Home page logo

dailydave logo Dailydave mailing list archives

Flash JIT and spraying info leak gadgets
From: Fermín J. Serna <fjserna () gmail com>
Date: Fri, 19 Jul 2013 12:52:41 -0700


Back in Fall/2012 I did some research on Flash JIT code generation.
This research and lack of constant blinding resulted on the following
paper (including Win7/IE9 exploit code for CVE-2012-4787) where Flash
could be used for ASLR bypass on IE by spraying ROP info leak gadgets.

Document: http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets.pdf
Exploit code: http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets/

I just found today (without notification form Adobe) that Flash 11.8
implements JIT constant blinding. So consider this technique gone but
older versions may still be used for info leak purposes. :)


Fermín J. Serna

Web & Blog: http://zhodiac.hispahack.com
Pgp key: http://zhodiac.hispahack.com/gpg/zhodiac.asc
Twitter: @fjserna
Dailydave mailing list
Dailydave () lists immunityinc com

  By Date           By Thread  

Current thread:
  • Flash JIT and spraying info leak gadgets Fermín J . Serna (Jul 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]