3S Labs Banner

Tuesday, July 8, 2014

Word Exploit Delivery using MIME HTML Web Archive

The creativity and research seen in Anti-virus evasion is interesting, not to consider the "maturing" nature of AV industry :)

We have, multiple times in the past, came across Microsoft Office related exploits packaged and delivered as MIME HTML documents with a .doc extension. Surely Microsoft Word is known to handle and process such documents. Recently we came across a well known exploit for MS12-0158, which is detected by almost all major Anti-virus software in its raw form, however we noticed 100% evasion against the common AV products, when delivered as a MIME HTML package.

MIME HTML Package of MS12-0158 Exploit

Anybody analysing a malicious Word document will be surprised at the first look of the content of the file. During further investigation, it was found that Microsoft Word support what is called a MIME HTML Web Archive. It was identified that the HTML code in turn invokes a known to be vulnerable control with data that triggers a Stack based Buffer Overflow in MSCOMCTL.OCX.


The parameter to the ListView control that exploits the vulnerability is also embedded as a part of the document:

The part is referenced by ActiveX control initialisation earlier in the document.

Even though the sample evaded all AVs we tested at the time of writing, the above document part in its raw form (Base64 decoded) seem to be quite well known among AV products.


The next step was to look into the exploit itself and the shellcode responsible for delivering the payload. A quick look on the decoded bytes gave an idea about the possible nature of the exploit and the start of the shellcode. Multiple NOP (0x90) bytes were identified prepended to a jmp short (0xeb) instruction.

Hexdump of param data passed to ListView control

Here 0x27583c30 is a platform independent address of JMP ESP instruction in MSCOMCTL.OCX used as a RETURN ADDRESS for exploitation of the vulnerability. The JMP ESP return is used for transition to shellcode that follows the return address.



The RETURN ADDRESS in the above dump is immediately followed by the shellcode that starts with a bunch of NOP instruction. Upon closer inspection, the shellcode was found to be XOR encoded. The decoder decodes the actual payload by performing XOR operation on each byte with 0xBF as the key.

XOR decoding of shellcode

The 2nd stage shellcode in turn performs the following:
  • Extracts an embedded executable from the document.
  • Decodes the executable.
  • Drops and runs the executable from the Temporary Directory.
  • The dropped executable in turn runs a VBE payload which is persisted by creating a shortcut in the current user startup directory.

15 comments:

  1. Small correction. Mixed IDs MS12-027 and CVE-2012-0158 in para-2 line-3.

    ReplyDelete
  2. It’s very informative and you are obviously very knowledgeable in this area. You have opened my eyes to varying views on this topic with interesting and solid content. psd to email

    ReplyDelete
  3. Your website is really cool and this is a great inspiring article. seo new york

    ReplyDelete
  4. Interactive Voice Response System are An over-simplification would be to say that our cloud platform is a highly complex and tightly integrated IVR system.

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. However, if you want to create a sophisticated online form to collect information from your visitors and respond to their questions, you need to know something about HTML and another programming language called PHP.Web Design Company

    ReplyDelete