Tencent online security check control overflow analysis (not running it) - vulnerability warning - the black bar safety net

2007-07-30T00:00:00
ID MYHACK58:62200716345
Type myhack58
Reporter Anonymous
Modified 2007-07-30T00:00:00

Description

Software file: TSOBase.ocx (UPX packed)
Software name: Tencent Online Safety Center
Software description: Tencent online security check control
Software version: 2006,12,20,4
Test platform: VC6 + XP SP1

Statement: this article is for study and exchange only; all consequences of its use are solely the responsibility of the user.

After seeing that the school had been renamed, and not having been there for a long time, I had some time and wrote an article as filler. I'm also not sure whether this counts as software security.

One of the interface functions of the TSOBase.ocx control,

    BOOL CTSOClean::DownloadPatch(LPCTSTR lpszBuildIDs)
    {
        BOOL result;
        static BYTE parms[] = VTS_BSTR;
        InvokeHelper(0xf, DISPATCH_METHOD, VT_BOOL, (void*)&result, parms, lpszBuildIDs);
        return result;
    }

has a stack overflow vulnerability.

The string passed to the function goes through MultiByteToWideChar and WideCharToMultiByte conversion. So, in the program that calls the control (mine is test.exe), set a breakpoint on WideCharToMultiByte (at the entry of the function). Once that conversion completes, a few steps later execution reaches the processing routine below. On entry, the stack looks like this:

    high
    | ....                          |
    | pointer to converted string   |
    | 10001ea0 (function return EIP)|  <- current esp
    low

    10004790 sub esp,108                      ; esp <- esp-108h (temporary variable storage space)
    10004796 push ebx                         ; esp <- esp-4
    10004797 push ebp                         ; esp <- esp-4
    10004798 mov ebp,dword ptr ss:[esp+114]   ; ebp <- pointer to the converted string
    1000479F xor ebx,ebx
    100047A1 push esi                         ; esp <- esp-4
    100047A2 cmp ebp,ebx                      ; null pointer check
    100047A4 push edi                         ; esp <- esp-4
    100047A5 mov dword ptr ss:[esp+10],ecx
    100047A9 je TSOBase.10004914
    100047AF mov edi,ebp
    100047B1 or ecx,FFFFFFFF
    100047B4 xor eax,eax
    100047B6 repne scas byte ptr es:[edi]
    100047B8 not ecx
    100047BA dec ecx                          ; string length check (< 1)
    100047BB je TSOBase.10004914
    100047C1 mov ecx,40
    100047C6 lea edi,dword ptr ss:[esp+15]
    100047CA mov byte ptr ss:[esp+14],al      ; 1 byte cleared
    100047CE xor esi,esi
    100047D0 rep stos dword ptr es:[edi]      ; 40h*4 bytes cleared
    100047D2 stos word ptr es:[edi]           ; 2 bytes cleared
    100047D4 stos byte ptr es:[edi]           ; 1 byte cleared
    100047D5 mov edi,ebp                      ; (esp+14h..esp+118h) 104h bytes in total
    100047D7 or ecx,FFFFFFFF
    100047DA xor eax,eax
    100047DC mov dword ptr ds:[1006C654],ebx
    100047E2 repne scas byte ptr es:[edi]
    100047E4 not ecx
    100047E6 dec ecx
    100047E7 inc ecx                          ; length of the converted string
    100047E8 je TSOBase.10004914
    100047EE mov dl,byte ptr ds:[ebx+ebp]     ; read the string one byte at a time
    100047F1 cmp dl,7C                        ; is the character '|'?
    100047F4 je short TSOBase.10004819        ; if so, clear the saved area (esp+14h..esp+118h)
    100047F6 mov edi,ebp                      ;   and continue from the next character
    100047F8 or ecx,FFFFFFFF
    100047FB xor eax,eax
    100047FD repne scas byte ptr es:[edi]
    100047FF not ecx
    10004801 dec ecx
    10004802 cmp ebx,ecx                      ; finished processing?
    10004804 je short TSOBase.10004819
    10004806 cmp esi,104                      ; is the count greater than 104h?
    1000480C jg TSOBase.10004914              ; if greater, end
    10004812 mov byte ptr ss:[esp+esi+14],dl  ; copy the character into the cleared area (esp+14h..esp+118h)
    10004816 inc esi                          ; the key cause of the overflow: when the count reaches 104h
    10004817 jmp short TSOBase.10004890       ; the check is not strict, so a 105h-th byte can still be copied,
                                              ; i.e. mov byte ptr ss:[esp+118],dl; esp+118h is where the
                                              ; function's return EIP is saved, so overwriting that byte
                                              ; causes a jump to some other location
    10004819 mov eax,dword ptr ds:[1006C650]
    1000481E xor esi,esi
    10004820 test eax,eax
    10004822 jle short TSOBase.10004881
    10004824 mov ebp,TSOBase.1001F664
    10004829 mov edi,ebp
    1000482B or ecx,FFFFFFFF
    1000482E xor eax,eax
    10004830 repne scas byte ptr es:[edi]
    10004832 not ecx
    10004834 dec ecx
    10004835 lea eax,dword ptr ss:[esp+14]
    10004839 push ecx
    1000483A push ebp
    1000483B push eax
    1000483C call dword ptr ds:[1001A50C]     ; something like strncmp
    10004842 add esp,0C
    10004845 test eax,eax
    10004847 je short TSOBase.1000485B
    10004849 mov eax,dword ptr ds:[1006C650]
    1000484E inc esi
    1000484F add ebp,268
    10004855 cmp esi,eax
    10004857 jl short TSOBase.10004829
    10004859 jmp short TSOBase.1000487A
    1000485B lea ecx,dword ptr ds:[esi+esi*8]
    1000485E lea edx,dword ptr ds:[esi+ecx*2]
    10004861 lea eax,dword ptr ds:[esi+edx*4]
    10004864 mov dword ptr ds:[eax*8+1001F774]
    1000486F mov eax,dword ptr ds:[1006C654]
    10004874 inc eax
    10004875 mov dword ptr ds:[1006C654],eax
    1000487A mov ebp,dword ptr ss:[esp+11C]
    10004881 xor esi,esi
    10004883 mov ecx,41
    10004888 xor eax,eax
    1000488A lea edi,dword ptr ss:[esp+14]
    1000488E rep stos dword ptr es:[edi]
    10004890 mov edi,ebp
    10004892 or ecx,FFFFFFFF
    10004895 xor eax,eax
    10004897 inc ebx
    10004898 repne scas byte ptr es:[edi]
    1000489A not ecx
    1000489C cmp ebx,ecx                      ; has the whole converted string been processed?
    1000489E jb TSOBase.100047EE              ; if not, continue
    100048A4 mov eax,dword ptr ds:[1006C654]
    100048A9 xor edi,edi
    100048AB cmp eax,edi
    100048AD je short TSOBase.10004914
    100048AF mov esi,dword ptr ss:[esp+10]
    100048B3 mov ecx,esi
    100048B5 call TSOBase.10004930
    100048BA mov ecx,dword ptr ds:[1006C654]
    100048C0 push edi
    100048C1 push edi
    100048C2 push esi
    100048C3 push TSOBase.100049A0
    100048C8 mov dword ptr ds:[esi+8610],ecx
    100048CE mov dword ptr ds:[esi+8614],edi
    100048D4 mov dword ptr ds:[esi+8618],-1
    100048DE push edi
    100048DF mov dword ptr ds:[1006C658],edi
    100048E5 push edi
    100048E6 mov dword ptr ds:[esi+86B4],edi
    100048EC mov dword ptr ds:[esi+86B8],edi
    100048F2 call dword ptr ds:[1001A058]     ; kernel32.CreateThread
    100048F8 xor edx,edx
    100048FA cmp eax,edi
    100048FC mov dword ptr ds:[esi+86B0],eax
    10004902 pop edi
    10004903 setne dl
    10004906 pop esi
    10004907 pop ebp
    10004908 mov eax,edx
    1000490A pop ebx
    1000490B add esp,108
    10004911 retn 4
    10004914 pop edi                          ; error return
    10004915 pop esi
    10004916 pop ebp
    10004917 xor eax,eax
    10004919 pop ebx
    1000491A add esp,108
    10004920 retn 4

From the analysis above: on entry to the processing function, 108h+4+4+4+4 = 118h bytes of stack space are reserved for temporary data, and while the converted string is processed its characters are saved temporarily starting at esp+14h. When a converted string is longer than 104h bytes, the 105h-th byte overwrites esp+118h, which is exactly the function's return address. For successful exploitation, that byte has to turn the return address into the address of a RETN instruction; I simply chose 10001ec5, so the 105h-th byte has the value 0xc5. Now look at the stack at 10004920:
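As an added illustration (not code from the advisory or from TSOBase.ocx), the C below models the copy loop above with the control's own bound check beside a corrected one; the struct layout and the sentinel standing in for the saved return address are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Models the '|'-delimited copy loop at 100047EE..10004817: a 104h-byte
 * area (esp+14h..esp+117h) followed directly by the saved return address
 * (esp+118h). The return slot is a sentinel here (an assumption for the
 * demonstration) so the out-of-bounds write is observable safely. */
#define SEG_MAX  0x104         /* bytes cleared by the rep stos sequence */
#define SENTINEL 0xA5A5A5A5u   /* stands in for the saved EIP            */

struct frame {
    uint8_t  seg[SEG_MAX];     /* esp+14h .. esp+117h */
    uint32_t ret_addr;         /* esp+118h            */
};

/* Copies the first '|'-delimited segment of src into f->seg.
 * strict == 0 keeps the control's bound (cmp esi,104h / jg), which still
 * permits the write at index 104h; strict != 0 uses the corrected bound.
 * Returns the number of bytes copied, or -1 when the segment is rejected. */
int copy_segment(struct frame *f, const char *src, int strict)
{
    uint8_t *base = (uint8_t *)f;  /* byte view, like [esp+esi+14h] */
    int esi = 0;
    memset(f->seg, 0, SEG_MAX);
    f->ret_addr = SENTINEL;
    for (size_t i = 0; src[i] != '\0' && src[i] != '|'; i++) {
        if (strict ? esi >= SEG_MAX : esi > SEG_MAX)
            return -1;             /* jg TSOBase.10004914: error return */
        base[esi++] = (uint8_t)src[i]; /* mov byte ptr [esp+esi+14h],dl */
    }
    return esi;
}

/* Constructed probe input: one segment of len 'A' bytes and no '|'. */
struct probe_result { int bytes; int clobbered; };
struct probe_result probe(size_t len, int strict)
{
    static char src[SEG_MAX + 8];
    struct frame f;
    struct probe_result r;
    if (len > sizeof src - 1) len = sizeof src - 1;
    memset(src, 'A', len);
    src[len] = '\0';
    r.bytes = copy_segment(&f, src, strict);       /* -1 when rejected */
    r.clobbered = (f.ret_addr != SENTINEL);        /* 1 if slot changed */
    return r;
}
```

With the original bound, a 105h-byte segment is accepted and the return slot changes, and a 106h-byte segment is rejected only after the slot has already been overwritten, so the error path's retn 4 at 10004920 then runs with the modified return address.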


    high
    +------------+
    | ....       |
    | 0x16498c   | converted string address                 ----- 4
    | 0x73D4436C | MFC42.73D4436C (should be InvokeHelper)  ----- 3
    | 0x16498C   | converted string address                 ----- 2
    | 0x10001ec5 | (the overwritten return address)         ----- 1
    +------------+
    low

Executing retn 4 returns to 1 (0x10001ec5) and leaves esp pointing at 3. After 1 executes, control returns to 3, with esp now pointing at 4; after 3 executes, execution arrives at the address of our instructions. When encoding those instructions, note that the characters go through UNICODE conversion, so take care that the instruction encoding is not restored incorrectly.