Recently an IE 0-day (CVE-2014-0322) was used in drive-by download attacks. Although the vulnerability itself lives in IE, this sample also borrows a Flash file as a helper in order to exploit it reliably and get past the various protections. The IE+Flash combination also makes analysis somewhat harder; I had not analyzed such a combination before, so I am taking this opportunity to analyze it in detail and write it up, so that everyone can learn from it together. If anything is wrong, please point it out.
This article covers:
1. Analysis of the entire exploit process.
2. The root cause of the vulnerability.
3. The technique of using a Flash uint Vector to bypass DEP/ASLR.
4. The ROP fragments in the sample.
5. The behaviour of the sample's shellcode.
The sample used here consists of three files: Index.html (that is the HTML file; I forgot its original name), Tope.swf and Erido.jpg. These files can generally be found by searching online, so I will not post them here.
The entry point of the whole attack is index.html, which tries to load Tope.swf through a tiny 10x10 embed:
<embed src="Tope.swf" width="10" height="10"></embed>
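As an added defender-side illustration (not part of the original analysis), the following Python script scans an HTML page for <embed>/<object> tags that load a .swf and flags those whose dimensions are too small to be visible content, which is exactly how index.html pulls in Tope.swf above. The sample page and the 32-pixel threshold are constructed assumptions for this example.

```python
from html.parser import HTMLParser

# Constructed sample page modelled on the index.html described above (not the
# real malicious page): one 10x10 Flash embed, one benign image, one normal movie.
SAMPLE_HTML = """
<html><body>
<img src="banner.png" width="468" height="60">
<embed src="Tope.swf" width="10" height="10"></embed>
<object data="movie.swf" width="640" height="480"></object>
</body></html>
"""

TINY = 32  # assumed threshold: .swf embeds at or below this size in both axes are suspicious


def _to_int(value):
    """Parse width/height values like '10' or '10px'; None if missing or unusable."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


class SwfEmbedFinder(HTMLParser):
    """Collect <embed>/<object> tags that reference a .swf and note whether they are tiny."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("embed", "object"):
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data") or ""
        if not src.lower().endswith(".swf"):
            return
        w, h = _to_int(a.get("width")), _to_int(a.get("height"))
        tiny = w is not None and h is not None and w <= TINY and h <= TINY
        self.findings.append({"tag": tag, "src": src, "width": w, "height": h, "tiny": tiny})


def find_swf_embeds(html):
    """Return a list of dicts describing every .swf embed/object in the page."""
    parser = SwfEmbedFinder()
    parser.feed(html)
    return parser.findings


def suspicious_swf_loaders(html):
    """Return the src of each .swf embed too small to be visible content."""
    return [f["src"] for f in find_swf_embeds(html) if f["tiny"]]


if __name__ == "__main__":
    for f in find_swf_embeds(SAMPLE_HTML):
        label = "SUSPICIOUS" if f["tiny"] else "ok"
        print(f"{label:10} {f['tag']} src={f['src']} {f['width']}x{f['height']}")
```

Missing or unparsable dimensions are deliberately not treated as tiny, so the heuristic only fires on an explicit near-invisible size.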
When Tope.swf initializes, it first tries to fetch "Erido.jpg" from the server:
var _local1:URLRequest = new URLRequest();      // declaration inferred from the load() call below
_local1.url = "Erido.jpg";                        // the file to fetch from the same server
this.l.dataFormat = URLLoaderDataFormat.BINARY;   // read the response as raw bytes (ByteArray), not text
this.l.addEventListener(Event.COMPLETE, this.E_xx); // E_xx runs once the download completes
this.l.load(_local1);                             // this.l is a URLLoader; start the request