Intelligent ABC input method overflow analysis

xiaoxiao2021-03-05  19

Author: sunwear
MAIL: shellcoder # 163.com, shellcoder@hotmail.com
Thanks also to dencefire for his help :)

The Intelligent ABC input method vulnerability was discovered a long time ago and is widely used to break Internet cafe billing systems, but few people have looked into how it actually overflows. Having some spare time, I analyzed it.

Required tool: OllyDbg (available for download in many places).

First open Notepad in OD. Then switch the input method to Intelligent ABC, type 'v', press Left arrow, Delete, then Enter (Space also works). This kills the process, and OD reports the fault at 7380****, an address that belongs to Winabc.IME. Tracing shows that the faulting instruction is inside ImeToAsciiEx, the function that processes characters. Every time a key is pressed, once the steps above have completed, the function at 0x7380AC95 is called. Here is its disassembly:

7380ACA1 |> 66:81FE 3D80        CMP SI, 803D                       ; SI holds the code of the key pressed
7380ACA6 |. 75 26               JNZ SHORT WinAbc.7380ACCE
7380ACA8 |. 803D B0298173 03    CMP BYTE PTR DS:[738129B0], 3      ; 3 = in the middle of input
7380ACAF |. 0F84 E7010000       JE WinAbc.7380AE9C
7380ACB5 |. 833D AC298173 01    CMP DWORD PTR DS:[738129AC], 1
7380ACBC |. 0F8E DA010000       JLE WinAbc.7380AE9C
7380ACC2 |. C605 B0298173 01    MOV BYTE PTR DS:[738129B0], 1
7380ACC9 |. E9 CE010000         JMP WinAbc.7380AE9C

Next, look at the following part of the function at 0x7380AC95:

.......
7380ADB4 |> 56                  PUSH ESI
7380ADB5 |. E8 58140000         CALL WinAbc.7380C212
7380ADBA |. 85C0                TEST EAX, EAX
7380ADBC |. 74 20               JE SHORT WinAbc.7380ADDE
7380ADBE |. 66:83FE 76          CMP SI, 76                         ; compare against 'v'
7380ADC2 |. C605 B0298173 03    MOV BYTE PTR DS:[738129B0], 3
7380ADC9 |. 0F94C0              SETE AL                            ; AL = 1 if the key is 'v', otherwise 0
7380ADCC |. A2 6C488173         MOV BYTE PTR DS:[7381486C], AL     ; if it is 'v', enter 'v' input state
7380ADD1 |. E8 F6110000         CALL WinAbc.7380BFCC
7380ADD6 |. 391D CC558173       CMP DWORD PTR DS:[738155CC], EBX
7380ADDC |. EB 23               JMP SHORT WinAbc.7380AE01

Input in 'v' mode is handled differently: for example, typing "vabc" enters the English string "abc", and other 'v' sequences produce special characters and symbols. Now let's find the code with the problem:

7380AC81 |. 33DB                XOR EBX, EBX
.......
7380AE08 |> 0FB7C6              MOVZX EAX, SI                      ; case 3 of the switch at 7380ACE2
7380AE0B |. 50                  PUSH EAX
7380AE0C |. E8 340A0000         CALL WinAbc.7380B845
7380AE11 |. 2BC3                SUB EAX, EBX
7380AE13 |. ...                                                    ; (instructions elided)
.......
7380AE3B |> 381D 6C488173       CMP BYTE PTR DS:[7381486C], BL     ; DS:[7381486C] = 2 here
7380AE41 |. 74 22               JE SHORT WinAbc.7380AE65           ; normally the jump is not taken, and [73811F52] is certainly greater than 0
7380AE43 |. 0FB705 521F8173     MOVZX EAX, WORD PTR DS:[73811F52]  ; DS:[73811F52] is 0
7380AE4A |. 48                  DEC EAX                            ; EAX = FFFFFFFF
7380AE4B |. C605 CC758173 02    MOV BYTE PTR DS:[738175CC], 2
7380AE52 |. 50                  PUSH EAX
7380AE53 |. 68 561F8173         PUSH WinAbc.73811F56
7380AE58 |. E8 FA140000         CALL WinAbc.7380C357
7380AE5D |. 881D 6C488173       MOV BYTE PTR DS:[7381486C], BL     ; the called function ... error
7380AE63 |. EB 31               JMP SHORT WinAbc.7380AE96

If the 'v' is deleted with DEL, the variable at DS:[73811F52] becomes 0, but DS:[7381486C] stays 2 rather than being reset to 0, so the IME still believes it is in the middle of 'v' input. DEC EAX is meant to compute the length of the letter string excluding the 'v'; here the result is 0xFFFFFFFF, and the function called before the MOV BYTE PTR DS:[7381486C], BL at 7380AE5D does not check it:

7380C4C8    0FB745 10           MOVZX EAX, WORD PTR SS:[EBP+10]    ; EAX = 0xFFFF
7380C4CC    8BC8                MOV ECX, EAX
7380C4CE    8BFB                MOV EDI, EBX
7380C4D0    037B 58             ADD EDI, DWORD PTR DS:[EBX+58]
7380C4D3    03F3                ADD ESI, EBX
7380C4D5    8B75 0C             MOV ESI, DWORD PTR SS:[EBP+C]
7380C4D8    8BD1                MOV EDX, ECX
7380C4DA    C1E9 02             SHR ECX, 2                         ; ECX = 0x3FFF
7380C4DD    8943 54             MOV DWORD PTR DS:[EBX+54], EAX
7380C4E0    03C3                ADD EAX, EBX
7380C4E2    F3:A5               REP MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]   ; copies 0x3FFF dwords

See it? This is the wrong place: the overflow happens here. There is a second instance of the same problem:

7380B416 /$ 803D C0558173 AA    CMP BYTE PTR DS:[738155C0], 0AA
7380B41D |. 56                  PUSH ESI
7380B41E |. 74 2D               JE SHORT WinAbc.7380B44D
7380B420 |. 66:8B0D 545E8173    MOV CX, WORD PTR DS:[73815E54]     ; CX = 0
7380B427 |. 66:49               DEC CX                             ; CX = 0xFFFF
7380B429 |. 0FB7C1              MOVZX EAX, CX
7380B42C |. 66:890D 545E8173    MOV WORD PTR DS:[73815E54], CX
7380B433 |. 0FB690 405E8173     MOVZX EDX, BYTE PTR DS:[EAX+73815E40]
7380B43A |. 0FB680 415E8173     MOVZX EAX, BYTE PTR DS:[EAX+73815E41]

DS:[73815E54] records how many characters (words) are currently in the input column; DS:[738129B0] is 0 while the current input column is in use. When the last Chinese character in the input column is removed with Backspace, DS:[73815E54] becomes 0 and DS:[738129B0] should be set to 3, indicating that input is starting. Now do this instead: type a word, then type any character, press Left arrow, Backspace, Enter; the default candidate for the previous word appears in the input box. Then press Backspace twice. After the first Backspace, DS:[73815E54] = 1, but DS:[738129B0] has not become 3; on the second Backspace the code above executes with DS:[73815E54] = 0, CX becomes 0xFFFF, and it goes wrong.
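As an added example (not code from the original article or from Winabc.IME), the following C program models the two bugs described above: the 16-bit character counter at DS:[73811F52] decremented from 0 before the REP MOVSD copy, and the 16-bit word counter at DS:[73815E54] decremented from 0 before it is used as a table index. The struct layout, buffer size and function names are assumptions for illustration; only the arithmetic follows the disassembly. Each vulnerable computation is paired with a hardened version that treats a zero counter as "nothing to process" and bounds the copy by the destination size.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define COMP_MAX 64u   /* assumed capacity of the modelled composition buffers */

/* Assumed model of the IME state the bug touches; not Winabc.IME's real layout. */
struct comp_state {
    uint8_t  v_mode;          /* models BYTE DS:[7381486C]: 2 = still in 'v' input */
    uint16_t len;             /* models WORD DS:[73811F52]: chars in the composition, 'v' included */
    uint8_t  src[COMP_MAX];   /* models the string at WinAbc.73811F56 */
    uint8_t  dst[COMP_MAX];   /* models the buffer at [EBX+58] that REP MOVSD fills */
};

/* Bug 1: the dword count REP MOVSD receives, computed exactly as
 * 7380AE43..7380AE52 and 7380C4C8..7380C4E2 do. Only the count is
 * computed here; the out-of-bounds copy itself is not performed. */
uint32_t vuln_copy_dwords(uint16_t comp_len)
{
    uint32_t eax = comp_len;        /* MOVZX EAX, WORD PTR DS:[73811F52] */
    eax -= 1u;                      /* DEC EAX: 0 becomes 0xFFFFFFFF */
    uint16_t arg = (uint16_t)eax;   /* PUSH EAX, then MOVZX EAX, WORD PTR SS:[EBP+10] */
    return (uint32_t)arg >> 2;      /* SHR ECX, 2: 0xFFFF becomes 0x3FFF dwords */
}

/* Bug 2: the table index formed at 7380B420..7380B43A from the word counter. */
uint32_t vuln_word_index(uint16_t word_count)
{
    uint16_t cx = word_count;       /* MOV CX, WORD PTR DS:[73815E54] */
    cx = (uint16_t)(cx - 1u);       /* DEC CX: 0 becomes 0xFFFF */
    return cx;                      /* MOVZX EAX, CX; then BYTE PTR [EAX+73815E40] */
}

/* Hardened commit: a zero counter means the 'v' itself is gone, so there is
 * nothing to commit and 'v' mode must be left; the copy is also bounded by
 * the destination size. Returns bytes copied, or a negative code. */
int safe_commit(struct comp_state *s)
{
    if (s->len == 0) {
        s->v_mode = 0;              /* reset the stale state DEL left behind */
        return -1;
    }
    size_t bytes = (size_t)s->len - 1u;     /* the letters after the 'v' */
    if (bytes > sizeof s->dst)
        return -2;                  /* would overrun the destination */
    memcpy(s->dst, s->src, bytes);
    s->v_mode = 0;
    return (int)bytes;
}

/* Hardened candidate lookup: returns the index, or -1 when the list is empty. */
long safe_word_index(uint16_t word_count)
{
    if (word_count == 0)
        return -1;
    return (long)word_count - 1;
}

/* Runs safe_commit on a constructed state (sample letters "abc" after the 'v'). */
int demo_commit(uint16_t len, uint8_t v_mode)
{
    struct comp_state s;
    memset(&s, 0, sizeof s);
    s.v_mode = v_mode;
    s.len = len;
    memcpy(s.src, "abc", 3);        /* constructed sample input */
    return safe_commit(&s);
}

int main(void)
{
    printf("normal 'vabc' commit copies %d bytes\n", demo_commit(4, 2));
    /* DEL trick: 'v' removed, len is 0, but v_mode is still 2 */
    printf("vulnerable path would REP MOVSD 0x%X dwords\n", vuln_copy_dwords(0));
    printf("hardened commit returns %d\n", demo_commit(0, 2));
    printf("vulnerable candidate index 0x%X, hardened %ld\n",
           vuln_word_index(0), safe_word_index(0));
    return 0;
}
```

Build it with any C99 compiler and run it. The vulnerable functions only reproduce the count or index the original code would have used; they never perform the 64 KB copy or the out-of-bounds table read, so the program is safe to run, and the hardened pair shows the two checks (zero counter, destination bound) that the IME code lacks.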

Because the bug makes the process that has the IME hooked exit, Internet cafe management software such as Wanxiang quits immediately, and a logon over 3389 also fails. However, there seems to be no effect on the remote host. Some people have claimed this can make the remote host reboot; that is only a rumor. Think about it carefully and you will see why it cannot affect the remote host.

Please credit the original URL when reposting: https://www.9cbs.com/read-39309.html
