Taming wild copies: from hopeless crash to working exploit (presented at CanSecWest 2015)

by Chris Evans

Summary: In this talk, we will explore the exploitation of wild copies that lead to memory corruption. We define a wild copy as one where the size of the copy is enormous and the attacker cannot control it. Throughout the evolution of exploitation, we've seen the occasional trick to exploit wild copies, usually relying on a secondary bug or quirk. After recapping some past classics, we'll focus on a real wild copy bug in Adobe Flash, and exploit it without relying on any secondary issues. The exploit will cover advanced instances of modern techniques such as heap grooming, winning race conditions, controlled corruption and Flash-specific exploitation vectors. With any luck, we'll end up calculating all the way to the bar.
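To make the definition concrete, here is a constructed C example of how a wild copy typically arises. It is added here for illustration and is neither code from the talk nor the Adobe Flash bug it covers: a hypothetical record parser derives a payload length as "total minus header" without checking that the total is at least the header size, so a short attacker-supplied total wraps the unsigned subtraction and memcpy is asked for a length near 4 GiB that the attacker can trigger but not meaningfully choose. The hardened variant beside it rejects undersized totals and caps the copy by the destination capacity; all names (HEADER_LEN, wild_payload_len, safe_payload_len, copy_record) are invented for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a hypothetical record format with a 16-byte header
 * followed by a payload. The on-the-wire "total length" field is attacker
 * controlled. None of this is the Flash bug discussed in the talk. */
#define HEADER_LEN 16u

/* Length the vulnerable parser would hand to memcpy. If total_len < 16 the
 * unsigned subtraction wraps: 8 - 16 == 0xFFFFFFF8, i.e. ~4 GiB. The
 * attacker can trigger this, but cannot pick a useful size: a wild copy. */
size_t wild_payload_len(uint32_t total_len)
{
    return (size_t)(total_len - HEADER_LEN);
}

/* True when a copy of n bytes would run past a destination of dst_cap bytes. */
bool is_wild(size_t n, size_t dst_cap)
{
    return n > dst_cap;
}

/* Hardened length computation: refuse totals shorter than the header and
 * payloads larger than the destination buffer. Returns false on rejection. */
bool safe_payload_len(uint32_t total_len, size_t dst_cap, size_t *out_len)
{
    if (total_len < HEADER_LEN)
        return false;            /* would underflow */
    size_t n = total_len - HEADER_LEN;
    if (n > dst_cap)
        return false;            /* would overflow dst */
    *out_len = n;
    return true;
}

/* Hardened copy: only memcpy once the length has been validated. */
bool copy_record(const uint8_t *src, uint32_t total_len,
                 uint8_t *dst, size_t dst_cap)
{
    size_t n;
    if (!safe_payload_len(total_len, dst_cap, &n))
        return false;
    memcpy(dst, src + HEADER_LEN, n);
    return true;
}

int main(void)
{
    uint8_t dst[64];
    /* Constructed record: 16-byte header followed by a 4-byte payload. */
    uint8_t rec[HEADER_LEN + 4] = {0};
    memcpy(rec + HEADER_LEN, "ABCD", 4);

    size_t n = wild_payload_len(8);
    printf("vulnerable parser would memcpy %zu bytes (wild: %d)\n",
           n, is_wild(n, sizeof dst));

    printf("hardened parser, total=8:  %s\n",
           copy_record(rec, 8, dst, sizeof dst) ? "copied" : "rejected");
    printf("hardened parser, total=20: %s\n",
           copy_record(rec, 20, dst, sizeof dst) ? "copied" : "rejected");
    return 0;
}
```

The point of the first function is the one the abstract makes: the attacker controls whether the wild copy happens, not how far it runs, which is why the copy ordinarily just faults and why exploitation has to lean on grooming, races and controlled corruption rather than on picking a convenient length.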