Tuesday, December 17, 2013

Aurora exploit still floating ...

It's been around two years since Microsoft released a patch for the IE 0day famously known as the Aurora exploit (CVE-2010-0249). We had blogged about this in the past when it was first seen in the wild on the 'GOV.CN' domain. This vulnerability targets IE version 6. Despite the passage of time, we continue to find live exploits for this vulnerability. Recently, we found a new URL which is serving the Aurora exploit code.

Exploit URL: hxxp://www.artbridal.com/bizcodi/gm/news.html

Let's take a look at the exploit code being delivered.
 

The exploit is delivered via obfuscated JavaScript code, although the level of obfuscation is not very high. Some of the strings and JavaScript function names are been obfuscated. The following is a snapshot of the de-obfuscated code.


If you observe the first image, the SPAN tag holds an IMG tag on which the 'onload' event calls an event handler  function 'eve'. This in turn creates an event object called 'e1', using the 'document.createEventObject' method. Then, by using an '.innerHTML' property, it assigns a null string to SPAN object 'sp1', but instead, the 'sp1' object is removed. In the function 'eve', the freed object is referenced, causing memory corruption in the form of an access violation in IE. To exploit this condition, the exploit code uses a typical heap spray technique to load the shellcode into memory for the execution. When the shellcode is executed, it tries to download a malicious file from the URL 'hxxp://fly-tld.ru/w.php?f=47&e=3'.  For a more detailed analysis, you can refer to this blog.
To obtain the aforementioned URL, the PE executable file was formed and extracted from the shell code in the exploit. The EXE was then examined using a debugger to extract the URL as can be seen below.


This URL is down at the moment, so further post exploitation analysis was not possible.

Reports:
VT URL Scan on found URL : 4/51 detections.
VT File Scan on EXE formed from Shellcode: 27/41 detections.

Various other URLs that have been seen in the past with similar patterns - '/w.php?f=(\d){2}&e=(\d){1,2}' include:

hxxp://synergyledlighting.net/w.php?f=56&e=4
hxxp://nicesextubes.co/w.php?f=18&e=6 
hxxp://iplaecrcocee.com/w.php?f=26&e=2
hxxp://iplaecrcocee.com/w.php?f=26&e=2
hxxp://examine.arsb.co.uk/w.php?f=20&e=2
hxxp://exciting.simssocialcheat.com/w.php?f=22&e=2
hxxp://oyacromifh.com/w.php?f=26&e=2
hxxp://eteaescopr.com/w.php?f=26&e=2


The obvious reason behind attacking old CVE's is the belief of attackers, that there are still un-patched and outdated browser's out there on end user machines. Sadly, they're correct. To avoid such attacks we suggest updating browsers with latest patches and migrating to the most recent version of the browser. 

Stay updated, Stay Safe!

Pradeep

No comments: