JIT Spraying Never Dies

Recommendations

Info

Craft some WebGL Shader and make sure it’s able to generate the desired JIT gadget at certain fixed offset Use that particular JIT gadget as a trampoline to bypass CFG, and later transfer to the main shellcode or other ROP gadget if necessary The Detailed Bypass Implementation If for some reason WARP is not enabled on the system by default, do some magic to make it come into play at runtime After spraying a big enough space, some JIT gadget will be expected to appear at certain predictable address. (Sometimes some searching work may be needed) Trigger WARP Shader JIT in a repeated manner by creating/linking new WebGL program object and drawing on the Canvas in a loop
The Possibility of Exploiting 64-bit Browser * Spraying 9G is big enough to make some address covered, but it still needs some searching to find the JIT gadget within each 1/2G section. Data Code * In fact no need to spray such a huge space if AAR is acquired, the Check this option to add JIT page address can be deduced by leaking WARP module base. support for D3D10
Page 1 and 2: JIT Spraying Never Dies - Bypass CF
Page 3 and 4: About Speakers • Bing Sun - Bing
Page 5 and 6: Background Knowledge • Direct3D &
Page 7 and 8: Software Rasterizer & WARP • Soft
Page 9 and 10: GLSL & HLSL • Shading Language -
Page 11 and 12: WebGL and Its Usage • WebGL (Web
Page 13 and 14: The Basic Principle of CFG • Abou
Page 15 and 16: Known CFG Bypass Methods • Call V
Page 17 and 18: The Security Assessment on WARP Sha
Page 19 and 20: Separation of Data and Code Data Co
Page 21 and 22: The Weakness of WARP Shader JIT Eng
Page 23 and 24: No CFG for JITed Code Data Code
Page 25 and 26: WARP Module Not Loaded Web page con
Page 27 and 28: The Solution to Challenge I & II
Page 29 and 30: The Solution to Challenge III • S
Page 31 and 32: The Solution to Challenge III (cont
Page 33 and 34: MS16-063 typedarray.subarray(ropsta
Page 35: CVE-2016-0193 (jmp) esi -> Fake vft
Page 39 and 40: Demo - MS16-063
Page 41 and 42: Extra Demo • Other 0day CFG/DEP B
Page 43 and 44: Demo - CFG/DEP Bypass 0day II Creat
Page 45 and 46: Q&A • You are welcomed to send qu

JIT Spraying Never Dies

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?