试写foxit reader的ConvertToPDF功能的wrapper
相比于直接fuzzing大型程序本身,针对程序的某一特定功能写wrapper后再fuzzing则要高效的多。网上搜了下,仅有两篇关于foxit reader的wrapper文章,一个用python,另外一个用C++,而且针对的foxit reader版本也比较旧。本篇的目的通过分析C++的wrapper原理,来写出最新版foxit reader(Version: 9.1.0.5096)的ConvertToPDF功能的wrapper。
首先看下ConvertToPDF_x86.dll插件的反汇编部分
刚开始分配0x2760h大小的内存,然后可以看到
.text:10015BC7 mov ecx, eax
.text:10015BC9 call sub_100150C0
从这两句可以猜测ConvertToPDF_x86.dll插件中存在虚函数,因为ecx中存储有类实例的this指针,它作为隐藏的第一个参数传递给sub_100150C0。具体原理可参考http://www.openrce.org/articles/full_view/23。然后继续跟进sub_100150C0函数,如下
根据这段代码可以确定esi中存储有虚函数表的首地址,虚函数表的具体函数如下:
ConvertToPDF_x86.dll插件的主要构成函数如上图,我们只需函数之间的确定执行流程、每个函数的主要参数内容及个数即可完成wrapper。
主要的函数流程依次为
ConvertToPDF_x86!CreateFXURLToHtml+0x450
ConvertToPDF_x86!CreateFXURLToHtml+0xc90
ConvertToPDF_x86!CreateFXPDFConvertor+0x90
参数个数的确定,因为函数的调用约定遵循thiscall,所以每次调用完函数后,由被调用函数自动清除函数参数,具体代码为ret xx
64dd020c 0000000a 0:000:x86> bp ConvertToPDF_x86!CreateFXURLToHtml+0x450 0:000:x86> g Breakpoint 1 hit ConvertToPDF_x86!CreateFXURLToHtml+0x450: 64a73f10 55 push ebp 0:000:x86> uf ConvertToPDF_x86!CreateFXURLToHtml+0x450 ConvertToPDF_x86!CreateFXURLToHtml+0x450: 64a73f10 55 push ebp 64a73f11 8bec mov ebp,esp 64a73f13 6aff push 0FFFFFFFFh 64a73f15 68a804dc64 push offset ConvertToPDF_x86!ConnectedPDF::ConnectedPDFSDK::FCP_SendEmailNotification+0x2cc28 (64dc04a8) 64a73f1a 64a100000000 mov eax,dword ptr fs:[00000000h] 64a73f20 50 push eax 64a73f21 83ec14 sub esp,14h 64a73f24 53 push ebx
。。。。。。。。。。。。。。。。。。
ConvertToPDF_x86!CreateFXURLToHtml+0xb70: 64a74630 33c0 xor eax,eax 64a74632 8b4df4 mov ecx,dword ptr [ebp-0Ch] 64a74635 64890d00000000 mov dword ptr fs:[0],ecx 64a7463c 59 pop ecx 64a7463d 5f pop edi 64a7463e 5e pop esi 64a7463f 5b pop ebx 64a74640 8be5 mov esp,ebp 64a74642 5d pop ebp 64a74643 c20400 ret 4 //参数个数为1
参数内容为0x2
据此可以确定另外两个函数的参数个数和内容。
网上参考的的wrapper的具体代码内容如下
/* foxit-fuzz.cpp - simple console wrapper for ConvertToPDF_x86.dll @richinseattle / rjohnson@moflow.org NOTES: Must install the foxit pdf printer globally Harness targets foxit 9.0 API by default Can target 7.3.4 if FOXIT_734 is defined and ConvertToPDF_x86.734.dll is in path afl-fuzz.exe -i %INPUT_DIR% -o foxit_out -D %DynamoRIO_ROOT%\bin32 -t 20000 -- -coverage_module ConvertToPDF.dll -target_module foxit-fuzz.exe -target_method convert_to_pdf -nargs 2 -fuzz_iterations 5000 -- %CD%\foxit-fuzz.exe @@ NUL */ #include <Windows.h> #include <String.h> #include <iostream> using namespace std; typedef void * (__stdcall *CreateFXPDFConvertor_t)(); typedef int(__thiscall *InitLocale_t)(void *_this, int, wchar_t * lc_str); typedef int(__thiscall *InitPrinter_t)(void* _this, wchar_t *printer_name); typedef int(__thiscall *InitPdfConverter_t)(void* _this, int mode); #ifdef FOXIT_734 typedef int(__thiscall *ConvertToPdf_t)(void* _this, wchar_t *convert_buf, int p2, int p3); #else typedef int(__thiscall *ConvertToPdf_t)(void* _this, wchar_t *convert_buf, int p2, int p3, int p4, int p5, int p6, int p7, int p8); #endif typedef struct ConverterFuncTable_t { ConvertToPdf_t ConvertToPdf; InitPdfConverter_t InitPdfConverter; InitPrinter_t InitPrinter; //InitLocale_t InitLocale; } ConverterFuncTable; typedef struct ConverterClass_t { ConverterFuncTable_t *vfp_table; } ConverterClass; #ifdef FOXIT_734 char *target_library = "ConvertToPDF_x86.734.dll"; #else char *target_library = "ConvertToPDF_x86.dll"; #endif char *target_function = "CreateFXPDFConvertor"; wchar_t * printer_name = L"Foxit Reader PDF Printer"; ConverterClass *pdfconverter = NULL; int init_target_library() { int retVal = 0; CreateFXPDFConvertor_t CreateFXPDFConvertor = (CreateFXPDFConvertor_t)GetProcAddress(LoadLibraryA(target_library), target_function); // create an instance of CreateFXPDFConvertor pdfconverter = (ConverterClass *)CreateFXPDFConvertor(); ConverterFuncTable *vfp_table = pdfconverter->vfp_table; cout << "Function table: " << endl; cout << "CreateFXPDFConvertor: " << hex << CreateFXPDFConvertor << endl; cout << "InitPdfConverter: " << hex << vfp_table->InitPdfConverter << " CreateFXPDFConvertor+0x" << hex << (unsigned long)vfp_table->InitPdfConverter - (unsigned long)CreateFXPDFConvertor << endl; cout << "InitPrinter: " << hex << vfp_table->InitPrinter << " CreateFXPDFConvertor+0x" << hex << (unsigned long)vfp_table->InitPrinter - (unsigned long)CreateFXPDFConvertor << endl; cout << "ConvertToPdf: " << hex << vfp_table->ConvertToPdf << " CreateFXPDFConvertor+0x" << hex << (unsigned long)vfp_table->ConvertToPdf - (unsigned long)CreateFXPDFConvertor << endl << endl; // init converter retVal = vfp_table->InitPdfConverter(pdfconverter, 2); if (retVal) cout << "Error: InitPdfConverter(): " << retVal << endl; // init printer device retVal = vfp_table->InitPrinter(pdfconverter, printer_name); if (retVal) cout << "Error: InitPrinter(): " << retVal << endl; return retVal; } extern "C" __declspec(dllexport) int wmain(int argc, wchar_t *argv[]); extern "C" __declspec(dllexport) int convert_to_pdf(ConvertToPdf_t convert, wchar_t * converter_buf); int convert_to_pdf(ConvertToPdf_t convert, wchar_t * converter_buf) { #ifdef FOXIT_734 return convert(pdfconverter, converter_buf, 0, 0); #else return convert(pdfconverter, converter_buf, 0, 0, 0, 0, 0, 0, 0); #endif } int wmain(int argc, wchar_t *argv[]) { int retVal = 0; int converter_buf_count = 0; int converter_buf_size = 0; wchar_t *converter_buf = NULL; wchar_t *input_path = NULL; wchar_t *output_path = L"nul"; #ifdef FOXIT_734 cout << "foxit-fuzz (target v7.3.4) - rjohnson@moflow.org" << endl << endl; #else cout << "foxit-fuzz (target v9.0) - rjohnson@moflow.org" << endl << endl; #endif if (argc < 2) { wcout << "usage: " << argv[0] << " <input> [output]" << endl; return -1; } if (GetFileAttributesW(argv[1]) == -1) { cout << "error: input file path" << endl; return -1; } input_path = argv[1]; if (argc == 3) output_path = argv[2]; // setup buffer for converting PDF converter_buf_count = 0x1000; converter_buf_size = converter_buf_count * sizeof(wchar_t); converter_buf = (wchar_t *)calloc(converter_buf_count, sizeof(wchar_t)); wcsncpy_s(converter_buf, converter_buf_count, input_path, wcslen(input_path)); wcsncpy_s(converter_buf + (0x208 / sizeof(wchar_t)), converter_buf_count - (0x208 / sizeof(wchar_t)), output_path, wcslen(output_path)); // create pdfconverter class and initialize library if (init_target_library()) { cout << "Error intializing target library" << endl; return -1; } // execute wrapper for fuzzing retVal = convert_to_pdf(pdfconverter->vfp_table->ConvertToPdf, converter_buf); free(converter_buf); if (retVal) { cout << "Error: ConvertToPdf(): " << retVal << endl; return -1; } return 0; }
重点说明的代码为
wcsncpy_s(converter_buf + (0x208 / sizeof(wchar_t)), converter_buf_count - (0x208 / sizeof(wchar_t)), output_path, wcslen(output_path));
其中0x208表示input_path与output_path的间隔距离。
其实不用更改上述的任何代码,直接编译即可使用
用winafl时注意命令行要改为
afl-fuzz.exe -i %INPUT_DIR% -o foxit_out -D %DynamoRIO_ROOT%\bin32 -t 20000 -- -coverage_module ConvertToPDF.dll -coverage_module foxit-fuzz.exe -target_module foxit-fuzz.exe -target_method convert_to_pdf -nargs 2 -fuzz_iterations 5000 -- %CD%\foxit-fuzz.exe @@ NUL
否则报错,运行结果如下图所示:
跑了三天,一个crash都没有,,,,,,,估计已经被很多人跑了,fuzz好难
