The exception in exception handling: achieving unbelievable exploitation through quirks in the system's exception handling - Vulnerability Warning - Black Bar Safety Net

2016-04-20T00:00:00
ID MYHACK58:62201673799
Type myhack58
Reporter tombkeeper
Modified 2016-04-20T00:00:00

Description

Memory read, write and execute attributes are among the most important security mechanisms of a system. Normally, if you want to overwrite data in memory you must first make sure that the memory has the write attribute, and if you want to execute a piece of code in memory you must first make sure that the memory has the execute attribute; otherwise an exception is thrown. However, the exception-handling process of Windows contains a few small exceptions of its own, and with them it becomes possible to write to what is known to be non-writable and to execute what is known to be non-executable.

0x01 Directly rewriting read-only memory

In my CanSecWest 2014 talk "ROPs are for the 99%" I described a fun IE exploitation technique: by modifying certain flags in a JavaScript object, SafeMode is turned off, so IE can load dangerous objects such as WScript.Shell and thereby execute arbitrary code without any regard for DEP.

However, modifying the SafeMode flag is not the only way to make IE load dangerous objects.

Some of IE's user interface is actually implemented in HTML, and this HTML is usually stored in the resources of ieframe.dll. For example, print preview is res://ieframe.dll/preview.dlg, Organize Favorites is res://ieframe.dll/orgfav.dlg, and the page properties dialog is res://ieframe.dll/docppg.ppg.

For this HTML, IE creates a separate rendering instance as well as an independent JavaScript engine instance, and in the JavaScript engine instances created for this HTML, SafeMode is turned off by default.

So as long as JavaScript code is inserted into the resources of ieframe.dll and the corresponding IE function is then triggered, the inserted code is treated as IE's own functional code and executed in a JavaScript instance with SafeMode turned off.

However, the PE resource section is read-only. If you try to use an arbitrary-address-write vulnerability to rewrite the ieframe.dll resource directly, a write access violation is triggered:

```
eax=00000041 ebx=1e2e31b0 ecx=00000000 edx=00000083 esi=1e2e31b0 edi=68b77fe5
eip=69c6585f esp=0363ac00 ebp=0363ac84 iopl=0         nv up ei pl nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
jscript9!Js::JavascriptOperators::OP_SetElementI+0x117:
69c6585f 88040f          mov     byte ptr [edi+ecx],al      ds:002b:68b77fe5=76
0:008> !exchain
0363b0f0: jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+1570 (69b421d1)
0363b648: jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+1570 (69b421d1)
0363bab8: jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+1570 (69b421d1)
0363bb78: jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+28c0 (69c71564)
0363bbc0: jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+2898 (69c7150f)
0363bc44: jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+276a (69d0dedd)
0363c588: MSHTML!_except_handler4+0 (66495fa4)
  CRT scope  0, filter: MSHTML!... Omitted... (6652bbe8)
                func:   MSHTML!... Omitted... (6652bbf1)
0363c62c: user32!_except_handler4+0 (7569a61e)
  CRT scope  0, func:   user32!UserCallWinProcCheckWow+123 (75664456)
0363c68c: user32!_except_handler4+0 (7569a61e)
  CRT scope  0, filter: user32!DispatchMessageWorker+15e (756659b7)
                func:   user32!DispatchMessageWorker+171 (756659ca)
0363f9a8: ntdll!_except_handler4+0 (776a71f5)
  CRT scope  0, filter: ntdll!RtlUserThreadStart+2e (776a74d0)
                func:   ntdll!RtlUserThreadStart+63 (776a90eb)
0363f9c8: ntdll!FinalExceptionHandler+0 (776f7428)
```

Higher up the exception-handling chain, the exception handler in mshtml.dll eventually calls kernel32!RaiseFailFastException(). If the g_fFailFastHandlerDisabled flag is false, it terminates the current process:

```c
int __thiscall RaiseFailFastExceptionFilter(int this)
{
  signed int *v1; // esi@1
  CONTEXT *v2; // ST04_4@2
  signed int v3; // eax@2
  UINT v4; // ST08_4@4
  HANDLE v5; // eax@4

  v1 = (signed int *)this;
  if ( !g_fFailFastHandlerDisabled )
  {
    v2 = *(CONTEXT **)(this + 4);
    g_fFailFastHandlerDisabled = 1;   // only the first fail-fast is raised
    RaiseFailFastException((PEXCEPTION_RECORD)this, v2, 2u);
    v3 = 1653;                        // default exit code if no exception record
    if ( v1 )
      v3 = *v1;
    v4 = v3;
    v5 = GetCurrentProcess();
    TerminateProcess(v5, v4);         // the process is killed here
  }
  return 0;
}
```

However, if the g_fFailFastHandlerDisabled flag is true, the exception-handling chain proceeds to kernel32!UnhandledExceptionFilter(), which ultimately runs kernel32!CheckForReadOnlyResourceFilter():

```c
int __stdcall CheckForReadOnlyResourceFilter(int a1)
{
  int result; // eax@2

  // a1 is the EXCEPTION_POINTERS of the faulting write
  if ( BasepAllowResourceConversion )
    result = CheckForReadOnlyResource(a1, 0);
  else
    result = 0;
  return result;
}
```
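To make the mechanism this section builds up to concrete, here is an added, portable model (not code from the article, not Windows code) of a fault filter that decides whether a write to a read-only page is refused or silently converted into a successful write: a page mapped read-only with mmap/mprotect stands in for the resource section, a SIGSEGV handler stands in for CheckForReadOnlyResourceFilter, and the hypothetical names try_write, setup_readonly_page and g_allow_conversion (the analogue of BasepAllowResourceConversion) are mine. It assumes Linux/POSIX signal semantics.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* One read-only page standing in for a PE resource section (constructed sample). */
static volatile unsigned char *g_page;
static size_t g_page_size;
static int g_allow_conversion;             /* stands in for BasepAllowResourceConversion */
static volatile sig_atomic_t g_converted;  /* how often the handler granted write access */
static sigjmp_buf g_refused;

/* Fault handler in the role of the filter: with conversion enabled and the fault inside our
 * page, make the page writable and return, so the faulting store re-executes and succeeds. */
static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    uintptr_t addr = (uintptr_t)si->si_addr, base = (uintptr_t)g_page;
    (void)sig; (void)ctx;
    if (g_allow_conversion && addr >= base && addr < base + g_page_size) {
        mprotect((void *)g_page, g_page_size, PROT_READ | PROT_WRITE);
        g_converted++;
        return;
    }
    siglongjmp(g_refused, 1);   /* strict policy: abandon the write instead */
}

/* Map the page, fill it, make it read-only and install the handler. Returns 0 on success. */
int setup_readonly_page(void)
{
    struct sigaction sa;
    g_page_size = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, g_page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memset(p, 0x76, g_page_size);            /* pretend this is resource data */
    g_page = p;
    if (mprotect(p, g_page_size, PROT_READ) != 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    return sigaction(SIGSEGV, &sa, NULL) | sigaction(SIGBUS, &sa, NULL);
}

/* Attempt a one-byte store into the page: 1 if the byte landed, 0 if the write was refused. */
int try_write(int allow_conversion, unsigned char value)
{
    g_allow_conversion = allow_conversion;
    if (sigsetjmp(g_refused, 1) != 0) return 0;
    g_page[0] = value;
    return g_page[0] == value;
}
int conversions(void) { return (int)g_converted; }
```

Once the handler has converted the page, later writes no longer fault at all, which is why a permissive filter removes the read-only guarantee for good rather than for a single access.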
