Exploiting Adobe Flash Player on Windows 7

[curiosul]

Internet Explorer CSS 0day on Windows 7 on Vimeo

1) Advisory information

Title : Adobe Flash player Action script type confusion

Version : flash10h.dll

Discovery : Malware writers

Exploit : Abysssec Information Security and VUlnerability Research Group

Vendor : Adobe

Impact : Critical

Contact : info [at] abysssec.com

Twitter : @abysssec

CVE : CVE-2010-3654

2) Vulnerable version

Adobe Flash Player 10.1.53 .64 prior versions

3) Vulnerability information

Class

1- Type Confusion

Impact

Successfully exploiting this issue allows remote attackers to execute code under the context of targeted browser.

Remotely Exploitable

Yes

Locally Exploitable

Yes

4) Vulnerability detail

Here we have type confusion vulnerability in ActionScript bytecode language. The cause of these vulnerabilities is because of implementation of verification process in AS3 jit engine that because of some miscalculation in verifying datatype atoms, some data replaces another type of data and the confusion results in faulty machine code.

Action script has the following structure. First our scripts are compiled using an action script compiler like flex to AS3 ByteCodes and embed it to DoABC, DoAction or DoInitAction tags in swf file format. When flash player opens the swf file, bytecodes are compiled to a jitted machine code through verification and generation process. Verification process is responsible for checking bytecodes to be valid instructions and it pass the valid bytecodes to generation process, thus generation process produces the machine code in memory.

According to Dion Blazakis’s JIT Spray paper:

Exploitation:

For exploitation purpose on recent protections on windows 7 without any 3rd party, it is possible to use the same bug many times to leak the imageBase address and payload address. In our exploit we used three confusion to read String Objects address and accordingly imagebase address.

Step1: read shellcode string object pointer by confusing it with uint and use it to leak ImageBase.

Step2: leak address of the shellcode with the same pointer and NewNumber trick.

Step3: send imageBase & shellcode address as parameters to the RopPayload function, develop Rop payload string and again confuse the return value with uint to read address of RopPayload string.

Step4: send address of the rop payload as parameters to the last confused function that confuses string type with class object. And thus address of our rop payload will be used as vtable in the fake class object.

Note: In using strings as a buffer for shellcode in action script, it is important to use alphanumeric characters because the toString method converts our ascii character set to uincode thus make our shellcode unusable.

5) Conclusion

Finally we got the point that memory leakages are extremely useful in modern exploitation to bypass DEP, ASLR protections. It would be possible to find same atom confusion situation and other object leakage in adobe flash player. Kudos to haifei li for his great research, although it was not that simple to implement a reliable exploit with just slides without attending in talk.

6) Refrences

http://www.cansecwest.com/csw11/Flash_ActionScript.ppt

http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf

7) Exploit-Code

Here you can get our reliable exploit against windows 7 :

calc.exe payload

Download :Download for free on Filesonic.com

if you need other payloads for sure you know how to change it

as always feedbacks are welcomed and you can follow @abysssec in twitter to getting updates .

#Sursa:Exploiting Adobe Flash Player on Windows 7 | Abysssec Security Research

Happy Hunting !

Edited May 13, 2011 by curiosul

[ROFL]

5 months ago: Mon, Dec 20, 2010 3:33pm EST (Eastern Standard Time)

[curiosul]

5 months ago: Mon, Dec 20, 2010 3:33pm EST (Eastern Standard Time)

Si? Atata timp cat merge nu ma intereseaza data!

[qbert]

defapt asta parca asta a fost publicat ca overflow in chrome.