【OOB】MSHTML!CPasteCommand::ConvertBitmaptoPng heap-based buffer overflow学习
IE 11 MSHTML!CPasteCommand::ConvertBitmaptoPng heap-based buffer overflow学习
MS14-056, CVE-2014-4138
Time-line
8 May 2014: This vulnerability was submitted to ZDI.
9 June 2014: This vulnerability was acquired by ZDI.
23 June 2014: This vulnerability was disclosed to Microsoft by ZDI.
14 October 2014: This vulnerability was address by Microsoft in MS14-056.
21 December 2016: Details of this vulnerability are released.
越界访问漏洞
版本:Microsoft Internet Explorer 11.0.9600.16521
概述
图片被粘贴到IE11中,会把BMP格式转换成PNG格式,MSHTML!CPasteCommand::ConvertBitmaptoPng函数执行这个操作。
这个函数使用BMP图片的大小来储存转换好的PNG图片,如果转换后的PNG大于BMP则会发生溢出
CPasteCommand::ConvertBitmaptoPng 伪代码
函数原型
ConvertBitmaptoPng(
[IN] VOID* poBitmap,
UINT uBitmapSize,
[OUT] VOID** ppoPngImage,
UINT* puPngImageSize
)
{
// BMP到PNG的转换
CMemStm* poCMemStm;
IWICStream* poWicBitmap;
STATSTG oStatStg;
TSmartArray<unsigned char> poPngImage;
UINT uReadSize;
// Create a CMemStm for the PNG image.
CreateStreamOnHGlobal(NULL, True, poCMemStm);
// Create an IWICStream from the BMP image.
InitializeFromMemory(poBitMap, uBitmapSize,
&GUID_ContainerFormatBmp, &poWicBitmap)));
// Write BMP image in IWICStream to PNG image in CMemStm
WriteWicBitmapToStream(poWicBitmap, &GUID_ContainerFormatPng, poCMemStm);
// Get size of PNG image in CMemStm and save it to the output variable.
oCMemStm->Stat(&oStatStg, 0);
*puPngImageSize = oStatStg.cbSize.LowPart;
// Allocate memory for the PNG
//这一句产生问题,使用了BMP的大小给PNG分配内存
poPngImage->New(uBitmapSize);
// Go to start of PNG image in CMemStm
poCMemStm->Seek(0, STREAM_SEEK_SET, NULL, &pPositionLow);
// Read PNG image in CMemStm to allocated memory.
//这一句读入PNG的内容,导致溢出
poCMemStm->Read(poPngImage, *puPngImageSize, &uReadSize);
// Save location of allocated memory with PNG image to output variable.
*ppoPngImage = poPngImage;
}
POC
只有用js实现图片复制的脚本,图片本身需要另外生成