The Latest in IT Security

Never Ending 0day Story

18
Sep
2012

Yesterday, it’s reported that there is an IE 0day actively exploited in the wild. We did a quick analysis and have some interesting findings.

The exploit contains 4 parts:

  • exploit.html – first stage exploiting web page (initialize variables and load the .SWF file).
  • Moh2010.swf – encrypted SWF using DoSWF, it contains shellcode and heap spray code.  After heap spray is done, it will load Protect.html to trigger the vulnerability.
  • Protect.html – detect bowser/flash version and trigger the vulnerability.
  • 111.exe – the trojan

Not like common exploits having everything in HTML/JavaScript, it hides all important stuff like shellcode and heap spray code in the encrypted SWF file.
The exploitation part is very simple, it only targets Windows XP SP3 and IE8. So there is no need to bypass ASLR , it only uses ROP payload to bypass Windows DEP. The ROP gadget is hard-coded and is from msvcrt.dll module.

0:008> u 0x77c15ed5
msvcrt!_pi_by_2_to_61+0x12db:
77c15ed5 94              xchg    eax,esp
77c15ed6 c3              ret

The ROP payload calls kernel32!VirtualAlloc instead change the memory holding shellcode to RWX.
0c10104c 00000000 0c18fa00 00005500 00001000 kernel32!VirtualAllocEx
0:008> !address eax
0c120000 : 0c18f000 – 00006000
Type     00020000 MEM_PRIVATE
Protect  00000040 PAGE_EXECUTE_READWRITE
State    00001000 MEM_COMMIT
Usage    RegionUsageIsVAD

The actual shellcode was xor’ed with opcode 0xE2, and it also use hook hopping technique when calling APIs like urlmon!URLDownloadToCacheFileW, kernel32!CreateFileW and kernel32!WinExec etc, and hook hopping technique is commonly used to bypass common security protection like AV and HIPS. After successful exploitation, the shellcode will download a trojan from a remote server.

Coverage / Mitigation

McAfee NSP will release a UDS “UDS-HTTP: Microsoft internet Explorer Use-After-Free exCommand Heap Stray Code Execution” to cover the threat.

McAfee HIPS 8.0 P2 is able to block the 0day exploit with following Generic Buffer Overflow Protection signatures:

  • 6013 – Suspicious Function Invocation – CALL Not Found
  • 6048 – Suspicious Function Invocation – Different Stack

AV Detection is available in the current Beta DATs as “Exploit-IEexecCommand

Leave a reply


Categories

TUESDAY, FEBRUARY 20, 2018

Featured

Archives

Latest Comments

Social Networks