{"id":13185,"date":"2015-07-09T16:50:48","date_gmt":"2015-07-09T08:50:48","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=13185"},"modified":"2015-07-13T17:22:05","modified_gmt":"2015-07-13T09:22:05","slug":"hacking-team-%e8%a2%ab%e9%a7%ad-%e6%b5%81%e5%87%ba%e8%b3%87%e6%96%99%e4%b8%ad%e7%99%bc%e7%8f%be-flash%e9%9b%b6%e6%99%82%e5%b7%ae%e6%bc%8f%e6%b4%9e%e6%94%bb%e6%93%8a%e7%a8%8b%e5%bc%8f","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=13185","title":{"rendered":"\u5099\u6536\u722d\u8b70\u7684 Hacking Team \u88ab\u99ed ! \u6d41\u51fa\u8cc7\u6599\u4e2d\u767c\u73fe Flash\u96f6\u6642\u5dee\u6f0f\u6d1e\u653b\u64ca\u7a0b\u5f0f"},"content":{"rendered":"<p>\u4ee5\u5354\u52a9\u57f7\u884c\u76e3\u63a7\u4efb\u52d9,\u51fa\u552e\u9593\u8adc\u7a0b\u5f0f\u7d66\u5404\u570b\u653f\u5e9c\u8207\u57f7\u6cd5\u55ae\u4f4d\u800c\u5099\u53d7\u722d\u8b70\u7684Hacking Team\u516c\u53f8,\u8fd1\u65e5<a href=\"https:\/\/www.csoonline.com\/article\/2943968\/data-breach\/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html\">\u906d\u5230\u653b\u64ca<\/a>\uff0c\u7e3d\u91cf\u8fd1400GB\u7684\u516c\u53f8\u5167\u90e8\u6587\u4ef6\u8207\u8cc7\u6599\u88ab\u516c\u958b\u3002\u66fe\u8868\u793a<a href=\"https:\/\/mashable.com\/2014\/02\/23\/hacking-team-spyware-governments\/\">\u4e0d\u8ddf\u6975\u6b0a\u570b\u5bb6\u505a\u751f\u610f<\/a>,\u4ee5\u8ca9\u552e\u865f\u7a31\u5408\u6cd5\u6514\u622a\u901a\u8a0a\u5de5\u5177\u7d66\u653f\u5e9c\u548c\u57f7\u6cd5\u6a5f\u69cb\u7684\u7fa9\u5927\u5229\u516c\u53f8Hacking Team, \u59cb\u7d42\u6c92\u6709\u6b63\u5f0f\u516c\u5e03\u8207\u4ed6\u5011\u5408\u4f5c\u55ae\u4f4d\u7684\u540d\u55ae\uff0c\u5728\u6b64\u6b21\u6d29\u9732\u7684\u6587\u4ef6\u4e2d\uff0c\u5305\u542b\u4e86Hacking Team\u7684\u5ba2\u6236\u8cc7\u6599\u3001\u8ca1\u52d9\u6587\u4ef6\u3001\u5408\u7d04\u3001\u5167\u90e8E-mail\u90f5\u4ef6\uff0c\u6839\u64da<a href=\"https:\/\/www.ibtimes.co.uk\/hacking-team-hacked-spy-tools-sold-oppressive-regimes-sudan-bahrain-kazakhstan-1509460\">International Business Time\u5831\u5c0e<\/a>\uff0c\u4f7f\u7528\u5176\u63d0\u4f9b\u7684\u7a0b\u5f0f\u7684\u570b\u5bb6\u5305\u542b\uff1a<br \/>\n\u57c3\u53ca\u3001\u4f9d\u7d22\u6bd4\u4e9e\u3001\u6469\u6d1b\u54e5\u3001\u5948\u53ca\u5229\u4e9e\u3001\u8607\u4e39\u3001\u667a\u5229\u3001\u54e5\u502b\u6bd4\u4e9e\u3001\u5384\u74dc\u591a\u3001\u6d2a\u90fd\u62c9\u65af\u3001\u58a8\u897f\u54e5\u3001\u5df4\u62ff\u99ac\u3001\u7f8e\u570b\u3001\u4e9e\u585e\u62dc\u7136\u3001\u54c8\u85a9\u514b\u65af\u5766\u3001\u99ac\u4f86\u897f\u4e9e\u3001\u8499\u53e4\u3001\u65b0\u52a0\u5761\u3001\u97d3\u570b\u3001\u6cf0\u570b\u3001\u70cf\u8332\u5225\u514b\u65af\u5766\u3001\u8d8a\u5357\u3001\u6fb3\u5927\u5229\u4e9e\u3001\u8cfd\u666e\u52d2\u65af\u3001\u6377\u514b\u3001\u5fb7\u570b\u3001\u5308\u7259\u5229\u3001\u7fa9\u5927\u5229\u3001\u76e7\u68ee\u5821\u3001\u6ce2\u862d\u3001\u4fc4\u7f85\u65af\u3001\u897f\u73ed\u7259\u3001\u745e\u58eb\u3001\u5df4\u6797\u3001\u963f\u66fc\u3001\u6c99\u70cf\u5730\u963f\u62c9\u4f2f\u3001\u963f\u62c9\u4f2f\u806f\u5408\u5927\u516c\u570b\u3002<\/p>\n<p><a href=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/07\/alert.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-13195\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/07\/alert.jpg\" alt=\"alert \u75c5\u6bd2\u8b66\u8a0a\" width=\"700\" height=\"479\" srcset=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/07\/alert.jpg 700w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/07\/alert-300x205.jpg 300w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/07\/alert-600x411.jpg 600w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a>\u5728\u9019\u4e9b\u6a94\u6848\u4e2d\u767c\u73fe\u4e86Hacking Team\u6240\u958b\u767c\u7684\u653b\u64ca\u5de5\u5177\uff0c\u76ee\u524d\u767c\u73fe\u76843\u6b3e\u653b\u64ca\u7a0b\u5f0f\u4e2d\uff0c\u6709\u5169\u6b3e\u9396\u5b9aFlash Player\u7684\u5b89\u5168\u6f0f\u6d1e\uff0c\u4e00\u6b3e\u9396\u5b9aWindows\u6838\u5fc3\u6f0f\u6d1e\uff0c\u4e14\u7576\u4e2d\u53ea\u6709\u4e00\u500bFlash\u6f0f\u6d1e\u66fe\u88ab\u63ed\u9732\u3002<\/p>\n<p>\u53e6\u4e00\u6b3eFlash\u96f6\u6642\u5dee\u6f0f\u6d1e\u88abHacking Team\u63cf\u8ff0\u70ba\u300c\u6700\u8fd14\u5e74\u4f86\u6700\u5b8c\u7f8e\u7684Flash\u6f0f\u6d1e\u300d\u3002\u5728\u6587\u4ef6\u4e2d\u767c\u73fe\u4e86\u91dd\u5c0d\u6b64\u4e00\u6f0f\u6d1e\u6982\u5ff5\u6027\u9a57\u8b49\u653b\u64ca\u7a0b\u5f0f\uff0c\u5b83\u6703\u5f71\u97ff\u5404\u5927\u700f\u89bd\u5668\u53caFlash Player 9\u4ee5\u5f8c\u7684\u7248\u672c\uff0c\u5305\u542b\u6700\u65b0\u7684Adobe Flash 18.0.0.194\u5728\u5167\u3002<\/p>\n<p>\u4e8b\u5be6\u4e0a\u9019\u500bFlash\u6f0f\u6d1e,\u5148\u524d\u5df2\u7d93\u6709\u5e7e\u500b\u6f0f\u6d1e\u4f7f\u7528\u9019\u7a2e\u00a0<em>valueOf\u00a0<\/em>\u4f0e\u5006\uff0c\u5305\u62ec\u88ab\u7528\u5728 Pwn2Own 2015\u7684 CVE-2015-0349\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2015\/07\/hackingteam1.png\" alt=\"\" width=\"550\" height=\"94\" \/><\/p>\n<p><em>\u57161\u3001Hacking Team\u5c0d\u6f0f\u6d1e\u7684\u63cf\u8ff0<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Adobe Flash Player<\/strong><strong><em>\u6f0f\u6d1e\u8cc7\u8a0a<\/em><\/strong><\/p>\n<p>\u5916\u6d29\u7684\u8cc7\u6599\u4e2d\u5305\u542b\u4e00\u500b\u53ef\u4ee5\u555f\u52d5Windows\u8a08\u7b97\u6a5f\u7684Flash\u96f6\u6642\u5dee\u6982\u5ff5\u8b49\u660e\u78bc\uff08POC\uff09\u4ee5\u53ca\u4e00\u500b\u5e36\u6709\u771f\u6b63\u653b\u64cashellcode\u7684\u6b63\u5f0f\u7248\u672c\u3002<\/p>\n<p>\u5728POC\u4e2d\u6709\u4e00\u500b\u8aaa\u660e\u6587\u4ef6\u8a73\u8ff0\u4e86\u9019\u500b\u96f6\u6642\u5dee\u6f0f\u6d1e\uff08\u5982\u4e0b\u5716\u6240\u793a\uff09\u3002\u5b83\u6307\u51fa\u8a72\u6f0f\u6d1e\u53ef\u4ee5\u5f71\u97ffAdobe Flash Player 9\u53ca\u66f4\u65b0\u7684\u7248\u672c\uff0c\u800c\u4e14\u684c\u9762\/Metro\u7248\u672c\u7684IE\u3001Chrome\u3001Firefox\u548cSafari\u90fd\u6703\u53d7\u5230\u5f71\u97ff\u3002\u5916\u90e8\u5831\u544a\u6307\u51fa\u6700\u65b0\u7248\u672c\u7684Adobe Flash\uff08\u7248\u672c18.0.0.194\uff09\u4e5f\u53d7\u5230\u5f71\u97ff\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2015\/07\/hackingteam2.png\" alt=\"\" width=\"550\" height=\"241\" \/><\/p>\n<p><em>\u57162\u3001Hacking Team\u5c0d\u6f0f\u6d1e\u7684\u63cf\u8ff0<\/em><\/p>\n<p>Adobe \u4e5f\u627f\u8a8d\u4e86\u9019\u9805\u6f0f\u6d1e\u4e26\u767c\u5e03\u4e86<a href=\"https:\/\/helpx.adobe.com\/security\/products\/flash-player\/apsa15-03.html\">\u5b89\u5168\u516c\u544a<\/a>\u3002\u9019\u4efd\u5b89\u5168\u516c\u544a\u8b49\u5be6\u6b64\u6f0f\u6d1e\u5df2\u5217\u5165 CVE \u8cc7\u6599\u5eab\u7576\u4e2d\uff0c\u7de8\u865f\u70ba\u00a0CVE-2015-5119\u3002Adobe \u5b89\u5168\u516c\u544a\u66f4\u78ba\u8a8d\u4eca\u65e5\u300c\u6240\u6709\u300d\u4f7f\u7528\u4e2d\u7684 Flash Player \u7248\u672c\u90fd\u5b58\u5728\u9019\u9805\u6f0f\u6d1e\u3002<\/p>\n<p>\u6240\u6709 Flash Player \u4f7f\u7528\u8005\u7686\u61c9\u7acb\u5373\u4e0b\u8f09\u6700\u65b0\u4fee\u6b63\u7a0b\u5f0f\uff0c\u5426\u5247\u5c07\u6709\u5371\u96aa\u3002Adobe \u5df2\u7d93\u91cb\u51fa\u4fee\u6b63\u7a0b\u5f0f<a href=\"https:\/\/helpx.adobe.com\/security\/products\/flash-player\/apsb15-16.html\">APSB15-16<\/a>,\u5f37\u70c8\u5efa\u8b70\u76e1\u66f4\u65b0\u3002\u672c\u6708\u7a0d\u65e9\u6211\u5011\u5373\u6307\u51fa <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/exploit-kits-and-malvertising-a-troublesome-combination\/\">Flash Player \u906d\u6f0f\u6d1e\u653b\u64ca\u5957\u4ef6\u9396\u5b9a\u7684\u983b\u7387\u8d8a\u4f86\u8d8a\u9ad8<\/a>\uff0c\u800c\u9019\u6a23\u7684\u8da8\u52e2\u4f3c\u4e4e\u6c92\u6709\u8f49\u8b8a\u7684\u8de1\u8c61\u3002<\/p>\n<p><strong><em>\u6839\u672c\u539f\u56e0\u5206\u6790<\/em><\/strong><\/p>\n<p>\u8aaa\u660e\u6587\u4ef6\u9084\u4ecb\u7d39\u4e86\u8a72\u6f0f\u6d1e\u7684\u6839\u672c\u539f\u56e0\u3002\u9019\u662f\u4e00\u500bByteArray\u985e\u5225\u7684Use-After-Free\uff08UAF\uff09\u6f0f\u6d1e:<\/p>\n<ul>\n<li>\u7576\u4f60\u6709\u4e00\u500bByteArray\u7269\u4ef6<em>ba<\/em>\uff0c\u4e26\u5c07\u5176\u7d66\u503c<em>ba[0]=Object<\/em>\uff0c\u5b83\u6703\u547c\u53eb\u6b64\u7269\u4ef6\u7684<em>valueOf<\/em>\u51fd\u6578<\/li>\n<li>\u9019<em>valueOf<\/em>\u51fd\u6578\u53ef\u4ee5\u88ab\u8986\u5beb\uff0c\u6240\u4ee5\u80fd\u5920\u8b8a\u66f4\u7269\u4ef6<em>valueOf<\/em>\u51fd\u6578\u4e2d\u7684<em>ba<\/em>\u503c<\/li>\n<li>\u5982\u679c\u4f60\u91cd\u65b0\u5206\u914d<em>valueOf<\/em>\u51fd\u6578\u5167\u7684<em>ba<\/em>\u8a18\u61b6\u9ad4\uff0c\u5c31\u6703\u5c0e\u81f4UAF\uff0c\u56e0\u70ba<em>ba[0]=Object<\/em>\u6703\u5132\u5b58\u539f\u672c\u7684\u8a18\u61b6\u9ad4\uff0c\u4e26\u4e14\u5728<em>valueOf<\/em>\u51fd\u6578\u88ab\u547c\u53eb\u5f8c\u4f7f\u7528\u3002<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<p><strong><em>\u6b63\u5f0f\u7248\u6f0f\u6d1e\u653b\u64ca\u78bc\u5206\u6790<\/em><\/strong><\/p>\n<p>\u89f8\u767cUAF\u6f0f\u6d1e\u5f8c\uff0c\u5b83\u6703\u7834\u58de<em>Vector.&lt;unit&gt;<\/em>\u9577\u5ea6\u4f86\u9054\u5230\u8b80\u5beb\u7a0b\u5e8f\u4e2d\u4efb\u610f\u8a18\u61b6\u9ad4\u7684\u80fd\u529b\u3002\u4e00\u65e6\u5177\u5099\u9019\u80fd\u529b\uff0c\u6f0f\u6d1e\u653b\u64ca\u78bc\u53ef\u4ee5\u9032\u884c\u4ee5\u4e0b\u52d5\u4f5c\uff1a<\/p>\n<ul>\n<li>\u641c\u5c0b\u7a0b\u5e8f\u5167<em>dll<\/em>\u7684\u57fa\u5740\uff0c\u7136\u5f8c\u627e\u5230<em>VirtualProtect<\/em>\u4f4d\u5740<\/li>\n<li>\u627e\u5230\u5305\u542b\u5728<em>ByteArray<\/em>\u5167\u7684shellcode\u4f4d\u5740<\/li>\n<li>\u547c\u53eb<em>VirtualProtect<\/em>\u4f86\u5c07shellcode\u8a18\u61b6\u9ad4\u6539\u8b8a\u6210\u53ef\u57f7\u884c\u3002<\/li>\n<li>\u5728AS3\u7a0b\u5f0f\u78bc\u4e2d\u6709\u5b9a\u7fa9\u4e00\u500b\u540d\u70ba<em>Payload<\/em>\u7684\u7a7a\u975c\u614b\u51fd\u6578\u3002<\/li>\n<li>\u627e\u5230<em>Payload<\/em>\u51fd\u6578\u7269\u4ef6\u4f4d\u5740\uff0c\u7136\u5f8c\u627e\u5230<em>Payload<\/em>\u51fd\u6578\u7269\u4ef6\u6240\u5305\u542b\u7684\u771f\u5be6\u51fd\u6578\u7a0b\u5f0f\u78bc\u4f4d\u5740\u3002<\/li>\n<li>\u7528shellcode\u4f4d\u5740\u8986\u5beb\u771f\u6b63\u51fd\u6578\u7a0b\u5f0f\u78bc\u4f4d\u5740<\/li>\n<li>\u547c\u53ebAS3\u5167\u7684\u975c\u614b\u51fd\u6578<em>Payload<\/em>\uff0c\u9019\u5c07\u5c0e\u81f4\u547c\u53eb\u4e86shellcode<\/li>\n<li>Shellcode\u88ab\u57f7\u884c\u5f8c\uff0c\u91cd\u7f6e\u975c\u614b\u51fd\u6578\u4f4d\u5740\u3002<\/li>\n<\/ul>\n<p>\u6211\u5011\u53ef\u4ee5\u770b\u5230\u9019\u7a2e\u6f0f\u6d1e\u653b\u64ca\u65b9\u5f0f\u80fd\u5920\u7528\u8986\u5beb\u4e00\u500b\u975c\u614b\u51fd\u6578\u7a0b\u5f0f\u78bc\u4f4d\u5740\u7684\u65b9\u5f0f\u4f86\u7e5e\u904e<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/exploring-control-flow-guard-in-windows-10\/\">\u63a7\u5236\u6d41\u9632\u8b77\uff08Control Flow Guard\uff09<\/a>\u3002<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a>\u5df2\u7d93\u80fd\u5920\u7acb\u5373\u4fdd\u8b77\u4f7f\u7528\u8005\u514d\u65bc\u6b64\u4e00\u5a01\u8105\u800c\u7121\u9700\u4efb\u4f55\u66f4\u65b0\u3002\u8da8\u52e2\u79d1\u6280<a href=\"https:\/\/t.rend.tw\/?i=MzcxNw\">Deep Discovery<\/a>\u4e2d\u6240\u5305\u542b\u5e36\u6709\u8173\u672c\u5206\u6790\u5f15\u64ce\u7684\u6c99\u7bb1\u6280\u8853\u53ef\u4ee5\u7528\u4f86\u5075\u6e2c\u6b64\u884c\u70ba\u6240\u9020\u6210\u7684\u5a01\u8105\u3002<a href=\"https:\/\/www.trendmicro.com\/us\/business\/complete-user-protection\/\">\u8da8\u52e2\u79d1\u6280\u4f01\u696d\u5b89\u5168\u5957\u88dd\u8edf\u9ad4<\/a>\u5167\u7aef\u9ede\u9632\u8b77\u7522\u54c1\u7684\u700f\u89bd\u5668\u6f0f\u6d1e\u9632\u8b77\u529f\u80fd\u53ef\u4ee5\u5728\u4f7f\u7528\u8005\u9023\u5230\u5e36\u6709\u6b64\u6f0f\u6d1e\u653b\u64ca\u78bc\u7684\u7db2\u9801\u6642\u52a0\u4ee5\u5c01\u9396\u3002\u700f\u89bd\u5668\u6f0f\u6d1e\u9632\u8b77\u53ef\u4ee5\u5c0d\u6297\u91dd\u5c0d\u700f\u89bd\u5668\u6216\u76f8\u95dc\u5916\u639b\u7a0b\u5f0f\u7684\u6f0f\u6d1e\u653b\u64ca\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Windows \u6838\u5fc3\u6f0f\u6d1e<br \/>\n<\/strong>\u6b64\u6f0f\u6d1e\u5b58\u5728\u65bc Open Font Type Manager (\u958b\u653e\u5b57\u578b\u7ba1\u7406\u7a0b\u5f0f) \u6a21\u7d44\uff0c\u4e5f\u5c31\u662f ATMFD.dll\uff0c\u7531 Adobe \u6240\u63d0\u4f9b\u3002\u9019\u500b DLL \u5728\u7cfb\u7d71\u4e2d\u662f\u4ee5\u6838\u5fc3\u6a21\u5f0f (Kernel Mode) \u57f7\u884c\uff0c\u56e0\u6b64\u99ed\u5ba2\u53ef\u5229\u7528\u9019\u500b\u6f0f\u6d1e\u4f86\u63d0\u5347\u81ea\u5df1\u7684\u6b0a\u9650\u800c\u4e0d\u88ab\u6c99\u76d2\u6a21\u64ec\u5206\u6790\u9632\u79a6\u6a5f\u5236\u6240\u767c\u73fe\u3002<\/p>\n<p><strong><em>\u63ed\u958b\u6f0f\u6d1e\u7684\u9762\u7d17<\/em><\/strong><\/p>\n<p>\u6b64\u6f0f\u6d1e\u7684\u6839\u6e90\u5f88\u7c21\u55ae\uff0c\u7576\u61c9\u7528\u7a0b\u5f0f\u547c\u53eb\u67d0\u4e9b GDI API (\u4e5f\u5c31\u662f\uff1a<em>GDI32!NamedEscape<\/em>) \u7684\u51fd\u5f0f\u6642\uff0c\u53ef\u4ee5\u6307\u5b9a\u8981\u7528\u4f86\u8655\u7406\u5b57\u578b\u8cc7\u6599\u7684\u9a45\u52d5\u7a0b\u5f0f\u3002\u800c ATMFD.dll \u5c31\u662f\u9019\u6a23\u4e00\u500b\u5b57\u578b\u9a45\u52d5\u7a0b\u5f0f\u3002\u7136\u800c\uff0c\u7576\u8a72\u6a21\u7d44\u5728\u8655\u7406\u5b57\u578b\u8cc7\u6599\u6642\uff0c\u6703\u56e0\u70ba\u4e00\u500b\u5e36\u6b63\u8ca0\u865f\u6578\u5b57\u7684\u5ef6\u5c55\u554f\u984c (signed number extending) \u800c\u5c0e\u81f4\u7de9\u885d\u5340\u6ea2\u4f4d\u3002<\/p>\n<p>\u7528\u4e00\u6bb5\u7c21\u55ae\u7684\u7a0b\u5f0f\u78bc\u4f86\u8aaa\u660e\u9019\u500b\u6f0f\u6d1e\u7684\u539f\u7406\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2015\/07\/hacking-team-windows-kernel-a.png\" alt=\"\" width=\"458\" height=\"297\" \/><br \/>\n<em>\u5716 3\uff1a\u7c21\u5316\u7684\u6f0f\u6d1e\u7a0b\u5f0f\u78bc<\/em><\/p>\n<p>\u5e36\u6b63\u8ca0\u865f\u7684\u6578\u5b57\u5ef6\u5c55\u554f\u984c\u51fa\u73fe\u5728\u7b2c 5 \u884c\u3002\u7576 i \u539f\u672c\u662f 0x8000 \u6642\uff0c\u4e00\u6307\u5b9a\u5230 index \u9019\u500b\u8b8a\u6578\u4e0a\u5c31\u6703\u8b8a\u6210 0xffff8000 (\u539f\u56e0\u662f i \u7684\u8cc7\u6599\u985e\u578b\u662f short\uff0c\u800c index \u7684\u985e\u578b\u662f int\uff0c\u800c\u5f9e short \u8b8a\u6210 int \u5fc5\u9808\u5ef6\u5c55) \u3002\u5982\u6b64\u4e00\u4f86\uff0c\u7b2c 6 \u884c\u7a0b\u5f0f\u78bc\u7684\u689d\u4ef6\u5f0f\u5c31\u6703\u6210\u7acb\uff0c\u56e0\u70ba index \u662f\u4e00\u500b\u5f88\u5c0f\u7684\u8ca0\u6578\u3002\u800c\u7b2c 8 \u884c\u7684 index*2+6 \u540c\u6a23\u4e5f\u6703\u662f\u500b\u8ca0\u6578\uff0c\u56e0\u6b64 buffer_base[index*2+6] \u6703\u6307\u5411 buffer_base \u9019\u500b\u7de9\u885d\u5340\u4e4b\u524d\u7684\u67d0\u500b\u4f4d\u7f6e (\u800c\u975e\u6307\u5411\u7de9\u885d\u5340\u5167)\u3002<\/p>\n<p>\u5728\u6f0f\u6d1e\u653b\u64ca\u7a0b\u5f0f\u78bc\u7576\u4e2d\uff0c\u7531\u65bc\u8981\u8f09\u5165\u5b57\u578b\u7de9\u885d\u5340\u4e2d\u7684\u5167\u5bb9\u662f\u7531\u99ed\u5ba2\u6240\u8a2d\u8a08\u7684\uff0c\u56e0\u6b64\u99ed\u5ba2\u53ef\u5229\u7528\u9019\u500b\u6f0f\u6d1e\u4f86\u5c07\u7279\u6b8a\u5167\u5bb9\u5beb\u5165\u7de9\u885d\u5340\u524d\u65b9\u3002<\/p>\n<p><a href=\"https:\/\/www.trendmicro.tw\/tw\/enterprise\/cloud-solutions\/deep-security\/index.html\">\u8da8\u52e2\u79d1\u6280Deep Security<\/a>\u7684\u6f0f\u6d1e\u9632\u8b77\u53ef\u4ee5\u5229\u7528\u4ee5\u4e0bDPI\u898f\u5247\u4f86\u4fdd\u8b77\u4f7f\u7528\u8005\u7684\u7cfb\u7d71\u514d\u65bc\u76f8\u95dc\u6f0f\u6d1e\u653b\u64ca\uff1a<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>1006824 \u2013 Adobe Flash ActionScript3 ByteArray Use After Free\u6f0f\u6d1e<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>\u6709\u95dc\u9019\u8d77\u8cc7\u6599\u5916\u6d29\u7684\u66f4\u591a\u8cc7\u8a0a\u548c\u5176\u4ed6\u6f0f\u6d1e\u653b\u64ca\u7d30\u7bc0\uff0c\u8acb\u53c3\u95b1<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak\/\"><em>\u672a\u4fee\u88dc\u7684 Flash Player \u6f0f\u6d1e\u4ee5\u53ca\u5176\u4ed6 Hacking Team \u8cc7\u6599\u5916\u6d29\u4e8b\u4ef6\u7576\u4e2d\u767c\u73fe\u7684\u6982\u5ff5\u9a57\u8b49\u653b\u64ca (Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak)<\/em><\/a>\u3002\u672a\u4f86\u82e5\u6709\u66f4\u9032\u4e00\u6b65\u7684\u6d88\u606f\uff0c\u6211\u5011\u5c07\u9678\u7e8c\u66f4\u65b0\u9019\u7bc7\u6587\u7ae0\u3002<\/p>\n<p><strong><em>\u76f8\u95dc\u6587\u7ae0\uff1a<\/em><\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/blog.trendmicro.com.tw\/?p=13261\">\u53c8\u4f86\u4e86!! Hacking Team \u8cc7\u6599\u5916\u6d29\u6dfb\u65b0\u7684 Adobe Flash \u96f6\u6642\u5dee\u6f0f\u6d1e (CVE-2015-5123)<\/a><\/li>\n<li><a href=\"https:\/\/blog.trendmicro.com.tw\/?p=13251\">Hacking Team \u8cc7\u6599\u5916\u6d29\u4e8b\u4ef6\u53c8\u4e00\u500bAdobe Flash Player \u6f0f\u6d1e\u96f6\u6642\u5dee\u6f0f\u6d1e\u66dd\u5149<\/a><\/li>\n<li><a href=\"https:\/\/blog.trendmicro.com.tw\/?p=13211\">\u7576\u5fc3\u52d2\u7d22\u8edf\u9ad4\u5229\u7528Hacking Team \u5916\u6d29\u7684 Adobe Flash\u6f0f\u6d1e\u767c\u52d5\u653b\u64ca<\/a><\/li>\n<li><a href=\"https:\/\/blog.trendmicro.com.tw\/?p=13202\">Hacking Team \u7684 Flash \u96f6\u6642\u5dee\u6f0f\u6d1e\u653b\u64ca,\u5df2\u88ab\u6536\u9304\u5230\u6f0f\u6d1e\u653b\u64ca\u5957\u4ef6!<\/a><\/li>\n<li><a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/hacking-team-flash-zero-day-tied-to-attacks-in-korea-and-japan-on-july-1\/\">Hacking Team \u7684 Flash \u96f6\u6642\u5dee\u6f0f\u6d1e\u6d89\u53ca 7 \u6708 1 \u65e5\u97d3\u570b\u548c\u65e5\u672c\u6240\u906d\u5230\u7684\u653b\u64ca (Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan\u2026 on July 1)<\/a><\/li>\n<\/ul>\n<p>\u25ce\u539f\u6587\u53c3\u8003\u4f86\u6e90:<\/p>\n<p><a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak\/\">Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak<\/a>\u4f5c\u8005\uff1a<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/author\/peterpi\/\">Peter Pi\uff08\u5a01\u8105\u5206\u6790\u5e2b\uff09<\/a><a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/a-look-at-the-open-type-font-manager-vulnerability-from-the-hacking-team-leak\/\">A Look at the Open Type Font Manager Vulnerability from the Hacking Team Leak<\/a>| \u00a0 \u4f5c\u8005\uff1a<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/author\/jacktang\/\">Jack Tang (\u5a01\u8105\u5206\u6790\u5e2b)<\/a><\/p>\n<p>\u60f3\u4e86\u89e3\u66f4\u591a\u95dc\u65bc\u7db2\u8def\u5b89\u5168\u7684\u79d8\u8a23\u548c\u5efa\u8b70\uff0c\u53ea\u8981\u5230<a href=\"https:\/\/www.facebook.com\/trendmicrotaiwan\">\u8da8\u52e2\u79d1\u6280\u7c89\u7d72\u7db2\u9801<\/a> \u6216\u4e0b\u9762\u7684\u6309\u9215\u6309\u8b9a<\/p>\n<p><iframe loading=\"lazy\" style=\"border: none; overflow: hidden; width: 350px; height: 62px;\" src=\"https:\/\/www.facebook.com\/plugins\/likebox.php?id=255176705131&amp;width=350&amp;connections=0&amp;stream=false&amp;header=false&amp;height=62\" width=\"300\" height=\"150\" frameborder=\"0\" scrolling=\"no\"><\/iframe><\/p>\n<p><span style=\"color: red;\"><b>\u300a\u63d0\u9192\u300b<\/b><\/span>\u5728\u7c89\u7d72\u9801\u6a6b\u5e45,\u8b9a\u7684\u53f3\u908a\u4e09\u89d2\u5f62\u9078\u64c7<strong>\u63a5\u6536\u901a\u77e5<\/strong>\u548c<strong>\u65b0\u589e\u5230\u8208\u8da3\u4e3b\u984c\u6e05\u55ae<\/strong>,\u91cd\u8981\u901a\u77e5\u8207\u597d\u5eb7\u4e0d\u6f0f\u63a5<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u4ee5\u5354\u52a9\u57f7\u884c\u76e3\u63a7\u4efb\u52d9,\u51fa\u552e\u9593\u8adc\u7a0b\u5f0f\u7d66\u5404\u570b\u653f\u5e9c\u8207\u57f7\u6cd5\u55ae\u4f4d\u800c\u5099\u53d7\u722d\u8b70\u7684Hacking Team\u516c\u53f8,\u8fd1\u65e5\u906d\u5230\u653b\u64ca\uff0c\u7e3d [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[1922,185,2197,156,1989,8,179],"tags":[1036,2188,2187,107,84],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/13185"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13185"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/13185\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13185"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}