WinDbg can load an additional extension, MSEC.dll (Microsoft's !exploitable Crash Analyzer), which gives a heuristic verdict on whether a crash is exploitable, based on the exception type, the faulting address and the faulting instruction. It is especially handy for quickly triaging NULL-pointer crashes. Usage is simple: download the extension, place it in the Debugging Tools for Windows (x86)\winext folder, then open the crash in WinDbg:
```
(f34.524): Access violation - code c0000005 (!!! second chance !!!)
eax=03f860b8 ebx=00000000 ecx=03f860b8 edx=00000000 esi=03f860b8 edi=00000000
eip=65ac68e0 esp=03df9c30 ebp=03df9c44 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\MSHTML.dll - 
MSHTML!CreateCoreWebView+0x9db30:
65ac68e0 f7470800000010  test    dword ptr [edi+8],10000000h ds:0023:00000008=????????
```
Then load MSEC.dll:
```
0:013> !load winext\MSEC.dll
```
Run !exploitable to get the exploitability verdict:
```
0:013> !exploitable
!exploitable 1.6.0.0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\System32\jscript9.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\msvcrt.dll - 
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at MSHTML!CreateCoreWebView+0x000000000009db30 (Hash=0xcf51cc36.0xd0bfbfe5)

This is a user mode read access violation near null, and is probably not exploitable.
```
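Running !exploitable by hand is fine for one crash, but a fuzzing run produces hundreds, and the verdict lines are the part worth keeping. The script below is an added example (not code from the original post or from MSEC.dll) that parses !exploitable output into a record, ranks it by classification, buckets crashes by the Major Hash, and builds the cdb command line for driving the extension over a dump file in batch. The embedded sample is the debugger output shown above; `cdb.exe` being on PATH and MSEC.dll living under `winext\` are assumptions, as is the `.symfix` step, which only helps when the Microsoft symbol server is reachable.

```python
"""Parse and bucket !exploitable (MSEC.dll) output for batch crash triage."""
import re
import subprocess
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the !exploitable output from the WinDbg session above,
# embedded here so the parser can be exercised without a debugger.
SAMPLE_OUTPUT = r"""0:013> !exploitable
!exploitable 1.6.0.0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\System32\jscript9.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\msvcrt.dll - 
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at MSHTML!CreateCoreWebView+0x000000000009db30 (Hash=0xcf51cc36.0xd0bfbfe5)

This is a user mode read access violation near null, and is probably not exploitable.
"""

# Classifications emitted by !exploitable 1.6, most to least severe.
SEVERITY = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "UNKNOWN", "PROBABLY_NOT_EXPLOITABLE"]


@dataclass(frozen=True)
class Triage:
    classification: str
    title: str
    major_hash: str        # stack-derived hash used for bucketing duplicates
    minor_hash: str
    symbols_missing: bool  # debugger fell back to export symbols for some module


_CLASS_RE = re.compile(r"Exploitability Classification:\s*(\S+)")
_TITLE_RE = re.compile(
    r"Recommended Bug Title:\s*(.+?)\s*\(Hash=0x([0-9a-fA-F]+)\.0x([0-9a-fA-F]+)\)")


def parse_exploitable(text: str) -> Triage:
    """Extract the verdict, title and hashes from raw debugger output."""
    cls = _CLASS_RE.search(text)
    title = _TITLE_RE.search(text)
    if not cls or not title:
        raise ValueError("no !exploitable verdict found in debugger output")
    return Triage(
        classification=cls.group(1),
        title=title.group(1),
        major_hash=title.group(2).lower(),
        minor_hash=title.group(3).lower(),
        symbols_missing="Symbol file could not be found" in text,
    )


def severity_rank(t: Triage) -> int:
    """0 is most severe; any string the tool version didn't document sorts as UNKNOWN."""
    name = t.classification if t.classification in SEVERITY else "UNKNOWN"
    return SEVERITY.index(name)


def needs_manual_review(t: Triage) -> bool:
    """Only a PROBABLY_NOT_EXPLOITABLE verdict is auto-dismissed; everything else gets eyes on it."""
    return t.classification != "PROBABLY_NOT_EXPLOITABLE"


def group_by_major_hash(triages):
    """Bucket crashes that share a Major Hash. Frames without symbols may hash
    differently between runs, so dedupe only within a consistent symbol setup."""
    buckets = defaultdict(list)
    for t in triages:
        buckets[t.major_hash].append(t)
    return dict(buckets)


def cdb_command(dump_path: str, cdb: str = "cdb.exe"):
    """cdb argv for one dump: -z opens the dump, -c runs the command string.
    .symfix points at the Microsoft public symbol server; q exits afterwards."""
    return [cdb, "-z", dump_path, "-c",
            r".symfix; .reload; !load winext\MSEC.dll; !exploitable; q"]


def triage_dump(dump_path: str, cdb: str = "cdb.exe") -> Triage:
    """Run cdb non-interactively on a dump and parse the verdict (needs cdb on PATH)."""
    proc = subprocess.run(cdb_command(dump_path, cdb), capture_output=True,
                          text=True, check=False)
    return parse_exploitable(proc.stdout)


if __name__ == "__main__":
    t = parse_exploitable(SAMPLE_OUTPUT)
    print(t)
    print("manual review" if needs_manual_review(t) else "auto-dismissed",
          "(symbols missing)" if t.symbols_missing else "")
```

The parser keys on the two lines every !exploitable version prints, so it survives the symbol-loading noise interleaved in the output. Treat the near-NULL verdict as what it is, a heuristic on the faulting address: the `symbols_missing` flag is there so a batch run can be re-done with `_NT_SYMBOL_PATH` set before trusting the hashes for deduplication.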