BitComet_Torrent_URI处理缓冲区溢出漏洞分析备忘

//见识到了一个实际的防溢出机制:)

BitComet_Torrent_URI处理缓冲区溢出漏洞分析备忘

author:cocoruder
date:01/24/2006

漏洞报告:http://www.nsfocus.net/vulndb/8422  bugtraq-id:16311
从网上随便下载一个bt种子文件,解码如下

//------------------------------------start---------------------------------------------------
announce=http://tracker.icefish.org:8080/announce
created by=BitComet/0.61
creation date=1138017089
encoding=GBK
info=
{
length=347723144
name=HappySunday20060122.rm
name.utf-8=HappySunday20060122.rm
piece length=262144
pieces=........................0x67ac length
publisher=http://bt.icefish.org
publisher-url=http://bt.icefish.org            //buffer overflow
publisher-url.utf-8=http://bt.icefish.org
publisher.utf-8=http://bt.icefish.org
}
nodes=
{
86.52.67.165:17284
84.122.33.248:13162
60.51.18.5:9161
82.154.234.249:10078
84.9.113.230:6881
69.140.109.108:36285
24.126.127.49:25644
81.233.17.102:8255
210.159.185.90:7454
62.231.82.41:12932
}
//------------------------------------------end---------------------------------------------

参考漏洞描述,问题出在处理publisher-url的值("http://bt.icefish.org")时,因此构造一个publisher-url值超长的.torrent文件,用BitComet打开,点击创建者链接时BitComet会直接退出(无任何可见错误产生),可见程序自己接管了系统的异常处理,用查看回溯栈的老办法难以快速找出溢出点,改用直接内存搜索并下内存断点,最终可找到问题代码如下:

text:0045CCB0 sub_45CCB0      proc near               ; CODE XREF: sub_45C320+19p
.text:0045CCB0                                         ; sub_45CE00+40p
.text:0045CCB0
; ---------------------------------------------------------------------------
; sub_45CCB0 -- build a command line for the ".htm" handler and launch it,
; falling back to ShellExecuteW on failure.
; Rough C shape, inferred from the frame layout (confirm against callers):
;   sub_45CCB0(<dword at +8, not referenced in this listing>, LPCWSTR lpFile, int nShowCmd)
;   Callee pops 0Ch bytes of stack args (retn 0Ch); ecx/edx are also used as
;   register arguments for sub_45C9F0, so this is not plain stdcall.
; In:    [ebp+lpFile]   = caller-supplied string (the torrent's publisher-url)
;        [ebp+nShowCmd] = show flag forwarded to WinExec / ShellExecuteW
; Local: WideCharStr    = command line built in place, 0x410 bytes (0x208 WCHARs)
;        var_4          = copy of dword_5FBF64 stored on entry, re-checked on exit
; Out:   eax is whatever the last call (WinExec/ShellExecuteW, then sub_53F2FA) leaves
; Clobb: eax, ecx, edx, flags; ebx/esi/edi are saved and restored
; Bug:   the lstrcatW at 0045CD6F appends lpFile into WideCharStr with no bound
;        on the remaining room -> stack-based overflow (bugtraq-id 16311).
; ---------------------------------------------------------------------------
.text:0045CCB0 var_420         = dword ptr -420h     ; esp after the three register pushes (see 0045CDE7)
.text:0045CCB0 WideCharStr     = word ptr -414h      ; command-line buffer: [ebp-414h, ebp-4) = 0x410 bytes
.text:0045CCB0 var_4           = dword ptr -4        ; cookie slot, directly below saved ebp
.text:0045CCB0 lpFile          = dword ptr  0Ch      ; caller-supplied string (publisher-url value)
.text:0045CCB0 nShowCmd        = dword ptr  10h      ; forwarded to WinExec / ShellExecuteW
.text:0045CCB0
.text:0045CCB0                 push    ebp
.text:0045CCB1                 mov     ebp, esp
.text:0045CCB3                 sub     esp, 414h        ; locals: 0x414 bytes = WideCharStr (0x410) + the 4-byte cookie slot
.text:0045CCB9                 mov     eax, dword_5FBF64        ; global the author identifies as a random value (looks like a stack-cookie seed -- confirm)
.text:0045CCBE                 push    ebx
.text:0045CCBF                 push    esi
.text:0045CCC0                 mov     [ebp+var_4], eax        ; store the cookie in the last 4 bytes of the frame, just below saved ebp
.text:0045CCC3                 push    edi
.text:0045CCC4                 lea     eax, [ebp+WideCharStr]
.text:0045CCCA                 push    eax                     ; out buffer = WideCharStr
.text:0045CCCB                 mov     ecx, offset a_htm ; ".htm"
.text:0045CCD0                 mov     edx, 80000000h          ; 80000000h == HKEY_CLASSES_ROOT, so presumably a registry lookup of the ".htm" association -- confirm in sub_45C9F0
.text:0045CCD5                 call    sub_45C9F0              ; sub_45C9F0(ecx=".htm", edx=HKCR, WideCharStr)
.text:0045CCDA                 test    eax, eax
.text:0045CCDC                 jnz     loc_45CDCE              ; nonzero -> take the ShellExecuteW fallback path
.text:0045CCE2                 mov     ebx, ds:lstrcatW        ; ebx = lstrcatW for the three concatenations below
.text:0045CCE8                 push    offset aShellOpenComma ; lpString2 (IDA name; likely "\shell\open\command" -- confirm)
.text:0045CCED                 lea     ecx, [ebp+WideCharStr]
.text:0045CCF3                 push    ecx             ; lpString1
.text:0045CCF4                 call    ebx ; lstrcatW          ; WideCharStr += aShellOpenComma
.text:0045CCF6                 lea     edx, [ebp+WideCharStr]
.text:0045CCFC                 push    edx
.text:0045CCFD                 mov     ecx, edx                ; second lookup keyed by the string built so far
.text:0045CCFF                 mov     edx, 80000000h
.text:0045CD04                 call    sub_45C9F0        ; per the author: yields the browser's path + name + arguments into WideCharStr
.text:0045CD09                 test    eax, eax
.text:0045CD0B                 jnz     loc_45CDCE              ; failure -> ShellExecuteW fallback
.text:0045CD11                 lea     eax, [ebp+WideCharStr]
.text:0045CD17                 push    offset a1       ; wchar_t * (IDA name; presumably the "%1" placeholder -- confirm)
.text:0045CD1C                 push    eax             ; wchar_t *
.text:0045CD1D                 call    _wcsstr                 ; esi = wcsstr(WideCharStr, a1)
.text:0045CD22                 mov     edi, ds:lstrlenW        ; edi = lstrlenW, used twice below
.text:0045CD28                 mov     esi, eax
.text:0045CD2A                 add     esp, 8                  ; cdecl cleanup
.text:0045CD2D                 test    esi, esi
.text:0045CD2F                 jnz     short loc_45CD5D        ; placeholder found -> truncate there
.text:0045CD31                 lea     ecx, [ebp+WideCharStr]
.text:0045CD37                 push    offset a1_0     ; wchar_t * (second placeholder variant)
.text:0045CD3C                 push    ecx             ; wchar_t *
.text:0045CD3D                 call    _wcsstr                 ; esi = wcsstr(WideCharStr, a1_0)
.text:0045CD42                 mov     esi, eax
.text:0045CD44                 add     esp, 8
.text:0045CD47                 test    esi, esi
.text:0045CD49                 jnz     short loc_45CD5D
.text:0045CD4B                 lea     edx, [ebp+WideCharStr]
.text:0045CD51                 push    edx             ; lpString
.text:0045CD52                 call    edi ; lstrlenW          ; eax = wcslen(WideCharStr)
.text:0045CD54                 lea     esi, [ebp+eax*2-416h]   ; no placeholder: esi = &WideCharStr[len-1], the last WCHAR (assumes len > 0)
.text:0045CD5B                 jmp     short loc_45CD62        ; skip the truncation, append at the end
.text:0045CD5D ; ---------------------------------------------------------------------------
.text:0045CD5D
.text:0045CD5D loc_45CD5D:                             ; CODE XREF: sub_45CCB0+7Fj
.text:0045CD5D                                         ; sub_45CCB0+99j
.text:0045CD5D                 mov     word ptr [esi], 0       ; truncate at the placeholder; everything from the match on is dropped
.text:0045CD62
.text:0045CD62 loc_45CD62:                             ; CODE XREF: sub_45CCB0+ABj
.text:0045CD62                 push    offset asc_5B2A20 ; lpString2 (per the author: a single space)
.text:0045CD67                 push    esi             ; lpString1
.text:0045CD68                 call    ebx ; lstrcatW        ; browser path + arguments + " "
.text:0045CD6A                 mov     eax, [ebp+lpFile]
.text:0045CD6D                 push    eax             ; lpString2 = caller-controlled publisher-url
.text:0045CD6E                 push    esi             ; lpString1
.text:0045CD6F                 call    ebx ; lstrcatW        ; BUG: no length check against the 0x208-WCHAR buffer; a long lpFile overwrites var_4, saved ebp, the return address and the args above it
.text:0045CD71                 call    Target                  ; result goes to ebx and is passed as CodePage below
.text:0045CD77                 lea     ecx, [ebp+WideCharStr]
.text:0045CD7D                 push    ecx             ; lpString
.text:0045CD7E                 mov     ebx, eax                ; ebx = code page
.text:0045CD80                 call    edi ; lstrlenW          ; length measured after the concatenation, so it tracks the (possibly overflowed) string
.text:0045CD82                 lea     edi, [eax+eax+2]        ; edi = 2*len + 2 = byte budget for the narrow copy
.text:0045CD86                 mov     eax, edi
.text:0045CD88                 add     eax, 3
.text:0045CD8B                 and     eax, 0FFFFFFFCh         ; round up to a multiple of 4
.text:0045CD8E                 call    __alloca_probe          ; reserve that many bytes on the stack (esp -= eax)
.text:0045CD93                 mov     esi, esp                ; esi = alloca'd narrow buffer
.text:0045CD95                 test    esi, esi
.text:0045CD97                 jz      short loc_45CDBC        ; esp cannot be 0 here, so this branch is effectively unreachable
.text:0045CD99                 push    0               ; lpUsedDefaultChar
.text:0045CD9B                 push    0               ; lpDefaultChar
.text:0045CD9D                 push    edi             ; cchMultiByte
.text:0045CD9E                 push    esi             ; lpMultiByteStr
.text:0045CD9F                 push    0FFFFFFFFh      ; cchWideChar = -1 (NUL-terminated input)
.text:0045CDA1                 lea     edx, [ebp+WideCharStr]
.text:0045CDA7                 push    edx             ; lpWideCharStr
.text:0045CDA8                 push    0               ; dwFlags
.text:0045CDAA                 push    ebx             ; CodePage (from Target above)
.text:0045CDAB                 mov     byte ptr [esi], 0       ; pre-terminate the output buffer
.text:0045CDAE                 call    ds:WideCharToMultiByte        ; wchar -> char conversion of the command line
.text:0045CDB4                 neg     eax                     ; CF = (eax != 0)
.text:0045CDB6                 sbb     eax, eax                ; eax = CF ? -1 : 0
.text:0045CDB8                 and     eax, esi                ; eax = conversion succeeded ? esi : NULL
.text:0045CDBA                 jmp     short loc_45CDBE
.text:0045CDBC ; ---------------------------------------------------------------------------
.text:0045CDBC
.text:0045CDBC loc_45CDBC:                             ; CODE XREF: sub_45CCB0+E7j
.text:0045CDBC                 xor     eax, eax                ; lpCmdLine = NULL
.text:0045CDBE
.text:0045CDBE loc_45CDBE:                             ; CODE XREF: sub_45CCB0+10Aj
.text:0045CDBE                 mov     ecx, [ebp+nShowCmd]     ; re-read from the frame, above the cookie slot: this is after the lstrcatW at 0045CD6F may have overwritten it and before the check at 0045CDF0 runs
.text:0045CDC1                 push    ecx             ; uCmdShow
.text:0045CDC2                 push    eax             ; lpCmdLine (may be NULL if conversion failed)
.text:0045CDC3                 call    ds:WinExec        ; WinExec launches the browser with the URL appended
.text:0045CDC9                 cmp     eax, 20h
.text:0045CDCC                 ja      short loc_45CDE7        ; > 32 treated as success (documented success threshold is > 31); skip the fallback
.text:0045CDCE
.text:0045CDCE loc_45CDCE:                             ; CODE XREF: sub_45CCB0+2Cj
.text:0045CDCE                                         ; sub_45CCB0+5Bj
.text:0045CDCE                 mov     edx, [ebp+nShowCmd]     ; fallback: ShellExecuteW(NULL, Operation, lpFile, NULL, NULL, nShowCmd)
.text:0045CDD1                 mov     eax, [ebp+lpFile]       ; same caveat as at 0045CDBE: read after the possible overflow, before the cookie check
.text:0045CDD4                 push    edx             ; nShowCmd
.text:0045CDD5                 push    0               ; lpDirectory
.text:0045CDD7                 push    0               ; lpParameters
.text:0045CDD9                 push    eax             ; lpFile
.text:0045CDDA                 push    offset Operation ; lpOperation
.text:0045CDDF                 push    0               ; hwnd
.text:0045CDE1                 call    ds:ShellExecuteW ; Opens or prints a specified file
.text:0045CDE7
.text:0045CDE7 loc_45CDE7:                             ; CODE XREF: sub_45CCB0+11Cj
.text:0045CDE7                 lea     esp, [ebp-420h]        ; reset esp to the saved-register area (discards the alloca region)
.text:0045CDED                 mov     ecx, [ebp+var_4]        ; ecx = the cookie copy stored on entry (last 4 bytes of the 0x414 local area)
.text:0045CDF0                 call    sub_53F2FA        ; per the author: compares ecx with the original value and terminates the process on mismatch; same shape as MSVC's __security_check_cookie -- confirm. Runs only at return, so the overflow itself (and the API calls above) has already happened; the real fix is a bounded copy at 0045CD6F
.text:0045CDF5                 pop     edi
.text:0045CDF6                 pop     esi
.text:0045CDF7                 pop     ebx
.text:0045CDF8                 mov     esp, ebp
.text:0045CDFA                 pop     ebp
.text:0045CDFB                 retn    0Ch                     ; callee pops 12 bytes of stack args
.text:0045CDFB sub_45CCB0      endp

触发溢出的原因在于0045CD6F处调用lstrcatW但未对源string作长度检查(源string即为我们可以控制的url),但由于程序本身的安全检查机制使得无法完成溢出攻击。

安全检查原理:
在函数开始处,分配局部变量(记为szWinExecParam[0x414])后即把szWinExecParam的最后4字节设为一随机值,然后在函数ret前检查这个值是否被更改,如已更改则表示发生了溢出,直接弹出警告对话框并退出进程。由于栈溢出在覆盖ret地址前必然要先完全覆盖局部变量和ebp,因此此种检查机制简单有效,值得推荐。需要注意的是,该检查只在函数返回时进行,溢出本身以及其后对[ebp+lpFile]、[ebp+nShowCmd]等参数的读取仍会先发生,因此它只是缓解手段,根本修复仍应在0045CD6F处对源string做长度限制。

--EOF--
