CVE-2014-1776 IE11 VGX.DLL UAF Vulnerability Analysis and Exploitation

Posted on 2017-02-20 | Category: Exploitation

# 1. Vulnerability Analysis

Since this is a UAF bug, first enable `HPA` (full page heap) and `UST` (user-mode stack traces) for the browser, then attach WinDbg and open the POC page:

```html
IE Case Study - STEP1
```

After the page loads, WinDbg catches the crash. The fault is in `CMarkup::IsConnectedToPrimaryMarkup`, and the freed heap block has size `0x428`.

![image_1b9cphm1q1m0e1susc1m1ok10nbm.png-25.9kB][1]

Next, try to reclaim the freed heap block:

```html
IE Case Study - STEP1
```

First disable `HPA` and `UST`. Because `CMarkup::IsConnectedToPrimaryMarkup` is also called from other places, set the breakpoint only on the `CMarkup::IsConnectedToPrimaryMarkup` call that is reached from `CBase::put_BoolHelper`:

```
bp MSHTML!CBase::put_BoolHelper "bc *; bp MSHTML!CMarkup::IsConnectedToPrimaryMarkup 3; g"
```

![image_1b9cs2ugm1hrbjhc19k11vcj17vl13.png-122.4kB][2]

# 2. Exploitation

Open mshtml.dll in IDA and jump to `CMarkup::IsConnectedToPrimaryMarkup`:

![1.png-95.7kB][3]

We control the memory that `ecx` points to, so we can make execution take the block marked in green. Now look at the caller of `CMarkup::IsConnectedToPrimaryMarkup`, `CMarkup::OnCssChange`:

![2.png-192.8kB][4]

`esi` points exactly at the content we control. Next, `CMarkup::IsPendingPrimaryMarkup`:

![3.png-43kB][5]

Then `CMarkup::Root`:

![4.png-18.8kB][6]

Pay particular attention to the final `mov eax, [eax+ecx-24h]`. Next, `CElement::EnsureFormatCacheChange`:

![5.png-26kB][7]

Finally, `CView::AddInvalidationTask`:

![6.png-104.5kB][8]

Here `esi` is the `edx` that was pushed before the call; `edx` is `[eax+1Ch]`, and `eax` is the return value of the `CMarkup::Root` call. Note the `inc dword ptr [edi+248h]`: it increments the dword at an arbitrary address by 1, which at this point makes the bug very similar to `CVE-2014-0322`.

The memory layout required for exploitation is summarized below:

```
Conditions to control the bug and force an INC of dword at magic_addr + 0x1b:

X = [ptr+0A4h] ==> Y = [X+0ch] ==> [Y+208h] is 0
                                   [Y+630h+248h] = [Y+878h]  val to inc! <======
                                   [Y+630h+380h] = [Y+9b0h]  has bit 16 set
                                   [Y+630h+3f4h] = [Y+0a24h] has bit 7 set
                                   [Y+1044h] is 0

U = [ptr+118h] ==> [U] is 0 => V = [U-24h] => W = [V+1ch], [W+0ah] has bit 1 set & bit 4 unset
                                                           [W+44h] has bit 7 set
                                                           [W+5ch] is writable

[ptr+198h] has bit 12 set
```

# 3. Full EXP (God Mode)

```html
IE Case Study - STEP1
```

![image_1b9corp961r711ra21b75o17k0i9.png-50.9kB][9]

Full EXP download: [https://github.com/birdg0/exp/blob/master/browser/ie11-cve-2014-1776-exp.html][10]

[1]: http://static.zybuluo.com/birdg0/5j89yatcb89krz866irayxjq/image_1b9cphm1q1m0e1susc1m1ok10nbm.png
[2]: http://static.zybuluo.com/birdg0/pwfp6up97p7o1vfj8u3xjxvh/image_1b9cs2ugm1hrbjhc19k11vcj17vl13.png
[3]: http://static.zybuluo.com/birdg0/efrmvsj6cksurbaw9i707n5k/1.png
[4]: http://static.zybuluo.com/birdg0/r8f2cnpunv84t6cocguq44ol/2.png
[5]: http://static.zybuluo.com/birdg0/9vxdvdigbwd6qkp1ozqquag3/3.png
[6]: http://static.zybuluo.com/birdg0/fmsaysbjrruil2n0s4j0ogpz/4.png
[7]: http://static.zybuluo.com/birdg0/b1lmt6ljnptuq1h5x1mgfsmn/5.png
[8]: http://static.zybuluo.com/birdg0/4zjc0zmquwsu6jrhf3njlmi1/6.png
[9]: http://static.zybuluo.com/birdg0/2gwc2fiz8wdwwtat5pijbvf7/image_1b9corp961r711ra21b75o17k0i9.png
[10]: https://github.com/birdg0/exp/blob/master/browser/ie11-cve-2014-1776-exp.html
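The triage in section 1 toggles `HPA` and `UST` for the browser twice (on to catch the free, off again to reclaim the block). The following PowerShell helper, an added example and not code from the original write-up, does that with gflags.exe and then verifies the resulting `GlobalFlag` bits under the Image File Execution Options key, so a silently failed (non-elevated) run is caught before attaching WinDbg. It assumes gflags.exe from Debugging Tools for Windows is on PATH and the shell is elevated.

```powershell
# Enable or disable full page heap (hpa) and the user-mode stack trace
# database (ust) for an image via gflags.exe, then verify the IFEO flags.
# Assumptions (example-only): gflags.exe on PATH, elevated shell.
param(
    [string]$Image = 'iexplore.exe',   # image name as gflags expects it
    [switch]$Disable                   # switch both features off again
)

$ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Image"
$FLG_HEAP_PAGE_ALLOCS    = 0x02000000   # hpa: each allocation gets its own guard page
$FLG_USER_STACK_TRACE_DB = 0x00001000   # ust: record alloc/free call stacks

function Get-GlobalFlag {
    # gflags writes GlobalFlag as REG_SZ hex text ("0x02001000"); tolerate a DWORD too.
    $v = (Get-ItemProperty -Path $ifeo -Name GlobalFlag -ErrorAction SilentlyContinue).GlobalFlag
    if ($null -eq $v) { return [uint32]0 }
    if ($v -is [string]) { return [Convert]::ToUInt32($v.Trim(), 16) }
    return [uint32]$v
}

if ($Disable) {
    & gflags.exe /p /disable $Image | Out-Null   # drop full page heap
    & gflags.exe /i $Image -ust     | Out-Null   # drop stack trace database
} else {
    & gflags.exe /p /enable $Image /full | Out-Null   # full page heap for the image
    & gflags.exe /i $Image +ust          | Out-Null   # keep call stacks for !heap -p -a
}

$flags = Get-GlobalFlag
$hpa = ($flags -band $FLG_HEAP_PAGE_ALLOCS)    -ne 0
$ust = ($flags -band $FLG_USER_STACK_TRACE_DB) -ne 0
'{0}: GlobalFlag=0x{1:X8} hpa={2} ust={3}' -f $Image, $flags, $hpa, $ust

# Fail loudly when the enable step did not take effect (typically a non-elevated shell).
if (-not $Disable -and -not ($hpa -and $ust)) {
    throw "page heap / stack traces are not enabled for $Image; run elevated with gflags.exe on PATH"
}
```

Run it once before the crash capture, and again with `-Disable` before the heap-reclaim step, so the allocator behaves normally when the freed `0x428` block is reoccupied.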