Vulnerability: https://www.exploit-db.com/exploits/38456/
Author: wj2ge
Test environment: XP SP3
Starting from the provided exploit (EXP):
Attach OllyDbg to the process, set a breakpoint on ReadFile, press F9 to run, then click PLAY.
To get a rough picture of the program's execution flow first, keep stepping with F8.
It turns out execution keeps looping inside a switch/case:
004BA881 |> /8BC7 /mov eax,edi
004BA883 |. |83F8 04 |cmp eax,0x4 ; Switch (cases 0..4)
004BA886 |. |0F87 FD040000 |ja wavtomp3.004BAD89
004BA88C |. |FF2485 93A84B>|jmp dword ptr ds:[eax*4+0x4BA893]
004BA893 |. |A7A84B00 |dd wavtomp3.004BA8A7 ; Switch table used at 004BA88C
004BA897 |. |EEA84B00 |dd wavtomp3.004BA8EE
004BA89B |. |35A94B00 |dd wavtomp3.004BA935
004BA89F |. |F5AB4B00 |dd wavtomp3.004BABF5
004BA8A3 |. |E9AC4B00 |dd wavtomp3.004BACE9
004BA8A7 |> |BA D4AD4B00 |mov edx,wavtomp3.004BADD4 ; ASCII "RIFF"; Case 0 of switch 004BA883 -- most of the time is spent in this case 0
004BA8AC |. |8D4434 08 |lea eax,dword ptr ss:[esp+esi+0x8]
004BA8B0 |. |E8 B7F3FFFF |call wavtomp3.004B9C6C
004BA8B5 |. |84C0 |test al,al
004BA8B7 |. |75 17 |jnz Xwavtomp3.004BA8D0
004BA8B9 |. |8D5434 0C |lea edx,dword ptr ss:[esp+esi+0xC]
004BA8BD |. |B9 01000000 |mov ecx,0x1
004BA8C2 |. |8B43 60 |mov eax,dword ptr ds:[ebx+0x60]
004BA8C5 |. |8B28 |mov ebp,dword ptr ds:[eax]
004BA8C7 |. |FF55 0C |call [arg.2] ; each CALL of this function places one more word of data on the stack
004BA8CA |. |46 |inc esi
004BA8CB |. |E9 B9040000 |jmp wavtomp3.004BAD89
004BA8D0 |> |8D5434 0C |lea edx,dword ptr ss:[esp+esi+0xC]
004BA8D4 |. |B9 04000000 |mov ecx,0x4
004BA8D9 |. |8B43 60 |mov eax,dword ptr ds:[ebx+0x60]
004BA8DC |. |8B38 |mov edi,dword ptr ds:[eax]
004BA8DE |. |FF57 0C |call dword ptr ds:[edi+0xC]
The loop stays in case 0 with no limit on the length, so the stack overflows. The nearest SEH record is at 0x12FB3C, and 4132 bytes overwrite it exactly.
This is a textbook SEH-overwrite overflow exploitation scenario.
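To make the missing check concrete, here is an added C model of the case 0 loop with a bound on the stack buffer (not the author's or wavtomp3's code): the read callback, the HDR_MAX buffer size and the sample RIFF/WAVE bytes are assumptions constructed for the demo, since the page gives only the 4132-byte distance to the SEH record.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the stack buffer the loop fills; the real binary's
 * size is not on the page, only that 4132 bytes reach the SEH record. */
#define HDR_MAX 64

/* Stand-in for the read callback the disassembly calls as [arg.2]:
 * one byte per call (ecx=1 in the listing), 1 on success, 0 at end. */
typedef struct { const unsigned char *data; size_t len, pos; } stream_t;

static int read_byte(stream_t *s, unsigned char *dst) {
    if (s->pos >= s->len) return 0;
    *dst = s->data[s->pos++];
    return 1;
}

/* Case 0 of the switch, with the bound the original lacks: pull bytes into
 * hdr until the last four spell "RIFF", but never write past hdr_cap.
 * Returns the number of bytes consumed through the tag, or -1 on failure. */
int find_riff_bounded(stream_t *s, unsigned char *hdr, size_t hdr_cap) {
    size_t n = 0;
    while (n < hdr_cap) {                       /* the missing length check */
        if (!read_byte(s, &hdr[n])) return -1;  /* input ended without a tag */
        n++;
        if (n >= 4 && memcmp(&hdr[n - 4], "RIFF", 4) == 0) return (int)n;
    }
    return -1;                                  /* too long: reject the file */
}

/* Demo: `prefix` filler bytes followed by a constructed RIFF/WAVE header.
 * Returns what the bounded parser reports for that input. */
int scan_constructed(size_t prefix) {
    static const unsigned char tail[] = "RIFF\x24\x00\x00\x00WAVE";
    size_t tail_len = sizeof tail - 1, len = prefix + tail_len;
    unsigned char *buf = malloc(len);
    if (!buf) return -2;
    memset(buf, 'A', prefix);
    memcpy(buf + prefix, tail, tail_len);
    stream_t s = { buf, len, 0 };
    unsigned char hdr[HDR_MAX];
    int r = find_riff_bounded(&s, hdr, sizeof hdr);
    free(buf);
    return r;
}

int main(void) {
    printf("2-byte prefix: %d\n", scan_constructed(2));        /* 6 */
    printf("4132-byte prefix: %d\n", scan_constructed(4132));  /* -1 */
    return 0;
}
```

With the bound in place the 4132-byte input is rejected instead of walking past the buffer toward the SEH record.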