Upload File

black hat usa 2014: dynamic flash instrumentation for fun and profit - september 2014

  • Home
  • Business
  • Black Hat USA 2014: Dynamic flash instrumentation for fun and profit - September 2014
56
Dynamic Flash instrumentation for fun and profit Timo Hirvonen Black Hat USA 2014

Upload: gde-merkl

Post on 18-Nov-2014

238 views

Category:

Business


7 download

Report

DESCRIPTION

‘Flash EK’ skips landing page, goes Flash all the way, landing page, Sulo, Hirvonen.

TRANSCRIPT

  • 1. Dynamic Flash instrumentation for fun and profit Timo Hirvonen Black Hat USA 2014
  • 2. Motivation 2
  • 3. 3 RSA CVE-2011-060 9
  • 4. CosmicDuke CVE-2011-061 4 1
  • 5. 5 Youtube ad Styx EK
  • 6. 6 Fiesta EK CVE-2014-04 97
  • 7. 7 Fiesta EK CVE-2014-04 97
  • 8. 8 DoSWF
  • 9. Demo 9
  • 10. Original goals 10
  • 11. ExternalInterface.cal l() 11
  • 12. Loader.loadBytes() 12
  • 13. Standing on the shoulders of giants 13
  • 14. Jeong Wook (Matt) Oh 14
  • 15. 15 http://www.shmoocon.org/2012/presentations/Jeong_Wook_Oh_AVM%20Inception%20-%20ShmooCon2012.
  • 16. Adobe AS3 team 16
  • 17. 17 http://recon.cx/2012/schedule/attachments/ 43_Inside_AVM_REcon2012.pdf
  • 18. Key questions 18
  • 19. Where are the ActionScript methods called from? 19
  • 20. Chun Feng 20
  • 21. Chun Feng Microsoft Corporation The Butterfly Effect and the Shellcode Storm http://public.avast.com/caro2011/Chun%20Feng%20-%20The%20shellcode%20storm%20caused%20by%20the%20butterfly%20effect.pptx
  • 22. C:Documents and Settings mm.cfg 22
  • 23. 23 http://jpauclair.net/mm-cfg-secrets/
  • 24. func(MethodEnv*, int argc, uint32 *ap) 24
  • 25. Haifei Li 25
  • 26. 26 http://recon.cx/2012/schedule/attachments/ 43_Inside_AVM_REcon2012.pdf
  • 27. Hook at the end of verifyOnCall 27
  • 28. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.h
  • 29. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
  • 30. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
  • 31. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
  • 32. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
  • 33. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
  • 34. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
  • 35. How to get the method name? 37
  • 36. func(MethodEnv*, int argc, uint32 *ap) 38
  • 37. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.h
  • 38. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodInfo.pp
  • 39. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/PoolObject.h
  • 40. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp
  • 41. Nlk kasvaa sydess 43
  • 42. Arguments and return values 44
  • 43. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.cpp
  • 44. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp
  • 45. Design 47
  • 46. Open source FTW 48
  • 47. Intel Pin dynamic instrumentatio n framework 49
  • 48. Plugins 50
  • 49. Demo 51
  • 50. WIh geerte ict?a n 52
  • 51. https:// github.com/F-Secure/ Sulo 53
  • 52. Questions? 54 F-Secure Confidential
  • 53. 55 Thank you! [email protected] @TimoHirvonen
  • 54. 56

B.Sc. in Process Instrumentation and Control Engineering 2014€¦ · B.Sc. in Process Instrumentation and Control Engineering 2014 ... PICENG 111 Introduction to Process ... Analytical

Instrumentation System Design JAN 2014

RED HAT ENTERPRISE AGREEMENT AUSTRALIA · Red Hat Enterprise Agreement Page 1 of 5 (Australia) Red Hat Confidential Information November 2014 RED HAT ENTERPRISE AGREEMENT AUSTRALIA

Lavacon 2014 responsive design in your hat

NEDA May 2014 Tip of the Hat

Hat catalog 2010 2014

November 19, 2014 vs. Medicine Hat

2014 IEEE International Instrumentation and Measurement ...toc.proceedings.com/22722webtoc.pdf · Instrumentation and Measurement Technology Conference (I2MTC 2014) Pages 1-823 1/2

INSTRUMENTATION AND CONTROL ENGINEERING M. Tech. (Biomedical Instrumentation ... · 2015-04-02 · M. Tech. (Biomedical Instrumentation) Effective from A. Y. 2014-15 ... rhythmicity

Medicine Hat Construction Association 2014

B.Sc. in Process Instrumentation and Control Engineering 2014

Tipp 2014 - Third International Conference on Technology and Instrumentation … · 2014-05-30 · Tipp 2014 - Third International Conference on Technology and Instrumentation in

Black Hat SEO Techniques 2014

Testo (Connecting Industry instrumentation) Jan 2014

Red Hat Storage 2014 - Product(s) Overview

The HAT (Herault & Aude Times) September 2014

DE59 INSTRUMENTATION AND MEASUREMENTS ELEC DEC 2014

Elementary Particles Instrumentation Accelerators Dec 15, 2014 1

2014 04-17 Applied SCAP, Red Hat Summit 2014

CT Physics and Instrumentation RAD 323 2014

17484 Answe Key GATE 2014 instrumentation engineering

SQXF Instrumentation wires and connectors. Instrumentation & Quench heaters wires March 2014 J.C. Perez2 Instrumentation wires: AXON reference HH2619

QMI 2014 Instrumentation Catalog

Electronic Instrumentation Jan 2014

December 9, 2014 vs. Medicine Hat

NEDA June 2014 Tip of the Hat

INSTRUMENTATION LAB (2014-2015) - MLRITMmlritm.ac.in/sites/default/files/ics manual.pdf · instrumentation lab (2014-2015) document no: date of ... calibration of pressure gauges

Contemporary Automatic Program Analysis - Black Hat · Auditing Binary Instrumentation Crash ... //github.com/HockeyInJune/Contemporary-Automatic-Program-Analysis. ... •

INSTRUMENTATION 2014

Syllabus of TE (Instrumentation and control/Instrumentation Engg… · 2014-08-06 · Syllabus of TE (Instrumentation and control/Instrumentation Engg.) Rev. Syllabus W.E.F. academic

Pubcon 2014 - Adwords automation hat trick Adwords Scripts

Hard Hat - Summer 2014

IN2014 Instrumentation Engineering (GATE 2014)

BLRBAC Instrumentation and Classifications Guide (2014)

Venezia Glamour Winter’s Glamour Hat, Ear Warmers & …€¦ ·  · 2014-12-15Venezia Glamour Winter’s Glamour Hat, ... Venezia Glamour Winter’s Glamour Hat, Ear Warmers &