Black Hat USA 2014: Dynamic flash instrumentation for fun and profit - September 2014

1. Dynamic Flash instrumentation for fun and profit Timo Hirvonen Black Hat USA 2014

2. Motivation 2

3. 3 RSA CVE-2011-060 9

4. CosmicDuke CVE-2011-061 4 1

5. 5 Youtube ad Styx EK

6. 6 Fiesta EK CVE-2014-04 97

7. 7 Fiesta EK CVE-2014-04 97

8. 8 DoSWF

9. Demo 9

10. Original goals 10

11. ExternalInterface.cal l() 11

12. Loader.loadBytes() 12

13. Standing on the shoulders of giants 13

14. Jeong Wook (Matt) Oh 14

15. 15 http://www.shmoocon.org/2012/presentations/Jeong_Wook_Oh_AVM%20Inception%20-%20ShmooCon2012.

16. Adobe AS3 team 16

17. 17 http://recon.cx/2012/schedule/attachments/ 43_Inside_AVM_REcon2012.pdf

18. Key questions 18

19. Where are the ActionScript methods called from? 19

20. Chun Feng 20

21. Chun Feng Microsoft Corporation The Butterfly Effect and the Shellcode Storm http://public.avast.com/caro2011/Chun%20Feng%20-%20The%20shellcode%20storm%20caused%20by%20the%20butterfly%20effect.pptx

22. C:Documents and Settings mm.cfg 22

23. 23 http://jpauclair.net/mm-cfg-secrets/

24. func(MethodEnv*, int argc, uint32 *ap) 24

25. Haifei Li 25

26. 26 http://recon.cx/2012/schedule/attachments/ 43_Inside_AVM_REcon2012.pdf

27. Hook at the end of verifyOnCall 27

28. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.h

29. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp

35. How to get the method name? 37

36. func(MethodEnv*, int argc, uint32 *ap) 38

37. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.h

38. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodInfo.pp

39. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/PoolObject.h

40. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp

41. Nlk kasvaa sydess 43

42. Arguments and return values 44

43. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.cpp

44. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp

45. Design 47

46. Open source FTW 48

47. Intel Pin dynamic instrumentatio n framework 49

48. Plugins 50

49. Demo 51

50. WIh geerte ict?a n 52

51. https:// github.com/F-Secure/ Sulo 53

52. Questions? 54 F-Secure Confidential

53. 55 Thank you! [email protected] @TimoHirvonen

54. 56

Black Hat USA 2014: Dynamic flash instrumentation for fun and profit - September 2014

Business

Transcript of Black Hat USA 2014: Dynamic flash instrumentation for fun and profit - September 2014