Adobe Flash Player < 10.1.53.64 Action Script Type Confusion Exploit (DEP+ASLR bypass)
Source: http://www.abysssec.com  Author: Abysssec  Published: 2011-04-20

Source: http://www.abysssec.com/blog/2011/04/exploiting-adobe-flash-player-on-windows-7/

Adobe Flash Player ActionScript type confusion exploit (DEP+ASLR bypass)

Advisory text:

Here is another reliable Windows 7 exploit. The main method used for exploitation is based on Haifei Li's presentation at CanSecWest, but since that exploit code was not released and a lot of people would like to see exploit code, here is our code.

Exploitation detail:
For exploitation under the recent protections on Windows 7 without any 3rd-party component (well, Flash is not really 3rd party these days), it is possible to use the same bug many times to leak the image base address and the payload address. In our exploit we used three confusions to read String object addresses and, from those, the image base address.

Step 1: Read the shellcode String object pointer by confusing it with a uint, and use it to leak the image base.
Step 2: Leak the address of the shellcode with the same pointer and the NewNumber trick.
Step 3: Pass the image base and the shellcode address as parameters to the RopPayload function, build the ROP payload string, and again confuse the return value with a uint to read the address of the RopPayload string.
Step 4: Pass the address of the ROP payload as the parameter to the last confused function, which confuses the String type with a class object. The address of our ROP payload is thus used as the vtable of the fake class object.
Note: When using strings as a buffer for shellcode in ActionScript, it is important to use alphanumeric characters, because the toString method converts our ASCII character set to Unicode and thus makes our shellcode unusable.

Here you can get our reliable exploit against Windows 7 (calc.exe payload):

http://www.exploit-db.com/sploits/CVE-2010-3654_Win7.zip
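The check a defender wants from an advisory like this is whether an installed build falls below the fixed version named in the title, 10.1.53.64. The script below is an added example and is not part of the Abysssec advisory or its exploit: it parses Flash Player version strings (including the `WIN 10,1,53,64` form that `flash.system.Capabilities.version` reports) and compares them numerically, since a plain string comparison would wrongly rank `10.1.53.7` above `10.1.53.64`. The hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Version-range check for the Flash Player advisory above (added example)."""
import re
from typing import Dict, List, Tuple

# Fixed build named in the advisory title; anything strictly older is in the affected range.
FIXED_VERSION = "10.1.53.64"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Flash Player version string into a tuple of ints.

    Flash reports four numeric fields ("10.1.53.64"). Comparing them as strings is
    wrong ("10.1.53.7" > "10.1.53.64" lexicographically), so every field becomes an
    int. The "WIN 10,1,53,64" form returned by Capabilities.version is accepted too:
    the platform tag is dropped and commas are treated as separators.
    """
    cleaned = re.sub(r"^[A-Za-z]+\s+", "", version.strip()).replace(",", ".")
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"not a dotted version: {version!r}")
    return tuple(int(part) for part in cleaned.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ta, tb = parse_version(a), parse_version(b)
    # Pad the shorter tuple with zeros so "10.1" compares equal to "10.1.0.0".
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed build."""
    return compare_versions(installed, fixed) < 0


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts in a {host: version} inventory that still need the update."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "ws-01": "WIN 10,1,53,64",  # exactly the fixed build, as Capabilities.version reports it
    "ws-02": "10.1.53.7",       # older, yet sorts *after* 10.1.53.64 as a string
    "ws-03": "10.0.45.2",
    "ws-04": "10.2.153.1",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {FIXED_VERSION}")
```

The comparison pads shorter version strings with zeros rather than rejecting them, so an inventory that records only `10.1` still triages correctly as older than the fixed build.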
