返回列表 发帖

【VC】一个IE补丁的源代码

//////////////////////////////////////////////////////////////// // jscriptpatch.cpp //============================================================== // Patch for the IE createTextRange() vulnerability. // // Derek Soeder - eEye Digital Security - 03/24/2006 //////////////////////////////////////////////////////////////// #define WIN32_LEAN_AND_MEAN #include #include //////////////////////////////// // TranslateRVAToRawPtr //////////////////////////////// PBYTE TranslateRVAToRawPtr( PBYTE pbBase, DWORD dwRVA) { PIMAGE_NT_HEADERS ppe; PIMAGE_SECTION_HEADER psect; DWORD dw; //---------------- ppe = (PIMAGE_NT_HEADERS)(pbBase + ((PIMAGE_DOS_HEADER)pbBase)->e_lfanew); psect = IMAGE_FIRST_SECTION(ppe); for (dw = ppe->FileHeader.NumberOfSections; dw != 0; dw--, psect++) { if (dwRVA >= psect->VirtualAddress && (dwRVA - psect->VirtualAddress) < psect->SizeOfRawData) return pbBase + (dwRVA - psect->VirtualAddress + psect->PointerToRawData); } //for(dw) return NULL; } //TranslateRVAToRawPtr() //////////////////////////////// // CreateJScriptPatchDLL //////////////////////////////// BOOL CreateJScriptPatchDLL( char *szOriginalDLL, char *szPatchDLL) { HMODULE hmod; DWORD cbmodsize; PIMAGE_NT_HEADERS ppe; PIMAGE_SECTION_HEADER psect; DWORD dwsectnum; PDWORD pdw; PVOID pvend; DWORD dw; DWORD dwrva, dwrvadest; PBYTE pb; LONG lofs; DWORD dwlen; BOOL bebp; HANDLE hfile; PBYTE pbdest; DWORD cb; DWORD dwerr; //---------------- load the original DLL with virtual alignments and relocations applied hmod = LoadLibraryEx(szOriginalDLL, NULL, DONT_RESOLVE_DLL_REFERENCES); if (hmod == NULL) return FALSE; dwrva = 0; dwrvadest = 0; //---------------- search for an executable section with sufficient unused space ppe = (PIMAGE_NT_HEADERS)(((PBYTE)hmod) + ((PIMAGE_DOS_HEADER)hmod)->e_lfanew); if (ppe->Signature != IMAGE_NT_SIGNATURE) { FreeLibrary(hmod); SetLastError(ERROR_INVALID_EXE_SIGNATURE); return FALSE; } psect = IMAGE_FIRST_SECTION(ppe); for (dwsectnum = 0; dwsectnum != ppe->FileHeader.NumberOfSections; dwsectnum++, psect++) { if ( (psect->Characteristics & (IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_CNT_CODE)) != (IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_CNT_CODE) ) { continue; } if ( ((psect->Misc.VirtualSize & 0x0FFF) != 0) && ((psect->Misc.VirtualSize & 0x0FFF) <= 0x1000 - 0x20) && // patch code will be <= 0x20 bytes (psect->SizeOfRawData > psect->Misc.VirtualSize) && (psect->SizeOfRawData - psect->Misc.VirtualSize >= 0x20) ) { dwrvadest = psect->VirtualAddress + psect->Misc.VirtualSize; break; } } //for(dwsectnum) if (dwsectnum == ppe->FileHeader.NumberOfSections) { FreeLibrary(hmod); SetLastError(-1); return FALSE; } //---------------- search image for 0x74-case switch table cbmodsize = ppe->OptionalHeader.SizeOfImage; pdw = (PDWORD)hmod; pvend = pdw + (cbmodsize / 4) - /*0x74 /*IE 5.0 SP4 only has 0x72 cases*/0x72; for ( ; pdw != pvend; pdw = (PDWORD)((PBYTE)pdw + 1)) { if (*pdw >= (DWORD)hmod && (*pdw - (DWORD)hmod) < cbmodsize) { for (dw = 1; dw != /*0x74*/0x72; dw++) { if (pdw[dw] < (DWORD)hmod || (pdw[dw] - (DWORD)hmod) > cbmodsize) break; } if ( dw == /*0x74*/0x72 && // overlapping cases are a "signature" for the switch table pdw[0x00] == pdw[0x02] && pdw[0x00] == pdw[0x63] && pdw[0x00] == pdw[0x64] && pdw[0x01] == pdw[0x5A] && pdw[0x17] == pdw[0x1B] && pdw[0x5E] == pdw[0x5F] ) { break; } } } //for(pdw) if (pdw == pvend) { FreeLibrary(hmod); SetLastError(-1); return FALSE; } //---------------- search case 0x23 code for VT_EMPTY assignment instruction pb = (PBYTE)(pdw[0x23]); lofs = 0; dwlen = 0; bebp = FALSE; for (dw = 0x40; dw != 0; dw--, pb++) { if (pb[0x00] != 0x66) // 66h: operand size prefix (';vt'; is a WORD-size field) continue; if (pb[0x01] == 0xC7) // C7h/0: MOV mem, imm { switch (pb[0x02]) { case 0x44: // ModRM=44h: 8-bit offset, SIB if (pb[0x03] != 0x24 || pb[0x05] != 0 || pb[0x06] != 0) // SIB=24h: ESP continue; lofs = (LONG)*(char*)(pb + 0x04); dwlen = 0x07; bebp = FALSE; break; case 0x45: // ModRM=45h: 8-bit offset, EBP if (pb[0x04] != 0 || pb[0x05] != 0) continue; lofs = (LONG)*(char*)(pb + 0x03); dwlen = 0x06; bebp = TRUE; break; case 0x84: // ModRM=84h: 32-bit offset, SIB if (pb[0x03] != 0x24 || pb[0x08] != 0 || pb[0x09] != 0) // SIB=24h: ESP continue; lofs = *(LONG*)(pb + 0x04); dwlen = 0x0A; bebp = FALSE; break; case 0x85: // ModRM=85h: 32-bit offset, EBP if (pb[0x07] != 0 || pb[0x08] != 0) continue; lofs = *(LONG*)(pb + 0x03); dwlen = 0x09; bebp = TRUE; break; default: continue; } } else if (pb[0x01] == 0x83) // 83h/4: AND mem, simm8 { switch (pb[0x02]) { case 0x64: // ModRM=64h: 8-bit offset, SIB if (pb[0x03] != 0x24 || pb[0x05] != 0) //SIB=24h: ESP continue; lofs = (LONG)*(char*)(pb + 0x04); dwlen = 0x06; bebp = FALSE; break; case 0x65: // ModRM=65h: 8-bit offset, EBP if (pb[0x04] != 0) continue; lofs = (LONG)*(char*)(pb + 0x03); dwlen = 0x05; bebp = TRUE; break; case 0xA4: // ModRM=A4h: 32-bit offset, SIB if (pb[0x03] != 0x24 || pb[0x08] != 0) // SIB=24h: ESP continue; lofs = *(LONG*)(pb + 0x04); dwlen = 0x09; bebp = FALSE; break; case 0xA5: // ModRM=A5h: 32-bit offset, EBP if (pb[0x07] != 0) continue; lofs = *(LONG*)(pb + 0x03); dwlen = 0x08; bebp = TRUE; break; default: continue; } } else continue; if ((lofs & 3) != 0) // variable will always be DWORD-aligned on stack continue; if (bebp) { if (lofs > -0x04 || lofs < -0x800) // EBP-relative must be negative continue; } else { if (lofs < 0 || lofs > 0x800) // ESP-relative must be positive continue; } dwrva = (UINT_PTR)pb - (UINT_PTR)hmod; break; } //for(dw) FreeLibrary(hmod); if (dw == 0) { SetLastError(-1); return FALSE; } //---------------- read original JScript.dll into memory hfile = CreateFile(szOriginalDLL, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL); if (hfile == INVALID_HANDLE_VALUE) return FALSE; cbmodsize = GetFileSize(hfile, NULL); if (cbmodsize == INVALID_FILE_SIZE) { dwerr = GetLastError(); CloseHandle(hfile); SetLastError(dwerr); return FALSE; } pb = (PBYTE)LocalAlloc(LMEM_FIXED, cbmodsize); if (pb == NULL) { dwerr = GetLastError(); CloseHandle(hfile); SetLastError(dwerr); return FALSE; } if (!ReadFile(hfile, pb, cbmodsize, &cb, NULL) || cb != cbmodsize) { dwerr = GetLastError(); CloseHandle(hfile); LocalFree(pb); SetLastError(dwerr); return FALSE; } CloseHandle(hfile); //---------------- patch in-memory file and write it to patched DLL ppe = (PIMAGE_NT_HEADERS)(pb + ((PIMAGE_DOS_HEADER)pb)->e_lfanew); psect = IMAGE_FIRST_SECTION(ppe); psect += dwsectnum; pbdest = TranslateRVAToRawPtr(pb, dwrvadest); psect->Misc.VirtualSize += 0x20; pbdest[0x00] = 0x60; // PUSHAD pbdest[0x01] = 0x8D; // LEA EDI, [{ESP,EBP}+ofs32] pbdest[0x02] = 0xBC; pbdest[0x03] = (bebp ? 0x25 : 0x24); *(LONG*)(pbdest + 0x04) = (bebp ? lofs : lofs + 0x20); // (0x20 to compensate for PUSHAD effect on stack) pbdest[0x08] = 0x33; // XOR EAX, EAX pbdest[0x09] = 0xC0; *(DWORD*)(pbdest + 0x0A) = 0xABABABAB; // STOSD / STOSD / STOSD / STOSD pbdest[0x0E] = 0x61; // POPAD pbdest[0x0F] = 0xE9; // JMP rel32 *(DWORD*)(pbdest + 0x10) = (dwrva + dwlen) - (dwrvadest + 0x14); pbdest = TranslateRVAToRawPtr(pb, dwrva); pbdest[0x00] = 0xE9; // JMP rel32 *(DWORD*)(pbdest + 0x01) = dwrvadest - (dwrva + 5); hfile = CreateFile(szPatchDLL, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (hfile == INVALID_HANDLE_VALUE) { dwerr = GetLastError(); LocalFree(pb); SetLastError(dwerr); return FALSE; } if (!WriteFile(hfile, pb, cbmodsize, &dw, NULL) || dw != cbmodsize) { dwerr = GetLastError(); CloseHandle(hfile); LocalFree(pb); SetLastError(dwerr); return FALSE; } CloseHandle(hfile); LocalFree(pb); SetLastError(ERROR_SUCCESS); return TRUE; } //CreateJScriptPatchDLL() //////////////////////////////// // WinMain //////////////////////////////// int WINAPI WinMain( IN HINSTANCE hInstance, IN HINSTANCE hPrevInstance, IN LPSTR lpCmdLine, IN int nShowCmd) { char szsystem32[MAX_PATH+8]; char szoriginal[MAX_PATH+40]; char szpatch[MAX_PATH+40]; UINT u; DWORD dwerr; //---------------- if ( lpCmdLine != NULL && ((strstr(lpCmdLine, "/?") != NULL) || (strstr(lpCmdLine, "-?") != NULL)) ) { MessageBox(NULL, ":::\n" "::: Microsoft Internet Explorer createTextRange patch\n" "::: eEye Digital Security - www.eeye.com - 03/24/2006\n" ":::\n", "eEye Digital Security", MB_OK); return -1; } //---------------- get %SystemRoot%\system32 path u = GetSystemDirectory(szsystem32, sizeof(szsystem32) - 1); if (u == 0 || u >= sizeof(szsystem32) - 1) { dwerr = GetLastError(); return (dwerr == 0 ? ERROR_PATH_NOT_FOUND : (int)dwerr); } if (szsystem32[u-1] != ';\\';) { szsystem32 = ';\\';; szsystem32[u+1] = 0; } else szsystem32 = 0; _snprintf(szoriginal, sizeof(szoriginal), "%sjscript.dll", szsystem32); szoriginal[sizeof(szoriginal)-1] = 0; _snprintf(szpatch, sizeof(szpatch), "%sjscript-eeye-patch20.dll", szsystem32); szpatch[sizeof(szpatch)-1] = 0; //---------------- create patched JScript.dll if (!CreateJScriptPatchDLL(szoriginal, szpatch)) { dwerr = GetLastError(); return (dwerr == 0 ? -1 : (int)dwerr); } return 0; } //WinMain()

【VC】一个IE补丁的源代码

是IE的什么漏洞??
IE的洞似乎不少。

TOP

【VC】一个IE补丁的源代码

不错的,支持

TOP

【VC】一个IE补丁的源代码

好东西!!

TOP

返回列表 回复 发帖