Windows Media Player and the other Microsoft components that handle MIDI files have been patched for this issue.
This post follows the analysis published on vupen.com, with my own notes added where I thought more background was needed; in particular I added a section on the MIDI file format itself.
Patch information:
http://technet.microsoft.com/ko-kr/security/bulletin/ms12-004
Internet Explorer heap overflow: advanced exploitation (MS12-004)
Hi everyone,
2012 has just begun with its bunch of very interesting CVEs. One of them is CVE-2012-0003, a critical vulnerability affecting Windows Multimedia Library and related to MIDI file handling. It was patched last week by Microsoft as part of the MS12-004 security bulletin.
Due to the criticality of this vulnerability, we highly recommend applying the patch as soon as possible!
From Wikipedia we can read: "MIDI is an industry-standard protocol, first defined in 1982". So basically, 30 years after its creation, this format is still causing troubles to software vendors such as Microsoft.
By itself, the vulnerability is quite common but exploitation is not trivial. When an application such as Windows Media Player or Internet Explorer parses a MIDI file, a static heap buffer is allocated but up to 0x440 bytes can be written to. Nevertheless, due to the large allocation size, common exploitation techniques for Internet Explorer might not work with this vulnerability which makes exploitation really challenging.
(Translator's note: this sentence is easy to misread. It does not mean that 0x440 bytes are written past the buffer; the write can extend to 0x440 bytes in total. As shown below, the buffer is 0x400 bytes, so the amount overwritten past its end is 0x40 bytes.)
In this blog we will demonstrate the criticality of this vulnerability by showing how it can be reliably exploited via Internet Explorer 9/8/7/6 to achieve code execution by bypassing ASLR/DEP.
1. Technical Analysis of the Vulnerability
Here are the key points of this vulnerability. A MIDI file mainly contains two types of chunks, one named MThd and the other MTrk. Here follow the structures of both chunks:
MThd chunk:
Offset | Field | Size
0 | Type = 'MThd' | 4
4 | Length = 6 | 2
6 | format | 2
8 | tracks | 2
10 | division | 2

MTrk chunk:
Offset | Field | Size
0 | Type = 'MTrk' | 4
4 | Length | var
var | delta_time | var
var | event | var
Adding some notes on the MIDI file format.
To understand the vulnerability it helps to have seen a MIDI file parsed once, so I looked for a parser and found this web-based one:
http://phpmidiparser.com/
Clicking "Generate a Report" lets you upload a MIDI file from your computer and returns the parsed result as an HTML report. The report looks short at first, but there is a page selector at the bottom (> page 1/35), and you can page through the whole file that way.
Any MIDI file on your machine will do (searching for *.mid usually turns up a few bundled ones), or download one from the web.
The first thing in the report is the MThd chunk.
[screenshot: MThd chunk in the report]
The first 12 bytes of the file form the MThd chunk, which identifies the file as MIDI: 4D 54 68 64 ("MThd") is the MIDI signature, and 00 00 00 06 is the length of the value that follows (always 6).
The value 00 00 / 00 01 / 01 80 means, in order:
- single-track or multi-track format (0 = single, 1 = multi, 2 = multi)
- number of tracks
- time division (ticks per unit of time)
(Note that MIDI is BIG ENDIAN.)
After the MThd chunk come the MTrk chunks.
A MIDI file is made of tracks, each of which usually carries one instrument part, and each track becomes one MTrk chunk: a file with 10 tracks has 10 MTrk chunks.
An MTrk chunk consists of the "MTrk" header followed by the MIDI commands. The MTrk signature is 4D 54 72 6B, followed by the 4-byte size of the chunk.
Looking inside a track, it is mostly Note On commands (key pressed) followed by the note to play, but it also carries things such as pan (left/right balance), velocity (how hard the key is pressed), tempo, volume and the instrument to use.
Taking one track as an example,
[screenshot: Track 2 excerpt from the report]
this is an excerpt from the middle of Track 2 in the report for the file I uploaded. The first line is Pan, which sets the left/right speaker balance. Its value is 64, i.e. 0x40, so the bytes are 00 0A 40 and the third byte carries that value.
0x0A is the controller number defined as "Pan".
The first byte, 0x00, matters: it is the number of ticks to wait before this event is executed. Here it is 00, so the event runs immediately.
A tick is the unit of time, derived from the time division in the MThd chunk above. If the division is 60 per second, then 60 ticks correspond to one second.
The next line sets another controller; 07 is likewise a defined controller number.
[screenshot: instrument selection in the report]
The next part of the track selects the instrument; here Fretless Bass is chosen.
[screenshot: Note On event in the report]
Then comes Note On, the command meaning "key pressed" (pressing a key on the keyboard).
[screenshot: Note On bytes in the report]
In D2, D is the note name and 2 is the octave; velocity is how hard the key is struck.
[43 ticks] converted to hex is 0x2B, so the bytes 2B 26 00 line up: "after 0x2B ticks, play D2 (0x26) with velocity 0x00".
But the very next event, 82 20 90 26 6E [288 ticks], does not line up the same way.
288 in hex is 0x01 0x20, yet the bytes read 0x82 0x20.
It turns out the tick count needs a bit mask to decide whether it occupies one byte or two: if the tick count is smaller than 255 one byte is used, if larger more bytes are needed.
0x82 in binary is 10000010; the most significant bit (MSB) is the mask bit. If it is 1, the tick count continues into the next byte. The rule is:
- Read the first byte of the tick count and check whether its MSB is 1.
- If it is 1, read one more byte and check its MSB too.
- If that is 1 as well, read one more byte and check its MSB.
- The fourth byte's MSB is 0.
So a tick count can occupy up to 4 bytes. As soon as a byte with MSB 0 is read, no more bytes are consumed, so the tick count is between 1 and 4 bytes long.
Importantly, the bytes read this way are stripped of their mask bits and concatenated.
So for 82 20 90 26 6E:
- 0x82 => 10000010 => MSB is 1, so read the next byte.
- 0x20 => 00100000 => MSB is 0, so stop.
- Concatenate the bytes read: 1000001000100000
- Drop the mask bits: 00000100100000
- Convert to decimal: 288 ticks == [288 ticks]
That is how the tick count is computed (it is not relevant to the vulnerability; the bytes after it are what matter).
The next byte, 0x90, carries the event type and the channel in one byte, read as two 4-bit halves: => 0x9, 0x0 (this is the important part for analysing the vulnerability).
0x9 means a Note On event and 0x0 is the channel; a channel is the "line" along which a MIDI track's sound is produced.
The event types are:
Hex | Binary | Data | Description
8x | 1000xxxx | nn vv | Note off (key is released); nn = note number, vv = velocity
9x | 1001xxxx | nn vv | Note on (key is pressed); nn = note number, vv = velocity
Ax | 1010xxxx | nn vv | Key after-touch; nn = note number, vv = velocity
Bx | 1011xxxx | cc vv | Control Change; cc = controller number, vv = new value
Cx | 1100xxxx | pp | Program (patch) change
Dx | 1101xxxx | cc | Channel after-touch
Ex | 1110xxxx | bb tt | Pitch wheel change (2000H is normal or no change); bb = bottom (least sig) 7 bits of value, tt = top (most sig) 7 bits of value
But right before it, as seen above,
[screenshot: Note On without a status byte]
a Note On appears with no 0x90 status byte. Presumably to keep MIDI files small, the status byte is omitted when it is the same as the previous event's.
Now let me look at Track 1 in the report as well.
(This is the metadata part. It is not related to the vulnerability; I include it because it may be useful when looking for new bugs.)
[screenshot: Track Name event in Track 1]
This is the Track Name. Looking at the bytes, [0x43] [0x6F] .... [0x72] is the string "Come Together", whose length is 13, matching the 0D in front of it.
Before that come FF 03: [0xFF] means a meta (metadata) event and [0x03] means "Track Name".
The other values that can appear in that field are:
Hex | Binary | Data | Description
00 | 00000000 | nn ssss | Sets the track's sequence number; nn = 02 (length of 2-byte sequence number), ssss = sequence number
01 | 00000001 | nn tt .. | Text event - any text you want; nn = length in bytes of text, tt = text characters
02 | 00000010 | nn tt .. | Same as text event, but used for copyright info.
03 | 00000011 | nn tt .. | Sequence or Track name
04 | 00000100 | nn tt .. | Track instrument name
05 | 00000101 | nn tt .. | Lyric
06 | 00000110 | nn tt .. | Marker
07 | 00000111 | nn tt .. | Cue point
2F | 00101111 | 00 | This event must come at the end of each track
51 | 01010001 | 03 tttttt | Set tempo; tttttt = microseconds/quarter note
58 | 01011000 | 04 nn dd cc bb | Time Signature; nn = numerator of time sig., dd = denominator of time sig. etc, cc = number of ticks in metronome click, bb = number of 32nd notes to the quarter note
59 | 01011001 | 02 sf mi | Key signature; sf = sharps/flats (-7 = 7 flats, 0 = key of C, 7 = 7 sharps), mi = major/minor
7F | 01111111 | xx dd .. | Sequencer specific information; xx = number of bytes to be sent, dd = data
So a MIDI player has to parse this metadata as well. It looks like a fun target to fuzz some time.
That is all for the added notes on the MIDI format. I found the vulnerability analysis hard to follow the first time through without this background, which is why these notes came first.
Now back to the analysis itself.
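To make the walkthrough above concrete, here is an added example (my own code, not from the original post or from VUPEN) of a small MIDI parser in Python. It reads the MThd chunk, walks the MTrk chunks, decodes the variable-length tick counts with the MSB continuation rule described above (a single byte therefore holds values up to 127), honours running status (the omitted 0x90), and keeps the status byte so that event type and channel can be split off. The sample file it parses is constructed here to contain the same events discussed above; the division 0x180 and the instrument number 0x23 are assumptions. The rejection of data bytes of 0x80 or more is what a strict parser does and, as the rest of the post shows, the vulnerable code did not.

```python
import struct

# Constructed sample MIDI file (not taken from the original post): one MThd chunk and two
# MTrk chunks carrying the same kinds of events the report above shows.
SAMPLE_MIDI = bytes.fromhex(
    "4D546864 00000006 0001 0002 0180"          # MThd: format 1, 2 tracks, division 0x180 (assumed)
    "4D54726B 00000015"                         # MTrk, length 0x15
    "00 FF03 0D 436F6D6520546F676574686572"     # delta 0, meta 0x03 Track Name, 13 bytes "Come Together"
    "00 FF2F00"                                 # delta 0, meta 0x2F End of Track
    "4D54726B 00000017"                         # MTrk, length 0x17
    "00 B0 0A 40"                               # delta 0, Control Change ch0: Pan (0x0A) = 0x40
    "00 C0 23"                                  # delta 0, Program Change ch0: 0x23 (assumed instrument)
    "00 90 26 6E"                               # delta 0, Note On ch0: note 0x26 (D2), velocity 0x6E
    "2B 26 00"                                  # delta 0x2B (43 ticks), running status: Note On, velocity 0
    "82 20 90 26 6E"                            # delta 0x82 0x20 (288 ticks), Note On 0x26 velocity 0x6E
    "00 FF2F00"                                 # End of Track
)

# Constructed malformed file: a Note On whose note number (0x88) is outside the 7-bit range.
MALFORMED_MIDI = bytes.fromhex(
    "4D546864 00000006 0000 0001 0180"
    "4D54726B 00000008"
    "00 9F 88 40"
    "00 FF2F00"
)

# Number of data bytes for each channel event type (high nibble of the status byte)
CHANNEL_EVENT_DATA_LEN = {0x8: 2, 0x9: 2, 0xA: 2, 0xB: 2, 0xC: 1, 0xD: 1, 0xE: 2}


def read_vlq(data, pos):
    """Read a variable-length quantity (delta time or meta length) starting at pos.

    Each byte contributes its low 7 bits; a set MSB (0x80) means another byte follows.
    Returns (value, position just after the last byte consumed)."""
    value = 0
    for i in range(4):                      # the format allows at most 4 bytes
        b = data[pos + i]
        value = (value << 7) | (b & 0x7F)   # drop the mask bit and concatenate
        if not b & 0x80:
            return value, pos + i + 1
    raise ValueError("variable-length quantity longer than 4 bytes at offset %d" % pos)


def parse_header(data):
    """Parse the MThd chunk; everything in MIDI is big endian."""
    if data[:4] != b"MThd":
        raise ValueError("missing MThd signature")
    length, fmt, tracks, division = struct.unpack(">IHHH", data[4:14])
    if length != 6:
        raise ValueError("unexpected MThd length %d" % length)
    return {"format": fmt, "tracks": tracks, "division": division}, 14


def parse_track(data, pos):
    """Parse one MTrk chunk at pos into (delta, kind, status_or_meta_type, payload) tuples."""
    if data[pos:pos + 4] != b"MTrk":
        raise ValueError("missing MTrk signature at offset %d" % pos)
    (length,) = struct.unpack(">I", data[pos + 4:pos + 8])
    p, end = pos + 8, pos + 8 + length
    events, running_status = [], None
    while p < end:
        delta, p = read_vlq(data, p)
        b = data[p]
        if b == 0xFF:                                   # meta event: FF type length payload
            meta_type = data[p + 1]
            mlen, p = read_vlq(data, p + 2)
            events.append((delta, "meta", meta_type, bytes(data[p:p + mlen])))
            p += mlen
            running_status = None                       # meta and sysex cancel running status
            continue
        if b in (0xF0, 0xF7):                           # sysex: length then payload, skipped here
            slen, p = read_vlq(data, p + 1)
            p += slen
            running_status = None
            continue
        if b & 0x80:                                    # explicit status byte: type nibble + channel nibble
            running_status, p = b, p + 1
        elif running_status is None:
            raise ValueError("data byte without running status at offset %d" % p)
        n = CHANNEL_EVENT_DATA_LEN[running_status >> 4]
        args = tuple(data[p:p + n])
        if any(a & 0x80 for a in args):                 # data bytes must stay within 7 bits
            raise ValueError("data byte >= 0x80 at offset %d" % p)
        events.append((delta, "channel", running_status, args))
        p += n
    return events, end


def parse_midi(data):
    header, pos = parse_header(data)
    tracks = []
    for _ in range(header["tracks"]):
        events, pos = parse_track(data, pos)
        tracks.append(events)
    return header, tracks


def is_well_formed(data):
    """Strict pre-check a defender can run on a file before handing it to a player."""
    try:
        parse_midi(data)
        return True
    except (ValueError, IndexError, KeyError, struct.error):
        return False


if __name__ == "__main__":
    header, tracks = parse_midi(SAMPLE_MIDI)
    print(header)
    for delta, kind, code, payload in tracks[1]:
        print("delta=%3d %-7s %02X %s" % (delta, kind, code, payload))
    print("sample well-formed:", is_well_formed(SAMPLE_MIDI))
    print("malformed rejected:", not is_well_formed(MALFORMED_MIDI))
```

The `is_well_formed()` check is the natural place to put the 7-bit data-byte rule: a file that passes it never carries a note number of 0x80 or more, which is the value the rest of the analysis turns on.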
Before processing the file, Windows Media allocates two buffers in "mseOpen()" in winmm.dll:
.text:76B5CDB1 mov edi, [ebp+arg_4]
.text:76B5CDB4 mov eax, [edi+10h]
.text:76B5CDB7 lea eax, ds:94h[eax*8]
.text:76B5CDBE cmp eax, 10000h
.text:76B5CDC3 mov [ebp+var_4], 7
.text:76B5CDCA jnb loc_76B5CED7
.text:76B5CDD0 push ebx
.text:76B5CDD1 push esi
.text:76B5CDD2 push eax
.text:76B5CDD3 call winmmAlloc(x) // allocate a first buffer
.text:76B5CDD8 mov esi, eax
.text:76B5CDDA xor ebx, ebx
.text:76B5CDDC cmp esi, ebx
.text:76B5CDDE jz loc_76B5CED5
.text:76B5CDE4 push 400h
.text:76B5CDE9 call winmmAlloc(x) // allocate a second buffer of size 0x400
The second buffer will be noted b1 in the following (this is the buffer that gets overflowed, by up to 0x40 bytes past its end). This specific vulnerability lies in the way certain events from the MTrk chunk are parsed. These events are first read in "smfReadEvents()", defined in quartz.dll:
.text:74903483 loc_74903483:
.text:74903483 push [ebp+arg_C]
.text:74903486 lea eax, [ebp+var_14]
.text:74903489 push eax
.text:7490348A push esi
.text:7490348B call smfGetNextEvent(x,x,x) // read an event into var_8
.text:74903490 test eax, eax
.text:74903492 jnz loc_749035B1
.text:74903498 mov ecx, [ebp+var_8]
.text:7490349B cmp cl, 0F0h
.text:7490349E jnb short loc_749034EC
An event is identified by its first byte and noted e1 e2 e3 in the following, so that ECX = 0x00e3e2e1.
(Translator's note: the first byte, 0x90 in our example, is what identifies the note-on event. ECX is the register to watch because smfGetNextEvent() leaves the event in var_8 and the code above loads it from there: .text:74903498 mov ecx, [ebp+var_8]. The top byte of ECX is 0x00 because, apart from 0xFF meta events, an event is at most 3 bytes long, as the event table above shows. For the event from the report, 0x90 0x26 0x6E, ECX becomes 0x006E2690; in little-endian order the bytes are 0x90 0x26 0x6E 0x00.)
Only events where e1 < 0xF0 are of interest (so the 0xFF meta events are excluded).
In the next piece of code, the event is written at offset 8 in an array previously allocated:
.text:749034B4 loc_749034B4:
.text:749034B4
.text:749034B4 mov eax, [esi+10h]
.text:749034B7 add eax, [ebp+var_14]
.text:749034BA movzx ecx, cl
.text:749034BD mov [edi], eax // write a first dword
.text:749034BF and dword ptr [esi+10h], 0
.text:749034C3 add edi, 4 // move to the next dword
.text:749034C6 and dword ptr [edi], 0 // write 0
.text:749034C9 movzx eax, byte ptr [ebp+var_8+2] // var_8 holds the event bytes 0x90 0x26 0x6E 0x00
.text:749034CD movzx edx, byte ptr [ebp+var_8+1] // so eax = 0x6E, edx = 0x26
.text:749034D1 shl eax, 8 // eax = 0x0000006E ==> 0x00006E00
.text:749034D4 or eax, edx // ==> 0x00006E26
.text:749034D6 shl eax, 8 // ==> 0x006E2600
.text:749034D9 add edi, 4 // move to the next dword
.text:749034DC or eax, ecx // ==> 0x006E2690 (the three event bytes rebuilt this way rather than with a simple and eax, 0x00FFFFFF =_=)
.text:749034DE
.text:749034DE loc_749034DE:
.text:749034DE mov [edi], eax // write the event
.text:749034E0 add edi, 4
.text:749034E3 add dword ptr [ebx+8], 0Ch // increment the entry counter
.text:749034E7 jmp loc_749035A2
With EDI pointing at the array entry, the entry is laid out as ==> [EAX] [0000] [EVENT], and EVENT is the part that matters here.
This array is next handled by "midiOutPlayNextPolyEvent()", in winmm.dll:
.text:76B5D0B2 mov eax, [ebp+wParam]
.text:76B5D0B5 mov ecx, [ebx+eax] // read an event into ecx
.text:76B5D0B8 add ebx, 4
.text:76B5D0BB mov eax, ecx
.text:76B5D0BD mov [esi+24h], ebx
.text:76B5D0C0 shr eax, 18h
.text:76B5D0C3 and ecx, 0FFFFFFh // ecx = e3 e2 e1
At this moment, the application distinguishes whether or not e1 > 7Fh (as the event table above shows, channel event status bytes start at 0x80):
.text:76B5D1B6 loc_76B5D1B6:
.text:76B5D1B6 cmp [ebp+hmo], ebx
.text:76B5D1B9 mov esi, [edi+84h]
.text:76B5D1BF jz loc_76B5D276
.text:76B5D1C5 test cl, cl // cl = e1 (with ecx = 0x006E2690, e1 = 0x90)
.text:76B5D1C7 mov al, cl // al = e1
.text:76B5D1C9 mov ebx, ecx
.text:76B5D1CB js short loc_76B5D1E3 // jump if (80h <= e1 <= FFh)
[...]
.text:76B5D1E3 loc_76B5D1E3:
.text:76B5D1E3 mov edx, ecx
.text:76B5D1E5 shr edx, 8 // dl = e2 (edx, a copy of ecx, shifted right by 8 bits => 0x00006E26)
.text:76B5D1E8 mov [edi+54h], cl
.text:76B5D1EB mov byte ptr [ebp+wParam+3], dl
.text:76B5D1EE shr ebx, 10h // bl = e3 (ebx, a copy of ecx, shifted right by 16 bits => 0x0000006E)
As we can see in the following lines, Windows Media specifically processes events where e1 & F0h = 80h or 90h, i.e. Note On (key pressed) and Note Off (key released) events:
.text:76B5D1F1 loc_76B5D1F1:
.text:76B5D1F1 mov dl, al // dl = e1
.text:76B5D1F3 and dl, 0F0h
.text:76B5D1F6 cmp dl, 90h
.text:76B5D1F9 mov [ebp+var_1], dl
.text:76B5D1FC jz short loc_76B5D203 // e1 & 0xF0 == 0x90
.text:76B5D1FE cmp dl, 80h
.text:76B5D201 jnz short loc_76B5D25F // neither 0x90 nor 0x80: skip
For such cases, an offset is computed according to e1 and e2 (the channel and the note number) to write data to the buffer b1 allocated above:
.text:76B5D203 loc_76B5D203:
.text:76B5D203 movzx edx, byte ptr [ebp+wParam+3] // edx = e2 (for 0x006E2690: 0x00000026)
.text:76B5D207 and eax, 0Fh // eax = e1 & 0Fh (for 0x006E2690: 0x00000000)
.text:76B5D20A shl eax, 7 // 0x00000000 => 0x00000000
.text:76B5D20D add eax, edx // => 0x00000026
.text:76B5D20F cdq // sign-extend eax into edx:eax
.text:76B5D210 sub eax, edx
.text:76B5D212 sar eax, 1 // => divide by 2 (cdq / sub / sar is a signed division by 2)
.text:76B5D214 cmp [ebp+var_1], 80h
.text:76B5D218 jz short loc_76B5D244
At the end, EAX = ((e1 & 0Fh) * 2^7 + e2) / 2.
This is where the data in b1 is going to be altered. Note that for particular values of e1 and e2, it is possible to get EAX > 400h. For example, e1 = 9Fh => 0Fh * 2^7 = 780h. Then if e2 > 7Fh, e1 + e2 > 800h which makes EAX >= 400h and the program writes past the bounds of the allocated buffer.
(Translator's note: b1, whose allocation size is 0x400, is effectively a two-dimensional array in which each row is 2^7 = 0x80 wide. In 0x9x the x is the channel, so each channel owns at most 0x80 entries and x * 0x80 selects the channel's row, while e2 indexes within it. Once e2 exceeds 0x7F the sum reaches 0x800 and the halved value reaches 0x400, i.e. the program writes outside the buffer it allocated. For example, with the event 0x0000889F:
=> 9F & 0x0F = 0xF
=> 0xF * 0x80 (2^7) = 0x780
=> 0x780 + 0x88 = 0x808
=> 0x808 / 2 = 0x404)
Depending on whether e1 & F0h = 90h or 80h, or even e3 = 1, it is possible to increment or decrement an arbitrary byte. For example with e1 & F0h = 90h:
.text:76B5D21E add esi, eax
.text:76B5D220 test byte ptr [ebp+wParam+3], 1
.text:76B5D224 mov al, [esi] // read a byte in b1
[...]
.text:76B5D23E inc al
.text:76B5D240 mov [esi], al // increment that byte
If e1 & F0h = 80h:
.text:76B5D248 lea edx, [eax+esi]
.text:76B5D24B mov al, [edx] // read a byte in b1
[...]
.text:76B5D25B dec al
.text:76B5D25D mov [edx], al // decrement that byte
Since b1 is 0x400 bytes long, a heap overflow occurs when e1 = 8Fh or 9Fh and when e2 > 7Fh. In practice, it becomes possible to corrupt the 0x40 bytes following b1, which is enough to achieve arbitrary code execution.
(Translator's note: the 0x80 == 128 here is the number of distinct notes a note number can express. The note table below makes the mapping clear.)
Octave # | Note Numbers
| C | C# | D | D# | E | F | F# | G | G# | A | A# | B
0 | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11
1 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23
2 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35
3 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47
4 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59
5 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71
6 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83
7 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95
8 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107
9 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119
10 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | | | |
In short, when e2 (the note number) goes past its maximum of 127, the index runs past the array and lands on other data: an array index overflow.
e1 is not where the problem lies; it only selects which part of the array is pointed at. It is e2 exceeding the array's scope that does the damage.
A few things I still wonder about, noted here for now:
- With 16 channels, shouldn't b1 be 16 * 0x80 = 0x800 bytes rather than 0x400?
- The maximum note number is 127 but a byte goes up to 255, so shouldn't the overwritable range be 0x80 bytes rather than 0x40?
- What is the source of the value that gets written?
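As an added example (my own code, not the original post's or VUPEN's), the following Python models the index computation from the disassembly above and turns it into a check a defender can run over events that a parser has already split into status and data bytes. It reproduces the page's worked value for 9F 88 and, by sweeping every Note On/Off status byte and every 8-bit note value, shows that only channel 15 (e1 = 0x8F or 0x9F) can reach past the buffer and that the reach is at most 0x40 bytes. That also answers the first two questions above: the division by two in the computation is what turns 16 * 0x80 into 0x400, and the 0x80 note values above 0x7F into 0x40 bytes rather than 0x80. The event list at the bottom is constructed here.

```python
B1_SIZE = 0x400  # size of the second buffer allocated in mseOpen()


def b1_index(e1, e2):
    """Offset into b1 that midiOutPlayNextPolyEvent() computes for a Note On/Off event.

    Mirrors the disassembly: eax = e1 & 0Fh; shl eax, 7; add eax, e2; cdq; sub; sar 1,
    i.e. (channel * 0x80 + note) / 2 with a signed division. The operand is never
    negative here, so a plain right shift gives the same result."""
    return (((e1 & 0x0F) << 7) + e2) >> 1


def writes_out_of_bounds(e1, e2):
    """True when the event would touch a byte beyond the 0x400-byte buffer."""
    return b1_index(e1, e2) >= B1_SIZE


def overrun_extent():
    """Largest index reachable over all Note Off/On status bytes (0x80..0x9F) and all
    8-bit note values, and how many bytes past the buffer that represents."""
    worst = max(b1_index(e1, e2) for e1 in range(0x80, 0xA0) for e2 in range(0x100))
    return worst, worst - B1_SIZE + 1


def channels_that_overflow():
    """Channel numbers (low nibble of e1) for which some note value reaches past b1."""
    return sorted({e1 & 0x0F
                   for e1 in range(0x80, 0xA0) for e2 in range(0x100)
                   if writes_out_of_bounds(e1, e2)})


def audit_events(events):
    """Flag (status, data1, data2) events a strict parser would reject: Note On/Off with a
    note number outside the 7-bit range. Such an event is exactly what can drive the
    index past the end of b1; the report says whether it actually does."""
    findings = []
    for status, d1, d2 in events:
        if status & 0xF0 in (0x80, 0x90) and d1 > 0x7F:
            findings.append({"status": status, "note": d1,
                             "index": b1_index(status, d1),
                             "out_of_bounds": writes_out_of_bounds(status, d1)})
    return findings


# Constructed event list (not from the original post): two well-formed events, one malformed
# event that stays inside the buffer, and the page's worked example 9F 88 (channel 15, note 0x88).
SAMPLE_EVENTS = [
    (0x90, 0x26, 0x6E),   # Note On, channel 0, D2
    (0x80, 0x26, 0x40),   # Note Off, channel 0, D2
    (0x9E, 0xFF, 0x01),   # malformed note number but channel 14: index stays below 0x400
    (0x9F, 0x88, 0x01),   # malformed note number on channel 15: index 0x404
]

if __name__ == "__main__":
    print("index for 9F 88: 0x%X" % b1_index(0x9F, 0x88))
    print("worst index / bytes past buffer: 0x%X / 0x%X" % overrun_extent())
    print("channels that can overflow:", channels_that_overflow())
    for f in audit_events(SAMPLE_EVENTS):
        print("status %02X note %02X -> index 0x%X out_of_bounds=%s"
              % (f["status"], f["note"], f["index"], f["out_of_bounds"]))
```

Running it over a parsed file flags every note number above 0x7F, which is the sensible detection rule: a well-formed file never contains one, and the out_of_bounds field then tells you whether the event was merely malformed or actually reached past the buffer.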
2. Advanced Exploitation With ASLR/DEP Bypass
Since the vulnerable module can be loaded in Internet Explorer, it is possible to achieve a reliable exploitation of this flaw.
(Translator's note: with a heap overflow the aim is to overwrite an object's vftable and then have one of that object's methods called, so that the corrupted pointer is used. Exploiting Windows Media Player on its own, one would have to hope that a vftable happens to sit right after the buffer and that a method of that object is called after the overwrite, which is far from certain. In Internet Explorer, by contrast, JavaScript gives control over the heap, which is why a reliable exploit is feasible there.)
As we can see in "DllProcessAttach()" in winmm.dll and "_DllMainStartup()" in mshtml.dll, both libraries use the same heap for their allocations (if the heap used by winmm.dll and the heap used by JavaScript were different, controlling the heap from JavaScript would be pointless):
In "DllProcessAttach()":
.text:76B43F8F mov eax, large fs:18h // GetProcessHeap inlined
.text:76B43F95 mov eax, [eax+30h]
.text:76B43F98 mov eax, [eax+18h]
.text:76B43F9B mov _hHeap, eax
In "_DllMainStartup()":
.text:3CEAC930 call GetProcessHeap()
.text:3CEAC936 push eax
.text:3CEAC937 mov _g_hProcessHeap, eax
As a result, it is possible to exploit this vulnerability to corrupt an Internet Explorer object.
Usually, exploiting such vulnerabilities consists in finding an object whose size is equal to the vulnerable buffer's size. In that case, exploitation can be achieved in the following way: allocate contiguously the vulnerable buffer, a string and an object. Once done, overwrite the string's length to disclose the vTable and deduce mshtml.dll's base address:

Allocate then a new buffer and trigger the vulnerability a second time to overwrite the object's vTable:

At that point, spray the heap with a dynamic ROP for mshtml.dll and call a function from the corrupted object to redirect the execution flow.
(Un)fortunately, this method requires the vulnerability to trigger twice and only works as long as it is possible to allocate an object of a given size. For sizes < 0x100 bytes, IE provides enough objects for that method to work, but in the particular case of the MS12-004 vulnerability the buffer is 0x400 bytes long, and doing an XREF on 3FCh or 400h in mshtml.dll does not provide any interesting object allocation.
A reliable exploit for this vulnerability can however be created by taking advantage of a particular CImplAry object. The idea consists in creating an array of size 0x400 and precisely altering its content to disclose an arbitrary vTable and redirect the execution flow. (Translator's note: CImplAry is the object that is key to the whole exploit.)
Such an array can be created for instance when an element is cloned. As we can see, "CElement::Clone()" leads to a call to "CElement::CloneAttributes()" and eventually "CAttrArray::Clone()" to clone the attributes. The following lines belong to "CAttrArray::Clone()":
.text:3D06A356 call CAttrArray::operator new(uint) // allocate a new CAttrArray object
.text:3D06A35B cmp eax, edi
.text:3D06A35D jz short loc_3D06A368
.text:3D06A35F mov ecx, eax
.text:3D06A361 call CAttrArray::CAttrArray(void) // initialize the object
.text:3D06A366 mov edi, eax
.text:3D06A368
.text:3D06A368 loc_3D06A368:
.text:3D06A368 test edi, edi
.text:3D06A36A mov esi, [ebp+arg_4]
.text:3D06A36D mov [esi], edi
.text:3D06A36F jz loc_3D0F5DE5
At that point, the application checks whether the original element contains an attribute:
.text:3D06A375 mov eax, [ebx+4]
.text:3D06A378 shr eax, 2 // eax represents the number of attributes associated with the original element
.text:3D06A37B js loc_3D053663
.text:3D06A381 cmp eax, [edi+8]
.text:3D06A384 jbe loc_3D0F5DF1
.text:3D06A38A push 10h
.text:3D06A38C call CImplAry::EnsureSizeWorker(uint,long)
If this number is not NULL, IE allocates 10h * #attributes in "CImplAry::EnsureSizeWorker()". As a result, if the original element has 0x40 attributes defined, IE allocates exactly 0x400 bytes for the new array. These attributes are next copied by "CAttrValue::Copy()":
.text:3D06A3D9 mov byte ptr [esi+1], 0
.text:3D06A3DD call CAttrValue::Copy
Consider now the following script, which creates a new Select element, associates various attributes and clones the node:
var test = document.createElement("select")
test.obj0 = "AAAAAAAAAAAAAAAAAAAA"
test.obj1 = this
[...]
test.obj8 = alert
[...]
test.obj12 = new Date()
var cl0ne = test.cloneNode(true)
Once cloned, the CImplAry looks like this:

Actually an attribute is identified by three fields and uses 0x10 bytes in memory. Pay attention to the bytes in red on Figure 3. They represent the variant types as defined in MSDN: 0x08 indicates a string, 0x09 an object, 0x03 an integer, etc.
The following figure shows obj0, obj8 and obj12 as represented in memory:

Since the application specifically relies on the variant type to determine the type of the attribute, it becomes possible with a heap overflow to corrupt the array and force the browser to confuse types. Figure 5 shows the CImplAry after incrementing and decrementing two bytes:

On Figure 5, obj0 is now an object while obj1 is a string. It is then possible to bypass ASLR/DEP by leaking the object's vTable using JavaScript. This gives the following result:

Then the corrupted string is used to trigger the vulnerability in "CAttrValue::GetIntoVariant()" and reach a CALL instruction leading to arbitrary code execution despite ASLR/DEP:

Two bytes need to be altered for that method to work. If you manage to do it with only one, please let us know! Note also that this method works reliably with all Internet Explorer versions including 9/8/7 and even IE6, since HeapAlloc is used for sizes > 0x230.
As demonstrated in this blog, this vulnerability is really critical, thus we highly recommend applying the patch as soon as possible!
To summarise the general ASLR/DEP bypass approach used here:
[overflowable buffer] [STRING object] [VFTABLE object]
First the allocations have to land in this order (with some luck!).
Then the overflowable buffer is overflowed into the STRING object to kill its terminating NULL, or to enlarge the STRING object's LENGTH field (whether the string is Unicode or ASCII, and the exact layout, depends on the application).
Reading that STRING back from JavaScript then returns more than the string itself: the neighbouring VFTABLE pointer comes out with it.
From the VFTABLE address the DLL's base address can be computed:
- a VFTABLE lives at a fixed place inside its DLL,
- so the DLL base = leaked address - OFFSET,
- and the DLL base is what differs between applications and process launches.
For the EXPLOIT itself, the layout becomes
[overflowable buffer] [VFTABLE object]
and the VFTABLE pointer is overwritten, e.g. with 0x41414141; when a method of that object is later called, EIP becomes 0x41414141. With the DLL base leaked earlier, a ROP chain can be built from that DLL.
That concludes the notes on MS12-004.
In brief: e1 = 0x8F or 0x9F selects the last section of the array, and with e2 larger than 0x7F the index leaves the array's scope and touches other data.
Finding this by fuzzing would be hard: the offset has to come out right on purpose, only a single byte is incremented or decremented, and an ordinary overflow of this kind would at most crash on a clobbered vftable rather than do anything visible.
Credit for the discovery goes to Shane Garrett of IBM Security Systems X-Force Research; e1 and e2 are the natural targets for taint analysis here.
I will add more as I re-read the parts I was unsure of.
If anything is wrong or misleading, please let me know!