new IE 0day coming: mshtml!CDwnBindInfo object use-after-free vulnerability

一个影响IE8及以上版本的0day被国外某网站所披露,它通过挂马方式,针对CFR(Council on Foreign Relations)网站的用户进行定向攻击。

在@eromang及@yomuds的帮助下,我们对其进行了简单分析。我们发现其本质是mshtml!CDwnBindInfo对象释放后重用(use-after-free),引发内存崩溃;通过精心构造堆内存,攻击者可执行任意代码。

0:015> bl
0 e 3dc4ec35     0001 (0001)  0:**** mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c ".echo after init mshtml!CDwnBindInfo obj;du poi(esp+34);r;kb 3;"
2 eu             0001 (0001) (jscript!JsAtan2) ".printf "%mu", poi(poi(poi(esp+14)+8)+8);.echo;g"
0:015> g

.........

fire in the hole!!!
after init mshtml!CDwnBindInfo obj
022f5fc4  "http://blog.vulnhunt.com/"
eax=032c3e80 ebx=00000000 ecx=00000000 edx=00000054 esi=00236a88 edi=08000000
eip=3dc4ec35 esp=016aa220 ebp=016aa248 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c:
3dc4ec35 test    eax,eax
ChildEBP RetAddr  Args to Child
016aa248 3dce606e 00236a88 022f5fc4 022f5cac mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c
016aa340 3db8fbf5 001f73d8 00000000 00000000 mshtml!CDoc::FollowHyperlink2+0xa27
016aa3e8 3db8fb2c 001f73d8 00000000 00000040 mshtml!CWindow::FollowHyperlinkHelper+0x1ce
eax=032c3e80 ebx=00000000 ecx=00000000 edx=00000054 esi=00236a88 edi=08000000
eip=3dc4ec35 esp=016aa220 ebp=016aa248 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c:
3dc4ec35 test    eax,eax

0:008> bl
0 e 3dc4ec35     0001 (0001)  0:**** mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c ".echo after init mshtml!CDwnBindInfo obj;du poi(esp+34);r;kb 3;g"
1 d 032c3e80 w 1 0001 (0001)  0:****
2 e 3e388f09     0001 (0001)  0:**** jscript!JsAtan2 ".printf "%mu", poi(poi(poi(esp+14)+8)+8);.echo;g"

fire in the hole!!! object freed

after init mshtml!CDwnBindInfo obj
002445ac  "http://10.0.2.2:9090/??/happy/ne"
002445ec  "w/year/from/blog.vulnhunt.com/"
eax=032c2da0 ebx=00000000 ecx=00000000 edx=00000054 esi=00236a88 edi=08000000
eip=3dc4ec35 esp=016aa070 ebp=016aa098 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c:
3dc4ec35 test    eax,eax
ChildEBP RetAddr  Args to Child
016aa098 3dce606e 00236a88 002445ac 022f5cac mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c
016aa190 3db8fbf5 001f7568 00000000 00000000 mshtml!CDoc::FollowHyperlink2+0xa27
016aa238 3db8fb2c 001f7568 00000000 00000040 mshtml!CWindow::FollowHyperlinkHelper+0x1ce
(cfc.d28): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10ab0d0c ebx=001fb488 ecx=00000052 edx=00000000 esi=00000000 edi=032c3e80
eip=3dc66271 esp=016ad79c ebp=016ad80c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CMarkup::OnLoadStatusDone+0x504:
3dc66271 call    dword ptr [eax+0DCh]                 ds:0023:10ab0de8=????????

IE在渲染页面时,当js调用location.href触发导航,CDoc::SetupDwnBindInfoAndBindCtx会创建一个mshtml!CDwnBindInfo对象实例,并把该对象的指针保存在CDoc对象中。

HRESULT __cdecl CDoc::SetupDwnBindInfoAndBindCtx(int a1, int a2, HRESULT a3, int pcszURL, int a5, int a6, int a7, int a8, int a9, int a10, IBindCtx **ppBC, int a12, char a13, IUnknown *ppstgOpen)
{
…
v58 = 0;
if ( HeapAlloc(g_hProcessHeap, 8u, 0x54u) )
v22 = CDwnBindInfo::CDwnBindInfo(); /* allocated mshtml!CDwnBindInfo object */
else
v22 = 0;
*(_DWORD *)a10 = v22;
if ( !v22 )
goto LABEL_145;
lpString = (LPCWSTR)(a12 & 0x100);
if ( a12 & 0x100 )
*(_DWORD *)(v22 + 80) |= 8u;
if ( CDwnDoc::operator new() )
{
v23 = CDwnDoc::CDwnDoc();
v57 = v23;
}

该mshtml!CDwnBindInfo对象在mshtml!CDoc::FollowHyperlink2中被释放,而CDoc对象中保存的指向它的指针并没有被清除,从而留下一个悬空指针。

0:008> ba w1 032c3e80
0:008> g
Breakpoint 1 hit
eax=02257130 ebx=00000000 ecx=032c3e80 edx=001794e8 esi=032c3e80 edi=032c3e80
eip=3db2b04c esp=016aa24c ebp=016aa25c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CDwnBindInfo::~CDwnBindInfo+0x11:
3db2b04c mov     dword ptr [edi+10h],offset mshtml!CDwnBindInfo::`vftable' (3db5d634) ds:0023:032c3e90={mshtml!CDwnBindInfo::`vftable' (3db5d634)}
0:008> knL 10
# ChildEBP RetAddr
00 016aa250 3dc4ece5 mshtml!CDwnBindInfo::~CDwnBindInfo+0x11
01 016aa25c 3db2a92d mshtml!CDwnBindInfo::`scalar deleting destructor'+0xd
02 016aa268 3db2a91f mshtml!CBaseFT::SubRelease+0x1f
03 016aa274 3db2ac05 mshtml!CBaseFT::Release+0x22
04 016aa27c 3dc4ff0c mshtml!CDwnBindInfo::Release+0x10
05 016aa340 3db8fbf5 mshtml!CDoc::FollowHyperlink2+0xe22
06 016aa3e8 3db8fb2c mshtml!CWindow::FollowHyperlinkHelper+0x1ce
07 016aa440 3dc3933a mshtml!CWindow::NavigateEx+0x155
08 016aa4c0 3e373a9a mshtml!COmLocationProxy::InvokeEx+0x2ab
09 016aa500 3e3739e6 jscript!IDispatchExInvokeEx2+0xf8
0a 016aa53c 3e374f26 jscript!IDispatchExInvokeEx+0x6a
0b 016aa5fc 3e374e80 jscript!InvokeDispatchEx+0x98
0c 016aa630 3e372d6d jscript!VAR::InvokeByName+0x135
0d 016aa678 3e372921 jscript!VAR::InvokeDispName+0x7a
0e 016aa80c 3e3713ab jscript!CScriptRuntime::Run+0x2061
0f 016aa8f4 3e3712e5 jscript!ScrFncObj::CallWithFrameOnStack+0xff

攻击者通过精心构造的堆布局数据占用被释放对象的内存;随后window.location引起页面重新渲染时,CMarkup::OnLoadStatusDone经由该悬空指针再次引用已释放的对象(即上面崩溃处的 call dword ptr [eax+0DCh]),从而控制eip,执行任意代码。

部分攻击代码已可在internet上搜索得到,相信该0day很快会被大规模利用,建议用户暂时改用google chrome、firefox等非IE浏览器,以避免潜在的威胁。我们将持续关注该0day漏洞的后续情况,敬请关注!

转载请注明来自WebShell'S Blog,本文地址:https://www.webshell.cc/4174.html