Presented at Black Hat Europe 2016, Nov. 4, 2016, 10:45 a.m. (60 minutes).

This talk will introduce Use-After-Use-After-Free (UAUAF), a novel and relatively universal exploitation technique for UAF vulnerabilities in Adobe Flash. By leveraging a sequence of object occupations and releases, UAUAF can transform a UAF into a multi-class type confusion. Full memory access is gained upon the mitigations recently added by Adobe. More importantly, this talk will illustrate UAUAF with CVE-2016-1097, a real UAF 0day that I reported to Adobe in May. The exploitation process, from discovering the 0day, gaining full memory access, and chaining ROP gadgets to the final code execution, will be presented in detail.
          
          
Presenters:

- Guanxing Wen - Security Researcher, Pangu Team

Guanxing Wen is a member of Pangu Team. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining Pangu, Wen worked as a security researcher at Venustech ADLAB. He is actively involved in bug bounty programs such as ZDI and Chrome VRP, and is currently the number-one bug contributor of IBB-Flash Bounty (@hhj4ck).