Fixing the FILE buffer overflow vulnerability (7)

0:000> p
eax=00000041 ebx=00000000 ecx=00a21080 edx=0000001a esi=00a1e420 edi=0012d22e
eip=00b63b6e esp=0012d1c4 ebp=00000000 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
php_tidy!get_module+0x12b6e:
00b63b6e 83c408          add     esp,8
0:000> p
eax=00000041 ebx=00000000 ecx=00a21080 edx=0000001a esi=00a1e420 edi=0012d22e
eip=00b63b71 esp=0012d1cc ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
php_tidy!get_module+0x12b71:
00b63b71 47              inc     edi
0:000> p
eax=00000041 ebx=00000000 ecx=00a21080 edx=0000001a esi=00a1e420 edi=0012d22f
eip=00b63b72 esp=0012d1cc ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
php_tidy!get_module+0x12b72:
00b63b72 84c0            test    al,al
0:000> dc ecx
00a21080  666e6f43 203a6769 276e6143 706f2074  Config: Can't op
00a21090  22206e65 41414141 00414141 00000000  en "AAAAAAA.....

At this point the buffer has already overflowed; let's look at what is inside it.

0:000> bp 00b63b84
0:000> dc ecx
00a1ef88  666e6f43 203a6769 276e6143 706f2074  Config: Can't op
00a1ef98  22206e65 41414141 41414141 41414141  en "AAAAAAAAAAAA
00a1efa8  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00a1efb8  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00a1efc8  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00a1efd8  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA

Step through to the return.

0:000> p
eax=00000811 ebx=00000000 ecx=00a1ef88 edx=00000810 esi=00000000 edi=00a1da80
eip=00b63b89 esp=0012d1d4 ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
php_tidy!get_module+0x12b89:
00b63b89 5d              pop     ebp
0:000> p
eax=00000811 ebx=00000000 ecx=00a1ef88 edx=00000810 esi=00000000 edi=00a1da80
eip=00b63b8a esp=0012d1d8 ebp=00a1e468 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
php_tidy!get_module+0x12b8a:
00b63b8a 5b              pop     ebx
0:000> p
eax=00000811 ebx=00a1e420 ecx=00a1ef88 edx=00000810 esi=00000000 edi=00a1da80
eip=00b63b8b esp=0012d1dc ebp=00a1e468 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
php_tidy!get_module+0x12b8b:
00b63b8b 81c440080000    add     esp,840h
0:000> p
eax=00000811 ebx=00a1e420 ecx=00a1ef88 edx=00000810 esi=00000000 edi=00a1da80
eip=00b63b91 esp=0012da1c ebp=00a1e468 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
php_tidy!get_module+0x12b91:
00b63b91 c3              ret
0:000> dd esp
0012da1c  41414141 00000a22 00000002 00000000

At this point the saved return address on the stack (the dword at esp, shown by `dd esp`) has been overwritten with 0x41414141; after the `ret`, eip lands at an attacker-controlled address.

0:000> p
eax=00000811 ebx=00a1e420 ecx=00a1ef88 edx=00000810 esi=00000000 edi=00a1da80
eip=41414141 esp=0012da20 ebp=00a1e468 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
41414141 ??              ???

Looking at the logic of the vulnerable function in IDA Pro, the two copies are in fact two `for` loops, neither of which bounds the loop length against the destination buffer; everything is copied.
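The copy pattern described above, as an added example that is not the page's own code or the php_tidy source: the vulnerable unbounded loops beside a bounded form, using the message prefix `Config: Can't open "` seen in the dumps. `MSG_SIZE`, `SCRATCH_SZ` and every function name are assumptions; the real frame in the trace is 0x840 bytes and the actual buffer size is not known, so a small buffer is used to make the overrun visible.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes: the real stack frame in the trace is 0x840 bytes and
 * the intended message buffer size is unknown, so a small one is assumed. */
#define MSG_SIZE   64
#define SCRATCH_SZ 4096

static const char PREFIX[] = "Config: Can't open \"";   /* 20 bytes, as in the dump */

/* Vulnerable pattern: two for loops copy the prefix and the filename into
 * `out` with no check against the destination size. Returns bytes written
 * (without the NUL). When that exceeds the real buffer, the saved return
 * address is overwritten, which is exactly the ret -> 0x41414141 above. */
size_t format_unbounded(char *out, const char *fname)
{
    size_t n = 0;
    for (size_t i = 0; PREFIX[i] != '\0'; i++)
        out[n++] = PREFIX[i];
    for (size_t i = 0; fname[i] != '\0'; i++)
        out[n++] = fname[i];
    out[n++] = '"';
    out[n] = '\0';
    return n;
}

/* Hardened form: the same loops, but each stops at cap - 1 so the NUL
 * always fits; the message is truncated instead of overflowing. */
size_t format_bounded(char *out, size_t cap, const char *fname)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    for (size_t i = 0; PREFIX[i] != '\0' && n < cap - 1; i++)
        out[n++] = PREFIX[i];
    for (size_t i = 0; fname[i] != '\0' && n < cap - 1; i++)
        out[n++] = fname[i];
    if (n < cap - 1)
        out[n++] = '"';
    out[n] = '\0';
    return n;
}

/* Bytes the unbounded version needs for `fname`, including the NUL. */
size_t bytes_needed(const char *fname)
{
    return (sizeof PREFIX - 1) + strlen(fname) + 2;
}

/* 1 if an MSG_SIZE buffer would be overrun by `fname`, else 0. */
int would_overflow(const char *fname)
{
    return bytes_needed(fname) > MSG_SIZE;
}

/* Runs the vulnerable loops into an oversized scratch buffer so this demo
 * does not corrupt its own stack, and reports how many bytes would have
 * landed past an MSG_SIZE buffer (0 if the message fits). */
size_t overrun_bytes(const char *fname)
{
    static char scratch[SCRATCH_SZ];
    size_t n = format_unbounded(scratch, fname) + 1;   /* + NUL */
    return n > MSG_SIZE ? n - MSG_SIZE : 0;
}

/* Bounded version into a real MSG_SIZE buffer; returns the resulting length. */
size_t bounded_len(const char *fname)
{
    char msg[MSG_SIZE];
    return format_bounded(msg, sizeof msg, fname);
}

/* Constructed input: a filename of n 'A' bytes, like the one in the trace. */
char *fill_a(size_t n)
{
    static char buf[SCRATCH_SZ];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    printf("short name overrun: %zu\n", overrun_bytes("php.ini"));
    printf("2200 x 'A' overrun: %zu\n", overrun_bytes(fill_a(2200)));
    printf("bounded length    : %zu\n", bounded_len(fill_a(2200)));
    return 0;
}
```

The boundary is `n < cap - 1` in every loop, not just the last one: the prefix alone could exceed a small buffer, and the closing quote must also be skipped when there is no room for it.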
