Ret2page: The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache

In this talk, I will introduce “Ret2page“ - a new and generic exploitation technique. The key idea behind the new exploitation technique is to tame both the SLUB and BUDDY allocator. It aims to reduce time and memory consumption, and improve the success rate of physical page reuse. Moreover, to evaluate the effectiveness of the new exploitation technique and compare it with the well-known cross-cache attack techniques, I will analyze two typical Use-After-Free vulnerabilities fixed last year. Last but not least, to achieve the arbitrary kernel memory R/W ability and gain the root privilege, I will respectively detail how to exploit those two vulnerabilities, bypass the general mitigations(KASLR, PAN, etc), and build the universal Android rooting solutions. Presented by: Yong Wang Full Abstract and Presentation Materials: #retpage-the-art-of-exploiting-use-after-free-vulnerabilities-in-the-dedicated-cache-26290