Office (CVE-2012-0158) vulnerability analysis

2019/9/12

1. Vulnerability reproduction

① Crash found

② Locate the vulnerable function, set a breakpoint on it, re-run, and single-step until the place where the stack is overwritten is found

③ Analyze the function

Load MSCOMCTL into IDA and look at the function's code

④ View the call stack.

First find the address at which the return address is overwritten, then see how it gets overwritten

Find the function that triggers the vulnerability and examine its parameters; the pointer that triggers the vulnerability is its first argument

Enter the function and find the statement that triggers the vulnerability

As can be seen, a large amount of data is copied into a four-byte local variable. This overflows the stack and overwrites the return address of the function that owns the local variable, which is the vulnerability.

2. Exploit

① Principle analysis

Analysis shows that the vulnerable data is handled by a function that is called twice.

The first call: read the byte count stored in the file (0xC) and compare it with the incoming parameter; if they are equal, copy that many (0xC) bytes out.

The second call: the data extracted by the first call is passed in as the parameter; 4 bytes are read from the file and compared with this parameter, and if they are equal, a number of bytes equal to the size parameter is copied.
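The bounds check that the copy described above is missing, shown as an added example that is not code from the original post or from MSCOMCTL. The record layout is an assumption: a little-endian 32-bit byte count followed by that many payload bytes, destined for a 4-byte field like the local variable the post describes. `read_field` refuses any record whose count does not fit the destination before copying anything, and `validate_stream` runs that check over a whole stream; the two sample streams are constructed here, one well formed and one containing a record that declares 0x30 bytes for the 4-byte field.

```c
/* Added example, not code from the original post or from MSCOMCTL: a bounds-
 * checked reader for a length-prefixed record of the shape the post describes.
 * Layout is assumed: little-endian 32-bit byte count, then that many payload
 * bytes, destined for a 4-byte field that the vulnerable code filled unchecked. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_SIZE 4u              /* the four-byte local from the post */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,           /* stream ends before the declared count */
    PARSE_OVERSIZE = 2             /* declared count exceeds the 4-byte field */
};

/* Little-endian u32, read byte by byte so no alignment is assumed. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one record at stream[*offset] into field (zero padded).  On failure
 * nothing is copied and *offset is unchanged: fail closed, never half-filled. */
enum parse_status read_field(const uint8_t *stream, size_t stream_len,
                             size_t *offset, uint8_t field[FIELD_SIZE])
{
    size_t pos = *offset;
    uint32_t count;
    if (pos > stream_len || stream_len - pos < 4)
        return PARSE_TRUNCATED;
    count = read_le32(stream + pos);
    pos += 4;
    /* The check the vulnerable code lacked: the file-controlled count must
     * fit the destination before anything is copied. */
    if (count > FIELD_SIZE)
        return PARSE_OVERSIZE;
    if (stream_len - pos < count)
        return PARSE_TRUNCATED;
    memset(field, 0, FIELD_SIZE);
    memcpy(field, stream + pos, count);
    *offset = pos + count;
    return PARSE_OK;
}

/* Records accepted before the first bad one; *stop gets its status (PARSE_OK if clean). */
size_t validate_stream(const uint8_t *stream, size_t stream_len,
                       enum parse_status *stop)
{
    size_t offset = 0, good = 0;
    uint8_t field[FIELD_SIZE];
    while (offset < stream_len) {
        enum parse_status st = read_field(stream, stream_len, &offset, field);
        if (st != PARSE_OK) {
            *stop = st;
            return good;
        }
        good++;
    }
    *stop = PARSE_OK;
    return good;
}

/* Constructed sample streams (not from any real document); buf holds 64 bytes. */
static size_t build_sample(int oversize, uint8_t *buf)
{
    static const uint8_t first[] = { 0x04, 0, 0, 0, 'A', 'B', 'C', 'D' };
    static const uint8_t second[] = { 0x02, 0, 0, 0, 'x', 'y' };
    size_t n = sizeof first;
    memcpy(buf, first, n);
    if (!oversize) {                          /* count 2, payload "xy" */
        memcpy(buf + n, second, sizeof second);
        return n + sizeof second;
    }
    /* A record declaring 0x30 bytes for a 4-byte field: the overflow shape. */
    buf[n] = 0x30; buf[n + 1] = buf[n + 2] = buf[n + 3] = 0;
    memset(buf + n + 4, 'A', 0x30);
    return n + 4 + 0x30;
}

/* Status of the first bad record in a sample (PARSE_OK if the stream is clean). */
enum parse_status sample_status(int oversize)
{
    uint8_t buf[64];
    enum parse_status st;
    size_t len = build_sample(oversize, buf);
    validate_stream(buf, len, &st);
    return st;
}

/* Well-formed records accepted before the sample stopped. */
size_t sample_good_records(int oversize)
{
    uint8_t buf[64];
    enum parse_status st;
    size_t len = build_sample(oversize, buf);
    return validate_stream(buf, len, &st);
}
```

The benign sample yields two accepted records and `PARSE_OK`; the oversize sample stops after one record with `PARSE_OVERSIZE`, without any byte of the oversized payload reaching the 4-byte field. A document that trips this status on a field with a known fixed size is malformed at best, which makes the check a cheap triage signal as well as the fix.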

The function sub_275C876D is called twice

The first copy

As long as the two comparison values stored in the file (the byte counts to read) are equal and greater than or equal to 4, the vulnerability is certain to trigger, and it is very easy to exploit: a single jmp esp instruction is enough.

② Shellcode

1. Find the address of a jmp esp instruction in a module, preferably one that is not a built-in system module and has none of the various protections enabled

I chose Immunity Debugger and found a qualifying module: MSVBVM60.DLL

Find the address of a jmp esp in that module; it must lie in a section whose attributes are readable and executable. There is one at 0x729a0535

Replace the 41414141 with the jmp esp address. Because the function ends with ret 8, leave 8 empty bytes after it and then append the shellcode. Just set the read size accordingly and you can do whatever you want.

PoC file

Source: www.cnblogs.com/jf-blog/p/12368618.html