
A summary of superli's flood of vulnerability posts

January 29, 2010, baoz

After reading 职业欠钱's blog I also searched for the POCs superli has been posting. He is certainly diligent: nearly 10 POCs in a few days. The affected software includes Kingsoft WebShield (金山网盾), Kingsoft Security Center (金山安全中心), Trend Micro antivirus, Adobe, NOS Microsystems, Xunlei (迅雷), UUSee, QVOD, SopCast, PPMate, FlashGet (网际快车), and SPlayer (射手播放器). Whether these bugs can actually be exploited is for each reader to judge; in any case there has been no news so far of any of them being exploited, or perhaps people have simply grown used to malformed-input and overlong-parameter bugs. I also checked the Qvod POC with Microsoft's !exploitable, and it is classified as exploitable. The dump below is the proof.

*******************************************************************************
(950.ba8): Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=02adffcc ebp=02adfff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
ntdll!DbgBreakPoint:
7c92120e cc              int     3
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:015> g
(950.968): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001e105c ebx=02d5a1c0 ecx=001b3680 edx=036d6b5c esi=003bca89 edi=003bca8c
eip=001ef843 esp=01dcfb58 ebp=01dcfb90 iopl=0         ov up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010a03
<Unloaded_sspc.dll>+0x1ef842:
001ef843 ea000108ff0000  jmp     0000:FF080100
0:005> g
(950.968): Access violation - code c0000005 (!!! second chance !!!)
eax=001e105c ebx=02d5a1c0 ecx=001b3680 edx=036d6b5c esi=003bca89 edi=003bca8c
eip=001ef843 esp=01dcfb58 ebp=01dcfb90 iopl=0         ov up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000a03
<Unloaded_sspc.dll>+0x1ef842:
001ef843 ea000108ff0000  jmp     0000:FF080100
0:005> g
(950.968): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001e105c ebx=02d5a1c0 ecx=001b3680 edx=036d6b5c esi=003bca89 edi=003bca8c
eip=001ef843 esp=01dcfb58 ebp=01dcfb90 iopl=0         ov up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010a03
<Unloaded_sspc.dll>+0x1ef842:
001ef843 ea000108ff0000  jmp     0000:FF080100
0:005> g
(950.968): Access violation - code c0000005 (!!! second chance !!!)
eax=001e105c ebx=02d5a1c0 ecx=001b3680 edx=036d6b5c esi=003bca89 edi=003bca8c
eip=001ef843 esp=01dcfb58 ebp=01dcfb90 iopl=0         ov up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000a03
<Unloaded_sspc.dll>+0x1ef842:
001ef843 ea000108ff0000  jmp     0000:FF080100
0:005> !exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0xffffffffffffffff
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:READ
FAULTING_INSTRUCTION:001ef843 jmp 0000:ff080100
MAJOR_HASH:0x1e69442b
MINOR_HASH:0x773f2842
STACK_DEPTH:20
STACK_FRAME:<Unloaded_sspc.dll>+0x1ef842
STACK_FRAME:mshtml!DllGetClassObject+0xeb438
STACK_FRAME:mshtml!DllGetClassObject+0xadcb7
STACK_FRAME:mshtml!DllGetClassObject+0xa78da
STACK_FRAME:mshtml!DllGetClassObject+0xa328c
STACK_FRAME:mshtml!DllCanUnloadNow+0x86cd
STACK_FRAME:mshtml!DllGetClassObject+0x8598a
STACK_FRAME:mshtml!MatchExactGetIDsOfNames+0x1ec29
STACK_FRAME:mshtml!MatchExactGetIDsOfNames+0x1eb88
STACK_FRAME:mshtml!ShowModalDialog+0x2a65e
STACK_FRAME:mshtml!CreateHTMLPropertyPage+0x1bb9b
STACK_FRAME:mshtml!CreateHTMLPropertyPage+0x1bf5e
STACK_FRAME:mshtml!DllGetClassObject+0xa8ab4
STACK_FRAME:mshtml!DllGetClassObject+0xa26d4
STACK_FRAME:USER32!GetDC+0x6d
STACK_FRAME:USER32!GetDC+0x14f
STACK_FRAME:USER32!GetWindowLongW+0x127
STACK_FRAME:USER32!DispatchMessageW+0xf
STACK_FRAME:IEFRAME!Ordinal300+0x36c1
STACK_FRAME:kernel32!GetModuleFileNameA+0x1ba
INSTRUCTION_ADDRESS:0x00000000001ef843
INVOKING_STACK_FRAME:0
DESCRIPTION:Read Access Violation on Control Flow
SHORT_DESCRIPTION:ReadAVonControlFlow
CLASSIFICATION:EXPLOITABLE
BUG_TITLE:Exploitable - Read Access Violation on Control Flow starting at <Unloaded_sspc.dll>+0x00000000001ef842 (Hash=0x1e69442b.0x773f2842)
EXPLANATION:Access violations not near null in control flow instructions are considered exploitable.
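As an added example (not part of the original post, and not the !exploitable extension's own code), here is a small Python triage helper that parses the KEY:VALUE output of `!exploitable -m` shown above, buckets crashes by the MAJOR_HASH/MINOR_HASH pair the tool prints, and ranks them by classification so that a batch of POC crashes can be deduplicated before anyone looks at them by hand. The sample report is constructed from the Qvod dump above, trimmed to the fields the helper reads.

```python
# Classification ladder used by the MSEC !exploitable extension, most severe first.
SEVERITY = {"EXPLOITABLE": 3, "PROBABLY_EXPLOITABLE": 2,
            "UNKNOWN": 1, "PROBABLY_NOT_EXPLOITABLE": 0}

def parse_exploitable(text):
    """Parse the KEY:VALUE lines printed by '!exploitable -m' into a dict.
    STACK_FRAME repeats once per frame, so it is collected into a list;
    'bucket' joins MAJOR_HASH (top of stack) and MINOR_HASH (full stack),
    which is how !exploitable identifies the same crash across runs."""
    report = {"STACK_FRAME": []}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue                          # not a KEY:VALUE line
        if key == "STACK_FRAME":
            report[key].append(value.strip())
        else:
            report[key] = value.strip()
    report.setdefault("CLASSIFICATION", "UNKNOWN")
    report["bucket"] = f"{report.get('MAJOR_HASH')}.{report.get('MINOR_HASH')}"
    return report

def triage(reports):
    """Collapse duplicate buckets, keep the most severe classification seen
    for each, and order the survivors from most to least exploitable."""
    best = {}
    for r in reports:
        seen = best.get(r["bucket"])
        if seen is None or SEVERITY[r["CLASSIFICATION"]] > SEVERITY[seen["CLASSIFICATION"]]:
            best[r["bucket"]] = r
    return sorted(best.values(), key=lambda r: -SEVERITY[r["CLASSIFICATION"]])

# Constructed sample: the Qvod crash from the post, trimmed to the fields used here.
QVOD_CRASH = """\
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
FAULTING_INSTRUCTION:001ef843 jmp 0000:ff080100
MAJOR_HASH:0x1e69442b
MINOR_HASH:0x773f2842
STACK_FRAME:<Unloaded_sspc.dll>+0x1ef842
STACK_FRAME:mshtml!DllGetClassObject+0xeb438
SHORT_DESCRIPTION:ReadAVonControlFlow
CLASSIFICATION:EXPLOITABLE
"""
```

Feed `triage()` one parsed report per crash log and the first entry returned is the bucket worth a human's time; a first-chance and a second-chance record of the same crash collapse into one bucket.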
