44CON LONDON 2015 has ended
Thursday, September 10 • 19:35 - 20:29
Exploiting 64-bit IE on Windows 8.1 - The Pwn2Own Case Study


Instead of 32-bit IE, this year's Pwn2Own competition selected 64-bit Internet Explorer as the target for the first time.
64-bit IE brings new challenges to exploit writers; for example, the simple heap spraying technique will not work in a 64-bit process.
And in order to win the game, we also needed to bypass the Control Flow Guard (CFG) mitigation on Windows 8.1 as well as the Enhanced Protected Mode (EPM) sandbox of IE.

In this presentation, we will disclose the details of the two vulnerabilities we used to take down 64-bit IE in Pwn2Own 2015 for the first time.
We will go through the PoC exploit to demonstrate the techniques we used to build a working 64-bit IE exploit.
We will show how we achieved an ASLR and CFG bypass and remote code execution in 64-bit IE with a single uninitialized memory bug.
We will also discuss the bug we used to bypass IE's EPM sandbox to achieve elevation of privilege.


Yuki Chen

Yuki Chen is a core member of 360Vulcan Team from the 360 Safeguard offensive and defensive research group. In March this year, 360Vulcan Team successfully exploited 64-bit Internet Explorer with EPM enabled at Pwn2Own 2015 in Vancouver. Yuki Chen has 6+ years' experience in security...

Thursday September 10, 2015 19:35 - 20:29 BST
Track 1
