Black Hat USA 2014: Dynamic flash instrumentation for fun and profit - September 2014
Dynamic Flash instrumentation for fun and profit Timo Hirvonen Black Hat USA 2014
Description: ‘Flash EK’ skips landing page, goes Flash all the way, landing page, Sulo, Hirvonen.
1. Dynamic Flash instrumentation for fun and profit, Timo Hirvonen, Black Hat USA 2014
2. Motivation
3. RSA: CVE-2011-0609
4. CosmicDuke: CVE-2011-0611
5. YouTube ad: Styx EK
6. Fiesta EK: CVE-2014-0497
7. Fiesta EK: CVE-2014-0497
8. DoSWF
9. Demo
10. Original goals
11. ExternalInterface.call()
12. Loader.loadBytes()
13. Standing on the shoulders of giants
14. Jeong Wook (Matt) Oh
15. http://www.shmoocon.org/2012/presentations/Jeong_Wook_Oh_AVM%20Inception%20-%20ShmooCon2012.
16. Adobe AS3 team
17. http://recon.cx/2012/schedule/attachments/43_Inside_AVM_REcon2012.pdf
18. Key questions
19. Where are the ActionScript methods called from?
20. Chun Feng
21. Chun Feng, Microsoft Corporation: The Butterfly Effect and the Shellcode Storm, http://public.avast.com/caro2011/Chun%20Feng%20-%20The%20shellcode%20storm%20caused%20by%20the%20butterfly%20effect.pptx
22. C:\Documents and Settings\mm.cfg
23. http://jpauclair.net/mm-cfg-secrets/
24. func(MethodEnv*, int argc, uint32 *ap)
25. Haifei Li
26. http://recon.cx/2012/schedule/attachments/43_Inside_AVM_REcon2012.pdf
27. Hook at the end of verifyOnCall
28. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.h
29. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
30. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
31. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
32. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
33. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
34. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/exec.cpp
35. How to get the method name?
36. func(MethodEnv*, int argc, uint32 *ap)
37. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.h
38. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodInfo.pp
39. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/PoolObject.h
40. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp
41. Appetite grows with eating (Finnish proverb: "Nälkä kasvaa syödessä")
42. Arguments and return values
43. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/MethodEnv.cpp
44. https://github.com/adobe-flash/avmplus/blob/65a05927767f3735db37823eebf7d743531f5d37/core/AbcParser.cpp
45. Design
46. Open source FTW
47. Intel Pin dynamic instrumentation framework
48. Plugins
49. Demo
50. Where can I get it?
51. https://github.com/F-Secure/Sulo
52. Questions? (F-Secure Confidential)
53. Thank you! [email protected] @TimoHirvonen