Dynamic Flash instrumentation for fun and profit
Timo Hirvonen, Black Hat USA 2014

Motivation
RSA: CVE-2011-0609
CosmicDuke: CVE-2011-0611
YouTube ad -> Styx EK
Fiesta EK: CVE-2014-0497
Fiesta EK: CVE-2014-0497
DoSWF
Demo
Original goals
ExternalInterface.call()
Loader.loadBytes()

Standing on the shoulders of giants
Jeong Wook (Matt) Oh
http://www.shmoocon.org/2012/presentations/Jeong_Wook_Oh_AVM%20Inception%20-%20ShmooCon2012.pdf
Adobe AS3 team
http://recon.cx/2012/schedule/attachments/43_Inside_AVM_REcon2012.pdf
Key questions
Where are the ActionScript methods called from?
Chun Feng, Microsoft Corporation: The Butterfly Effect and the "Shellcode Storm"
http://public.avast.com/caro2011/Chun%20Feng%20-%20The%20shellcode%20storm%20caused%20by%20the%20butterfly%20effect.pptx
C:\Documents and Settings\
\mm.cfg
http://jpauclair.net/mm-cfg-secrets/
func(MethodEnv*, int argc, uint32 *ap)
Haifei Li
http://recon.cx/2012/schedule/attachments/43_Inside_AVM_REcon2012.pdf
"Hook at the end of verifyOnCall"
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.h
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
How to get the method name?
func(MethodEnv*, int argc, uint32 *ap)
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.h
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodInfo.pp
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/PoolObject.h
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp

Appetite grows with eating
Arguments and return values
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.cpp
https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp
Design
Open source FTW
Intel Pin dynamic instrumentation framework
"Plugins"
Demo
Where can I get it?
https://github.com/F-Secure/Sulo

Questions?
© F-Secure Confidential
Thank you! [email protected]
@TimoHirvonen