CVE-2017-8463/KB4025497: analysis of the Explorer vulnerability
It was really simple ・ω・
SUB_L75EF4CCA:
    mov edi,edi
    push ebp
    mov ebp,esp
    push esi
    push edi
    push [ebp+10h]
    mov esi,ecx
    push [ebp+0Ch]
    mov eax,[esi]
    push [ebp+08h]
    call [eax+50h]
    mov eax,[esi+000000B4h]
    xor edi,edi
    cmp [eax+44h],edi
    jnz L75EF4D94
    cmp dword ptr [ebp+08h],00002000h
    push ebx
    mov ebx,[SHDOCVW_dll_DelayImport_Ord.219]
    jz L75EF4D78
    cmp dword ptr [ebp+08h],00008000h
    jz L75EF4D9A
    cmp dword ptr [ebp+08h],00020000h
    jnz L75EF4D93
    push [eax+2Ch]
    push [ebp+0Ch]
    call [SHELL32_dll_DelayImport_Ord.24]
    cmp eax,edi
    jz L75EF4D78
    push eax
    push [ebp+10h]
    call [SHELL32_dll_DelayImport_Ord.25]
    cmp eax,edi
    mov [ebp+08h],eax
    jz L75EF4D78
    push eax
    call SUB_L75EECDA6
    mov edi,eax
    test edi,edi
    jz L75EF4D6D
    mov eax,[esi+000000B4h]
    push 00000000h
    push [eax+2Ch]
    push edi
    call ebx                        ; SHDOCVW ordinal 219 (cached in ebx above)
    test eax,eax
    jnz L75EF4D66
    push 40000001h
    lea eax,[esi+10h]
    mov ecx,[eax]
    push edi
    push eax
    call [ecx+2Ch]                  ; reached whenever ordinal 219 returned zero
L75EF4D66:
    push edi
    call [SHELL32_dll_DelayImport_Ord.155]
L75EF4D6D:
    push [ebp+08h]
    call [SHELL32_dll_DelayImport_Ord.155]
    xor edi,edi
L75EF4D78:
    mov eax,[esi+000000B4h]
    push edi
    push [ebp+0Ch]
    push [eax+2Ch]
    call ebx
    test eax,eax
    jz L75EF4D93
    push edi
    mov ecx,esi
    call SUB_L75EF48B7
L75EF4D93:
    pop ebx
L75EF4D94:
    pop edi
    pop esi
    pop ebp
    retn 000Ch
Before the patch
SUB_L75EF4CCA:
    mov edi,edi
    push ebp
    mov ebp,esp
    push ebx
    push esi
    push edi
    push [ebp+10h]
    mov edi,[ebp+08h]
    push [ebp+0Ch]
    mov esi,ecx
    mov eax,[esi]
    push edi
    call [eax+50h]
    mov eax,[esi+000000B4h]
    xor ebx,ebx
    cmp [eax+44h],ebx
    jnz L75EF4DA8
    cmp edi,00002000h
    jz L75EF4D89
    cmp edi,00008000h
    jz L75EF4DAF
    cmp edi,00020000h
    jnz L75EF4DA8
    push [eax+2Ch]
    push [ebp+0Ch]
    call [SHELL32_dll_DelayImport_Ord.24]
    cmp eax,ebx
    jz L75EF4D89
    push eax
    push [ebp+10h]
    call [SHELL32_dll_DelayImport_Ord.25]
    cmp eax,ebx
    mov [ebp+10h],eax
    jz L75EF4D89
    push eax
    call SUB_L75EECDA6
    mov edi,eax
    cmp edi,ebx
    jz L75EF4D80
    mov eax,[esi+000000B4h]
    push ebx
    push [eax+2Ch]
    push edi
    call [SHDOCVW_dll_DelayImport_Ord.219]
    test eax,eax
    jnz L75EF4D79
    push 20000000h                  ; added by the patch: extra check before the
    push edi                        ; call through [ecx+2Ch]
    push ebx
    call SUB_L75F502D5
    test eax,eax
    jz L75EF4D79                    ; skip the call unless SUB_L75F502D5 returns nonzero
    push 40000001h
    lea eax,[esi+10h]
    mov ecx,[eax]
    push edi
    push eax
    call [ecx+2Ch]
L75EF4D79:
    push edi
    call [SHELL32_dll_DelayImport_Ord.155]
L75EF4D80:
    push [ebp+10h]
    call [SHELL32_dll_DelayImport_Ord.155]
L75EF4D89:
    mov eax,[esi+000000B4h]
    push ebx
    push [ebp+0Ch]
    push [eax+2Ch]
    call [SHDOCVW_dll_DelayImport_Ord.219]
    test eax,eax
    jz L75EF4DA8
    push ebx
    mov ecx,esi
    call SUB_L75EF48B7
L75EF4DA8:
    pop edi
    pop esi
    pop ebx
    pop ebp
    retn 000Ch
After the patch
It looks quite different, but the only functional change is the part that was highlighted in red (the colouring did not survive extraction): once the SHDOCVW ordinal 219 call has returned zero, the patched build calls SUB_L75F502D5 (with 20000000h as one of its arguments) and takes the call through [ecx+2Ch] only if that returns nonzero, whereas before the patch that call was reached unconditionally. Everything else is register reallocation by the compiler: the zero register moved from edi to ebx, ordinal 219 is no longer cached in ebx, and the result of SHELL32 ordinal 25 is kept in [ebp+10h] instead of [ebp+08h].
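Because the red highlighting is gone, here is an added example (my own code, not the author's) that makes the "only these lines differ" comparison reproducible: it masks what a recompile changes (label addresses and general-purpose register allocation) and diffs the two tails of SUB_L75EF4CCA shown above. The two excerpts are copied from the listings on this page; the masking rules and the helper names are my own assumptions.

```python
import difflib
import re

# Excerpts copied from the two listings above: the tail of SUB_L75EF4CCA,
# from the call to SUB_L75EECDA6 up to the L75EF4D78 / L75EF4D89 label.
BEFORE = """\
call SUB_L75EECDA6
mov edi,eax
test edi,edi
jz L75EF4D6D
mov eax,[esi+000000B4h]
push 00000000h
push [eax+2Ch]
push edi
call ebx
test eax,eax
jnz L75EF4D66
push 40000001h
lea eax,[esi+10h]
mov ecx,[eax]
push edi
push eax
call [ecx+2Ch]
L75EF4D66:
push edi
call [SHELL32_dll_DelayImport_Ord.155]
L75EF4D6D:
push [ebp+08h]
call [SHELL32_dll_DelayImport_Ord.155]
xor edi,edi
L75EF4D78:
"""

AFTER = """\
call SUB_L75EECDA6
mov edi,eax
cmp edi,ebx
jz L75EF4D80
mov eax,[esi+000000B4h]
push ebx
push [eax+2Ch]
push edi
call [SHDOCVW_dll_DelayImport_Ord.219]
test eax,eax
jnz L75EF4D79
push 20000000h
push edi
push ebx
call SUB_L75F502D5
test eax,eax
jz L75EF4D79
push 40000001h
lea eax,[esi+10h]
mov ecx,[eax]
push edi
push eax
call [ecx+2Ch]
L75EF4D79:
push edi
call [SHELL32_dll_DelayImport_Ord.155]
L75EF4D80:
push [ebp+10h]
call [SHELL32_dll_DelayImport_Ord.155]
L75EF4D89:
"""

LABEL_RE = re.compile(r"\bL[0-9A-F]{8}\b")            # code labels such as L75EF4D66
GPR_RE = re.compile(r"\b(?:eax|ebx|ecx|edx|esi|edi)\b")  # registers the compiler reallocates


def normalize(line: str) -> str:
    """Mask what a recompile changes but the patch did not (label addresses,
    general-purpose register choice). ebp-relative slots and immediates are
    kept, so a new flag value such as 20000000h still shows up."""
    line = " ".join(line.split())
    line = LABEL_RE.sub("L_", line)
    return GPR_RE.sub("r", line)


def diff_listings(before: str, after: str):
    """Return [(tag, normalized_line)] with tag '-', '+' or ' '."""
    a = [normalize(l) for l in before.splitlines() if l.strip()]
    b = [normalize(l) for l in after.splitlines() if l.strip()]
    out = []
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    for op, i1, i2, j1, j2 in sm.get_opcodes():
        if op in ("delete", "replace"):
            out.extend(("-", l) for l in a[i1:i2])
        if op in ("insert", "replace"):
            out.extend(("+", l) for l in b[j1:j2])
        if op == "equal":
            out.extend((" ", l) for l in a[i1:i2])
    return out


def new_call_targets(before: str, after: str):
    """Call targets that appear only in the patched listing after masking."""
    d = diff_listings(before, after)
    added = {l for t, l in d if t == "+"}
    removed = {l for t, l in d if t == "-"}
    return sorted(l.split(None, 1)[1] for l in added - removed if l.startswith("call "))


if __name__ == "__main__":
    for tag, line in diff_listings(BEFORE, AFTER):
        print(tag, line)
    print("new call targets:", new_call_targets(BEFORE, AFTER))
```

The diff leaves the shared block from `push 40000001h` to the two SHELL32 ordinal 155 calls untouched and isolates the inserted `push 20000000h ... call SUB_L75F502D5 / test / jz` sequence. Two things still show up as noise and are worth knowing about when diffing patches this way: `push 00000000h` versus `push ebx` (a zero register instead of an immediate), and SHDOCVW ordinal 219 reported as a "new" call target only because the unpatched build called it through a register cached earlier (`mov ebx,[SHDOCVW_dll_DelayImport_Ord.219]` ... `call ebx`). Resolving register-indirect calls needs a small forward pass over the preceding `mov`s, which masking alone does not do.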
SUB_L7151D107:
    push ebp
    mov ebp,esp
    push esi
    push edi
    push [ebp+10h]
    mov esi,ecx
    push [ebp+0Ch]
    mov eax,[esi]
    push [ebp+08h]
    call [eax+50h]
    mov eax,[esi+000000B4h]
    xor edi,edi
    cmp [eax+44h],edi
    jnz L7151D1CF
    cmp dword ptr [ebp+08h],00002000h
    push ebx
    mov ebx,[SHDOCVW_dll_DelayImport_Ord.219]
    jz L7151D1B3
    cmp dword ptr [ebp+08h],00008000h
    jz L7151D1D5
    cmp dword ptr [ebp+08h],00020000h
    jnz L7151D1CE
    push [eax+2Ch]
    push [ebp+0Ch]
    call [SHELL32_dll_DelayImport_Ord.24]
    cmp eax,edi
    jz L7151D1B3
    push eax
    push [ebp+10h]
    call [SHELL32_dll_DelayImport_Ord.25]
    cmp eax,edi
    mov [ebp+08h],eax
    jz L7151D1B3
    push eax
    call SUB_L7151915B
    mov edi,eax
    test edi,edi
    jz L7151D1A8
    mov eax,[esi+000000B4h]
    push 00000000h
    push [eax+2Ch]
    push edi
    call ebx                        ; SHDOCVW ordinal 219 (cached in ebx above)
    test eax,eax
    jnz L7151D1A1
    push 20000000h
    push 40000001h
Win2000 SP4 6.0.2800.2032
This should do it ・ω・