Black Hat Europe资料eu-15-Pi-New-Tool-For-Discovering-Flash-Player-0-day-Attacks-In-The-Wild-From-Various-Channels-wp.pdfVIP

New Tool for Discovering Flash Player 0-day Attacks in the Wild from Various Channels @heisecode 1, Background In 2014, Microsoft introduced isolated heap and memory protector to avoid IE UAF exploits, it is harder to exploit PC using IE as a target. In late 2014 when did a plan for 2015, I thought Flash Player will be most popular attack target in PC, So I did some research for catching flash 0-day attack in 2015 and finally have some results. There are two important factors to discover 0-day attacks, one is how to get more effective samples in the wild, another is how to identify 0-day from large number of samples. I found some sample channels which can provide effective samples in the wild and develop a tool to help me identify these samples. 2, Sample Channels 1 Products’ feedback There are usually many SWF samples from kinds of products or engines’ detection feedback. This channel is most effective channel, because the samples have been filtered by products and engines’ rules, and the number of samples is large. There are many new feedback added every day, so need to process them every day. 2 URL Crawl Attackers always prepare several exploits in a URL, use which exploit depends on the software version installed in the victims’ PC. So products or engines’ feedback may contain many old CVEs detection just because some users installed old Java version or IE version. I get these old CVEs detection URLs from feedback and crawl these URLs to get the whole exploits based in these URLs, and there may have a Flash exploit. 3 Download from VT Intelligence I can download many SWF samples from /intelligence Based on some research, attackers may submit their exploits or POCs to VT to check AV detection. And some 0-days firstly submitted to VT before they were publicly disclosed. 4 URL Pattern Exploit Kits and so