SSV:60780
Published: May 07, 2013

WPS Office 'Wpsio.dll' Stack Buffer Overflow Vulnerability

Author: Root
Source: www.seebug.org

EPSS: 0.424 (percentile 97.3%)

BUGTRAQ ID: 59529
CVE(CAN) ID: CVE-2012-4886

WPS Office is an office suite from Kingsoft Corporation.

WPS Office 2012 and other versions contain a stack buffer overflow in the Wpsio.dll module. A BSTR string taken from the document file is copied into a fixed-size stack buffer without its length being checked. An attacker can use this to crash the affected application and may be able to execute arbitrary code.
Affected: Kingsoft Corp WPS Office
Vendor patch:

Kingsoft Corp

The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:

www.wps.cn


Excerpted from
http://seclists.org/fulldisclosure/2013/Apr/247

POC
==================
http://seclists.org/fulldisclosure/2013/Apr/att-247/poc_zip.bin

Crash info
==================
First-chance access violation at wpsio!TxExport+0x37b1: the faulting instruction is an indirect call through [ecx+14h] while ecx holds 0x90909090, the same attacker-supplied bytes that fill the return address and the SEH record further below.
(b70.eb8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012c0a4 ebx=770f4b39 ecx=90909090 edx=0012be00 esi=0012c0a4 edi=0018bd54
eip=45e25208 esp=0012bdec ebp=0012bdf8 iopl=0  nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
wpsio!TxExport+0x37b1:
45e25208 ff5114  call    dword ptr [ecx+14h] ds:0023:909090a4=????????

module info:
start    end        module name
45e00000 4606f000   wpsio      (export symbols)       C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll
    Loaded symbol image file: C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll
    Image path: C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll
    Image name: wpsio.dll
    Timestamp:        Mon May 28 04:10:12 2012 (4FC28A24)
    CheckSum:         0026D933
    ImageSize:        0026F000
    File version:     8.1.0.3238
    Product version:  8.1.0.3238
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0000.04b0
    CompanyName:      Zhuhai Kingsoft Office-software Co.,Ltd
    ProductName:      Kingsoft Office
    InternalName:     wpsio
    OriginalFilename: wpsio.dll
    ProductVersion:   8,1,0,3238
    FileVersion:      8,1,0,3238
    FileDescription:  wpsio
    LegalCopyright:   Copyright©1988-2011 Kingsoft Corporation.  All rights reserved.

Code at the overflow point
==================
In sub_45E2CC84:

.text:45E2CC84 var_210         = byte ptr -210h ; stack buffer, size 0x200
.text:45E2CC84 var_4           = dword ptr -4


.text:45E2CDB3                 push    [ebp+Src]       ; BSTR
.text:45E2CDB9                 call    esi ; SysStringLen -> length in characters
.text:45E2CDBB                 mov     [ebp+var_244], eax
.text:45E2CDC1                 add     eax, eax        ; byte count = 2 * length; 0x170 for the PoC
.text:45E2CDC3                 push    eax             ; Size
.text:45E2CDC4                 push    [ebp+Src]       ; Src
.text:45E2CDCA                 lea     eax, [ebp+var_210]
.text:45E2CDD0                 push    eax             ; Dst
.text:45E2CDD1                 call    memcpy          ; no comparison against the 0x200 buffer size

First copy: 0x170 bytes (SysStringLen * 2) are copied into var_210. The size comes straight from the BSTR length in the file and is never compared against the buffer size.

.text:45E2CE16                 push    edi             ; BSTR (the same string)
.text:45E2CE17                 mov     [ebp+var_234], ax ; length of the first string, in characters
.text:45E2CE1E                 call    esi ; SysStringLen
.text:45E2CE20                 add     eax, eax        ; byte count = 2 * length
.text:45E2CE22                 push    eax             ; Size
.text:45E2CE23                 movzx   eax, [ebp+var_234] ; length
.text:45E2CE2A                 lea     eax, [ebp+eax*2+var_210] ; Dst = var_210 + 2 * length, i.e. right after the first copy
.text:45E2CE31                 push    edi             ; Src
.text:45E2CE32                 push    eax             ; Dst
.text:45E2CE33                 call    memcpy          ; still no bound check

Second copy: the same string is copied again, placed immediately after the first one (var_234 holds the length of the first string in characters, so Dst = var_210 + 2 * var_234). In total 0x2e0 bytes are written into a 0x200-byte buffer, an overrun of 0xe0 bytes.
After the copy the saved return address and the SEH record have been overwritten.

0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c070 90909090 wpsio!TxExport+0xb3e1
0012c148 45e2a113 0x90909090

0:000> !exchain
0012c064: 90909090
Invalid exception stack at 90909090

The source data for both memcpy calls comes from the file poc.wps at offset 0x41d7.
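The two-memcpy pattern described above, modelled in C as an added example; this is not code from the advisory, from the seclists post or from wpsio.dll. The frame layout (struct fake_frame), the function names tx_export_vulnerable and tx_export_hardened, and the 0x9090-filled input standing in for the string at offset 0x41d7 of poc.wps are all assumptions. It reproduces the arithmetic (SysStringLen * 2 bytes, copied twice, back to back) against a 0x200-byte buffer, shows the return-address slot ending up as 0x90909090 for a 0xB8-character string, and puts the hardened form beside it, which rejects anything whose two copies do not fit before the first byte is written:

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   0x200  /* size of var_210 in sub_45E2CC84 */
#define POC_NCHARS 0xB8   /* UTF-16 units in the PoC string: SysStringLen*2 == 0x170 bytes */

/* Assumed, simplified layout of sub_45E2CC84's frame (the real buffer ends at
 * ebp-0x10 and var_4 is at ebp-4): the 0x200-byte buffer is followed by a
 * local, the saved ebp, the return address and the caller's frame (SEH record). */
struct fake_frame {
    uint8_t  var_210[BUF_SIZE];
    uint32_t var_4;
    uint32_t saved_ebp;
    uint32_t return_address;
    uint8_t  caller_frame[0xE0];  /* absorbs the PoC's 0xE0-byte overrun */
};

/* The pattern from the disassembly: SysStringLen(bstr)*2 bytes go into var_210,
 * then the same string again right behind them (Dst = var_210 + 2*var_234).
 * Nothing is ever compared against BUF_SIZE. */
static size_t tx_export_vulnerable(struct fake_frame *f, const uint16_t *bstr, size_t nchars)
{
    uint8_t *dst = (uint8_t *)f;    /* var_210 sits at offset 0 of the frame */
    size_t size = nchars * 2;       /* add eax, eax */
    memcpy(dst, bstr, size);        /* first memcpy */
    memcpy(dst + size, bstr, size); /* second memcpy, placed after the first */
    return size * 2;
}

/* Hardened form: guard the multiplications and bound the total 4*nchars bytes
 * against the buffer before anything is written. Returns -1 on reject. */
static int tx_export_hardened(struct fake_frame *f, const uint16_t *bstr, size_t nchars, size_t *written)
{
    if (nchars > SIZE_MAX / 4) return -1;            /* nchars*4 would wrap */
    size_t size = nchars * 2;
    if (size * 2 > sizeof f->var_210) return -1;     /* both copies must fit */
    memcpy(f->var_210, bstr, size);
    memcpy(f->var_210 + size, bstr, size);
    *written = size * 2;
    return 0;
}

/* Constructed stand-in for the string at offset 0x41d7 of poc.wps: units of
 * 0x9090, matching the 0x90909090 in ecx, the return address and the SEH
 * record in the advisory's dump. */
static void fill_9090(uint16_t *out, size_t nchars)
{
    for (size_t i = 0; i < nchars; i++) out[i] = 0x9090;
}

static void init_frame(struct fake_frame *f)
{
    memset(f, 0, sizeof *f);
    f->var_4 = 0x41414141;            /* sentinels; the next two are taken */
    f->saved_ebp = 0x0012C148;        /* from the advisory's k output      */
    f->return_address = 0x45E2A113;
}

static size_t run_poc_vulnerable(struct fake_frame *f)
{
    uint16_t poc[POC_NCHARS];
    fill_9090(poc, POC_NCHARS);
    init_frame(f);
    return tx_export_vulnerable(f, poc, POC_NCHARS);
}

/* Bytes the vulnerable path writes for the PoC: 0x2E0 into a 0x200 buffer. */
size_t poc_bytes_written(void) { struct fake_frame f; return run_poc_vulnerable(&f); }

/* Return-address slot after the PoC went through: 0x90909090. */
uint32_t poc_return_address(void) { struct fake_frame f; run_poc_vulnerable(&f); return f.return_address; }

/* Hardened path on nchars units of 0x9090 (nchars <= POC_NCHARS): bytes
 * written, 0 if rejected with the frame intact, SIZE_MAX if the frame changed. */
size_t run_hardened(size_t nchars)
{
    struct fake_frame f;
    uint16_t s[POC_NCHARS];
    size_t written = 0;
    if (nchars > POC_NCHARS) return SIZE_MAX;
    fill_9090(s, nchars);
    init_frame(&f);
    if (tx_export_hardened(&f, s, nchars, &written) != 0)
        return f.return_address == 0x45E2A113 ? 0 : SIZE_MAX;
    return written;
}

int main(void)
{
    printf("vulnerable: wrote 0x%zx bytes, return address now 0x%08" PRIx32 "\n",
           poc_bytes_written(), poc_return_address());
    printf("hardened: PoC -> %zu bytes, 0x80 chars -> 0x%zx bytes\n",
           run_hardened(POC_NCHARS), run_hardened(0x80));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The check in tx_export_hardened is deliberately on the total of both copies, not on a single SysStringLen: a bound that only covered the first memcpy would still let the second one run 0x170 bytes past the end of var_210 for this input.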
