Article author: gyzy [E.S.T] (www.gyzy.org)    Source: EvilOctal Security Team (www.eviloctal.com)
This article was published in the March 2007 issue of Hacker Line of Defense. The author and Hacker Line of Defense retain the copyright; please credit the source when reprinting.
Intended readers: overflow enthusiasts. Prerequisites: assembly language basics, debugging basics, and the principles of buffer overflows.
Text/figures by "Solitary Smoke Chasing the Clouds" (gyzy) [Jiangsu University Information Security & EvilOctal Information Security Team]
I believe everyone still remembers MS06-055: Internet Explorer did not check the length of the method attribute in Microsoft's Vector Markup Language (VML), which led to a stack overflow. Hardly had the New Year's bell of 2007 rung than another VML vulnerability was exposed, an integer overflow in the recolorinfo handling in CVMLRecolorInfo::InternalLoad(). Someone abroad published proof-of-concept code on milw0rm right away, which no doubt made our analysis easier: by comparing the patched and unpatched binaries we can locate the problematic code, because the patch adds an instruction that checks eax, 'cmp eax, 0x5D1745D', as shown in Figure 1. (0x5D1745D is the largest element count whose product with the 0x2C-byte element size still fits in 32 bits: 0x5D1745D * 0x2C = 0xFFFFFFFC.) In the unpatched code the multiplication has no such bound, so a sufficiently large count wraps the 32-bit allocation size to a small value and the allocated buffer is far too small for the entries that follow. The relevant code is as follows:
.text:6FF176A7 loc_6FF176A7:                    ; CODE XREF: sub_6FF17642+21j
.text:6FF176A7     mov     eax, [esi+8]         ; first element count from the object
.text:6FF176AA     add     eax, [esi+4]         ; plus the second count; 32-bit sum can wrap
.text:6FF176AD     test    eax, eax
.text:6FF176AF     jle     short loc_6FF176C4   ; only a sum <= 0 is rejected
.text:6FF176B1     imul    eax, 2Ch             ; count * 0x2C bytes, no overflow check here (the patch adds cmp eax, 5D1745Dh)
.text:6FF176B4     push    101h
.text:6FF176B9     push    eax                  ; size_t: possibly wrapped size
.text:6FF176BA     call    sub_6FECFEF4         ; allocator
.text:6FF176BF     pop     ecx
.text:6FF176C0     pop     ecx
.text:6FF176C1     mov     [esi+14h], eax       ; store the (undersized) buffer pointer
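To make the arithmetic concrete, here is an added C model of the size computation in the listing above and of the bound the patch adds. It is example code written for this analysis, not code from the article or from vgx.dll; the parameter names count_a/count_b (standing for [esi+4] and [esi+8]) and the assumption that the code later writes 0x2C bytes per element into the buffer are mine. It reproduces the 32-bit wrap exactly and shows the smallest count that slips past the jle check yet yields a tiny allocation.

```c
/* Added example modelling the allocation-size arithmetic of
 * CVMLRecolorInfo::InternalLoad() as shown in the disassembly.
 * Names and the per-element write size are assumptions for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define RECOLOR_ENTRY_SIZE 0x2Cu        /* from "imul eax, 2Ch" */
#define RECOLOR_MAX_COUNT  0x5D1745Du   /* from the patch's "cmp eax, 5D1745Dh";
                                           RECOLOR_MAX_COUNT * 0x2C == 0xFFFFFFFC */

/* 32-bit two's-complement sum, like "mov eax,[esi+8]; add eax,[esi+4]".
 * The casts avoid signed-overflow undefined behaviour in C. */
static int32_t entry_count(int32_t count_a, int32_t count_b)
{
    return (int32_t)((uint32_t)count_b + (uint32_t)count_a);
}

/* Unpatched path. Returns the 32-bit byte count pushed to the allocator,
 * or 0 when the jle path skips allocation (sum <= 0).
 * The multiply discards the high bits exactly as imul does. */
uint32_t vulnerable_alloc_size(int32_t count_a, int32_t count_b)
{
    int32_t count = entry_count(count_a, count_b);
    if (count <= 0)                         /* test eax,eax / jle */
        return 0;
    return (uint32_t)count * RECOLOR_ENTRY_SIZE;
}

/* Patched path: same arithmetic plus the added upper bound on the count.
 * Returns -1 when the count is rejected, otherwise the exact byte count. */
int64_t patched_alloc_size(int32_t count_a, int32_t count_b)
{
    int32_t count = entry_count(count_a, count_b);
    if (count <= 0)
        return 0;
    if ((uint32_t)count > RECOLOR_MAX_COUNT)   /* cmp eax, 5D1745Dh */
        return -1;
    return (int64_t)count * RECOLOR_ENTRY_SIZE;   /* cannot wrap: <= 0xFFFFFFFC */
}

/* True when the unpatched allocation is smaller than count * 0x2C really is,
 * i.e. when filling the entries afterwards would run past the heap block
 * (assumption: the code writes one 0x2C-byte entry per counted element). */
bool heap_overflow_possible(int32_t count_a, int32_t count_b)
{
    int32_t count = entry_count(count_a, count_b);
    if (count <= 0)
        return false;                       /* nothing is allocated or written */
    uint64_t needed = (uint64_t)count * RECOLOR_ENTRY_SIZE;
    return needed > vulnerable_alloc_size(count_a, count_b);
}

int main(void)
{
    /* Constructed inputs: a benign count and the smallest count that wraps
     * (sum = 0x5D1745E, so size = 0x100000028 truncated to 0x28 bytes). */
    printf("benign: size=0x%x overflow=%d\n",
           (unsigned)vulnerable_alloc_size(0, 100), heap_overflow_possible(0, 100));
    printf("wrap:   size=0x%x overflow=%d patched=%lld\n",
           (unsigned)vulnerable_alloc_size(1, 0x5D1745D),
           heap_overflow_possible(1, 0x5D1745D),
           (long long)patched_alloc_size(1, 0x5D1745D));
    return 0;
}
```

Note that the jle only guards against a sum that is zero or negative; a count of 0x5D1745E passes it, the multiply wraps to 0x28, and the allocator hands back a 40-byte block for what the parser believes are nearly a hundred million 44-byte entries. The patch's comparison rejects exactly the counts for which the 32-bit product would wrap.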