Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion (ASLR + DEP Bypass)

EDB-ID:

17187


Author:

Abysssec

Type:

remote


Platform:

Windows

Date:

2011-04-19


Source: http://www.abysssec.com/blog/2011/04/exploiting-adobe-flash-player-on-windows-7/

Adobe Flash player Action script type confusion exploit (DEP+ASLR bypass)

advisory text : 

Here is another reliable windows 7 exploit . the main method used for exploitation is based on Haifei-li presentation at CanSecWest. 
but as exploit code not relased and a lot of peoples like to see exploit code here is our code .  

exploitation detail :
For exploitation purpose on recent protections on windows 7 without any 3rd party (well flash is not 3rd party todays) , it is possible to use the same bug many times to leak the imageBase address and payload address. In our exploit we used three confusion to read String Objects address and accordingly imagebase address.

Step1: read shellcode string object pointer by confusing it with uint and use it to leak ImageBase.
Step2: leak address of the shellcode with the same pointer and NewNumber trick.
Step3: send imageBase & shellcode address as parameters to the RopPayload function, develop Rop payload string and again confuse the return value with uint to read address of RopPayload string.
Step4: send address of the rop payload as parameters to the last confused function that confuses string type with class object. And thus address of our rop payload will be used as vtable in the fake class object.
Note: In using strings as a buffer for shellcode in action script, it is important to use alphanumeric characters because the toString method converts our ascii character set to uincode thus make our shellcode unusable.

Here you can get our reliable exploit against windows 7 :
calc.exe payload

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17187.zip (CVE-2010-3654_Win7.zip)