The Flash JIT Spraying is Back
Hints for Flash Vulnerability Researchers
Ming-chieh Pan (Nanika) <[email protected]>, Senior vulnerability researcher, Net-Hack Inc.
Sung-ting Tsai (TT) <[email protected]>, Staff Research Engineer, Trend Micro.
XOR Trick
• http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf
• 0x3C909090 ^ 0x3C909090 ^ 0x3C909090 ^ 0x3C909090 ^ …
• 0x1A1A0101: 90 NOP
• 0x1A1A0102: 90 NOP
• 0x1A1A0103: 90 NOP
• 0x1A1A0104: 3C35 CMP AL, 35
XOR JIT Spraying doesn't work in Flash 10.1
• @asintsov (Jun 13, 2010 6:18 AM): No JIT-SPRAY in Flash 10.1. Pages with code are crypted )) But idea will never die, that I show on HITB in AMS)
Flash JIT Hacking
• Flash parser tool: https://github.com/sporst/SWFREtools/
• We need an easy way to set a breakpoint in the JIT code to observe the memory.
• Using our AVM fuzzer, we found a new way to make JIT spraying work.
• Magic number: 0x2d 0x01 0x20 0xb4
Magic Number - pushint
• Push an int value onto the stack.
• Format: pushint index
• Forms: pushint = 45 (0x2d)
• Stack: … => …, value
• Bytes: 0x2d 0x01 (opcode, then the u30 index into the integer constant pool)
• Index 1 -> 60178 (0xEB12)
Magic Number - pushnull
• Push null.
• Format: pushnull
• Forms: pushnull = 32 (0x20)
• Stack: … => …, null
• Bytes: 0x20
Magic Number - in
• Determine whether an object has a named property.
• Format: in
• Forms: in = 180 (0xb4)
• Stack: …, name, obj => …, result
AVM code insert (modify)
• Select a method body.
• Change the code to pushint/pushnull/in.
Breakpoint
• The second pushnull could crash Flash.
• Set OllyDbg as the just-in-time debugger.
• Focus on ESP+C: following [ESP+C] leads to our JIT code page, which we can then analyze.
• Remember pushint/pushnull/in?
• Push eb12
• Push 1
• Call 007b7c80
Idea never dies
• Can we control it?
• Try to put another integer.
• Try to put two pushints.
JIT again bypass DEP
• 0291C019 90 NOP
• 0291C01A 90 NOP
• 0291C01B 90 NOP
• 0291C01C 3C 68 CMP AL,68
• 0291C01E 4E DEC ESI
• 0291C01F EB 09 JMP SHORT 0291C02A
• 0291C02A 90 NOP
• 0291C02B 90 NOP
• 0291C02C 90 NOP
• 0291C02D 3C 68 CMP AL,68
• 0291C02F 4E DEC ESI
• 0291C030 EB 09 JMP SHORT 0291C03B
Bypass ASLR
• Spraying with a large number of push opcodes might be a problem.
• It needs a lot of push opcodes.
• It needs to modify the AVM struct max_stack.
• When it is more than 2047, it could fail.
File Size and Zlib
• Spraying more method bodies could cause a large file size.
• Zlib could help: 20.5 MB -> 71.9 KB
File Size Spraying
Control the MEM
Reliable?
• 68 9090903C PUSH 3C909090
• 68 4EEB0900 PUSH 9EB4E
• 8BCB MOV ECX,EBX
• E8 527CCAFD CALL flash.007B7C80
• Success rate: 6/17 = 35%
• We need more luck!
Another NOP JIT code
• jump
• Format: jump offset
• Forms: jump = 16 (0x10)
• Stack: … => …
• Bytes: 0x10 0x00 0x00 0x00 (opcode, then the signed 24-bit offset)
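The three "magic number" opcodes (pushint, pushnull, in) and the jump opcode above are described only as slide fragments; the following decoder shows how those bytes are actually parsed, and adds a stack-depth check that ties in with the max_stack limit mentioned under "Bypass ASLR". This is an added example, not code from the talk, from Adobe, or from SWFREtools. The opcode numbers and operand encodings (u30 varint, s24 branch offset) follow the public AVM2 bytecode description; the stack effects are taken from the "Stack" lines on the slides, and the sample method body, the max_stack value and the analysis thresholds are constructed here.

```python
"""Decoder and stack-depth check for the AVM2 opcodes named in the talk.

Added example: not code from the talk, from Adobe, or from SWFREtools.
Opcode numbers and operand encodings (u30 varint, s24 branch offset)
follow the public AVM2 bytecode description; the sample method body and
the max_stack value used below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator, Optional

# opcode -> (mnemonic, operand encoding, net stack effect)
# Stack effects come from the "Stack" lines on the slides:
# pushint/pushnull push one value; `in` pops name and obj and pushes result.
OPCODES = {
    0x2D: ("pushint", "u30", +1),
    0x20: ("pushnull", None, +1),
    0xB4: ("in", None, -1),
    0x10: ("jump", "s24", 0),
}


@dataclass
class Insn:
    offset: int
    mnemonic: str
    operand: Optional[int]


def read_u30(code: bytes, pos: int) -> tuple[int, int]:
    """Decode a u30 varint: 7 data bits per byte, little-endian, bit 7 = continue."""
    value, shift = 0, 0
    for i in range(5):
        if pos + i >= len(code):
            raise ValueError(f"truncated u30 at offset {pos}")
        b = code[pos + i]
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value & 0x3FFFFFFF, pos + i + 1
    raise ValueError(f"u30 longer than 5 bytes at offset {pos}")


def read_s24(code: bytes, pos: int) -> tuple[int, int]:
    """Decode a signed 24-bit little-endian branch offset."""
    if pos + 3 > len(code):
        raise ValueError(f"truncated s24 at offset {pos}")
    return int.from_bytes(code[pos:pos + 3], "little", signed=True), pos + 3


def decode(code: bytes) -> Iterator[Insn]:
    """Yield instructions until the body ends or an opcode outside the table appears."""
    pos = 0
    while pos < len(code):
        start, op = pos, code[pos]
        pos += 1
        if op not in OPCODES:
            # A real disassembler needs the full opcode table; we stop here
            # rather than guess the operand length of an unknown opcode.
            yield Insn(start, f"unknown(0x{op:02x})", None)
            return
        mnemonic, kind, _ = OPCODES[op]
        operand = None
        if kind == "u30":
            operand, pos = read_u30(code, pos)
        elif kind == "s24":
            operand, pos = read_s24(code, pos)
        yield Insn(start, mnemonic, operand)


def analyze(code: bytes, max_stack: int) -> dict:
    """Count opcodes and track operand-stack depth against the body's max_stack.

    The slides say a push-heavy body needs max_stack raised and may fail past
    2047; a decoded peak depth above the declared max_stack is therefore a
    body that does not match its own header and deserves a closer look.
    """
    counts: dict[str, int] = {}
    depth = peak = 0
    for insn in decode(code):
        counts[insn.mnemonic] = counts.get(insn.mnemonic, 0) + 1
        effect = OPCODES.get(code[insn.offset], (None, None, 0))[2]
        depth += effect
        peak = max(peak, depth)
    total = sum(counts.values())
    push_in = counts.get("pushint", 0) + counts.get("in", 0)
    return {
        "counts": counts,
        "peak_stack": peak,
        "exceeds_max_stack": peak > max_stack,
        "pushint_in_share": push_in / total if total else 0.0,
    }


# Constructed sample: three pushint/pushnull/in triples (2d 01 20 b4), then jump +0.
SAMPLE_BODY = bytes.fromhex("2d0120b4" * 3 + "10000000")

if __name__ == "__main__":
    for insn in decode(SAMPLE_BODY):
        opnd = "" if insn.operand is None else insn.operand
        print(f"{insn.offset:04x}  {insn.mnemonic:9s} {opnd}")
    print(analyze(SAMPLE_BODY, max_stack=2))
```

Running the block decodes the sample body into pushint 1, pushnull, in (three times) and jump 0, and reports a peak stack depth of 4, which is above the constructed max_stack of 2. The share of pushint/in instructions is a crude but cheap signal for the pattern the slides describe; a real scanner would run the full opcode table over every method body in the ABC tag after inflating the SWF.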
JIT NOP
• 0140B1DC 00EB ADD BL,CH
• 0140B1DE 00EB ADD BL,CH
• 0140B1E0 00EB ADD BL,CH
• Success rate: 1/2 = 50%
Conclusion
• Our hints might help you find useful Flash opcodes.
• The in opcode is similar to XOR.
• More techniques are coming soon.
Hacks in Taiwan Conference 2011: http://www.hitcon.org/hit2011/en/