soritong MP3播放器缓冲区溢出漏洞分析



软件下载(受影响版本 SoriTong 1.0,exploit-db 应用镜像):https://www.exploit-db.com/apps/a1def037869c831496bda3d81b0d06f5-soritong10.exe

加载 PoC:PoC 是一个供该播放器按行读取的列表文件,其中某一行超过 0xFF 字节(见下文伪代码:逐行拷贝的目标 FileName 只有 0x100 字节,且拷贝不做长度检查);在 WinDbg 下加载后程序崩溃。

程序崩溃点(WinDbg 输出)。异常是一条单字节写入指令在 0x00130000 处触发访问违例,该地址通常已经越过 32 位进程主线程栈区的上边界;该指令位于 SoriTong 模块自身代码中(SoriTong!MmutilityC8_4+0xc53),而不在 kernel32 等系统 DLL 内,这一点对后面的定位很重要:

SoriTong!MmutilityC8_4+0xc53:
0040c55f 8802            mov     byte ptr [edx],al          ds:0023:00130000=41\

崩溃所在函数 sub_40C444 的 Hex-Rays 伪代码如下。崩溃指令 `mov byte ptr [edx],al` 是该函数中唯一的逐字节存储,对应内层 `while ( 1 )` 循环里的 `*v12++ = v13`(edx 即写游标 v12):

// Hex-Rays pseudocode of the SoriTong routine containing the crash site
// (0x0040c55f, "mov byte ptr [edx],al", which is the `*v12++ = v13` store
// in the inner while(1) loop below).
//
// The "// [email protected]" annotations on the locals are Hex-Rays
// "// <reg>@<n>" register comments that were garbled by the hosting site's
// e-mail obfuscation; they carry no information here.
//
// Behaviour as decompiled: open lpFileName, read the whole file into a heap
// buffer, then treat the contents as a list of CR/LF-separated paths. Each
// line is copied into the 0x100-byte stack array `FileName` WITHOUT a length
// check, resolved with GetFullPathNameA and handed to sub_40BA7C.
//
// VULNERABILITY (stack buffer overflow): the copy loop stops only on CR, LF
// or NUL. A line longer than 0xFF bytes overruns `FileName` ([bp-130h]) into
// FilePart ([bp-30h]), v20..v23, the saved frame pointer and the return
// address. The crash in the write-up is this loop running off the end of the
// stack -- not lstrcatA, which only appends a fixed string into a heap buffer
// that has 16 bytes of slack.
//
// Parameters:
//   a4         - opaque context forwarded to sub_40BA7C (meaning not visible here)
//   lpFileName - path of the list file; also handled as a Borland AnsiString
// Returns: the value of the final AnsiString destructor call (decompiler artifact).
int __cdecl sub_40C444(int a4, LPCSTR lpFileName)
{
  const CHAR *v5; // [email protected]
  int v6; // [email protected]
  int v7; // [email protected]
  int result; // [email protected]
  __int32 v9; // [email protected]
  HGLOBAL v10; // [email protected]  -- heap buffer holding the file; also used as the parse cursor (see GlobalFree below)
  __int32 v11; // [email protected]
  CHAR *v12; // [email protected]  -- write cursor into FileName; never bounds-checked
  CHAR v13; // [email protected]
  int v14; // [email protected]
  LPCSTR *v15; // [email protected]
  char v16; // [sp+0h] [bp-238h]@0   -- uninitialised; passed as the variadic mode arg of open()
  CHAR Buffer; // [sp+8h] [bp-230h]@20   -- 0x100 bytes (ends at FileName); GetFullPathNameA output
  CHAR FileName; // [sp+108h] [bp-130h]@7   -- 0x100 bytes (ends at FilePart); OVERFLOW TARGET
  LPSTR FilePart; // [sp+208h] [bp-30h]@20  -- first local clobbered by an over-long line
  __int16 v20; // [sp+21Ch] [bp-1Ch]@1
  int v21; // [sp+228h] [bp-10h]@1
  char v22; // [sp+230h] [bp-8h]@20
  int v23; // [sp+234h] [bp-4h]@1

  // Borland/VCL-style exception frame setup; v20/v21 look like its state
  // words (values 20/8/32/0 and the ++/-- pairs) -- not relevant to the bug.
  __InitExceptBlockLDTC();
  System::AnsiString::AnsiString((System::AnsiString *)&lpFileName, (const System::AnsiString *)&lpFileName);
  v20 = 20;
  v23 = 0;
  // Directory part of the list file is handed to sub_486A54 (purpose not
  // visible here; presumably sets a base directory).
  Sysutils::ExtractFilePath(lpFileName, &v23);
  sub_486A54(v23);
  v21 = 2;
  System::AnsiString::~AnsiString((System::AnsiString *)&v23);
  // NULL name falls back to a constant at unk_4A1684 (presumably "").
  if ( lpFileName )
    v5 = lpFileName;
  else
    v5 = (const CHAR *)&unk_4A1684;
  // open(path, 0 /* O_RDONLY */, <garbage>) -- v16 is decompiler noise.
  v6 = j____open(v5, 0, v16);
  v7 = v6;
  v20 = 8;
  if ( v6 >= 0 )
  {
    // Whole-file read into a GPTR (0x40 = GMEM_FIXED|GMEM_ZEROINIT) block of
    // filelength+16 bytes. The zeroed slack is what NUL-terminates the data
    // after read(). No check that GlobalAlloc or read() succeeded: a NULL
    // v10 would be dereferenced by read()/lstrcatA. filelength() is called
    // twice for the same fd (harmless, just redundant).
    v9 = filelength(v6);
    v10 = GlobalAlloc(0x40u, v9 + 16);
    v11 = filelength(v7);
    j____read(v7, v10, v11);
    j____close(v7);
    // Appends a fixed string (asc_4A1685, likely a line terminator) to the
    // buffer. Safe as long as strlen(asc_4A1685) <= 15 (16 bytes of slack
    // including the NUL). This is the call the write-up suspects -- it is
    // NOT the crash site.
    lstrcatA((LPSTR)v10, asc_4A1685);
    // One iteration per line until the buffer is exhausted.
    while ( *(_BYTE *)v10 )
    {
      // Zeroing is the only NUL termination FileName ever gets; a line of
      // exactly 0x100 bytes leaves it unterminated for GetFullPathNameA.
      memset(&FileName, 0, 0x100u);
      v20 = 8;
      // Skip leading spaces.
      while ( *(_BYTE *)v10 == 32 )
        v10 = (char *)v10 + 1;
      v12 = &FileName;
      // *** BUG: unbounded copy of one line into the 0x100-byte FileName.
      // Terminates only on CR / LF / NUL; nothing compares v12 against the
      // end of FileName. The `*v12++ = v13` store is the faulting
      // "mov byte ptr [edx],al" at 0x0040c55f. Fix: stop after 0xFF bytes
      // (and skip/reject the remainder of the line) so FileName stays
      // NUL-terminated.
      while ( 1 )
      {
        v13 = *(_BYTE *)v10;
        v14 = *(_BYTE *)v10;
        if ( v14 == 13 || v14 == 10 || !v13 )
          break;
        *v12++ = v13;
        v10 = (char *)v10 + 1;
      }
      // Skip the CR/LF run. The trailing `&& *v10` is redundant (10 != 0).
      while ( *(_BYTE *)v10 == 13 || *(_BYTE *)v10 == 10 && *(_BYTE *)v10 )
        v10 = (char *)v10 + 1;
      // Bounded to 0x100 (= sizeof Buffer), so this call itself is fine;
      // its return value (0 on failure, required size if too small) is
      // ignored, so Buffer may be used unresolved.
      GetFullPathNameA(&FileName, 0x100u, &Buffer, &FilePart);
      v20 = 32;
      // Wrap the resolved path in an AnsiString (v22) and hand it to
      // sub_40BA7C (consumer not visible here).
      v15 = (LPCSTR *)sub_49ACA0(&v22, &Buffer);
      ++v21;
      sub_40BA7C(a4, *v15);
      --v21;
      System::AnsiString::~AnsiString((System::AnsiString *)&v22);
      v20 = 0;
    }
    // NOTE(review): v10 has been advanced through the buffer and now points
    // at the terminating NUL, not at the allocation base. Unless Hex-Rays
    // merged two variables, GlobalFree receives an interior pointer, fails,
    // and the buffer leaks on every load.
    GlobalFree(v10);
    --v21;
    result = System::AnsiString::~AnsiString((System::AnsiString *)&lpFileName);
  }
  else
  {
    // open() failed: nothing is read, just tear down the AnsiString copy.
    --v21;
    result = System::AnsiString::~AnsiString((System::AnsiString *)&lpFileName);
  }
  return result;
}

 

初看容易怀疑 lstrcatA 出错,但这个判断站不住脚:lstrcatA 只是把一个固定字符串 asc_4A1685 追加到 GlobalAlloc 分配的堆缓冲区末尾,缓冲区比文件长度多留了 16 字节,只要该字符串不超过 15 字节就不会越界;更关键的是,崩溃指令位于 SoriTong 自身代码中(SoriTong!MmutilityC8_4+0xc53),若是 lstrcatA 越界,异常应落在 kernel32!lstrcatA 内部。

作者在 0040C523 处下断(推测是 lstrcatA 的调用点),只能观察到字符串追加本身;定位漏洞应在 0040C55F(拷贝循环中的 `mov byte ptr [edx],al`)下断,观察 edx 相对 FileName 的偏移。真正缺少长度检查的是内层 `while ( 1 )` 拷贝循环:它把每一行逐字节复制到 0x100 字节的栈数组 FileName([bp-130h],紧接其后的是 FilePart [bp-30h]),只以 CR、LF 或 NUL 作为终止条件。一行超过 0xFF 字节的输入就会依次覆盖 FilePart、v20~v23、保存的 EBP 和返回地址,是典型的栈溢出;崩溃是该循环一路写到栈区边界 0x00130000 之外造成的。修复应在复制时限制长度(例如最多复制 0xFF 字节并保证 NUL 结尾),或改用带长度参数的复制函数。附带问题:GlobalAlloc 的返回值未判空就直接传给 read 和 lstrcatA;伪代码中 v10 在解析过程中被不断前移,最后 GlobalFree(v10) 传入的是缓冲区内部指针而非分配基址(除非反编译器合并了两个变量),释放会失败并导致泄漏。

 
