CVE-2014-0322 0day exploit analysis - exploit warning - the black bar safety net

ID MYHACK58:62201442530
Type myhack58
Reporter Anonymous
Modified 2014-02-25T00:00:00


Recently an IE 0day (CVE-2014-0322) has been used in drive-by download ("hanging horse") attacks. Although the vulnerability itself lies in IE, this sample also borrows Flash as an auxiliary component in order to exploit it reliably and break through the various protections. The IE+Flash combination also poses some challenges for analysis; I had not analyzed this combination before, so I take this opportunity to analyze it in detail and write it up so that everyone can exchange and learn together. If anything is wrong, please point it out and correct me.

This article covers the following:
1. Analysis of the entire exploit process.
2. The root cause of the vulnerability.
3. The technique of using a Flash uint Vector to bypass DEP/ASLR.
4. The ROP fragments in the sample.
5. The behavior of the sample's shellcode.

1. The sample used in this article

The sample used in this article consists of three files: Index.html (that is the html file; I forgot its original name), Tope.swf and Erido.jpg. These files can basically be found by searching online, so I will not post them here.

2. Entry point

The entry point of the entire attack is index.html, which tries to load Tope.swf:


<embed src=Tope.swf width=10 height=10></embed>

3. Tope.swf is loaded and performs the heap spray

When Tope.swf initializes, it first tries to fetch "Erido.jpg" from the server:


// Decompiled ActionScript 3: _local1 is a URLRequest and this.l is a URLLoader
_local1.url = "Erido.jpg";
// Fetch the resource as raw bytes rather than text or URL-encoded variables
this.l.dataFormat = URLLoaderDataFormat.BINARY;
// Once the download completes, hand the bytes to the handler E_xx
this.l.addEventListener(Event.COMPLETE, this.E_xx);
this.l.load(_local1);

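As an added triage example (not code from the original article or the sample), the following script checks an HTML page for the pattern shown above, an embed or object tag loading a .swf in a tiny frame, and checks whether each fetched resource's extension agrees with its leading bytes, which is worth verifying whenever a SWF pulls a ".jpg" with URLLoaderDataFormat.BINARY. The HTML and file bytes are constructed stand-ins modelled on the page's snippet, not the real Tope.swf or Erido.jpg.

```python
import re

# Constructed sample of the entry-point HTML, modelled on the page's embed tag.
SAMPLE_HTML = '<html><body><embed src=Tope.swf width=10 height=10></embed></body></html>'

# Constructed sample bytes standing in for fetched resources (not the real files).
SAMPLE_FILES = {
    "Tope.swf": b"CWS\x0b" + b"\x00" * 16,            # zlib-compressed SWF header
    "Erido.jpg": b"\x00\x01\x02\x03" + b"\x00" * 16,  # constructed: no JPEG magic
    "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # constructed: JPEG/JFIF magic
}

EMBED_RE = re.compile(r"<(embed|object)\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)')

def find_swf_embeds(html, max_dim=50):
    """Return (src, width, height) for embed/object tags that load a .swf
    in a tiny frame, the drive-by pattern seen in the sample's index.html."""
    hits = []
    for m in EMBED_RE.finditer(html):
        attrs = {k.lower(): v.strip('"\'') for k, v in ATTR_RE.findall(m.group(2))}
        src = attrs.get("src") or attrs.get("data", "")
        if not src.lower().endswith(".swf"):
            continue
        try:
            w, h = int(attrs.get("width", 0)), int(attrs.get("height", 0))
        except ValueError:
            w = h = -1  # non-numeric size: treat as not tiny
        if 0 <= w <= max_dim and 0 <= h <= max_dim:
            hits.append((src, w, h))
    return hits

# Leading bytes each extension is expected to carry.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "swf": (b"FWS", b"CWS", b"ZWS"),
}

def extension_matches_magic(name, data):
    """True if the file's leading bytes match what its extension claims."""
    ext = name.rsplit(".", 1)[-1].lower()
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))

def triage(html, files):
    """Collect human-readable findings for the page and its fetched resources."""
    findings = [f"tiny swf embed: {src} ({w}x{h})" for src, w, h in find_swf_embeds(html)]
    for name, data in files.items():
        if not extension_matches_magic(name, data):
            findings.append(f"extension/magic mismatch: {name}")
    return findings
```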