Analysis environment
Windows XP SP3, IDA, OllyDbg (OD), WinDbg
Office Excel 2003 SP3
Vulnerability analysis based on a taint-tracking approach
Run excel.exe, attach WinDbg and let it continue, then open exploit.xlb to trigger the exception:
(eb8.b2c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=51455047 ebx=0013ca60 ecx=00000006 edx=31622f28 esi=00000000 edi=00000400
eip=300e06f7 esp=0013aa1c ebp=0013aa88 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -
EXCEL!Ordinal41+0xe06f7:
300e06f7 8908 mov dword ptr [eax],ecx ds:0023:51455047=????????
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0013aa88 584b4c4b 30435451 50453043 55514b4c EXCEL!Ordinal41+0xe06f7
0013aa8c 30435451 50453043 55514b4c 4b4c4c47 0x584b4c4b
0013aa90 50453043 55514b4c 4b4c4c47 35434c43 EXCEL!Ordinal41+0x435451
0013aa94 55514b4c 4b4c4c47 35434c43 51453844 0x50453043
0013aa98 4b4c4c47 35434c43 51453844 4b4c4f4a 0x55514b4c
0013aa9c 35434c43 51453844 4b4c4f4a 58444f50 0x4b4c4c47
0013aaa0 51453844 4b4c4f4a 58444f50 4f514b4c 0x35434c43
0013aaa4 4b4c4f4a 58444f50 4f514b4c 51455047 0x51453844
0013aaa8 58444f50 4f514b4c 51455047 59514b4a 0x4b4c4f4a
0013aaac 4f514b4c 51455047 59514b4a 54464b4c 0x58444f50
0013aab0 51455047 59514b4a 54464b4c 31434b4c 0x4f514b4c
0013aab4 59514b4a 54464b4c 31434b4c 51464e4a 0x51455047
0013aab8 54464b4c 31434b4c 51464e4a 394a5049 0x59514b4a
...
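The crash context above already tells you more than the faulting instruction does. As an added example (not part of the original write-up), the following Python script decodes the register values and the `kb` return addresses from the WinDbg output quoted above as the little-endian bytes they occupy in memory and flags the values that consist entirely of printable ASCII, which is the usual sign that the saved return address and the neighbouring stack slots were overwritten with bytes taken directly from the document. The helper names are my own; CRASH_TEXT is copied from the WinDbg output above.

```python
"""Crash-context triage for the Excel access violation shown above.

Added example, not part of the original analysis: it decodes the 32-bit
values in the WinDbg register dump and `kb` frames as the bytes they occupy
in memory and reports which ones are entirely printable ASCII. Helper names
are my own; CRASH_TEXT is copied from the WinDbg output above.
"""
import re
import string

# Printable ASCII bytes, excluding control whitespace (tab, newlines, ...).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# "eax=51455047" style tokens in the register dump.
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-fA-F]{8})")
# A `kb` frame line: ChildEBP RetAddr Arg1 Arg2 Arg3 ...
FRAME_RE = re.compile(
    r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8})", re.M)

# Copied from the WinDbg session above (register dump plus the `kb` frames).
CRASH_TEXT = """\
eax=51455047 ebx=0013ca60 ecx=00000006 edx=31622f28 esi=00000000 edi=00000400
eip=300e06f7 esp=0013aa1c ebp=0013aa88 iopl=0 nv up ei pl nz na pe nc
0:000> kb
ChildEBP RetAddr Args to Child
0013aa88 584b4c4b 30435451 50453043 55514b4c EXCEL!Ordinal41+0xe06f7
0013aa8c 30435451 50453043 55514b4c 4b4c4c47 0x584b4c4b
0013aa90 50453043 55514b4c 4b4c4c47 35434c43 EXCEL!Ordinal41+0x435451
0013aa94 55514b4c 4b4c4c47 35434c43 51453844 0x50453043
0013aa98 4b4c4c47 35434c43 51453844 4b4c4f4a 0x55514b4c
0013aa9c 35434c43 51453844 4b4c4f4a 58444f50 0x4b4c4c47
0013aaa0 51453844 4b4c4f4a 58444f50 4f514b4c 0x35434c43
0013aaa4 4b4c4f4a 58444f50 4f514b4c 51455047 0x51453844
0013aaa8 58444f50 4f514b4c 51455047 59514b4a 0x4b4c4f4a
0013aaac 4f514b4c 51455047 59514b4a 54464b4c 0x58444f50
0013aab0 51455047 59514b4a 54464b4c 31434b4c 0x4f514b4c
0013aab4 59514b4a 54464b4c 31434b4c 51464e4a 0x51455047
0013aab8 54464b4c 31434b4c 51464e4a 394a5049 0x59514b4a
"""


def decode_dword(hexval):
    """Return the 4 bytes a 32-bit value occupies in little-endian memory."""
    return int(hexval, 16).to_bytes(4, "little")


def as_text(raw):
    """Return the ASCII string if every byte is printable, otherwise None."""
    return raw.decode("ascii") if all(b in PRINTABLE for b in raw) else None


def triage_registers(text):
    """Map register name -> decoded text (or None) for each register in the dump."""
    return {name: as_text(decode_dword(val)) for name, val in REG_RE.findall(text)}


def triage_frames(text):
    """Return (child_ebp, ret_addr, decoded_text_or_None) for every `kb` frame."""
    return [(ebp, ret, as_text(decode_dword(ret)))
            for ebp, ret, *_ in FRAME_RE.findall(text)]


def overwritten_frames(text):
    """Count the leading run of frames whose return address decodes as text.

    A long run starting at the faulting frame means the saved return
    addresses were replaced by file bytes (a stack overwrite), not that a
    single stray pointer write happened to land there.
    """
    n = 0
    for _, _, txt in triage_frames(text):
        if txt is None:
            break
        n += 1
    return n


if __name__ == "__main__":
    for reg, txt in triage_registers(CRASH_TEXT).items():
        print(f"{reg}: {txt!r}")
    for ebp, ret, txt in triage_frames(CRASH_TEXT):
        print(f"frame {ebp} ret={ret} -> {txt!r}")
    print("frames with ASCII return addresses:", overwritten_frames(CRASH_TEXT))
```

Two details of the output are worth noting. The second frame's return address 30435451 decodes to "QTC0" even though WinDbg labelled it EXCEL!Ordinal41+0x435451; the symbolizer label only means the value falls inside the EXCEL.EXE address range, so treat it as file data like its neighbours. Conversely, edx=31622f28 decodes to "(/b1", which shows the heuristic is only a first pass: a value that happens to be printable can still be a genuine address, so cross-check such hits against the loaded module ranges (`lm` in WinDbg) before concluding that a register is controlled.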
Looking at it in IDA, the crash address 0x300e06f7 lies inside function sub_300E05AD.
Load the binary in OD and set a breakpoint at 0x300E05AD.
Once it breaks, set a memory-write breakpoint at the top of the stack.
Press F9 to continue; it breaks at 0x300de834, which is where the loop copies data onto the stack and causes the overflow.
Viewed in IDA:
v7 is the number of bytes copied.
Tracing upward, the function entry is at 0x300DE7EC:
300DE7EC $ 53 push ebx
300DE7ED . 8B5C24 0C mov ebx,dword ptr ss:[esp+0xC]
300DE7F1 . 85DB test ebx,ebx
300DE7F3 . 0F84 89970200 je EXCEL.30107F82
300DE7F9 . 3B5C24 10 cmp ebx,dword ptr ss:[esp+0x10] ; EXCEL.3070DF42
300DE7FD . 0F87 03A71500 ja EXCEL.30238F06
300DE803 . 8B15 442C8930 mov edx,dword ptr ds:[0x30892C44]
300DE809 . A1 402C8930 mov eax,dword ptr ds:[0x30892C40]
300DE80E . 55 push ebp
300DE80F . 8B6C24 0C mov ebp,dword ptr ss:[esp+0xC]
300DE813 . 56 push esi ; EXCEL.3088ECC4
300DE814 . 57 push edi
300DE815 > 3BD0 cmp edx,eax
300DE817 . 0F8D F0B90300 jge EXCEL.3011A20D
300DE81D > 2BC2 sub eax,edx
300DE81F . 3BD8 cmp ebx,eax
300DE821 . 7D 02 jge short EXCEL.300DE825
300DE823 . 8BC3 mov eax,ebx
300DE825 > 8DB2 40EC8830 lea esi,dword ptr ds:[edx+0x3088EC40]
300DE82B . 8BC8 mov ecx,eax
300DE82D