dynamic flash instrumentation for fun and profit · 2021. 1. 7. · 15...

Dynamic Flash instrumentation for fun and profit Timo Hirvonen Black Hat USA 2014

Upload: others

Post on 31-Jan-2021

2 views

Category:

Documents

0 download

Report

Download

Embed Size (px):

TRANSCRIPT

Dynamic Flash instrumentation for fun and profit

Timo Hirvonen Black Hat USA 2014
Motivation

2
3

RSA CVE-2011-060

9
4

CosmicDuke CVE-2011-061

1
5

Youtube ad à Styx EK
6

Fiesta EK CVE-2014-04

97
7

Fiesta EK CVE-2014-04

97
8

DoSWF
Demo

9
Original goals

10
ExternalInterface.call()

11
Loader.loadBytes()

12
Standing on the shoulders

of giants 13
Jeong Wook (Matt) Oh

14
15 http://www.shmoocon.org/2012/presentations/Jeong_Wook_Oh_AVM%20Inception%20-%20ShmooCon2012.pdf
Adobe AS3 team

16
17

http://recon.cx/2012/schedule/attachments/43_Inside_AVM_REcon2012.pdf
Key questions

18
Where are the ActionScript

methods called from?

19
Chun Feng

20
Chun Feng

Microsoft Corporation

The Butterfly Effect and the “Shellcode Storm”

http://public.avast.com/caro2011/Chun%20Feng%20-%20The%20shellcode%20storm%20caused%20by%20the%20butterfly%20effect.pptx
C:\Documents and Settings\

\mm.cfg

22
23

http://jpauclair.net/mm-cfg-secrets/
func(MethodEnv*, int argc, uint32 *ap)

24
Haifei Li

25
26

http://recon.cx/2012/schedule/attachments/43_Inside_AVM_REcon2012.pdf
“Hook at the end of verifyOnCall”

27
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.h
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
How to get the method

name? 37
func(MethodEnv*, int argc, uint32 *ap)

38
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.h
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodInfo.pp
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/PoolObject.h
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp
Nälkä kasvaa syödessä

43
Arguments and

return values

44
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.cpp
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp
Design

47
Open source FTW

48
Intel Pin dynamic

instrumentation framework

49
“Plugins”

50
Demo

51
Where can I get it? 52
https://github.com/F-Secure/Sulo

53
Questions?

© F-Secure Confidential 54
55

Thank you! [email protected]

@TimoHirvonen
56