Yesterday, it was reported that an Internet Explorer zero-day threat was actively being exploited in the wild. We did a quick analysis and have some interesting findings.
The exploit contains four parts:
- Exploit.html. First-stage exploiting web page (initialize variables and load the .swf file).
- Moh2010.swf. Encrypted SWF using DoSWF, it contains shellcode and heap spray code. After the heap spray is done, it loads Protect.html to trigger the vulnerability.
- Protect.html. Detects the browser/Flash version and triggers the vulnerability.
- 111.exe. The Trojan.
Unlike common exploits that keep everything in HTML/JavaScript, this threat hides all the important elements, such as the shellcode and the heap spray code, in the encrypted SWF file. The exploitation part is very simple. Because it targets only Windows XP SP3 with IE8, there is no need to bypass ASLR; it uses only a ROP payload to bypass Windows Data Execution Prevention. The ROP gadget is hardcoded from the msvcrt.dll module.
0:008> u 0x77c15ed5
msvcrt!_pi_by_2_to_61+0x12db:
77c15ed5 94 xchg eax,esp
77c15ed6 c3 ret
The ROP payload calls kernel32!VirtualAlloc to change the memory holding the shellcode to RWX.
0c10104c 00000000 0c18fa00 00005500 00001000 kernel32!VirtualAllocEx
0:008> !address eax
0c120000 : 0c18f000 - 00006000
Type 00020000 MEM_PRIVATE
Protect 00000040 PAGE_EXECUTE_READWRITE
State 00001000 MEM_COMMIT
Usage RegionUsageIsVAD
The actual shellcode is XOR-encoded with the byte 0xE2, and it also uses a hook-hopping technique (skipping over the inline hook placed at an API's entry point) when calling APIs such as urlmon!URLDownloadToCacheFileW, kernel32!CreateFileW, and kernel32!WinExec. Hook hopping is commonly used to bypass security protections such as AV and HIPS. After successful exploitation, the shellcode downloads a Trojan from a remote server.
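To illustrate the analysis step above, here is an added example (not code from the McAfee post) that recovers the single-byte XOR key of an encoded shellcode blob by trying all 256 keys and scoring each candidate for the API names named above and a common PEB-lookup stub; the sample bytes are constructed, not taken from the real sample.

```python
# Added example, not code from the McAfee post: recover the single-byte XOR
# key of an encoded shellcode blob, as an analyst would when extracting the
# payload from the decrypted SWF. The sample bytes below are constructed.

# Indicators expected in decoded x86 shellcode: the API names the post says
# the shellcode calls, plus "mov eax, fs:[0x30]" (PEB access used to locate
# kernel32 by hand instead of through a possibly hooked import).
INDICATORS = [
    b"URLDownloadToCacheFileW",
    b"CreateFileW",
    b"WinExec",
    b"kernel32",
    b"\x64\xa1\x30\x00\x00\x00",  # mov eax, fs:[0x30]
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key (encoding and decoding are the same op)."""
    return bytes(b ^ key for b in data)


def score_candidate(data: bytes) -> int:
    """Sum the lengths of all indicators found; longer matches weigh more."""
    return sum(len(ind) for ind in INDICATORS if ind in data)


def recover_xor_key(encoded: bytes):
    """Try all 256 keys; return (key, decoded) for the best-scoring one,
    or None if no key yields any indicator (i.e. not a single-byte XOR)."""
    best = None
    best_score = 0
    for key in range(256):
        candidate = xor_bytes(encoded, key)
        score = score_candidate(candidate)
        if score > best_score:
            best, best_score = (key, candidate), score
    return best


# Constructed stand-in for the decoded shellcode: PEB lookup stub, a few
# filler bytes, and the API name strings the shellcode would resolve.
SAMPLE_PLAIN = (
    b"\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c"
    b"kernel32\x00WinExec\x00URLDownloadToCacheFileW\x00"
)
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAIN, 0xE2)  # encoded with the post's key

if __name__ == "__main__":
    result = recover_xor_key(SAMPLE_ENCODED)
    if result is None:
        print("no single-byte XOR key found")
    else:
        key, decoded = result
        print(f"key=0x{key:02x} decoded={decoded!r}")
```

A multi-byte or rolling key will not be recovered this way; in that case the decoder loop in the SWF itself is the next thing to read.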
Coverage/Mitigation
McAfee NSP will release the UDS “UDS-HTTP: Microsoft Internet Explorer Use-After-Free execCommand Heap Spray Code Execution” to cover the threat.
McAfee HIPS 8.0 P2 can block the zero-day exploit with the following Generic Buffer Overflow Protection signatures:
- 6013 – Suspicious Function Invocation – CALL Not Found
- 6048 – Suspicious Function Invocation – Different Stack
AV detection is available in the current Beta DATs as “Exploit-IEexecCommand”.
Thanks to my colleagues Xiaobo Chen and Hirosh Joseph for the analysis.