dynamic flash instrumentation for fun and profit · 2021. 1. 7. · 15...
-
Dynamic Flash instrumentation for fun and profit
Timo Hirvonen, Black Hat USA 2014
-
Motivation
-
RSA: CVE-2011-0609
-
CosmicDuke: CVE-2011-0611
-
YouTube ad → Styx EK
-
Fiesta EK: CVE-2014-0497
-
DoSWF
-
Demo
-
Original goals
-
ExternalInterface.call()
-
Loader.loadBytes()
-
Standing on the shoulders of giants
-
Jeong Wook (Matt) Oh
-
http://www.shmoocon.org/2012/presentations/Jeong_Wook_Oh_AVM%20Inception%20-%20ShmooCon2012.pdf
-
Adobe AS3 team
-
http://recon.cx/2012/schedule/attachments/43_Inside_AVM_REcon2012.pdf
-
Key questions
-
Where are the ActionScript methods called from?
-
Chun Feng
-
Chun Feng, Microsoft Corporation
The Butterfly Effect and the “Shellcode Storm”
http://public.avast.com/caro2011/Chun%20Feng%20-%20The%20shellcode%20storm%20caused%20by%20the%20butterfly%20effect.pptx
-
C:\Documents and Settings\<username>\mm.cfg
-
http://jpauclair.net/mm-cfg-secrets/
-
func(MethodEnv*, int argc, uint32 *ap)
-
Haifei Li
-
http://recon.cx/2012/schedule/attachments/43_Inside_AVM_REcon2012.pdf
-
“Hook at the end of verifyOnCall”
-
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.h
-
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
-
How to get the method name?
-
func(MethodEnv*, int argc, uint32 *ap)
-
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.h
-
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodInfo.pp
-
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/PoolObject.h
-
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp
-
Appetite comes with eating (Finnish proverb: “Nälkä kasvaa syödessä”)
-
Arguments and return values
-
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.cpp
-
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp
-
Design
-
Open source FTW
-
Intel Pin dynamic instrumentation framework
-
“Plugins”
-
Demo
-
Where can I get it?
-
https://github.com/F-Secure/Sulo
-
Questions?
© F-Secure
-
Thank you! [email protected]
@TimoHirvonen
-