CVE-2011-0104 Microsoft Excel TOOLBARDEF 记录解析栈溢出漏洞漏洞分析

本文链接：https://blog.youkuaiyun.com/weixin_50287973/article/details/108281468

本文详细介绍了CVE-2011-0104安全漏洞的分析过程，涉及Windows XP SP3环境下Office Excel 2003 SP3的exploit.xlb文件触发异常。通过使用IDA、OD和Windbg等工具，深入剖析了栈溢出漏洞的发生位置，以及如何从0x300E05AD开始的函数导致栈溢出。在函数0x3070DD5F处设置断点，揭示了调用堆栈，进一步理解漏洞利用机制。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

分析环境

win xp sp3,IDA,OD,windbg
office excel 2003 sp3

基于污点追踪思路的漏洞分析方法

运行excel.exe,然后windbg加载运行，打开exploit.xlb,触发异常

(eb8.b2c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=51455047 ebx=0013ca60 ecx=00000006 edx=31622f28 esi=00000000 edi=00000400
eip=300e06f7 esp=0013aa1c ebp=0013aa88 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE - 
EXCEL!Ordinal41+0xe06f7:
300e06f7 8908            mov     dword ptr [eax],ecx  ds:0023:51455047=????????
0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0013aa88 584b4c4b 30435451 50453043 55514b4c EXCEL!Ordinal41+0xe06f7
0013aa8c 30435451 50453043 55514b4c 4b4c4c47 0x584b4c4b
0013aa90 50453043 55514b4c 4b4c4c47 35434c43 EXCEL!Ordinal41+0x435451
0013aa94 55514b4c 4b4c4c47 35434c43 51453844 0x50453043
0013aa98 4b4c4c47 35434c43 51453844 4b4c4f4a 0x55514b4c
0013aa9c 35434c43 51453844 4b4c4f4a 58444f50 0x4b4c4c47
0013aaa0 51453844 4b4c4f4a 58444f50 4f514b4c 0x35434c43
0013aaa4 4b4c4f4a 58444f50 4f514b4c 51455047 0x51453844
0013aaa8 58444f50 4f514b4c 51455047 59514b4a 0x4b4c4f4a
0013aaac 4f514b4c 51455047 59514b4a 54464b4c 0x58444f50
0013aab0 51455047 59514b4a 54464b4c 31434b4c 0x4f514b4c
0013aab4 59514b4a 54464b4c 31434b4c 51464e4a 0x51455047
0013aab8 54464b4c 31434b4c 51464e4a 394a5049 0x59514b4a
...

通过IDA观察确定崩溃地址0x300e06f7位于函数sub_300E05AD

OD载入，在0x300E05AD处下断
中断后在栈顶下内存写入断点
在这里插入图片描述
f9运行，中断在了0x300de834，这里就是循环复制数据到栈上导致溢出的地址

用IDA查看

v7为复制的字节数
向上追溯可发现函数入口在0x300DE7EC

300DE7EC   $  53            push ebx
300DE7ED   .  8B5C24 0C     mov ebx,dword ptr ss:[esp+0xC]
300DE7F1   .  85DB          test ebx,ebx
300DE7F3   .  0F84 89970200 je EXCEL.30107F82
300DE7F9   .  3B5C24 10     cmp ebx,dword ptr ss:[esp+0x10]                  ;  EXCEL.3070DF42
300DE7FD   .  0F87 03A71500 ja EXCEL.30238F06
300DE803   .  8B15 442C8930 mov edx,dword ptr ds:[0x30892C44]
300DE809   .  A1 402C8930   mov eax,dword ptr ds:[0x30892C40]
300DE80E   .  55            push ebp
300DE80F   .  8B6C24 0C     mov ebp,dword ptr ss:[esp+0xC]
300DE813   .  56            push esi                                         ;  EXCEL.3088ECC4
300DE814   .  57            push edi
300DE815   >  3BD0          cmp edx,eax
300DE817   .  0F8D F0B90300 jge EXCEL.3011A20D
300DE81D   >  2BC2          sub eax,edx
300DE81F   .  3BD8          cmp ebx,eax
300DE821   .  7D 02         jge short EXCEL.300DE825
300DE823   .  8BC3          mov eax,ebx
300DE825   >  8DB2 40EC8830 lea esi,dword ptr ds:[edx+0x3088EC40]
300DE82B   .  8BC8