CVE-2010-2553: heap overflow in the CVDecompress function

The PoC is from exploit-db.

The test environment is Windows SP3.

First open Windows Media Player and attach WinDbg to it.

Enable page heap with !gflag +hpa, so that an out-of-bounds heap write faults immediately at the guard page instead of silently corrupting the heap.

    0:011> g
    (7f0.2f8): Access violation - code c0000005 (!!! second chance !!!)
    eax=00008000 ebx=00132060 ecx=000002a4 edx=027ffd38 esi=00147000 edi=00149000
    eip=73b722cc esp=027ffd04 ebp=027ffd30 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    iccvid!CVDecompress+0x11e:
    73b722cc f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    0:011> kb
    ChildEBP RetAddr  Args to Child              
    027ffd30 73b7cbf3 00000004 00003731 00000068 iccvid!CVDecompress+0x11e
    027ffd60 73b766c8 0012c8d0 00000000 00132530 iccvid!Decompress+0x11d
    027ffdac 73b41938 0012c8d0 00000001 0000400d iccvid!DriverProc+0x1bf
    027ffdd0 7cf8fa9e 73b5b500 0000400d 027ffde8 MSVFW32!ICSendMessage+0x2b
    027ffe00 7cf8f9e9 73b5b500 00000000 00132530 quartz!CVFWDynLink::ICDecompress+0x3e
    027ffec0 7cf90a55 01b6c258 01b6a658 00000000 quartz!CAVIDec::Transform+0x282
    027ffeec 7cf90939 01b6c258 00000000 01b836d0 quartz!CVideoTransformFilter::Receive+0x110
    027fff00 7cf8e67a 01b79c5c 01b6c258 027fff40 quartz!CTransformInputPin::Receive+0x33
    027fff10 7cf90ca0 01b6c258 00040103 01b836d0 quartz!CBaseOutputPin::Deliver+0x22
    027fff40 7cf90e1c 027fff70 027fff6c 00000000 quartz!CBaseMSRWorker::TryDeliverSample+0x102
    027fff84 7cf8ce30 00000000 01b836d0 01b836d0 quartz!CBaseMSRWorker::PushLoop+0x15e
    027fff9c 7cf8dbe6 00000000 7cf8a121 00000000 quartz!CBaseMSRWorker::DoRunLoop+0x4a
    027fffa4 7cf8a121 00000000 000a0178 027fffec quartz!CBaseMSRWorker::ThreadProc+0x39
    027fffb4 7c80b713 01b836d0 00000000 000a0178 quartz!CAMThread::InitialThreadProc+0x15
    027fffec 00000000 7cf8a10c 01b836d0 00000000 kernel32!BaseThreadStart+0x37
    0:011> ub iccvid!Decompress+0x11d
    iccvid!Decompress+0x102:
    73b7cbd8 ffb698000000    push    dword ptr [esi+98h]
    73b7cbde 57              push    edi
    73b7cbdf ff7528          push    dword ptr [ebp+28h]
    73b7cbe2 ff752c          push    dword ptr [ebp+2Ch]
    73b7cbe5 ff7530          push    dword ptr [ebp+30h]
    73b7cbe8 ff7514          push    dword ptr [ebp+14h]
    73b7cbeb ff765c          push    dword ptr [esi+5Ch]
    73b7cbee e8bb55ffff      call    iccvid!CVDecompress (73b721ae)

The call at 73b7cbee, iccvid!CVDecompress (73b721ae), is the vulnerable function.

Next, open this function on its own in IDA for detailed analysis.
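As an added example (not part of the original post): a small Python triage helper that parses the register dump from the crash above and spells out what a page-heap fault on rep movs implies. The register dump alone does not say whether the read from [esi] or the write to [edi] faulted, so the helper reports both operands and leaves the read/write decision to the exception record (.exr -1 in WinDbg).

```python
import re

# Sample input: the WinDbg output shown above for the iccvid!CVDecompress crash
# under page heap (!gflag +hpa), embedded here so the script runs offline.
CRASH_DUMP = """\
(7f0.2f8): Access violation - code c0000005 (!!! second chance !!!)
eax=00008000 ebx=00132060 ecx=000002a4 edx=027ffd38 esi=00147000 edi=00149000
eip=73b722cc esp=027ffd04 ebp=027ffd30 iopl=0         nv up ei pl zr na pe nc
iccvid!CVDecompress+0x11e:
73b722cc f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
"""

PAGE_SIZE = 0x1000  # x86 page size; page heap guard pages are page aligned


def parse_registers(dump):
    """Collect the 32-bit registers printed by WinDbg as 'name=hex' pairs."""
    pattern = r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})"
    return {name: int(val, 16) for name, val in re.findall(pattern, dump)}


def triage_rep_movs(dump):
    """Describe an access violation on 'rep movs dword' from the register state.

    rep movs dword copies ECX dwords from DS:[ESI] to ES:[EDI] and stops at the
    first faulting access, so at the crash ECX is the count still to be copied.
    Under page heap every allocation is followed by an inaccessible guard page,
    so an operand sitting exactly on a page boundary is the classic signature
    of a copy that ran off the end of a heap buffer.
    """
    if "Access violation" not in dump or "rep movs dword" not in dump:
        return None
    regs = parse_registers(dump)
    if not all(r in regs for r in ("esi", "edi", "ecx")):
        return None
    return {
        "src": regs["esi"],
        "dst": regs["edi"],
        "src_on_page_boundary": regs["esi"] % PAGE_SIZE == 0,
        "dst_on_page_boundary": regs["edi"] % PAGE_SIZE == 0,
        # bytes the instruction still intended to move when it was stopped
        "bytes_remaining": regs["ecx"] * 4,
    }


if __name__ == "__main__":
    for key, value in triage_rep_movs(CRASH_DUMP).items():
        print(key, hex(value) if type(value) is int else value)
```

For the dump above both esi (00147000) and edi (00149000) land on page boundaries and 0xa90 bytes were still to be copied, so the next step is .exr -1 to confirm the write to [edi] is what faulted.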

Original address: https://www.cnblogs.com/wj2ge/p/5933693.html