Vulnerability Wars (漏洞战争) - CVE-2013-0750
0x00 Prepare
1. Firefox 17.0 download link
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/17.0/win32/zh-CN/Firefox%20Setup%2017.0.exe
2. Firefox 17.0 source download link
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/17.0/source/firefox-17.0.source.tar.bz2
3. Mozilla's official symbol server (added in WinDbg under File | Symbol File Path)
SRV*c:\symbollocal\*http://symbols.mozilla.org/firefox
0x01 Analysis
WinDbg | File | Symbol File Path | append ;SRV*d:\symbollocal\*http://symbols.mozilla.org/firefox at the end
WinDbg | File | Source File Path | add the source tree C:\Users\klionsec7\Desktop\mozilla-release
Start Firefox 17.0
F6 (Attach to a Process) and attach to firefox.exe
g
Open poc.html in Firefox
```
(ae4.131c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=14405418 ebx=002dbbd8 ecx=002e1000 edx=14600000 esi=002dbb80 edi=072b0031
eip=693c2aa3 esp=002dba68 ebp=002dbaa0 iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010287
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Mozilla Firefox\mozjs.dll -
mozjs!js::NewProxyObject+0x1043:
693c2aa3 668939 mov word ptr [ecx],di ds:002b:002e1000=????
```
The break information here differs from the book: the symbol shown is mozjs!js::NewProxyObject+0x1043, whereas the book gets mozjs!ReplaceRegExpCallback+0x183. The faulting instruction is the same in both cases, mov word ptr [ecx],di. The ERROR line above explains the difference: no PDB was loaded for mozjs.dll, so WinDbg fell back to the DLL's export table and named the address after the nearest preceding export, js::NewProxyObject. The +0x1043 is just the distance from that export, not a location inside that function.
Since the output says the symbol file could not be found, check the current symbol path:
```
0:000> .sympath
Symbol search path is: srv*c:symbols*http://msdl.microsoft.com/download/symbols
```
The Mozilla symbol server configured earlier is missing from the result, for whatever reason; note also that WinDbg loads symbols lazily (deferred) by default. Reopen WinDbg and add the Firefox symbol path from the command line instead:
```
F6, attach to firefox.exe
.sympath+ SRV*c:\symbollocal\*http://symbols.mozilla.org/firefox
.sympath
Symbol search path is: srv*c:symbols*http://msdl.microsoft.com/download/symbols;SRV*c:\symbollocal\*http://symbols.mozilla.org/firefox
.reload
```
Without .reload the symbols will still not be found: modules that are already loaded keep their export-only symbol information until a reload forces WinDbg to search the new path. See also
http://www.cnblogs.com/kissdodog/p/3729396.html
g, then open poc.html in Firefox again:
```
(984.a00): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0d4040d8 ebx=0045bf18 ecx=00460000 edx=0d600000 esi=0045bec0 edi=02200031
eip=6d752aa3 esp=0045bda8 ebp=0045bde0 iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010287
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
mozjs!ReplaceRegExpCallback+0x183:
6d752aa3 668939 mov word ptr [ecx],di ds:002b:00460000=0000
```
```
0:000> kv
ChildEBP RetAddr Args to Child
0045bde0 6d799af8 05115710 0804d200 00000000 mozjs!ReplaceRegExpCallback+0x183 (FPO: [Non-Fpo])
[e:\builds\moz2_slave\rel-m-rel-w32-bld\build\js\src\jsstr.cpp @ 2099]
0045be10 6d79a333 00000001 0845f8e0 6d752920 mozjs!DoMatch+0xc8 (FPO: [Non-Fpo])
[e:\builds\moz2_slave\rel-m-rel-w32-bld\build\js\src\jsstr.cpp @ 1694]
0045be4c 6d7451e1 0045bec0 05410078 00000002 mozjs!str_replace_regexp+0x83 (FPO: [Non-Fpo])
[e:\builds\moz2_slave\rel-m-rel-w32-bld\build\js\src\jsstr.cpp @ 2278]
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\firefox.exe
0045bf6c 00310031 00310031 00310031 00310031 mozjs!js::str_replace+0x261 (FPO: [Non-Fpo])
[e:\builds\moz2_slave\rel-m-rel-w32-bld\build\js\src\jsstr.cpp @ 2464]
0045bf7c 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bf80 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bf84 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bf88 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bf8c 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bf90 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bf94 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bf98 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bf9c 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bfa0 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bfa4 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bfa8 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bfac 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bfb0 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bfb4 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
0045bfb8 00310031 00310031 00310031 00310031 firefox!__dyn_tls_init_callback <PERF> (firefox+0xb0031)
```
Two things in this dump are worth reading before going to the source. The faulting store mov word ptr [ecx],di writes di = 0x0031, the UTF-16 code unit for '1', at ecx = 0x00460000, a page boundary just above the current stack (esp = 0x0045bda8); the copy is walking upward one character at a time. And from js::str_replace onward every return address and argument kv reports is 0x00310031, "11" in UTF-16LE: the copy has already run over the stack frames above str_replace before it reached the page where it faults. The kv output also shows the source file is jsstr.cpp, but the path it prints (e:\builds\moz2_slave\...) is not a path on this machine: it is the path recorded in the PDB when Mozilla's build server compiled this release, so WinDbg cannot open it by itself. Search the local disk for jsstr.cpp and open it with File | Open Source File; a source pane then appears in WinDbg (it will not find the file unless you open it manually) and lands on the following location:
```cpp
static bool
ReplaceRegExpCallback(JSContext *cx, RegExpStatics *res, size_t count, void *p)
{
    ReplaceData &rdata = *static_cast<ReplaceData *>(p);

    rdata.calledBack = true;
    size_t leftoff = rdata.leftIndex;
    size_t leftlen = res->matchStart() - leftoff;
    rdata.leftIndex = res->matchLimit();

    size_t replen = 0;  /* silence 'unused' warning */
    if (!FindReplaceLength(cx, res, rdata, &replen))
        return false;

    size_t growth = leftlen + replen;
    if (!rdata.sb.reserve(rdata.sb.length() + growth))
        return false;

    JSLinearString &str = rdata.str->asLinear();  /* flattened for regexp */
    const jschar *left = str.chars() + leftoff;

    rdata.sb.infallibleAppend(left, leftlen); /* skipped-over portion of the search value */
    DoReplace(cx, res, rdata);  // <- the line the source pane lands on
    return true;
}
```
WinDbg's source pane stops at the DoReplace(cx, res, rdata) call, but from here there is no way to tell which statement inside DoReplace the faulting instruction belongs to. The PDB from the symbol server does match this binary (kv resolves jsstr.cpp line numbers through it), but it is an optimized release build: the store at ReplaceRegExpCallback+0x183 is attributed to the DoReplace call site inside ReplaceRegExpCallback rather than to a DoReplace frame of its own, which is what you get when the compiler has inlined DoReplace. To step through the actual code you need your own debug build of the Firefox 17.0 source.
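The excerpt above grows the output buffer with plain size_t arithmetic (growth = leftlen + replen, then reserve(length + growth)) and then copies with infallibleAppend, which trusts that reservation unconditionally. The following C model is an added example, not SpiderMonkey code and not the book's PoC. It assumes a StringBuffer with a small inline buffer (here 32 code units, living in the caller's stack frame) that spills to the heap on reserve, and it assumes replen can become large enough for the addition to wrap; the page does not show how the real PoC reaches that state, so treat the input as constructed. It shows why a wrapped reservation lets the append run straight through the inline buffer, which is the shape of damage the kv output above displays, and how an overflow-checked addition in the style of mozilla::CheckedInt refuses the step instead. Rather than corrupting memory, the unchecked variant reports how far the copy would overrun.

```c
/* Model of the size accounting in ReplaceRegExpCallback (added example, not Firefox code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t jschar;      /* UTF-16 code unit, as in SpiderMonkey */
#define INLINE_CAP 32         /* assumed inline storage, like Vector<jschar, 32> */

/* Stand-in for js::StringBuffer: inline buffer first, heap once reserve() outgrows it. */
typedef struct {
    jschar  inline_buf[INLINE_CAP];
    jschar *data;
    size_t  length;
    size_t  capacity;
} StringBuffer;

static void sb_init(StringBuffer *sb) {
    sb->data = sb->inline_buf;
    sb->length = 0;
    sb->capacity = INLINE_CAP;
}

static void sb_free(StringBuffer *sb) {
    if (sb->data != sb->inline_buf) free(sb->data);
    sb_init(sb);
}

/* reserve(): satisfied by the current buffer if it fits, otherwise grows on the heap. */
static bool sb_reserve(StringBuffer *sb, size_t want) {
    if (want <= sb->capacity) return true;
    if (want > SIZE_MAX / sizeof(jschar)) return false;   /* byte count would overflow */
    jschar *p = malloc(want * sizeof(jschar));
    if (!p) return false;
    memcpy(p, sb->data, sb->length * sizeof(jschar));
    if (sb->data != sb->inline_buf) free(sb->data);
    sb->data = p;
    sb->capacity = want;
    return true;
}

/* Step result: STEP_REFUSED, STEP_OK, or a positive count of code units the append
 * would write past the reservation (reported instead of performed). */
enum { STEP_REFUSED = -1, STEP_OK = 0 };

/* Unchecked variant: same size_t arithmetic as the excerpt. A huge replen wraps growth
 * to a small value, reserve() is satisfied by the inline buffer, and the append of
 * leftlen units then runs off the end of it. */
static long replace_step_unchecked(StringBuffer *sb, const jschar *left, size_t leftlen, size_t replen) {
    size_t growth = leftlen + replen;                /* can wrap */
    if (!sb_reserve(sb, sb->length + growth))        /* can wrap again */
        return STEP_REFUSED;
    size_t room = sb->capacity - sb->length;
    if (leftlen > room)
        return (long)(leftlen - room);               /* infallibleAppend would overrun by this much */
    memcpy(sb->data + sb->length, left, leftlen * sizeof(jschar));
    sb->length += leftlen;
    return STEP_OK;
}

/* Overflow-checked addition, in the spirit of mozilla::CheckedInt. */
static bool checked_add(size_t a, size_t b, size_t *out) {
    if (a > SIZE_MAX - b) return false;
    *out = a + b;
    return true;
}

/* Checked variant: refuse the step if either sum wraps, so reserve() only ever sees
 * the true size and the append stays inside it. */
static long replace_step_checked(StringBuffer *sb, const jschar *left, size_t leftlen, size_t replen) {
    size_t growth, want;
    if (!checked_add(leftlen, replen, &growth) || !checked_add(sb->length, growth, &want))
        return STEP_REFUSED;
    if (!sb_reserve(sb, want))
        return STEP_REFUSED;
    memcpy(sb->data + sb->length, left, leftlen * sizeof(jschar));
    sb->length += leftlen;
    return STEP_OK;
}

/* Run one step of either variant on a constructed input: leftlen copies of '1'
 * (0x0031, the value in DI at the crash) and a caller-chosen replacement length. */
static long simulate(bool checked, size_t leftlen, size_t replen) {
    jschar *left = malloc(leftlen * sizeof(jschar));
    if (!left) return STEP_REFUSED;
    for (size_t i = 0; i < leftlen; i++) left[i] = 0x0031;
    StringBuffer sb;
    sb_init(&sb);
    long r = checked ? replace_step_checked(&sb, left, leftlen, replen)
                     : replace_step_unchecked(&sb, left, leftlen, replen);
    sb_free(&sb);
    free(left);
    return r;
}

int main(void) {
    size_t huge = SIZE_MAX - 90;   /* 100 + huge wraps to 9, which fits the inline buffer */
    printf("benign   unchecked=%ld checked=%ld\n", simulate(false, 10, 5), simulate(true, 10, 5));
    printf("wrapping unchecked=%ld checked=%ld\n", simulate(false, 100, huge), simulate(true, 100, huge));
    return 0;
}
```

With leftlen = 100 and replen = SIZE_MAX - 90 the unchecked step asks reserve() for 9 units, keeps the 32-unit inline buffer, and reports that the append would overrun it by 68 units; the checked step refuses the same input, and both accept the benign 10/5 case. The real buffer in ReplaceData sits on the stack below str_replace's return address, which is the region kv shows filled with 0x0031.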
Building needs MozillaBuildSetup 1.7 from http://ftp.mozilla.org/pub/mozilla/libraries/win32/. For example, install it to C:\mozilla-build\, copy the xulrunner\config directory from the Firefox source tree into c:\mozilla-build, and put the following in c:\mozilla-build\config\mozconfig:
```
ac_add_options --enable-application=browser
ac_add_options --enable-debug
ac_add_options --enable-tests
ac_add_options --enable-trace-malloc
ac_add_options --disable-webgl
```
Run start-msvc10.bat from the MozillaBuild install directory to open a shell with the Visual Studio 2010 environment, cd into the Mozilla source directory and run make -f client.mk build.
This requires Visual Studio 2010 to be installed on the system; I did not go further, and the analysis stops here.