Our Advanced Windows Exploitation (AWE) live course in Columbia, Maryland is fast approaching with a start-date of October 24. Not only is the first time we have offered this training outside of BlackHat, it is also the first time we are able to offer a full 5 days of training and a limited number of seats are still available for this intense course.
Along with the new site and extra day of training, we have also updated one of the modules with a very interesting vulnerability discovered by Chris Rohlf and Yan Ivnitskiy of Matasano Security in June 2011. We decided that this particular vulnerability would make an intriguing case study so we developed the integer overflow vulnerability into a working Mozilla Firefox exploit, controlling an invalid Javascript Array object index value being used to access element properties.
[image_frame style=”framed_shadow” width=”512″ height=”366″ align=”center”]https://www.offsec.com/images/awe2011_00.png[/image_frame]
The reduceRight method executes a user defined callback function once for each element present in the array. As you can make the array point out of bounds, the attacker can pass a fake sprayed object address to the callback function. At this point code execution can be gained in different ways triggering a method of the fake object.
Code execution on Windows 7 obviously requires some fun playing with pointers and memory to bypass DEP and ASLR protections, both of which this exploit manages to do.
[image_frame style=”framed_shadow” width=”512″ height=”366″ align=”center”]https://www.offsec.com/images/awe2011_01.png[/image_frame]
This proves to be our most exciting AWE class so far. If you would like to learn how to take your exploitation skills to the next level, sign-up now while there’s still time and available seats.
