Crafting a Full Exploit RCE fr... Note

Crafting a Full Exploit RCE from a Crash in Autodesk Revit RFA File Parsing

The author investigated a crash in Autodesk Revit 2025, initially found through fuzzing RFA files, which led to a type confusion vulnerability. This vulnerability was a result of deserializing a std::pair type. The crash occurs when the program tries to call a destructor on a non-vtable value. The author exploited the vulnerability to achieve remote code execution. The research involved reverse engineering and debugging. Tools like IDA Pro, WinDBG, and Time Travel Debugging were used. A cloud-based supply chain vulnerability in Axis Communications Plugin for Autodesk Revit, which could distribute corrupted RFA files, greatly aided the exploit. The author created a tool, "CompoundFileTool," and another tool that mimicked Revit's gzip behavior, which were essential to modify RFA files effectively. The goal was to manipulate the deserialized object's offset 0x0 to point to a controlled vtable. The author ultimately successfully achieved arbitrary code execution by exploiting the type confusion. The research also included reversing and understanding Autodesk's RFA format, including the format of compressed data in Global/Latest stream.
CdXz5zHNQW_dJZTAjgLHS.jpeg