CVE-2014-0322 IE10 CMarkup UAF: Vulnerability Analysis and Exploitation

Published 2017-02-13 | Category: Vulnerability exploitation

# 1. Vulnerability analysis

Because this is a heap vulnerability, to make the analysis easier we first use `gflags` to enable `HPA` (page heap) and `UST` (user-mode stack trace database) for `iexplore.exe`, then attach WinDbg to the IE process and visit the POC page:

```html
```

Visiting the page triggers a crash:

![image_1b8om95s2q1sk7l1t2g17r617gg9.png-11.3kB][1]

Let's look at the heap block that `esi` points to:

![image_1b8omnjpr31514rk1a2v1gdfnem.png-35.3kB][2]

We can see that `esi` points to a heap block that has already been freed, and the block's stack backtrace shows that it was `this.outerHTML = this.outerHTML` that freed it. Now look at the call stack:

![image_1b8onef0gehe1ntb1nmnk9j2jp1g.png-29.2kB][3]

At this point the cause of the vulnerability is clear: `this.outerHTML = this.outerHTML` first frees the heap block, and the subsequent call to `appendChild` then uses the block that was just freed. A very typical UAF.

# 2. Exploitation

Let's look at the location where the error occurs:

![image_1b8on5liu190n1d2polje74135t13.png-9.7kB][4]

The error occurs at `mshtml+0x22100c`. First, try to reoccupy the freed heap block right away: turn off HPA and UST, set a breakpoint with `bp mshtml + 0x22100c`, and visit the page:

```html
```

We can see that the freed block was successfully reoccupied:

![image_1b8qkvhp7nls13tg151urvbekj1t.png-217.3kB][5]

Next, analyze `mshtml.dll` with IDA:

![image_1b8qlo1ji11gf1s1h87meg6s102a.png-66.5kB][6]

Then look at the logic inside `UpdateMarkupContentsVersion`:

![image_1b8qmsi246331d281mh91ipjnc62n.png-145.8kB][7]

Summary of the memory layout:

```
Object size = 0x340 = 832
offset: value
94h:  0c0af010h (X = [obj_addr+94h]  = 0c0af010h ==> Y = [X+0ch] = raw_buf_addr ==> [Y+1c0h] is 0)
0ach: 0c0af00bh (X = [obj_addr+0ach] = 0c0af00bh ==> inc dword ptr [X+10h] ==> inc dword ptr [0c0af01bh])
1a4h: 11111h    (X = [obj_addr+1a4h] = 11111h < 15f90h)
```

# 3. EXP

```html
```

This EXP works mainly by turning off the `ActiveXObject` warning dialog ("God mode") and then using `WScript.shell` and `ADODB.Stream`:

![image_1b8qnjuc6v4q1paqcmu1nvv1edt34.png-106.3kB][8]

Full EXP download: [https://github.com/birdg0/exp/blob/master/browser/ie10-cve-2014-0322-exp.html][9]

[1]: http://static.zybuluo.com/birdg0/0720esvnhj8wpvvvkzmvk2u6/image_1b8om95s2q1sk7l1t2g17r617gg9.png
[2]: http://static.zybuluo.com/birdg0/ca0cksznqxj9oxhd4l9di0ok/image_1b8omnjpr31514rk1a2v1gdfnem.png
[3]: http://static.zybuluo.com/birdg0/2i4vwhpx607uvkwm5d6w7j9o/image_1b8onef0gehe1ntb1nmnk9j2jp1g.png
[4]: http://static.zybuluo.com/birdg0/gagst224a9bet2zzpgpx20tc/image_1b8on5liu190n1d2polje74135t13.png
[5]: http://static.zybuluo.com/birdg0/zag2dfaj4r8xvztc7httmvaw/image_1b8qkvhp7nls13tg151urvbekj1t.png
[6]: http://static.zybuluo.com/birdg0/ey3vjfvlwmjpuyibbycrh423/image_1b8qlo1ji11gf1s1h87meg6s102a.png
[7]: http://static.zybuluo.com/birdg0/ldgktdslnmskdada6jdsacxr/image_1b8qmsi246331d281mh91ipjnc62n.png
[8]: http://static.zybuluo.com/birdg0/1bkyrip6dh4y2fim2uczb3us/image_1b8qnjuc6v4q1paqcmu1nvv1edt34.png
[9]: https://github.com/birdg0/exp/blob/master/browser/ie10-cve-2014-0322-exp.html
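The heap-debugging setup that sections 1 and 2 rely on (enabling `HPA` and `UST` for `iexplore.exe` before attaching WinDbg, then turning both off again before the reallocation test) is only named in the post, not shown. The following PowerShell script is an added example, not code from the original post: it runs the `gflags` commands for both steps and verifies the result by reading the `GlobalFlag` value under the Image File Execution Options key that `gflags /i` writes to. It assumes `gflags.exe` from Debugging Tools for Windows is on `PATH` and that the shell is elevated; the two flag constants are the documented NT global-flag bits for page heap and the user-mode stack trace database.

```powershell
# Added example (not from the original post): enable, verify and disable the
# gflags heap-debugging settings used in sections 1 and 2 for iexplore.exe.
# Assumes gflags.exe (Debugging Tools for Windows) is on PATH and the shell is elevated.

$Image   = 'iexplore.exe'
$IfeoKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Image"

# Documented NT GlobalFlag bits that gflags sets for +ust and +hpa
$FLG_USER_STACK_TRACE_DB = 0x00001000   # ust: record alloc/free call stacks
$FLG_HEAP_PAGE_ALLOCS    = 0x02000000   # hpa: full page heap, faults on use-after-free

function Get-HeapDebugState {
    # Read GlobalFlag from IFEO; gflags may store it as a hex string or a DWORD
    $flags = 0
    if (Test-Path $IfeoKey) {
        $v = Get-ItemProperty -Path $IfeoKey -Name GlobalFlag -ErrorAction SilentlyContinue
        if ($v) {
            $raw = $v.GlobalFlag
            if ($raw -is [string]) {
                $flags = [Convert]::ToInt32(($raw -replace '^0x', ''), 16)
            } else {
                $flags = [int]$raw
            }
        }
    }
    [pscustomobject]@{
        Image        = $Image
        GlobalFlag   = ('0x{0:x8}' -f $flags)
        PageHeap     = (($flags -band $FLG_HEAP_PAGE_ALLOCS) -ne 0)
        StackTraceDb = (($flags -band $FLG_USER_STACK_TRACE_DB) -ne 0)
    }
}

# Section 1: enable page heap and the stack trace database, then attach WinDbg
& gflags.exe /i $Image +hpa +ust
Get-HeapDebugState   # expect PageHeap and StackTraceDb both True

# Section 2: turn both off again before attempting to reoccupy the freed block
& gflags.exe /i $Image -hpa -ust
Get-HeapDebugState   # expect both False
```

With UST enabled, the standard WinDbg command `!heap -p -a @esi` (not shown in the post) is what produces the per-block allocation and free stacks the screenshots rely on, which is how the `outerHTML` assignment can be tied to the free. Page heap is turned off for the reallocation test because full page heap places each allocation on its own page and keeps freed pages protected, so the normal allocator behaviour the test depends on is not observable while it is on.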