vm 快照快速分析堆类型漏洞
先选择一个虚拟机快照作为分析起点。这个点要把握好:要选在堆布局已经基本固定、之后不再变化的时刻(即 poc 已经完成对象分配,但还没有触发溢出)。这样每次恢复快照再运行,各个对象的地址都能复现——下面直接对固定地址下断点,靠的就是这一点。
然后直接运行 poc,在崩溃处下断点 Flash11e+0x5261c(崩溃指令前一条,即取 this 指针的那一条),这样下次恢复快照后可以在崩溃之前先停下来看对象内容:
0:022> u Flash11e+0x5261c
Flash11e+0x5261c:
053c261c 8bb614050000 mov esi,dword ptr <Unloaded_ud.drv>+0x513 (00000514)[esi]
053c2622 8b06 mov eax,dword ptr [esi] ; esi 是 this 对象指针,这一条读出对象首个 dword(虚表指针),紧接着 call dword ptr [eax+8] 就是通过这张虚表做虚调用。所以只要找出是谁覆盖了这个对象(尤其是它的第一个 dword)就行了
053c2624 8bce mov ecx,esi
053c2626 ff5008 call dword ptr [eax+8]
053c2629 8b4df0 mov ecx,dword ptr [ebp-10h]
053c262c e825f3faff call Flash11e+0x1956 (05371956)
恢复快照重新运行,第一次命中断点:
0:000> g
Breakpoint 2 hit
eax=05ff3000 ebx=00000000 ecx=7c80189c edx=00000004 esi=05fd4810 edi=00000001
eip=053c261c esp=0639fec0 ebp=0639ff0c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
Flash11e+0x5261c:
053c261c 8bb614050000 mov esi,dword ptr <Unloaded_ud.drv>+0x513 (00000514)[esi] ds:0023:05fd4d24=05cac160
0:023> dd 05fd4810
05fd4810 059d8c08 05cb4020 05f6b218 00000000
05fd4820 05fd4810 000007f0 00000000 00000001
05fd4830 00000000 00000000 00000000 059d4fcc
05fd4840 00000000 00000000 00000000 001ac278
05fd4850 ffffffff 00000000 00000000 00000000
05fd4860 00000000 00000001 053c51bb 05fd4810
05fd4870 00000960 00000066 05caa084 05fd5000
05fd4880 00000001 00000000 00000000 00000000
0:023> p
eax=05ff3000 ebx=00000000 ecx=7c80189c edx=00000004 esi=05cac160 edi=00000001
eip=053c2622 esp=0639fec0 ebp=0639ff0c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
Flash11e+0x52622:
053c2622 8b06 mov eax,dword ptr [esi] ds:0023:05cac160=0c0c0c0c ← this 对象(05cac160)的首个 dword 即虚表指针已被覆盖成 0c0c0c0c(堆喷射常用的填充值);随后的 call dword ptr [eax+8] 会把 0c0c0c0c+8 处的内容当成函数指针调用,控制流就此被劫持到喷射数据上。这里记下被破坏对象的地址 05cac160
重新恢复虚拟机快照,对被破坏对象的首地址下硬件写断点:ba w 1 05cac160(只监视写入,任意一个字节被写即触发;快照恢复后地址不变,所以这个地址仍然有效)。
然后按 F5(g)连续运行。下面第一次停下来的看起来是另外一个 CreateFileW 断点(输出里的 "creatfile"),与本次无关,但注意其 kb 中 05cac160 还作为参数正常传入,说明对象此时尚未被破坏;再 g 一次,就命中了写断点,直接停在覆盖该对象的拷贝指令上:
0:000> g
creatfile
05cc8320 "\\?\C:\DOCUME~1\torpedo\LOCALS~1"
05cc8360 "\Temp\fla56.tmp"
ChildEBP RetAddr Args to Child
0012c6c8 055454df 05cc8320 c0000000 00000000 kernel32!CreateFileW
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c6f0 05545560 05cc8320 c0000000 00000000 Flash11e!DllUnregisterServer+0x39e3b
0012c724 053c224b 05cac160 05fd4810 053c4ef8 Flash11e!DllUnregisterServer+0x39ebc
0012c748 05476a5d 0012c8c0 00002000 00002890 Flash11e+0x5224b
0012c7b4 054f0f60 0012c8c0 00002000 00000000 Flash11e+0x106a5d
eax=05cc8320 ebx=00000000 ecx=05cca758 edx=00000000 esi=05cac160 edi=05cb3158
eip=7c8107f0 esp=0012c6cc ebp=0012c6f0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040246
kernel32!CreateFileW:
7c8107f0 8bff mov edi,edi
0:000> g
Breakpoint 2 hit
eax=05ff18b8 ebx=ffffffff ecx=000001e4 edx=00000002 esi=05ff1126 edi=05cac164
eip=05938baa esp=0619fce0 ebp=0619fce8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
Flash11e!DllUnregisterServer+0x42d506:
05938baa f3a5 rep movs dword ptr es:[edi],dword ptr [esi] -----快速找到拷贝溢出的地方:写断点命中时 edi=05cac164,说明刚刚写完 05cac160 这个 dword(即虚表指针);ecx=1e4 表示还有 0x1e4 个 dword(0x790 字节)要继续拷,源 esi 处全是 0c——这次拷贝已经越过了它自己的目标缓冲区,正在把 poc 数据写进相邻对象
0:022> db esi
05ff1126 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1136 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1146 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1156 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1166 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1176 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1186 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1196 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
0:022> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0619fce8 05545258 05caa08c 05fef04e 0000286a Flash11e!DllUnregisterServer+0x42d506 ----memcpy,三个参数看起来就是 memcpy(dst=05caa08c, src=05fef04e, len=0x286a)。验算一下:被破坏对象 05cac160 - dst 05caa08c = 0x20d4 < 0x286a,命中时 edi、esi 也都正好前进了 0x20d8,说明这次拷贝确实从 dst 一路写进了后面的对象;长度 0x286a 显然没有受目标缓冲区大小约束(目标缓冲区实际分配多大需回到 IDA 里确认)
0619fd0c 053fb07e 05caa08c ffffffff 0619fe40 Flash11e!DllUnregisterServer+0x39bb4
0619fe50 05940e38 0600a420 00000100 00000025 Flash11e+0x8b07e
0619fe74 05940e38 0600a530 00000100 05b64c60 Flash11e!DllUnregisterServer+0x435794
0619fea4 053c244f 00cac160 05fd4881 00002890 Flash11e!DllUnregisterServer+0x435794
0619ff0c 053c4aa4 7c809832 0619ffa0 05b64b9c Flash11e+0x5244f
0619ff2c 0554f86e 05fd4810 00000000 05fd4838 Flash11e+0x54aa4
0619ff54 0554f85c ffffffff ffffffff 56433230 Flash11e!DllUnregisterServer+0x441ca
0619ffa0 0554f8ed 00000000 00000000 0554f92c Flash11e!DllUnregisterServer+0x441b8
0619ffec 00000000 0554f920 05fd4838 00000000 Flash11e!DllUnregisterServer+0x44249
查看下模块基址,把 windbg 里的偏移换算成 IDA 里的地址再看:windbg 中 Flash11e 基址为 05370000,kb 里的返回地址 Flash11e+0x8b07e = 053fb07e,对应 IDA(基址 10000000)里的 .text:1008B07E,也就是紧跟在 .text:1008B079 mov ecx,edi 之后那条 call 的返回点:
.text:1008B03E inc eax
.text:1008B03F push 1
.text:1008B041 push eax
.text:1008B042 call sub_10403240
.text:1008B047 mov ecx, [esi+16650h]
.text:1008B04D imul ecx, 120h
.text:1008B053 mov [ecx+esi+154h], eax
.text:1008B05A mov eax, [edi]
.text:1008B05C add esp, 18h
.text:1008B05F lea ecx, [ebp+60h+var_64]
.text:1008B062 push ecx
.text:1008B063 mov ecx, [esi+16650h]
.text:1008B069 push [ebp+60h+var_18]
.text:1008B06C imul ecx, 120h
.text:1008B072 push dword ptr [ecx+esi+154h]
.text:1008B079 mov ecx, edi
然后直接运行 poc,在崩溃处下断点 Flash11e+0x5261c(崩溃指令前一条,即取 this 指针的那一条),这样下次恢复快照后可以在崩溃之前先停下来看对象内容:
0:022> u Flash11e+0x5261c
Flash11e+0x5261c:
053c261c 8bb614050000 mov esi,dword ptr <Unloaded_ud.drv>+0x513 (00000514)[esi]
053c2622 8b06 mov eax,dword ptr [esi] ; esi 是 this 对象指针,这一条读出对象首个 dword(虚表指针),紧接着 call dword ptr [eax+8] 就是通过这张虚表做虚调用。所以只要找出是谁覆盖了这个对象(尤其是它的第一个 dword)就行了
053c2624 8bce mov ecx,esi
053c2626 ff5008 call dword ptr [eax+8]
053c2629 8b4df0 mov ecx,dword ptr [ebp-10h]
053c262c e825f3faff call Flash11e+0x1956 (05371956)
恢复快照重新运行,第一次命中断点:
0:000> g
Breakpoint 2 hit
eax=05ff3000 ebx=00000000 ecx=7c80189c edx=00000004 esi=05fd4810 edi=00000001
eip=053c261c esp=0639fec0 ebp=0639ff0c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
Flash11e+0x5261c:
053c261c 8bb614050000 mov esi,dword ptr <Unloaded_ud.drv>+0x513 (00000514)[esi] ds:0023:05fd4d24=05cac160
0:023> dd 05fd4810
05fd4810 059d8c08 05cb4020 05f6b218 00000000
05fd4820 05fd4810 000007f0 00000000 00000001
05fd4830 00000000 00000000 00000000 059d4fcc
05fd4840 00000000 00000000 00000000 001ac278
05fd4850 ffffffff 00000000 00000000 00000000
05fd4860 00000000 00000001 053c51bb 05fd4810
05fd4870 00000960 00000066 05caa084 05fd5000
05fd4880 00000001 00000000 00000000 00000000
0:023> p
eax=05ff3000 ebx=00000000 ecx=7c80189c edx=00000004 esi=05cac160 edi=00000001
eip=053c2622 esp=0639fec0 ebp=0639ff0c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
Flash11e+0x52622:
053c2622 8b06 mov eax,dword ptr [esi] ds:0023:05cac160=0c0c0c0c ← this 对象(05cac160)的首个 dword 即虚表指针已被覆盖成 0c0c0c0c(堆喷射常用的填充值);随后的 call dword ptr [eax+8] 会把 0c0c0c0c+8 处的内容当成函数指针调用,控制流就此被劫持到喷射数据上。这里记下被破坏对象的地址 05cac160
重新恢复虚拟机快照,对被破坏对象的首地址下硬件写断点:ba w 1 05cac160(只监视写入,任意一个字节被写即触发;快照恢复后地址不变,所以这个地址仍然有效)。
然后按 F5(g)连续运行。下面第一次停下来的看起来是另外一个 CreateFileW 断点(输出里的 "creatfile"),与本次无关,但注意其 kb 中 05cac160 还作为参数正常传入,说明对象此时尚未被破坏;再 g 一次,就命中了写断点,直接停在覆盖该对象的拷贝指令上:
0:000> g
creatfile
05cc8320 "\\?\C:\DOCUME~1\torpedo\LOCALS~1"
05cc8360 "\Temp\fla56.tmp"
ChildEBP RetAddr Args to Child
0012c6c8 055454df 05cc8320 c0000000 00000000 kernel32!CreateFileW
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c6f0 05545560 05cc8320 c0000000 00000000 Flash11e!DllUnregisterServer+0x39e3b
0012c724 053c224b 05cac160 05fd4810 053c4ef8 Flash11e!DllUnregisterServer+0x39ebc
0012c748 05476a5d 0012c8c0 00002000 00002890 Flash11e+0x5224b
0012c7b4 054f0f60 0012c8c0 00002000 00000000 Flash11e+0x106a5d
eax=05cc8320 ebx=00000000 ecx=05cca758 edx=00000000 esi=05cac160 edi=05cb3158
eip=7c8107f0 esp=0012c6cc ebp=0012c6f0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040246
kernel32!CreateFileW:
7c8107f0 8bff mov edi,edi
0:000> g
Breakpoint 2 hit
eax=05ff18b8 ebx=ffffffff ecx=000001e4 edx=00000002 esi=05ff1126 edi=05cac164
eip=05938baa esp=0619fce0 ebp=0619fce8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
Flash11e!DllUnregisterServer+0x42d506:
05938baa f3a5 rep movs dword ptr es:[edi],dword ptr [esi] -----快速找到拷贝溢出的地方:写断点命中时 edi=05cac164,说明刚刚写完 05cac160 这个 dword(即虚表指针);ecx=1e4 表示还有 0x1e4 个 dword(0x790 字节)要继续拷,源 esi 处全是 0c——这次拷贝已经越过了它自己的目标缓冲区,正在把 poc 数据写进相邻对象
0:022> db esi
05ff1126 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1136 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1146 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1156 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1166 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1176 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1186 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
05ff1196 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
0:022> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0619fce8 05545258 05caa08c 05fef04e 0000286a Flash11e!DllUnregisterServer+0x42d506 ----memcpy,三个参数看起来就是 memcpy(dst=05caa08c, src=05fef04e, len=0x286a)。验算一下:被破坏对象 05cac160 - dst 05caa08c = 0x20d4 < 0x286a,命中时 edi、esi 也都正好前进了 0x20d8,说明这次拷贝确实从 dst 一路写进了后面的对象;长度 0x286a 显然没有受目标缓冲区大小约束(目标缓冲区实际分配多大需回到 IDA 里确认)
0619fd0c 053fb07e 05caa08c ffffffff 0619fe40 Flash11e!DllUnregisterServer+0x39bb4
0619fe50 05940e38 0600a420 00000100 00000025 Flash11e+0x8b07e
0619fe74 05940e38 0600a530 00000100 05b64c60 Flash11e!DllUnregisterServer+0x435794
0619fea4 053c244f 00cac160 05fd4881 00002890 Flash11e!DllUnregisterServer+0x435794
0619ff0c 053c4aa4 7c809832 0619ffa0 05b64b9c Flash11e+0x5244f
0619ff2c 0554f86e 05fd4810 00000000 05fd4838 Flash11e+0x54aa4
0619ff54 0554f85c ffffffff ffffffff 56433230 Flash11e!DllUnregisterServer+0x441ca
0619ffa0 0554f8ed 00000000 00000000 0554f92c Flash11e!DllUnregisterServer+0x441b8
0619ffec 00000000 0554f920 05fd4838 00000000 Flash11e!DllUnregisterServer+0x44249
查看下模块基址,把 windbg 里的偏移换算成 IDA 里的地址再看:windbg 中 Flash11e 基址为 05370000,kb 里的返回地址 Flash11e+0x8b07e = 053fb07e,对应 IDA(基址 10000000)里的 .text:1008B07E,也就是下面 .text:1008B07B call dword ptr [eax+14h] 的返回点:
.text:1008B03E inc eax
.text:1008B03F push 1
.text:1008B041 push eax
.text:1008B042 call sub_10403240
.text:1008B047 mov ecx, [esi+16650h]
.text:1008B04D imul ecx, 120h
.text:1008B053 mov [ecx+esi+154h], eax
.text:1008B05A mov eax, [edi]
.text:1008B05C add esp, 18h
.text:1008B05F lea ecx, [ebp+60h+var_64]
.text:1008B062 push ecx
.text:1008B063 mov ecx, [esi+16650h]
.text:1008B069 push [ebp+60h+var_18]
.text:1008B06C imul ecx, 120h
.text:1008B072 push dword ptr [ecx+esi+154h]
.text:1008B079 mov ecx, edi
.text:1008B07B call dword ptr [eax+14h] ; 虚调用,运行时的目标应为 101D521E(按基址换算,windbg 栈里 memcpy 的返回地址 05545258 对应 101D5258,落在这个函数内),memcpy 就在这里面被调用;拷贝长度(上面看到的 0x286a)未按目标缓冲区大小校验,造成堆溢出
这个方法之前说过了:在堆布局稳定后做快照,在崩溃点找到被破坏对象的地址,恢复快照后对该地址下硬件写断点,再运行一次就能停在溢出的拷贝指令上。用这个方法分析这类堆溢出,定位溢出点只要几分钟……前提是快照恢复后地址可复现,以及你的 windbg 符号下载速度够快。