cve 2010-0842 Oracle Java MixerSequencer Object GM_Song Structure Handling Vulnerability
2012-05-08 22:58
This one isn't hard to analyze... the point isn't the analysis, heh. Instruder
version: jre 6u18
Set the debugger path under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\java.exe.
Open the HTML page, then `g` in windbg:
```
Breakpoint 1 hit
eax=00000000 ebx=079f17e8 ecx=00000000 edx=000000c0 esi=00000000 edi=079f3cf0
eip=6d52abda esp=06cef8fc ebp=06cef924 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
jsound!Java_com_sun_media_sound_Platform_nGetLibraryForFeature+0x73c1:
6d52abda 8a03            mov     al,byte ptr [ebx]          ds:0023:079f17e8=80
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Java\jre6\bin\client\jvm.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Java\jre6\bin\msvcr71.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll -
0:030> db ebx
079f17e8  80 00 38 ff 02 c9 50 cc-cc 00 00 00 00 8b 0c 24  ..8...P........$
079f17f8  83 c4 04 8d 49 12 41 80-31 74 80 39 90 75 f7 35  ....I.A.1t.9.u.5
079f1808  9f 26 42 ff 01 48 42 ff-00 41 0c 77 81 22 4a ff  .&B..HB..A.w."J.
079f1818  02 54 77 81 47 bd 3d 35-d9 47 af 42 7b ca 60 5c  .Tw.G.=5.G.B{.`\
079f1828  4e a2 00 7c b5 bf 79 77-ae 34 9f 9b 4f ab 01 93  N..|..yw.4..O...
079f1838  2a 4a ff 2a 50 77 a9 12-4a ff 78 3f 4a ff 2a 68  *J.*Pw..J.x?J.*h
079f1848  77 a9 4a ff 70 ff 77 b1-b7 01 06 18 19 1b 1a 5a  w.J.p.w........Z
079f1858  10 18 18 74 47 b4 10 77-34 44 0c 7b 4a ff 34 78  ...tG..w4D.{J.4x
```
ebx points at the data found at file offset 0x8e.
```
0:030> t
Breakpoint 1 hit
eax=00000000 ebx=079f17e8 ecx=00000000 edx=000000c0 esi=00000000 edi=079f3cf0
eip=6d52abda esp=06cef8fc ebp=06cef924 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
jsound!Java_com_sun_media_sound_Platform_nGetLibraryForFeature+0x73c1:
6d52abda 8a03            mov     al,byte ptr [ebx]          ds:0023:079f17e8=80
0:030> t
eax=00000080 ebx=079f17e8 ecx=00000000 edx=000000c0 esi=00000000 edi=079f3cf0
eip=6d52abdc esp=06cef8fc ebp=06cef924 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
jsound!Java_com_sun_media_sound_Platform_nGetLibraryForFeature+0x73c3:
6d52abdc 43              inc     ebx
0:030> t
eax=00000080 ebx=079f17e9 ecx=00000000 edx=000000c0 esi=00000000 edi=079f3cf0
eip=6d52abdd esp=06cef8fc ebp=06cef924 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
jsound!Java_com_sun_media_sound_Platform_nGetLibraryForFeature+0x73c4:
6d52abdd 88450f          mov     byte ptr [ebp+0Fh],al      ss:0023:06cef933=00
0:030> t
eax=00000080 ebx=079f17e9 ecx=00000000 edx=000000c0 esi=00000000 edi=079f3cf0
eip=6d52abe0 esp=06cef8fc ebp=06cef924 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
jsound!Java_com_sun_media_sound_Platform_nGetLibraryForFeature+0x73c7:
6d52abe0 8a03            mov     al,byte ptr [ebx]          ds:0023:079f17e9=00
0:030> g
Breakpoint 1 hit
eax=00000000 ebx=079f17e8 ecx=04200000 edx=000000c0 esi=00000000 edi=079f3cf0
eip=6d52abda esp=0798f9d0 ebp=0798f9f8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
jsound!Java_com_sun_media_sound_Platform_nGetLibraryForFeature+0x73c1:
6d52abda 8a03            mov     al,byte ptr [ebx]          ds:0023:079f17e8=80
0:037> g
Breakpoint 0 hit
eax=07a02a60 ebx=079f17ea ecx=00000080 edx=00000000 esi=00000000 edi=079f3cf0
eip=6d52ac4e esp=0798f9d0 ebp=0798f9f8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
jsound!Java_com_sun_media_sound_Platform_nGetLibraryForFeature+0x7435:
6d52ac4e 8b1488          mov     edx,dword ptr [eax+ecx*4]  ds:0023:07a02c60=7c35a78d
0:037> u 6d52ac40
jsound!Java_com_sun_media_sound_Platform_nGetLibraryForFeature+0x7427:
6d52ac40 660fb64d0f      movzx   cx,byte ptr [ebp+0Fh]
6d52ac45 0f84ca010000    je      jsound!Java_com_sun_media_sound_Platform_nGetLibraryForFeature+0x75fc (6d52ae15)
6d52ac4b 0fbfc9          movsx   ecx,cx
6d52ac4e 8b1488          mov     edx,dword ptr [eax+ecx*4]
6d52ac51 85d2            test    edx,edx
6d52ac53 0f84bc010000    je      jsound!Java_com_sun_media_sound_Platform_nGetLibraryForFeature+0x75fc (6d52ae15)
6d52ac59 660fb675f4      movzx   si,byte ptr [ebp-0Ch]
6d52ac5e 56              push    esi
0:037> u
jsound!Java_com_sun_media_sound_Platform_nGetLibraryForFeature+0x7446:
6d52ac5f 660fb6750f      movzx   si,byte ptr [ebp+0Fh]
6d52ac64 56              push    esi
6d52ac65 ff75f8          push    dword ptr [ebp-8]
6d52ac68 ff75f0          push    dword ptr [ebp-10h]
6d52ac6b ffb48800020000  push    dword ptr [eax+ecx*4+200h]
6d52ac72 57              push    edi
6d52ac73 ff7508          push    dword ptr [ebp+8]
6d52ac76 ffd2            call    edx
0:037> u 7c35a78d
msvcr71!_RTDynamicCast+0x4fe:
7c35a78d ffe3            jmp     ebx
7c35a78f ff              ???
7c35a790 ff0d00600000    dec     dword ptr ds:[6000h]
7c35a796 eb56            jmp     msvcr71!_RTDynamicCast+0x55f (7c35a7ee)
7c35a798 25ffbfffff      and     eax,0FFFFBFFFh
7c35a79d 0d00200000      or      eax,2000h
7c35a7a2 eb4a            jmp     msvcr71!_RTDynamicCast+0x55f (7c35a7ee)
7c35a7a4 25ffebffff      and     eax,0FFFFEBFFh
0:037> u ebx
079f17ea 38ff            cmp     bh,bh
079f17ec 02c9            add     cl,cl
079f17ee 50              push    eax
079f17ef cc              int     3
079f17f0 cc              int     3
079f17f1 0000            add     byte ptr [eax],al
079f17f3 0000            add     byte ptr [eax],al
079f17f5 8b0c24          mov     ecx,dword ptr [esp]
```
The bug is in Java's handling of MIDI files: a pointer is computed incorrectly. One byte read from the file is used as an index to fetch a this pointer, and that index is never range-checked, so the lookup can return data the file controls and use it as a pointer, which leads to arbitrary code execution.
The attachment contains the PoC. pic_int3.rmf is the modified version with an int3 inserted at the shellcode; the shellcode in the pic.rmf sample does who knows what, so don't run it casually.
Thanks to 大东 for providing the PoC.
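To make that failure mode concrete, here is an added C illustration (written for this page; it is not JDK code and not from the original post). It models a dispatch table laid out like the one the disassembly above indexes with `[eax+ecx*4]` and `[eax+ecx*4+200h]`: 128 function pointers followed by 128 argument pointers, so an index of 0x80 lands on the first argument pointer instead of a handler. `dispatch_unchecked` reproduces the `movzx`/`movsx`/lookup sequence without a range check, and `dispatch_checked` is the range-checked form a fix needs. The table layout, `NUM_EVENT_TYPES`, the handler names and the sample event bytes are all assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (illustration, not the real GM_Song structure): 128 function
 * pointers occupy 0x000-0x1ff, so the parallel argument array starts at +0x200,
 * which is where the disassembly's [eax+ecx*4+200h] reads. */
#define NUM_EVENT_TYPES 128

typedef int (*event_fn)(const uint8_t *arg, uint8_t param);

struct dispatch_table {
    event_fn       fn[NUM_EVENT_TYPES];    /* what [eax+ecx*4] reads */
    const uint8_t *arg[NUM_EVENT_TYPES];   /* what [eax+ecx*4+200h] reads */
};

/* Constructed handler: returns base note plus the event parameter. */
static int note_on(const uint8_t *arg, uint8_t param)
{
    return (int)arg[0] + param;
}

static const uint8_t k_note_arg[1] = { 60 };   /* constructed handler argument */

static void table_init(struct dispatch_table *t)
{
    memset(t, 0, sizeof *t);
    t->fn[0x09]  = note_on;
    t->arg[0x09] = k_note_arg;
}

/* The flawed sequence from the disassembly: movzx cx, byte; movsx ecx, cx;
 * then the index is used with no range check. With type = 0x80 the lookup
 * lands on arg[0], which is data, not a handler. Kept only for contrast;
 * nothing below calls it with a type >= 0x80. */
int dispatch_unchecked(const struct dispatch_table *t, uint8_t type, uint8_t param)
{
    uint16_t cx  = type;                   /* movzx: 0x80 becomes 0x0080 */
    int      ecx = (int16_t)cx;            /* movsx: still 0x80, never negative */
    event_fn fn  = t->fn[ecx];             /* ecx >= 128 overruns the fn array */
    return fn ? fn(t->arg[ecx], param) : -1;
}

/* Hardened form: the byte taken from the file is validated against the table
 * size before it is used as an index. */
int dispatch_checked(const struct dispatch_table *t, uint8_t type, uint8_t param)
{
    if (type >= NUM_EVENT_TYPES)
        return -2;                         /* out-of-range event type: reject */
    if (t->fn[type] == NULL)
        return -1;                         /* in range, but no handler registered */
    return t->fn[type](t->arg[type], param);
}

/* Single-event wrapper around the checked dispatcher. */
int demo_checked(uint8_t type, uint8_t param)
{
    struct dispatch_table t;
    table_init(&t);
    return dispatch_checked(&t, type, param);
}

/* Walk a constructed two-byte (type, param) event stream with the checked
 * dispatcher. Returns how many events were rejected as out of range and
 * stores the last accepted handler result in *last. */
int process_events(const uint8_t *ev, size_t len, int *last)
{
    struct dispatch_table t;
    int rejected = 0;
    table_init(&t);
    *last = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        int r = dispatch_checked(&t, ev[i], ev[i + 1]);
        if (r == -2) rejected++;
        else *last = r;
    }
    return rejected;
}

/* Constructed sample: a valid note event, then the 0x80 type byte that the
 * windbg session shows being read from the file, then another valid event. */
static const uint8_t k_sample[] = { 0x09, 0x02, 0x80, 0x00, 0x09, 0x05 };

int demo_rejected(void)
{
    int last;
    return process_events(k_sample, sizeof k_sample, &last);
}

int demo_last(void)
{
    int last;
    process_events(k_sample, sizeof k_sample, &last);
    return last;
}

int main(void)
{
    printf("rejected=%d last=%d\n", demo_rejected(), demo_last());
    return 0;
}
```

The point of the contrast is that the `movsx` does not help: the byte was zero-extended first, so 0x80 through 0xff are positive indices past the end of the 128-entry array, and only an explicit comparison against the table size keeps the lookup inside it.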
I'm looking for a breakthrough in java!