CVE-2014-6332调试分析

    这个漏洞是一个IE浏览器里，vbs方面的漏洞，yuange首先放出了这个漏洞的完整dve的利用，接下来各个安全团队都出了比较好的分析报告。这个漏洞本身的原理算是比较传统，但是利用技术非常巧妙。置位safemode后，shellcode相当于用脚本语言直接编写，通用性稳定性极强。闲暇之余，也忍不住调试一下。

调试环境Win7+IE8，参考了瀚海源的精简版yuange POC，因为里面有加入了通过vbs在调试器里打日志的方法，就直接用了，感谢分享。

漏洞原理：

先列出相关的数据结构：

typedef struct FARSTRUCT tagSAFEARRAY {
   unsigned short cDims;       // Count of dimensions in this array.
   unsigned short fFeatures;   // Flags used by the SafeArray
                        // routines documented below.
#if defined(WIN32)

   unsigned long cbElements;   // Size of an element of the array.
                        // Does not include size of
                        // pointed-to data.
   unsigned long cLocks;      // Number of times the array has been 
                        // locked without corresponding unlock.
#else
   unsigned short cbElements;
   unsigned short cLocks;
   unsigned long handle;      // Used on Macintosh only.
#endif
   void HUGEP* pvData;             // Pointer to the data.
   SAFEARRAYBOUND rgsabound[1];      // One bound for each dimension.
} SAFEARRAY;

typedef struct tagSAFEARRAYBOUND {
  ULONG cElements;
  LONG  lLbound;
} SAFEARRAYBOUND, *LPSAFEARRAYBOUND;

漏洞出在oleaut32!SafeArra