CVE-2018-8174 "Double Kill" vulnerability: analysis, reproduction and defense

Source: 岁月联盟  Editor: 猪蛋儿  Date: 2020-01-29
C:/TOOLS/windbg_cn/WinDbg(x86)>gflags.exe /i iexplore.exe +ust +hpa
// After attaching WinDbg to IE, the following crash site can be captured
// assembly
..
76aa4966 8b4608          mov     eax,dword ptr [esi+8]
76aa4969 85c0            test    eax,eax
76aa496b 0f8454f5ffff    je      OLEAUT32!VariantClear+0xc3 (76aa3ec5)
76aa4971 8b08            mov     ecx,dword ptr [eax]  ds:0023:06076fd0=????????
..
//command
0:013> g
(e84.548): Access violation - code c0000005 (first chance)                        // access to already-freed memory, hence the crash
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=06076fd0 ebx=06192fe0 ecx=00000009 edx=00000002 esi=06192fe0 edi=00000009
eip=76aa4971 esp=0457d02c ebp=0457d034 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
OLEAUT32!VariantClear+0xb3:
76aa4971 8b08            mov     ecx,dword ptr [eax]  ds:0023:06076fd0=????????
0:005> !heap -p -a eax
    address 06076fd0 found in
    _DPH_HEAP_ROOT @ 17e1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)     // the memory holding the object has already been freed
                                    17e3e38:          6076000             2000
    728390b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    774e65f4 ntdll!RtlDebugFreeHeap+0x0000002f
    774aa0aa ntdll!RtlpFreeHeap+0x0000005d
    774765a6 ntdll!RtlFreeHeap+0x00000142
    76b898cd msvcrt!free+0x000000cd
    7141406c vbscript!VBScriptClass::`scalar deleting destructor'+0x00000019   
    7141411a vbscript!VBScriptClass::Release+0x00000043            // calls the class destructor, freeing the VBScriptClass object, i.e. the Trigger instance in the script
    76aa4977 OLEAUT32!VariantClear+0x000000b9
    6bfce433 IEFRAME!Detour_VariantClear+0x0000002f
    76abe325 OLEAUT32!ReleaseResources+0x000000a3
    76abdfb3 OLEAUT32!_SafeArrayDestroyData+0x00000048
    76ac5d2d OLEAUT32!SafeArrayDestroyData+0x0000000f
    76ac5d13 OLEAUT32!Thunk_SafeArrayDestroyData+0x00000039
    7145267f vbscript!VbsErase+0x00000057                        // vbscript!VbsErase was called; this function corresponds to `Erase array_a` in the script
    71403854 vbscript!StaticEntryPoint::Call+0x00000011
    7140586e vbscript!CScriptRuntime::RunNoEH+0x00001c10
    71404ff6 vbscript!CScriptRuntime::Run+0x00000064
The logic inside VBScriptClass::Release:
VBScriptClass *__stdcall VBScriptClass::Release(VBScriptClass *this)
{
  VBScriptClass *this_1; // ebx@1
  volatile LONG *v2; // edi@1
  VBScriptClass *result_1; // [sp+14h] [bp+8h]@1
  this_1 = this;
  v2 = (volatile LONG *)((char *)this + 4);
  result_1 = (VBScriptClass *)InterlockedDecrement((volatile LONG *)this + 1);// reference count -1; the reference count is stored at &VBScriptClass+0x4
  if ( !result_1 )                                                            // result_1 is the reference count; when it reaches zero, the object is released
  {
    InterlockedIncrement(v2);
    VBScriptClass::TerminateClass(this_1);                                    // the script overrides the class's Terminate destructor, and the overridden function adds another reference to the Object via array_b
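As an added illustration (not code from the original article or from the VBScript engine), the toy C model below reproduces the reference-counting pattern just described: Release drops the count, bumps it back up while the script-defined Terminate hook runs, and then frees the object. If the hook stores a fresh reference (as array_b does here), the vulnerable Release still frees the object and leaves that slot dangling, while a hardened Release re-checks the count after the hook. All names (Obj, g_retained, release_vulnerable, release_hardened) are constructed for this example and do not claim to mirror the vendor's patch.

```c
#include <stdlib.h>

/* Toy refcounted class object (constructed for this example). */
typedef struct Obj {
    long refcount;
    void (*terminate)(struct Obj *);  /* script-defined Class_Terminate hook */
} Obj;

static Obj *g_retained;  /* models array_b: a slot the Terminate hook can stash a reference in */
static int  g_freed;     /* counts frees, so the test never touches freed memory */

/* Hook that re-references the dying object, as the page describes for array_b. */
static void retaining_terminate(Obj *o) { o->refcount++; g_retained = o; }

/* Run the Terminate hook once: clear it first so a second Release cannot re-run it. */
static void run_terminate(Obj *o) {
    void (*hook)(Obj *) = o->terminate;
    o->terminate = NULL;
    if (hook) hook(o);
}

/* Vulnerable pattern: once the count hits zero, Terminate runs and the object
 * is freed regardless of any reference the hook created. Returns 1 if freed. */
static int release_vulnerable(Obj *o) {
    if (--o->refcount != 0) return 0;
    o->refcount++;                 /* guard reference while the hook runs */
    run_terminate(o);
    free(o); g_freed++;            /* g_retained now points at freed memory */
    return 1;
}

/* Hardened pattern: drop the guard reference after the hook and free only
 * if nobody took a reference in the meantime. Returns 1 if freed. */
static int release_hardened(Obj *o) {
    if (--o->refcount != 0) return 0;
    o->refcount++;
    run_terminate(o);
    if (--o->refcount != 0) return 0;  /* hook retained it: object stays alive */
    free(o); g_freed++;
    return 1;
}

/* Scenario: a single-reference object whose Terminate re-references it; the
 * release is the 'Erase array_a' step. Returns 1 if a live slot now dangles. */
static int dangling_after(int (*release)(Obj *)) {
    Obj *o = calloc(1, sizeof *o);
    o->refcount = 1; o->terminate = retaining_terminate;
    g_retained = NULL; g_freed = 0;
    release(o);
    return g_retained != NULL && g_freed == 1;
}
```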
