Today, let’s get our hands dirty by analyzing an “interesting” sample that I found in-the-wild earlier today. There are multiple interesting parts of this sample; the first one is that they don’t really hide/obfuscate their stuff. They left it in plain text, and exposed the contents of their server. (By accident, I think.)
Let’s move to the second interesting point: the index.html contains a malicious Windows binary, encoded as hex escapes, which is turned back into the binary by calling the JavaScript unescape function. The author also used a document.write call, and (I think) was hoping that the decoded binary would trigger a prompt by the browser to download it. Here’s how it looked:
And here’s the decoded version:
However, after performing testing with several modern browsers, each of them in several versions, I still couldn’t get the “Download” prompt to appear. Instead, the browsers try to ‘render’ the output as a normal Web page:
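To see what the browser actually receives from that unescape/document.write trick, here is an added example of my own (not code from the original page or from the sample): a small Python scanner that pulls every unescape() call out of an HTML page, decodes it the way the browser would, and checks the result for an MZ/PE header. The embedded page and the executable header it carries are constructed for the demo and are not a real program.

```python
import re

# unescape('...') or unescape("...") with the literal argument captured in group 2
UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.DOTALL)
# Tokens of the JavaScript escape format: %uXXXX, %XX, or a literal character
TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.DOTALL)


def js_unescape(text):
    """Mimic JavaScript unescape(): %XX -> one byte, %uXXXX -> a 16-bit code unit
    (emitted little-endian, the usual shellcode convention), else the literal char."""
    out = bytearray()
    for m in TOKEN.finditer(text):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        elif m.group(2):
            out.append(int(m.group(2), 16))
        else:
            out += m.group(3).encode("latin-1", "replace")
    return bytes(out)


def looks_like_pe(blob):
    """MZ magic plus an e_lfanew (offset 0x3C) that points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_html(html):
    """Return (offset, decoded_bytes, is_pe) for every unescape() call in the page."""
    results = []
    for m in UNESCAPE_CALL.finditer(html):
        blob = js_unescape(m.group(2))
        results.append((m.start(), blob, looks_like_pe(blob)))
    return results


def build_fake_pe():
    """Constructed 64-byte DOS header with e_lfanew = 0x40, then 'PE\\0\\0' and padding."""
    hdr = b"MZ\x90\x00" + b"\x00" * (0x3C - 4) + (0x40).to_bytes(4, "little")
    return hdr + b"PE\x00\x00" + b"\x00" * 20


def hex_escape(blob):
    return "".join("%%%02X" % b for b in blob)


# Constructed stand-in for the index.html described above
SAMPLE_HTML = ("<html><body><script>\n"
               "document.write(unescape('" + hex_escape(build_fake_pe()) + "'));\n"
               "</script></body></html>\n")

if __name__ == "__main__":
    for off, blob, is_pe in scan_html(SAMPLE_HTML):
        print("unescape() at offset %d: %d bytes, PE header: %s" % (off, len(blob), is_pe))
```

Running it on the constructed page reports one unescape() call whose decoded bytes carry a PE header, which is the signal to pull the blob out and hand it to a sandbox rather than a browser.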
So is it a failed exploit? I don’t think so. Let’s move to the second file and see… Oh wait, ieexp.htm? Let me guess: “Internet Explorer exploit”? Let’s take a look…
The first few lines of the exploit code. I’m very familiar with this heap stuff. This is Alexander Sotirov’s HeapLib, which has been adapted in Metasploit. Let’s scroll down a bit more…
That’s the shellcode part (keep scrolling)…
That’s the trigger…
So what is the “interesting” part here? It’s CVE-2012-4792 (or, as some might call it, the “watering hole attack”), and it’s taken from the initial release of the exploit in the Metasploit framework (or maybe an earlier version). You can verify it from the history section of this code: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cbutton_uaf.rb
Next, let’s analyze the shellcode portion of the exploit…
Thanks to LibEmu, we are able to emulate the shellcode as shown. Please take a closer look at the URLDownloadToFile part: they are trying to download the index.html file that we analyzed earlier. Okay, this is interesting to me, since this is my first time dealing with this technique of hiding a malicious executable binary…
I performed a quick Google search with the exploit file name this morning, and easily found at least 26 more live exploit pages.
Besides CVE-2012-4792, there is another Java exploit which is also contained in this same website, but I won’t cover that in this write-up. Just know that updates/patches for these two vulnerabilities (for Internet Explorer and Java) have already been released; please keep your software (and yourself) up-to-date with this kind of threat.
That’s all from me for now. Till next time, stay safe!
–Adnan Shukor