Hacking Team's second 0day has been exposed; this is a record of my analysis of it.
The PoC first allocates an array structure, _ar.
(figure: first assignment)
At this point a[0] through a[0x1e-1] have each been assigned a Vector.<uint>(62) structure.
Inspecting any of the generated array elements 0~0x1e shows a vector whose length has been set to 62.
Then ar[i] for elements 0x1e~0x7e is assigned, each element being a Vector.<uint>(8); the first byte of each is set as a mark, which is later used to quickly locate the out-of-bounds element.
(figure: viewing the corresponding memory shows that the elements 0x1e~0x7e are Vector.<uint>(8) with length 8)
(figure: the elements 0x1e~0x2e of a[i] after assignment)
(figure: total memory of a[i])
Next, elements 0x1e~0x2e of a[i] are assigned, each receiving a TextLine object.
(figure: start of assignment)
(figure: memory layout after assignment finishes)
(figure: at this point a[i] is assigned; the whole structure of a)
(figure: getting the object corresponding to the TextLine)
The opaqueBackground property is then set on the TextLine elements at 0x1e~0x2e of a[i], which causes the AVM to allocate a 0x390-byte memory block for each element.
(figure: getting the corresponding TextLine object)
The function called at 0418E3B3 first returns the corresponding TextLine element. After the element is acquired, the 0x390-byte block is allocated at 0418E3FECC via call EAX, and then the valueOf check is made. On success, execution enters the valueOf handling, which produces the UAF. Before the call EAX returns, the value 0x6a is written at offset 0x320 of the 0x390-byte block; with careful memory layout, this 0x6a can be made to land in the length field of a vector.
(figure: after all memory allocation has finished)
(figure: the generated Vector.<uint>(62))
(figure: the generated Vector.<uint>(8))
(figure: the generated backgroundobj space)
The opaqueBackground property of the TextLine object is assigned an object of type MyClass32. Because the property is a byte-typed property, this assignment causes the valueOf function of the MyClass class to be called.
Inside the valueOf function, the TextLine object in a[i] is released, size
(figure: the backgroundobj before release)
(figure: after all 5 backgroundobj have been released)
Immediately after the release, the elements 0x1e~0x7e of a[i] are reset. Because the AVM's memory manager preferentially hands out previously freed memory, the memory of the 5 freed backgroundobj is taken over by 10 elements of the re-allocated ar array.
As the last element in the memory dump shows, all of the preceding elements have been reassigned.
By comparing against the five freed backgroundobj, the freed memory can be located in memory before the elements are reused, as shown in the figure.
As mentioned earlier, this operation causes the valueOf function of the corresponding MyClass class to be called. Inside it, 5 backgroundobj objects are released, and ar[i] is reset using the 0x1e~0x7e element size, so the space previously held by the 5 backgroundobj objects is re-occupied. After valueOf returns, the subsequent operation writes to offset 0x320 of the former 5 backgroundobj objects; that location now falls inside the reset ar[i] elements, whose size is 0x190, so the length field of the vector in one of the elements is changed from 62 to 0x6a.
(figure: the whole process)
The element ar[3b] is set; its length field has already been assigned 0x6a.
Obtaining that a[i] and setting the length of its adjacent vector structure to 0x40000000 yields an over-long vector that can read and write all of memory.
(figure: the generated global memory read/write vector)
CVE-2015-5122 Vulnerability Analysis