The Latest in IT Security

A Dive into the Water Hole


Today, let’s get our hands dirty by analyzing an “interesting” sample that I found in the wild earlier today. There are multiple interesting parts of this sample; the first one is that they don’t really hide/obfuscate their stuff. They left it in plain text, and exposed the contents of their server. (By accident, I think.)

directory listing of the attack server

Let’s move to the second interesting point: the index.html contains a malicious Windows binary, coded in hex, which will be translated back to binary by calling the JavaScript unescape function. The author also used a document.write call, and (I think) was hoping that the translated binary would trigger a prompt by the browser to be downloaded. Here’s how it looked:

the index.html (with a hex-coded binary)

And here’s the decoded version:

the decoded version

However, after performing testing with several modern browsers, each of them in several versions, I still couldn’t get the “Download” prompt to appear. Instead, the browsers try to ‘render’ the output as a normal Web page:

how it would be displayed in a browser
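As an added example (not the author’s code), here is a small Python check a defender can run over a saved page to flag a string literal handed to unescape() that decodes to an MZ/PE image, the hiding technique used by the index.html above. The sample HTML, the fake PE stub embedded in it and the function names are all constructed here; the decoder follows unescape()’s %XX and %uXXXX rules, so it also covers shellcode-style %u encoding, not just the plain hex seen on this page.

```python
import re

# Constructed sample (not the page's binary): fake MZ/PE stub, percent-encoded like the page's index.html.
def _fake_pe_bytes() -> bytes:
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    dos_header[0x3C:0x40] = (64).to_bytes(4, "little")  # e_lfanew: PE header follows
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20

SAMPLE_HTML = (
    '<html><body><script>document.write(unescape("'
    + "".join(f"%{b:02X}" for b in _fake_pe_bytes())
    + '"));</script></body></html>'
)

_UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.DOTALL)
_PCT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def js_unescape_to_bytes(s: str) -> bytes:
    """Decode %XX / %uXXXX like JavaScript's unescape(), but keep raw bytes:
    %XX -> one byte, %uXXXX -> one UTF-16 unit as two little-endian bytes."""
    out, pos = bytearray(), 0
    for m in _PCT.finditer(s):
        out += s[pos:m.start()].encode("latin-1", "replace")  # literal text between escapes
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += s[pos:].encode("latin-1", "replace")
    return bytes(out)

def looks_like_pe(data: bytes) -> bool:
    """MZ magic plus an e_lfanew that points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_embedded_executables(html: str) -> list:
    """(html_offset, decoded_size) for each unescape() literal that decodes to a PE image."""
    hits = []
    for m in _UNESCAPE_CALL.finditer(html):
        blob = js_unescape_to_bytes(m.group(2))
        if looks_like_pe(blob):
            hits.append((m.start(), len(blob)))
    return hits

if __name__ == "__main__":
    for off, size in find_embedded_executables(SAMPLE_HTML):
        print(f"PE image in unescape() literal at HTML offset {off}: {size} bytes")
```

A real page would be scanned by reading the file into a string and passing it to find_embedded_executables(); the decoded blob itself can then be carved out and hashed or sent to a sandbox.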

So is it a failed exploit? I don’t think so. Let’s move to the second file and see… Oh wait, ieexp.htm? Let me guess: “Internet Explorer exploit”? Let’s take a look…

first part of the exploit script

The first few lines of the exploit code. I’m very familiar with this heap stuff. This is Alexander Sotirov’s HeapLib, which has been adapted for use in Metasploit. Let’s scroll down a bit more…

the shellcode part

That’s the shellcode part (keep scrolling)…

the trigger

That’s the trigger…

So what is the “interesting” part here? It’s CVE-2012-4792 (or, as some might call it, the “watering hole attack”), and it’s taken from the initial release of the exploit in the Metasploit Framework (or maybe an earlier version). You can verify it from the history section of this code: ows/browser/ie_cbutton_uaf.rb

Next, let’s analyze the shellcode portion of the exploit…

shellcode emulation

Thanks to LibEmu, we are able to emulate the shellcode as shown. Please take a closer look at the URLDownloadToFile part: they are trying to download the index.html file that we analyzed earlier. Okay, this is interesting to me, since this is my first time dealing with this technique of hiding a malicious executable binary…

I performed a quick Google search with the exploit file name this morning, and easily found at least 26 more live exploit pages.

Besides CVE-2012-4792, the same website also hosts a Java exploit, but I won’t cover that in this write-up. Just know that updates/patches for these two vulnerabilities (for Internet Explorer and Java) have already been released; please keep your software (and yourself) up-to-date against this kind of threat.

That’s all from me for now. Till next time, stay safe!

–Adnan Shukor
