Bitcomet_torrent_uri handle buffer overflow vulnerability analysis memo


// I have seen an actual anti-overflow mechanism :)


Author: cocoruder
Date: 01/24/2006

Vulnerability reports: http://www.nsfocus.net/vulndb/8422 , BugTraq ID: 16311
Download a BitTorrent seed (.torrent) file from the Internet and decode it; the result looks like this:

// -------------------------------------- Start ---------------------------------------------------
announce = http://tracker.icefish.org:8080/announce
created by = BitComet/0.61
creation date = 1138017089
encoding = GBK
info =
{
  length = 347723144
  name = happysunday20060122.rm
  name.utf-8 = happysunday20060122.rm
  piece length = 262144
  pieces = ...
  publisher = http://bt.icefish.org
  publisher-url = http://bt.icefish.org      // buffer overflow
  publisher-url.utf-8 = http://bt.icefish.org
  publisher.utf-8 = http://bt.icefish.org
}
nodes =
{
  86.52.67.165:17284
  84.122.33.248:13162
  60.51.18.5:9161
  82.154.234.249:10078
  84.9.113.230:6881
  69.140.109.108:36285
  24.126.127.49:25644
  81.233.17.102:8255
  210.159.185.90:7454
  62.231.82.41:12932
}
// -------------------------------------------- End ---------------------------------------------

The referenced vulnerability report says the program mishandles the publisher-url value ("http://bt.icefish.org"), so set an overlong publisher-url value and open the torrent file with BitComet. When the "Creator" link is clicked, BitComet exits immediately without any visible error. This shows that the program installs its own exception handler, so the old approach of walking back the call stack after the crash makes it hard to locate the overflow quickly; instead, search memory directly for the buffer contents and set a memory breakpoint there. The problem code is as follows:

.text:0045ccb0 sub_45ccb0 proc near ; CODE XREF: sub_45c320+19p
.text:0045ccb0                      ; sub_45ce00+40p
.text:0045ccb0
.text:0045ccb0 var_420     = dword ptr -420h
.text:0045ccb0 WideCharStr = word ptr -414h
.text:0045ccb0 var_4       = dword ptr -4
.text:0045ccb0 lpFile      = dword ptr 0Ch
.text:0045ccb0 nShowCmd    = dword ptr 10h
.text:0045ccb0
.text:0045ccb0 push ebp
.text:0045ccb1 mov ebp, esp
.text:0045ccb3 sub esp, 414h ; allocate the local variable, size 0x414
.text:0045ccb9 mov eax, dword_5fbf64
.text:0045ccbe push ebx
.text:0045ccbf push esi
.text:0045ccc0 mov [ebp+var_4], eax ; store the random value held at [005fbf64] in the last 4 bytes of the local variable
.text:0045ccc3 push edi
.text:0045ccc4 lea eax, [ebp+WideCharStr]
.text:0045ccca push eax
.text:0045cccb mov ecx, offset a_htm ; ".htm"
.text:0045ccd0 mov edx, 80000000h
.text:0045ccd5 call sub_45c9f0
.text:0045ccda test eax, eax
.text:0045ccdc jnz loc_45cdce
.text:0045cce2 mov ebx, ds:lstrcatW
.text:0045cce8 push offset aShellOpenComma ; lpString2
.text:0045cced lea ecx, [ebp+WideCharStr]
.text:0045ccf3 push ecx ; lpString1
.text:0045ccf4 call ebx ; lstrcatW
.text:0045ccf6 lea edx, [ebp+WideCharStr]
.text:0045ccfc push edx
.text:0045ccfd mov ecx, edx
.text:0045ccff mov edx, 80000000h
.text:0045cd04 call sub_45c9f0 ; obtain the IE path + name + parameters
.text:0045cd09 test eax, eax
.text:0045cd0b jnz loc_45cdce
.text:0045cd11 lea eax, [ebp+WideCharStr]
.text:0045cd17 push offset a1 ; wchar_t *
.text:0045cd1c push eax ; wchar_t *
.text:0045cd1d call _wcsstr
.text:0045cd22 mov edi, ds:lstrlenW
.text:0045cd28 mov esi, eax
.text:0045cd2a add esp, 8
.text:0045cd2d test esi, esi
.text:0045cd2f jnz short loc_45cd5d
.text:0045cd31 lea ecx, [ebp+WideCharStr]
.text:0045cd37 push offset a1_0 ; wchar_t *
.text:0045cd3c push ecx ; wchar_t *
.text:0045cd3d call _wcsstr
.text:0045cd42 mov esi, eax
.text:0045cd44 add esp, 8
.text:0045cd47 test esi, esi
.text:0045cd49 jnz short loc_45cd5d
.text:0045cd4b lea edx, [ebp+WideCharStr]
.text:0045cd51 push edx ; lpString
.text:0045cd52 call edi ; lstrlenW
.text:0045cd54 lea esi, [ebp+eax*2-416h]
.text:0045cd5b jmp short loc_45cd62
.text:0045cd5d ; ---------------------------------------------------------------------------
.text:0045cd5d
.text:0045cd5d loc_45cd5d: ; CODE XREF: sub_45ccb0+7fj
.text:0045cd5d             ; sub_45ccb0+99j
.text:0045cd5d mov word ptr [esi], 0
.text:0045cd62
.text:0045cd62 loc_45cd62: ; CODE XREF: sub_45ccb0+abj
.text:0045cd62 push offset asc_5b2a20 ; lpString2
.text:0045cd67 push esi ; lpString1
.text:0045cd68 call ebx ; lstrcatW ; IE path + name + parameters + 1 space
.text:0045cd6a mov eax, [ebp+lpFile]
.text:0045cd6d push eax ; lpString2
.text:0045cd6e push esi ; lpString1
.text:0045cd6f call ebx ; lstrcatW ; IE path + name + parameters + 1 space + publisher-url value: overflow!
.text:0045cd71 call Target
.text:0045cd77 lea ecx, [ebp+WideCharStr]
.text:0045cd7d push ecx ; lpString
.text:0045cd7e mov ebx, eax
.text:0045cd80 call edi ; lstrlenW
.text:0045cd82 lea edi, [eax+2]
.text:0045cd85 mov eax, edi
.text:0045cd88 add eax, 3
.text:0045cd8b and eax, 0FFFFFFFCh
.text:0045cd8e call _alloca_probe
.text:0045cd93 mov esi, esp
.text:0045cd95 test esi, esi
.text:0045cd97 jz short loc_45cdbc
.text:0045cd99 push 0 ; lpUsedDefaultChar
.text:0045cd9b push 0 ; lpDefaultChar
.text:0045cd9d push edi ; cchMultiByte
.text:0045cd9e push esi ; lpMultiByteStr
.text:0045cd9f push 0FFFFFFFFh ; cchWideChar
.text:0045cda1 lea edx, [ebp+WideCharStr]
.text:0045cda7 push edx ; lpWideCharStr
.text:0045cda8 push 0 ; dwFlags
.text:0045cdaa push ebx ; CodePage
.text:0045cdab mov byte ptr [esi], 0
.text:0045cdae call ds:WideCharToMultiByte ; wchar --> char
.text:0045cdb4 neg eax
.text:0045cdb6 sbb eax, eax
.text:0045cdb8 and eax, esi
.text:0045cdba jmp short loc_45cdbe
.text:0045cdbc ; ---------------------------------------------------------------------------
.text:0045cdbc
.text:0045cdbc loc_45cdbc: ; CODE XREF: sub_45ccb0+e7j
.text:0045cdbc xor eax, eax
.text:0045cdbe
.text:0045cdbe loc_45cdbe: ; CODE XREF: sub_45ccb0+10aj
.text:0045cdbe mov ecx, [ebp+nShowCmd]
.text:0045cdc1 push ecx ; uCmdShow
.text:0045cdc2 push eax ; lpCmdLine
.text:0045cdc3 call ds:WinExec ; WinExec launches IE to open the URL
.text:0045cdc9 cmp eax, 20h
.text:0045cdcc ja short loc_45cde7
.text:0045cdce
.text:0045cdce loc_45cdce: ; CODE XREF: sub_45ccb0+2cj
.text:0045cdce             ; sub_45ccb0+5bj
.text:0045cdce mov edx, [ebp+nShowCmd]
.text:0045cdd1 mov eax, [ebp+lpFile]
.text:0045cdd4 push edx ; nShowCmd
.text:0045cdd5 push 0 ; lpDirectory
.text:0045cdd7 push 0 ; lpParameters
.text:0045cdd9 push eax ; lpFile
.text:0045cdda push offset Operation ; lpOperation
.text:0045cddf push 0 ; hwnd
.text:0045cde1 call ds:ShellExecuteW ; opens or prints the specified file
.text:0045cde7
.text:0045cde7 loc_45cde7: ; CODE XREF: sub_45ccb0+11cj
.text:0045cde7 lea esp, [ebp-420h] ; restore esp, releasing the local variables
.text:0045cded mov ecx, [ebp+var_4] ; ecx = the last 4 bytes of the 0x414-byte local variable
.text:0045cdf0 call sub_53f2fa ; checks whether those 4 bytes were changed and acts accordingly
.text:0045cdf5 pop edi
.text:0045cdf6 pop esi
.text:0045cdf7 pop ebx
.text:0045cdf8 mov esp, ebp
.text:0045cdfa pop ebp
.text:0045cdfb retn 0Ch
.text:0045cdfb sub_45ccb0 endp

The overflow is triggered because lstrcatW is called at 0045cd6f without any check on the length of the source string (the source string is the URL, which we control). However, because of the program's own security check mechanism, the overflow attack cannot be completed.

Security check principle:
At the start of the function, a local variable (call it szWinExecParam[0x414]) is allocated and its last 4 bytes are set to a random value; just before the function returns, that value is checked. If it has changed, a warning dialog is shown and the process exits. Because a stack overflow must completely overwrite the remaining local variables and the saved EBP before it can reach the return address, this check mechanism is simple and effective, and is recommended.
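A C model of the frame and the two checks discussed above, added here as an example and not taken from the memo or from BitComet: the unchecked append that reproduces the lstrcatW defect at 0045cd6f, the cookie comparison performed before ret, and the length check that would have prevented the overflow. The IE path and the cookie value are constructed stand-ins, and the buffer is modelled with narrow chars rather than UTF-16.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    0x414u      /* size of WideCharStr in sub_45ccb0 */
#define COOKIE_SEED 0xa55fbf64u /* constructed stand-in for the random value at dword_5fbf64 */

/* Constructed IE path; the real one is obtained by sub_45c9f0. */
static const char IE_PATH[] = "C:\\Program Files\\Internet Explorer\\iexplore.exe";

/* Frame in the order the disassembly shows: buffer, then cookie var_4 (saved EBP and the
 * return address follow). Narrow chars for brevity; UTF-16 only halves the count needed. */
struct frame {
    char     buf[BUF_SIZE];
    uint32_t cookie;
};

/* Mirrors the unchecked lstrcatW at 0045cd6f: appends src and its NUL after the current
 * contents regardless of buffer size; clamped to the struct only to keep the model defined. */
static void append_unchecked(struct frame *f, const char *src)
{
    size_t used = strlen(f->buf), n = strlen(src) + 1, room = sizeof(*f) - used;
    if (n > room) n = room;
    memcpy((char *)f + used, src, n);
}

/* Longest URL that fits after "<IE path> " and still leaves room for the NUL. */
static size_t max_safe_url_len(void) { return BUF_SIZE - sizeof(IE_PATH) - 1; }

/* The check sub_53f2fa performs before ret: 1 if the cookie is intact, 0 if a URL of
 * url_len bytes overwrote it (the case where BitComet exits instead of returning). */
static int cookie_survives(size_t url_len)
{
    struct frame f = { .cookie = COOKIE_SEED };
    char url[0x600];
    if (url_len > sizeof(url) - 1) url_len = sizeof(url) - 1;
    memset(url, 'A', url_len); url[url_len] = '\0';
    strcpy(f.buf, IE_PATH); strcat(f.buf, " ");  /* IE path + name + parameters + 1 space */
    append_unchecked(&f, url);                   /* + publisher-url value: overflow */
    return f.cookie == COOKIE_SEED;
}

/* The length check lstrcatW lacks: build "<IE path> <url>" only when it fits in cap bytes
 * (path, space, url, NUL). Returns 0 on success, -1 when the URL is rejected. */
static int build_cmdline_checked(char *dst, size_t cap, const char *url)
{
    if (sizeof(IE_PATH) + 1 + strlen(url) > cap) return -1;
    snprintf(dst, cap, "%s %s", IE_PATH, url);
    return 0;
}
```

With the constructed path, a URL of up to 995 bytes fits and leaves the cookie untouched; one byte more lands the terminator on the cookie, which is exactly the condition sub_53f2fa aborts on.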

-- EOF --
