Overview
Explore advanced exploitation techniques for Adobe Flash Player in the context of Control Flow Guard (CFG) protection. Delve into the challenges posed by CFG implementation on Windows 8.1 and Windows 10, and discover innovative approaches to bypass this security measure. Learn about leveraging the Flash Player's JIT compiler to circumvent CFG, and understand the subsequent hardening measures implemented by Microsoft and Adobe. Examine three practical data-only attacks that avoid CFG restrictions, including a method to execute arbitrary commands without shellcode or ROP. Gain insights into the difficulties of detecting and protecting against these sophisticated data-only attacks. While focusing on Flash Player vulnerabilities, acquire knowledge of techniques applicable to exploiting other software on CFG-enabled systems.
Syllabus
Intro
Agenda
Overview of CFG
CVE-2015-0311 Overview
Control flow hijacking attempt detected!
Approaches
Flash JIT compiler
Leveraging the JIT compiler to bypass CFG
Current status
JIT hardening
Data-only attacks: related work
The Security Settings object
Gaining (unauthorized) access to the camera & mic
From Remote sandbox to Local Trusted sandbox
Executing commands without shellcode nor ROP
Crafted state
Thank you!
Taught by
Black Hat