Debug Instrumentation via Flash ActionScript


Check Point posted this interesting tidbit

Debug Instrumentation via Flash ActionScript

Browser plug-ins have always been an attractive target for attackers to exploit. In the last couple of years, the most prevalent attack platform was undoubtedly – Flash. With 250+ CVEs in 2016 alone, and incorporation in practically every exploit kit, Flash exploits are everywhere and deserve our attention.

As researchers, we stumble upon many cases where we are required to analyze exploits found in the wild and collect as much information as possible regarding the exploit`s internal workings. This process quite often proves to be tedious and very time consuming, making the research task far from optimal. As most of an exploit’s juicy parts (such as ROP chains, Shellcodes and payload) are generated at runtime, we decided to take a different approach and make this process much more informative by utilizing the existing abilities found in native level debuggers.

Using this approach, we were able to gain a much wider view into the inner working of Flash-based exploits, making the research process much quicker and easier to manage.

This report explains the details of our approach and its advantages as well as showing some popular use cases in which it can be applied. But before diving in to Flash exploration techniques, let’s quickly go over the SWF basics.

Even if I disagree on “blaming it all on Flash” because “250+ CVE” as I think that any popular technology would be targeted the same way, the article is still pretty good at showing and explaining step by step how such exploitation is made and can make you learn a great deals about the Flash internals.

Also when you run out of ideas to obfuscate your code you can find plenty of new ideas in those exploits :smiley:

**edit:** added the page saved as PDF Debug Instrumentation via Flash ActionScript _ Check Point Blog.pdf (1.5 MB) updated link, it's working again


Link doesn’t work, at least now:


yep, not sure why, I added the PDF of the page to the post
once published on the internet it never goes away :wink: