- Windows 7 SP1 32-bit
- IE 11
0x2 Vulnerability Reproduction
Run the PoC and get a crash in WinDbg:
Here we get an access violation exception.
Next we need to locate this code in jscript9.dll in IDA Pro. The crash address is 0x695b0de2, and we need the base address of this DLL:
The start address is 0x693b0000, so the address we want to check in IDA Pro is:
2:051> ? 695b0de2 - 693b0000 + 10000000
So the address is 0x10200de2.
In IDA Pro, locate the code:
Based on the code:
we can guess that eax holds the C++ object's base address, and that address -4 should contain the vtable address. To verify the assumption, modify the PoC:
However, the DLL is not loaded yet when we restart debugging. We can use the WinDbg command
sxe ld:modulename to break when jscript9.dll is loaded for the first time, and then set the breakpoint on that address.
As you can see, we get the vtable address.
Next, rewrite the PoC:
The PoC creates an IMG object and an attribute loop, so we need to find these two addresses. First of all, enable hpa and ust in gflags:
gflags /i iexplore.exe +hpa +ust
Then open the PoC file in IE and attach WinDbg. Run
x MSHTML!CImgElement::* to list all CImgElement functions.
The CreateElement function creates the object. Set a breakpoint here and run:
bp MSHTML!CImgElement::CreateElement; g
Click the message box in the web page and we hit the breakpoint:
HeapAlloc allocates a buffer of size 0x5c; its address is returned in eax: 0x0d524fa0.
Address 0x0d524fa0 will be the IMG object's address. But why?
Keep going:
before calling MSHTML!CImgElement::CImgElement, ecx contains the eax value 0d524fa0.
Use the dps command (display pointers and symbols):
This is the vtable address.
Next, search for the Attribute object's base address:
It is a constructor function. Put a breakpoint here.
Run g; this will hit alert(1); in the PoC. Click OK.
Keep stepping in until we reach here:
So the attribute object's base address is in ebx, and its value is 0x0d5a2fa0.
So the address of the IMG object is 0x0d524fa0 and the address of the Attribute object is 0x0d5a2fa0.
Back to the PoC:
This line assigns an IMG object to a member of the attribute object. Let's search for the function that does this:
MSHTML!CAttribute::put_nodeValue can do this. Set the breakpoint:
bp MSHTML!CAttribute::put_nodeValue and go
And we reach MSHTML!CAttribute::put_nodeValue:
Check the call stack:
The breakpoint seems correct; put_nodeValue appears to be the entry point of the assignment. Keep going.
Use t to trace down:
Now we can see that the IMG object's address is copied into the attribute object at offset 0x30.
Next in the PoC:
We want to locate the address of this code. First of all, run
s-d 0x0 L?0x7fffffff 41424344 to find all occurrences of 41424344, then execute the code and search again; the extra hit should be the address of the 41424344 in the PoC code.
Then keep going: press
g, and after the alert(4) popup, run
s-d 0x0 L?0x7fffffff 41424344
We have a new address: 0x14162fc8.
!heap -p -a 14162fc8
We find that UserAddr is 14162fc0, so the memory is allocated from 14162fc0 and the address of 41424344 is 8 bytes after it.
HeapAlloc allocates memory; the address is 12fd1fc0.
Step in and check edi:
Now remember that the IMG object's address is 0x0d524fa0.
The whole process is:
Back to the PoC:
And finally we get: