CVE-2012-0181, the one that slipped past me
2012-06-22 15:45
1: kd> p
win32k!ReadLayoutFile+0x123:
bf89edb7 7407 je win32k!ReadLayoutFile+0x12c (bf89edc0)
1: kd> p
win32k!ReadLayoutFile+0x125:
bf89edb9 0fb703 movzx eax,word ptr [ebx] ; this allocation originally spanned e294b008--e294ba68; by this point the pointer has already been rewritten
1: kd> db ebx
e294a008 49 a5 1e 82 ff 03 1f 00-00 00 00 00 0c 08 00 00 I...............
e294a018 00 00 00 00 10 08 00 00-00 00 00 00 14 08 00 00 ................
e294a028 00 00 00 00 18 08 00 00-00 00 00 00 1c 08 00 00 ................
e294a038 00 00 00 00 20 08 00 00-00 00 00 00 24 08 00 00 .... .......$...
e294a048 00 00 00 00 28 08 00 00-00 00 00 00 2c 08 00 00 ....(.......,...
e294a058 00 00 00 00 30 08 00 00-00 00 00 00 34 08 00 00 ....0.......4...
e294a068 00 00 00 00 38 08 00 00-00 00 00 00 3c 08 00 00 ....8.......<...
e294a078 00 00 00 00 40 08 00 00-00 00 00 00 44 08 00 00 ....@.......D...
1: kd> .trap 0xffffffffb235689c
ErrCode = 00000000
eax=e2954551 ebx=e294a008 ecx=e294a008 edx=e294b008 esi=00000000 edi=fffff000
eip=bf89edc2 esp=b2356910 ebp=b2356944 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010292
win32k!ReadLayoutFile+0x12e:
bf89edc2 3930 cmp dword ptr [eax],esi ds:0023:e2954551=????????
I had looked at this vulnerability before.
.text:BF882230 mov edi, [ebp+arg_8_is_tainted]
.text:BF882233 sub edi, [eax+0Ch]
An oversized Section RVA here causes the memory pointer allocated above to be rewritten.
At the time I wrote a one-line comment in the idb
and never looked closely at what followed, because on Win7 this vulnerability requires administrator privileges, and on XP SP3 Microsoft wouldn't take it seriously either? The bug didn't seem worth much, so I skimmed it and moved on.......
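The two instructions above (`mov edi, [ebp+arg_8]` / `sub edi, [eax+0Ch]`) subtract a section's VirtualAddress from a caller-supplied RVA and then apply that delta to the buffer base without checking that the result still lies inside the allocation; in the trap frame, edi=fffff000 is exactly such a wrapped delta, and edx-0x1000 gives the overwritten ebx. The following C is an added example written for this post, not code from the post or from win32k: it models that subtraction next to a bounds-checked version so the failure is visible as an offset instead of a bad dereference. The `section_hdr_t` layout, its field names, the `resolve_*` functions and the sample headers are constructed for illustration and are not the real keyboard-layout or PE structures; only the VirtualAddress field sitting at +0x0C and the 0xa60-byte buffer size come from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The page's allocation spanned e294b008..e294ba68, i.e. 0xa60 bytes. */
#define LAYOUT_BUF_LEN 0xa60u

/* Hypothetical section header: padded so that virtual_address lands at
 * offset 0x0C, matching the [eax+0Ch] operand in the disassembly. */
typedef struct {
    uint32_t reserved0;
    uint32_t reserved1;
    uint32_t reserved2;
    uint32_t virtual_address;  /* +0x0C: subtracted from the caller's RVA */
    uint32_t virtual_size;     /* bytes the section claims to cover       */
} section_hdr_t;

/* Constructed sample headers (not from the page). The "bad" one places the
 * section 0x1000 bytes past the RVA it will be asked to resolve, so the
 * subtraction wraps to 0xfffff000, the edi value in the trap frame. */
static const section_hdr_t SAMPLE_GOOD = { 0, 0, 0, 0x0000u, 0x0a60u };
static const section_hdr_t SAMPLE_BAD  = { 0, 0, 0, 0x1000u, 0x0a60u };

/* Mirrors the unchecked arithmetic: edi = rva - VirtualAddress, later added
 * to the buffer base. Returned as a signed offset so the wrap is visible;
 * a negative value means the eventual pointer lands before the allocation. */
ptrdiff_t resolve_unchecked(uint32_t rva, const section_hdr_t *sec)
{
    uint32_t edi = rva - sec->virtual_address;   /* sub edi, [eax+0Ch] */
    return (ptrdiff_t)(int32_t)edi;
}

/* Hardened form: the RVA must fall inside the section's virtual range and
 * the resulting offset must fall inside the bytes actually read into the
 * buffer. Returns the safe offset, or -1 if the header cannot be trusted. */
ptrdiff_t resolve_checked(uint32_t rva, const section_hdr_t *sec, size_t buf_len)
{
    uint32_t delta;

    if (rva < sec->virtual_address)        /* would wrap below the base   */
        return -1;
    delta = rva - sec->virtual_address;    /* cannot overflow after check */
    if (delta >= sec->virtual_size)        /* outside the section itself  */
        return -1;
    if ((size_t)delta >= buf_len)          /* outside what was allocated  */
        return -1;
    return (ptrdiff_t)delta;
}

int main(void)
{
    /* Reproduces the page's numbers: base e294b008 plus a wrapped delta of
     * -0x1000 yields e294a008, the rewritten pointer seen in ebx. */
    uint32_t base = 0xe294b008u;
    ptrdiff_t bad = resolve_unchecked(0x0u, &SAMPLE_BAD);
    printf("unchecked delta = %ld -> pointer %08x\n",
           (long)bad, (unsigned)(base + (uint32_t)bad));
    printf("checked  result = %ld\n",
           (long)resolve_checked(0x0u, &SAMPLE_BAD, LAYOUT_BUF_LEN));
    printf("valid    result = %ld\n",
           (long)resolve_checked(0x10u, &SAMPLE_GOOD, LAYOUT_BUF_LEN));
    return 0;
}
```

The order of the three checks matters: rejecting `rva < virtual_address` first is what makes the subtraction safe, and the final comparison against the buffer length is the one that catches headers whose virtual_size is itself a lie.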