Yahoo! Webcam ActiveX 취약점에 대한 디스어셈블리

Yahoo! Webcam ActiveX 취약점에 대한 디스어셈블리.

다음 링크에서 소개되고 있는 취약점에 대한 개인적인 disassembly입니다.

http://research.eeye.com/html/alerts/zeroday/20070606.html

call strcpy를 하는 부분에서 버퍼 오버플로우가 발생하게 됩니다. 이 루틴은 여러 종류의 COM 메쏘드를 통해서 불릴 수 있습니다.

exploit은 http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0131.html 과 http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0133.html 을 참조하기 바랍니다.

Disassembling

ywcvwr

02700000 02723000 ywcvwr C (export symbols) ywcvwr.dll

.text:03971000 ; Input MD5 : 75BB9620F65D004B02331B6EE87DEEA7

.text:03971000

.text:03971000 ; File Name : C:\Program Files\Yahoo!\Messenger\ywcvwr.dll

.text:03971000 ; Format : Portable executable for 80386 (PE)

.text:03971000 ; Imagebase : 10000000

.text:03971000 ; Section 1. (virtual address 00001000)

.text:03971000 ; Virtual size : 00015356 ( 86870.)

.text:03971000 ; Section size in file : 00016000 ( 90112.)

.text:03971000 ; Offset to raw data for section: 00001000

.text:03971000 ; Flags 60000020: Text Executable Readable

.text:03971000 ; Alignment : default

.text:03971000 ; OS type : MS Windows

.text:03971000 ; Application type: DLL 32bit

.text:03971000

Base in File: 03971000

Loaded: 02700000

Point of Interest: 027067bc

027067BC - 02700000 = 67BC

03971000 + 67BC = 039777BC; 039777BC - 00001000 = 039767BC

.text:039767A2 push eax ; char *

.text:039767A3 push 3FFh ; cbData

.text:039767A8 lea eax, [ebp-434h]

.text:039767AE push eax ; lpData

.text:039767AF push offset ValueName ; “WebcamServer”

.text:039767B4 lea ecx, [ebp-34h]

.text:039767B7 call sub_39731E9

.text:039767BC mov eax, [esi+2FCh]

0397676B

.text:0397676B or dword ptr [ebp-4], 0FFFFFFFFh

.text:0397676F test eax, eax

.text:03976771 mov [esi+2FCh], eax

.text:03976777 jz loc_3976867

.text:0397677D push 80000001h

.text:03976782 push offset aSoftwareYahooP ; “Software\\Yahoo\\Pager\\”

.text:03976787 lea ecx, [ebp-34h]

.text:0397678A call sub_397324C

.text:0397678F lea ecx, [esi+220h]

.text:03976795 mov dword ptr [ebp-4], 1

.text:0397679C call ds:?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::c_str(void)

call sub_39731E9

.text:039767A2 push eax ; char *

.text:039767A3 push 3FFh ; cbData

.text:039767A8 lea eax, [ebp-434h]

.text:039767AE push eax ; lpData

.text:039767AF push offset ValueName ; “WebcamServer”

.text:039767B4 lea ecx, [ebp-34h]

.text:039767B7 call sub_39731E9

.text:039767BC mov eax, [esi+2FCh]

.text:039767C2 mov ebx, [eax]

call sub_39731E9

.text:0397C913 push 80000001h

.text:0397C918 push offset aSoftwareYahooP ; “Software\\Yahoo\\Pager\\”

.text:0397C91D lea ecx, [ebp-30h]

.text:0397C920 call sub_397324C

.text:0397C925 push offset aWebcam_yahoo_c ; “webcam.yahoo.com”

.text:0397C92A push 63h ; cbData

.text:0397C92C lea eax, [ebp-94h]

.text:0397C932 push eax ; lpData

.text:0397C933 push offset ValueName ; “WebcamServer”

.text:0397C938 lea ecx, [ebp-30h]

.text:0397C93B mov byte ptr [ebp-4], 11h

0397C93F call sub_39731E9

sub_39731E9

.text:039731E9 ; int __stdcall sub_39731E9(LPCSTR lpValueName,char *lpData,DWORD cbData,char *)
.text:039731E9 ; Purpose (as visible here): open the registry key described by the object in ecx,
.text:039731E9 ;   query lpValueName into the caller's lpData buffer (bounded by cbData), and if the
.text:039731E9 ;   value was not a REG_SZ (Type != 1) fall back to strcpy(lpData, arg_C).
.text:039731E9 ; In:    ecx = object pointer; [ecx] = root HKEY, [ecx+4] = std::string sub-key
.text:039731E9 ;        [ebp+8]=lpValueName, [ebp+0Ch]=lpData, [ebp+10h]=cbData, [ebp+14h]=arg_C (fallback string)
.text:039731E9 ; Out:   eax = lpData
.text:039731E9 ; Stack: 4 args cleaned by callee (retn 10h); 8 bytes of locals (Type, hKey)
.text:039731E9 ; NOTE(review): IDA labels this __stdcall, but ecx is consumed as an object pointer
.text:039731E9 ;   at 039731F3, so the effective convention is thiscall.
.text:039731E9 ; NOTE(review): the strcpy at 0397323E is the only copy into lpData that is not bounded
.text:039731E9 ;   by cbData; the length of arg_C is never compared with the buffer size.

.text:039731E9 sub_39731E9 proc near ; CODE XREF: sub_397671E+99#p

.text:039731E9 ; sub_397C7C5+17A#p

.text:039731E9

.text:039731E9 Type= dword ptr -8

.text:039731E9 hKey= dword ptr -4

.text:039731E9 lpValueName= dword ptr 8

.text:039731E9 lpData= dword ptr 0Ch

.text:039731E9 cbData= dword ptr 10h

.text:039731E9 arg_C= dword ptr 14h

.text:039731E9

.text:039731E9 push ebp

.text:039731EA mov ebp, esp

.text:039731EC push ecx ; reserve 8 bytes of locals (Type, hKey); the pushed

.text:039731ED push ecx ; value itself is irrelevant, only the stack space

.text:039731EE and [ebp+Type], 0 ; Type = 0 before any query: if RegOpenKeyA fails below, Type stays 0 and the strcpy path at 03973238 is taken

.text:039731F2 push esi

.text:039731F3 mov esi, ecx ; esi = this

.text:039731F5 lea eax, [ebp+hKey]

.text:039731F8 push eax ; phkResult

.text:039731F9 lea ecx, [esi+4] ; this->subkey (std::string)

.text:039731FC call ds:?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::c_str(void)

.text:03973202 push eax ; lpSubKey

.text:03973203 push dword ptr [esi] ; hKey (this->root)

.text:03973205 call ds:RegOpenKeyA

.text:0397320B test eax, eax ; ERROR_SUCCESS == 0

.text:0397320D pop esi

.text:0397320E jnz short loc_3973232 ; open failed: skip the query, Type is still 0

.text:03973210 lea eax, [ebp+cbData] ; cbData is reused in place as the in/out size (lpcbData)

.text:03973213 push eax ; lpcbData

.text:03973214 push [ebp+lpData] ; lpData

.text:03973217 lea eax, [ebp+Type]

.text:0397321A push eax ; lpType

.text:0397321B push 0 ; lpReserved

.text:0397321D push [ebp+lpValueName] ; lpValueName

.text:03973220 push [ebp+hKey] ; hKey

.text:03973223 call ds:RegQueryValueExA ; return value is not checked; only Type is inspected afterwards

.text:03973229 push [ebp+hKey] ; hKey

.text:0397322C call ds:RegCloseKey

.text:03973232

.text:03973232 loc_3973232: ; CODE XREF: sub_39731E9+25#j

.text:03973232 cmp [ebp+Type], 1 ; 1 == REG_SZ

.text:03973236 jz short loc_3973245 ; got a string value: use lpData as filled by the query

call strcpy

.text:03973238 push [ebp+arg_C] ; char * (source: caller's fallback string)

.text:0397323B push [ebp+lpData] ; char * (destination: caller's buffer)

.text:0397323E call strcpy ; unbounded copy of arg_C into lpData; cbData is not consulted here

.text:03973243 pop ecx ; cdecl: caller cleans the

.text:03973244 pop ecx ; two strcpy arguments

.text:03973245

.text:03973245 loc_3973245: ; CODE XREF: sub_39731E9+4D#j

.text:03973245 mov eax, [ebp+lpData] ; return the buffer pointer

.text:03973248 leave

.text:03973249 retn 10h ; callee cleans 4 dword arguments

.text:03973249 sub_39731E9 endp
