MS07-0 0 4 General overflow of the method-completion-bug warning-the black bar safety net

ID MYHACK58:62200714594
Type myhack58
Reporter 佚名
Modified 2007-03-17T00:00:00


This article ms07-0 0 4 as an example, explores this vulnerability of the General method, to restore the ie method, as well as the heap spray technology.

The topic is!

by axis

Date: 2007-02-13


MS07-0 0 4 out there for some time, I wrote an analysis paper, and for this released a POC.

In fact, because we can control the point to the memory address of 0x00xxxxxx, except that the first byte is 0 0 Not In control, the next three bytes can be controlled, so that in fact we have a very large range of choice.

Many people have the common headache, here I for this exp gives a generic address.

Because this vulnerability is special, so may be this address can only be applied to this one address.


0 0 4 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 4 8 1B DD BB........... H brasenia 0 0 4 2 0 0 1 0 0 0 0 0 0 0 0 0 0C 0 0 0 1 0 0 C8 9A F2 E1 0 8 EA A4 E1....... 葰 lizard reel

Note 0x00420011 place is 0c

And in the vulnerability of the use of the pointer is a call [ecx+10h]

So the coverage of the address need to subtract 10h

And this 0x00420011 address, and ie-related, in all current windows platforms, regardless of language, and version, as well as all of the ie versions, is fixed to 0c

So we use this address, it becomes a call 0x00420011

Went 0x0c000000 to execute the code went

And this time, the pile has been our heap spray, so the code will continue execution into our shellcode to go.

Here the selection of 0c, the benefit is that because double-byte instructions, very easy to do the heap spray。

In fact, these ie vulnerabilities, the main problem there are several

  1. Versatility above have been resolved.

  2. Stability (trigger the vulnerability probability) ms07-0 0 4 This stability I think is good

  3. Do not hang ie On that point may be a detailed way, before the thought just simply restore the stack balanced as you can, in fact, restore the stack balance is useless, because this is a heap overflow, overwriting the stack pointer, and the heap has been our destruction clean up, so the back will always be in a dll. error. While the stack is inherently balanced, and does not need recovery.

So this kind of vulnerability, to achieve not hang ie the effect I say is not linked to ie, not to make ie dead, you need to restore the heap. And the cattle after discussion, to obtain two kinds of methods: one is hook RtlCreateHeap, hook RtlAllocHeap re-allocation of a heap; another method is: hook RtlFreeHeap not get hang up on it. Or everyone what other good methods, welcome Supplement.

  1. Robustness Since stack overflow, so for access to a multi-page memory 0x0c0c0c0c have been something else occupied, so to run within a shellcode to go, it is this vulnerability and why bad reasons.

This problem belongs to the such vulnerability of birth defects. swan had been raised with the memory empty way to get the heap address is pushed into the memory that high, but I tried to find work. luoluo proposed to use java to allocate memory and do the heap spray。 This is a viable method, and also have poc implementation, the memory allocated in the 0x21xxxxxx near, 0x24 this command is also very good, you can do the heap spray。

ms07-0 0 4 In addition to the last point of the multi-page I the problem didn't solve, the other are already solved, including bypass firewall. the poc code is inconvenient to come out, the article will stop here.