-
-
[求助]UAF的问题
-
发表于:
2016-10-2 11:49
2638
-
在 CVE-2014-0322 中,在 tope.as 里,函数 proc()里,是否存在地址访问越界?
function proc(_arg1:TimerEvent):void
{
........
_local4 = (_local4 & 0xFFFFFFFC);
_local27 = _local4;
if (_local21 > _local4) // Get flash.media.Sound对象虚函数表,然后 & 0xFFFF0000
{
// V2_BaseAddrss + a * 4 + b * 4 = WantAddress + 0x100000000 --> a + b = (W - V2 + 0x100000000) / 4
_local12 = (this.s[_local7][(0x40000000 + ((_local4 - _local21) / 4))] & 0xFFFF0000);
}
else
{
_local12 = (this.s[_local7][((_local4 - _local21) / 4)] & 0xFFFF0000);
};
_local32 = (_local12 / 65536);
_local29 = 0;
........
}
我自己的分析:
// start_addr = 98688个向量对象分配的首地址
// _local21 = 0x1A1B3008
// _local4 = this.s[_local7][((((_local4 +(_local29 * 0x1000))- _local21+68)/4))]
// = *(start_addr + 0x1000 * (98688 + n) + (4096 + 60))
// = *(start_addr + 0x1000 * (98688 + n + 1) + 60)
//
// 1MB = (1024字节 * 1024) = 0x100000 字节
// 1GB = (1MB * 1024) = 0x40000000 字节
// 4GB = (1GB * 4) = 0x100000000字节
//
// 第 _local7(_local7 = _local30) 个元素的size 为 0x3FFFFFF0(0x40000000 = 0x3FFFFFF0 + 0x10),0x10为头部大小,
// 需要乘以4,即头部大小为 :0x10 * 4 = 0x40 = 64字节,因此,
// &this.s[_local7][0x40000000] = (start_addr + (_local30-1) * 0x1000字节) + 0x40000000 * 0x4字节
// = 0x1a1b3000 + 0x100000000
//
// _local4 - _local21 = *(start_addr + 0x1000 * (98688 + n + 1) + 60) - 0x1A1B3008
//
// this.s[_local7][(0x40000000 + ((_local4 - _local21) / 4))] = &this.s[_local7][0x40000000] + (_local4 - _local21)
// = 0x1a1b3000 + 0x100000000 + *(start_addr + 0x1000*(98688+n+1)+60)- 0x1A1B3008
// = 0x100000000 - 0x8 + *(start_addr + 0x1000*(98688+n+1)+60)
//
即我的问题是:
this.s[_local7][(0x40000000 + ((_local4 - _local21) / 4))] 要访问的地址为 0x100000000 - 0x8 + *(start_addr + 0x1000*(98688+n+1)+60),显然已超过 4G(32位系统),那程序到这里不就已经出错了?是否我分析错了?
最后,附上 tope.as
Tope.zip
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
