Syllabus
Intro
Why Google Pixel Phone Is A Tough Target
Remote Attack Surface of Smart Phones
Experience of Pwning Android Devices
The Exploit Chain (TiYunZong)
Torque in Chrome v8
JSFunction Memory Layout
The Bug(CVE-2019-5877)
Trigger the Bug
How to Exploit
Exploit Strategy
Chrome's Multi-Process Architecture
The Mojo Interface Definition of Content Decryption Module (CDM)
The Implementation of the Initialized Function of CDM
The Function RegisterCdm
Trigger UAF
Exploit the ERP Bug
The Format of the Scratch Memory
Where is the Bug
of a Ring Buffer
Read And Write Pointer
Allocate Space From Ring Buffer
Overwrite Existing Instructions
CP Instruction Sequence of Executing IOCTL_KGSL_GPU_COMMAND
The Process of Exploiting CVE-2019-10567
Demo
Taught by
Black Hat