During the research of the Flash vulnerability I’ve managed to create a functional PoC.
The process of the exploit is the following:
- Spray the heap in order to achieve the following:
- The aforementioned path conditions would pass.
- A DWORD memory overwrite with user controlled target and value would take place when the vulnerability is triggered.
- Allocate a placeholder for the shellcode. The target of the memory overwrite would be some function pointer, the value would be the location of the shellcode’s placeholder.
- Trigger the vulnerability.
- Free the placeholder of the shellcode.
- Allocate the shellcode by spraying the heap.
- Trigger some function which calls the function pointer.
The reason that there are 2 passes for allocating the shellcode is the fact that after the arbitrary overwrite occurs, some random chunks are also written to the location of the shellcode, hence the block has to be freed and re-allocated.
The exploit contains the following components:
- Exploit.fla/as – main code
- HeapLib.as – ActionScript3 Heap Spraying library
The Heap Spraying library bypasses the ActionScript’s maximum execution time limitation by using a Timer that allocates small chunks at each iteration.
It provides two basics functions:
1) alloc(value, size)
- TriggerVuln.swf - malformed SWF which triggers the vulnerability (i.e: intf_count=0)
- TriggerFunc.fla – ActionScript2 code which triggers a call to the function pointer by invoking LoadVars.sendAndLoad
- Exploit.htm – HTML wrapper for the Exploit.as
The exploit has been tested against Windows XP SP3 with IE7. Flash is assumed to be loaded at VA 0x10000000. However, since the vulnerable code is wrapped by a permissive SEH handler, brute-force is possible (not covered by the PoC).
The binaries and source code of the PoC can be found here.