Early into the flash vulnerability analysis-vulnerability warning-the black bar safety net

2015-07-21T00:00:00
ID MYHACK58:62201564898
Type myhack58
Reporter 佚名
Modified 2015-07-21T00:00:00

Description

Cut-off date by hackting team leaks the derived has been patched or will be patched 0day has reached 6 months. 3 by the ValueOf function induced flash vulnerabilities, 2 ring0 can lead to mentioning the right of the font parsing vulnerability, adobe or. dll kernel font parsing components, as well as a from the mail data leaks out of the Internet Explorer 11 UAF vulnerability.

Flash vulnerability the Debug analysis of the common basic there are two categories. One is the need to debug trace FLASH ActionScript script to run on the AVM of the virtual machine inside the JITed Code. Let's say hackting team this time leaking out the 3 a flash vulnerability. Such flash vulnerability the Debug analysis is not mastering certain skills is very easy to get lost JITed Code. Then a class is the flash control in parsing the flash file some of the elements in the time parsing code handled improperly, resulting in vulnerability of produce, can be attributed to the file format vulnerability category. Early into flash vulnerabilities analysis, the present article is recorded after a class of the flash vulnerability.

Black-Box Analysis of the vulnerability process

This is a flash player in ring3 the following reading comes with malformations of the font in the swf file causes an integer overflow vulnerability. The vulnerability already has a CVE number, CVE-2 0 1 2-1 5 3 5,need to install the accessories provided in the corresponding flash version. Windbg attach to the browser process, directly run 1. html you can trigger the crash.

!

The crash is happening in Flash32_11_2_202_233. ocx module which in this case stack frame has been destroyed.

!

Before the collapse only done 3 times push,so we from the stack to find return address is 103EF640 it. The collapse of the previous layer function is sub_103EF4A0 it. Then IDA rebase the base address of the function corresponding to the position of the mark. Windbg re-attach the IE process. Use the sxe ld:Flash32_11_2_202_233. ocx in the flash to load when interrupted. Then in a crash the previous layer function to the next breakpoint. F5 to let the code execution to the premises. And then use VMWare to do a snapshot of a fixed load base address. Later in the analysis I flash the ocx control is loaded in the base address are all available snapshots is fixed at 0×1 0 0 0 0 0 0 0 it.

Finally, the problem of the way the code is

!

Tracking what eax the sources listed below associated with the code

!

Need to continue to identify 63A of the push esi the esi source. Presumably derived from the 6 2 7 The instruction at the

!

Use the following command to print the confirmation

bp 103EF627 ” . echo 103EF627 eax is ;r eax; gc;”

bp 103EF63A ” . echo 103EF63A esi is; r esi; gc;”

!

You can see esi is indeed made of 6 2 of 7 instruction at the assignment. And fixed is 020befb0

!

The need for 0x020befb0 address under the write-off point to observe is who put here the data contamination.

!

A total of 3 times interrupt in the second interrupt time 1e0d0008 of the data has been contaminated.

!

To 1e0d0008 write data statement is this one

!

You can see the pollution source from the eax on. Contaminated is the address of esi+8. in.

Use the following command to observe the dirty data and the contamination of address changes.

!

Can see is written in the memory is esi+8 is 020ba060 as the initial value in 10h increments to 020befc0 it. And eax initial value is 10h which is always a fixed value 1e0cfff8 it. That is in this memory area all with a 1e0cfff8 to do the relevant position is filled. And the final call crash the place is call poi(poi(020befb0)+8)i.e. call ((1e0cfff8+8)+8) (call 1e0d0008)。 Exactly corresponding.

!

!

Note that the above under the ba write-off point of time in the following loop statement

103ef5f6 8 3 4 6 0 8 0 8 add dword ptr [esi+8],8

This instruction will be poi(020befb0)and then do a plus 8 operation. Then look at the esi source.

!

[1] [2] [3] [4] next