CVE-2012-4792
IE8 CButton Object Use-After-Free Vulnerability
Windows XP SP3
IE 8.0.6001.18702
SRV*[DIR]*http://msdl.microsoft.com/download/symbols;
gflags.exe /i iexplore.exe +hpa +ust
Run windbg
windbg.exe -g -G -o "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://192.168.11.17/poc.html
(200.e54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0bbb0fa8 ebx=05f34f30 ecx=00000052 edx=00000000 esi=00000000 edi=0bbb0fa8
eip=637848ae esp=0391f838 ebp=0391f8a4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
mshtml!CMarkup::OnLoadStatusDone+0x4ef:
637848ae 8b07 mov eax,dword ptr [edi] ds:0023:0bbb0fa8=????????
1:028> !heap -p -a edi
address 0bbb0fa8 found in
_DPH_HEAP_ROOT @ 141000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
bab7248: bbb0000 2000
7c957553 ntdll!RtlFreeHeap+0x000000f9
639943ef mshtml!CButton::`vector deleting destructor'+0x0000002f
63628a50 mshtml!CBase::SubRelease+0x00000022
63640d1b mshtml!CElement::PrivateRelease+0x00000029
6363d0ae mshtml!PlainRelease+0x00000025
63663c03 mshtml!PlainTrackerRelease+0x00000014
633a10b4 jscript!VAR::Clear+0x0000005c
6339fb4a jscript!GcContext::Reclaim+0x000000ab
6339fd33 jscript!GcContext::CollectCore+0x00000113
63405594 jscript!JsCollectGarbage+0x0000001d
633a92f7 jscript!NameTbl::InvokeInternal+0x00000137
633a6650 jscript!VAR::InvokeByDispID+0x0000017c
633a9c0b jscript!CScriptRuntime::Run+0x00002989
633a5ab0 jscript!ScrFncObj::CallWithFrameOnStack+0x000000ff
633a59f7 jscript!ScrFncObj::Call+0x0000008f
633a5743 jscript!CSession::Execute+0x00000175
1:028> kv
ChildEBP RetAddr Args to Child
0391f8a4 635c378b 06221fc0 05c8c6bc 05c8c6a8 mshtml!CMarkup::OnLoadStatusDone+0x4ef
0391f8c4 635c3e16 00000004 0391fd4c 00000000 mshtml!CMarkup::OnLoadStatus+0x47
0391fd10 636553f8 06223f48 00000000 00000000 mshtml!CProgSink::DoUpdate+0x52f
0391fd24 6364de62 06223f48 06223f48 05c9ed58 mshtml!CProgSink::OnMethodCall+0x12
0391fd58 6363c3c5 0391fde0 6363c317 00000000 mshtml!GlobalWndOnMethodCall+0xfb
0391fd78 77cf8734 001103e0 00000009 00000000 mshtml!GlobalWndProc+0x183
0391fda4 77cf8816 6363c317 001103e0 00008002 USER32!InternalCallWinProc+0x28
0391fe0c 77cf89cd 00000000 6363c317 001103e0 USER32!UserCallWinProcCheckWow+0x150 (FPO: [Non-Fpo])
0391fe6c 77cf8a10 0391fe94 00000000 0391feec USER32!DispatchMessageWorker+0x306 (FPO: [Non-Fpo])
0391fe7c 026a2ec9 0391fe94 00000000 01cb8f58 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
0391feec 026448bf 04470808 0040128e 030aeff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x461 (FPO: [Non-Fpo])
0391ffa4 5de05a60 01cb8f58 7c817067 0391ffec IEFRAME!LCIETab_ThreadProc+0x2c1 (FPO: [Non-Fpo])
0391ffb4 7c80b713 030aeff0 0040128e 7c817067 iertutil!CIsoScope::RegisterThread+0xab (FPO: [Non-Fpo])
0391ffec 00000000 5de05a52 030aeff0 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
Running the PoC crashes because the markup code still references the CButton object after it has been freed. At the crash site the value edi points to is loaded into eax and then [eax+0xDC] is called: edi is the object pointer, its first dword is the vtable pointer, and 0xDC is the offset of the virtual method being called, so this is a vtable-based virtual call. With page heap enabled (+hpa) the freed block's page is no longer accessible, which is why the very first load (mov eax,[edi]) faults and the debugger shows ???????? for the memory; without page heap that load would quietly return whatever now occupies the chunk, and a same-sized allocation placed there would put an attacker-chosen vtable pointer into eax.
637848a9 e9ce44e5ff jmp mshtml!CLinePtr::GetAdjustedLineLength+0x12b (635d8d7c)
637848ae 8b07 mov eax,dword ptr [edi] ds:0023:0bbb0fa8=????????
637848b0 57 push edi
637848b1 8975b0 mov dword ptr [ebp-50h],esi
637848b4 8975c0 mov dword ptr [ebp-40h],esi
637848b7 8975c8 mov dword ptr [ebp-38h],esi
637848ba 8975c4 mov dword ptr [ebp-3Ch],esi
637848bd 8975cc mov dword ptr [ebp-34h],esi
637848c0 8975d0 mov dword ptr [ebp-30h],esi
637848c3 ff90dc000000 call dword ptr [eax+0DCh]
637848c9 56 push esi
637848ca 6837fdffff push 0FFFFFD37h
637848cf 56 push esi
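As an added illustration, not code from the original post and not mshtml's real object layout, the C program below models the pattern at the crash site (mov eax,[edi] followed by call [eax+0DCh]) on a tiny deterministic slab allocator. The chunk size, the vtable slot count and the allocator itself are assumptions. run_uaf(0) models a normal heap, where the freed chunk is handed straight back to the next same-sized allocation and the virtual call lands in attacker-supplied code; run_uaf(1) models gflags +hpa, where freed chunks are never reused and the stale pointer is caught on the first load, the way !heap -p -a reported the block above as free-ed.

```c
/*
 * Constructed model of the crash site on this page:
 *     mov  eax, dword ptr [edi]   ; eax = object's vtable pointer
 *     call dword ptr [eax+0DCh]   ; call vtable slot 0xDC/4 == 55
 * Object size, vtable layout and the slab allocator are assumptions for
 * illustration only; none of this is mshtml's real layout.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE    0x100        /* assumed object size */
#define NCHUNKS       8
#define VSLOT         (0xDC / 4)   /* slot reached by "call [eax+0DCh]" on 32-bit */
#define ATTACKER_MARK 0x41414141   /* returned when control reaches attacker code */

enum chunk_state { CHUNK_UNUSED, CHUNK_BUSY, CHUNK_FREED };

struct chunk {
    union { unsigned char bytes[CHUNK_SIZE]; void *align_; } u;  /* pointer-aligned storage */
    enum chunk_state state;
};

static struct chunk g_heap[NCHUNKS];
static int g_pageheap;   /* 1 models gflags +hpa: freed chunks are quarantined, never reused */

static void heap_reset(int pageheap)
{
    memset(g_heap, 0, sizeof g_heap);
    g_pageheap = pageheap;
}

/* A normal heap hands a freed chunk of the right size straight back; that reuse is
 * what lets a later allocation sit exactly where the dangling pointer still points. */
static void *heap_alloc(void)
{
    int i;
    if (!g_pageheap)
        for (i = 0; i < NCHUNKS; i++)
            if (g_heap[i].state == CHUNK_FREED) { g_heap[i].state = CHUNK_BUSY; return g_heap[i].u.bytes; }
    for (i = 0; i < NCHUNKS; i++)
        if (g_heap[i].state == CHUNK_UNUSED) { g_heap[i].state = CHUNK_BUSY; return g_heap[i].u.bytes; }
    return NULL;
}

static struct chunk *heap_chunk_of(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    int i;
    for (i = 0; i < NCHUNKS; i++) {
        uintptr_t lo = (uintptr_t)g_heap[i].u.bytes;
        if (a >= lo && a < lo + CHUNK_SIZE) return &g_heap[i];
    }
    return NULL;
}

static void heap_free(void *p)
{
    struct chunk *c = heap_chunk_of(p);
    if (c) c->state = CHUNK_FREED;
}

/* What "!heap -p -a <addr>" answered above: which allocation holds the address
 * and whether it is busy or free-ed. */
static enum chunk_state heap_query(const void *p)
{
    struct chunk *c = heap_chunk_of(p);
    return c ? c->state : CHUNK_UNUSED;
}

typedef int (*method_fn)(void *self);
struct vtbl { method_fn slot[64]; };
struct cbutton {
    const struct vtbl *vt;                             /* first field: what mov eax,[edi] loads */
    unsigned char body[CHUNK_SIZE - sizeof(void *)];
};

static int cbutton_method(void *self) { (void)self; return 1; }
static struct vtbl g_cbutton_vtbl;

static struct cbutton *cbutton_create(void)
{
    struct cbutton *b = heap_alloc();
    if (!b) return NULL;
    g_cbutton_vtbl.slot[VSLOT] = cbutton_method;
    b->vt = &g_cbutton_vtbl;
    return b;
}

static void cbutton_release(struct cbutton *b) { heap_free(b); }

/* The crash site. Under +hpa the freed page is unmapped and the first load faults;
 * heap_query() stands in for that fault and returns -1 instead of dereferencing. */
static int on_load_status_done(struct cbutton *edi)
{
    const struct vtbl *eax;
    if (heap_query(edi) != CHUNK_BUSY)
        return -1;
    eax = edi->vt;
    return eax->slot[VSLOT](edi);
}

static int attacker_method(void *self) { (void)self; return ATTACKER_MARK; }
static struct vtbl g_fake_vtbl;

/* Create, release while a reference is still held, let a same-sized allocation
 * take the chunk, then dispatch through the stale pointer. */
static int run_uaf(int pageheap)
{
    struct cbutton *edi;
    const struct vtbl *fake = &g_fake_vtbl;
    unsigned char *reuse;

    heap_reset(pageheap);
    edi = cbutton_create();
    cbutton_release(edi);                   /* the SubRelease path: object gone, edi kept */

    g_fake_vtbl.slot[VSLOT] = attacker_method;
    reuse = heap_alloc();                   /* attacker-shaped allocation of the same size */
    if (reuse) memcpy(reuse, &fake, sizeof fake);   /* first field = fake vtable pointer */

    return on_load_status_done(edi);
}

int main(void)
{
    printf("normal heap : 0x%x\n", run_uaf(0));   /* attacker slot reached */
    printf("page heap   : %d\n",   run_uaf(1));   /* fault on first load, like the AV above */
    return 0;
}
```

Without page heap the stale pointer passes the liveness check because the chunk is busy again, only now with attacker data in it; that is the real-world condition, and it is why page heap is turned on for triage: it converts the silent reuse into the access violation seen above and makes the freed block show up in !heap -p -a.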
- Where CButton is allocated (the HeapAlloc call on creation)
- Where CButton is freed (the HeapFree call in its destructor)
Setting the breakpoints below and watching the heap address of the CButton confirms that this is a UAF bug and that edi holds the address of the CButton object: the address printed at creation, the one printed at deletion and the edi value at the crash are all the same (0b8f9fa8 in this run). The first breakpoint sits just after the allocation in the creation path (the new object is in eax); the second sits just before the HeapFree call in CButton's vector deleting destructor (the object being deleted is in esi). The absolute address differs between runs (0bbb0fa8 above, 0af4afa8 below), but the low bits 0xfa8 repeat every time because page heap places the block at the end of its page, directly in front of the guard page.
sxe ld:mshtml
bp 0x639944f7 ".printf \"Created CButton at %p\", eax;.echo;g";
bp 0x639943e9 ".printf \"Deleting CButton at %p\", esi;.echo;g"
1:029> bp 0x639944f7 ".printf \"Created CButton at %p\", eax;.echo;g";bp 0x639943e9 ".printf \"Deleting CButton at %p\", esi;.echo;g"
1:029> g
ModLoad: 63580000 63b2c000 C:\WINDOWS\system32\mshtml.dll
eax=00000000 ebx=00000000 ecx=01e70000 edx=7c93e4f4 esi=00000000 edi=00000000
eip=7c93e4f4 esp=0012877c ebp=00128870 iopl=0 nv up ei ng nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000296
ntdll!KiFastSystemCallRet:
7c93e4f4 c3 ret
2:039> g
Created CButton at 0b8f9fa8
Deleting CButton at 0b8f9fa8
(47c.638): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0b8f9fa8 ebx=05fbaf30 ecx=00000052 edx=00000000 esi=00000000 edi=0b8f9fa8
eip=637848ae esp=0391f838 ebp=0391f8a4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
mshtml!CMarkup::OnLoadStatusDone+0x4ef:
637848ae 8b07 mov eax,dword ptr [edi] ds:0023:0b8f9fa8=????????
Another way to locate the crash point is to put Math.atan2() calls with string arguments into the HTML as debug markers and break on jscript!JsAtan2, printing the string argument (%mu prints it as a null-terminated Unicode string). In this run every marker had already executed when the crash hit: the freed CButton object is touched only after the onload handler has run helloWorld(), i.e. after "Done collecting garbage", when mshtml reaches CMarkup::OnLoadStatusDone.
sxe ld:jscript
bp jscript!JsAtan2 ".printf \"%mu\", poi(poi(poi(esp+14)+8)+8);.echo;g"
1:024> bp jscript!JsAtan2 ".printf \"%mu\", poi(poi(poi(esp+14)+8)+8);.echo;g"
1:024> g
Symbol search path is: SRV*C:\WebSymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 63380000 63434000 C:\WINDOWS\system32\jscript.dll
eax=00000000 ebx=00000000 ecx=012b0000 edx=7c93e4f4 esi=00000000 edi=00000000
eip=7c93e4f4 esp=0012dd70 ebp=0012de64 iopl=0 nv up ei ng nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000296
ntdll!KiFastSystemCallRet:
7c93e4f4 c3 ret
2:034> g
before get element a
before get element b
before create element q
before apply element e1(b) -> e2(q)
before appendChild create element button
before applyElement e1 -> e0
before e2 outertext
before e2 appendChild createElement body
All done inside try loop
collecting garbage
Done collecting garbage
(dc4.8ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0af4afa8 ebx=05f3cf30 ecx=00000052 edx=00000000 esi=00000000 edi=0af4afa8
eip=637848ae esp=0391f838 ebp=0391f8a4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
mshtml!CMarkup::OnLoadStatusDone+0x4ef:
637848ae 8b07 mov eax,dword ptr [edi] ds:0023:0af4afa8=????????