black hat usa 2014: dynamic flash instrumentation for fun and profit - september 2014
DESCRIPTION
‘Flash EK’ skips landing page, goes Flash all the way, landing page, Sulo, Hirvonen.
TRANSCRIPT
- 1. Dynamic Flash instrumentation for fun and profit Timo Hirvonen Black Hat USA 2014
- 2. Motivation
- 3. RSA CVE-2011-0609
- 4. CosmicDuke CVE-2011-0611
- 5. YouTube ad: Styx EK
- 6. Fiesta EK CVE-2014-0497
- 7. Fiesta EK CVE-2014-0497
- 8. DoSWF
- 9. Demo
- 10. Original goals
- 11. ExternalInterface.call()
- 12. Loader.loadBytes()
- 13. Standing on the shoulders of giants
- 14. Jeong Wook (Matt) Oh
- 15. http://www.shmoocon.org/2012/presentations/Jeong_Wook_Oh_AVM%20Inception%20-%20ShmooCon2012.
- 16. Adobe AS3 team
- 17. http://recon.cx/2012/schedule/attachments/43_Inside_AVM_REcon2012.pdf
- 18. Key questions
- 19. Where are the ActionScript methods called from?
- 20. Chun Feng
- 21. Chun Feng, Microsoft Corporation: The Butterfly Effect and the Shellcode Storm http://public.avast.com/caro2011/Chun%20Feng%20-%20The%20shellcode%20storm%20caused%20by%20the%20butterfly%20effect.pptx
- 22. C:\Documents and Settings\...\mm.cfg
- 23. http://jpauclair.net/mm-cfg-secrets/
- 24. func(MethodEnv*, int argc, uint32 *ap)
- 25. Haifei Li
- 26. http://recon.cx/2012/schedule/attachments/43_Inside_AVM_REcon2012.pdf
- 27. Hook at the end of verifyOnCall
- 28. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.h
- 29-34. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
- 35. How to get the method name?
- 36. func(MethodEnv*, int argc, uint32 *ap)
- 37. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.h
- 38. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodInfo.cpp
- 39. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/PoolObject.h
- 40. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp
- 41. Appetite grows with eating (Finnish proverb: Nälkä kasvaa syödessä)
- 42. Arguments and return values
- 43. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.cpp
- 44. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp
- 45. Design
- 46. Open source FTW
- 47. Intel Pin dynamic instrumentation framework
- 48. Plugins
- 49. Demo
- 50. Where can I get it?
- 51. https://github.com/F-Secure/Sulo
- 52. Questions?
- 53. Thank you! [email protected] @TimoHirvonen