$hell on Earth

Recommendations

Info

Here is a minimal PoC that triggers this vulnerability: var arrMovieClips:Array = new Array(0x500); for ( var i = 0; i < arrMovieClips.length; ++ i ) { arrMovieClips[i] = swfRoot.createEmptyMovieClip(“mc” + i, swfRoot.getNextHighestDepth()); } var mc:MovieClip = arrMovieClips[arrMovieClips.length - 0x100]; var t = new Transform(mc); var geom = _global[“flash”][“geom”]; var OriginalMatrix = flash.geom.Matrix; geom.addProperty(‘Matrix’,function() { for ( var i = arrMovieClips.length - 0x200; i < arrMovieClips.length; ++ i ) arrMovieClips[i].removeMovieClip(); return OriginalMatrix; }, function() {} ); var m = t.matrix; Exploitation of CVE-2016-1016 Exploitation of this vulnerability occurred by triggering the free of MovieClip objects within the custom accessor on the geom object and replacing them with custom AS3 objects. At this point, the addresses of controlled objects are known and passed on to the last vulnerability in the userland exploit. CVE-2016-1016 Patch To patch this vulnerability, Adobe modified the handler for Transform objects in AS2 by adding a stack variable to store the contents of the matrix prior to calling the copy routine. Although hijacking the matrix property of flash.geom is still possible to free the original matrix property, nothing malicious can occur. 26 | <strong>$hell</strong> on Earth: From Browser to System Compromise
Here is a snippet of code showing the AS2 handler for Transform objects before the patch: case 101: v10 = (char *)(v9 + 40); return sub_5D2AF6((int)v10, v1); After the patch, we can see that a copy of the matrix structure is made prior to calling the vulnerable function: case 101: qmemcpy(&v14, v10 + 11, 0x1Cu); return sub_5E9D60((int)&v14, &v2->thisMaybe); CVE-2016-1017 – Adobe Flash AS2 LoadVars Decode Use-After-Free Vulnerability Now that the address of kernel32 is known as well as the address of a custom object, the second and last Adobe Flash use-after-free vulnerability is used to complete the userland exploit. The issue lies in the LoadVars class in the decode method. The decode method is designed to parse URL-encoded strings with one or more name and value pairs. These name and value pairs are added to the object as properties. The issue occurs due to support for watching modifications of properties. Specifically, the Object class provides a watch method, which can be used to call a function whenever a property on any given object is modified. Since LoadVars.decode is explicitly designed to set properties on an object, it was possible to set a watch handler for a property to be assigned and trigger a use-afterfree vulnerability. 27 | <strong>$hell</strong> on Earth: From Browser to System Compromise
Page 1 and 2: $hell on Earth: Fr
Page 3 and 4: The winning submissions to Pwn2Own
Page 5 and 6: Here are some of the welcome improv
Page 7 and 8: Pwn2Own 2015 Zeguang Zhao (Team509)
Page 9 and 10: The vulnerability is triggered with
Page 11 and 12: Here is a snippet of the original c
Page 13 and 14: } if ( !(unsigned __int8)_mthid_isG
Page 15 and 16: Here is the location within JavaScr
Page 17 and 18: Exploitation of CVE-2016-1857 The e
Page 19 and 20: The following code triggers the vul
Page 21 and 22: CVE-2016-1796 - Apple OS X libATSSe
Page 23 and 24: Google Chrome Vulnerability to Kern
Page 25: ZDI-CAN-3612 Patch This is the root
Page 29 and 30: CVE-2016-1017 Patch To patch this v
Page 31 and 32: Adobe Flash Vulnerability to Kernel
Page 33 and 34: Finally, the pointer to the string
Page 35 and 36: This shows how PostIAMShellHookMess
Page 37 and 38: The patch itself looks straightforw
Page 39 and 40: As they do with all vulnerabilities
Page 41 and 42: Exploitation of CVE-2016-1018 Explo
Page 43 and 44: } } } a1[a3 + 345] = v6; a1[a3 + 34
Page 45 and 46: This is how GreGetUFI looked before
Page 47 and 48: Microsoft Edge Vulnerability to Ker
Page 49 and 50: The graph below represents the targ
Page 51 and 52: GetIntegerString returns the value
Page 53 and 54: Figure 6: AddAgent code diff Figure
Page 55 and 56: Consider the following JavaScript c
Page 57 and 58: The second heap spray was composed
Page 59 and 60: D3DKMT_GDIMODEL_SYSMEM_PRESENTHISTO
Page 61 and 62: Nevertheless, execution continues a
Page 63 and 64: Conclusion Although all of the afor
Page 65: TREND MICRO TM Trend Micro Incorpor

$hell on Earth

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?