Integer Overflow (from the book 《漏洞战争》)

1. Introduction

An integer overflow is, at bottom, still a stack overflow or a heap overflow. The copy length is checked, but the check is bypassed because the integer itself is mishandled: an unsigned value is confused with a signed one, a positive number wraps to a negative one, and so on.
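An added example, not from the book or the blog post, showing the three integer mistakes just listed (signed/unsigned confusion, a sum wrapping negative, and a multiplication wrapping when sizing a heap allocation), each beside the check that closes it. The buffer size, field names and input values are constructed for illustration; the wrapping cases are modelled with uint32_t so the arithmetic is well-defined.

```c
/* Added example (not from the book or the original post): the three
 * integer mistakes behind "length check bypassed", each next to its fix.
 * All sizes and inputs are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DST_SIZE 64u   /* size of a hypothetical fixed destination buffer */

/* 1. Signed/unsigned confusion.
 * 'len' comes from an untrusted field and is declared int. The comparison
 * runs in signed arithmetic, so -1 "fits"; memcpy then takes size_t and
 * sees SIZE_MAX bytes. */
bool vulnerable_len_check(int len) {
    return len <= (int)DST_SIZE;      /* -1 <= 64 is true */
}
size_t len_as_seen_by_memcpy(int len) {
    return (size_t)len;               /* the implicit conversion memcpy applies */
}
/* Fixed: keep the length unsigned from parse to use and bound it. */
bool hardened_len_check(size_t len) {
    return len <= DST_SIZE;
}

/* 2. Positive turns negative.
 * total = header + payload wraps in 32 bits; interpreted as signed it is
 * negative and passes a "total <= size" check. */
bool vulnerable_total_check(uint32_t header, uint32_t payload) {
    int32_t total = (int32_t)(header + payload);   /* may wrap negative */
    return total <= (int32_t)DST_SIZE;
}
/* Fixed: bound each part, then bound the remainder without ever adding. */
bool hardened_total_check(uint32_t header, uint32_t payload) {
    if (header > DST_SIZE) return false;
    return payload <= DST_SIZE - header;
}

/* 3. Multiplication wrap when sizing a heap allocation: count * elem wraps
 * to a tiny number, the allocation succeeds, and a later loop that writes
 * 'count' elements runs off the end of it (heap overflow). */
uint32_t vulnerable_alloc_size(uint32_t count, uint32_t elem) {
    return count * elem;              /* wraps silently */
}
/* Fixed: returns -1 when the product would not fit in 32 bits. */
int64_t hardened_alloc_size(uint32_t count, uint32_t elem) {
    if (elem != 0 && count > UINT32_MAX / elem) return -1;   /* would wrap */
    return (int64_t)count * elem;
}

/* Bounded copy: returns bytes copied, or -1 when the length is rejected. */
int copy_bounded(uint8_t *dst, size_t dst_size, const uint8_t *src, size_t len) {
    if (len > dst_size) return -1;
    memcpy(dst, src, len);
    return (int)len;
}
/* Drives copy_bounded against a constructed 64-byte destination. */
int demo_copy(size_t len) {
    uint8_t dst[DST_SIZE];
    uint8_t src[128];
    memset(src, 0x41, sizeof src);
    return copy_bounded(dst, sizeof dst, src, len);
}

int main(void) {
    printf("signed check lets -1 through: %d\n", vulnerable_len_check(-1));
    printf("memcpy would see %zu bytes\n", len_as_seen_by_memcpy(-1));
    printf("hardened check on same value: %d\n", hardened_len_check((size_t)-1));
    printf("sum check passes 16 + 0x80000000: %d\n",
           vulnerable_total_check(16u, 0x80000000u));
    printf("0x40000001 * 4 wraps to %u\n", vulnerable_alloc_size(0x40000001u, 4u));
    printf("hardened size: %lld\n", (long long)hardened_alloc_size(0x40000001u, 4u));
    printf("copy 65 bytes into 64: %d\n", demo_copy(65));
    return 0;
}
```

Each hardened function takes its length as an unsigned type and compares against the destination size before any arithmetic that could wrap; that ordering, not the type alone, is what restores the length check.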

CVE-2011-0027 - Microsoft Data Access Components heap overflow vulnerability

Search for the related IE class methods:

Keyword: site:http://www.geoffchappell.com/

Set the breakpoints, attach, load the PoC, and break in:

(f80.6f4): Break instruction exception - code 80000003 (first chance)
eax=7ff9e000 ebx=00000000 ecx=00000000 edx=77c1d23d esi=00000000 edi=00000000
eip=77bb3540 esp=0355f7b4 ebp=0355f7e0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
77bb3540 cc int 3
0:013> bl
0 eu 0001 (0001) (crecordset::put_cachesize)
1 eu 0001 (0001) (crecordset::get_cachesize)
0:013> g
(f80.410): Unknown exception - code e0000001 (first chance)
(f80.410): Unknown exception - code e0000001 (first chance)
(f80.410): Unknown exception - code e0000001 (first chance)
(f80.410): Unknown exception - code e0000001 (first chance)
Breakpoint 0 hit
eax=40000358 ebx=03bdb248 ecx=6a8ed340 edx=00000000 esi=023ff494 edi=00000000
eip=6a97c957 esp=023feea8 ebp=023ff390 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
msado15!CRecordset::put_CacheSize:
6a97c957 8bff mov edi,edi

To be continued...

Original article: https://www.cnblogs.com/freesec/p/6442770.html