Flash Memory Management and Exploitation
Hearmen, Peking University Software Security Research Group
Contents
AVM2 virtual machine overview
CVE-2015-0313
CVE-2015-3043
CVE-2015-5119
Attack demo
- CVE-2015-3043
AVM2 virtual machine overview
- AVM2 is the core of the current Flash Player; all ActionScript 3 code is executed by AVM2
- It mixes JIT compilation with interpretation, which greatly improves Flash's execution speed
ActionScript 3 execution flow
- Source: the "avm2overview" document
Figure: ActionScript 3 bytecode and its constant pool enter AVM2, which initialises the stack and the constant pool and then runs the code either through the interpreter or through the JIT (machine-code compiler).
AVM2 memory management
- Memory is managed by MMgc
- Deferred reference counting plus a mark/sweep collector
- A large reserved region is requested from the operating system and handed page by page to the garbage collector (GC) for management
AVM2 memory management
Figure: the GCHeap reservation is divided into HeapBlocks, each made up of 4k pages.
GCHeap
Figure: GCHeap FreeLists. Free[0] holds 1-block runs, Free[1] 2-block runs, Free[2] 3-block runs, and so on up to Free[30]; the last lists hold the large runs (up to 128 blocks). Each list is a chain of free HeapBlock runs of that size class.
CVE-2015-0313
ByteArray.Clear()
Exploitation steps
Heap spray to control the memory layout
Trigger the vulnerability and modify the length property of a Vector
Arbitrary address read/write, lay out the shellcode
Overwrite an object's vtable to take over control flow
ByteArray
- ByteArrayObject
- Buffer
- The buffer grows in multiples of 4k
- Memory is allocated through FixedMalloc
FixedMalloc
```
// Size-class dispatch in FixedMalloc::Alloc (pseudocode from the slide)
FixedMalloc::Alloc(size) {
    if (size < kLargestAlloc)              // kLargestAlloc is 2032 on 32-bit
        FindAllocate(size)->FixedAlloc();  // small sizes: size-class FixedAlloc
    else
        LargeAlloc(size);                  // larger sizes: page-granular LargeAlloc
}
```
FixedBlock
FixedAlloc
Figure: a FixedAlloc owns a chain of FixedBlocks starting at m_firstBlock; each FixedBlock keeps its own firstFree chain of free items, and the allocator's m_firstFree points at the first block that still has free items.
Uint Vector
Memory layout
Figure: a FixedBlock holding a block head followed by Vector<uint> objects and their data areas (Data_1, Data_2); the diagram carries the labels Main, Worker and si32.
FixedBlock
Stability considerations
- Extra operations before ByteArray.clear
  - GCHeap free: the HeapBlock is appended to the tail of the freelist
  - GCHeap allocation: traversal starts from the head of the freelist
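The two GCHeap rules above (free appends to the tail, allocation walks from the head) together with the size-class FreeLists drawn on the GCHeap slide decide which run an allocation receives. The following is an added example, not MMgc's own code: a simplified C++ model of page-run free lists with 4k blocks, Free[0] to Free[30], tail-append on free and head-first-fit with splitting on allocation. Coalescing of neighbouring free runs is deliberately left out, and the 16-page reservation and the allocation sequence are constructed for the walk-through.

```cpp
#include <cstddef>
#include <cstdio>
#include <deque>
#include <vector>

// Simplified model of MMgc's GCHeap free lists (added example, not MMgc code).
// A HeapBlock is one 4k page. Free runs of pages sit on size-class lists:
// Free[i] holds runs of exactly i+1 blocks for i < kNumFreeLists-1, and the
// last list holds every larger run. No coalescing, so ordering stays visible.
const size_t kBlockSize = 4096;
const size_t kNumFreeLists = 31;   // Free[0] .. Free[30], as drawn on the slide

struct Run {
    size_t first;   // index of the first block in the run
    size_t count;   // number of 4k blocks in the run
};

class GCHeapModel {
public:
    explicit GCHeapModel(size_t totalBlocks) : lists_(kNumFreeLists) {
        Free(Run{0, totalBlocks});   // the whole reservation starts as one free run
    }

    static size_t ListIndex(size_t count) {
        return count >= kNumFreeLists ? kNumFreeLists - 1 : count - 1;
    }

    // Free: the run is appended to the *tail* of its size-class list.
    void Free(Run run) {
        lists_[ListIndex(run.count)].push_back(run);
    }

    // Alloc: walk from the head of the first list that could satisfy the
    // request; a larger run is split and its remainder is freed again.
    // Returns the first block index, or -1 when nothing fits.
    long Alloc(size_t count) {
        for (size_t i = ListIndex(count); i < kNumFreeLists; ++i) {
            std::deque<Run>& list = lists_[i];
            for (std::deque<Run>::iterator it = list.begin(); it != list.end(); ++it) {
                if (it->count < count) continue;   // only possible in the last list
                Run run = *it;
                list.erase(it);
                if (run.count > count)
                    Free(Run{run.first + count, run.count - count});
                return (long)run.first;
            }
        }
        return -1;
    }

    size_t RunsInList(size_t index) const { return lists_[index].size(); }

private:
    std::vector<std::deque<Run> > lists_;
};

// Ordering walk-through: three 2-block runs are handed out, two of them are
// freed in the order b then a, and the next 2-block request is served.
struct Trace {
    long a, b, c;    // block indices of the first three allocations
    long next;       // block index returned after the two frees
    size_t pending;  // runs still waiting on Free[1] afterwards
};

Trace OrderingScenario() {
    GCHeapModel heap(16);   // constructed 16-page (64k) reservation
    Trace t;
    t.a = heap.Alloc(2);
    t.b = heap.Alloc(2);
    t.c = heap.Alloc(2);
    heap.Free(Run{(size_t)t.b, 2});   // b goes to the tail of Free[1]
    heap.Free(Run{(size_t)t.a, 2});   // a lands behind it
    t.next = heap.Alloc(2);           // served from the head: b, not the most recently freed a
    t.pending = heap.RunsInList(1);
    return t;
}

int main() {
    Trace t = OrderingScenario();
    printf("a=%ld b=%ld c=%ld next=%ld pending=%zu (block size %zu)\n",
           t.a, t.b, t.c, t.next, t.pending, kBlockSize);
    return 0;
}
```

The walk-through returns a=0, b=2, c=4 and next=2: the block freed first is the one reused first, because frees queue at the tail and allocation scans from the head. That FIFO behaviour is what makes the extra operations before ByteArray.clear matter for stability, since any earlier entries on the same list are consumed before a freshly freed run is handed back.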
CVE-2015-3043
- When Flash parses a Nellymoser-compressed <tag> in an FLV file it does not correctly validate the buffer length, which leads to a heap overflow
- The overflowed object is 0x2000 bytes in size
- This vulnerability appeared twice
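The missing check is a length comparison between what the tag header declares and what the destination buffer can hold. As an added example, not Flash's parser, the C++ below reads an FLV tag using the public FLV tag framing (11-byte header, 3-byte DataSize, audio codec in the high nibble of the first payload byte, where 6 denotes Nellymoser) and refuses the copy when the declared size exceeds a 0x2000-byte buffer (the object size the slide gives) or runs past the end of the file. The three tags are constructed test inputs.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// FLV tag framing from the public FLV specification: an 11-byte header
// (TagType 1, DataSize 3, Timestamp 3, TimestampExtended 1, StreamID 3)
// followed by DataSize payload bytes. For audio tags the first payload byte
// carries the codec in its high nibble; 6 is Nellymoser.
const size_t kTagHeaderSize = 11;
const uint8_t kTagAudio = 8;
const uint8_t kSoundFormatNellymoser = 6;
const size_t kAudioBufferSize = 0x2000;   // object size the slide gives for CVE-2015-3043

enum TagStatus { TagOk, TagBadHeader, TagTruncated, TagTooLarge, TagNotNellymoser };

struct TagInfo {
    uint8_t type;
    uint32_t dataSize;
    uint32_t timestamp;
};

// Reads the tag at `offset` and copies its payload into a fixed-size buffer.
// Both length checks run before the copy: the declared size must fit the
// destination, and the payload must actually be present in the file.
TagStatus ReadAudioTag(const std::vector<uint8_t>& file, size_t offset,
                       uint8_t* dst, size_t dstSize, TagInfo* info) {
    if (offset > file.size() || file.size() - offset < kTagHeaderSize)
        return TagBadHeader;
    const uint8_t* h = &file[offset];
    uint32_t dataSize = ((uint32_t)h[1] << 16) | ((uint32_t)h[2] << 8) | h[3];
    uint32_t timestamp = ((uint32_t)h[7] << 24) | ((uint32_t)h[4] << 16) |
                         ((uint32_t)h[5] << 8) | h[6];
    if (info) { info->type = h[0]; info->dataSize = dataSize; info->timestamp = timestamp; }
    if (dataSize > dstSize)
        return TagTooLarge;      // the check whose absence turns the copy into a heap overflow
    if (file.size() - offset - kTagHeaderSize < dataSize)
        return TagTruncated;     // header promises more bytes than the file contains
    if (h[0] != kTagAudio || dataSize == 0 ||
        (h[kTagHeaderSize] >> 4) != kSoundFormatNellymoser)
        return TagNotNellymoser;
    memcpy(dst, h + kTagHeaderSize, dataSize);
    return TagOk;
}

// Builds a tag with a declared DataSize and an actual payload; the two may
// deliberately disagree (constructed test input).
std::vector<uint8_t> MakeTag(uint8_t type, uint32_t declaredSize,
                             const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> tag(kTagHeaderSize, 0);
    tag[0] = type;
    tag[1] = (uint8_t)(declaredSize >> 16);
    tag[2] = (uint8_t)(declaredSize >> 8);
    tag[3] = (uint8_t)declaredSize;
    tag.insert(tag.end(), payload.begin(), payload.end());
    return tag;
}

// n payload bytes whose first byte marks the Nellymoser codec.
std::vector<uint8_t> NellyPayload(size_t n) {
    std::vector<uint8_t> p(n, 0xAB);
    p[0] = (uint8_t)(kSoundFormatNellymoser << 4);
    return p;
}

// Runs the parser against a fresh 0x2000-byte destination buffer.
TagStatus Check(const std::vector<uint8_t>& file) {
    std::vector<uint8_t> buf(kAudioBufferSize);
    return ReadAudioTag(file, 0, &buf[0], buf.size(), NULL);
}

TagStatus CaseWellFormed() { return Check(MakeTag(kTagAudio, 64, NellyPayload(64))); }
TagStatus CaseTooLarge()   { return Check(MakeTag(kTagAudio, 0x3000, NellyPayload(64))); }
TagStatus CaseTruncated()  { return Check(MakeTag(kTagAudio, 0x1000, NellyPayload(64))); }

int main() {
    printf("well-formed=%d too-large=%d truncated=%d (TagOk=%d)\n",
           CaseWellFormed(), CaseTooLarge(), CaseTruncated(), TagOk);
    return 0;
}
```

The declared-size check is evaluated before the end-of-file check on purpose: a tag that claims 0x3000 bytes is rejected for the destination it would overflow, regardless of whether the file happens to carry those bytes.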
Memory layout
Figure: memory layout before and after loading the FLV and re-laying out the heap: rows of Vector<uint> objects with a Free slot, a Corrupt Buffer, a Corrupt Obj and a Vector<Obj>.
Object Vector
GC::Alloc
```
// Size-class dispatch in GC::Alloc (pseudocode from the slide)
GC::Alloc(size) {
    if (size < kLargestAlloc)   // kLargestAlloc is 1968 here
        GCAlloc();              // small objects: size-class GCAlloc
    else
        GCLargeAlloc::Alloc();  // large objects: GCLargeAlloc
}
```
GCBlock
GCAlloc
Figure: a GCAlloc owns a chain of GCBlocks starting at m_firstBlock; each GCBlock keeps its own firstFree chain of free items, m_firstFree points at the first block that still has free items, and a separate m_qlist holds further free items.
GCLargeBlock
CVE-2015-5119
Memory layout
Class2
Another approach
- Object Vector
- Locate the Vector directly in memory through the GC
- Obj -> Vector[ i ]
Elegant exploitation
- No ROP
- Everything is done in AS
- Bypass CFG
FunctionObject
- The function object in AS
- Function.apply; Function.call; Function()
FunctionObject
- Core can be found from the FunctionObject
AS3_call
Demo
- The API is driven entirely from AS code
- Only two parameters can be controlled precisely
- The called function must take three or four parameters
Flash_18_0_0_209/232
- Vector length validation
- Isolated heap
- Strong randomization
Length validation
- Uint Vector
- Object Vector
Bypassing the validation
- Heap overflow
- String object
- Modify the length field / modify the start pointer
- Arbitrary address read
Bypassing the validation
- VectorObject
- Modify the data object pointer
- The cookie serves as the length
- Swap the length of Vector<uint> with the cookie
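The length validation added in Flash 18.0.0.209/232 pairs the stored length with a cookie, and the slides above show where that pairing stops helping. The C++ below is an added example, not avmplus code: a model of a Vector<uint> backing store whose cookie is derived from the length and a secret, with every index access recomputing the cookie before the range check. The secret, the list contents and the simulated overwrite of the length field are constructed for the walk-through.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Model of the Vector<uint> length validation from Flash 18.0.0.209/232
// (added example, not avmplus code). The backing store keeps the length next
// to a cookie derived from it and a secret; every index access recomputes the
// cookie, so an overwrite that changes only the length is detected.
struct ListData {
    uint32_t length;                // element count exposed to ActionScript
    uint32_t cookie;                // must equal ComputeCookie(length)
    std::vector<uint32_t> entries;  // element storage (std::vector for brevity)
};

// Constructed secret; a runtime would draw it from a CSPRNG at process start.
static const uint32_t kLengthSecret = 0x5A17C0DEu;

uint32_t ComputeCookie(uint32_t length) { return length ^ kLengthSecret; }

ListData MakeList(uint32_t length) {
    ListData d;
    d.length = length;
    d.cookie = ComputeCookie(length);
    d.entries.assign(length, 0);
    for (uint32_t i = 0; i < length; ++i) d.entries[i] = i * 10;   // sample values
    return d;
}

bool LengthIsValid(const ListData& d) { return d.cookie == ComputeCookie(d.length); }

// Bounds-checked read: the cookie check runs first, so a corrupted length is
// never trusted for the range comparison that follows.
bool GetAt(const ListData& d, uint32_t index, uint32_t* out) {
    if (!LengthIsValid(d)) return false;   // length/cookie mismatch: refuse the access
    if (index >= d.length) return false;   // ordinary range check
    *out = d.entries[index];
    return true;
}

struct Outcome {
    bool inRangeRead;        // a normal read succeeds
    bool outOfRangeRead;     // an index beyond length is refused
    bool lengthOnlyCorrupt;  // a read after an overwrite of the length alone
    bool detected;           // LengthIsValid() reports the corruption
};

// Simulates a memory-corruption write that lands on the length field only,
// the case the validation was designed to catch.
Outcome Scenario() {
    ListData d = MakeList(4);
    uint32_t v = 0;
    Outcome o;
    o.inRangeRead = GetAt(d, 2, &v) && v == 20;
    o.outOfRangeRead = GetAt(d, 100, &v);
    d.length = 0x40000000u;                 // constructed overwrite of the length field
    o.lengthOnlyCorrupt = GetAt(d, 100, &v);
    o.detected = !LengthIsValid(d);
    return o;
}

int main() {
    Outcome o = Scenario();
    printf("in-range=%d out-of-range=%d after-length-overwrite=%d detected=%d\n",
           o.inRangeRead, o.outOfRangeRead, o.lengthOnlyCorrupt, o.detected);
    return 0;
}
```

The check only holds while the secret is unknown and the two fields are not rewritten consistently; the slides make exactly this point with the swapped length and cookie and the modified data pointer, which is why the same release pairs the validation with the isolated heap and stronger randomization rather than relying on it alone.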
Thank you