//见识到了一个实际的防溢出机制:)
BitComet_Torrent_URI处理缓冲区溢出漏洞分析备忘
author:cocoruder
date:01/24/2006
漏洞报告:http://www.nsfocus.net/vulndb/8422 (bugtraq-id:16311)
从网上随便下载一个bt种子文件,解码如下
//------------------------------------start---------------------------------------------------
announce=http://tracker.icefish.org:8080/announce
created by=BitComet/0.61
creation date=1138017089
encoding=GBK
info=
{
length=347723144
name=HappySunday20060122.rm
name.utf-8=HappySunday20060122.rm
piece length=262144
pieces=........................0x67ac length
publisher=http://bt.icefish.org
publisher-url=http://bt.icefish.org //buffer overflow
publisher-url.utf-8=http://bt.icefish.org
publisher.utf-8=http://bt.icefish.org
}
nodes=
{
86.52.67.165:17284
84.122.33.248:13162
60.51.18.5:9161
82.154.234.249:10078
84.9.113.230:6881
69.140.109.108:36285
24.126.127.49:25644
81.233.17.102:8255
210.159.185.90:7454
62.231.82.41:12932
}
//------------------------------------------end---------------------------------------------
参考漏洞描述是在处理publisher-url的值("http://bt.icefish.org") 时出了问题,因此构造1个publisher-url值超长的.torrent文件,BitComet打开,点击创建者链接的时候BitComet会直接退出(无任何可见错误产生),可见程序自己接管了系统的异常处理,stack查看回溯栈的老办法难以快速找出溢出点,改用直接内存搜索,下内存断点,最终可找到问题代码如下:
text:0045CCB0 sub_45CCB0 proc near ; CODE XREF: sub_45C320+19p
.text:0045CCB0 ; sub_45CE00+40p
.text:0045CCB0
.text:0045CCB0 ; -----------------------------------------------------------------------
.text:0045CCB0 ; sub_45CCB0 -- build "<.htm handler command> <URL>" on the stack, run it
.text:0045CCB0 ; with WinExec, fall back to ShellExecuteW(lpFile). Names are IDA's.
.text:0045CCB0 ; ABI:   3 stack args, callee cleanup (retn 0Ch); the first arg at
.text:0045CCB0 ;        [ebp+8] is unnamed and not referenced in this listing.
.text:0045CCB0 ; In:    [ebp+lpFile]   = WCHAR* URL; in the analysed case the torrent's
.text:0045CCB0 ;                         publisher-url value, i.e. attacker-controlled
.text:0045CCB0 ;        [ebp+nShowCmd] = show flag forwarded to WinExec / ShellExecuteW
.text:0045CCB0 ; Stack: WideCharStr = 0x410 bytes (ebp-414h .. ebp-5, 0x208 WCHARs);
.text:0045CCB0 ;        var_4 directly above it holds a cookie copied from dword_5FBF64
.text:0045CCB0 ;        and re-checked by sub_53F2FA before ret. The pattern matches the
.text:0045CCB0 ;        MSVC /GS __security_cookie / __security_check_cookie scheme --
.text:0045CCB0 ;        the listing does not name them, so treat that as unconfirmed.
.text:0045CCB0 ; Bug:   the lstrcatW at 0045CD6F appends lpFile into WideCharStr with no
.text:0045CCB0 ;        length check (stack overflow). The cookie is only verified at
.text:0045CCB0 ;        0045CDF0, after the overrun buffer has already been converted and
.text:0045CCB0 ;        handed to WinExec, so the check stops return-address abuse but not
.text:0045CCB0 ;        the corruption itself.
.text:0045CCB0 ; -----------------------------------------------------------------------
.text:0045CCB0 var_420 = dword ptr -420h ; esp after the three pushes (414h + 0Ch); restored by the epilogue's lea esp
.text:0045CCB0 WideCharStr = word ptr -414h ; 0x410-byte WCHAR buffer the command line is assembled in
.text:0045CCB0 var_4 = dword ptr -4 ; cookie slot, the dword just above WideCharStr
.text:0045CCB0 lpFile = dword ptr 0Ch ; arg 2: URL (publisher-url)
.text:0045CCB0 nShowCmd = dword ptr 10h ; arg 3: show flag
.text:0045CCB0
.text:0045CCB0 push ebp
.text:0045CCB1 mov ebp, esp
.text:0045CCB3 sub esp, 414h ; allocate locals: 0x414 bytes (WideCharStr + cookie)
.text:0045CCB9 mov eax, dword_5FBF64 ; global cookie value (original note: a random value)
.text:0045CCBE push ebx
.text:0045CCBF push esi
.text:0045CCC0 mov [ebp+var_4], eax ; cookie -> the 4 bytes just above the buffer (var_4)
.text:0045CCC3 push edi
.text:0045CCC4 lea eax, [ebp+WideCharStr]
.text:0045CCCA push eax ; stack arg: output buffer
.text:0045CCCB mov ecx, offset a_htm ; ".htm" -- key name
.text:0045CCD0 mov edx, 80000000h ; HKEY_CLASSES_ROOT handle value; sub_45C9F0 looks like a registry query (ecx=key, edx=hive, stack=out)
.text:0045CCD5 call sub_45C9F0
.text:0045CCDA test eax, eax
.text:0045CCDC jnz loc_45CDCE ; nonzero -> skip straight to the ShellExecuteW fallback
.text:0045CCE2 mov ebx, ds:lstrcatW ; ebx = lstrcatW for the rest of the function
.text:0045CCE8 push offset aShellOpenComma ; lpString2 -- by IDA's name presumably "\shell\open\command" (confirm)
.text:0045CCED lea ecx, [ebp+WideCharStr]
.text:0045CCF3 push ecx ; lpString1
.text:0045CCF4 call ebx ; lstrcatW -- WideCharStr = "<progid>\shell\open\command"
.text:0045CCF6 lea edx, [ebp+WideCharStr]
.text:0045CCFC push edx ; stack arg: output buffer (same buffer as the key)
.text:0045CCFD mov ecx, edx ; ecx = key name = WideCharStr
.text:0045CCFF mov edx, 80000000h ; HKEY_CLASSES_ROOT again
.text:0045CD04 call sub_45C9F0 ; second lookup overwrites WideCharStr; original note: IE path + name + arguments
.text:0045CD09 test eax, eax
.text:0045CD0B jnz loc_45CDCE ; nonzero -> ShellExecuteW fallback
.text:0045CD11 lea eax, [ebp+WideCharStr]
.text:0045CD17 push offset a1 ; wchar_t * -- placeholder pattern; IDA's name suggests "%1" (confirm)
.text:0045CD1C push eax ; wchar_t *
.text:0045CD1D call _wcsstr
.text:0045CD22 mov edi, ds:lstrlenW ; edi = lstrlenW for the rest of the function
.text:0045CD28 mov esi, eax ; esi = match position or NULL
.text:0045CD2A add esp, 8
.text:0045CD2D test esi, esi
.text:0045CD2F jnz short loc_45CD5D ; found -> truncate there
.text:0045CD31 lea ecx, [ebp+WideCharStr]
.text:0045CD37 push offset a1_0 ; wchar_t * -- second placeholder variant (confirm)
.text:0045CD3C push ecx ; wchar_t *
.text:0045CD3D call _wcsstr
.text:0045CD42 mov esi, eax
.text:0045CD44 add esp, 8
.text:0045CD47 test esi, esi
.text:0045CD49 jnz short loc_45CD5D ; found -> truncate there
.text:0045CD4B lea edx, [ebp+WideCharStr]
.text:0045CD51 push edx ; lpString
.text:0045CD52 call edi ; lstrlenW -- eax = len(WideCharStr)
.text:0045CD54 lea esi, [ebp+eax*2-416h] ; esi = &WideCharStr[len-1] (ebp-414h + 2*len - 2): the last WCHAR; lstrcatW below still appends after the terminator. If len == 0 this points one WCHAR before the buffer.
.text:0045CD5B jmp short loc_45CD62
.text:0045CD5D ; ---------------------------------------------------------------------------
.text:0045CD5D
.text:0045CD5D loc_45CD5D: ; CODE XREF: sub_45CCB0+7Fj
.text:0045CD5D ; sub_45CCB0+99j
.text:0045CD5D mov word ptr [esi], 0 ; cut the command line at the placeholder
.text:0045CD62
.text:0045CD62 loc_45CD62: ; CODE XREF: sub_45CCB0+ABj
.text:0045CD62 push offset asc_5B2A20 ; lpString2 -- original note: a single space
.text:0045CD67 push esi ; lpString1
.text:0045CD68 call ebx ; lstrcatW -- IE path + name + arguments + " "
.text:0045CD6A mov eax, [ebp+lpFile]
.text:0045CD6D push eax ; lpString2 = the URL (publisher-url)
.text:0045CD6E push esi ; lpString1
.text:0045CD6F call ebx ; lstrcatW -- appends the URL with NO length check: a long publisher-url runs past the 0x410-byte buffer over the cookie, saved regs, saved ebp and return address (original note: overflow!). The URL is also appended unquoted.
.text:0045CD71 call Target ; eax = code page used below (moved to ebx, pushed as CodePage); IDA's name, helper not shown
.text:0045CD77 lea ecx, [ebp+WideCharStr]
.text:0045CD7D push ecx ; lpString
.text:0045CD7E mov ebx, eax ; ebx = code page
.text:0045CD80 call edi ; lstrlenW -- eax = len of the (possibly overrun) command line
.text:0045CD82 lea edi, [eax+eax+2] ; edi = 2*len + 2 = byte size of the wide string incl. terminator
.text:0045CD86 mov eax, edi
.text:0045CD88 add eax, 3
.text:0045CD8B and eax, 0FFFFFFFCh ; round the alloca size up to a multiple of 4
.text:0045CD8E call __alloca_probe ; esp -= eax (stack-allocated multibyte buffer)
.text:0045CD93 mov esi, esp ; esi = alloca'd buffer
.text:0045CD95 test esi, esi
.text:0045CD97 jz short loc_45CDBC ; defensive check; esp cannot be 0 here in practice
.text:0045CD99 push 0 ; lpUsedDefaultChar
.text:0045CD9B push 0 ; lpDefaultChar
.text:0045CD9D push edi ; cchMultiByte = 2*len+2 -- the WIDE byte count; for code pages needing more bytes per WCHAR this is too small, in which case the API returns 0 (ERROR_INSUFFICIENT_BUFFER) and eax becomes 0 below
.text:0045CD9E push esi ; lpMultiByteStr
.text:0045CD9F push 0FFFFFFFFh ; cchWideChar = -1 (NUL-terminated input)
.text:0045CDA1 lea edx, [ebp+WideCharStr]
.text:0045CDA7 push edx ; lpWideCharStr
.text:0045CDA8 push 0 ; dwFlags
.text:0045CDAA push ebx ; CodePage
.text:0045CDAB mov byte ptr [esi], 0 ; pre-terminate the output buffer
.text:0045CDAE call ds:WideCharToMultiByte ; wchar -> char conversion of the command line
.text:0045CDB4 neg eax
.text:0045CDB6 sbb eax, eax
.text:0045CDB8 and eax, esi ; eax = (result != 0) ? esi : 0 (neg/sbb/and select idiom)
.text:0045CDBA jmp short loc_45CDBE
.text:0045CDBC ; ---------------------------------------------------------------------------
.text:0045CDBC
.text:0045CDBC loc_45CDBC: ; CODE XREF: sub_45CCB0+E7j
.text:0045CDBC xor eax, eax ; lpCmdLine = NULL
.text:0045CDBE
.text:0045CDBE loc_45CDBE: ; CODE XREF: sub_45CCB0+10Aj
.text:0045CDBE mov ecx, [ebp+nShowCmd]
.text:0045CDC1 push ecx ; uCmdShow
.text:0045CDC2 push eax ; lpCmdLine (NULL on conversion failure)
.text:0045CDC3 call ds:WinExec ; WinExec launches IE with the URL -- this runs before the cookie check at 0045CDF0
.text:0045CDC9 cmp eax, 20h
.text:0045CDCC ja short loc_45CDE7 ; > 32 -> treated as success; WinExec documents success as > 31, so a return of exactly 32 still takes the fallback (may be intentional)
.text:0045CDCE
.text:0045CDCE loc_45CDCE: ; CODE XREF: sub_45CCB0+2Cj
.text:0045CDCE ; sub_45CCB0+5Bj
.text:0045CDCE mov edx, [ebp+nShowCmd]
.text:0045CDD1 mov eax, [ebp+lpFile]
.text:0045CDD4 push edx ; nShowCmd
.text:0045CDD5 push 0 ; lpDirectory
.text:0045CDD7 push 0 ; lpParameters
.text:0045CDD9 push eax ; lpFile = the URL itself
.text:0045CDDA push offset Operation ; lpOperation
.text:0045CDDF push 0 ; hwnd
.text:0045CDE1 call ds:ShellExecuteW ; fallback: ShellExecuteW(NULL, Operation, lpFile, NULL, NULL, nShowCmd) -- Opens or prints a specified file
.text:0045CDE7
.text:0045CDE7 loc_45CDE7: ; CODE XREF: sub_45CCB0+11Cj
.text:0045CDE7 lea esp, [ebp-420h] ; drop the alloca frame: esp back to its value right after the three pushes (ebp - 414h - 0Ch)
.text:0045CDED mov ecx, [ebp+var_4] ; ecx = the cookie stored above WideCharStr (the last 4 bytes of the 0x414-byte local area)
.text:0045CDF0 call sub_53F2FA ; verifies the cookie is unchanged and reacts if not (original note); matches __security_check_cookie(ecx) -- confirm
.text:0045CDF5 pop edi
.text:0045CDF6 pop esi
.text:0045CDF7 pop ebx
.text:0045CDF8 mov esp, ebp
.text:0045CDFA pop ebp
.text:0045CDFB retn 0Ch ; callee pops the 3 stack args
.text:0045CDFB sub_45CCB0 endp
触发溢出的原因在于0045CD6F处调用lstrcatW但未对源string作长度检查(源string即为我们可以控制的url),但由于程序本身的安全检查机制使得无法完成溢出攻击。
安全检查原理:
在函数开始地方,分配局部变量(记为szWinExecParam[0x414])后即设置szWinExecParam的最后4字节为一随机值,然后在函数ret前检查这个值是否被更改,如更改表示被溢出直接弹出警告对话框并退出进程。由于栈溢出覆盖ret地址前必然要完全覆盖完局部变量和ebp,因此此种检查机制简单有效,值得推荐。
--EOF--