Dailydave mailing list archives
Flash JIT and spraying info leak gadgets
From: Fermín J. Serna <fjserna () gmail com>
Date: Fri, 19 Jul 2013 12:52:41 -0700
Hi,

Back in Fall/2012 I did some research on Flash JIT code generation. This research and the lack of constant blinding resulted in the following paper (including Win7/IE9 exploit code for CVE-2012-4787), where Flash could be used for ASLR bypass on IE by spraying ROP info leak gadgets.

Document: http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets.pdf
Exploit code: http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets/

I just found today (without notification from Adobe) that Flash 11.8 implements JIT constant blinding. So consider this technique gone, but older versions may still be used for info leak purposes. :)

Enjoy,

---
Fermín J. Serna
Web & Blog: http://zhodiac.hispahack.com
Pgp key: http://zhodiac.hispahack.com/gpg/zhodiac.asc
Twitter: @fjserna

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
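The mechanism behind the post, as an added example that is not part of the original message or of the linked paper: a toy x86-32 emitter that shows why an unblinded immediate lets an attacker plant a gadget in JIT output, and how constant blinding (emit `imm ^ key`, then `xor eax, key` at run time) removes it. The gadget bytes, the constant 0xC3008B90 and the key 0xA5A5A5A5 are constructed for illustration and are not the sequence used in the paper.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated x86-32 code emitter.  Only the two encodings the example needs:
 *   B8 imm32   mov eax, imm32
 *   35 imm32   xor eax, imm32
 * Immediates are written little-endian, as the CPU expects them. */
static size_t put_u32_le(uint8_t *out, uint32_t v) {
    out[0] = (uint8_t)(v);
    out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16);
    out[3] = (uint8_t)(v >> 24);
    return 4;
}

/* Unblinded: the attacker-chosen constant lands verbatim in executable memory. */
size_t emit_mov_eax_imm(uint8_t *out, uint32_t imm) {
    out[0] = 0xB8;
    return 1 + put_u32_le(out + 1, imm);
}

/* Constant blinding: never place the attacker-chosen value in the code
 * stream.  Emit imm ^ key and undo the XOR at run time; with an
 * unpredictable key neither emitted immediate is attacker-controlled. */
size_t emit_mov_eax_imm_blinded(uint8_t *out, uint32_t imm, uint32_t key) {
    size_t n = emit_mov_eax_imm(out, imm ^ key);
    out[n] = 0x35;                              /* xor eax, imm32 */
    return n + 1 + put_u32_le(out + n + 1, key);
}

/* "Spray": a JIT-compiled script that uses the same constant many times
 * produces many copies of its encoding in executable memory. */
size_t jit_spray(uint8_t *buf, size_t cap, uint32_t imm, unsigned copies,
                 int blinded, uint32_t key) {
    size_t n = 0;
    for (unsigned i = 0; i < copies; i++) {
        if (n + 10 > cap) break;                /* 10 = longest encoding */
        n += blinded ? emit_mov_eax_imm_blinded(buf + n, imm, key)
                     : emit_mov_eax_imm(buf + n, imm);
    }
    return n;
}

/* Count occurrences of a byte sequence at *any* offset: x86 imposes no
 * instruction alignment, so every hit is a reachable gadget. */
unsigned count_gadget(const uint8_t *buf, size_t len,
                      const uint8_t *g, size_t glen) {
    unsigned hits = 0;
    for (size_t i = 0; i + glen <= len; i++)
        if (memcmp(buf + i, g, glen) == 0) hits++;
    return hits;
}

/* Illustrative info-leak gadget (constructed, not the paper's sequence):
 *   8B 00   mov eax, [eax]   ; read 4 bytes from an attacker-chosen address
 *   C3      ret
 * Hidden in the constant 0xC3008B90, which encodes little-endian as
 * 90 8B 00 C3; jumping into the spray at offset 1 executes
 * nop; mov eax,[eax]; ret instead of the intended mov eax, imm32. */
#define LEAK_IMM 0xC3008B90u
static const uint8_t LEAK_GADGET[] = { 0x8B, 0x00, 0xC3 };

/* Returns how many usable copies of the gadget a spray of `copies`
 * constants leaves in memory, with or without blinding. */
unsigned gadgets_in_spray(int blinded, uint32_t key, unsigned copies) {
    uint8_t code[4096];
    size_t n = jit_spray(code, sizeof code, LEAK_IMM, copies, blinded, key);
    return count_gadget(code, n, LEAK_GADGET, sizeof LEAK_GADGET);
}

int main(void) {
    /* Constructed key; a real JIT draws a fresh unpredictable key. */
    uint32_t key = 0xA5A5A5A5u;
    printf("unblinded: %u gadget copies\n", gadgets_in_spray(0, 0, 64));
    printf("blinded:   %u gadget copies\n", gadgets_in_spray(1, key, 64));
    return 0;
}
```

The blinded stream carries the gadget only if the key is predictable: a key of zero reproduces the unblinded bytes exactly, which is why the quality of the key source matters as much as the XOR itself.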