Wednesday, June 20, 2012

CVE-2012-1875 Encoded Reach Back Decoding

One of the first things I do when I get a new exploit sample (e.g. CVE-2012-1875), is try to determine what (or where) the payload is, after which I'll try to obtain it for further analysis.  In the case of the two samples provided by Contagio (, I looked through the html pages in search of an "in the clear" redirect or a script.  Immediately, the variable "vbc" jumped out at me (see snippet below).

var vbc =("NewYoukv10EBNewYoukv4B5BNewYoukvC933NewYoukvB966NewYoukv0171NewYoukv3480NewYoukv110BNewYoukvFAE2NewYoukv05EBNewYoukvEBE8NewYoukvFFFFNewYoukvF8FFNewYoukv1013NewYoukv1111NewYoukv754E"+

The first thing that stands out is the delimiter "NewYoukv".  Once removed, we end up with something like this:

When approaching this in this manner, however, don't forget to swap the bytes (remember our good friend unicode?).  This will give us something like this:

Or, we can always look down the html script a little to see what's going on with this variable:
- var xbc=vbc.replace(/NewYoukv/g,"%u");   
- var gjb=unescape(xbc);

We're not quite out of the woods yet though.  This is because we still need to XOR the script with 0x11 to reveal the reach back to the malicious payload.  The two pics below show a "before and after" comparison of the tail section of two different samples - the reach back is revealed in the "decoded" section.  Now all we gotta do is grab the two executable for analysis (before they are taken down) and implement the appropriate mitigation strategies.

No comments:

Post a Comment