Using Ghidriff to look at heap buffer overflow example
嗯,用户让我总结一篇文章的内容,控制在100字以内,而且不需要特定的开头。首先,我需要仔细阅读文章内容,理解其主要观点。 文章主要讲的是使用Ghidriff工具分析软件补丁,特别是针对rAthena框架中的一个堆缓冲区溢出漏洞(CVE-2025-58447)。作者展示了如何通过比较补丁前后的二进制文件,找出代码变化,进而理解漏洞修复的机制。 用户可能是一位网络安全爱好者或者研究人员,对逆向工程和漏洞分析感兴趣。他们希望快速了解文章的核心内容,而不需要详细的技术步骤。 所以,我需要提炼出关键点:Ghidriff工具、堆溢出漏洞、补丁分析、修复机制。然后用简洁的语言把这些点连贯起来,确保在100字以内。 可能的结构是:介绍工具和分析对象,说明分析过程和结果。这样既清晰又符合用户的要求。 </think> 文章介绍了使用Ghidriff工具分析软件补丁的过程,重点研究了rAthena框架中一个堆缓冲区溢出漏洞(CVE-2025-58447)的修复机制。通过比较补丁前后的二进制文件差异,揭示了漏洞修复的关键代码变化,并展示了如何通过代码检查防止溢出攻击。 2025-11-2 01:49:26 Author: fluxsec.red(查看原文) 阅读量:27 收藏

The dragon who finds the vulnerable.

Introduction

I wanted to showcase using Ghidriff to analyse a software patch which was applied to fix a heap buffer overflow in a login server, which can lead to remote code execution. I will be looking at CVE-2025-58447 which was present in rAthena, an online game server framework. The report claims a denial of service, and Remote Code Execution (RCE). Two caveats to this blog post:

  • The project is open source, meaning the source code is available to review alongside any decompilation attempts.
  • I will not be looking to exploit the overflow for RCE or altering other heap data structures.

Ghidriff

Ghidriff uses Ghidra’s engine to analyse two binaries and essentially, spot the difference, showing you the pseudo-C of what changed between the binaries.

There are other tools out there, such as for Binary Ninja (my choice of RE platform) and IDA, but unfortunately these are in the form of plugins which are paid features of those tools, which I don’t have access to doing this for learning / as a hobby.

Software (discounting web applications, so we are referring to things such as VPN gateways, Microsoft Office products, Firewalls, etc etc) can be exploited through a number of means - buffer overflows, race conditions, integer under/over flows, etc. A zero-day refers to a vulnerability in some software which is not yet patched by the vendor, and is often used in the context where it allows an adversary to use that vulnerability to execute code or read memory (such as in-memory passwords in a VPN gateway). There are teams around the world, both legitimate and criminal, who race to find zero-days for software to hack into some infrastructure.

N-days however are vulnerabilities which have been patched by the vendor, but may or may not have been patched by the organisation using that software / hardware. Schrodinger’s vulnerability, if you will. It is though analysing n-days with patch diffing (aka, patched vulnerabilities) that we can reverse engineer where the bug was, and work backwards from that in seeing how to exploit it (reading memory, causing a denial of service, or worse - allowing code execution).

N-days are of interest to both defenders and attackers. For defenders they are valuable for triage and detection engineering; for attackers, they lower the amount of discovery work needed to weaponise a bug.

Technical steps

Now we can get into using Ghidriff to get this moving!

First - you need to download the pre-patch binary, and the patched binary. In this case, we can build the project from source by downloading it from GitHub and using git to select a before and after build. For what it is worth, I build the binaries in release mode, to make this as realistic as possible.

Next, we need to ensure we have Ghidra installed as well as Ghidriff - the instructions for both can be found on their GitHub pages.

Now, we can run Ghidriff via the commandline to generate output, we can simply run:

ghidriff .\old.exe .\new.exe --sxs

Adding the –sxs flag tells the tool to also output a side-by-side view of the diff, which makes it a little easier for us to rationalise. Looking at the side-by-side output for this we can see some very clear code changes (left: un-patched binary, right: patched binary):

Ghidriff

The difference between the two binaries affects only one function, and the majority of the changes to it can be pictured in the green diff on the right hand side.

From looking at this - we can see something very interesting. There is a section of code just above the loop which involve uVar9 and uVar10. What is going on here?

Very clearly, we can see the diff is checking some input length against a size of 0x21. If the size is greater than 0x21, then the program will use the maximum size (0x21), otherwise, it will use the given size. The if statement in the middle of the green diff shows this process happening. That prevents the out-of-bounds heap write and the resulting heap corruption.

Later, it then passes uVar9 into FUN_14003e6b0 - where we know now uVar9 has had its bounds checked. In the pre-patch example on the left, you can see the function receives pcVar5 in the same position, and there is no such bounds checking performed.

Turning this corruption into a reliable exploit would require additional, environment-specific steps (e.g. heap grooming and mitigation bypasses).


文章来源: https://fluxsec.red/using-ghidriff-to-examine-heap-buffer-overflow
如有侵权请联系:admin#unsafe.sh