Black Hat Europe资料eu-15-Chen-Hey-Man-Have-You-Forgotten-To-Initialize-Your-Memory-wp.pdfVIP

Hey Man, Have You Forgotten to Initialize Your Memory? Qihoo 360 Vulcan Team @360Vulcan Background This year’s IE target: - 64-bit process - Bypass EPM without restart/relogin - New Mitigations: Isolated Heap, Deferred Freed, Control Flow Guard - EMET There are some import rule changes this year which makes it more difficult than previous years. This is the first time in Pwn2Own history that 64-bit IE is used as target. Exploiting 64-bits process is much more difficult than 32-bit, for example, the simple heap spraying technique which is often used in 32-bit exploit does not work any more. Also, this year’s contest enables the enhanced protected mode of ie, which means ie child process runs in AppContainer and has no access to most of the system resources. We need to bypass EPM without restarting/relogging the computer. In the last year, Microsoft adds some new exploit mitigations to IE, which effectively kills many use after free bug. In this paper, we will show the details of the vulnerabilities and the exploit techniques we used to knock over IE in the contest. We hope guys who are interested in advanced browser exploit will like this. From Uninitialized memory bug to RCE (CVE-2015-1745) It is an uninitialized memory bug, we use it to achieve RCE. So what is uninitialized memory bug? It is one category of memory corruption bugs. When you write program, you will access memory. When your program use local variables, global variables or dynamic-allocated buffers, you are accessing to memory data. If your program uses some memory data before initializing it, then you may get unpredictable result. This is called uninitialized memory bug. Two example: Uninitialized heap memory: int *unitialized_heap_buffer = (int *)malloc(10 * sizeof(int)); Int unitialized_value = unit