Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Flash JIT and spraying info leak gadgets

From: Fermín J. Serna <fjserna () gmail com>
Date: Fri, 19 Jul 2013 12:52:41 -0700
Hi,

Back in Fall/2012 I did some research on Flash JIT code generation.
This research and lack of constant blinding resulted on the following
paper (including Win7/IE9 exploit code for CVE-2012-4787) where Flash
could be used for ASLR bypass on IE by spraying ROP info leak gadgets.

Document: http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets.pdf
Exploit code: http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets/

I just found today (without notification form Adobe) that Flash 11.8
implements JIT constant blinding. So consider this technique gone but
older versions may still be used for info leak purposes. :)

Enjoy,

---
Fermín J. Serna

Web & Blog: http://zhodiac.hispahack.com
Pgp key: http://zhodiac.hispahack.com/gpg/zhodiac.asc
Twitter: @fjserna
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: