Type confusion vulnerability case analysis
Source: myhack58 (www.myhack58.com), vulnerability warning section, MYHACK58:62201992836
Author: Anonymous (佚名)
Published: Feb 21, 2019
EPSS score: 0.973 (High), 99.9th percentile

A type confusion vulnerability, in general terms, is one in which data of type A is interpreted and dereferenced as if it were data of type B. The mismatched layout lets code read or write memory it was never meant to touch, and that illegitimate access can be turned into arbitrary code execution.
This article works through two examples, an IE type confusion vulnerability and a Word type confusion vulnerability, to explain how type confusion vulnerabilities arise and how they are analyzed.
Example one: IE/Edge type confusion vulnerability (CVE-2017-0037)
Vulnerability cause: a function in the processing path does not strictly check the type of the object it is handed, so an object of the wrong type is treated as the expected one.
Analysis environment: Windows 7 with IE11
Analysis tools: WinDbg, OllyDbg (OD), IDA Pro
The PoC defines a table whose th element has the id th1; the boom() function references that element, and setInterval is used to schedule boom() so that it fires after the page has loaded.
Vulnerability cause analysis:
Run the PoC with OllyDbg or WinDbg attached, and the crash occurs.
At the crash point, eax is being used as a pointer but holds an invalid address, which is what causes the access violation. The instruction just before the faulting one is a call.
The invalid value in eax is the return value of that call, so the next step is to set a breakpoint on the call and look at its arguments.
ecx is the argument (the this pointer), and the object it points to starts with the Layout::FlowItem::`vftable' virtual table pointer.
[figure: https://r.sinaimg.cn/large/Article/8abbe161657ffd95360e14dbee7d5a57]
That value is used inside the Readable function:
[figure: https://r.sinaimg.cn/large/Article/3841b2d14e5d6c1ca0f25ff85e5bca80]
[figure: https://r.sinaimg.cn/large/Article/bec2af611992baecd35551c52ebb45f6]
The function reads the value at virtual table + 4; when that value is 0, the this pointer is assigned to v1 and v1 + 16 is returned. For a pointer to an object whose virtual table really is Layout::FlowItem::`vftable' this is the normal case: the function returns cleanly and execution continues into the subsequent processing logic.
Let the program continue and the same function is called again, but this time ecx is not an object with a virtual table at all; it is an int Array object. Conditional breakpoints can be used to trace how the two objects are created, concentrating on the two allocation functions: one creates the object whose virtual table is Layout::FlowItem::`vftable', the other creates the int Array object that triggers the crash. In both cases the function's return value in eax is the pointer to the newly created object.
With a conditional breakpoint on the int Array constructor, the object information is printed each time an int Array object is created.
Tracing confirms that on the first call to the Readable function ecx is a normal FlowItem object, while on the second call ecx is an int Array object. Layout::Patchable<T>::Readable is written to operate on objects that carry a virtual table. Because boom() modifies th1.align, the Readable function is reached a second time, and because the function never checks the type of the object it receives, that second call is handed the wrong object (the int Array object above). Its first dword is interpreted as a virtual table pointer, the "virtual table + 4" read goes to garbage, and the type confusion ends in a crash.
Analysis of the key exploitation points
First, examine the context at the crash point and follow the code flow forward to see whether there is anything usable.
The return value in eax is tested against 0; when it is non-zero, execution continues past the Readable function, eax is dereferenced several times in succession, and the chain ends in a `call edi`, a virtual function call. If edi can be controlled, this is a code execution primitive. A Control Flow Guard check (CFG, `call __guard_check_icall_fptr`) sits on this path, but Windows 7 does not enable CFG, so on the analysis system there is nothing to bypass.
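To make the two call paths above concrete, here is a constructed C model of the confusion, added for this edit; it is not code from the article and not IE's real implementation. It emulates a small 32-bit heap, places a FlowItem-style object (first dword = virtual table pointer) and an int Array-style object (first dword = pointer to its element buffer) on it, and runs an unchecked `Readable` over both. With the FlowItem the function takes the "virtual table + 4 == 0" branch and returns this + 16; with the int Array the element buffer is mistaken for a virtual table, a script-controlled element value is returned in eax, and the caller faults on it, which is the sequence the debugger showed. A hardened variant that verifies the virtual table before using it rejects the int Array. The heap base and layout, the addresses, the value 0x41414141, the behaviour of the non-zero branch and the vtable-identity check are all assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

/* Assumed base and size of a tiny emulated 32-bit heap (not a real IE address). */
#define HEAP_BASE 0x00400000u
#define HEAP_SIZE 0x1000u
static uint8_t g_heap[HEAP_SIZE];

enum { R_OK = 0, R_AV = 1, R_TYPE_REJECTED = 2 };

/* Read one little-endian dword. Any address outside the emulated heap is an
 * access violation, standing in for the crash seen at the invalid eax. */
static int load32(uint32_t addr, uint32_t *out) {
    if (addr < HEAP_BASE || addr - HEAP_BASE > HEAP_SIZE - 4) return R_AV;
    memcpy(out, g_heap + (addr - HEAP_BASE), 4);
    return R_OK;
}

static void store32(uint32_t addr, uint32_t v) {
    memcpy(g_heap + (addr - HEAP_BASE), &v, 4);
}

/* Assumed layouts (not the real IE ones):
 *   FlowItem : [+0] virtual table pointer, [+4..] fields
 *   vtable   : [+0] slot0, [+4] slot1
 *   IntArray : [+0] pointer to element buffer, [+4] element count */
#define FLOWITEM_VTABLE (HEAP_BASE + 0x000)
#define FLOWITEM_OBJ    (HEAP_BASE + 0x100)
#define INTARRAY_OBJ    (HEAP_BASE + 0x200)
#define INTARRAY_BUF    (HEAP_BASE + 0x300)

/* Lay out both objects with constructed contents. */
void build_heap(void) {
    memset(g_heap, 0, sizeof g_heap);
    store32(FLOWITEM_VTABLE + 0, 0x00401000u);  /* some method address, unused here */
    store32(FLOWITEM_VTABLE + 4, 0);            /* slot1 == 0: the normal branch observed in the debugger */
    store32(FLOWITEM_OBJ + 0, FLOWITEM_VTABLE);
    store32(INTARRAY_OBJ + 0, INTARRAY_BUF);
    store32(INTARRAY_OBJ + 4, 4);
    /* Element values come from script, i.e. they are attacker-controlled (constructed here). */
    store32(INTARRAY_BUF + 0,  0x00000001u);
    store32(INTARRAY_BUF + 4,  0x41414141u);    /* lands exactly where Readable expects "vtable + 4" */
    store32(INTARRAY_BUF + 8,  0x00000002u);
    store32(INTARRAY_BUF + 12, 0x00000003u);
}

/* Model of the Readable function as the article describes it: `this` is assumed
 * to carry a virtual table and its type is never checked. */
int readable_unchecked(uint32_t this_ptr, uint32_t *out) {
    uint32_t vtbl, slot;
    if (load32(this_ptr, &vtbl) != R_OK) return R_AV;   /* [this]       -> "virtual table" */
    if (load32(vtbl + 4, &slot) != R_OK) return R_AV;   /* [vtable + 4] -> slot1 */
    if (slot == 0) {                                     /* v1 = this; return v1 + 16 */
        *out = this_ptr + 16;
        return R_OK;
    }
    *out = slot;  /* assumption: on the non-zero branch the slot value reaches the returned pointer */
    return R_OK;
}

/* Hardened model: refuse anything whose virtual table is not the FlowItem one
 * before touching it (an illustrative check, not the vendor's actual fix). */
int readable_checked(uint32_t this_ptr, uint32_t *out) {
    uint32_t vtbl;
    if (load32(this_ptr, &vtbl) != R_OK) return R_AV;
    if (vtbl != FLOWITEM_VTABLE) return R_TYPE_REJECTED;
    return readable_unchecked(this_ptr, out);
}

/* The caller tests eax against 0 and then dereferences it; with a confused
 * object this is where the access violation lands. */
int caller_after_readable(uint32_t this_ptr) {
    uint32_t p, v;
    int rc = readable_unchecked(this_ptr, &p);
    if (rc != R_OK) return rc;
    if (p == 0) return R_OK;
    return load32(p, &v);
}

/* Wrappers so each scenario is one call on a freshly built heap. */
uint32_t unchecked_result(uint32_t this_ptr) {
    uint32_t p = 0;
    build_heap();
    return readable_unchecked(this_ptr, &p) == R_OK ? p : 0;
}
int unchecked_caller_status(uint32_t this_ptr) { build_heap(); return caller_after_readable(this_ptr); }
int checked_status(uint32_t this_ptr) { uint32_t p; build_heap(); return readable_checked(this_ptr, &p); }

int main(void) {
    printf("FlowItem  : Readable -> 0x%08" PRIx32 ", caller status %d\n",
           unchecked_result(FLOWITEM_OBJ), unchecked_caller_status(FLOWITEM_OBJ));
    printf("IntArray  : Readable -> 0x%08" PRIx32 ", caller status %d (1 = access violation)\n",
           unchecked_result(INTARRAY_OBJ), unchecked_caller_status(INTARRAY_OBJ));
    printf("IntArray with type check: %d (2 = rejected)\n", checked_status(INTARRAY_OBJ));
    return 0;
}
```

The point the model makes is the one the debugging session above makes: nothing in the unchecked path distinguishes a FlowItem from an int Array, so whatever the array's first dword points at is treated as a virtual table, and the array's contents decide what ends up in eax and, further down, in edi. The check in `readable_checked` is deliberately placed before the first dereference of the supposed virtual table, because once that read has happened the confusion has already occurred.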