构造WapAuthProvider::CreateInstance
函数分配并初始化一个WapAuthProvider
对象(0x78 字节),但未能完全初始化其状态。
调用析构函数时(在 中),偏移量 0x50 处的指针未初始化并被释放WapAuthProvider::~WapAuthProvider
:
prauthproviders!WapAuthProvider::~WapAuthProvider+0x38:
00007ffd`a91f3078 488b4b50 mov rcx,qword ptr [rbx+50h] ds:000001cf`efe35fd0=c0c0c0c0c0c0c0c0
0:011>
prauthproviders!WapAuthProvider::~WapAuthProvider+0x3c:
00007ffd`a91f307c 4883634000 and qword ptr [rbx+40h],0 ds:000001cf`efe35fc0=0000000000000000
0:011>
prauthproviders!WapAuthProvider::~WapAuthProvider+0x41:
00007ffd`a91f3081 48ff1578ad0000 call qword ptr [prauthproviders!_imp_LocalFree (00007ffd`a91fde00)] ds:00007ffd`a91fde00={KERNELBASE!LocalFree (00007ffd`ccdb0620)
这是使用未初始化数据的函数,请参见[0]
和[1]
:
void WapAuthProvider::~WapAuthProvider(__int64 this) {
void *v2; // rcx
void *v3; // rcx
*(_QWORD *)this = &WapAuthProvider::`vftable';
LocalFree(*(HLOCAL *)(this + 56));
v2 = *(void **)(this + 64);
*(_QWORD *)(this + 56) = 0i64;
LocalFree(v2);
v3 = *(void **)(this + 80); // <-- [0] uninitialized
*(_QWORD *)(this + 64) = 0i64;
LocalFree(v3); // <-- [1] free
*(_QWORD *)(this + 80) = 0i64;
}
winword.exe
cve-2022-21971.rtf
在 Word 中打开(1c84.11b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
verifier!AVrfpDphFindBusyMemoryNoCheck+0x8a:
00007ffd`78d84742 817ac0bbbbcdab cmp dword ptr [rdx-40h],0ABCDBBBBh ds:c0c0c0c0`c0c0c080=????????
0:011> kc
# Call Site
00 verifier!AVrfpDphFindBusyMemoryNoCheck
01 verifier!AVrfpDphFindBusyMemory
02 verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList
03 verifier!AVrfDebugPageHeapFree
04 ntdll!RtlDebugFreeHeap
05 ntdll!RtlpFreeHeap
06 ntdll!RtlpFreeHeapInternal
07 ntdll!RtlFreeHeap
08 KERNELBASE!LocalFree
09 prauthproviders!WapAuthProvider::~WapAuthProvider
0a prauthproviders!WapAuthProvider::`vector deleting destructor'
0b prauthproviders!WapAuthProvider::Release
0c prauthproviders!CClassFactory::CreateInstance
0d combase!CServerContextActivator::CreateInstance
0e combase!ActivationPropertiesIn::DelegateCreateInstance
0f combase!CApartmentActivator::CreateInstance
我已经在 Windows 10 x64 VM 和 Windows 11 x64 上使用写字板(但需要单击)和 Office Word 2019 复制了此内容。
本文系转载,前往查看
如有侵权,请联系 cloudcommunity@tencent.com 删除。
本文系转载,前往查看
如有侵权,请联系 cloudcommunity@tencent.com 删除。