{"id":780,"date":"2011-12-17T21:41:55","date_gmt":"2011-12-17T13:41:55","guid":{"rendered":"http:\/\/notes.zerobox.org\/?p=780"},"modified":"2011-12-17T21:41:55","modified_gmt":"2011-12-17T13:41:55","slug":"%e5%a0%86%e5%9d%97%e5%8f%8c%e9%87%8d%e9%87%8a%e6%94%be%e6%bc%8f%e6%b4%9e%e8%b0%83%e8%af%95%e6%8a%80%e5%b7%a7","status":"publish","type":"post","link":"http:\/\/zerobox.org\/notes\/780.html","title":{"rendered":"\u5806\u5757\u53cc\u91cd\u91ca\u653e\u6f0f\u6d1e\u8c03\u8bd5\u6280\u5de7"},"content":{"rendered":"<p><strong>\u6280\u5de7\u4e00\uff1a<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>\u4e0b\u65ad\uff1a<\/p>\n<p>bu 3440D279 \".if(1){.echo EnterVulnFunc;gc}\"<\/p>\n<p>bu 6e264b6c \".if(1){.echo Free heap block; dd esp l4;gc}\"<\/p>\n<p>&nbsp;<\/p>\n<p>\u8f93\u51fa\u7ed3\u679c\uff1a<\/p>\n<p>EnterVulnFunc<\/p>\n<p>Free heap block<\/p>\n<p>0011bc5c\u00a0\u00a0<strong>3441e2a2\u00a0<\/strong><strong>138f0020\u00a0<\/strong>3b906313 10027b64<\/p>\n<p>Free heap block<\/p>\n<p>0011bc5c\u00a0\u00a0<strong>3441dc6c\u00a0138f0020<\/strong>\u00a03b906313 10027b64<\/p>\n<p>(1508.e84): Access violation &#8211; code c0000005 (first chance)<\/p>\n<p>First chance exceptions are reported before any exception handling.<\/p>\n<p>This exception may be expected and handled.<\/p>\n<p>eax=138f0018 ebx=138f0020 ecx=6e287a7e edx=10028a70 esi=008a0000 edi=00000000<\/p>\n<p>eip=77691f88 esp=0011bbe8 ebp=0011bbf8 iopl=0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0nv up ei pl zr na pe nc<\/p>\n<p>cs=001b\u00a0\u00a0ss=0023\u00a0ds=0023\u00a0\u00a0es=0023\u00a0\u00a0fs=003b\u00a0gs=0000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0efl=00010246<\/p>\n<p>ntdll!RtlFreeHeap+0x3a:<\/p>\n<p>77691f88 80780705\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0cmp\u00a0\u00a0\u00a0\u00a0\u00a0byte ptr [eax+7],5\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ds:0023:138f001f=??<\/p>\n<p>0:000&gt; kb<\/p>\n<p>ChildEBP RetAddr\u00a0\u00a0Args to 
Child<\/p>\n<p>0011bbf8 75aaf14c 008a0000 00000000 138f0020 ntdll!RtlFreeHeap+0x3a<\/p>\n<p>0011bc0c 6e264c39 008a0000 00000000 138f0020 kernel32!HeapFree+0x14<\/p>\n<p>0011bc58\u00a0<strong>3441dc6c\u00a0<\/strong><strong>138f0020\u00a0<\/strong>3b906313 10027b64\u00a0<strong>MSVCR80!free<\/strong>+0xcd<\/p>\n<p>&nbsp;<\/p>\n<p><strong>\u6280\u5de7\u4e8c\uff1a<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>0:000&gt; kb<\/p>\n<p>ChildEBP RetAddr \u00a0Args to Child<\/p>\n<p>0012fbe4 7c85079b 015b1000 0012fc94 0012fc70 ntdll!DbgBreakPoint<\/p>\n<p>0012fbf4 7c87204b 00000007 7c8722f8 015b1000 ntdll!RtlpPageHeapStop+0x72<\/p>\n<p>0012fc70 7c873305 015b1000 00000004 003f5858 ntdll!RtlpDphReportCorruptedBlock+0x11e<\/p>\n<p>0012fca0 7c8734c3 015b1000 003f0000 01001002 ntdll!RtlpDphNormalHeapFree+0x32<\/p>\n<p>0012fcf8 7c8766b9 015b0000 01001002 003f5858 ntdll!RtlpDebugPageHeapFree+0x146<\/p>\n<p>0012fd60 7c860386 015b0000 01001002 003f5858 ntdll!RtlDebugFreeHeap+0x1ed<\/p>\n<p>0012fe38 7c81d77d 015b0000 01001002 003f5858 ntdll!RtlFreeHeapSlowly+0x37<\/p>\n<p>0012ff1c 78134c3b 015b0000 01001002 003f5858 ntdll!RtlFreeHeap+0x11a<\/p>\n<p>0012ff68\u00a0<strong>00401016<\/strong>\u00a0<strong>003f5858\u00a0<\/strong>003f5858 00000064 MSVCR80!free+0xcd<\/p>\n<p>&nbsp;<\/p>\n<p>0:000&gt; !heap -p -a 0x3f5858<\/p>\n<p>address 003f5858 found in<\/p>\n<p>_HEAP @ 3f0000<\/p>\n<p>in HEAP_ENTRY: Size : Prev Flags &#8211; UserPtr UserSize &#8211; state<\/p>\n<p>3f5830: 0014 : N\/A \u00a0[N\/A] &#8211; 3f5858 (70) &#8211; (free DelayedFree)<\/p>\n<p>Trace: 004f<\/p>\n<p>7c860386 ntdll!RtlFreeHeapSlowly+0x00000037<\/p>\n<p>7c81d77d ntdll!RtlFreeHeap+0x0000011a<\/p>\n<p>78134c3b\u00a0<strong>MSVCR80!free<\/strong>+0x000000cd \u00a0 \u00a0 \u00a0 \/\/ 
\u5728callstack\u4e2d\u5df2\u663e\u793a\u66fe\u88ab\u91ca\u653e\u8fc7\u4e00\u6b21<\/p>\n<p><strong>401010<\/strong>win32!main+0x00000010<\/p>\n<p>77e523cd kernel32!BaseProcessStart+0x00000023<\/p>\n<p>&nbsp;<\/p>\n<p>0:000&gt; uf\u00a0<strong>00401010<\/strong><\/p>\n<p>74 00401000 56 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 push \u00a0 \u00a0esi<\/p>\n<p>75 00401001 6a64 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 push \u00a0 \u00a00x64<\/p>\n<p>75 00401003 e824000000 \u00a0 \u00a0 \u00a0 call \u00a0 \u00a0win32!operator new[] (0040102c)<\/p>\n<p>75 00401008 8bf0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0 esi,eax<\/p>\n<p>76 0040100a 56 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 push \u00a0 \u00a0esi<\/p>\n<p>76 0040100b e828000000 \u00a0 \u00a0 \u00a0 call \u00a0 \u00a0win32!operator\u00a0<strong>delete<\/strong>\u00a0(00401038)<\/p>\n<p>77 00401010 56 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 push \u00a0 \u00a0esi<\/p>\n<p>&nbsp;<\/p>\n<p>77 00401011 e81c000000 \u00a0 \u00a0 \u00a0 call \u00a0 \u00a0win32!operator\u00a0<strong>delete<\/strong>\u00a0(00401032)<\/p>\n<p>&nbsp;<\/p>\n<p><strong>\u6280\u5de7\u4e09\uff1a<\/strong><\/p>\n<p>\u7531\u4e8e\u5806\u5757\u662f\u52a8\u6001\u5206\u914d\uff0c\u6bcf\u6b21\u52a0\u8f7d\u8c03\u8bd5\u65f6\uff0c\u8fdb\u7a0b\u6240\u5206\u914d\u7684\u5806\u5757\u5730\u5740\u90fd\u662f\u4e0d\u540c\u7684\u3002\u4e3a\u4e86\u63d0\u9ad8\u5206\u6790\u6548\u7387\uff0c\u6211\u4eec\u53ef\u4ee5\u5728\u8c03\u8bd5\u5230\u4e00\u5b9a\u7a0b\u5ea6\u65f6\u4fdd\u5b58\u865a\u62df\u673a\u5feb\u7167\uff0c\u7b49\u6211\u4eec\u9700\u8981\u91cd\u65b0\u52a0\u8f7d\u8c03\u8bd5\u65f6\uff0c\u53ef\u4ee5\u76f4\u63a5\u6062\u590d\u865a\u62df\u673a\u5feb\u7167\uff0c\u8fd9\u6837\u6bcf\u6b21\u8c03\u8bd5\u7684\u5806\u5757\u5730\u5740\u90fd\u662f\u56fa\u5b9a\u7684\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u6280\u5de7\u4e00\uff1a &nbsp; \u4e0b\u65ad\uff1a bu 3440D279&#8243;.if(1) &hellip;<\/p>\n<p class=\"read-more\"><a 
href=\"http:\/\/zerobox.org\/notes\/780.html\">\u7ee7\u7eed\u9605\u8bfb &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[182],"class_list":["post-780","post","type-post","status-publish","format-standard","hentry","tag-182"],"views":949,"_links":{"self":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/comments?post=780"}],"version-history":[{"count":0,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/780\/revisions"}],"wp:attachment":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/media?parent=780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/categories?post=780"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/tags?post=780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}