
About SWF's Famous Loophole

2008/7/7 17:22:00

That is CVE-2007-0071: a bug in Flash9x.ocx that affects every version up to and including 9.0.115.0 (fixed in 9.0.124.0).


The vulnerability itself is very simple. Dowd's line of thinking is not far from what everyone else had in mind; what matters is the series of techniques built around it, which are quite effective.

Dowd wrote an excellent paper on the specific details. Presumably many people have read it, and many have reproduced it.

I read it carefully once, but for some reason I never went on to build the finished product, and I don't plan to do so later. This post is not about how to trigger the bug by hand; it is a set of supplements: errata and other minor problems.


The first obstacle is the SWF file format, which will cost you two to three hours.

It is recommended to download Sothink SWF Decompiler; best of all is to have Flash CS3.

The reference is, of course, Adobe's own SWF File Format Specification PDF.


Like many file formats, a SWF consists of a header followed by a series of blocks (the specification calls them tags).

SWF comes in two flavours, compressed and uncompressed, and both keep the same basic header. An uncompressed file starts with the signature FWS; a compressed one starts with CWS, and everything after the first 8 bytes of the header (signature, version, file length) is a standard zlib stream that any zlib implementation can inflate. It is best to inflate a compressed SWF first (or choose the uncompressed mode when exporting) so that the raw data is easier to look at.

Blocks come in many kinds, each with a tag code and a data payload. A block header is normally 2 bytes: 10 bits of tag code and 6 bits of length. To save space, when the block is shorter than 63 bytes the 6-bit field holds the length directly; when it is 63 (0x3F) bytes or longer, the field is set to 0x3F and a 4-byte length follows. This is a bit cumbersome and has to be computed.

There is also a variable-length integer encoding (EncodedU32): 7 bits per byte, with the high bit marking that another byte follows, so a 32-bit integer takes at most 5 bytes. This is again for saving space, and again a bit cumbersome.

Once the format is understood, write a program that can parse the file block by block. Ideally it can also dump the blocks to separate files and assemble them back together.
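As an added example (not code from this post or from Adobe), here is a small Python splitter and assembler for the format described above. It handles the FWS/CWS signatures, inflates the zlib body, walks the 2-byte and 6-byte block headers, round-trips an EncodedU32, and rebuilds the file so it can be compared byte for byte with the original. The sample SWF is constructed inline; tag codes 9 (SetBackgroundColor), 12 (DoAction), 1 (ShowFrame) and 0 (End) are from Adobe's specification, and the DoAction payload is filler, not real bytecode.

```python
import struct
import zlib

# Added example, not code from the post or from Adobe: split a SWF into blocks and
# put it back together. Signatures, header layout, RECORDHEADER forms and EncodedU32
# are as described in Adobe's SWF File Format Specification.


def decode_u32(buf, pos):
    """EncodedU32: 7 payload bits per byte, bit 7 set means another byte follows, 5 bytes max."""
    value = 0
    for i in range(5):
        b = buf[pos + i]
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            return value & 0xFFFFFFFF, pos + i + 1
    raise ValueError("EncodedU32 longer than 5 bytes")


def encode_u32(value):
    out = bytearray()
    while True:
        b, value = value & 0x7F, value >> 7
        out.append(b | 0x80 if value else b)
        if not value:
            return bytes(out)


def split_swf(data):
    """Return (version, header_bytes, [(tag_code, payload), ...]) for an FWS or CWS file."""
    sig, version, file_len = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])  # only the first 8 header bytes are stored raw
    else:
        raise ValueError("not a SWF, signature %r" % sig)
    if len(body) + 8 != file_len:
        raise ValueError("FileLength says %d, actual %d" % (file_len, len(body) + 8))
    # FrameSize RECT: 5-bit Nbits, then four Nbits-wide fields, padded to a byte;
    # then FrameRate and FrameCount (UI16 each). Everything after that is blocks.
    nbits = body[0] >> 3
    hdr_len = (5 + 4 * nbits + 7) // 8 + 4
    header, pos, tags = body[:hdr_len], hdr_len, []
    while pos < len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = code_len >> 6, code_len & 0x3F, pos + 2
        if length == 0x3F:  # long form: the real length is in the next UI32
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        if pos + length > len(body):
            raise ValueError("block %d at %d runs past end of file" % (code, pos))
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == 0:  # End block
            break
    return version, header, tags


def build_tag(code, payload):
    """Short 2-byte header when the payload is under 63 bytes, else 0x3F plus a UI32 length."""
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_swf(version, header, tags, compress=False):
    body = header + b"".join(build_tag(c, p) for c, p in tags)
    size = struct.pack("<I", len(body) + 8)  # FileLength counts the inflated body
    if compress:
        return b"CWS" + bytes([version]) + size + zlib.compress(body)
    return b"FWS" + bytes([version]) + size + body


# Constructed sample: a 1x1 pixel stage (Nbits=5, xmax=ymax=20 twips), 12 fps, 1 frame,
# then a short-form and a long-form block. The DoAction payload is filler, not bytecode.
SAMPLE_HEADER = bytes([0x28, 0x28, 0x0A, 0x00, 0x00, 0x0C, 0x01, 0x00])
SAMPLE_TAGS = [(9, b"\xff\xff\xff"), (12, bytes(0x40)), (1, b""), (0, b"")]


def roundtrip_ok():
    """Inflate a CWS, split it, rebuild it as FWS and check it matches a direct FWS build."""
    cws = build_swf(9, SAMPLE_HEADER, SAMPLE_TAGS, compress=True)
    version, header, tags = split_swf(cws)
    return build_swf(version, header, tags) == build_swf(9, SAMPLE_HEADER, SAMPLE_TAGS)


if __name__ == "__main__":
    print("round trip ok:", roundtrip_ok())
    for code, payload in split_swf(build_swf(9, SAMPLE_HEADER, SAMPLE_TAGS))[2]:
        print("block %2d  %d bytes" % (code, len(payload)))
```

The length check against FileLength and the bounds check on each block are the two places where a hand-edited file usually goes wrong; a real player is not required to tolerate either error, so a parser used for editing should refuse such files rather than guess.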


The second obstacle is ActionScript bytecode. It is hard to say how much time this will take.

The reference is again Adobe's own PDF, but treat it as a manual: all that needs remembering is what the bytes 0x62, 0x63 and 0x47 do.


Let's talk about the so-called MaskTable first.

This is the table the control uses to check whether your AS bytecode is legal. It can be understood as a byte array indexed by opcode (roughly a char[255]): a value below zero means the opcode does not exist, and a value above zero is essentially the length of that opcode's operands.

For example, the table entry at offset 0x47 is 0, meaning opcode 0x47 takes no operands.

So modifying this table is the same as modifying the check specification. For example, if the entry at offset 0xF9 is changed to 0x20, then whenever the checker meets opcode 0xF9 it skips the 0x20 bytes that follow, which can hide some evil operations in between.

Because the check and the execution are two separate passes, and because an opcode that does not exist is simply not executed, those hidden bytes get past the check and still run: at execution time a non-existent opcode such as 0xF9 is just one byte to step over, so the interpreter lands right on the bytes the checker never looked at.
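A toy model, added here and not the control's own code, of what the table does: a checker that walks bytecode by table-driven operand lengths, and a separate interpreter that steps one byte over anything it has no handler for. Opcode 0x47 (ActionAdd2, no operands) is from Adobe's specification and 0xF9 is the unassigned opcode discussed above; 0xE0, 0xE1 and 0xE2 and their meanings are invented for the model. Changing one table entry makes the checker skip 0x20 bytes that the interpreter then executes.

```python
# Added example: a toy model (not Flash9x.ocx's code) of a table-driven bytecode checker and
# a separate interpreter. Opcode 0x47 is ActionAdd2 (no operands) from Adobe's spec; 0xF9 is
# unassigned there. 0xE0, 0xE1, 0xE2 and their meanings are invented for this model.

NO_SUCH_OP = -1

# Checker table: entry < 0 means the opcode must not appear; entry >= 0 is the number of
# operand bytes after the opcode, which the checker steps over without looking at them.
CHECK_TABLE = [NO_SUCH_OP] * 256
CHECK_TABLE[0x47] = 0  # ActionAdd2, no operands (the 0x47 entry mentioned above)
CHECK_TABLE[0xE0] = 1  # model PUSH8: one immediate byte
CHECK_TABLE[0xE1] = 0  # model HALT
# 0xE2 (model CALL_NATIVE) stays at -1: the checker refuses any program containing it.


def check(code, table=CHECK_TABLE):
    """Walk the bytecode using the table's lengths. Returns (accepted, reason)."""
    pos = 0
    while pos < len(code):
        op = code[pos]
        if table[op] < 0:
            return False, "opcode 0x%02X at %d not permitted" % (op, pos)
        pos += 1 + table[op]
    if pos != len(code):
        return False, "operands run past end of bytecode"
    return True, "ok"


def run(code):
    """Toy interpreter. An opcode with no handler (0xF9 here) is just one byte to step over."""
    stack, trace, pos = [], [], 0
    while pos < len(code):
        op = code[pos]
        if op == 0x47:
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
            pos += 1
        elif op == 0xE0:
            stack.append(code[pos + 1])
            pos += 2
        elif op == 0xE1:
            break
        elif op == 0xE2:
            trace.append("CALL_NATIVE(%r)" % stack[-1:])  # reachable only if the check is fooled
            pos += 1
        else:
            pos += 1  # unknown opcode: nothing happens, no operands consumed
    return stack, trace


def patch_table(table, op, operand_len):
    """Models the table overwrite described above as a single changed entry."""
    patched = list(table)
    patched[op] = operand_len
    return patched


# Constructed payload: PUSH8 4, then 0xF9, then 0x20 bytes that a patched checker skips
# (CALL_NATIVE, HALT, filler HALTs), then a HALT the checker does see.
HIDDEN = bytes([0xE2, 0xE1]) + bytes([0xE1]) * 30
PAYLOAD = bytes([0xE0, 0x04, 0xF9]) + HIDDEN + bytes([0xE1])
BENIGN = bytes([0xE0, 0x02, 0xE0, 0x03, 0x47, 0xE1])


def demo():
    """Returns (original verdict, patched verdict, interpreter trace) for PAYLOAD."""
    original = check(PAYLOAD)[0]
    patched = check(PAYLOAD, patch_table(CHECK_TABLE, 0xF9, 0x20))[0]
    return original, patched, run(PAYLOAD)[1]


if __name__ == "__main__":
    print("benign:", check(BENIGN), run(BENIGN))
    print("payload, original table:", check(PAYLOAD))
    print("payload, table[0xF9] = 0x20:", check(PAYLOAD, patch_table(CHECK_TABLE, 0xF9, 0x20)))
    print("interpreter:", run(PAYLOAD))
```

The point the model makes is that the two passes only agree while they share the same idea of where each instruction ends; once the checker's table says "0x20 operand bytes" and the interpreter says "no such opcode, one byte", every byte in between is code the checker never saw.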


The paper gives the simplest piece of AS bytecode. A brief explanation: the first part saves EIP so the context can be restored later; the second takes a pointer that will be used to modify EIP, and that pointer points exactly at the next AS byte to be executed; the third is the critical part, and it must be a jump, because this address will be written over EIP and is the first thing executed once control is taken. What those bytes mean as AS is optional, preferably something NOP-like; the fourth and fifth write that pointer over the return address of the AS parsing function saved on the stack. Finally, of course, comes a return in the AS, which lets the parsing function return and hands over control.

Note that Dowd's is not the best solution, only the easiest to understand. So once you understand it, it is best not to use this marker plus double-meaning trick (bytes that must be valid both as AS and as native code); there is a simpler way.


As for the Mask table: in every version of the control it can be found easily by searching for the relevant byte sequence.

The parsing location can be found with a read breakpoint on the Mask table. The execution location is a big switch/case that can be found in IDA; set a conditional breakpoint there on the given marker opcode.

Sometimes there is a third obstacle: the bytecode clearly passes the check but is not executed.

It seems best not to modify the function you edited in Flash CS3, but to write the AS bytecode yourself directly.

After the context is restored, program flow continues normally after execution.


Regarding other platforms and browsers, and different versions of Flash, Dowd is clearly misleading.

Because you have to write to a specific place, and that place is not necessarily writable in a different version, different versions crash easily. So even if you can trigger the bug many times, writing blindly is useless, especially on the newer versions.


About failures.

The failure cases: the control itself is not loaded at a random address, but if Flash9x.ocx's default load address is already occupied, it also crashes.

This was first seen as a conflict with the Office series, so Office is very hard to use.

If you have to give it a try, consider what is actually going on.

When the SWF is embedded, an xls can be opened, but Word opens and then closes the editor. This problem must be solved first.
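An added example (not from this post) of the check a practitioner would do before blaming the exploit: read the module's preferred ImageBase, SizeOfImage and relocation flags from its PE header and test that range against the modules already mapped in the target process. The PE image, module names and addresses below are constructed; the real values for Flash9x.ocx and a given Office process have to be read from the target, for example from a debugger's module list.

```python
import struct

# Added example, not from the post: read a PE module's preferred base and relocation
# flags and test them against what is already mapped in a process. The sample PE image,
# module names and addresses are constructed; real values for Flash9x.ocx and a given
# Office process must be read from the target (e.g. from a debugger's module list).

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: loader cannot relocate it
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # opt-in to ASLR (absent in a 2008-era control)


def pe_load_info(data):
    """Return (image_base, size_of_image, relocatable, aslr_opt_in) from a PE file image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = pe_off + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                                              # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                           # PE32: 32-bit ImageBase
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                         # PE32+: 64-bit ImageBase
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return (image_base, size_of_image,
            not characteristics & IMAGE_FILE_RELOCS_STRIPPED,
            bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE))


def collisions(base, size, mapped):
    """Names of mapped modules [(name, start, size)] overlapping [base, base + size)."""
    end = base + size
    return [name for name, start, n in mapped if start < end and base < start + n]


def would_load_at_preferred_base(pe_data, mapped):
    """(loads_ok, colliding_modules): a clash is fatal only if the image cannot be relocated."""
    base, size, relocatable, _ = pe_load_info(pe_data)
    clash = collisions(base, size, mapped)
    return (not clash) or relocatable, clash


def make_test_pe(image_base, size_of_image, characteristics=0, dll_chars=0):
    """Constructed minimal PE32 header (DOS header, COFF header, optional header, no sections)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + coff + bytes(opt)


# Constructed sample: a non-relocatable control preferring 0x30000000, a browser process
# where that range is free, and an Office process with a hypothetical module parked there.
SAMPLE_OCX = make_test_pe(0x30000000, 0x00300000, characteristics=IMAGE_FILE_RELOCS_STRIPPED)
BROWSER_MODULES = [("kernel32.dll", 0x7C800000, 0xF6000), ("ntdll.dll", 0x7C900000, 0xB0000)]
OFFICE_MODULES = BROWSER_MODULES + [("mso.dll", 0x30000000, 0x01000000)]


if __name__ == "__main__":
    print("control:", pe_load_info(SAMPLE_OCX))
    print("browser:", would_load_at_preferred_base(SAMPLE_OCX, BROWSER_MODULES))
    print("office: ", would_load_at_preferred_base(SAMPLE_OCX, OFFICE_MODULES))
```

Two outcomes matter here. If the image carries relocations, the loader moves it when its preferred range is taken and the control loads fine, but every hard-coded address in the SWF is now wrong, which is the same failure described for different versions above. If relocations are stripped, the load itself fails and the host either crashes or silently gets no control at all.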


Personally I feel this SWF could take the other browsers without much fuss, and at a total of 500 bytes it really is "very yellow and very violent". I hope nobody at home goes down this road; it is a bit scary.
