我的调试环境是win7旗舰版32位+wmpalyer+windbg+IDA。
poc见: https://www.exploit-db.com/exploits/15112/
wmpalyer设置页堆:
C:\Program Files\Debugging Tools for Windows (x86)>gflags.exe -i wmplayer.exe +h
pa +htc
Current Registry Settings for wmplayer.exe executable are: 02000010
htc - Enable heap tail checking
hpa - Enable page heapC:\Program Files\Debugging Tools for Windows (x86)>gflags.exe -i wmplayer.exe
Current Registry Settings for wmplayer.exe executable are: 02000010
htc - Enable heap tail checking
hpa - Enable page heap
打开wmplayer,windbg附加进程,wmplayer中打开poc,windbg成功断下:
0:015> g
(f14.efc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=113f1000 ebx=113ef000 ecx=00000040 edx=00000000 esi=113ef000 edi=113f1000
eip=76faa05b esp=1163f510 ebp=1163f518 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
msvcrt!__ascii_strnicmp+0x99:
76faa05b 660f7f07 movdqa xmmword ptr [edi],xmm0 ds:0023:113f1000=????????????????????????????????
此时查看栈回溯及113f1000所在堆的信息:
0:027> kvn
# ChildEBP RetAddr Args to Child
00 1163f518 76faa00b 113f1000 113ef000 00002000 msvcrt!__ascii_strnicmp+0x99 (FPO: [3,0,0])
01 1163f548 70ae3ba2 113f1000 113ef000 00002000 msvcrt!_VEC_memcpy+0x52 (FPO: [3,0,0])
02 1163f588 70aeeeda 00000004 00000000 00000068 iccvid!CVDecompress+0x141 (FPO: [Non-Fpo])
03 1163f5b8 70ae80f8 0ddd0f60 00000000 10ed2fd8 iccvid!Decompress+0x128 (FPO: [Non-Fpo])
04 1163f604 71f01759 0ddd0f60 00000001 0000400d iccvid!DriverProc+0x1bf (FPO: [Non-Fpo])
05 1163f628 6ce78639 71f1c7c0 0000400d 1163f640 MSVFW32!ICSendMessage+0x31 (FPO: [Non-Fpo])
06 1163f658 6ce789c4 71f1c7c0 00000000 10ed2fd8 quartz!CVFWDynLink::ICDecompress+0x3e (FPO: [Non-Fpo])
07 1163f710 6cf26cbe 1107cfa8 111bafb8 00000000 quartz!CAVIDec::Transform+0x2b0 (FPO: [Non-Fpo])
08 1163f73c 6cf26910 1107cfa8 00000000 0e956ee0 quartz!CVideoTransformFilter::Receive+0x120 (FPO: [Non-Fpo])
09 1163f750 6ce60472 0e9aef44 1107cfa8 1163f790 quartz!CTransformInputPin::Receive+0x33 (FPO: [Non-Fpo])
0a 1163f760 6cf2d61e 1107cfa8 00040103 0e956ee0 quartz!CBaseOutputPin::Deliver+0x22 (FPO: [Non-Fpo])
0b 1163f790 6cf2d830 1163f7c0 1163f7bc 00000000 quartz!CBaseMSRWorker::TryDeliverSample+0x102 (FPO: [Non-Fpo])
0c 1163f7d4 6cf2deba 00000000 0e956ee0 0e956ee0 quartz!CBaseMSRWorker::PushLoop+0x15b (FPO: [Non-Fpo])
0d 1163f7ec 6cf2e46a 00000000 6ce35735 00000000 quartz!CBaseMSRWorker::DoRunLoop+0x44 (FPO: [Non-Fpo])
0e 1163f7f4 6ce35735 00000000 00000000 1163f810 quartz!CBaseMSRWorker::ThreadProc+0x39 (FPO: [0,0,4])
0f 1163f804 76811174 0e956ee0 1163f850 7720b3f5 quartz!CAMThread::InitialThreadProc+0x15 (FPO: [Non-Fpo])
10 1163f810 7720b3f5 0e956ee0 6779fde2 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
11 1163f850 7720b3c8 6ce35720 0e956ee0 00000000 ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
12 1163f868 00000000 6ce35720 0e956ee0 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])
0:027> !heap -p -a 113f1000
address 113f1000 found in
_DPH_HEAP_ROOT @ b1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
10e53c64: 113eb000 6000 - 113ea000 8000
6fe58e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77274ea6 ntdll!RtlDebugAllocateHeap+0x00000030
77237d96 ntdll!RtlpAllocateHeap+0x000000c4
772034ca ntdll!RtlAllocateHeap+0x0000023a
754a7589 KERNELBASE!LocalAlloc+0x0000005f
70ae3d93 iccvid!CVDecompressBegin+0x00000092
70aee2a2 iccvid!DecompressBegin+0x000002cf
70ae80d1 iccvid!DriverProc+0x00000198
71f01759 MSVFW32!ICSendMessage+0x00000031
6ce79925 quartz!CAVIDec::StartStreaming+0x0000027a
6cf266fb quartz!CTransformFilter::Pause+0x00000060
6ce782a4 quartz!CAVIDec::Pause+0x0000002f
6ce29e03 quartz!CFilterGraph::Pause+0x00000223
6ce2c8b1 quartz!CFGControl::Cue+0x00000032
6ce35c40 
最低0.47元/天 解锁文章
扫一扫
2517
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
