The creativity and research seen in Anti-virus evasion is interesting, not to consider the "maturing" nature of AV industry :)
We have, multiple times in the past, came across Microsoft Office related exploits packaged and delivered as MIME HTML documents with a .doc extension. Surely Microsoft Word is known to handle and process such documents. Recently we came across a well known exploit for MS12-0158, which is detected by almost all major Anti-virus software in its raw form, however we noticed 100% evasion against the common AV products, when delivered as a MIME HTML package.
Anybody analysing a malicious Word document will be surprised at the first look of the content of the file. During further investigation, it was found that Microsoft Word support what is called a MIME HTML Web Archive. It was identified that the HTML code in turn invokes a known to be vulnerable control with data that triggers a Stack based Buffer Overflow in MSCOMCTL.OCX.
The parameter to the ListView control that exploits the vulnerability is also embedded as a part of the document:
Even though the sample evaded all AVs we tested at the time of writing, the above document part in its raw form (Base64 decoded) seem to be quite well known among AV products.
The next step was to look into the exploit itself and the shellcode responsible for delivering the payload. A quick look on the decoded bytes gave an idea about the possible nature of the exploit and the start of the shellcode. Multiple NOP (0x90) bytes were identified prepended to a jmp short (0xeb) instruction.
Here 0x27583c30 is a platform independent address of JMP ESP instruction in MSCOMCTL.OCX used as a RETURN ADDRESS for exploitation of the vulnerability. The JMP ESP return is used for transition to shellcode that follows the return address.
The RETURN ADDRESS in the above dump is immediately followed by the shellcode that starts with a bunch of NOP instruction. Upon closer inspection, the shellcode was found to be XOR encoded. The decoder decodes the actual payload by performing XOR operation on each byte with 0xBF as the key.
The 2nd stage shellcode in turn performs the following:
We have, multiple times in the past, came across Microsoft Office related exploits packaged and delivered as MIME HTML documents with a .doc extension. Surely Microsoft Word is known to handle and process such documents. Recently we came across a well known exploit for MS12-0158, which is detected by almost all major Anti-virus software in its raw form, however we noticed 100% evasion against the common AV products, when delivered as a MIME HTML package.
MIME HTML Package of MS12-0158 Exploit |
Anybody analysing a malicious Word document will be surprised at the first look of the content of the file. During further investigation, it was found that Microsoft Word support what is called a MIME HTML Web Archive. It was identified that the HTML code in turn invokes a known to be vulnerable control with data that triggers a Stack based Buffer Overflow in MSCOMCTL.OCX.
The parameter to the ListView control that exploits the vulnerability is also embedded as a part of the document:
The part is referenced by ActiveX control initialisation earlier in the document. |
Even though the sample evaded all AVs we tested at the time of writing, the above document part in its raw form (Base64 decoded) seem to be quite well known among AV products.
The next step was to look into the exploit itself and the shellcode responsible for delivering the payload. A quick look on the decoded bytes gave an idea about the possible nature of the exploit and the start of the shellcode. Multiple NOP (0x90) bytes were identified prepended to a jmp short (0xeb) instruction.
Hexdump of param data passed to ListView control |
Here 0x27583c30 is a platform independent address of JMP ESP instruction in MSCOMCTL.OCX used as a RETURN ADDRESS for exploitation of the vulnerability. The JMP ESP return is used for transition to shellcode that follows the return address.
The RETURN ADDRESS in the above dump is immediately followed by the shellcode that starts with a bunch of NOP instruction. Upon closer inspection, the shellcode was found to be XOR encoded. The decoder decodes the actual payload by performing XOR operation on each byte with 0xBF as the key.
XOR decoding of shellcode |
The 2nd stage shellcode in turn performs the following:
- Extracts an embedded executable from the document.
- Decodes the executable.
- Drops and runs the executable from the Temporary Directory.
- The dropped executable in turn runs a VBE payload which is persisted by creating a shortcut in the current user startup directory.
Small correction. Mixed IDs MS12-027 and CVE-2012-0158 in para-2 line-3.
ReplyDeleteIt’s very informative and you are obviously very knowledgeable in this area. You have opened my eyes to varying views on this topic with interesting and solid content. psd to email
ReplyDeleteYour website is really cool and this is a great inspiring article. seo new york
ReplyDeleteInteractive Voice Response System are An over-simplification would be to say that our cloud platform is a highly complex and tightly integrated IVR system.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteHowever, if you want to create a sophisticated online form to collect information from your visitors and respond to their questions, you need to know something about HTML and another programming language called PHP.Web Design Company
ReplyDeleteĐặt vé máy bay tại Aivivu, tham khảo
ReplyDeletemua ve may bay di my
vé máy bay từ mỹ về việt nam bao nhiêu tiền
khi nào có chuyến bay từ anh về việt nam
lịch bay từ pháp về việt nam
perde modelleri
ReplyDeletesms onay
Mobil Ödeme Bozdurma
nft nasıl alınır
ANKARA EVDEN EVE NAKLİYAT
trafik sigortası
DEDEKTOR
Site Kurma
aşk kitapları
Smm panel
ReplyDeleteSmm panel
iş ilanları
İnstagram Takipçi Satın Al
Hirdavatci Burada
beyazesyateknikservisi.com.tr
Servis
Jeton hilesi
Good content. You write beautiful things.
ReplyDeletesportsbet
hacklink
mrbahis
taksi
sportsbet
vbet
hacklink
korsan taksi
mrbahis
betmatik
ReplyDeletekralbet
betpark
tipobet
slot siteleri
kibris bahis siteleri
poker siteleri
bonus veren siteler
mobil ödeme bahis
X00
çeşme
ReplyDeletemardin
başakşehir
bitlis
edremit
C7V6R
bilecik
ReplyDeletegebze
ısparta
şırnak
alsancak
NV6Eİ5
salt likit
ReplyDeletesalt likit
FTN
https://saglamproxy.com
ReplyDeletemetin2 proxy
proxy satın al
knight online proxy
mobil proxy satın al
JMRG