curiosul Posted May 13, 2011 (edited)

Internet Explorer CSS 0day on Windows 7 on Vimeo

1) Advisory information

Title : Adobe Flash player Action script type confusion
Version : flash10h.dll
Discovery : Malware writers
Exploit : Abysssec Information Security and Vulnerability Research Group
Vendor : Adobe
Impact : Critical
Contact : info [at] abysssec.com
Twitter : @abysssec
CVE : CVE-2010-3654

2) Vulnerable version

Adobe Flash Player 10.1.53 .64 prior versions

3) Vulnerability information

Class
1- Type Confusion

Impact
Successfully exploiting this issue allows remote attackers to execute code under the context of targeted browser.

Remotely Exploitable
Yes

Locally Exploitable
Yes

4) Vulnerability detail

Here we have a type confusion vulnerability in the ActionScript bytecode language. The cause of these vulnerabilities is the implementation of the verification process in the AS3 JIT engine: because of some miscalculation in verifying datatype atoms, some data replaces another type of data, and the confusion results in faulty machine code.

Action script has the following structure. First our scripts are compiled using an action script compiler like flex to AS3 ByteCodes and embedded in DoABC, DoAction or DoInitAction tags in the swf file format. When flash player opens the swf file, bytecodes are compiled to jitted machine code through a verification and generation process. The verification process is responsible for checking bytecodes to be valid instructions and it passes the valid bytecodes to the generation process, thus the generation process produces the machine code in memory.

According to Dion Blazakis’s JIT Spray paper:

Exploitation:

For exploitation purpose on recent protections on windows 7 without any 3rd party, it is possible to use the same bug many times to leak the imageBase address and payload address.

In our exploit we used three confusions to read String Objects address and accordingly imagebase address.

Step1: read shellcode string object pointer by confusing it with uint and use it to leak ImageBase.
Step2: leak address of the shellcode with the same pointer and NewNumber trick.
Step3: send imageBase & shellcode address as parameters to the RopPayload function, develop Rop payload string and again confuse the return value with uint to read address of RopPayload string.
Step4: send address of the rop payload as parameters to the last confused function that confuses string type with class object. And thus address of our rop payload will be used as vtable in the fake class object.

Note: In using strings as a buffer for shellcode in action script, it is important to use alphanumeric characters because the toString method converts our ascii character set to Unicode, thus making our shellcode unusable.

5) Conclusion

Finally we got the point that memory leakages are extremely useful in modern exploitation to bypass DEP, ASLR protections. It would be possible to find the same atom confusion situation and other object leakage in adobe flash player. Kudos to haifei li for his great research, although it was not that simple to implement a reliable exploit with just slides without attending the talk.

6) References

http://www.cansecwest.com/csw11/Flash_ActionScript.ppt
http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf

7) Exploit-Code

Here you can get our reliable exploit against windows 7 :
calc.exe payload
Download : Download for free on Filesonic.com

If you need other payloads, for sure you know how to change it. As always, feedback is welcome and you can follow @abysssec on twitter to get updates.

Source: Exploiting Adobe Flash Player on Windows 7 | Abysssec Security Research

Happy Hunting !

Edited May 13, 2011 by curiosul
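For defenders triaging a suspicious SWF, the advisory's remark that ActionScript bytecode is embedded in DoABC, DoAction or DoInitAction tags tells you where to look. The following is an added example, not part of the original post or of Abysssec's code: a parser that lists those tags in an SWF file. The tag codes are taken from the SWF file format specification, and `build_sample` is a hypothetical helper that produces a constructed test file.

```python
import struct
import zlib

# Tag codes from the SWF file format specification.
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}

def script_tags(data: bytes):
    """Return [(tag_name, offset_in_uncompressed_body, length)] for script tags."""
    if data[:3] == b"CWS":                  # zlib-compressed after the 8-byte header
        body = zlib.decompress(data[8:])
    elif data[:3] == b"FWS":
        body = data[8:]
    else:
        raise ValueError("not an SWF file")
    if len(body) < 5:
        raise ValueError("truncated SWF header")
    # FrameSize RECT: 5-bit Nbits field followed by four Nbits-wide values.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    pos += 4                                # FrameRate (u16) + FrameCount (u16)
    found = []
    while pos + 2 <= len(body):
        (code_len,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = code_len >> 6, code_len & 0x3F
        if length == 0x3F:                  # long record header: u32 length follows
            if pos + 4 > len(body):
                raise ValueError("truncated long tag header")
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if pos + length > len(body):
            raise ValueError("tag length runs past end of file")
        if code in SCRIPT_TAGS:
            found.append((SCRIPT_TAGS[code], pos, length))
        if code == 0:                       # End tag
            break
        pos += length
    return found

def build_sample(compressed: bool) -> bytes:
    """Constructed sample: empty RECT, DoABC with a dummy body, ShowFrame, End."""
    def tag(code, payload=b""):
        if len(payload) < 0x3F:
            return struct.pack("<H", code << 6 | len(payload)) + payload
        return struct.pack("<HI", code << 6 | 0x3F, len(payload)) + payload
    body = b"\x00" + struct.pack("<HH", 24 << 8, 1)
    body += tag(82, b"\x00" * 70) + tag(1) + tag(0)
    head = (b"CWS" if compressed else b"FWS") + struct.pack("<BI", 10, 8 + len(body))
    return head + (zlib.compress(body) if compressed else body)
```

The returned offsets point into the uncompressed body (after the 8-byte file header), so the tag payloads can be carved out and handed to an ABC disassembler or hashed for comparison.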
ROFL Posted May 13, 2011

5 months ago: Mon, Dec 20, 2010 3:33pm EST (Eastern Standard Time)
curiosul Posted May 13, 2011 (Author)

> 5 months ago: Mon, Dec 20, 2010 3:33pm EST (Eastern Standard Time)

So? As long as it works, I don't care about the date!
qbert Posted May 13, 2011

Actually, I think this was published as an overflow in Chrome.