About ani 0day simple analysis-vulnerability warning-the black bar safety net

2007-04-02T00:00:00
ID MYHACK58:62200714835
Type myhack58
Reporter 佚名
Modified 2007-04-02T00:00:00

Description

Would have been no effort with this vulnerability, but today to listen to the swan in the irc said the online exp use is not good enough, covers only 2 bytes, so the afternoon using a bit of free time to talk a bit.

In my xp sp2 cn, full patches, the vulnerabilities occur in the following places

77D53A5C 5 5 PUSH EBP 77D53A5D 8BEC MOV EBP,ESP 77D53A5F 8B45 0 8 MOV EAX,DWORD PTR SS:[EBP+8] 77D53A62 8B55 1 0 MOV EDX,DWORD PTR SS:[EBP+1 0] ; You can control the length of the 77D53A65 5 6 PUSH ESI 77D53A66 8B70 0 4 MOV ESI,DWORD PTR DS:[EAX+4] 77D53A69 8D0C16 LEA ECX,DWORD PTR DS:[ESI+EDX] 77D53A6C 3BCE CMP ECX,ESI 77D53A6E 7 2 2 8 JB SHORT USER32. 77D53A98 77D53A70 3BCA CMP ECX,EDX 77D53A72 7 2 2 4 JB SHORT USER32. 77D53A98 77D53A74 3B48 0 8 CMP ECX,DWORD PTR DS:[EAX+8] 77D53A77 7 7 1F JA SHORT USER32. 77D53A98 77D53A79 5 3 PUSH EBX 77D53A7A 5 7 PUSH EDI 77D53A7B 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C] ; target buf [ebp+3c] 77D53A7E 8BCA MOV ECX,EDX ; control the length of the 77D53A80 8BD9 MOV EBX,ECX 77D53A82 C1E9 0 2 SHR ECX,2 77D53A85 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; covers

A copy occurs in user32. dll,note here

77D53A7E 8BCA MOV ECX,EDX ; control the length of the 77D53A80 8BD9 MOV EBX,ECX 77D53A82 C1E9 0 2 SHR ECX,2 77D53A85 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; covers

edx control we copy the length. edx by the ani file 0x54 offset of the incoming, but since the back has some judgment, so you want to trigger the copy, and edx can not be too large.

In my xp sp2 cn all hot fixes, edx = 0x50 exactly cover the upper layer function of the ebp

Because it is from the[ebp+3c]begin to cover, it is not possible in the current function returns control, we can choose a covering layer function's return address.

Since the publication of the exp only covers user32. dll in the two-byte address, this is not very common, so the swan will have the front of that phrase.

In fact, you can overwrite the entire ebp, ebp+4, The control eip.

From codepage to find Chinese universal address is very simple.

And this dll without the/gs protection, so using it is very simple.

Different platforms, such as 2 0 0 0/2 0 0 3 needs to cover the bytes may be different.

But this vulnerability only cover[ebp+4]at 2 bytes, or in user32. dll,generally does not crash

But if the entire eip are covered, if the platform caused by differences in the coverage of the number of bytes is different, it will cause ie to crash

Presumably this is why the disclosure of the exp cover only 2 bytes, the insertion 2 a picture of the reason(that the two images of the length of the control values are different, overwrite the 2 bytes are different)

To killing this is also very simple, the major AV only need to determine the incoming edx whether the length exceeds the limit on it