HWP一个整数溢出导致的堆溢出

HWP注释功能存在一个堆溢出，是因为长度变量经过计算后整数溢出，分配小内存拷贝大数据。

HWP是棒子用的WORD软件，懂的就懂了，不要问我怎么利用，好利用的话我会公布？

Offset     0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000170   6F 63 04 10 00 00 00 00  00 00 00 00 00 00 47 04   oc............G.
00000180   50 06 6B 6E 75 25 01 80  00 00 00 29 00 4D 00 45   P.knu%.€...).M.E
00000190   00 4D 00 4F 00 2F 00 36  00 35 00 35 00 33 00 35   .M.O./.6.5.5.3.5
000001A0   00 2F 00 31 00 2F 00 33  00 38 00 31 00 37 00 32   ./.1./.3.8.1.7.2
000001B0   00 32 00 35 00 38 00 34  00 30 00 2F 00 33 00 30   .2.5.8.4.0./.3.0
000001C0   00 33 00 32 00 35 00 39  00 36 00 30 00 2F 00 69   .3.2.5.9.6.0./.i
000001D0   00 73 00 6E 00 6F 00 2F  00 5C 00 3B 00 3B 00 3D   .s.n.o./.\.;.;.=
000001E0   2C 72 53 01 00 00 00 5D  04 40 00 01 00 00 00 48   ,rS....].@.....H
000001F0   04 00 01 01 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000200   00 00 00 42 04 80 01 14  27 00 80 00 00 00 00 0B   ...B.€..'.€.....    //这个14 27 00 80是下个块的长度，改成FF FF FF FF后会造成整数溢出，分配小内存然后拷贝大数据
00000210   00 0D 00 01 00 00 00 73  00 00 00 00 00 00 00 43   .......s.......C    //73是注释的行数
00000220   08 F0 FF 28 4E 00 00 61  00 61 00 61 00 61 00 61   .?(N..a.a.a.a.a
00000230   00 61 00 61 00 61 00 61  00 61 00 61 00 61 00 61   .a.a.a.a.a.a.a.a
00000240   00 61 00 61 00 61 00 61  00 61 00 61 00 61 00 61   .a.a.a.a.a.a.a.a
00000250   00 61 00 61 00 61 00 61  00 61 00 61 00 61 00 61   .a.a.a.a.a.a.a.a
00000260   00 61 00 61 00 61 00 61  00 61 00 61 00 61 00 61   .a.a.a.a.a.a.a.a
00000270   00 61 00 61 00 61 00 61  00 61 00 61 00 61 00 61   .a.a.a.a.a.a.a.a

03205B3B    8B45 3C         mov     eax, dword ptr [ebp+3C]
03205B3E    0FB653 38       movzx   edx, byte ptr [ebx+38]
03205B42    8B48 34         mov     ecx, dword ptr [eax+34]
03205B45    3B91 C4020000   cmp     edx, dword ptr [ecx+2C4]
03205B4B    7C 04           jl      short 03205B51
03205B4D    C643 38 00      mov     byte ptr [ebx+38], 0
03205B51    8B4424 24       mov     eax, dword ptr [esp+24]    ; 下个块长度
03205B55    8063 39 0C      and     byte ptr [ebx+39], 0C
03205B59    85C0            test    eax, eax
03205B5B    79 13           jns     short 03205B70
03205B5D    8B4C24 54       mov     ecx, dword ptr [esp+54]
03205B61    25 FFFFFF7F     and     eax, 7FFFFFFF              ; 最大就是7fffffff
03205B66    894424 24       mov     dword ptr [esp+24], eax
03205B6A    C701 01000000   mov     dword ptr [ecx], 1
03205B70    8B4C24 14       mov     ecx, dword ptr [esp+14]
03205B74    66:85C9         test    cx, cx
03205B77    74 09           je      short 03205B82
03205B79    0FB7D1          movzx   edx, cx
03205B7C    895424 54       mov     dword ptr [esp+54], edx
03205B80    EB 08           jmp     short 03205B8A
03205B82    C74424 54 01000>mov     dword ptr [esp+54], 1
03205B8A    0FB74C24 28     movzx   ecx, word ptr [esp+28]
03205B8F    0FB77C24 1C     movzx   edi, word ptr [esp+1C]
03205B94    6A 01           push    1
03205B96    51              push    ecx
03205B97    894C24 58       mov     dword ptr [esp+58], ecx
03205B9B    8B4C24 5C       mov     ecx, dword ptr [esp+5C]
03205B9F    51              push    ecx
03205BA0    894424 48       mov     dword ptr [esp+48], eax
03205BA4    50              push    eax
03205BA5    8BC7            mov     eax, edi
03205BA7    8BF3            mov     esi, ebx
03205BA9    E8 42301B00     call    033B8BF0                    ; 根据下个块的长度分配两块内存，填充相关结构
03205BAE    85C0            test    eax, eax
03205BB0    74 2F           je      short 03205BE1
03205BB2    8B5424 50       mov     edx, dword ptr [esp+50]
03205BB6    8B4424 54       mov     eax, dword ptr [esp+54]
03205BBA    6A 20           push    20
03205BBC    6A 01           push    1
03205BBE    57              push    edi
03205BBF    52              push    edx
03205BC0    8B5424 4C       mov     edx, dword ptr [esp+4C]
03205BC4    50              push    eax
03205BC5    E8 46331B00     call    033B8F10                    ; 处理分配的两块内存，填上空格

分配算法：

033B8E5D    8B4C24 20       mov     ecx, dword ptr [esp+20]
033B8E61    8BD8            mov     ebx, eax
033B8E63 >  0FAF5C24 1C     imul    ebx, dword ptr [esp+1C]     ; 73*60
033B8E68    8D3C7F          lea     edi, dword ptr [edi+edi*2]
033B8E6B    03FF            add     edi, edi
033B8E6D    03FF            add     edi, edi
033B8E6F    8D04CD 00000000 lea     eax, dword ptr [ecx*8]
033B8E76    C1E8 02         shr     eax, 2
033B8E79    C1EF 02         shr     edi, 2
033B8E7C    03F8            add     edi, eax
033B8E7E    C1EB 02         shr     ebx, 2                      ; 73*60/2
033B8E81    03FB            add     edi, ebx
033B8E83    03FD            add     edi, ebp
033B8E85    8D14BD 00000000 lea     edx, dword ptr [edi*4]
033B8E8C    52              push    edx
033B8E8D    894424 20       mov     dword ptr [esp+20], eax
033B8E91    FF15 88244003   call    dword ptr [<&MSVCR90.malloc>]    ; MSVCR90.malloc
033B8E97    83C4 04         add     esp, 4
033B8E9A    8946 04         mov     dword ptr [esi+4], eax
033B8E9D    85C0            test    eax, eax
033B8E9F  ^ 0F84 7EFEFFFF   je      033B8D23
033B8EA5    8B4C24 1C       mov     ecx, dword ptr [esp+1C]
033B8EA9    03CB            add     ecx, ebx
033B8EAB    8D042B          lea     eax, dword ptr [ebx+ebp]    ; 40000000+AC8
033B8EAE    8B5C24 24       mov     ebx, dword ptr [esp+24]
033B8EB2    03CD            add     ecx, ebp
033B8EB4    896E 08         mov     dword ptr [esi+8], ebp
033B8EB7    8946 0C         mov     dword ptr [esi+C], eax
033B8EBA    894E 10         mov     dword ptr [esi+10], ecx
033B8EBD    83FB FF         cmp     ebx, -1
033B8EC0    75 0C           jnz     short 033B8ECE
033B8EC2    C74424 24 01000>mov     dword ptr [esp+24], 1
033B8ECA    8B5C24 24       mov     ebx, dword ptr [esp+24]
033B8ECE    C1E3 04         shl     ebx, 4
033B8ED1    C1EB 02         shr     ebx, 2
033B8ED4    03DD            add     ebx, ebp
033B8ED6    8D149D 00000000 lea     edx, dword ptr [ebx*4]       ; 40000004*4=10--整数溢出
033B8EDD    52              push    edx
033B8EDE    FF15 88244003   call    dword ptr [<&MSVCR90.malloc>]    ; MSVCR90.malloc

[原文地址]

留言评论（旧系统）：