WPS Office 'Wpsio.dll'栈缓冲区溢出漏洞

摘录自 http://seclists.org/fulldisclosure/2013/Apr/247 POC ================== http://seclists.org/fulldisclosure/2013/Apr/att-247/poc_zip.bin 崩溃信息 ================== crash info: (b70.eb8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0012c0a4 ebx=770f4b39 ecx=90909090 edx=0012be00 esi=0012c0a4 edi=0018bd54 eip=45e25208 esp=0012bdec ebp=0012bdf8 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246 wpsio!TxExport+0x37b1: 45e25208 ff5114 call dword ptr [ecx+14h] ds:0023:909090a4=???????? module info: start end module name 45e00000 4606f000 wpsio (export symbols) C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll Loaded symbol image file: C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll Image path: C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll Image name: wpsio.dll Timestamp: Mon May 28 04:10:12 2012 (4FC28A24) CheckSum: 0026D933 ImageSize: 0026F000 File version: 8.1.0.3238 Product version: 8.1.0.3238 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 0.0 Unknown File date: 00000000.00000000 Translations: 0000.04b0 CompanyName: Zhuhai Kingsoft Office-software Co.,Ltd ProductName: Kingsoft Office InternalName: wpsio OriginalFilename: wpsio.dll ProductVersion: 8,1,0,3238 FileVersion: 8,1,0,3238 FileDescription: wpsio LegalCopyright: Copyright©1988-2011 Kingsoft Corporation. All rights reserved. 溢出点代码 ================== In sub_45E2CC84: .text:45E2CC84 var_210 = byte ptr -210h ;buffer size 0x200 .text:45E2CC84 var_4 = dword ptr -4 .text:45E2CDB3 push [ebp+Src] ; BSTR .text:45E2CDB9 call esi ; SysStringLen .text:45E2CDBB mov [ebp+var_244], eax .text:45E2CDC1 add eax, eax ;size is 0x170 .text:45E2CDC3 push eax ; Size .text:45E2CDC4 push [ebp+Src] ; Src .text:45E2CDCA lea eax, [ebp+var_210] .text:45E2CDD0 push eax ; Dst .text:45E2CDD1 call memcpy First time,copy 0x170 bytes to buffer var_210. .text:45E2CE16 push edi ; BSTR .text:45E2CE17 mov [ebp+var_234], ax .text:45E2CE1E call esi ; SysStringLen .text:45E2CE20 add eax, eax .text:45E2CE22 push eax ; Size .text:45E2CE23 movzx eax, [ebp+var_234] ;length .text:45E2CE2A lea eax, [ebp+eax*2+var_210] .text:45E2CE31 push edi ; Src .text:45E2CE32 push eax ; Dst .text:45E2CE33 call memcpy Second time,copy the same string, placed after the first string. var_234 is the length of the string. Total copy 0x2e0 bytes. After copy,return address and SEH record has been overwritten. 0:000> k ChildEBP RetAddr WARNING: Stack unwind information not available. Following frames may be wrong. 0012c070 90909090 wpsio!TxExport+0xb3e1 0012c148 45e2a113 0x90909090 0:000> !exchain 0012c064: 90909090 Invalid exception stack at 90909090 The source data of memcpy is from the file poc.wps,offset 0x41d7.