Adobe Flash Player < 10.1.53.64 ActionScript Type Confusion Exploit (DEP+ASLR bypass)

2011.04.20
Credit: Abysssec
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Source: http://www.abysssec.com/blog/2011/04/exploiting-adobe-flash-player-on-windows-7/

Adobe Flash Player ActionScript type confusion exploit (DEP+ASLR bypass)

Advisory text:

Here is another reliable Windows 7 exploit. The main method used for exploitation is based on Haifei Li's presentation at CanSecWest, but since that exploit code was not released and a lot of people like to see exploit code, here is ours.

Exploitation details:

To exploit this on Windows 7 with its current mitigations, and without relying on any third-party module (well, Flash is hardly "third party" these days), it is possible to use the same bug several times to leak the image base address and the payload address. Our exploit uses three confusions to read String object addresses and, from those, the image base.

Step 1: Read the shellcode String object pointer by confusing it with a uint, and use it to leak the image base.
Step 2: Leak the address of the shellcode with the same pointer and the NewNumber trick.
Step 3: Pass the image base and the shellcode address as parameters to the RopPayload function, build the ROP payload string, and again confuse the return value with a uint to read the address of the RopPayload string.
Step 4: Pass the address of the ROP payload as the parameter to the last confused function, which confuses the String type with a class object. The address of our ROP payload is thus used as the vtable of the fake class object.

Note: when using strings as a buffer for shellcode in ActionScript, it is important to use alphanumeric characters, because the toString method converts our ASCII character set to Unicode and thereby makes our shellcode unusable.

Here you can get our reliable exploit against Windows 7 (calc.exe payload): http://www.exploit-db.com/sploits/CVE-2010-3654_Win7.zip
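The mechanism behind steps 1 and 4 above, as an added example that is not part of the original advisory or of the Abysssec exploit: a toy C model of a tagged value slot whose readers trust the caller's declared type instead of the stored runtime tag. Everything in it is invented for illustration and is not the real AVM2 or Flash Player layout: the StrObj/Obj/Value structures, the fake_image buffer standing in for the loaded module, the STR_VTABLE_OFFSET constant, and the function names. One reader takes a String object pointer as a uint (the address leak, from which the image base follows through the object's vtable word); another treats an attacker-supplied number as a class object and dispatches through its first word (the fake-vtable hijack); the tag-checked reader shows the fix a runtime needs.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of the advisory's type confusions. All layouts, offsets and
 * names are invented for illustration; they are not the real AVM2 or
 * Flash Player structures, and no real gadget or address appears here. */

typedef struct Obj Obj;
typedef void (*Method)(Obj *);
struct Obj { const Method *vtable; };       /* class object: first word is the vtable */

typedef struct {
    const void *vtable;                     /* points into the host module's image */
    const char *chars;                      /* the string's character data */
} StrObj;                                   /* String object */

typedef enum { T_UINT, T_STRING, T_OBJECT } Tag;
typedef struct {
    Tag tag;                                /* runtime type of the slot */
    union { uintptr_t u; StrObj *str; Obj *obj; } v;
} Value;                                    /* one tagged value slot */

/* Stand-in for the player's loaded image; String vtables live at a fixed offset. */
static unsigned char fake_image[4096];
#define STR_VTABLE_OFFSET 0x40              /* invented offset */

uintptr_t image_base(void) { return (uintptr_t)fake_image; }

StrObj *make_string(const char *chars) {
    static StrObj pool[8];
    static int next;
    StrObj *s = &pool[next++ % 8];
    s->vtable = (const void *)(image_base() + STR_VTABLE_OFFSET);
    s->chars = chars;
    return s;
}

/* BUG (deliberate): trusts the caller's declared type, never looks at tag. */
static uintptr_t confused_read_as_uint(const Value *val) { return val->v.u; }

/* BUG (deliberate): same omission on the object path, followed by a virtual call. */
static void confused_call_as_object(const Value *val) {
    Obj *o = val->v.obj;
    o->vtable[0](o);
}

/* The fix: verify the runtime tag before trusting the slot contents. */
int checked_read_as_uint(const Value *val, uintptr_t *out) {
    if (val->tag != T_UINT) return 0;
    *out = val->v.u;
    return 1;
}

/* Step 1: a String object's address, obtained by reading the slot as a uint. */
uintptr_t leak_string_object_address(StrObj *s) {
    Value slot = { T_STRING, { .str = s } };
    return confused_read_as_uint(&slot);    /* a correct runtime would reject this */
}

/* Step 1, continued: the image base follows from the object's vtable word
 * (the real exploit needs a further read primitive for this dereference). */
uintptr_t leak_image_base(StrObj *s) {
    const StrObj *view = (const StrObj *)leak_string_object_address(s);
    return (uintptr_t)view->vtable - STR_VTABLE_OFFSET;
}

int tag_check_blocks_leak(StrObj *s) {
    Value slot = { T_STRING, { .str = s } };
    uintptr_t unused;
    return checked_read_as_uint(&slot, &unused) == 0;
}

/* Step 4: attacker-controlled bytes treated as a class object. */
static int payload_reached;
static void rop_stand_in(Obj *self) { (void)self; payload_reached = 1; }
static Method rop_payload[1];               /* "ROP payload string": code addresses */
static union { uintptr_t raw[2]; Obj as_obj; } fake_object; /* attacker "string" bytes */

int hijack_via_string_as_object(void) {
    payload_reached = 0;
    rop_payload[0] = rop_stand_in;          /* first entry of the chain */
    fake_object.raw[0] = (uintptr_t)rop_payload;            /* vtable word -> attacker data */
    Value slot = { T_UINT, { .u = (uintptr_t)&fake_object } }; /* address leaked in step 3 */
    confused_call_as_object(&slot);         /* dispatches through the fake vtable */
    return payload_reached;
}

int main(void) {
    StrObj *s = make_string("AAAA");
    printf("image base recovered:  %s\n", leak_image_base(s) == image_base() ? "yes" : "no");
    printf("fake vtable reached:   %s\n", hijack_via_string_as_object() ? "yes" : "no");
    printf("tag check blocks leak: %s\n", tag_check_blocks_leak(s) ? "yes" : "no");
    return 0;
}
```

The two deliberate bugs are the same omission seen from both sides: a reader that never consults `tag`. Once that is true, the same primitive yields an address leak (defeating ASLR) when the slot is read as a number and a controlled indirect call (the vtable hijack that DEP alone does not stop) when it is read as an object, which is why the advisory can reuse one bug for every stage.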

References:

http://www.exploit-db.com/sploits/CVE-2010-3654_Win7.zip
http://www.kb.cert.org/vuls/id/298081
http://www.vupen.com/english/advisories/2011/0344
http://www.vupen.com/english/advisories/2011/0192
http://www.vupen.com/english/advisories/2011/0191
http://www.vupen.com/english/advisories/2011/0173
http://www.vupen.com/english/advisories/2010/3111
http://www.vupen.com/english/advisories/2010/2918
http://www.vupen.com/english/advisories/2010/2906
http://www.vupen.com/english/advisories/2010/2903
http://www.turbolinux.co.jp/security/2011/TLSA-2011-2j.txt
http://www.securitytracker.com/id?1024660
http://www.securitytracker.com/id?1024659
http://www.securityfocus.com/bid/44504
http://www.redhat.com/support/errata/RHSA-2010-0934.html
http://www.redhat.com/support/errata/RHSA-2010-0867.html
http://www.redhat.com/support/errata/RHSA-2010-0834.html
http://www.redhat.com/support/errata/RHSA-2010-0829.html
http://www.adobe.com/support/security/bulletins/apsb10-28.html
http://www.adobe.com/support/security/bulletins/apsb10-26.html
http://www.adobe.com/support/security/advisories/apsa10-05.html
http://support.apple.com/kb/HT4435
http://security.gentoo.org/glsa/glsa-201101-09.xml
http://security.gentoo.org/glsa/glsa-201101-08.xml
http://secunia.com/advisories/43026
http://secunia.com/advisories/43025
http://secunia.com/advisories/42926
http://secunia.com/advisories/42401
http://secunia.com/advisories/42183
http://secunia.com/advisories/42030
http://secunia.com/advisories/41917
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00002.html
http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
http://contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html
http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash1


Copyright 2018, cxsecurity.com