MS-0 7 0 0 4 analysis and use-vulnerability and early warning-the black bar safety net

ID MYHACK58:62200715323
Type myhack58
Reporter 佚名
Modified 2007-05-03T00:00:00


Article author: gyzy [E. S. T] it Information source: evil octal information security team

This article has been published in the hacker line of Defense of the 2 0 0 7 year 3 monthly. The author and the hacker line of Defense on the retention of copyright, reprint please indicate.

For the reader: overflow of lovers Pre-knowledge: Assembly language basics, debugging based buffer overflow principle

Text/figure of the solitary cigarette by cloud gyzy)【Jiangsu University information security & evil octal information security team】

I believe we the last of MS06-0 5 5 remember right, Microsoft's vector Markup Language VML in the Method variables IE not for its length to be checked, leading to a stack overflow vulnerability. 2 0 0 7 the year the New Year bell had just sounded, and one on the VML vulnerability exposure, CVMLRecolorinf:InternalLoad() in recolorinfo method in the presence of integer overflow, milw0orm on foreign someone the first time published the poc code, no doubt for our analysis process provide a convenient, we can binary patch the comparative positioning to the problems of the code, the patch added a to eax check the instruction'cmp eax, 0x5d1745d', as shown in Figure 1: ! Figure 1 The relevant code is as follows:

. text:6FF176A7 loc_6FF176A7: ; CODE XREF: sub_6FF17642+21j . text:6FF176A7 mov eax, [esi+8] . text:6FF176AA add eax, [esi+4] . text:6FF176AD test eax, eax . text:6FF176AF jle short loc_6FF176C4 . text:6FF176B1 imul eax, 2Ch . text:6FF176B4 push 101h . text:6FF176B9 push eax ; size_t . text:6FF176BA call sub_6FECFEF4 . text:6FF176BF pop ecx . text:6FF176C0 pop ecx . text:6FF176C1 mov [esi+14h], eax

eax is from the html code in the Get, because the 3 2-bit register can be represented by the number range is limited, so if we submitted a very large number, so multiplied by the 2Ch later on but the smaller, 6FF176BA the code calls the malloc application heap memory, so the vulnerability is essentially because of an integer overflow and indirectly lead to a stack overflow, so how do we locate this piece of code? We first in the OD in the above code a hard breakpoint in the command line input he 7FF176AD, and then open the poc page, and very soon the OD is broken down, as shown in Figure 2: ! Figure 2 Then follow up 6FECFEF4 got malloc returns a pointer 003A8320, in this address the upper and lower write-off point, hw 003A8320, broken in, shown in Figure 3 ! Figure 3 push 0B pop ecx and the following rep movs which third instruction is the rgb x, x, x)(see the back of the Exp of the color parameters after a certain algorithm, hereinafter referred to as the RGB algorithm the calculated results are copied to the heap, each 0B bytes. recolorinfo a total of five parameters, respectively, tocolor, the lbcolor, and forecolor, the backcolor, the fromcolor need to go through the RGB algorithm is derived, 0B*5 =2C, we can guess that each of the following recolorinfoentry are copies of the 2C single byte to the stack, we look at the OD below the data window to verify our guess, it really is from 003A83FC at the beginning of each 2C decimal 4 4 byte of data is repeated. Then we press the F9 button to let IE run up and OD tips with the exception, as shown in Figure 4: ! Figure 4 Obviously some of the function pointer is overwritten, we search in memory 6E006F00, in 0 0 0 1 0 1 0 1 The place to find the string sequence, and the 0 0 0 1 0 1 0 1 that occurs in the heap data in memory if we could will the pointer point to our shellcode, Hey to use? This vulnerability in turn and ordinary stack overflow use a little bit different, a traditional heap overflow by the secondary Alloc or Free rewrite RtlEnterCriticalSection or Unhandled Exception Filter, etc. pointer to gain code execution rights, IE. you can by a“violent expansion of the heap”method to obtain the code execution right is connected to a 0 5 0 5 0 5 0 5+shellcode such a form, the stack is from low address to high address growth, then look at the heap is that we cover the data, if we call not[0 0 0 1 0 1 0 1]but[0 1 0 1 0 1 0 0]then just jump to 0 5 0 5 0 5 0 5 this address, in a series of Add eax, the 5050505h after the instruction, these instructions are irrelevant, the final jump into our shellcode execution, the heap data is by recolorinfo some of the parameters obtained, the specific algorithm I'm not fine with, big head Ah, but the rgb x, x, x the three parameters will eventually be directly determined function pointer points, the online publication of poc in the rgb (1,1,1)The generation of the address is 0 0 0 1 0 1 0 1 It. In addition to this vulnerability due to the Loom and the ISO does not 1 0 0% success rate, I believe now see readers and friends also know what is the reason. Then we put the shellcode into their own down&exec, on how to write shellcode we can flip flop black anti previous article. But one thing is to remember previous to plus 4 a nop, otherwise it may fail, because the continuous 0 5 0 5 0 5 corrupts your shellcode, you need a few nop buffer bit, made me depressed for a while, the sweat...I'm on Chinese xp SP2 + IE6 under the test is successful, the test code below, the test results shown in Figure 5: ! The relevant code of the view:! article_1066_code.txt In addition, in order to facilitate the Black anti-readers to the test, I wrote a generator, the filling is down&exec Shellcode, and fill in to download the app URL points to generate, if all goes well, the program will be executed, hope you do not for illegal purposes! Need to extend the functions themselves can be modified shellcode, by changing the RGB algorithm, three parameters can be more accurate positioning of the shellcode, if the readers have any good ideas or methods, be sure to tell everyone Ah, another javascript encryption can hide from antivirus software and the hunted, the rising card with a leak-proof wall function can prevent IE to execute code in a certain extent does make a considerable part of the net horse no choice, here also recommended the majority of Internet users use, in order to avoid recruitment, but the world is not impervious to wind wall, if we in the shellcode will be code injected into other processes download perform then the leakage preventing wall is useless, and my blog www. gyzy. org there is such a shellcode, the interested reader can improve the look of shellcode Articles write a comparison in a hurry, errors omissions inevitable, right when the initiate, have any questions, and I welcome the Exchange: (Relates to program or code has been included into the magazine supporting the disc“magazine”section.)