CVE-2018-8174 "Double Kill" vulnerability analysis, reproduction and defense
Source: 岁月联盟
Date: 2020-01-29
vbscript!VbsIsEmpty:
6ab2c206 8bff mov edi,edi
0:006> dd 010526e0
010526e0 6ab11748 00000002 010345e0 0049e910 //reference count has become 0x02
010526f0 00000808 00000000 00000000 00000000
01052700 00000000 003af554 00000000 010526a8
01052710 5e163a1d 80000000 000000cd 00000000
01052720 00000000 00000000 00000000 00000000
01052730 00000000 00000000 00000000 00000000
01052740 00000000 00000000 5e163a16 80000000
01052750 000000d4 00000000 00000000 00000000
0:006> du 003af554
003af554 "cla4" //same address: cla4_obj1 has already taken the slot
Third IsEmpty breakpoint, the argument is array_c:
Breakpoint 3 hit
eax=6ab1185c ebx=0289cb64 ecx=6ab6a9d8 edx=0289cadc esi=0104783c edi=00000001
eip=6ab2c206 esp=0289c9f8 ebp=0289ca08 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
vbscript!VbsIsEmpty:
6ab2c206 8bff mov edi,edi
0:006> dd poi(esp+C)
0049f1a0 0000600c 00000000 01051140 00375bc0 //00340308 is array_c's data buffer
0049f1b0 02890002 0049ffc0 01050013 0289c9c0
0049f1c0 02890002 0049ffc0 01050001 0289c9c0
0049f1d0 6ab10002 0289c9fc 02890027 0049ffc0
0049f1e0 6ab10002 0289c9fc 02890001 0049ffc0
0049f1f0 6ab10002 0289c9fc 02890006 0049ffc0
0049f200 6ab10002 0289c9fc 02890001 0049ffc0
0049f210 6ab10002 0289c9fc 02890006 0049ffc0
0:006> dt ole32!safearray 00375bc0
+0x000 cDims : 1
+0x002 fFeatures : 0x892
+0x004 cbElements : 0x10
+0x008 cLocks : 0
+0x00c pvData : 0x00371888 Void //address of array_c's data elements
+0x010 rgsabound : [1] tagSAFEARRAYBOUND
0:006> dd 0x00371888
00371888 6ab10009 010526e4 01052718 6ab14211 //023b1f98 is the class object address
00371898 6ab10009 0105271c 01052718 6ab14211
003718a8 6ab10009 0105271c 01052718 6ab14211
003718b8 6ab10009 0105271c 01052718 6ab14211
003718c8 6ab10009 0105271c 01052718 6ab14211
003718d8 6ab10009 0105271c 01052718 6ab14211
003718e8 6ab10009 0105271c 01052718 6ab14211
003718f8 5e2b1c00 8e000000 00690066 0065006c
0:006> dd 01052718
01052718 6ab100cd 00000000 00000000 00000000 //reference count is already 0
01052728 00000808 00000000 00000000 01037bcc
01052738 00000001 00370d34 00000000 00000000
01052748 5e163a16 80000000 000000d4 00000000
01052758 00000000 00000000 00000000 00000000
01052768 00000000 00000000 00000000 00000000
01052778 00000000 00000000 5e163a0f 80000000
01052788 000000db 00000000 00000000 00000000
0:006> du 00370d34
00370d34 "cla2"
Fourth IsEmpty breakpoint; by now MyClass2_obj2 has finished taking the slot:
//still inspecting the class object address 1052718
Class cla4 created at 1052718
Breakpoint 3 hit
eax=6ab1185c ebx=0289cb64 ecx=6ab6a9d8 edx=0289cadc esi=0104783c edi=00000001
eip=6ab2c206 esp=0289c9f8 ebp=0289ca08 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
vbscript!VbsIsEmpty:
6ab2c206 8bff mov edi,edi
0:006> dd 01052718
01052718 6ab11748 00000002 01034700 0049e910 //reference count has become 0x02
01052728 00000808 00000000 00000000 00000000
01052738 00000000 00370d34 00000000 010526e0
01052748 5e163a16 80000000 000000d4 00000000
01052758 00000000 00000000 00000000 00000000
01052768 00000000 00000000 00000000 00000000
01052778 00000000 00000000 5e163a0f 80000000
01052788 000000db 00000000 00000000 00000000
0:006> du 00370d34 //same address: cla4_obj2 has already taken the slot
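To make the dumps above easier to check, here is an added Python helper (not part of the original article) that parses `dd` output, names the FADF_* bits in the SAFEARRAY's fFeatures word, and walks the 16-byte VARIANT elements of array_c to report entries that still point at a class object whose reference count is 0, which is the use-after-free condition the session shows. It assumes the 32-bit VARIANT layout (vt in the low word, pdispVal at +8), the FADF_* values from oaidl.h, and that the object's refcount is its second dword, as the annotations in the dumps state.

```python
# Constructed input: `dd` lines copied from the WinDbg session above. Rows 1-3 are
# array_c's pvData (three VARIANTs); rows 4-5 are the freed object at 01052718
# and the live object at 010526e0.
DUMP = """
00371888 6ab10009 010526e4 01052718 6ab14211
00371898 6ab10009 0105271c 01052718 6ab14211
003718a8 6ab10009 0105271c 01052718 6ab14211
01052718 6ab100cd 00000000 00000000 00000000
010526e0 6ab11748 00000002 010345e0 0049e910
"""
VT_DISPATCH = 0x0009   # VARENUM value for an IDispatch* element
VARIANT_SIZE = 0x10    # matches cbElements in the SAFEARRAY dump (32-bit)
FADF = {0x1: "AUTO", 0x2: "STATIC", 0x4: "EMBEDDED", 0x10: "FIXEDSIZE",     # oaidl.h
        0x20: "RECORD", 0x40: "HAVEIID", 0x80: "HAVEVARTYPE", 0x100: "BSTR",
        0x200: "UNKNOWN", 0x400: "DISPATCH", 0x800: "VARIANT"}

def parse_dd(text):
    """Map each dword address in `dd` output to its value."""
    mem = {}
    for line in text.strip().splitlines():
        addr, *words = line.split()
        for i, word in enumerate(words):
            mem[int(addr, 16) + 4 * i] = int(word, 16)
    return mem

def decode_features(f_features):
    """Name the FADF_* flags set in a SAFEARRAY fFeatures word."""
    return sorted(name for bit, name in FADF.items() if f_features & bit)

def read_variant(mem, addr):
    """32-bit VARIANT: vt is the low word of dword 0, pdispVal sits at +8."""
    return mem[addr] & 0xFFFF, mem[addr + 8]

def refcount(mem, obj):
    """Second dword of a vbscript class object (assumption per the annotations above)."""
    return mem.get(obj + 4)

def dangling_refs(mem, pv_data, count):
    """VT_DISPATCH elements that still point at an object whose refcount is 0."""
    bad = []
    for i in range(count):
        slot = pv_data + VARIANT_SIZE * i
        vt, target = read_variant(mem, slot)
        if vt == VT_DISPATCH and refcount(mem, target) == 0:
            bad.append((slot, target))
    return bad

if __name__ == "__main__":
    mem = parse_dd(DUMP)
    print("fFeatures 0x892 =", decode_features(0x892))
    for slot, target in dangling_refs(mem, 0x00371888, 3):
        print(f"VARIANT at {slot:08x} -> freed object {target:08x}")
```

Run against the page's own values it reports all three elements of array_c pointing at 01052718 while that object's refcount dword is 0, i.e. the stale references that the later cla4 allocation then overlays.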