[Dailydave] Flash JIT and spraying info leak gadgets

Fermín J. Serna fjserna at gmail.com
Fri Jul 19 15:52:41 EDT 2013


Hi,

Back in Fall/2012 I did some research on Flash JIT code generation.
This research and lack of constant blinding resulted in the following
paper (including Win7/IE9 exploit code for CVE-2012-4787) where Flash
could be used for ASLR bypass on IE by spraying ROP info leak gadgets.

Document: http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets.pdf
Exploit code: http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets/

I just found today (without notification from Adobe) that Flash 11.8
implements JIT constant blinding. So consider this technique gone but
older versions may still be used for info leak purposes. :)

Enjoy,

---
Fermín J. Serna

Web & Blog: http://zhodiac.hispahack.com
Pgp key: http://zhodiac.hispahack.com/gpg/zhodiac.asc
Twitter: @fjserna
