Abstract

Matt Molinyawe is a vulnerability analyst and exploit developer for HP’s Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, he worked at L-3 Communications, USAA, and General Dynamics – Advanced Information Systems. Matt has a BS in Computer Science from the University of Texas at Austin.

AbdulAziz Hariri is a vulnerability analyst and exploit developer for the HP Zero Day Initiative. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to joining the ZDI, he was a member of the Morgan Stanley CERT team doing incident response and malware analysis. Abdul holds a BS in Computer Science from the University of Balamand.

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin.

In March 2014, Pwn4Fun was introduced as part of the annual Pwn2Own contest at CanSecWest. It provided the opportunity for sponsors to participate in the contest. All Pwn4Fun prize winnings were donated to charity.

HP Zero Day Initiative (ZDI) successfully targeted Microsoft’s Internet Explorer (IE) with a full exploit that bypassed the IE sandbox. The exploit was composed of three components. The first component dealt with the exploitation of a use-after-free found in IE that bypassed ASLR and DEP. The second dealt with the continuation and cleanup of this exploit. The third and final component dealt with bypassing the sandbox. In this presentation, we will cover each of these components in-depth.

We will demonstrate this Pwn4Fun exploit. We will also briefly talk about the newest mitigations introduced by Microsoft.