Nytro Posted February 17, 2012

[h=2]Exploiting Adobe Flash Player on Windows 7[/h]
Posted by shahin in advisory, Exploits / BUG Decryption, Fuzzing / Auditing, reversing

Hello again. As a lot of readers like Windows 7 exploits, here is another one.

[h=2]1) Advisory information[/h]
Title : Adobe Flash Player ActionScript type confusion
Version : flash10h.dll
Discovery : Malware writers
Exploit : Abysssec Information Security and Vulnerability Research Group
Vendor : http://www.adobe.com
Impact : Critical
Contact : info [at] abysssec.com
Twitter : @abysssec
CVE : CVE-2010-3654

[h=2]2) Vulnerable version[/h]
Adobe Flash Player 10.1.53.64 and prior versions

[h=2]3) Vulnerability information[/h]
Class : 1- Type Confusion
Impact : Successfully exploiting this issue allows remote attackers to execute code in the context of the targeted browser.
Remotely Exploitable : Yes
Locally Exploitable : Yes

[h=2]4) Vulnerability detail[/h]
This is a type confusion vulnerability in the ActionScript bytecode language. Its cause lies in the implementation of the verification process in the AS3 JIT engine: because of a miscalculation when verifying the data type of atoms, data of one type can replace data of another type, and the confusion results in faulty machine code.

ActionScript is processed as follows. First, scripts are compiled with an ActionScript compiler such as Flex into AS3 bytecode, which is embedded in DoABC, DoAction or DoInitAction tags of the SWF file format. When Flash Player opens the SWF file, the bytecode is compiled to JITted machine code through a verification process and a generation process. The verification process is responsible for checking that the bytecode consists of valid instructions and passes the valid bytecode on to the generation process, which then produces the machine code in memory.
According to Dion Blazakis's JIT Spray paper: "To handle this runtime typing requirement, the ActionScript interpreter represents internal objects using tagged pointers; internally, this object is called an 'atom'. Tagged pointers are a common implementation technique to differentiate between those objects stored by value and those stored by reference using the same word sized memory cell. A tagged pointer stores type information in the least significant bits and stores type specific values in the most significant bits. As shown in Illustration 1, the ActionScript atom is 32 bits wide; it allocates 3 bits to store the type information and uses 29 bits for the value."

So if it were possible, through some bytecode changes, to confuse the verifier into treating one atom as another, it would be possible to generate faulty code that in most cases hands a vtable pointer call to the attacker.

The bug is well presented in Haifei Li's recent slides. We have OriginalClass and RefClass with the same functions. Func1 of OriginalClass returns a class object, but Func1 of RefClass returns another type. By changing a byte in the bytecode we confuse AS3 into executing the RefClass functions in the main class. The verifier then confuses the return type of the function with an OriginalClass object and generates faulty code in which the vtable is under the control of the return value.

Exploitation: against the recent protections on Windows 7, without any 3rd-party software, it is possible to use the same bug several times to leak the image base address and the payload address. In our exploit we used three confusions to read String object addresses and, from them, the image base address.

Step 1: read the shellcode String object pointer by confusing it with a uint and use it to leak the image base.
Step 2: leak the address of the shellcode with the same pointer and the NewNumber trick.
Step 3: pass the image base and the shellcode address as parameters to the RopPayload function, build the ROP payload string and again confuse the return value with a uint to read the address of the RopPayload string.
Step 4: pass the address of the ROP payload as a parameter to the last confused function, which confuses a String type with a class object. Thus the address of our ROP payload is used as the vtable of the fake class object.

Note: when using strings as a buffer for shellcode in ActionScript, it is important to use alphanumeric characters, because the toString method converts the ASCII character set to Unicode and would otherwise make the shellcode unusable.

[h=2]5) Conclusion[/h]
In conclusion, memory leaks are extremely useful in modern exploitation to bypass the DEP and ASLR protections. It should be possible to find the same atom confusion situation and other object leaks elsewhere in Adobe Flash Player. Kudos to Haifei Li for his great research, although it was not that simple to implement a reliable exploit from the slides alone without attending the talk.

[h=2]6) References[/h]
http://www.cansecwest.com/csw11/Flash_ActionScript.ppt
http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf

[h=2]7) Exploit-Code[/h]
Here you can get our reliable exploit against Windows 7 (calc.exe payload):
Download : CVE-2010-3654_Win7
If you need other payloads, you surely know how to change it. As always, feedback is welcome, and you can follow @abysssec on Twitter to get updates.

Happy Hunting!

Source: Exploiting Adobe Flash Player on Windows 7 | Abysssec Security Research
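As an added illustration of the atom layout from section 4 (32-bit word, 3 tag bits, 29 value bits) and of why a wrongly verified type leaks an address, here is a small C model written for this post; it is not code from the advisory or from Flash Player, and the tag numbering, the constructed address and the function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Atom layout as described in section 4: a 32-bit word whose low 3 bits
 * carry the type tag and whose upper 29 bits carry the value. */
#define ATOM_TAG_BITS 3u
#define ATOM_TAG_MASK 0x7u
typedef uint32_t atom_t;

/* Tag numbering is an assumption made for this illustration; the post only
 * states that 3 bits hold the type. */
enum atom_tag { TAG_OBJECT = 1, TAG_STRING = 2, TAG_INT = 6 };

/* Integers are stored by value: the number sits above the tag bits. */
static atom_t make_int_atom(uint32_t v) {
    return (v << ATOM_TAG_BITS) | TAG_INT;
}

/* Objects and strings are stored by reference: the heap pointer is 8-byte
 * aligned, so its low 3 bits are free to hold the tag. */
static atom_t make_ref_atom(uint32_t addr, enum atom_tag tag) {
    return (addr & ~ATOM_TAG_MASK) | tag;
}

static enum atom_tag tag_of(atom_t a) {
    return (enum atom_tag)(a & ATOM_TAG_MASK);
}

/* The confused path: generated code that trusts the verifier's (wrong)
 * static type and treats whatever atom it gets as an integer. Applied to a
 * String atom it returns the object's address bits, which is exactly the
 * leak the advisory builds on (shift the result back left by 3 bits). */
static uint32_t uint_from_atom_unverified(atom_t a) {
    return a >> ATOM_TAG_BITS;
}

/* The check that has to hold at the conversion point: the dynamic tag, not
 * the statically assumed type, decides whether the payload is a number. */
static bool uint_from_atom_checked(atom_t a, uint32_t *out) {
    if (tag_of(a) != TAG_INT) return false;
    *out = a >> ATOM_TAG_BITS;
    return true;
}
```

With a String atom built from the constructed address 0x0a5b3c40, the unverified conversion yields 0x0a5b3c40 >> 3 while the checked one refuses; with an integer atom both return the number.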