Disassembly of the Yahoo! Webcam ActiveX vulnerability (2007/09/25)
This is my own disassembly of the vulnerability described at the following link.
http://research.eeye.com/html/alerts/zeroday/20070606.html
The buffer overflow occurs at the call strcpy shown below. The routine that contains it is a small registry helper: it reads a value (here "WebcamServer" under HKCU\Software\Yahoo\Pager, 80000001h being HKEY_CURRENT_USER) with RegQueryValueExA bounded by cbData, but if the value is not of type REG_SZ (Type != 1, which is also the case when the key or value does not exist, since Type is zeroed on entry and the RegOpenKeyA failure path skips the query) it falls back to strcpy of the caller-supplied default into the same buffer with no length check. This routine can be reached through several different COM methods of the control, and in the first caller the default is the c_str() of a std::string member of the object, so the length of the copied string is not fixed.
For the exploit, see http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0131.html and http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0133.html.
Disassembling
ywcvwr
02700000 02723000 ywcvwr C (export symbols) ywcvwr.dll
.text:03971000 ; Input MD5 : 75BB9620F65D004B02331B6EE87DEEA7
.text:03971000
.text:03971000 ; File Name : C:\Program Files\Yahoo!\Messenger\ywcvwr.dll
.text:03971000 ; Format : Portable executable for 80386 (PE)
.text:03971000 ; Imagebase : 10000000
.text:03971000 ; Section 1. (virtual address 00001000)
.text:03971000 ; Virtual size : 00015356 ( 86870.)
.text:03971000 ; Section size in file : 00016000 ( 90112.)
.text:03971000 ; Offset to raw data for section: 00001000
.text:03971000 ; Flags 60000020: Text Executable Readable
.text:03971000 ; Alignment : default
.text:03971000 ; OS type : MS Windows
.text:03971000 ; Application type: DLL 32bit
.text:03971000
Base in File: 03971000
Loaded: 02700000
Point of Interest: 027067bc
027067BC - 02700000 = 67BC (offset from the load base)
03971000 + 67BC = 039777BC; 039777BC - 00001000 = 039767BC (address in the IDA listing: the return address of the call at 039767B7 below)
.text:039767A2 push eax ; char *
.text:039767A3 push 3FFh ; cbData
.text:039767A8 lea eax, [ebp-434h]
.text:039767AE push eax ; lpData
.text:039767AF push offset ValueName ; "WebcamServer"
.text:039767B4 lea ecx, [ebp-34h]
.text:039767B7 call sub_39731E9
.text:039767BC mov eax, [esi+2FCh]
Caller 1 (sub_397671E), context from 0397676B:
.text:0397676B or dword ptr [ebp-4], 0FFFFFFFFh
.text:0397676F test eax, eax
.text:03976771 mov [esi+2FCh], eax
.text:03976777 jz loc_3976867
.text:0397677D push 80000001h
.text:03976782 push offset aSoftwareYahooP ; "Software\\Yahoo\\Pager\\"
.text:03976787 lea ecx, [ebp-34h]
.text:0397678A call sub_397324C
.text:0397678F lea ecx, [esi+220h]
.text:03976795 mov dword ptr [ebp-4], 1
.text:0397679C call ds:?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::c_str(void)
.text:039767A2 push eax ; char *
.text:039767A3 push 3FFh ; cbData
.text:039767A8 lea eax, [ebp-434h]
.text:039767AE push eax ; lpData
.text:039767AF push offset ValueName ; "WebcamServer"
.text:039767B4 lea ecx, [ebp-34h]
.text:039767B7 call sub_39731E9
.text:039767BC mov eax, [esi+2FCh]
.text:039767C2 mov ebx, [eax]
Caller 2 (sub_397C7C5), with the constant default "webcam.yahoo.com" and cbData = 63h:
.text:0397C913 push 80000001h
.text:0397C918 push offset aSoftwareYahooP ; "Software\\Yahoo\\Pager\\"
.text:0397C91D lea ecx, [ebp-30h]
.text:0397C920 call sub_397324C
.text:0397C925 push offset aWebcam_yahoo_c ; "webcam.yahoo.com"
.text:0397C92A push 63h ; cbData
.text:0397C92C lea eax, [ebp-94h]
.text:0397C932 push eax ; lpData
.text:0397C933 push offset ValueName ; "WebcamServer"
.text:0397C938 lea ecx, [ebp-30h]
.text:0397C93B mov byte ptr [ebp-4], 11h
.text:0397C93F call sub_39731E9
The callee, sub_39731E9 (registry read with fallback default):
.text:039731E9 ; int __stdcall sub_39731E9(LPCSTR lpValueName,char *lpData,DWORD cbData,char *)
.text:039731E9 sub_39731E9 proc near ; CODE XREF: sub_397671E+99#p
.text:039731E9 ; sub_397C7C5+17A#p
.text:039731E9
.text:039731E9 Type= dword ptr -8
.text:039731E9 hKey= dword ptr -4
.text:039731E9 lpValueName= dword ptr 8
.text:039731E9 lpData= dword ptr 0Ch
.text:039731E9 cbData= dword ptr 10h
.text:039731E9 arg_C= dword ptr 14h
.text:039731E9
.text:039731E9 push ebp
.text:039731EA mov ebp, esp
.text:039731EC push ecx
.text:039731ED push ecx
.text:039731EE and [ebp+Type], 0
.text:039731F2 push esi
.text:039731F3 mov esi, ecx
.text:039731F5 lea eax, [ebp+hKey]
.text:039731F8 push eax ; phkResult
.text:039731F9 lea ecx, [esi+4]
.text:039731FC call ds:?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::c_str(void)
.text:03973202 push eax ; lpSubKey
.text:03973203 push dword ptr [esi] ; hKey
.text:03973205 call ds:RegOpenKeyA
.text:0397320B test eax, eax
.text:0397320D pop esi
.text:0397320E jnz short loc_3973232
.text:03973210 lea eax, [ebp+cbData]
.text:03973213 push eax ; lpcbData
.text:03973214 push [ebp+lpData] ; lpData
.text:03973217 lea eax, [ebp+Type]
.text:0397321A push eax ; lpType
.text:0397321B push 0 ; lpReserved
.text:0397321D push [ebp+lpValueName] ; lpValueName
.text:03973220 push [ebp+hKey] ; hKey
.text:03973223 call ds:RegQueryValueExA
.text:03973229 push [ebp+hKey] ; hKey
.text:0397322C call ds:RegCloseKey
.text:03973232
.text:03973232 loc_3973232: ; CODE XREF: sub_39731E9+25#j
.text:03973232 cmp [ebp+Type], 1
.text:03973236 jz short loc_3973245
The call strcpy, reached when Type != 1 (REG_SZ):
.text:03973238 push [ebp+arg_C] ; char *
.text:0397323B push [ebp+lpData] ; char *
.text:0397323E call strcpy
.text:03973243 pop ecx
.text:03973244 pop ecx
.text:03973245
.text:03973245 loc_3973245: ; CODE XREF: sub_39731E9+4D#j
.text:03973245 mov eax, [ebp+lpData]
.text:03973248 leave
.text:03973249 retn 10h
.text:03973249 sub_39731E9 endp
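As an added illustration (my reconstruction in C, not code from the post, from eEye or from ywcvwr.dll): the control flow of sub_39731E9 rewritten from the listing, with the registry replaced by a constructed in-memory table so it runs offline on any platform, the strcpy fallback kept exactly as the binary has it, and a bounded variant beside it. The table contents, the fake_RegQueryValueExA stand-in, the 80-byte "attacker" default and the 0x40-byte scratch buffer are assumptions made for the demo; the cbData figure of 0x3FF comes from the first caller in the listing.

```c
/*
 * Added example: a C reconstruction of sub_39731E9's logic as read from the
 * listing above, NOT code from the post or from ywcvwr.dll. The registry is
 * replaced by a constructed in-memory table (fake_RegQueryValueExA) so that
 * the example runs offline on any platform.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define REG_SZ               1u   /* the value Type is compared with at loc_3973232 */
#define REG_BINARY           3u
#define ERROR_SUCCESS        0
#define ERROR_FILE_NOT_FOUND 2
#define SZ(s) s, sizeof s         /* string literal plus its size including the NUL */

/* Constructed stand-in for the values under HKCU\Software\Yahoo\Pager. */
typedef struct { const char *name; unsigned type; const char *data; size_t len; } reg_value;
static const reg_value g_store[] = {
    { "WebcamServer", REG_BINARY, "\x01\x02\x03", 3 },        /* wrong type: forces the fallback */
    { "Proxy",        REG_SZ,     SZ("proxy.example:8080") }, /* a well-typed REG_SZ value */
};

/* A constructed, attacker-length default (80 bytes of 'A' plus NUL). */
static const char g_long_default[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Scratch buffer standing in for the stack buffer at [ebp-434h] (assumed size). */
static char g_buf[0x40];

/* Mimics RegQueryValueExA: copies at most *cb bytes into data, reports type and size. */
static int fake_RegQueryValueExA(const char *name, unsigned *type, char *data, size_t *cb)
{
    for (size_t i = 0; i < sizeof g_store / sizeof g_store[0]; i++) {
        if (strcmp(g_store[i].name, name) != 0)
            continue;
        size_t n = g_store[i].len < *cb ? g_store[i].len : *cb;
        memcpy(data, g_store[i].data, n);
        *type = g_store[i].type;
        *cb   = n;
        return ERROR_SUCCESS;
    }
    return ERROR_FILE_NOT_FOUND;   /* *type is left untouched, i.e. still 0 */
}

/* sub_39731E9 as disassembled: `dflt` is arg_C. The first caller passes the
 * c_str() of a std::string held by the COM object, so its length is not fixed. */
char *get_value_vuln(const char *name, char *buf, size_t cb, const char *dflt)
{
    unsigned type = 0;                              /* and [ebp+Type], 0 */
    fake_RegQueryValueExA(name, &type, buf, &cb);   /* read is bounded by cb ... */
    if (type != REG_SZ)
        strcpy(buf, dflt);                          /* ... the fallback is not: overflows if strlen(dflt) >= cb */
    return buf;                                     /* mov eax, [ebp+lpData] */
}

/* The overflow condition of the strcpy path, stated so it can be checked
 * without executing it: a default of cb or more bytes runs past the buffer. */
int fallback_overflows(size_t cb, size_t dflt_len)
{
    return dflt_len + 1 > cb;
}

/* Bounded variant: the fallback obeys the same cb as the registry read, and a
 * REG_SZ value that came back without a terminator is terminated. */
int get_value_safe(const char *name, char *buf, size_t cb, const char *dflt)
{
    if (cb == 0)
        return -1;
    unsigned type = 0;
    size_t got = cb;
    if (fake_RegQueryValueExA(name, &type, buf, &got) == ERROR_SUCCESS && type == REG_SZ) {
        buf[got < cb ? got : cb - 1] = '\0';
        return 0;
    }
    size_t need = strlen(dflt) + 1;
    if (need > cb) {                /* default does not fit: fail closed instead of overflowing */
        buf[0] = '\0';
        return -1;
    }
    memcpy(buf, dflt, need);
    return 0;
}

int main(void)
{
    /* With the listing's cbData of 0x3FF, any default of 0x3FF or more bytes overflows. */
    printf("0x3FF-byte default vs 0x3FF read: overflow=%d\n", fallback_overflows(0x3FF, 0x3FF));
    printf("80-byte default vs %zu-byte buffer: overflow=%d\n",
           sizeof g_buf, fallback_overflows(sizeof g_buf, strlen(g_long_default)));
    printf("safe, oversized default: rc=%d buf=\"%s\"\n",
           get_value_safe("WebcamServer", g_buf, sizeof g_buf, g_long_default), g_buf);
    printf("safe, non-REG_SZ value:  rc=%d buf=\"%s\"\n",
           get_value_safe("WebcamServer", g_buf, sizeof g_buf, "webcam.yahoo.com"), g_buf);
    printf("safe, REG_SZ value:      rc=%d buf=\"%s\"\n",
           get_value_safe("Proxy", g_buf, sizeof g_buf, "webcam.yahoo.com"), g_buf);
    /* The vulnerable routine is only exercised with a default that fits. */
    printf("vuln, fitting default:   buf=\"%s\"\n",
           get_value_vuln("WebcamServer", g_buf, sizeof g_buf, "webcam.yahoo.com"));
    return 0;
}
```

The fix in the bounded variant is the one the listing makes obvious: the default must be copied with the same cbData the registry read already respects, and a default that does not fit is an error, not a longer copy.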