When the rules for this year's Pwn2Own contest came out, there was less than one month left for us to prepare our Internet Explorer exploit. It was not an easy task to pop a calc on this year's IE target, where you need to conquer the 64-bit IE child process, Control Flow Guard (CFG) on Windows 8.1, and the Enhanced Protected Mode (EPM) sandbox of IE11.
This was the first time that 64-bit IE was used in the contest, which means stronger ASLR, so the simple heap-spraying technique does not work as it does in a 32-bit process. Also, on Windows 8.1 CFG is heavily used in user-mode processes, which makes it harder to transfer execution flow to our shellcode. And finally, we needed to bypass the EPM sandbox without user interaction and without restarting or re-logging into the computer. We are glad that we finally made it, with two 0-day vulnerabilities, which have already been patched by Microsoft in June 2015.
In this presentation, we will describe (for the first time) the details of the two vulnerabilities we used to take down 64-bit IE in this year's Pwn2Own. By going through the PoC exploit, we will show how we achieved ASLR and CFG bypass and remote code execution in 64-bit IE with a single uninitialized-memory bug. We will also discuss the TOCTOU vulnerability we used to bypass IE's EPM sandbox to achieve elevation of privilege.
Throughout the talk, we will describe several methods you may use to bypass exploit mitigations (such as ASLR and CFG) on 64-bit IE to achieve remote code execution with your memory corruption bug.
Hey Man, Have You Forgotten To Initialize Your Memory? (Black Hat 2015)
Published on 5 Mar 2016