A simple analysis of the MPlayer player's .m3u file-format vulnerability (vulnerability warning, 黑吧安全网 / Heiba Security Net)

2011-09-06T00:00:00
ID MYHACK58:62201131775
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-09-06T00:00:00

Description

Foreword: lately I have been working hard at learning vulnerability analysis, using failwest's book <0day, Second Edition> as a reference, together with the Storm (Baofeng) player .m3u file-reading vulnerability (also analyzed by "fresh fruit" on the 看雪 (Kanxue) forum). Being no expert, I can only run along behind the big names. The Storm .m3u analysis I attach was debugged with the help of my colleague dge; striking while the iron is hot, I then analyzed the same class of vulnerability on my own in the MPlayer player. Treat this as a summary of my own knowledge. It is my first article, so criticism is welcome, and anything unclear can be asked by e-mail.

Test environment: Windows XP SP3 (Chinese), tested on a physical machine rather than a virtual machine, with the 看雪 (Kanxue) edition of OllyICE. The PoC and the affected software version are at http://www.exploit-db.com/exploits/17565/

Triggering the vulnerability under the debugger: attach OllyICE to the mplayer.exe process and set OD's exception handling (toolbar -> Options -> Debugger options -> Exceptions tab):

    Ignore memory access violations in KERNEL32, and tick the following options:
      - INT3 breaks
      - Single-step break
      - Integer division by 0
      - Invalid or privileged instruction
      - All FPU exceptions

Then generate the .m3u file (from the PoC) and drag it onto the mplayer player window. Press F9 to run; OD automatically breaks on the exception and shows the faulting instruction. Look at OD's stack window to view the stack at that point:

    0022E948  00000000
    0022E94C  00561760  return to mplayer.00561760 from <jmp.&msvcrt.strcpy>  (suspect)
    0022E950  0022EBB8  ASCII "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...
    0022E954  003FD5C8  ASCII "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...
    0022E958  00000000
    0022E95C  00000000
    0022E960  00000000
    0022E964  0022E974
    0022E968  00000000
    0022E96C  7C930098  return to ntdll.7C930098 from ntdll.7C922AB0

The stack shows a return from the strcpy import thunk, <jmp.&msvcrt.strcpy> (suspected at this point, confirmed later). Right-click that line and choose "Follow in Disassembler" to land in the main disassembly window, set a breakpoint on that call, reload the .m3u into mplayer and press F9 to run to the breakpoint. The stack and the disassembly can then be examined:

The stack information:

    0022E950  0022EBB8  |dest = 0022EBB8  (destination address)
    0022E954  003FD5C8  \src  = "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...  (source address)
    0022E958  00000000
    0022E95C  00000000
    0022E960  00000000
    0022E964  0022E974
    0022E968  00000000
    0022E96C  7C930098  return to ntdll.7C930098 from ntdll.7C922AB0

The main disassembly window:

    00561754  |. 895C24 04          mov dword ptr [esp+4], ebx        ; ||
    00561758  |. 890424             mov dword ptr [esp], eax          ; ||
    0056175B  |. E8 A8032900        call <jmp.&msvcrt.strcpy>         ; |\strcpy
    00561760  |. 8D9424 680200>     lea edx, dword ptr [esp+268]      ; |
    00561767  |. C74424 04 2F0>     mov dword ptr [esp+4], 2F         ; |
    0056176F  |. 891424             mov dword ptr [esp], edx          ; |
    00561772  |. E8 C1032900        call <jmp.&msvcrt.strrchr>        ; \strrchr

Press F7 to step into the call:

    77C16030 >  57                 push edi
    77C16031    8B7C24 08          mov edi, dword ptr [esp+8]
    77C16035    EB 6A              jmp short 77C160A1
    77C16037    8DA424 00000000    lea esp, dword ptr [esp]
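The pattern the disassembly exposes, a strcpy of one playlist line into a fixed-size stack buffer followed by a strrchr for '/' (0x2F), is written out below as an added C example; it is not code from MPlayer or from this write-up. The unchecked copy is kept only to show the shape of the bug and is never fed untrusted input; the checked copy refuses any entry that would not fit, and parse_m3u applies it to a constructed playlist that contains an oversized "http://AAAA..." line like the one in the stack dump, counting that line as rejected instead of overflowing. The buffer size ENTRY_BUF, the function names and the sample playlist are assumptions of this example, not values taken from the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed stack buffer a playlist entry is copied into.
 * The write-up's disassembly does not reveal the real size; 256 is a
 * constructed value so the example can demonstrate the length check. */
#define ENTRY_BUF 256

/* Vulnerable shape seen in the disassembly: strcpy(dest, src) with no check
 * that src fits in dest. Shown for contrast only; not called on untrusted data. */
void copy_entry_unchecked(char *dest, const char *src)
{
    strcpy(dest, src);   /* overflows dest when strlen(src) >= ENTRY_BUF */
}

/* Hardened replacement: refuse entries that do not fit, NUL included.
 * Returns 0 on success, -1 when the entry would overflow dest. */
static int copy_entry_checked(char *dest, size_t destsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= destsz)
        return -1;
    memcpy(dest, src, n + 1);
    return 0;
}

/* Final path component of an entry (after the last '/'), or the entry itself
 * when it has no '/': the same strrchr(..., 0x2F) the disassembly does after
 * the copy. */
static const char *entry_basename(const char *entry)
{
    const char *slash = strrchr(entry, '/');
    return slash ? slash + 1 : entry;
}

/* Walks an m3u text line by line. Blank lines and '#' directives are skipped;
 * every other line is a media URL or path and is copied into a fixed local
 * buffer with the checked copy. Counts accepted and rejected entries and
 * stores the basename of the last accepted entry in last_base.
 * Returns the number of lines examined, or -1 on allocation failure. */
static int parse_m3u(const char *text, int *accepted, int *rejected,
                     char *last_base, size_t last_base_sz)
{
    char entry[ENTRY_BUF];
    int lines = 0;
    const char *p = text;

    *accepted = 0;
    *rejected = 0;
    if (last_base_sz)
        last_base[0] = '\0';

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len && p[len - 1] == '\r')   /* tolerate CRLF playlists */
            len--;
        lines++;

        if (len > 0 && p[0] != '#') {
            /* NUL-terminated copy of this one line for the checked copy. */
            char *line = malloc(len + 1);
            if (!line)
                return -1;
            memcpy(line, p, len);
            line[len] = '\0';

            if (copy_entry_checked(entry, sizeof entry, line) == 0) {
                (*accepted)++;
                if (last_base_sz) {
                    strncpy(last_base, entry_basename(entry), last_base_sz - 1);
                    last_base[last_base_sz - 1] = '\0';
                }
            } else {
                (*rejected)++;   /* would have overflowed 'entry' */
            }
            free(line);
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return lines;
}

/* Constructed playlist: one ordinary entry plus one "http://" line padded with
 * a_count 'A's, mirroring the string in the stack dump. Caller frees it. */
static char *build_sample_m3u(size_t a_count)
{
    const char *head = "#EXTM3U\n#EXTINF:123,Sample\n"
                       "http://example.invalid/music/song.mp3\nhttp://";
    size_t headlen = strlen(head);
    char *buf = malloc(headlen + a_count + 2);
    if (!buf)
        return NULL;
    memcpy(buf, head, headlen);
    memset(buf + headlen, 'A', a_count);
    buf[headlen + a_count] = '\n';
    buf[headlen + a_count + 1] = '\0';
    return buf;
}

int main(void)
{
    char base[64];
    int acc, rej;
    char *m3u = build_sample_m3u(600);
    int lines = parse_m3u(m3u, &acc, &rej, base, sizeof base);
    printf("lines=%d accepted=%d rejected=%d last basename=%s\n",
           lines, acc, rej, base);
    free(m3u);
    return 0;
}
```

Run as-is it reports four lines examined, one entry accepted (basename song.mp3) and the 607-byte "http://AAAA..." line rejected; with copy_entry_unchecked in place of the checked copy that same line would overrun the 256-byte local and smash the saved return address, which is exactly what the debugger session above catches.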
