10Ap
.text:65E9E060 ; sub_65E9C5F0+101p
.text:65E9E060 ; sub_65E9C720+2Ap
.text:65E9E060 ; sub_65E9C770+C3p
.text:65E9E060 ; sub_65E9C860+EEp
.text:65E9E060 ; sub_65E9C9B0+78p
.text:65E9E060
.text:65E9E060 lParam = dword ptr -0Ch
.text:65E9E060 var_8 = dword ptr -8
.text:65E9E060 var_4 = dword ptr -4
.text:65E9E060 hWnd = dword ptr 8
.text:65E9E060 arg_4 = dword ptr 0Ch
.text:65E9E060
.text:65E9E060 push ebp
.text:65E9E061 mov ebp, esp
.text:65E9E063 sub esp, 0Ch
.text:65E9E066 xor eax, eax
.text:65E9E068 lea edx, [ebp+lParam] ; edx -> COPYDATASTRUCT (the lParam passed below)
.text:65E9E06B mov [ebp+var_8], eax
.text:65E9E06E push edx ; lParam
.text:65E9E06F mov [ebp+var_4], eax
.text:65E9E072 mov eax, [ebp+arg_4] ; eax = message body supplied by the caller
.text:65E9E075 mov [ebp+var_4], eax ; lpData = body
.text:65E9E078 push 0 ; wParam
.text:65E9E07A mov ecx, [eax+4] ; ecx = total payload size stored in the body header
.text:65E9E07D mov eax, [ebp+hWnd]
.text:65E9E080 add ecx, 0Bh ; cbData = total + 0Bh (matches the esi+0Bh allocation in sub_65E9C860)
.text:65E9E083 push WM_COPYDATA ; Msg
.text:65E9E085 push eax ; hWnd
.text:65E9E086 mov [ebp+lParam], 0 ; dwData = 0
.text:65E9E08D mov [ebp+var_8], ecx ; cbData
.text:65E9E090 call ds:SendMessageA ; author: sends the message to RealPlayer, handing it the data
.text:65E9E096 neg eax
.text:65E9E098 sbb eax, eax
.text:65E9E09A neg eax ; eax = (SendMessageA result != 0) ? 1 : 0
.text:65E9E09C mov esp, ebp
.text:65E9E09E pop ebp
.text:65E9E09F retn