CVE-2014-0322 (MS14-012) Exploit

Source: Internet
Author: User

Recently I have been studying heap-spraying techniques for array objects in JavaScript, such as int arrays and Int32Array. I described array-object heap spraying in the previous article and will not repeat it here. Today I take CVE-2014-0322 as an example to look at how array-object heap spraying is applied in practice, how a use-after-free (UAF) is turned into an arbitrary address read/write primitive, and how to make sure Internet Explorer does not crash after the vulnerability has been exploited.

Turning a UAF into an arbitrary address read/write is essentially a matter of controlling program flow: what matters is the function in which the vulnerability is triggered and what the code does with the object afterwards. As long as there is a write to the freed object's memory, the bug is usually exploitable, because that write can be combined with an array object to obtain arbitrary address read/write.
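The reuse mechanism described above, as an added example that is not code from the original post: a toy LIFO slab allocator (constructed for the demo, as are the two struct layouts and the flag value) shows a stale write through a dangling pointer landing in an array header's length field when objects and array headers share one heap, and why keeping them in type-isolated heaps, as Microsoft later did for Internet Explorer, blocks that reuse.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy slab allocator (constructed): fixed-size slots handed out LIFO, so the
 * slot that was just freed is the first one reused by the next allocation. */
#define SLOT 32
#define NSLOTS 8
struct pool { unsigned char mem[NSLOTS * SLOT]; void *freelist[NSLOTS]; int top; };

static void pool_init(struct pool *p) {
    p->top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) p->freelist[p->top++] = p->mem + i * SLOT;
}
static void *pool_alloc(struct pool *p) { return p->top ? p->freelist[--p->top] : NULL; }
static void pool_free(struct pool *p, void *q) { p->freelist[p->top++] = q; }

/* A DOM-like object whose engine still writes to a field after release. */
struct node { void *vtbl; uint32_t flags; uint32_t pad[5]; };
/* An array header whose length field sits at the same offset as node.flags. */
struct typed_array { void *buffer; uint32_t length; uint32_t pad[5]; };

/* Create an object, release it while a stale pointer is kept, allocate an array
 * header, write through the stale pointer, and return the array length seen after.
 * Shared pool: the write corrupts the length (seed of an out-of-bounds primitive).
 * Isolated pools: the array header can never occupy the freed object's slot. */
uint32_t array_length_after_stale_write(int isolated_heaps) {
    struct pool objects, arrays;
    pool_init(&objects);
    pool_init(&arrays);
    struct pool *array_pool = isolated_heaps ? &arrays : &objects;
    struct node *n = pool_alloc(&objects);
    n->vtbl = NULL; n->flags = 0;
    pool_free(&objects, n);                          /* released, n still held */
    struct typed_array *a = pool_alloc(array_pool);  /* may reuse n's slot */
    a->buffer = NULL; a->length = 16;
    /* Stale write through the dangling pointer, done with memcpy so the compiler
     * cannot assume a struct node write never touches an array header. */
    uint32_t v;
    memcpy(&v, &n->flags, sizeof v);
    v |= 0x10000000u;
    memcpy(&n->flags, &v, sizeof v);
    return a->length;                                /* 0x10000010 shared, 16 isolated */
}

int main(void) {
    printf("shared heap:    length=0x%x\n", array_length_after_stale_write(0));
    printf("isolated heaps: length=0x%x\n", array_length_after_stale_write(1));
    return 0;
}
```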

The benefit of converting to arbitrary address read/write is that controlling execution and subsequently triggering the shellcode become easier. In this example the shellcode trigger borrows the idea from the original sample: the pvftable is modified, and the corresponding Array function is then called to trigger the shellcode.

As for making sure IE does not crash after exploitation, the approach that comes to mind is to use a temporary stack that we construct to redirect execution to the shellcode, then restore ESP to the original stack space, restore the modified memory, and finally JMP to the correct Array function. This method has limitations as well as advantages. The limitation is that different functions may have their own requirements on registers, and the offset from EBP used when restoring ESP is not fixed, so it has to be hard-coded as needed. The advantage is that the choice of function is in our hands: the method can be implemented with a single function, which makes it universal, because the internal call sequence of the same function is always the same, so the recovery process is relatively simple. The code is as follows (Win7 + IE10).
