The exploit for this vulnerability has two parts:
A. JavaScript heap spray code and x86 Shellcode
B. A short of special XML/SPAN tag elements
The first part of this exploit is a combination of the shellcode and heap spray technology, when it is running, it will be allocating memory blocks until it reaches address 0x0FFF0000, the size of each memory block is 1MB, the shellcode will be put into the address near the end of each block.
Heap spray:
The second part is the trigger of this vulnerability. The issue occurred in mshtml.dll, IE uses this dll to handle the XML/SPAN tags. This exploit used the special character ਊ (hex:0x0a0a) to construct the value of SRC in the first <Image> label, like below:
When mshtml.dll is processing such special XML/SPAN tags, it will allocate a structural memory block to handle these elements. During the process, it will release the memory block that contains these elements but continue referring the block in the next process, with the leak of sanity checks, this vulnerability will be trigged. This is a common object point overwrite tricks.
Here is the working flow of this exploit:
<1> Overwrite object point -> call to 0x0a0a0a0a
<2> Execute the shellcode
<3>Download the malware
336
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
