PDF Reader 퍼징 도전기(4) - DLL 변경


(3)에서 ezPDF2HWP.dll에서 export에서 대상 함수를 찾기 힘들어 offset으로 함수를 찾아 시도해봤지만 오류가 떠서 다른 dll로 변경해보았다.

 

ezPDF2HWP.dll -> ez2HTML.dll, export에서 pdf2html으로 퍼징을 시도해 보았다.

 

이전 fuzzme 코드 (3)

// Prototype the harness assumes for the target routine: __cdecl, one wide-string
// path argument, int result.
// NOTE(review): this is the harness's assumption, not something read from the DLL.
// If the real routine takes a different argument list or calling convention, the
// call misbehaves inside the harness and the fuzzer reports it as a target crash.
// Confirm against the disassembly.
typedef int (__cdecl *TARGET)(wchar_t* filename);
// Address of the target routine; main() assigns it from the DLL base plus a fixed offset.
TARGET funcPtr;
// Exported with C linkage, so the symbol name is not C++-mangled.
extern "C" __declspec(dllexport) int fuzzme(wchar_t* path);
// LPCSTR = long pointer constant string = const char *
// (TARGET above takes wchar_t*, a wide string, not an LPCSTR.)

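// Reference only: what looks like a decompiler prototype for a candidate target.
// As pasted it had no terminating ';' and stopped the file from compiling.
// It takes four arguments (char*, char*, int, int*), which does not match the
// one-argument TARGET typedef. Confirm which routine the harness really calls.
// void __cdecl pdf2hwpA(char *param_1,char *param_2,int param_3,int *param_4)

// Earlier variant of fuzzme(), disabled: a second definition of fuzzme() follows
// further down, and two definitions of the same function do not compile.
// extern "C" __declspec(dllexport) __declspec(noinline) int fuzzme(wchar_t* path) {
// 	int result = funcPtr(path);
// 	return result;
// }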
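/*
 * Convert a NUL-terminated multibyte string into a newly allocated wide string.
 *
 * Returns a heap buffer that the caller must free(), or NULL when text is NULL,
 * the allocation fails, or text is not a valid multibyte sequence.
 *
 * NOTE(review): mbstowcs() converts according to the current C locale. No
 * setlocale() call is visible in this harness, so non-ASCII file names may not
 * convert as expected. Confirm before fuzzing with such paths.
 */
wchar_t* charToWChar(const char* text)
{
	if (!text) {
		return NULL;
	}

	// At most one wide character is produced per input byte, plus the terminator.
	size_t size = strlen(text) + 1;

	// calloc() rejects a size * sizeof(wchar_t) overflow and zero-fills the buffer.
	wchar_t* wa = (wchar_t*)calloc(size, sizeof(wchar_t));
	if (!wa) {
		return NULL;
	}

	// On an invalid sequence mbstowcs() returns (size_t)-1 and the buffer content
	// is not a usable string. Handing it to the target would make the harness,
	// not the target, the source of the fault.
	if (mbstowcs(wa, text, size) == (size_t)-1) {
		free(wa);
		return NULL;
	}

	wa[size - 1] = L'\0';
	return wa;
}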

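/*
 * Function the fuzzer drives: calls the target routine once with the input path.
 *
 * Returns 0 after the target returns, or -1 when the call cannot be made
 * (target address not set, or no path). The target's own return value is
 * discarded.
 */
int fuzzme(wchar_t* path) {
	// Calling through a NULL funcPtr, or passing a NULL path, faults inside the
	// harness on every input, and the fuzzer would record that as a target crash.
	if (!funcPtr || !path) {
		return -1;
	}
	funcPtr(path);
	return 0;
}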
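/*
 * Harness entry point (offset variant): loads ezPDF2HWP.dll, computes the target
 * address as module base + fixed offset, and calls it once with argv[1].
 *
 * Returns 0 after the call, -1 when the input path is missing, the DLL cannot
 * be loaded, or the path cannot be converted.
 */
int main(int argc, char* argv[]) {
	// argv[1] is dereferenced below; without this check a missing argument
	// crashes the harness before the target is ever reached.
	if (argc < 2) {
		printf("usage: %s <input file>\n", argv[0]);
		return -1;
	}

	// The path literal is wide, so call the W variant explicitly instead of
	// relying on the UNICODE macro to pick it.
	HMODULE DLLHandle = LoadLibraryW(L"C:\\Program Files (x86)\\Unidocs\\ezPDFEditor\\ezPDF2HWP.dll"); // dll base address?

	if (DLLHandle == NULL) {
		printf("Cannot load ezPDF2HWP.dll\n");
		return -1;
	}

	// Module base + offset. Pointer arithmetic replaces the original (int) cast,
	// which truncates the address in a 64-bit build.
	// NOTE(review): 0xB640 is tied to one build of the DLL; on another version
	// this address holds different code. The prototype pasted earlier in this
	// listing (pdf2hwpA) takes four arguments while TARGET passes one. If that
	// is the routine at this offset, the call itself is wrong. Confirm both.
	funcPtr = (TARGET)((char*)DLLHandle + 0xB640);//0xb410;//0x1000B640
	printf("funcPtr addr: 0x%p\n", (void*)funcPtr);
	printf("file name: %s\n", argv[1]);

	wchar_t* wpath = charToWChar(argv[1]);
	if (wpath == NULL) {
		printf("Cannot convert file name\n");
		return -1;
	}

	fuzzme(wpath);
	free(wpath);
	return 0;
}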

 

새로운 코드

// Prototype the harness assumes for the exported routine: __cdecl, one
// wide-string path argument, int result.
// NOTE(review): GetProcAddress() returns an untyped address, so nothing checks
// this prototype. A wrong argument list or calling convention fails inside the
// harness and is reported by the fuzzer as a target crash. Confirm against the
// disassembly of the export.
typedef int (__cdecl *TARGET)(wchar_t* filename);
// Address of the target routine; main() fills it in with GetProcAddress().
TARGET funcPtr;
// Exported with C linkage, so the symbol name is not C++-mangled.
extern "C" __declspec(dllexport) int fuzzme(wchar_t* path);
// LPCSTR = long pointer constant string = const char *
// (TARGET above takes wchar_t*, a wide string, not an LPCSTR.)

/*
extern "C" __declspec(dllexport) __declspec(noinline) int fuzzme(wchar_t* path) {
	int result = funcPtr(path);
	return result;
}
*/
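/*
 * Convert a NUL-terminated multibyte string into a newly allocated wide string.
 *
 * Returns a heap buffer that the caller must free(), or NULL when text is NULL,
 * the allocation fails, or text is not a valid multibyte sequence.
 *
 * NOTE(review): mbstowcs() converts according to the current C locale. No
 * setlocale() call is visible in this harness, so non-ASCII file names may not
 * convert as expected. Confirm before fuzzing with such paths.
 */
wchar_t* charToWChar(const char* text)
{
	if (!text) {
		return NULL;
	}

	// At most one wide character is produced per input byte, plus the terminator.
	size_t size = strlen(text) + 1;

	// calloc() rejects a size * sizeof(wchar_t) overflow and zero-fills the buffer.
	wchar_t* wa = (wchar_t*)calloc(size, sizeof(wchar_t));
	if (!wa) {
		return NULL;
	}

	// On an invalid sequence mbstowcs() returns (size_t)-1 and the buffer content
	// is not a usable string. Handing it to the target would make the harness,
	// not the target, the source of the fault.
	if (mbstowcs(wa, text, size) == (size_t)-1) {
		free(wa);
		return NULL;
	}

	wa[size - 1] = L'\0';
	return wa;
}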
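/*
 * Function the fuzzer drives: calls the target routine once with the input path.
 *
 * Returns 0 after the target returns, or -1 when the call cannot be made
 * (export not resolved, or no path). The target's own return value is
 * discarded.
 */
int fuzzme(wchar_t* path) {
	// GetProcAddress() yields NULL when the export name does not match. Calling
	// through it, or passing a NULL path, faults inside the harness on every
	// input, and the fuzzer would record that as a target crash.
	if (!funcPtr || !path) {
		return -1;
	}
	funcPtr(path);
	return 0;
}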
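/*
 * Harness entry point (export variant): loads PDF2HTML.dll, resolves the
 * PDFtoHTML export, and calls it once with argv[1].
 *
 * Returns the value of fuzzme() after the call, or -1 when the input path is
 * missing, the DLL cannot be loaded, the export is not found, or the path
 * cannot be converted. The original returned 0 for a failed load as well, so
 * a run that never reached the target looked the same as a clean one.
 */
int main(int argc, char* argv[]) {
	// argv[1] is dereferenced below; without this check a missing argument
	// crashes the harness before the target is ever reached.
	if (argc < 2) {
		printf("usage: %s <input file>\n", argv[0]);
		return -1;
	}

	// The path literal is wide, so call the W variant explicitly instead of
	// relying on the UNICODE macro to pick it.
	HMODULE DLLHandle = LoadLibraryW(L"C:\\Program Files (x86)\\Unidocs\\ezPDFEditor\\PDF2HTML.dll"); // dll base address?
	if (!DLLHandle) {
		printf("Cannot load PDF2HTML.dll\n");
		return -1;
	}

	// NOTE(review): the article text names ez2HTML.dll / pdf2html, while this
	// code uses PDF2HTML.dll / PDFtoHTML. Export names are matched exactly, so
	// check the name against the DLL's export table. A mismatch leaves funcPtr
	// NULL.
	funcPtr = (TARGET)GetProcAddress(DLLHandle, "PDFtoHTML");
	if (!funcPtr) {
		printf("Cannot find export PDFtoHTML\n");
		return -1;
	}

	wchar_t* wpath = charToWChar(argv[1]);
	if (!wpath) {
		printf("Cannot convert file name\n");
		return -1;
	}

	int isexecuted = fuzzme(wpath);
	free(wpath);

	printf("isececuted: %d\n", isexecuted);
	return isexecuted;
}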

 

코드를 새로 짠 후, 모듈은 제대로 로드된 듯 보였고, 퍼저도 제대로 돌아가는 듯 싶었다.

Module loaded, ezPDFEditor.exe
Module loaded, ezPDFEditorModule.dll
Module loaded, ezPDFConvertModule.dll
Module loaded, ezPDFConvertModule.dll
Module loaded, dynamorio.dll
Module loaded, winafl.dll
Module loaded, drwrap.dll
Module loaded, drmgr.dll
Module loaded, drreg.dll
Module loaded, drx.dll
Module loaded, COMCTL32.dll
Module loaded, profapi.dll
Module loaded, Wldp.dll
Module loaded, UxTheme.dll
Module loaded, Windows.Storage.dll
Module loaded, SspiCli.dll
Module loaded, AppCore.dll
Module loaded, WININET.dll
Module loaded, WINMM.dll
Module loaded, gdiplus.dll
Module loaded, oledlg.dll
Module loaded, OLEACC.dll
Module loaded, MSIMG32.dll
Module loaded, IPHLPAPI.DLL
Module loaded, WINSPOOL.DRV
Module loaded, VERSION.dll
Module loaded, GDI32.dll
Module loaded, bcryptPrimitives.dll
Module loaded, imagehlp.dll
Module loaded, ucrtbase.dll
Module loaded, ole32.dll
Module loaded, OLEAUT32.dll
Module loaded, msvcrt.dll
Module loaded, SHLWAPI.dll
Module loaded, KERNELBASE.dll
Module loaded, SHELL32.dll
Module loaded, msvcp_win.dll
Module loaded, COMDLG32.dll
Module loaded, SECHOST.dll
Module loaded, KERNEL32.dll
Module loaded, RPCRT4.dll
Module loaded, PSAPI.DLL
Module loaded, win32u.dll
Module loaded, IMM32.dll
Module loaded, gdi32full.dll
Module loaded, USER32.dll
Module loaded, WS2_32.dll
Module loaded, ADVAPI32.dll
Module loaded, SHCORE.dll
Module loaded, combase.dll
Module loaded, ntdll.dll
Module loaded, ezPDFConvertDll.dll
Module loaded, ezPDFEditorModule.dll

 

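하지만 test case에서 계속 오류가 발생하였다. Harness에서 문제가 발생한 것으로 의심되므로, 다른 함수를 찾거나 harness를 다시 작성해봐야겠다. 위 로그에는 ezPDFEditor.exe가 로드된 것으로 나오고 harness가 여는 PDF2HTML.dll은 보이지 않으므로, 실제로 harness가 계측 대상으로 실행되고 있는지와 GetProcAddress 반환값이 NULL이 아닌지부터 확인하는 것이 좋겠다.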
