Instead of 32-bit IE, this year's Pwn2Own competition selected 64-bit Internet Explorer as the target for the first time. 64-bit IE brings new challenges to exploit writers; for example, simple heap spraying techniques will not work in a 64-bit process. In order to win the game, we also needed to bypass the Control Flow Guard (CFG) mitigation on Windows 8.1 as well as IE's Enhanced Protected Mode (EPM) sandbox.
In this presentation, we will disclose the details of the two vulnerabilities we used to take down 64-bit IE in Pwn2Own 2015 for the first time. We will go through the proof-of-concept exploit to demonstrate the techniques we used to build a working 64-bit IE exploit. We will show how we achieved an ASLR and CFG bypass and remote code execution in 64-bit IE with a single uninitialized memory bug. We will also discuss the bug we used to bypass IE's EPM sandbox and achieve elevation of privilege.