CVE-2018-8174 "Double Kill" vulnerability: analysis, reproduction and defense

Source: 岁月联盟  Editor: 猪蛋儿  Date: 2020-01-29
0178afd0  6fb61748 00000002 05fd1f78 08477f88
0178afe0  00000e08 00000000 00000000 05fd5efc
0178aff0  00000000 088d6fe4 00000000 00000000
0178b000  ???????? ???????? ???????? ????????
0:005> du 088d6fe4
088d6fe4  "Trigger"
Second breakpoint:
Execution reaches the second IsEmpty, i.e. the IsEmpty inside the destructor (Erase array_a triggers the Class_Terminate destructor). At this point Set array_b(0)=array_a(1) has already executed, so:
Breakpoint 3 hit
eax=6fb6185c ebx=044bcf48 ecx=6fbba9d8 edx=044bcec0 esi=05faf54c edi=00000001
eip=6fb7c206 esp=044bcddc ebp=044bcdec iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
vbscript!VbsIsEmpty:
6fb7c206 8bff            mov     edi,edi
0:005> dd poi(esp+c)
05fbbf30  c0c0600c c0c0c0c0 05fc5ed4 082a4fe8        //data buffer is at 082a4fe8
05fbbf40  c0c00000 c0c0c0c0 0178afd0 c0c0c0c0
05fbbf50  044bd334 05fbbf80 c0c00001 c0c0c0c0
05fbbf60  044b400c 77431fd0 05fc5e88 01721020
05fbbf70  c0c00000 c0c0c0c0 c0c0c0c0 c0c0c0c0
05fbbf80  044bd578 05fbbfa0 c0c0c0c0 c0c0c0c0
05fbbf90  c0c00000 c0c0c0c0 c0c0c0c0 c0c0c0c0
05fbbfa0  044bd7bc 05fbbfe0 c0c00001 c0c0c0c0
0:005> dd 082a4fe8                                    //SAFEARRAY structure
082a4fe8  08920001 00000010 00000000 012edfe0       
082a4ff8  00000002 00000000 ???????? ????????
082a5008  ???????? ???????? ???????? ????????
0:005> dt ole32!safearray 082a4fe8
   +0x000 cDims            : 1
   +0x002 fFeatures        : 0x892
   +0x004 cbElements       : 0x10
   +0x008 cLocks           : 0
   +0x00c pvData           : 0x012edfe0 Void        //address of array_b's data elements
   +0x010 rgsabound        : [1] tagSAFEARRAYBOUND
  
0:005> dd 0x012edfe0 lc
012edfe0  c0c00009 c0c0c0c0 0178afd0 c0c0c0c0        //type is still 0x09 (VT_DISPATCH); array_b(0) still holds the class object address
012edff0  00000000 00000000 00000000 00000000
012ee000  ???????? ???????? ???????? ????????
0:005> ln poi(0178afd0 )        //class object address 0178afd0
(6fb61748)   vbscript!VBScriptClass::`vftable'   |  (6fb6c518)   vbscript!__pfnDefaultDliNotifyHook2
Exact matches:
    vbscript!VBScriptClass::`vftable' =
   
0:005> dd 0178afd0
0178afd0  6fb61748 00000004 05fd1f78 08477f88
0178afe0  00000e08 00000000 00000000 05fd5efc
0178aff0  00000001 088d6fe4 00000000 00000000
0178b000  ???????? ???????? ???????? ????????
0:005> du 088d6fe4             //class name
088d6fe4  "Trigger"
Third breakpoint: Erase has now finished executing:
Breakpoint 3 hit
eax=6fb6185c ebx=044bd284 ecx=6fbba9d8 edx=044bd1fc esi=05faf54c edi=00000001
eip=6fb7c206 esp=044bd118 ebp=044bd128 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
vbscript!VbsIsEmpty:
6fb7c206 8bff            mov     edi,edi
//Reading the object's address now returns nothing (???? = memory no longer accessible):
0:005> dd 0178afd0
0178afd0  ???????? ???????? ???????? ????????
0178afe0  ???????? ???????? ???????? ????????
0178aff0  ???????? ???????? ???????? ????????
0:005> !heap -p -a 0178afd0
    address 0178afd0 found in
    _DPH_HEAP_ROOT @ 1721000
    //"in free-ed allocation" means the block has already been freed
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    1722e38:          178a000             2000
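To make the two dumps above easier to read, here is an added helper (not part of the original article) that decodes the 32-bit SAFEARRAY header and the VARIANT elements behind pvData from WinDbg `dd` output, and reports which elements still hold a VT_DISPATCH reference to the object address that `!heap` shows as freed. The dump text is constructed from the listings above; FADF_* and VT_* constants are the standard OLE Automation values.

```python
import struct

# Constructed from the `dd 082a4fe8` and `dd 0x012edfe0` listings above (32-bit layout).
SAFEARRAY_DUMP = """
082a4fe8  08920001 00000010 00000000 012edfe0
082a4ff8  00000002 00000000
"""
ELEMENT_DUMP = """
012edfe0  c0c00009 c0c0c0c0 0178afd0 c0c0c0c0
012edff0  00000000 00000000 00000000 00000000
"""

FADF_FLAGS = {0x1: "FADF_AUTO", 0x2: "FADF_STATIC", 0x4: "FADF_EMBEDDED",
              0x10: "FADF_FIXEDSIZE", 0x20: "FADF_RECORD", 0x40: "FADF_HAVEIID",
              0x80: "FADF_HAVEVARTYPE", 0x100: "FADF_BSTR", 0x200: "FADF_UNKNOWN",
              0x400: "FADF_DISPATCH", 0x800: "FADF_VARIANT"}
VT_NAMES = {0: "VT_EMPTY", 9: "VT_DISPATCH", 12: "VT_VARIANT"}  # subset used on this page

def dd_to_bytes(dump):
    """Turn WinDbg `dd` lines into little-endian bytes; skips the address column and '????'."""
    out = b""
    for line in dump.strip().splitlines():
        for word in line.split()[1:]:
            if word.startswith("?"):
                break
            out += struct.pack("<I", int(word, 16))
    return out

def parse_safearray(dump):
    """Decode cDims/fFeatures/cbElements/cLocks/pvData and the rgsabound array."""
    b = dd_to_bytes(dump)
    cdims, ffeat, cbelem, clocks, pvdata = struct.unpack_from("<HHIII", b, 0)
    bounds = [struct.unpack_from("<Ii", b, 16 + 8 * i) for i in range(cdims)]  # (cElements, lLbound)
    names = [n for f, n in sorted(FADF_FLAGS.items()) if ffeat & f]
    return {"cDims": cdims, "fFeatures": ffeat, "features": names, "cbElements": cbelem,
            "cLocks": clocks, "pvData": pvdata, "rgsabound": bounds}

def parse_variants(dump, count):
    """Decode `count` 16-byte VARIANTs: vt at +0, the pointer/value at +8."""
    b = dd_to_bytes(dump)
    elems = []
    for i in range(count):
        vt, = struct.unpack_from("<H", b, 16 * i)
        val, = struct.unpack_from("<I", b, 16 * i + 8)
        elems.append({"vt": vt, "vt_name": VT_NAMES.get(vt & 0xFFF, "VT_%#x" % (vt & 0xFFF)),
                      "byref": bool(vt & 0x4000), "array": bool(vt & 0x2000), "value": val})
    return elems

def dangling_refs(elems, freed_addr):
    """Indices of elements that still point at an object address `!heap -p -a` reports as freed."""
    return [i for i, e in enumerate(elems) if e["vt_name"] == "VT_DISPATCH" and e["value"] == freed_addr]
```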
