CVE-2018-8174双杀漏洞分析复现及防御
来源:岁月联盟
时间:2020-01-29
//winDbg 附加IE调试后可以捕捉到此崩溃现场
//汇编
..
76aa4966 8b4608 mov eax,dword ptr [esi+8]
76aa4969 85c0 test eax,eax
76aa496b 0f8454f5ffff je OLEAUT32!VariantClear+0xc3 (76aa3ec5)
76aa4971 8b08 mov ecx,dword ptr [eax] ds:0023:06076fd0=????????
..
//command
0:013> g
(e84.548): Access violation - code c0000005 (first chance) //访问已经释放的内存,从而崩溃
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=06076fd0 ebx=06192fe0 ecx=00000009 edx=00000002 esi=06192fe0 edi=00000009
eip=76aa4971 esp=0457d02c ebp=0457d034 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
OLEAUT32!VariantClear+0xb3:
76aa4971 8b08 mov ecx,dword ptr [eax] ds:0023:06076fd0=????????
0:005> !heap -p -a eax
address 06076fd0 found in
_DPH_HEAP_ROOT @ 17e1000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize) //对象所在的内存已经被释放
17e3e38: 6076000 2000
728390b2 verifier!AVrfDebugPageHeapFree+0x000000c2
774e65f4 ntdll!RtlDebugFreeHeap+0x0000002f
774aa0aa ntdll!RtlpFreeHeap+0x0000005d
774765a6 ntdll!RtlFreeHeap+0x00000142
76b898cd msvcrt!free+0x000000cd
7141406c vbscript!VBScriptClass::`scalar deleting destructor'+0x00000019
7141411a vbscript!VBScriptClass::Release+0x00000043 //调用类的析构函数,释放了VBScriptClass对象,也就是脚本中的Trigger实例
76aa4977 OLEAUT32!VariantClear+0x000000b9
6bfce433 IEFRAME!Detour_VariantClear+0x0000002f
76abe325 OLEAUT32!ReleaseResources+0x000000a3
76abdfb3 OLEAUT32!_SafeArrayDestroyData+0x00000048
76ac5d2d OLEAUT32!SafeArrayDestroyData+0x0000000f
76ac5d13 OLEAUT32!Thunk_SafeArrayDestroyData+0x00000039
7145267f vbscript!VbsErase+0x00000057 //调用了 vbscript!VbsErase,此函数对应脚本中的 `Erase array_a`
71403854 vbscript!StaticEntryPoint::Call+0x00000011
7140586e vbscript!CScriptRuntime::RunNoEH+0x00001c10
71404ff6 vbscript!CScriptRuntime::Run+0x00000064
在VBScriptClass::Release函数中的逻辑:
VBScriptClass *__stdcall VBScriptClass::Release(VBScriptClass *this)
{
VBScriptClass *this_1; // ebx@1
volatile LONG *v2; // edi@1
VBScriptClass *result_1; // [sp+14h] [bp+8h]@1
this_1 = this;
v2 = (volatile LONG *)((char *)this + 4);
result_1 = (VBScriptClass *)InterlockedDecrement((volatile LONG *)this + 1);// 引用计数 -1,引用计数保存在&VBScriptClass+0x4的位置
if ( !result_1 ) // result为引用计数,为零则进入内存释放
{
InterlockedIncrement(v2);
VBScriptClass::TerminateClass(this_1); // 脚本重载了类Terminate的析构函数,在重载的函数中又增加了array_b对Object的引用