本文介绍了一种针对IE浏览器mshtml.dll组件中特定XML/SPAN标签处理漏洞的攻击方式。该漏洞利用分为两部分:一是使用JavaScript堆喷射技术和x86 Shellcode;二是通过特殊构造的XML/SPAN标签触发漏洞。文章详细描述了如何通过对象指针覆盖来调用恶意代码,并最终执行Shellcode。
The exploit for this vulnerability has two parts:
A. JavaScript heap spray code and x86 Shellcode
B. A short of special XML/SPAN tag elements
The first part of this exploit is a combination of the shellcode and heap spray technology, when it is running, it will be allocating memory blocks until it reaches address 0x0FFF0000, the size of each memory block is 1MB, the shellcode will be put into the address near the end of each block.
Heap spray:
The second part is the trigger of this vulnerability. The issue occurred in mshtml.dll, IE uses this dll to handle the XML/SPAN tags. This exploit used the special character ਊ (hex:0x0a0a) to construct the value of SRC in the first <Image> label, like below:
When mshtml.dll is processing such special XML/SPAN tags, it will allocate a structural memory block to handle these elements. During the process, it will release the memory block that contains these elements but continue referring the block in the next process, with the leak of sanity checks, this vulnerability will be trigged. This is a common object point overwrite tricks.
Here is the working flow of this exploit:
<1> Overwrite object point -> call to 0x0a0a0a0a
<2> Execute the shellcode
<3>Download the malware
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
