Analyze the latest Flash sample together with your hands

1. Purpose
 
 
The purpose of this article is to briefly introduce the Flash sample analysis process, and some commonly used tools for analyzing Flash samples include self-written mini programs.
The content in this article includes: extraction of Flash files, viewing of structures, disassembly and decompilation of ActionScript, locating and extraction of shellcode in ActionScript, and shellcode debugging.
This article does not cover the analysis and debugging of the cause of the vulnerability.
 
 
 
2. samples used
 
The use of this article is a use of CVE-2012-0754 vulnerabilities in the Flash sample, is a relatively new Flash Vulnerability samples.
Sample Source: ContagioDump
I would like to recommend this blog to you. This blog often releases some of the latest virus samples. If you mine them carefully, you can find a collection of samples, which is very useful.
 
3. Extract Flash files from Doc
 
After the downloaded sample is decompressed, the original sample is named "Iran's Oil and Nuclear Situation.doc" in the original folder ".
Wait, isn't it a Flash sample? How is it a doc file? You may be wondering if LZ has sent an error link.
In fact, the real Flash sample is embedded in this doc file, this method is not the first time to be used, the CVE-2010-0609 (if you remember wrong) sample is also embedded in the Excel file out.
 
When you open a Word document, there will eventually be a bear (??) The mysterious creature said "Hi ~" to you ~", LZ feels weird...
 
 
 
Open the Word document in the hexadecimal editor and you can see that the file is an Office file in ole ss format,
In this case, you can directly search for the string "FWS" (uncompressed SWF header features) and "CWS" (Compressed SWF header features) to locate the Flash files.
 
 

 
I wrote a python script to extract the embedded Flash file named extract_swf.py from the Office file. The usage is as follows:
 
Code:
Extract_swf.py [office file path]
In this example, we use:
 
Code:
C: \ CVE-2012-0754_E92A4FC283EB2802AD6D0E24C7FCC857 \ original \ extract_swf> extract_s
Wf. py "C: \ CVE-2012-0754_E92A4FC283EB2802AD6D0E24C7FCC857 \ original \ Iran's Oil and
Nuclear Situation.doc _"
The output is as follows:
Code:
Extract_swf.py 1.0
[+] Searching embeded swf file in C: \ CVE-2012-0754_E92A4FC283EB2802AD6D0E24C7FCC
857 \ original \ Iran's Oil and Nuclear Situation.doc _
[+] Find embeded swf file at offset 0x2e08
[+] Save embeded swf file to C: \ CVE-2012-0754_E92A4FC283EB2802AD6D0E24C7FCC857 \ o
Riginal \ Iran's Oil and Nuclear Situation.doc__offset_0x2e08.swf =
The extracted Flash file is named "Iran's Oil and Nuclear Situation.doc__offset_0x2e08.swf =". This is the real sample file.
 
 
4. Use SWF Investigator to view Flash file information
 
 
The following describes a tool named SWF Investigator released by Adobe Lab.
The function is very powerful. You can view the Flash file structure, decompile the Event code, compile the Event code, directly run flash, or even use it to Fuzz Flash files.
Is it a bit exciting? click the following link to download it: [Download SWF Investigator]
 
When using SWF Investigator, you must install Adobe AIR first. You can download it from here: [Download Adobe AIR]
 
Drag the previously extracted SWF file to SWF Investigator to view various information.
Click "Tag View" to View each Tag. The DoABC2 Tag contains the WordPress 3.0 bytecode.
After the DoABC2 tag is selected, you can see the post-assembly ActionScript code in the right window, a series of pushint... WriteInt is actually working on heap spray.
 

 
 
It is a little difficult to directly look at bytecode. At this time, we need a decompilation tool of ActionScript 3.0.
 
 
 
5. decompile the ActionScript script
 
 
The tool used here is AS3 Sorcerer, Which is http://www.as3sorcerer.com /.
You can also use Sothink Flash Decompiler, but both are commercial software. If you use free software, you can try HP's SWF Scan. The effect is good, but sometimes the source code is decompiled incorrectly.
 
Drag the previously extracted SWF file into AS3 Sorcerer to view the decompiled source code. The CVE-2012-0754.as3 in the attachment contains the complete source code.
Both ActionScript 3.0 and JavaScript are based on The ECMA standard. Basically, JavaScript samples can be understood.
 
 
 


 
From the source code analysis, we can see that the _ local2 variable contains shellcode data.
The process of writing _ Loca to shellcode is as follows:
1. First DEFINE _ local2, the type is ByteArray (byte array)
2. Use a series of writeInt functions to call and write data
3. Call the custom Encrypt2 function to decrypt the real shellcode.
The related code is as follows:
Code:
Var _ local2 = new ByteArray ();
_ Local2.endian = Endian. LITTLE_ENDIAN;
_ Local2.writeInt (2590463591 );
_ Local2.writeInt (213916234 );
_ Local2.writeInt (3076656754 );
_ Local2.writeInt (1088421207 );
_ Local2.writeInt (700118367 );
........................
Encrypt2 (_ local2 );
 
Here we need to extract the decrypted shellcode data, with the following options:
 
1. Read the entire logic, including the Encrypt2 function, and use the familiar programming language to restore the entire logic to get shellcode data.
The disadvantage of this method is that, if the shellcode generation logic is very complex, it will be very difficult to restore to other languages.
 
2. Execute the corresponding ActionScript to print the shellcode data.
 
Here we will introduce the second method.
 
 
 
 
6. Use SWF Investigator to compile and execute ActionScript
 
SWF Investigator contains a powerful tool called AS3 Compiler, which can compile and execute the script of ActionScript 3.0.
Select Utilities => AS3 Compiler in the menu to call up this tool.
 
The following code is used to prepare the script to run:
 
Code:
Namespace ns = "utils. AS3Compiler ";
Use namespace ns;
Namespace nu = "flash. utils"
Use namespace nu;
Var HexChr: Array = new Array ();
HexChr [0] = '0'; HexChr [1] = '1'; HexChr [2] = '2'; HexChr [3] = '3 '; hexChr [4] = '4'; HexChr [5] = '5'; HexChr [6] = '6'; HexChr [7] = '7 '; hexChr [8] = '8'; HexChr [9] = '9'; HexChr [10] = 'a'; HexChr [11] = 'B '; hexChr [12] = 'C'; HexChr [13] = 'D'; HexChr [14] = 'E'; HexChr [15] = 'F ';
 
Public function Bin2HexString (arr: ByteArray): String
{
Var str = "";
Var len = arr. length;
Var I = 0;
While (I <len ){
Var B = arr [I];
Str + = HexChr [(B> 4) & 0xf];
Str + = HexChr [B & 0xf];
I ++;
}
Return str;
}
 
The code above defines a function used to convert the data in the byte array into a hex encode string.
In the next step, copy the Code related to _ local2 and the code of the Encrypt2 function. Note that the "static" attribute in the Encrypt2 function definition is removed.
Finally, add the following code to print the data in _ local2:
Code:
Printer. print (Bin2HexString (_ local2 ));
The authorization code is in compile.txt in the attachment. You can view it on your own.
Copy the complete code to the source code window on the left of AS3 Compiler, click compile to compile, and then click Run to Run, you can see the Hex Encoding data of shellcode in the output window on the right:
 
 
 
7. debug shellcode
 
Convert the shellcode string from the previous output to the binary data (SC. bin in the attachment) to start debugging.
You have different tools and methods for debugging shellcode. I use a self-developed ShellcodeDbg tool.
 
It doesn't matter what tools are used for debugging. The only thing you need to note is that you need to open the original document and keep the handle of the original document in the debugging process when debugging the shellcode file. The reason is described later.
 
Set ollydbgas as a timer and run shellcodedbg.exe "SC. bin" "Iran's Oil and Nuclear Situation.doc". There will be an Int3 breakpoint hit to arouse OD.
After the Int3 breakpoint is skipped, the last jmp eax will jump to the shellcode.
At the beginning, Shellcode is nothing more than decryption, obtaining API addresses and other routine tasks. Then we can see a loop like this:
Code:
00343E1B 33DB xor ebx, ebx
00343E1D 83C3 04 add ebx, 4
00343E20 6A 00 push 0
00343E22 53 push ebx
00343E23 FF57 FC call dword ptr [edi-4]; kernel32.GetFileSize
00343E26 3B07 cmp eax, dword ptr [edi] // edi = 01a06c, that is, the size of the original doc file
00343E28 ^ 75 F3 jnz short 00343E1D
 
The preceding Code cyclically tests the file handle value (starting from 4), uses the corresponding handle value to call GetFileSize, and checks whether the returned size is equal to 01a06c (the size of the original doc file ), A suitable handle is found to continue running.
This is a common behavior of the shellcode sample. Because the source file contains further shellcode or PE file data, shellcode needs to extract the data from it.
That's why we started to open and retain a handle to the original document.
 
The code after shellcode and the behavior of the subsequently generated PE file will not be discussed here. If you are interested, please play with yourself.