CVE-2017-0037: the IE11&Edge Type Confusion from the PoC to the half of the Exploit-vulnerability warning-the black bar safety net

Some time ago Google Project Zero(PJ0)of the exposure a on IE11 and Edge of a type confusion caused by code execution vulnerabilities, Microsoft has not introduced about this vulnerability patch, I am on this vulnerability analysis, and by PoC constructed the half of the Exploit, why is half of it, first of all the vulnerabilities the attack surface is relatively narrow, only the control Array in+0x4 position value, by type confusion would think that this value is a pointer, then call the pointer to a certain offset of the virtual function when we can control this pointer value, the virtual function can also be controlled. So you can hijack the program flow reaches the code to perform the effect. But this one involves a ASLR issue, due to the address randomization, leading us to even control the jump after, not by the info leak to construct the ROP, that is, the DEP is also unable to bypass.
Here I also have to take into account the yuan brother of DVE, but since we don’t have the RW primitives, and therefore we control the key pointer of the conditions is too limited, leading to want GodMod to the execution of the script method seems to be not too feasible or I have not found? Seeking large cattle advise! in.
So here, I wrote one in the turn off DEP when you can use the exploit, and share with everyone from the PoC to the Exp of the whole process, have to say the process is still very cumbersome, because looking for this Array+0x4 location of controls how the value can be a DWORD SHOOT, I talked to a Layout::TableBoxBuilder class under a lot of function.
PJ0 CVE-2017-0037 PoC address:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1011
Now, Microsoft has not updated this exp patch, but someone using 0patch patch this vulnerability, in fact I look and feel less like a from the fundamental solution to this vulnerability issue:
https://0patch.blogspot.jp/2017/03/0patching-another-0-day-internet.html
Although this Type Confusion attack surface is limited, but the Type Confusion this vulnerability is very common, it’s the principle of the General case is due to the function of the process, not the object type a strict check, the cause can by some means to cause the type of Confusion, through to other controllable types of control can be achieved code execution effect, even arbitrary memory read and write, such as Memory Corruption。
Okay, not much to say! Below we go into today’s analysis, we first vulnerability analysis of the environment:
Windows 7 x64 sp1 build 7601
IE 11.0.9600.17843
! [](/Article/UploadPic/2017-3/2017321151923405. png? www. myhack58. com)
Vulnerability analysis
The first vulnerability is the key to the emergence in the boom (), the PoC defines a table table, wherein the tag defines the table id to th1, in the boom()function referenced in the To, followed by a setInterval to set the event.
Running the PoC, you can capture to vulnerability to collapse, attach Windbg to.
0:003:x86> r
eax=00000038 ebx=0947ffb0 ecx=0947ffb0 edx=00000002 esi=00000064 edi=6e65c680
eip=6e20fc87 esp=086abdc0 ebp=086abdec iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSHTML! Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningelement+0x2c3d36:
6e20fc87 833800 cmp dword ptr [eax],0 ds:002b:00000038=???
You can see that here eax as a pointer, a reference to an invalid address, causing a crash directly back crash position of the context, it can be seen in the cmp Assembly instruction before call a function Layout::Patchable >::Readable and.
And the eax register is exactly Readable function’s return value. We are in this function call to call the next position of the Breakpoints, re-executing windbg to.
0:007:x86> r
eax=0a020590 ebx=007e79f0 ecx=007e79f0 edx=007e79f0 esi=00000064 edi=69ad8080
eip=6968fc82 esp=0900b878 ebp=0900b8a4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
MSHTML! Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningelement+0x2c3d31:
6968fc82 e86df072ff call MSHTML! Layout::Patchable >::Readable (68dbecf4)
You can see that the ecx register as the first parameter, take a look at the parameters stored in the object.
0:007:x86> dps ecx
007e79f0 68d82230 MSHTML! Layout::FlowItem::the vftable' 007e79f4 00000000 //this value will be Readable in the function reference 007e79f8 00000009 007e79fc 007ec8d4 007e7a00 0a020660 007e7a04 00000064 007e7a08 00000064 007e7a0c 007e79f0 007e7a10 007e79f0 007e7a14 68d82230 MSHTML! Layout::FlowItem::the vftable’
007e7a18 00000000
007e7a1c 00000009
007e7a20 007ec8d4
007e7a24 0a01fc60
007e7a28 00000000
007e7a2c 00000000
007e7a30 007e7a14
007e7a34 007e7a14
The parameters of the stored object is a Layout::FlowItem::`the vftable virtual table, followed by IDA to analyze what this function function.
int __thiscall Layout::Patchable>::Readable(int this)
{
int v1; // eax@2
int result; // eax@4
if ( *(_BYTE )((_DWORD *)(__readfsdword(44) + 4 * _tls_index) + 36) )
// get the tls array
{
result = this + 16;
}
else
{
v1 = *(_DWORD *)(this + 4);
if ( ! v1 ) // this position will check this a + 0x4 a position of value, if it is 0, the process proceeds to the processing
v1 = this;//get the vftable pointer
result = v1 + 16;

[1] [2] [3] [4] [5] next