poc来源为 exploit-db

测试环境为WINDOWS SP3

首先打开windows media player windbg附加

开启页堆 !gflag +hpa

0:011> g
(7f0.2f8): Access violation - code c0000005 (!!! second chance !!!)
eax=00008000 ebx=00132060 ecx=000002a4 edx=027ffd38 esi=00147000 edi=00149000
eip=73b722cc esp=027ffd04 ebp=027ffd30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
iccvid!CVDecompress+0x11e:
73b722cc f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:011> kb
ChildEBP RetAddr  Args to Child              
027ffd30 73b7cbf3 00000004 00003731 00000068 iccvid!CVDecompress+0x11e
027ffd60 73b766c8 0012c8d0 00000000 00132530 iccvid!Decompress+0x11d
027ffdac 73b41938 0012c8d0 00000001 0000400d iccvid!DriverProc+0x1bf
027ffdd0 7cf8fa9e 73b5b500 0000400d 027ffde8 MSVFW32!ICSendMessage+0x2b
027ffe00 7cf8f9e9 73b5b500 00000000 00132530 quartz!CVFWDynLink::ICDecompress+0x3e
027ffec0 7cf90a55 01b6c258 01b6a658 00000000 quartz!CAVIDec::Transform+0x282
027ffeec 7cf90939 01b6c258 00000000 01b836d0 quartz!CVideoTransformFilter::Receive+0x110
027fff00 7cf8e67a 01b79c5c 01b6c258 027fff40 quartz!CTransformInputPin::Receive+0x33
027fff10 7cf90ca0 01b6c258 00040103 01b836d0 quartz!CBaseOutputPin::Deliver+0x22
027fff40 7cf90e1c 027fff70 027fff6c 00000000 quartz!CBaseMSRWorker::TryDeliverSample+0x102
027fff84 7cf8ce30 00000000 01b836d0 01b836d0 quartz!CBaseMSRWorker::PushLoop+0x15e
027fff9c 7cf8dbe6 00000000 7cf8a121 00000000 quartz!CBaseMSRWorker::DoRunLoop+0x4a
027fffa4 7cf8a121 00000000 000a0178 027fffec quartz!CBaseMSRWorker::ThreadProc+0x39
027fffb4 7c80b713 01b836d0 00000000 000a0178 quartz!CAMThread::InitialThreadProc+0x15
027fffec 00000000 7cf8a10c 01b836d0 00000000 kernel32!BaseThreadStart+0x37
0:011> ub iccvid!Decompress+0x11d

iccvid!Decompress+0x102:
73b7cbd8 ffb698000000    push    dword ptr [esi+98h]
73b7cbde 57              push    edi
73b7cbdf ff7528          push    dword ptr [ebp+28h]
73b7cbe2 ff752c          push    dword ptr [ebp+2Ch]
73b7cbe5 ff7530          push    dword ptr [ebp+30h]
73b7cbe8 ff7514          push    dword ptr [ebp+14h]
73b7cbeb ff765c          push    dword ptr [esi+5Ch]
73b7cbee e8bb55ffff      call    iccvid!CVDecompress (73b721ae)

 

 

73b7cbee e8bb55ffff      call    iccvid!CVDecompress (73b721ae)这个涵数有漏洞 

IDA单独查看该函数  进行详细分析