March 18, 2017

Breaking CFI.

Exploiting CVE-2015-5122 using COOP

By Michael Aminov, Co-Founder & Chief Architect

Introduction.

CFI [1] has most certainly set the standard for exploit mitigations, and has inspired many implementations such as Microsoft CFG [2], Microsoft RFG [3], PaX Team's RAP™ [4] and Clang's CFI [5].
In this series of posts we're going to demonstrate how modern CFI implementations can be circumvented.
Specifically, in this post we'll demonstrate an advanced code-reuse technique, Counterfeit Object-Oriented Programming [6] (COOP), using an old vulnerability while conforming to the theoretical boundaries of CFI.

The Vulnerability.
CVE-2015-5122 is a use-after-free vulnerability that was used by Hacking Team to exploit Adobe Flash Player (<= 18.0.0.203). An analysis of the vulnerability itself can be found here. Note that by leveraging this vulnerability we are able to gain a full read/write primitive over the process memory.
We based our work on Metasploit's implementation of CVE-2015-5122, which can be found here. In order to achieve a read/write primitive, the vulnerability is used to overwrite the length member of a vector object. The vector object is wrapped with a class named ExploitByteArray that contains the methods write(addr, data) and read(addr), which provide the full read/write primitives. Code execution is gained by defining a fake "magic" method [10] in the Exploiter class and overriding its virtual function pointer with an address of choice.
The Metasploit implementation first calls VirtualProtect in order to change a sprayed stack-pivot stub's page protection to READWRITE_EXECUTE, and then uses the magic method a second time to call the executable stub and commence a ROP chain.
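To make concrete what "conforming to the boundaries of CFI" means for a hijacked virtual call such as the magic-method override described above, here is an added illustration in C. It is not code from this post, from Metasploit, or from any CFI implementation; all names (Object, account_vtable, validate_account_call, the three scenario functions) are hypothetical. It models two policies for an indirect call site: a coarse one that only checks whether the call target is the entry of some allowed function (the kind of whitelist a CFG-style check consults), and a typed one that additionally pins the object's vtable to the class expected at the call site, roughly the idea behind Clang's -fsanitize=cfi-vcall. Three objects are validated: an untouched one, one whose vtable pointer was redirected to an arbitrary non-target function (the ROP-style "address of choice"), and one whose vtable pointer was redirected to another class's genuine vtable (a counterfeit object).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model, not code from the post or from Metasploit: an "object"
 * is a vtable pointer plus one data field, and a virtual call reads its
 * target out of the vtable the way C++ dispatch does. */
typedef struct Object Object;
typedef void (*method_fn)(Object *self);
struct Object {
    const method_fn *vtable;
    int value;
};

static void account_show(Object *self) { printf("account balance=%d\n", self->value); }
static void logger_show(Object *self)  { printf("logger level=%d\n", self->value); }
static void internal_helper(Object *self) { (void)self; }  /* never a legitimate indirect-call target */

/* One genuine vtable per class. */
static const method_fn account_vtable[] = { account_show };
static const method_fn logger_vtable[]  = { logger_show };

/* Coarse policy data: every function entry the program may reach through
 * an indirect call. Note that both virtual functions are in it. */
static const method_fn valid_targets[] = { account_show, logger_show };

enum verdict { CALL_OK = 0, REJECT_COARSE = 1, REJECT_TYPED = 2 };

/* Coarse check: is the target the entry of some allowed function? */
static bool coarse_cfi_ok(method_fn target) {
    for (size_t i = 0; i < sizeof valid_targets / sizeof valid_targets[0]; i++)
        if (valid_targets[i] == target)
            return true;
    return false;
}

/* Validate a virtual call at a site whose static type is Account.
 * With typed_policy set, the object's vtable must also be one an Account
 * may legitimately carry; without it, only the coarse check applies. */
enum verdict validate_account_call(const Object *obj, bool typed_policy) {
    method_fn target = obj->vtable[0];
    if (!coarse_cfi_ok(target))
        return REJECT_COARSE;
    if (typed_policy && obj->vtable != account_vtable)
        return REJECT_TYPED;
    return CALL_OK;
}

/* Scenario 1: an untouched Account object (constructed sample). */
enum verdict scenario_legitimate(bool typed_policy) {
    Object a = { account_vtable, 42 };
    return validate_account_call(&a, typed_policy);
}

/* Scenario 2: vtable pointer replaced with one whose entry is not an allowed
 * indirect-call target (stands in for an arbitrary address). Even the
 * coarse policy rejects this, which is why plain ROP fails under CFI. */
enum verdict scenario_arbitrary_target(bool typed_policy) {
    static const method_fn forged_vtable[] = { internal_helper };
    Object a = { forged_vtable, 42 };
    return validate_account_call(&a, typed_policy);
}

/* Scenario 3: vtable pointer redirected to Logger's genuine vtable, so the
 * target is a real virtual function. The coarse policy accepts it; only the
 * typed policy notices that an Account should not carry this vtable. */
enum verdict scenario_counterfeit_object(bool typed_policy) {
    Object a = { logger_vtable, 42 };
    return validate_account_call(&a, typed_policy);
}

int main(void) {
    const char *names[] = { "ok", "rejected by coarse policy", "rejected by typed policy" };
    for (int typed = 0; typed <= 1; typed++) {
        printf("%s policy:\n", typed ? "typed" : "coarse");
        printf("  legitimate object:  %s\n", names[scenario_legitimate(typed)]);
        printf("  arbitrary target:   %s\n", names[scenario_arbitrary_target(typed)]);
        printf("  counterfeit object: %s\n", names[scenario_counterfeit_object(typed)]);
    }
    return 0;
}
```

The defensive point of the model is that a policy which only answers "is this a function entry?" cannot tell a counterfeit object from a genuine one, because every target it dispatches to is a real virtual function. Hardening therefore has to come from type-aware checks (vtable identity against the class hierarchy at each call site, as fine-grained CFI schemes do) and from watching the surrounding primitives, such as a VirtualProtect call that turns a writable, sprayed region executable.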

[Figure: image-1]

