提交者看雪ID:xfmaple
职业:(学生、程序员、安全专家、黑客技术爱好者、其他?)
黑客技术爱好者
PE分析:
程序启动之后,会监听本地的7777端口,用来接受用户的输入,然后显示在屏幕上。
漏洞描述:
程序在接受用户的输入的数据时候,没有进行边界的检查,导致用户输入过长的数据时,在strcpy时产生溢出
用IDA加载分析
(因为是在处理接受输入的数据的时候出现的问题,因为我们可以直接找到recv函数的地方)
.text:00401200 loc_401200: ; CODE XREF: _main+1AA j
.text:00401200 ; _main+1C9 j
.text:00401200 mov ecx, 80h
.text:00401205 xor eax, eax
.text:00401207 lea edi, [esp+34h]
.text:0040120B push eax ; flags
.text:0040120C rep stosd
.text:0040120E lea ecx, [esp+38h]
.text:00401212 push 200h ; len //接受的长度
.text:00401217 push ecx ; buf //缓冲区80h
.text:00401218 push ebx ; s
.text:00401219 call ds:recv //接受数据
.text:0040121F mov esi, eax
.text:00401221 test esi, esi //是否有数据受到
.text:00401223 jge short loc_40124B //如果有数据接受到,跳转
.text:00401225 push offset aReadingStreamM ; "reading stream message erro!"
.text:0040122A mov ecx, offset dword_409A68
.text:0040122F call ??6ostream@@QAEAAV0@PBD@Z ; ostream::operator<<(char const *)
.text:00401234 push offset sub_4012D0
.text:00401239 push 0Ah
.text:0040123B mov ecx, eax
.text:0040123D call ??6ostream@@QAEAAV0@E@Z ; ostream::operator<<(uchar)
.text:00401242 mov ecx, eax
.text:00401244 call sub_4012B0
.text:00401249 xor esi, esi
如上面分析,程序在接受到数据以后会跳转到short loc_40124B 进行处理,继续跟进
.text:0040124B loc_40124B: ; CODE XREF: _main+173 j
.text:0040124B lea edx, [esp+34h] //把edx指向接受到的数据
.text:0040124F push edx
.text:00401250 call sub_401000 //处理,跟进
.text:00401255 add esp, 4
.text:00401258 test esi, esi
.text:0040125A jnz short loc_401200
.text:0040125C push ebx ; s
.text:0040125D call ds:closesocket
.text:00401263 lea eax, [esp+3C4h+name]
.text:00401267 lea ecx, [esp+3C4h+addr.sa_data+2]
.text:0040126B push eax ; addrlen
.text:0040126C push ecx ; addr
.text:0040126D push ebp ; s
.text:0040126E call ds:accept
.text:00401274 mov ebx, eax
.text:00401276 cmp ebx, 0FFFFFFFFh
.text:00401279 jnz short loc_401200
.text:0040127B pop edi
.text:0040127C pop esi
跟进出:
.text:00401000 sub_401000 proc near ; CODE XREF: _main+1A0 p
.text:00401000
.text:00401000 var_C8 = byte ptr -0C8h
.text:00401000 arg_0 = dword ptr 4
.text:00401000
.text:00401000 sub esp, 0C8h //分配内存大小0c8h = 200字节,关键
.text:00401006 or ecx, 0FFFFFFFFh //
.text:00401009 xor eax, eax //eax清零
.text:0040100B lea edx, [esp+0C8h+var_C8] //指向分配空间的起始地址
.text:0040100F push esi
.text:00401010 push edi //保存esi,edi
.text:00401011 mov edi, [esp+0D0h+arg_0] //edi指向接受的数据
.text:00401018 push offset asc_40904C ; "********************"
.text:0040101D repne scasb
.text:0040101F not ecx
.text:00401021 sub edi, ecx
.text:00401023 mov eax, ecx
.text:00401025 mov esi, edi
.text:00401027 mov edi, edx
.text:00401029 shr ecx, 2
.text:0040102C rep movsd //把源数据copy到目标区域,这里就是strcpy,溢出点。我们只分配了200空间的大小,也就是说超过200个字符就会溢出。
.text:0040102E mov ecx, eax
.text:00401030 and ecx, 3
.text:00401033 rep movsb
.text:00401035 mov ecx, offset dword_409A68
.text:0040103A call ??6ostream@@QAEAAV0@PBD@Z ; ostream::operator<<(char const *)
.text:0040103F push offset sub_4012D0
.text:00401044 push 0Ah
.text:00401046 mov ecx, eax
.text:00401048 call ??6ostream@@QAEAAV0@E@Z ; ostream::operator<<(uchar)
.text:0040104D mov ecx, eax
.text:0040104F call sub_4012B0
.text:00401054 push offset aReceived ; "received:"
.text:00401059 mov ecx, offset dword_409A68
.text:0040105E call ??6ostream@@QAEAAV0@PBD@Z ; ostream::operator<<(char const *)
.text:00401063 push offset sub_4012D0
.text:00401068 push 0Ah
.text:0040106A mov ecx, eax
.text:0040106C call ??6ostream@@QAEAAV0@E@Z ; ostream::operator<<(uchar)
.text:00401071 mov ecx, eax
.text:00401073 call sub_4012B0
.text:00401078 lea ecx, [esp+0D0h+var_C8]
.text:0040107C push ecx
.text:0040107D mov ecx, offset dword_409A68
.text:00401082 call ??6ostream@@QAEAAV0@PBD@Z ; ostream::operator<<(char const *)
.text:00401087 push offset sub_4012D0
.text:0040108C push 0Ah
.text:0040108E mov ecx, eax
.text:00401090 call ??6ostream@@QAEAAV0@E@Z ; ostream::operator<<(uchar)
.text:00401095 mov ecx, eax
.text:00401097 call sub_4012B0
.text:0040109C pop edi
.text:0040109D pop esi
.text:0040109E add esp, 0C8h
.text:004010A4 retn
.text:004010A4 sub_401000 endp
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!