使用winafl对qtcore.dll的一次fuzz尝试

记录winafl对qtcore.dll的一次fuzz尝试

主要还是看到了CVE-2020-25291 - Kingsoft WPS Office Remote Heap Corruption Vulnerability这篇文章,于是乎想试试使用winafl来fuzz,恰好有师傅在安全客上发了一篇相关的文章:一次对WPS漏洞挖掘的尝试

借此来自己尝试一下

安装winafl

可以参考这篇文章:手把手教你 | 漏洞挖掘系列之WinAFL从安装到使用

安装步骤一步步来,没啥大问题,不过我原先就折腾完这个winafl的安装了,要是早点看到这篇文章就能省点时间

寻找fuzz点

根据文章CVE-2020-25291 - Kingsoft WPS Office Remote Heap Corruption Vulnerability里的栈回溯和文章的分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
0:000> !heap -p -a cc53afbc
    address cc53afbc found in
    _DPH_HEAP_ROOT @ 6731000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                cc36323c:         cc53afa8               58 -         cc53a000             2000
    6f13ab70 verifier!AVrfDebugPageHeapAllocate+0x00000240
    77a9909b ntdll!RtlDebugAllocateHeap+0x00000039
    779ebbad ntdll!RtlpAllocateHeap+0x000000ed
    779eb0cf ntdll!RtlpAllocateHeapInternal+0x0000022f
    779eae8e ntdll!RtlAllocateHeap+0x0000003e
    6f080269 MSVCR100!malloc+0x0000004b
    6f08233b MSVCR100!operator new+0x0000001f
    6b726c67 QtCore4!QImageData::create+0x000000fa
    6b726b54 QtCore4!QImage::QImage+0x0000004e
    6b7a0e21 QtCore4!png_get_text+0x00000436
    6b79d7a8 QtCore4!QImageIOHandler::setFormat+0x000000de
    6b79d457 QtCore4!QPixmapData::fromFile+0x000002bf
    6b725eb4 QtCore4!QImageReader::read+0x000001e2
    6d0ca585 kso!kpt::VariantImage::forceUpdateCacheImage+0x0000254e
    6d0c5964 kso!kpt::Direct2DPaintEngineHelper::operator=+0x00000693
    6d0c70d0 kso!kpt::RelativeRect::unclipped+0x00001146
    6d0c8d0c kso!kpt::VariantImage::forceUpdateCacheImage+0x00000cd5
    6d451d5c kso!BlipCacheMgr::BrushCache+0x0000049a
    6d451e85 kso!BlipCacheMgr::GenerateBitmap+0x0000001d
    6d453227 kso!BlipCacheMgr::GenCachedBitmap+0x00000083
    6d29bb92 kso!drawing::PictureRenderLayer::render+0x000009b6
    6d450fb1 kso!drawing::RenderTargetImpl::paint+0x00000090
    6d29b528 kso!drawing::PictureRenderLayer::render+0x0000034c
    6d2a2d83 kso!drawing::VisualRenderer::render+0x00000060
    6d2b8970 kso!drawing::SingleVisualRenderer::drawNormal+0x000002b5
    6d2b86a7 kso!drawing::SingleVisualRenderer::draw+0x000001e1
    6d2b945e kso!drawing::SingleVisualRenderer::draw+0x00000046
    6d3d0142 kso!drawing::ShapeVisual::paintEvent+0x0000044a
    680a2b5c wpsmain!WpsShapeTreeVisual::getHittestSubVisuals+0x000068f1
    6d0e36df kso!AbstractVisual::visualEvent+0x00000051
    6d3cbe97 kso!drawing::ShapeVisual::visualEvent+0x0000018f
    6d0eba90 kso!VisualPaintEvent::arriveVisual+0x0000004e

0:000> dt _DPH_BLOCK_INFORMATION cc780e18-0x20
verifier!_DPH_BLOCK_INFORMATION
   +0x000 StartStamp       : 0xc0c0c0c0
   +0x004 Heap             : 0xc0c0c0c0 Void
   +0x008 RequestedSize    : 0xc0c0c0c0
   +0x00c ActualSize       : 0xc0c0c0c0
   +0x010 Internal         : _DPH_BLOCK_INTERNAL_INFORMATION
   +0x018 StackTrace       : 0xc0c0c0c0 Void
   +0x01c EndStamp         : 0xc0c0c0c0

可以看到奔溃的地方应该是在QtCore4.dll里的QImageReader::read函数,这个应该就是fuzz的目标函数了,在fuzz前还需要了解下QtCore的编程API是怎么调用的

编写fuzz代码

根据一次对WPS漏洞挖掘的尝试文章里的思路,我修改了下fuzz的代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
#include <windows.h>
#include <cstdio>
#include <cstdlib>

int fuzz(HMODULE Qt4, char* file_name) {

	int qt_imageReader_read = (int)Qt4 + 0x65CD2;
	int qt_ImageReader = (int)Qt4 + 0x47BFD2;
	int qt_setFileName = (int)Qt4 + 0x47C29C;
	int qt_Image = (int)Qt4 + 0x1B8AC;
	int qt_closeQfile = (int)Qt4 + 0x11DBB;
	int qt_Qstring = (int)Qt4 + 0x54E9;

	char* val_stack = file_name;

	// int* qfile;
	char* image = (char*)malloc(0x400);
	char* qstring = (char*)malloc(0x400);
	char* reader = (char*)malloc(0x400);

	__asm {
		pushad

		mov ecx, image
		call qt_Image

		mov ecx, reader
		call qt_ImageReader

		mov ecx, qstring
		push val_stack
		call qt_Qstring

		mov ecx, reader
		mov edi, qstring
		push edi
		call qt_setFileName

		mov ecx, reader
		mov eax, image
		mov edi, 0
		push eax
		call qt_imageReader_read

		mov ecx, reader
		mov esi, [ecx]
		mov ecx, [esi + 8]
		call qt_closeQfile

		popad
	}
	free(image);
	free(qstring);
	free(reader);
	return 0;
}

int main(int argc, char* argv[]) {
	if (argc < 2) {
		printf("Usage: %s <image file>\n", argv[0]);
		return 0;
	}
	//HMODULE qtcore = LoadLibrary(TEXT("C:\\Users\\ru7n\\AppData\\Local\\Kingsoft\\WPS Office\\11.2.0.9453\\office6\\QtCore4.dll"));
	HMODULE qtcore = LoadLibrary(TEXT("G:\\winafl\\bin32\\wps_qtcore\\QtCore4.dll"));
	if (qtcore != NULL) {
		fuzz(qtcore, argv[1]);
	}
	return 0;
}

我下载的wps版本是11.2.0.9453的,然后几个函数的偏移也是根据ida里的分析结果来修改的,编译好后用afl-fuzz进行fuzz就行

fuzz效果:

2B8800.png

踩坑

  • 一次对WPS漏洞挖掘的尝试文章里所说,我们要调用Qfile的close方法来把文件给关闭
  • 重新使用最新的DynamoRIO编译下winafl
  • LoadLibrary相对应dll的时候,如果一直失败,可能是缺了该dll的依赖文件

总的来说,是一次宝贵的经验,虽然折腾了很久

参考链接

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

beginner