CVE-2010-2553: heap overflow in the CVDecompress function


    The PoC comes from exploit-db.

    Test environment: Windows SP3.

    First, open Windows Media Player and attach WinDbg to it.

    Enable page heap: !gflag +hpa

    0:011> g
    (7f0.2f8): Access violation - code c0000005 (!!! second chance !!!)
    eax=00008000 ebx=00132060 ecx=000002a4 edx=027ffd38 esi=00147000 edi=00149000
    eip=73b722cc esp=027ffd04 ebp=027ffd30 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    iccvid!CVDecompress+0x11e:
    73b722cc f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    0:011> kb
    ChildEBP RetAddr  Args to Child              
    027ffd30 73b7cbf3 00000004 00003731 00000068 iccvid!CVDecompress+0x11e
    027ffd60 73b766c8 0012c8d0 00000000 00132530 iccvid!Decompress+0x11d
    027ffdac 73b41938 0012c8d0 00000001 0000400d iccvid!DriverProc+0x1bf
    027ffdd0 7cf8fa9e 73b5b500 0000400d 027ffde8 MSVFW32!ICSendMessage+0x2b
    027ffe00 7cf8f9e9 73b5b500 00000000 00132530 quartz!CVFWDynLink::ICDecompress+0x3e
    027ffec0 7cf90a55 01b6c258 01b6a658 00000000 quartz!CAVIDec::Transform+0x282
    027ffeec 7cf90939 01b6c258 00000000 01b836d0 quartz!CVideoTransformFilter::Receive+0x110
    027fff00 7cf8e67a 01b79c5c 01b6c258 027fff40 quartz!CTransformInputPin::Receive+0x33
    027fff10 7cf90ca0 01b6c258 00040103 01b836d0 quartz!CBaseOutputPin::Deliver+0x22
    027fff40 7cf90e1c 027fff70 027fff6c 00000000 quartz!CBaseMSRWorker::TryDeliverSample+0x102
    027fff84 7cf8ce30 00000000 01b836d0 01b836d0 quartz!CBaseMSRWorker::PushLoop+0x15e
    027fff9c 7cf8dbe6 00000000 7cf8a121 00000000 quartz!CBaseMSRWorker::DoRunLoop+0x4a
    027fffa4 7cf8a121 00000000 000a0178 027fffec quartz!CBaseMSRWorker::ThreadProc+0x39
    027fffb4 7c80b713 01b836d0 00000000 000a0178 quartz!CAMThread::InitialThreadProc+0x15
    027fffec 00000000 7cf8a10c 01b836d0 00000000 kernel32!BaseThreadStart+0x37
    0:011> ub iccvid!Decompress+0x11d

    iccvid!Decompress+0x102:
    73b7cbd8 ffb698000000    push    dword ptr [esi+98h]
    73b7cbde 57              push    edi
    73b7cbdf ff7528          push    dword ptr [ebp+28h]
    73b7cbe2 ff752c          push    dword ptr [ebp+2Ch]
    73b7cbe5 ff7530          push    dword ptr [ebp+30h]
    73b7cbe8 ff7514          push    dword ptr [ebp+14h]
    73b7cbeb ff765c          push    dword ptr [esi+5Ch]
    73b7cbee e8bb55ffff      call    iccvid!CVDecompress (73b721ae)

    73b7cbee e8bb55ffff      call    iccvid!CVDecompress (73b721ae): this is the vulnerable function.

    Open this function on its own in IDA for a detailed analysis.
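A constructed C model of the defect class the crash above shows (an added example, not iccvid.dll's code and not part of the original post): a stream-supplied dword count drives a rep-movsd-style copy into a fixed-size output frame, and the hardened copy rejects any chunk that would run past the frame end instead of writing into the page-heap guard page. `frame_t`, `spill_dwords` and `frame_copy_checked` are hypothetical names; the 0x2a4 count is the ecx value from the register snapshot.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the defect class behind the crash above, not the
 * iccvid.dll code: a dword count taken from the stream drives a
 * rep-movsd-style copy into a fixed-size output frame. Names are hypothetical. */

typedef struct {
    uint32_t *pixels;   /* output frame buffer */
    size_t    dwords;   /* its capacity in dwords */
} frame_t;

/* Dwords that a copy of `count` dwords at `dst_off` would land past the end of a
 * buffer of `capacity` dwords (0 if it fits). No subtraction can wrap, so it is
 * safe on untrusted values. */
size_t spill_dwords(size_t capacity, size_t dst_off, size_t count)
{
    size_t room = dst_off < capacity ? capacity - dst_off : 0;
    return count > room ? count - room : 0;
}

/* Hardened copy: a chunk that would leave the frame is rejected whole, so the
 * destination is never written past its end. Returns 0 on success, -1 if rejected. */
int frame_copy_checked(frame_t *f, size_t dst_off, const uint32_t *src, size_t count)
{
    if (spill_dwords(f->dwords, dst_off, count) != 0)
        return -1;
    memcpy(f->pixels + dst_off, src, count * sizeof(uint32_t));
    return 0;
}

int main(void)
{
    /* Mirror the register snapshot: edi already at the end of the frame and
     * ecx = 0x2a4 dwords still to be written by rep movsd. */
    size_t spill = spill_dwords(0x400, 0x400, 0x2a4);
    printf("unchecked copy would spill %zu dwords (%zu bytes)\n", spill, spill * 4);

    uint32_t buf[16] = {0}, chunk[16];
    for (size_t i = 0; i < 16; i++) chunk[i] = 0xC0DE0000u + (uint32_t)i;
    frame_t f = { buf, 16 };
    printf("fit: %d  overflow: %d\n",
           frame_copy_checked(&f, 4, chunk, 8),    /* 0: 4+8 <= 16 */
           frame_copy_checked(&f, 4, chunk, 16));  /* -1: 4+16 > 16 */
    return 0;
}
```

With the snapshot's values the unchecked copy still had 0x2a4 dwords (0xA90 bytes) to write when edi reached the guard page at 00149000; the checked variant refuses the chunk before the first out-of-bounds dword.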

    Original article: https://www.cnblogs.com/wj2ge/p/5933693.html