In May this year, foreign security researchers discovered an unknown Adobe Flash exploit being used in the wild. After the vulnerability was disclosed, Adobe released a patch fixing it (APSB16-15), and it was assigned CVE-2016-4117. CVE-2016-4117 is classified as a high-risk vulnerability with a CVSS score of 10.0, and it affects Windows, Mac OS X, Linux and Chrome OS. Adobe's advisory states: "Adobe Flash Player 18.104.22.168 and earlier versions on Windows, Mac, Linux and Chrome OS contain a high-risk vulnerability; successful exploitation may cause the system to crash, or even allow the attacker to take control of the affected system."

0x0 Vulnerability profile

CVE-2016-4117 is a type confusion vulnerability in the ActionScript class com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation that can ultimately lead to remote code execution; in-the-wild samples first appeared in May this year. This class exposes a get/set interface pair named placement (Figure 0-0). If this class is used as a base class and a subclass declares an object with the same name (Figure 0-1), the AVM virtual machine makes an error while interpreting the code, which results in the type confusion.

[Figure 0-0]

[Figure 0-1]

0x1 Related knowledge

To understand the principle of this vulnerability in depth, we first need to understand the logic of the AVM interpreter's getproperty (0x66) bytecode. Adobe has published the AVM virtual machine source code on GitHub together with some reference documents; although the code is three years old, it can still be used as a reference. First, we can look at the summary of the getproperty instruction (Figure 1-0):

[Figure 1-0]

Simply put, it takes an object and retrieves a property from it according to the index that follows the instruction.
We then look at the source code of the implementation (Figure 1-1):

[Figure 1-1]

getBinding looks up our attribute name and finally returns a binding ID value, and the function or field value is then retrieved according to that value. The ID value consists of two parts: the low three bits and the remaining bits. The low three bits store the property type (the binding kind), and the remaining bits store the real ID value. The enumeration is shown in Figure 1-2:

[Figure 1-2]

bindingKind then ANDs this ID value with 7, i.e. it extracts the low three bits, and a switch table performs a different operation for each value. Two of the cases are related to the vulnerability: BKIND_VAR (2), which generally corresponds to object, uint and similar variables, and BKIND_GET (5), which corresponds to a get interface. First let us look at BKIND_VAR (Figure 1-3):

[Figure 1-3]

BindingToSlotId right-shifts the value by three bits to obtain the real ID value, and the real value is then retrieved according to that ID. The logic of getSlotAtom is also very simple: if the ID value is 0x5, for example, the value at object offset 0x5*4 is read. The type is of course also checked: if the slot type is double, 8 bytes are read; if it is int, 4 bytes are read. The corresponding assembly instructions are as follows (Figure 1-4):

[Figure 1-4]

Next we look at BKIND_GET (Figure 1-5):

[Figure 1-5]

Following the coerceEnter function (Figure 1-6):

[Figure 1-6]

This code is more complex, so let us first explain a few terms. VTable: an object holding the list of AS-level (not native-level) virtual functions; its methods array stores the MethodEnv corresponding to each virtual function. It is generally stored at offset 0x8 in the object.
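The binding encoding described above (low three bits = kind, remaining bits = slot ID, BindingToSlotId = shift right by three, slot read width chosen by slot type) and the base-class/subclass name clash from the vulnerability profile can both be modelled in a few lines. The following is an added example written for this page, not avmplus source code and not the exploit: the BindingKind values follow the avmplus enumeration, but the Traits structure, the getBinding/findKindConflicts functions, the slot-offset rule and the sample class names are simplified, constructed stand-ins. findKindConflicts is the kind of consistency check a verifier would want: it reports any property that a derived class redeclares with a different binding kind than its base, which is exactly the situation (BKIND_GET accessor in the base, BKIND_VAR slot in the subclass) in which getproperty would otherwise read a slot where an accessor call was expected.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Binding kinds as enumerated in avmplus. The low three bits of a Binding
// carry one of these values; the remaining bits carry the slot/dispatch id.
enum BindingKind {
    BKIND_NONE = 0, BKIND_METHOD = 1, BKIND_VAR = 2, BKIND_CONST = 3,
    BKIND_GET = 5, BKIND_SET = 6, BKIND_GETSET = 7
};

typedef uintptr_t Binding;

// Pack a slot id and a kind into one Binding value.
inline Binding makeBinding(uint32_t id, BindingKind kind) {
    return (static_cast<Binding>(id) << 3) | static_cast<Binding>(kind);
}
// bindingKind(): AND with 7 keeps only the low three bits (the kind).
inline BindingKind bindingKind(Binding b) { return static_cast<BindingKind>(b & 7); }
// BindingToSlotId(): shift the three kind bits away to recover the real id.
inline uint32_t bindingToSlotId(Binding b) { return static_cast<uint32_t>(b >> 3); }

// Simplified slot typing from the article: an int slot is read as 4 bytes,
// a double slot as 8 bytes, and slot id N is read at object offset N * 4.
enum SlotType { SLOT_INT, SLOT_DOUBLE };
inline size_t slotReadWidth(SlotType t) { return t == SLOT_DOUBLE ? 8 : 4; }
inline size_t slotOffset(uint32_t slotId) { return static_cast<size_t>(slotId) * 4; }

// Hypothetical per-class name table standing in for the avmplus Traits binding table.
struct Traits {
    std::string name;
    const Traits* base;                      // parent class, or nullptr at the root
    std::map<std::string, Binding> bindings; // property name -> Binding
};

// Resolve a property name: most-derived class first, then walk up to the base.
// Returns a BKIND_NONE binding when the name is unknown anywhere in the chain.
Binding getBinding(const Traits* t, const std::string& prop) {
    for (; t != nullptr; t = t->base) {
        std::map<std::string, Binding>::const_iterator it = t->bindings.find(prop);
        if (it != t->bindings.end()) return it->second;
    }
    return makeBinding(0, BKIND_NONE);
}

// Consistency check: list every name the derived class redeclares with a kind
// that differs from the base's kind for the same name (e.g. BKIND_GET vs BKIND_VAR).
std::vector<std::string> findKindConflicts(const Traits* derived) {
    std::vector<std::string> conflicts;
    if (derived == nullptr || derived->base == nullptr) return conflicts;
    for (std::map<std::string, Binding>::const_iterator it = derived->bindings.begin();
         it != derived->bindings.end(); ++it) {
        Binding inBase = getBinding(derived->base, it->first);
        if (bindingKind(inBase) != BKIND_NONE && bindingKind(inBase) != bindingKind(it->second))
            conflicts.push_back(it->first);
    }
    return conflicts;
}

// Constructed sample: a base class exposing "placement" through a getter,
// and a subclass that declares a plain variable (slot 2) with the same name.
const Traits* baseTraits() {
    static Traits t;
    if (t.name.empty()) {
        t.name = "ExampleBaseOperation";      // constructed name, not a real class
        t.base = nullptr;
        t.bindings["placement"] = makeBinding(1, BKIND_GET);
    }
    return &t;
}

const Traits* derivedTraits() {
    static Traits t;
    if (t.name.empty()) {
        t.name = "ExampleSubclass";            // constructed name, not a real class
        t.base = baseTraits();
        t.bindings["placement"] = makeBinding(2, BKIND_VAR);
    }
    return &t;
}
```

Resolving "placement" against the base yields a BKIND_GET binding, while the same name resolved against the subclass yields BKIND_VAR with slot id 2, and findKindConflicts flags that single name; a lookup for an undeclared name falls through to BKIND_NONE.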