shellcode analysis - basic and concept

[email protected] 鄭毓芹 (Julia Cheng), 成大電通所 (NCKU Institute of Computer and Communication Engineering)

Upload: julia-yu-chin-cheng

Post on 18-Jul-2015


Page § 2

Vulnerability, exploit code, shellcode

§ A vulnerability is a weakness that allows an attacker to reduce a system's information assurance.

§ A vulnerability is also known as the attack surface: to use it, an attacker must have at least one applicable tool or technique that can reach the system weakness.

§ An exploit is a piece of software, a chunk of data, or a sequence of commands that causes unintended or unanticipated behaviour in order to gain control through a vulnerability.

§ Shellcode is a small piece of code used as the payload of the exploit code. The name comes from shellcode that starts a command shell from which the attacker can control the compromised machine.

Page § 3

MS09002 Internet Explorer Remote Code Execution Vulnerability

§ Published: 2009-02-10

§ CVE (CAN) ID: CVE-2009-0075

§ Classification: Critical (Windows XP Service Pack 2 and Windows XP Service Pack 3 + IE7)

§ Patch: Cumulative Security Update for Internet Explorer (kb961260)

§ Description: this has become the most popular vulnerability used by drive-by download web pages. The CFunctionPoint function in IE7 and IE8 does not correctly check the parameter content carried by the DOM, so a special string can break the memory protection mechanism and let the attacker execute "any program" with the privileges of the user logged in at the time. The MS09002 exploit code uses a JavaScript heap spray, so the user cannot browse the page normally and the malicious code is executed.

Page § 4

[Figure: heap spray layout. The web page carries HTML content, the MS09002 exploit and the shellcode. The heap is sprayed with blocks of 0C 0C 0C 0C ... (addresses 0C0C0C1C, 0C0C0C2C, 0C0C0C3C, ...; heap spray region 0B1B0270 to 0B1B0280) that contain the shellcode content. Flow: browsing the exploit code attacks IE, then the shellcode is executed.]

Page § 5

Fragus Exploit Code:

1. Observe the MS09002 exploit code

Page § 6

Shellcode Encode 1: Alpha2

§ Alpha2 is the encoding most RealPlayer exploits use. § Signature: begins with TYIIIIIIIIIIIIIIII

Page § 7

Shellcode Encode 2: Base64

§ Step 1: convert each character to its binary representation

§ Step 2: cut the bit string into 6-bit segments (four segments per three input bytes)

§ Step 3: pad each segment to 8 bits

§ Step 4: map each value through the Base64 code table

  

Base64 code table:

  0-25: A-Z    26-51: a-z    52-61: 0-9    62: +    63: /

Worked example for the input "abc":

  Input bytes (binary):     01100001 01100010 01100011
  Cut into 6-bit groups:    011000 | 010110 | 001001 | 100011
  Padded to 8 bits:         00011000 | 00010110 | 00001001 | 00100011
  Table lookup:             24 (Y)  22 (W)  9 (J)  35 (j)
  Encoded result:           YWJj

Page § 8

Shellcode Encode 2: Base64 (Cont.)

§ Encoding signature: mixed upper- and lower-case letters, and the string may end with equals signs
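The four steps on the previous page, carried out by hand in code. This is an added example, not code from the slides: it keeps every intermediate stage (the 8-bit input, the 6-bit groups, the padded groups, the table values) so each step can be inspected, and it goes one step beyond the slide by showing where the trailing equals signs of the signature above come from (inputs whose length is not a multiple of 3).

```python
import base64

# Added example (not from the slides): Base64 encoding carried out step by
# step as the four steps describe, on the slide's own input "abc".

BASE64_TABLE = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # values 0-25
    "abcdefghijklmnopqrstuvwxyz"   # values 26-51
    "0123456789"                   # values 52-61
    "+/"                           # values 62-63
)


def base64_steps(data: bytes) -> dict:
    """Return every intermediate stage so each step can be inspected."""
    # Step 1: each input byte as an 8-bit binary string
    bits8 = [format(b, "08b") for b in data]
    bitstring = "".join(bits8)
    # A trailing partial group is zero-filled on the right so every
    # segment has 6 bits (this happens only when len(data) % 3 != 0)
    bitstring += "0" * ((-len(bitstring)) % 6)
    # Step 2: cut the bit string into 6-bit segments
    groups6 = [bitstring[i:i + 6] for i in range(0, len(bitstring), 6)]
    # Step 3: pad each segment on the left to 8 bits
    groups8 = ["00" + g for g in groups6]
    # Step 4: the padded value (0..63) indexes the code table
    values = [int(g, 2) for g in groups8]
    chars = [BASE64_TABLE[v] for v in values]
    # Output is always a multiple of 4 characters; '=' fills the remainder,
    # which is why a Base64 blob may end in one or two equals signs
    encoded = "".join(chars) + "=" * ((-len(chars)) % 4)
    return {"bits8": bits8, "groups6": groups6, "groups8": groups8,
            "values": values, "encoded": encoded}


def base64_encode(data: bytes) -> str:
    return base64_steps(data)["encoded"]


if __name__ == "__main__":
    for stage, value in base64_steps(b"abc").items():
        print(f"{stage:>8}: {value}")
    # Cross-check against the standard library
    assert base64_encode(b"abc") == base64.b64encode(b"abc").decode()
```

Running it prints the same four stages as the slide and ends with YWJj; feeding it "ab" or "a" yields YWI= and YQ==, which is the padding the signature refers to.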

Page § 9

Shellcode Encode 3: %u

§ Signature: groups of 4 hexadecimal characters separated by a repeated delimiter (usually %u)

Page § 10

Shellcode Encode 4: US-ASCII 編碼

§ Signature: looks like Chinese characters, and the page contains <meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />
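A small triage helper that recognises the four encodings by the signatures listed on the preceding pages (Alpha2 prefix, Base64 alphabet with optional trailing equals signs, runs of %uXXXX groups, the US-ASCII meta tag). This is an added example, not code from the slides; the sample strings are constructed for illustration and the order of the checks is a choice made here.

```python
import re

# Added example (not from the slides): classify an encoded payload by the
# signatures the slides give. All sample strings below are constructed.

ALPHA2_PREFIX = "TYIIIIIIIIIIIIIIII"                 # Alpha2 signature
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
UNICODE_RE = re.compile(r"(?:%u[0-9A-Fa-f]{4}){4,}")  # runs of %uXXXX groups
USASCII_META_RE = re.compile(
    r'<meta\s+http-equiv=["\']Content-Type["\']\s+'
    r'content=["\']text/html;\s*charset=US-ASCII["\']',
    re.IGNORECASE,
)


def classify_encoding(sample: str) -> str:
    s = sample.strip()
    # Alpha2 output is all letters, so it would also pass the Base64
    # alphabet test; check the distinctive prefix first
    if s.startswith(ALPHA2_PREFIX):
        return "alpha2"
    if USASCII_META_RE.search(s):
        return "us-ascii"
    if UNICODE_RE.search(s):
        return "%u"
    # Base64: only the 64-character alphabet, a multiple of 4 long,
    # and (per the signature) mixed upper and lower case
    if (len(s) >= 16 and len(s) % 4 == 0 and BASE64_RE.match(s)
            and s != s.lower() and s != s.upper()):
        return "base64"
    return "unknown"


def unicode_groups(sample: str) -> list:
    """Return the 4-hex-character groups of a %u-encoded string."""
    return re.findall(r"%u([0-9A-Fa-f]{4})", sample)


SAMPLES = {
    "alpha2": ALPHA2_PREFIX + "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "base64": "YWJjZGVmZ2hpamtsbW5vcA==",      # Base64 of "abcdefghijklmnop"
    "%u": "%u9090%u9090%u4141%u4242%u4343%u4444",
    "us-ascii": '<html><head><meta http-equiv="Content-Type" '
                'content="text/html; charset=US-ASCII" /></head>'
                '<body>...</body></html>',
    "unknown": "var x = document.getElementById('a');",
}


def classify_all(samples=None) -> dict:
    samples = SAMPLES if samples is None else samples
    return {name: classify_encoding(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:>9} -> {result}")
```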

Page § 12

PDF Introduction

§ PDF: Portable Document Format

§ PDF characteristics:

•  Cross platform

•  Preserves the original document layout (page layout)

•  Open standard

§ In December 2007 the PDF format became a standard

§ PDF readers: Adobe Reader, Foxit Reader, Sumatra PDF

§ ASCII-based document format

Page § 13

PDF Format

PDF file layout, top to bottom: header with version, PDF objects (obj ... endobj), cross reference table, trailer, end of file.

•  Object (obj ... endobj): stream data element

•  JavaScript object starts with /JS

Understand more about the PDF format: http://www.4xpdf.com/2008/10/download-iso-32000-1-document-for-free-from-adobecom/

Page § 14

PDF Format -- PDF Objects

Object name                            Description

/OpenAction, /AA (Additional Action)   Run scripts or actions automatically

/Names, /AcroForm, /Action             Run and launch scripts or actions

/JavaScript, /JS                       Run JavaScript

/GoTo*                                 Change the view to a specified destination within the PDF or in another PDF

/Launch                                Launch a program or open a document

/URI                                   Access a URL

/SubmitForm, /GoToR                    Send data to a URL

/RichMedia                             Embed Flash in the PDF

/Filter                                Compression or encoding format of a binary stream

/ObjStm                                Hide objects inside an object stream
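A PDFiD-style keyword count over the object names in the table above, run on a minimal PDF constructed here. This is an added example, not the slides' code and not PDFiD's own implementation; it assumes only the PDF name syntax, in which a name may be written with #xx hex escapes, so /J#53 is the same name as /JS and must be resolved before counting (a detail that matters for the syntax obfuscation discussed later in the deck).

```python
import re

# Added example (not from the slides, not PDFiD's code): count the object
# names from the table in a PDF, resolving #xx name escapes first.

SUSPICIOUS_NAMES = [
    "/OpenAction", "/AA", "/Names", "/AcroForm", "/JavaScript", "/JS",
    "/Launch", "/URI", "/SubmitForm", "/GoToR", "/RichMedia", "/ObjStm",
]

# A PDF name ends at whitespace or a delimiter, so /JS must not match /JSX
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"


def normalize_names(pdf: bytes) -> bytes:
    """Resolve #xx escapes inside names, e.g. /J#53 -> /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), pdf)


def count_names(pdf: bytes) -> dict:
    text = normalize_names(pdf)
    return {name: len(re.findall(re.escape(name.encode()) + _NAME_END, text))
            for name in SUSPICIOUS_NAMES}


def triage(pdf: bytes) -> dict:
    counts = count_names(pdf)
    has_script = counts["/JavaScript"] + counts["/JS"] > 0
    auto_run = counts["/OpenAction"] + counts["/AA"] > 0
    return {"counts": {k: v for k, v in counts.items() if v},
            "javascript": has_script,
            "auto_execute": auto_run,
            # Script that runs without user interaction is the combination
            # worth manual inspection first
            "inspect": has_script and auto_run}


# Constructed sample: a catalog whose /OpenAction points at a JavaScript
# action, with the /JS key hex-escaped the way obfuscated files write it
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /J#53 (var t = this.info.Title;) >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Without the escape normalisation the /JS count for the sample would be zero, which is exactly the blind spot a plain text search (or a grep for /JS) has.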

Page § 15

Malicious PDF attacking: how it works

1. Hackers craft a malicious PDF

2. Distribute it via email attachments, embed it in a malicious web page, or use other means (upload, USB, P2P)

3. The victim opens the file with a vulnerable PDF reader or browser PDF plugin

4. The malicious payloads execute

Page § 16

Malicious PDF attacking: why PDF is targeted

§ PDF is widely used in IT

§ Popular PDF readers and creators have bugs (Acrobat Reader 8.1.1 has several vulnerabilities)

§ Easy to combine with spam mails

§ Easy to combine with client-side attacks (PDF plugin in web browsers)

Page § 17

Malicious PDF Analysis Methodology

1. Observe PDF structure: observe the PDF structure and content such as shellcode, VBA macros, or JavaScript

2. Extract code segments: decrypt, locate and extract suspicious embedded code segments

3. Disassemble malicious code: disassemble, deobfuscate and examine JavaScript, ActionScript or VB macro code

4. Find next steps: understand the next infection step, then return to observing the PDF structure

Page § 18

Malicious PDF Analysis -- Tool Requirements

§ Analysis platform: Linux-based (Ubuntu recommended)

§ Text editors:

–  McAfee FileInsight: http://download.nai.com/products/mcafee-avert/fileinsight.zip

–  Pyew: http://code.google.com/p/pyew/

–  Others: vim, gedit, EmEditor

Page § 19

Malicious PDF Analysis -- Tools

§ Wepawet: analyzes web-based malware –  http://wepawet.iseclab.org/

§ Jsunpack: a generic JavaScript unpacker –  http://jsunpack.jeek.org/dec/go

§ PDFTK: PDF stream decoder

§ SpiderMonkey: JavaScript emulator

§ sctest from libemu: shellcode analysis

§ PDF StructAzer: displays the structure and raw contents of a PDF file

§ PDFiD: identifies strings with scripts and actions in PDF files

§ pdf-parser: identifies key elements of a PDF file without rendering it

Page § 20

Malicious PDF Analysis -- Tools (Cont.)

§ Origami Walker: examines the structure of PDF files

§ Origami pdfscan: identifies strings with scripts and actions

§ Origami extractjs: extracts JavaScript from PDF files

§ Jsunpack-n's pdf.py: extracts JavaScript from PDF files

§ Malzilla: helps deobfuscate JavaScript

Page § 21

Buildup PDF Analysis Lab

§ Step 1: choose a text editor, vim.tiny or gedit

§ Step 2: apt-get install python

§ Step 3: apt-get install pdftk

§ Step 4: install libemu

–  wget http://ncu.dl.sourceforge.net/project/nepenthes/libemu%20development/0.2.0/libemu-0.2.0.tar.gz

–  tar zxvf libemu*.tar.gz

–  cd libemu-0.2.0

–  ./configure --prefix=/opt/libemu/

–  make && make install

Page § 22

Buildup PDF Analysis Lab (Cont.)

§ Step 5: install the SpiderMonkey JavaScript shell (Didier Stevens' modified build)

–  wget http://www.didierstevens.com/files/software/js-1.7.0-mod.tar.gz

–  tar zxvf js-1.7.0-mod.tar.gz

–  cd js/src

–  export CFLAGS="-DJS_C_STRINGS_ARE_UTF8"

–  make -f Makefile.ref

–  JS_DIST=/opt/js make -f Makefile.ref export

Page § 23

Before we start ...

1.  Open the file and look for /JS or /JavaScript

2.  Check whether it is compressed; decompress it with PDFTK

3.  Check whether the JavaScript is obfuscated; analyze it with JS (SpiderMonkey)

4.  Analyze the shellcode with sctest (libemu)

Page § 24

Analysis Sample 1 : Observe /JS

§ $ vim.tiny sample1.pdf, then search for /JS or /JavaScript

§ Look at object 7 (it contains the heap spray code)

§ util.printf() triggers the malicious exploit code

§ This is the Adobe Reader 'util.printf()' JavaScript function stack buffer overflow vulnerability (http://www.securityfocus.com/bid/30035)

Page § 25

[Figure: the JavaScript in object 7, annotated with its three parts: shellcode, heap spray exploit, and util.printf function exploit.]

Page § 26

Analysis Sample1 : Shellcode Inspection

§ This is a malicious PDF file

§ Copy the var payload string to the end of the file and save it as shellcode.txt

§ Remove characters using vim.tiny

–  remove the + signs (together with quotes and dots): :%s/[\"+\.]//g

–  remove the line breaks (join all lines): :%j

§ Reform the %u escapes into raw bytes with perl

–  cat shellcode.txt | perl -pe 's/\%u(..)(..)/chr(hex($2)).chr(hex($1))/ge' | hexdump -C

–  cat shellcode.txt | perl -pe 's/\%u(..)(..)/chr(hex($2)).chr(hex($1))/ge' > shellcode.bin

Page § 27

Analysis Sample1: Shellcode Analysis

§ Feed shellcode.bin to sctest –  /opt/libemu/bin/sctest -Ss 100000 < shellcode.bin

§ Result: a reverse shell to IP 202.190.85.36, port 7777

Page § 28

Analysis Sample2: Observe /JS

§ $ vim.tiny sample2.pdf, then search for /JS or /JavaScript § Look at object 1 and search for the 'Z0pEA5PLzPyyw()' function

§ Found /Filter: the stream is compressed and has to be decompressed first

Stream object dictionary: /Filter with FlateDecode + ASCIIHexDecode, and the stream /Length

Stream objects

• FlateDecode: uses standard zlib compression • ASCIIHexDecode: hexadecimal character conversion
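The two filters named above, applied in the order a /Filter array lists them. This is an added example, not the slides' code and not pdftk's implementation of uncompress; the PDF it decodes is constructed in the block itself (the JavaScript is deflated and then hex-encoded, so a reader must apply ASCIIHexDecode first and FlateDecode second), and the stream extraction regex assumes the simple one-stream layout of that sample.

```python
import binascii
import re
import zlib
from typing import List, Tuple

# Added example (not from the slides, not pdftk's code): decode a stream whose
# /Filter array chains ASCIIHexDecode and FlateDecode.


def ascii_hex_decode(data: bytes) -> bytes:
    # Whitespace between digits is ignored, '>' ends the data, and an odd
    # trailing digit is treated as if a '0' followed it
    digits = re.sub(rb"\s", b"", data.split(b">", 1)[0])
    if len(digits) % 2:
        digits += b"0"
    return binascii.unhexlify(digits)


def flate_decode(data: bytes) -> bytes:
    return zlib.decompress(data)


FILTERS = {b"/ASCIIHexDecode": ascii_hex_decode, b"/FlateDecode": flate_decode}


def decode_stream(raw: bytes, filters: List[bytes]) -> bytes:
    """Apply the filters in the order the /Filter array lists them."""
    out = raw
    for name in filters:
        if name not in FILTERS:
            raise ValueError(f"unsupported filter {name!r}")
        out = FILTERS[name](out)
    return out


def first_stream(pdf: bytes) -> Tuple[List[bytes], bytes]:
    """Return the /Filter names and raw bytes of the first stream object."""
    m = re.search(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", pdf, re.S)
    if m is None:
        raise ValueError("no stream object found")
    filters = re.findall(rb"/(?:ASCIIHexDecode|FlateDecode)", m.group(1))
    return filters, m.group(2)


def uncompress_first_stream(pdf: bytes) -> bytes:
    filters, raw = first_stream(pdf)
    return decode_stream(raw, filters)


# Constructed sample stream content (harmless JavaScript)
JS_SOURCE = b"app.alert('constructed sample');"


def build_sample_pdf() -> bytes:
    encoded = binascii.hexlify(zlib.compress(JS_SOURCE)).upper() + b">"
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(encoded)).encode()
            + b" /Filter [/ASCIIHexDecode /FlateDecode] >>\nstream\n"
            + encoded + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(uncompress_first_stream(build_sample_pdf()).decode())
```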

Page § 29

Analysis Sample2: Decompression

§ Decompression: use PDFTK –  pdftk sample2.pdf output dc-sample2.pdf uncompress

§ Observe /JS again in the decompressed PDF

Page § 30

Analysis Sample3: Obfuscated JavaScript Analysis

§ PDF readers have their own JavaScript engine, and it has bugs

§ A malicious PDF can execute JavaScript that triggers exploit code against those bugs

§ Use a JS emulator to analyze the JavaScript

Page § 31

Analysis Sample3: Observe and decompress

§ Decompress –  pdftk sample3.pdf output dc-sample3.pdf uncompress

§ Look for /JS and find object 13

§ Object 13 contains JavaScript code

§ Copy the JavaScript to sample3.js

§ Remove the carriage returns (^M) generated by PDFTK, using vi:

:%s/\r//g (or type Ctrl-V Ctrl-M in place of \r)

Page § 32

Analysis Sample3: JavaScript Analysis

§ JavaScript emulator –  /opt/js/bin/js sample3.js

§ Analyze the eval.001.log file written by the modified js shell

Page § 33

Analysis Sample3: Shellcode Reform and Analysis

§ Unicode reform:

–  cat shellcode.txt | perl -pe 's/\%u(..)(..)/chr(hex($2)).chr(hex($1))/ge' | hexdump -C

–  cat shellcode.txt | perl -pe 's/\%u(..)(..)/chr(hex($2)).chr(hex($1))/ge' > shellcode.bin

§ Shellcode analysis –  /opt/libemu/bin/sctest -Ss 100000 < shellcode.bin
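The clean-up and reform steps used here and on the Sample 1 page (remove quotes, plus signs and dots; join the lines; turn each %uXXYY into the two bytes YY XX; inspect with hexdump -C), written as one script. This is an added example, not the slides' code; the payload text is constructed so that the decoded bytes spell a harmless string, and the hexdump formatting is this script's own imitation of hexdump -C.

```python
import re

# Added example (not from the slides): Python equivalent of the vim clean-up
# and the perl one-liner, plus a hexdump -C style view. Sample is constructed.


def clean_payload_text(text: str) -> str:
    """Mirror the vim steps: drop quotes, '+' and '.', then join the lines."""
    text = re.sub(r'["+.]', "", text)
    return "".join(line.strip() for line in text.splitlines())


def unicode_reform(text: str) -> bytes:
    """Equivalent of perl -pe 's/\\%u(..)(..)/chr(hex($2)).chr(hex($1))/ge'.

    %uXXYY is a little-endian 16-bit value, so byte YY is emitted before XX;
    text between escapes is passed through unchanged, as perl -pe does."""
    out = bytearray()
    pos = 0
    for m in re.finditer(r"%u([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})", text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(2), 16))   # low byte first
        out.append(int(m.group(1), 16))   # then the high byte
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes the way hexdump -C does (offset, hex bytes, ASCII)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{text}|")
    lines.append(f"{len(data):08x}")
    return "\n".join(lines)


# Constructed stand-in for the copied "var payload" string
SAMPLE_PAYLOAD = '''"%u6548%u6c6c" +
"%u2c6f%u5720" +
"%u726f%u646c"'''


def reform_sample() -> bytes:
    return unicode_reform(clean_payload_text(SAMPLE_PAYLOAD))


if __name__ == "__main__":
    shellcode = reform_sample()
    print(hexdump(shellcode))
    with open("shellcode.bin", "wb") as f:   # the file sctest reads
        f.write(shellcode)
```

The byte order swap is the detail to get right: %u6548 is the 16-bit value 0x6548 stored little-endian, so the bytes in memory are 48 65, which is why the perl expression emits $2 before $1.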

Page § 34

Analysis Sample3: Shellcode Explanation

Page § 35

Analyze sample 4: PDF syntax obfuscation

§ PDF uses its own syntax for document handling –  This.Info.Title –  getPageNum

Analysis steps: –  observe and decompress –  extract JavaScript –  JS analysis –  shellcode execution and analysis

How many exploits? List the download URLs and the malware

Julia Cheng [email protected]