Yesterday, it’s reported that there is an IE 0day actively exploited in the wild. We did a quick analysis and have some interesting findings.
The exploit contains 4 parts:
- exploit.html – first stage exploiting web page (initialize variables and load the .SWF file).
- Moh2010.swf – encrypted SWF using DoSWF, it contains shellcode and heap spray code. After heap spray is done, it will load Protect.html to trigger the vulnerability.
- Protect.html – detect bowser/flash version and trigger the vulnerability.
- 111.exe – the trojan
The exploitation part is very simple, it only targets Windows XP SP3 and IE8. So there is no need to bypass ASLR , it only uses ROP payload to bypass Windows DEP. The ROP gadget is hard-coded and is from msvcrt.dll module.
0:008> u 0x77c15ed5
77c15ed5 94 xchg eax,esp
77c15ed6 c3 ret
The ROP payload calls kernel32!VirtualAlloc instead change the memory holding shellcode to RWX.
0c10104c 00000000 0c18fa00 00005500 00001000 kernel32!VirtualAllocEx
0:008> !address eax
0c120000 : 0c18f000 – 00006000
Type 00020000 MEM_PRIVATE
Protect 00000040 PAGE_EXECUTE_READWRITE
State 00001000 MEM_COMMIT
The actual shellcode was xor’ed with opcode 0xE2, and it also use hook hopping technique when calling APIs like urlmon!URLDownloadToCacheFileW, kernel32!CreateFileW and kernel32!WinExec etc, and hook hopping technique is commonly used to bypass common security protection like AV and HIPS. After successful exploitation, the shellcode will download a trojan from a remote server.
Coverage / Mitigation
McAfee NSP will release a UDS “UDS-HTTP: Microsoft internet Explorer Use-After-Free exCommand Heap Stray Code Execution” to cover the threat.
McAfee HIPS 8.0 P2 is able to block the 0day exploit with following Generic Buffer Overflow Protection signatures:
- 6013 – Suspicious Function Invocation – CALL Not Found
- 6048 – Suspicious Function Invocation – Different Stack
AV Detection is available in the current Beta DATs as “Exploit-IEexecCommand“
Leave a reply