Published: 2013-04-27
Updated: 2013-05-02
Affected systems:
Kingsoft Corp WPS Office
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 59529
CVE(CAN) ID: CVE-2012-4886
WPS Office is an office suite developed by Kingsoft.
In WPS Office 2012 and other versions, the Wpsio.dll module contains a stack-based buffer overflow. A BSTR string read from the document is copied into a fixed-size stack buffer using the string's own length as the copy size, with no check against the buffer size. An attacker who supplies a crafted document can crash the affected application and may be able to execute arbitrary code.
<*Source: Zhangjiantao
Link:
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
Excerpted from
POC
==================
Crash info
==================
crash info:
(b70.eb8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012c0a4 ebx=770f4b39 ecx=90909090 edx=0012be00 esi=0012c0a4 edi=0018bd54
eip=45e25208 esp=0012bdec ebp=0012bdf8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
wpsio!TxExport+0x37b1:
45e25208 ff5114 call dword ptr [ecx+14h] ds:0023:909090a4=????????
module info:
start end module name
45e00000 4606f000 wpsio (export symbols) C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll
Loaded symbol image file: C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll
Image path: C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll
Image name: wpsio.dll
Timestamp: Mon May 28 04:10:12 2012 (4FC28A24)
CheckSum: 0026D933
ImageSize: 0026F000
File version: 8.1.0.3238
Product version: 8.1.0.3238
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 0.0 Unknown
File date: 00000000.00000000
Translations: 0000.04b0
CompanyName: Zhuhai Kingsoft Office-software Co.,Ltd
ProductName: Kingsoft Office
InternalName: wpsio
OriginalFilename: wpsio.dll
ProductVersion: 8,1,0,3238
FileVersion: 8,1,0,3238
FileDescription: wpsio
LegalCopyright: Copyright©1988-2011 Kingsoft Corporation. All rights reserved.
Overflow point code
==================
In sub_45E2CC84:
.text:45E2CC84 var_210 = byte ptr -210h ;buffer size 0x200
.text:45E2CC84 var_4 = dword ptr -4
.text:45E2CDB3 push [ebp+Src] ; BSTR
.text:45E2CDB9 call esi ; SysStringLen
.text:45E2CDBB mov [ebp+var_244], eax
.text:45E2CDC1 add eax, eax ;size is 0x170
.text:45E2CDC3 push eax ; Size
.text:45E2CDC4 push [ebp+Src] ; Src
.text:45E2CDCA lea eax, [ebp+var_210]
.text:45E2CDD0 push eax ; Dst
.text:45E2CDD1 call memcpy
First memcpy: copies 0x170 bytes (2 * SysStringLen) into the 0x200-byte buffer var_210.
.text:45E2CE16 push edi ; BSTR
.text:45E2CE17 mov [ebp+var_234], ax
.text:45E2CE1E call esi ; SysStringLen
.text:45E2CE20 add eax, eax
.text:45E2CE22 push eax ; Size
.text:45E2CE23 movzx eax, [ebp+var_234] ;length
.text:45E2CE2A lea eax, [ebp+eax*2+var_210]
.text:45E2CE31 push edi ; Src
.text:45E2CE32 push eax ; Dst
.text:45E2CE33 call memcpy
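Second memcpy: the destination is var_210 + 2 * len1 (len1 is read back from the 16-bit slot var_234) and the size is again 2 * SysStringLen of the second BSTR, so the two fields only have to add up to more than 0x200 bytes to run past the buffer. The crash dump above is consistent with that: TxExport calls through [ecx+14h] with ecx=90909090, a pointer that has been overwritten. The following C program is an added example modelling that copy sequence and its hardened form; it is not Kingsoft's code. The bstr_t stand-in for a BSTR, the 0xCC guard region, and all function names are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the copy sequence in wpsio!sub_45E2CC84 (added
 * example, not Kingsoft code). Two BSTR fields are copied back to back into
 * a 0x200-byte stack buffer with sizes taken from SysStringLen(), i.e. from
 * length prefixes the document author controls. */

#define BUF_BYTES   0x200   /* size of var_210 in the listing */
#define GUARD_BYTES 0x200   /* assumed sentinel region placed after the buffer for the demo */
#define MAX_CHARS   0x100   /* cap on each constructed field, so the demo never leaves its arena */

/* Minimal BSTR model: byte-length prefix followed by UTF-16 code units.
 * Real BSTRs come from SysAllocStringLen; this stand-in runs offline. */
typedef struct {
    uint32_t nbytes;
    uint16_t data[MAX_CHARS];
} bstr_t;

static void make_bstr(bstr_t *b, uint16_t fill, size_t nchars) {
    if (nchars > MAX_CHARS) nchars = MAX_CHARS;
    b->nbytes = (uint32_t)(nchars * 2);
    for (size_t i = 0; i < nchars; i++) b->data[i] = fill;
}

/* SysStringLen analogue: length in UTF-16 code units. */
static uint32_t sys_string_len(const bstr_t *b) { return b->nbytes / 2; }

/* Vulnerable pattern, following the disassembly:
 *   eax = SysStringLen(s1); eax += eax; memcpy(var_210, s1, eax);
 *   len1 is parked in a 16-bit slot (var_234, "mov [ebp+var_234], ax");
 *   eax = SysStringLen(s2); eax += eax; memcpy(var_210 + 2*(uint16)len1, s2, eax);
 * Neither size is compared with the 0x200 bytes available. The destination
 * is a parameter so the demo below can surround it with a guard region. */
static void copy_fields_unchecked(uint16_t *buf, const bstr_t *s1, const bstr_t *s2) {
    uint32_t len1 = sys_string_len(s1);
    memcpy(buf, s1->data, (size_t)len1 * 2);
    uint16_t len1_trunc = (uint16_t)len1;      /* movzx eax, [ebp+var_234] */
    uint32_t len2 = sys_string_len(s2);
    memcpy(buf + len1_trunc, s2->data, (size_t)len2 * 2);
}

/* Hardened form: every copy is bounded by the room left in the destination.
 * Returns 0 on success, -1 if either field would overrun buf. */
static int copy_fields_checked(uint16_t *buf, size_t buf_bytes,
                               const bstr_t *s1, const bstr_t *s2) {
    size_t len1 = sys_string_len(s1), len2 = sys_string_len(s2);
    size_t cap = buf_bytes / 2;                /* capacity in code units */
    if (len1 > cap) return -1;
    if (len2 > cap - len1) return -1;          /* cap - len1 cannot underflow here */
    memcpy(buf, s1->data, len1 * 2);
    memcpy(buf + len1, s2->data, len2 * 2);
    return 0;
}

/* Demo: run the unchecked copy into a 0x200-byte region followed by a
 * 0xCC-filled guard area and count the guard bytes that were overwritten.
 * 0 means the two fields fit; anything else is the number of bytes that
 * would have landed on saved registers, the return address and caller
 * frames on the real stack. */
static size_t guard_bytes_clobbered(size_t chars1, size_t chars2) {
    uint16_t arena[(BUF_BYTES + GUARD_BYTES) / 2];
    static bstr_t s1, s2;                      /* static: keeps the models off the stack */
    memset(arena, 0xCC, sizeof arena);
    make_bstr(&s1, 0x4141, chars1);
    make_bstr(&s2, 0x9090, chars2);            /* the crash dump shows ecx=90909090 */
    copy_fields_unchecked(arena, &s1, &s2);
    const uint8_t *bytes = (const uint8_t *)arena;
    size_t n = 0;
    for (size_t i = BUF_BYTES; i < sizeof arena; i++)
        if (bytes[i] != 0xCC) n++;
    return n;
}

/* Same two inputs through the checked copy: 0 if accepted, -1 if rejected. */
static int checked_copy_result(size_t chars1, size_t chars2) {
    uint16_t buf[BUF_BYTES / 2];
    static bstr_t s1, s2;
    make_bstr(&s1, 0x4141, chars1);
    make_bstr(&s2, 0x9090, chars2);
    return copy_fields_checked(buf, sizeof buf, &s1, &s2);
}

int main(void) {
    /* First field 0x170 bytes (0xB8 code units) as in the listing, second 0x200 bytes. */
    printf("unchecked: %zu guard bytes overwritten\n", guard_bytes_clobbered(0xB8, 0x100));
    printf("checked:   %d\n", checked_copy_result(0xB8, 0x100));
    return 0;
}
```

With a first field of 0x170 bytes, as in the PoC, and a second field of 0x200 bytes, the unchecked copy writes 0x170 bytes past the end of the buffer while the checked version rejects the same input before copying anything. The fix that matters is the comparison against the destination size in copy_fields_checked; the 16-bit truncation of the first length is kept in the model only because the listing does it, and it changes nothing about where the overflow starts.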