标签:
poc来源为 exploit-db
测试环境为WINDOWS SP3
首先打开windows media player windbg附加
开启页堆 !gflag +hpa
0:011> g
(7f0.2f8): Access violation - code c0000005 (!!! second chance !!!)
eax=00008000 ebx=00132060 ecx=000002a4 edx=027ffd38 esi=00147000 edi=00149000
eip=73b722cc esp=027ffd04 ebp=027ffd30 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
iccvid!CVDecompress+0x11e:
73b722cc f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:011> kb
ChildEBP RetAddr Args to Child
027ffd30 73b7cbf3 00000004 00003731 00000068 iccvid!CVDecompress+0x11e
027ffd60 73b766c8 0012c8d0 00000000 00132530 iccvid!Decompress+0x11d
027ffdac 73b41938 0012c8d0 00000001 0000400d iccvid!DriverProc+0x1bf
027ffdd0 7cf8fa9e 73b5b500 0000400d 027ffde8 MSVFW32!ICSendMessage+0x2b
027ffe00 7cf8f9e9 73b5b500 00000000 00132530 quartz!CVFWDynLink::ICDecompress+0x3e
027ffec0 7cf90a55 01b6c258 01b6a658 00000000 quartz!CAVIDec::Transform+0x282
027ffeec 7cf90939 01b6c258 00000000 01b836d0 quartz!CVideoTransformFilter::Receive+0x110
027fff00 7cf8e67a 01b79c5c 01b6c258 027fff40 quartz!CTransformInputPin::Receive+0x33
027fff10 7cf90ca0 01b6c258 00040103 01b836d0 quartz!CBaseOutputPin::Deliver+0x22
027fff40 7cf90e1c 027fff70 027fff6c 00000000 quartz!CBaseMSRWorker::TryDeliverSample+0x102
027fff84 7cf8ce30 00000000 01b836d0 01b836d0 quartz!CBaseMSRWorker::PushLoop+0x15e
027fff9c 7cf8dbe6 00000000 7cf8a121 00000000 quartz!CBaseMSRWorker::DoRunLoop+0x4a
027fffa4 7cf8a121 00000000 000a0178 027fffec quartz!CBaseMSRWorker::ThreadProc+0x39
027fffb4 7c80b713 01b836d0 00000000 000a0178 quartz!CAMThread::InitialThreadProc+0x15
027fffec 00000000 7cf8a10c 01b836d0 00000000 kernel32!BaseThreadStart+0x37
0:011> ub iccvid!Decompress+0x11d
iccvid!Decompress+0x102:
73b7cbd8 ffb698000000 push dword ptr [esi+98h]
73b7cbde 57 push edi
73b7cbdf ff7528 push dword ptr [ebp+28h]
73b7cbe2 ff752c push dword ptr [ebp+2Ch]
73b7cbe5 ff7530 push dword ptr [ebp+30h]
73b7cbe8 ff7514 push dword ptr [ebp+14h]
73b7cbeb ff765c push dword ptr [esi+5Ch]
73b7cbee e8bb55ffff call iccvid!CVDecompress (73b721ae)
73b7cbee e8bb55ffff call iccvid!CVDecompress (73b721ae)这个涵数有漏洞
IDA单独查看该函数 进行详细分析
cve-2010-2553 CVDecompress 函数堆溢出漏洞
标签:
原文地址:http://www.cnblogs.com/wj2ge/p/5933693.html