
CVE-2015-0311 Analysis, Day 7


Console Log 

0:005> .echo AD_ENV;dd 04bac054;.echo ba;dd 04c9905c
AD_ENV
04bac054  04cbc000 000006c2 04c99040 00000003
04bac064  04bac040 04cfa070 04cfafd0 00000000
04bac074  00000000 04bac0b0 00000000 00000000
04bac084  00000000 00000000 00000000 00000000
04bac094  00000000 00000000 00000000 00000000
04bac0a4  00000000 00000000 00000000 04bac0e8
04bac0b4  00000000 00000000 00000000 00000000
04bac0c4  00000000 00000000 00000000 00000000
ba
04c9905c  66df9f18 66e4353c 66df9f14 66df9f24
04c9906c  04b71080 04391000 04c98190 00000000
04c9907c  00000461 66e18084 04c1c158 00000000
04c9908c  00000000 66df9f0c 00000003 00000000
04c9909c  00000000 04c99100 00000000 00000000
04c990ac  00000000 00000000 00000000 00000000
04c990bc  00000000 00000000 00000000 00000000
04c990cc  00000000 00000000 00000000 00000000

0:005> g;.echo AD_ENV;dd 04bac054;.echo ba;dd 04c9905c
Breakpoint 2 hit
AD_ENV
04bac054  04cb9000 00000f8a 04c99040 00000003
04bac064  04bac040 04cfa070 04cfafd0 00000000
04bac074  00000000 04bac0b0 00000000 00000000
04bac084  00000000 00000000 00000000 00000000
04bac094  00000000 00000000 00000000 00000000
04bac0a4  00000000 00000000 00000000 04bac0e8
04bac0b4  00000000 00000000 00000000 00000000
04bac0c4  00000000 00000000 00000000 00000000
ba
04c9905c  66df9f18 66e4353c 66df9f14 66df9f24
04c9906c  04b71080 04391000 04c98190 00000000
04c9907c  00000461 66e18084 04c1c158 00000000
04c9908c  00000000 66df9f0c 00000003 00000000
04c9909c  00000000 04c99100 00000000 00000000
04c990ac  00000000 00000000 00000000 00000000
04c990bc  00000000 00000000 00000000 00000000
04c990cc  00000000 00000000 00000000 00000000

0:005> g;.echo AD_ENV;dd 04bac054;.echo ba;dd 04c9905c
Breakpoint 2 hit
AD_ENV
04bac054  04cb9000 00000f8a 04c99040 00000003
04bac064  04bac040 04cfa070 04cfafd0 00000000
04bac074  00000000 04bac0b0 00000000 00000000
04bac084  00000000 00000000 00000000 00000000
04bac094  00000000 00000000 00000000 00000000
04bac0a4  00000000 00000000 00000000 04bac0e8
04bac0b4  00000000 00000000 00000000 00000000
04bac0c4  00000000 00000000 00000000 00000000
ba
04c9905c  66df9f18 66e4353c 66df9f14 66df9f24
04c9906c  04b71080 04391000 04c98190 00000000
04c9907c  00000461 66e18084 04c1c158 00000000
04c9908c  00000000 66df9f0c 00000003 00000000
04c9909c  00000000 04c99100 00000000 00000000
04c990ac  00000000 00000000 00000000 00000000
04c990bc  00000000 00000000 00000000 00000000
04c990cc  00000000 00000000 00000000 00000000

0:005> g;.echo AD_ENV;dd 04bac054;.echo ba;dd 04c9905c
Breakpoint 2 hit
AD_ENV
04bac054  04cb9000 00000f8a 04c99040 00000003
04bac064  04bac040 04cfa070 04cfafd0 00000000
04bac074  00000000 04bac0b0 00000000 00000000
04bac084  00000000 00000000 00000000 00000000
04bac094  00000000 00000000 00000000 00000000
04bac0a4  00000000 00000000 00000000 04bac0e8
04bac0b4  00000000 00000000 00000000 00000000
04bac0c4  00000000 00000000 00000000 00000000
ba
04c9905c  66df9f18 66e4353c 66df9f14 66df9f24
04c9906c  04b71080 04391000 04c98190 00000000
04c9907c  00000461 66e18084 04c1c158 00000000
04c9908c  00000000 66df9f0c 00000003 00000000
04c9909c  00000000 04c99100 00000000 00000000
04c990ac  00000000 00000000 00000000 00000000
04c990bc  00000000 00000000 00000000 00000000
04c990cc  00000000 00000000 00000000 00000000

0:005> g;.echo AD_ENV;dd 04bac054;.echo ba;dd 04c9905c
Breakpoint 2 hit
AD_ENV
04bac054  04cb9000 00000f8a 04c99040 00000003
04bac064  04bac040 04cfa070 04cfafd0 00000000
04bac074  00000000 04bac0b0 00000000 00000000
04bac084  00000000 00000000 00000000 00000000
04bac094  00000000 00000000 00000000 00000000
04bac0a4  00000000 00000000 00000000 04bac0e8
04bac0b4  00000000 00000000 00000000 00000000
04bac0c4  00000000 00000000 00000000 00000000
ba
04c9905c  66df9f18 66e4353c 66df9f14 66df9f24
04c9906c  04b71080 04391000 04c98190 00000000
04c9907c  00000461 66e18084 04c1c158 00000000
04c9908c  00000000 66df9f0c 00000003 00000000
04c9909c  00000000 04c99100 00000000 00000000
04c990ac  00000000 00000000 00000000 00000000
04c990bc  00000000 00000000 00000000 00000000
04c990cc  00000000 00000000 00000000 00000000

0:005> g;.echo AD_ENV;dd 04bac054;.echo ba;dd 04c9905c
(e4c.ef4): Break instruction exception - code 80000003 (first chance)
AD_ENV
04bac054  04cb9000 00000f8a 04c99040 00000003
04bac064  04bac040 04cfa070 04cfafd0 00000000
04bac074  00000000 04bac0b0 00000000 00000000
04bac084  00000000 00000000 00000000 00000000
04bac094  00000000 00000000 00000000 00000000
04bac0a4  00000000 00000000 00000000 04bac0e8
04bac0b4  00000000 00000000 00000000 00000000
04bac0c4  00000000 00000000 00000000 00000000
ba
04c9905c  66df9f18 66e4353c 66df9f14 66df9f24
04c9906c  04b71080 04391000 04c98190 00000000
04c9907c  00000461 66e18084 04c1c158 00000000
04c9908c  00000000 66df9f0c 00000003 00000000
04c9909c  00000000 04c99100 00000000 00000000
04c990ac  00000000 00000000 00000000 00000000
04c990bc  00000000 00000000 00000000 00000000
04c990cc  00000000 00000000 00000000 00000000

0:007> dd 04cb9000
04cb9000  ffffffff 04391000 00000000 00000000
04cb9010  00000000 00000000 00000000 00000000
04cb9020  00000000 00000000 00000000 00000000
04cb9030  00000000 00000000 00000000 00000000
04cb9040  00000000 00000000 00000000 00000000
04cb9050  00000000 00000000 00000000 00000000
04cb9060  00000000 00000000 00000000 00000000
04cb9070  00000000 00000000 00000000 00000000


Things I learned

1. I now fully understand the process by which the UAF vulnerability is triggered.

2. Analyzing Flash Player by hand is really getting exhausting now. Let me put more effort into using automation tools.


Difficulties

1. I don't know whether it's anti-debugging or what, but Flash Player itself has something set up so that the code stops executing once a certain amount of time has passed.

2. I'll have to do the actual hacking soon, so the pressure is setting in.

3. I also have to make the presentation slides ㅠㅠㅠㅠ



Anyway, I should tidy this up and post just the trigger process separately.

