lecture: PWN Flash with Reflection and HashTables
Reflection is the ability of a program to examine, introspect, and modify its own structure and behavior at runtime. AVM2, which supports ActionScript 3 in Flash Player, however, did not implement reflection completely. In this talk we introduce how we implemented an AS3-based fuzzing tool that performs random instantiation of new objects, random invocation of methods and random field getter/setter access using the implicit reflection available in AS3. We will also discuss other Flash fuzzing issues such as templates, sanitizing, reproduction, code coverage and so on. This fuzzing system discovered more than 50 Flash vulnerabilities in several months; 23 of them have received CVE numbers. Some interesting findings will be shown in this talk.
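To make the "implicit reflection" the abstract relies on concrete, here is an added ActionScript 3 example (not code from the talk or from the fuzzing tool it describes). It resolves a class from its qualified name, instantiates it dynamically, enumerates its public methods, accessors and variables through `flash.utils.describeType`, and then reads, writes and invokes members by bracket access. The class name `flash.geom.Point` and the sample values are chosen here for illustration only.

```actionscript
package {
    import flash.display.Sprite;
    import flash.utils.describeType;
    import flash.utils.getDefinitionByName;

    // Added example: the reflection primitives AS3 does expose, which are
    // enough to instantiate, introspect and drive an object by name even
    // though AVM2 has no full reflection API.
    public class ReflectDemo extends Sprite {
        public function ReflectDemo() {
            // Constructed sample: any public class name would do here.
            var cls:Class = getDefinitionByName("flash.geom.Point") as Class;
            var instance:Object = new cls(3, 4);   // dynamic instantiation

            // describeType() returns XML whose <method>, <accessor> and
            // <variable> children list the public members of the instance.
            var desc:XML = describeType(instance);
            for each (var m:XML in desc.method) {
                trace("method", m.@name, "returns", m.@returnType,
                      "params", m.parameter.length());
            }
            for each (var a:XML in desc.accessor) {
                trace("accessor", a.@name, a.@access, a.@type);
            }
            for each (var v:XML in desc.variable) {
                trace("variable", v.@name, v.@type);
            }

            // Field getter/setter by name (x and y are public vars on Point).
            trace("x,y =", instance["x"], instance["y"]);
            instance["x"] = 6;
            // length is a read-only accessor: sqrt(6*6 + 4*4)
            trace("length =", instance["length"]);

            // Method invocation by name: look the function up, then apply it
            // with the instance as the receiver and an argument list.
            var fn:Function = instance["clone"] as Function;
            var copy:Object = fn.apply(instance, []);
            trace("clone x,y =", copy.x, copy.y);
        }
    }
}
```

Compile with the Flex/AIR SDK (`mxmlc ReflectDemo.as`) and run in a debug player to see the `trace` output. The same three operations, constructor lookup by name, member enumeration from `describeType`, and bracket access for reads, writes and calls, are what an AS3 fuzzer randomizes over, so understanding them is also what a reviewer needs in order to reason about which API surface such a tool actually reaches.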
HashTable is an internal structure that stores key/value pairs in AS3. We discovered that it can serve as a new exploit-friendly object, like Vector, ByteArray and String, for bypassing anti-UAF (Use-After-Free) mitigations (isolated heap, memory protector, length validation of Vector/ByteArray). We will take one unreported (patched) UAF vulnerability as an example to show how we exploit a single UAF vulnerability to obtain read and write primitives and bypass all modern mitigations on Win10 x64 1709 with the help of HashTable. More importantly, the exploitation technique we used can generally turn many other Flash UAF vulnerabilities into arbitrary read and write primitives, which can then be used to bypass all modern mitigations. Finally, we will show a demo.