This vulnerability is an IE browser bug on the VBScript side. yuange was the first to release a complete DVE exploit for it, and the various security teams then published quite good analyses. The principle of the bug itself is fairly conventional, but the exploitation technique is very clever: once the safemode flag is set, the shellcode is effectively written directly in the scripting language, which makes it extremely portable and stable. In my spare time I couldn't resist debugging it myself.
Debugging environment: Win7 + IE8. I referred to 瀚海源's trimmed-down version of the yuange POC, because it includes a way of writing log messages to the debugger from VBScript, so I used it as-is; thanks for sharing.
Vulnerability principle:
First, the relevant data structures:
typedef struct FARSTRUCT tagSAFEARRAY {
    unsigned short cDims;        // Count of dimensions in this array.
    unsigned short fFeatures;    // Flags used by the SafeArray routines documented below.
#if defined(WIN32)
    unsigned long cbElements;    // Size of an element of the array.
                                 // Does not include size of pointed-to data.
    unsigned long cLocks;        // Number of times the array has been
                                 // locked without corresponding unlock.
#else
    unsigned short cbElements;
    unsigned short cLocks;
    unsigned long handle;        // Used on Macintosh only.
#endif
    void HUGEP* pvData;          // Pointer to the data.
    SAFEARRAYBOUND rgsabound[1]; // One bound for each dimension.
} SAFEARRAY;

typedef struct tagSAFEARRAYBOUND {
    ULONG cElements;
    LONG lLbound;
} SAFEARRAYBOUND, *LPSAFEARRAYBOUND;
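As an added example (not code from the original post), here is the header above rebuilt in plain C, with FARSTRUCT/HUGEP dropped so it builds outside the Windows SDK, plus a bounds-checked element lookup for a one-dimensional array. It shows how cbElements, pvData and rgsabound[0] together decide which bytes an index may touch, which is exactly the consistency an analyst checks when inspecting a SAFEARRAY in the debugger; the sample array and the sa_get_or helper are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef int32_t  LONG;
typedef uint32_t ULONG;

typedef struct tagSAFEARRAYBOUND {
    ULONG cElements;   /* number of elements in this dimension */
    LONG  lLbound;     /* lower bound (first valid index) */
} SAFEARRAYBOUND;

/* WIN32 branch of the listing; on a 64-bit non-Windows build unsigned long
 * is wider than in IE's 32-bit layout, which does not affect the check. */
typedef struct tagSAFEARRAY {
    unsigned short cDims;        /* count of dimensions */
    unsigned short fFeatures;    /* FADF_* flags */
    unsigned long  cbElements;   /* size of one element in bytes */
    unsigned long  cLocks;       /* lock count */
    void          *pvData;       /* pointer to the element data */
    SAFEARRAYBOUND rgsabound[1]; /* one bound per dimension */
} SAFEARRAY;

/* Pointer to element `index` of a 1-D array, or NULL when the header is
 * inconsistent or index is outside [lLbound, lLbound + cElements). */
void *sa_elem_1d(const SAFEARRAY *sa, LONG index)
{
    if (sa == NULL || sa->pvData == NULL || sa->cDims != 1 || sa->cbElements == 0)
        return NULL;
    /* 64-bit arithmetic so index - lLbound cannot wrap for extreme values */
    int64_t rel = (int64_t)index - (int64_t)sa->rgsabound[0].lLbound;
    if (rel < 0 || (uint64_t)rel >= sa->rgsabound[0].cElements)
        return NULL;
    return (unsigned char *)sa->pvData + (size_t)rel * sa->cbElements;
}

/* Constructed sample: four 32-bit ints, indices -2..1 (lLbound = -2). */
static int32_t   g_data[4] = { 10, 20, 30, 40 };
static SAFEARRAY g_sa = { 1, 0, sizeof(int32_t), 0, g_data, { { 4, -2 } } };

/* Read g_sa[index]; return `fallback` for any rejected access. */
int32_t sa_get_or(LONG index, int32_t fallback)
{
    int32_t v;
    void *p = sa_elem_1d(&g_sa, index);
    if (p == NULL)
        return fallback;
    memcpy(&v, p, sizeof v);
    return v;
}
```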
The bug lies in oleaut32!SafeArra