University of Trento, Italy, Feb 20, 2016
Report submitted in Partial Fulfillment of the Course Offensive Technologies
Università degli Studi di Trento
Master of Science in Computer Science
EIT Digital Master of Science in Security and Privacy
https://securitylab.disi.unitn.it/doku.php?id=course_on_offensive_technologies
Hacking Team MS Word 2013 exploit Analysis
Amit Gupta, Ali Davanian
The stairway to understand Hacking Team Word 2013 exploit

Introduction
In this study, an exploit of Hacking Team (Team, 2015) affecting Microsoft Office 2007, 2010 and 2013 has been assessed. The exploit leverages the capability of Microsoft Word to render Shockwave Flash files and exploits a vulnerability in the Internet Explorer ActiveX control. We claim that the vulnerability is a memory corruption and that the exploit overwrites the adjacent heap to run arbitrary code downloaded from a chosen web source. Our reverse engineering of the SWF file (the shellcode container) shows that, to the best of our knowledge, this exploit is different from the other analyzed Flash Player exploits in (Pi, 2015) and (Li, 2015). Unfortunately, three years later, in 2016, only 1 out of 54 antivirus engines is able to detect the maliciousness of the document (virustotal, 2016). In other words, if a user receives a malicious Microsoft Word file like the one we produced, and she has Avira, AVG, ESET NOD32, Kaspersky, etc. updated to the latest version, the document will not be detected as malicious and she will probably open it. Furthermore, during our exploit testing we found that this exploit still works with 2015 Flash versions (refer to Table 1, list of Flash versions vulnerable to the HT Word 2013 exploit, for the vulnerable versions we found) and Office Word 2013 (Microsoft published an update to patch this vulnerability after the HT dump went public) installed on a 32-bit Windows 7. This vulnerability is, however, patched in the last published Flash Player version we tested (refer to Table 1). In the rest of this report we first review our static and dynamic analysis of the exploit builder and the shellcode, and then we combine these two results. Finally we describe our testing environments and the configurations we made.
Static Analysis
In this section we review our assessment of the exploit builder (ht-2013-002-Word\exploit.py), the ActiveX bin file (ht-2013-002-Word\resources\activeX\activeX1.bin), the shellcode (ht-2013-002-Word\resources\shellcode) and the final produced SWF file (attachment 1). Because of the coupling between these resources we analyze them all together.
Embedding ActiveX and Shockwave Flash exploit
This exploit embeds an ActiveX binary which in turn runs a Shockwave Flash file; the shellcode is actually inside the Shockwave Flash file. To do this the builder script loads the input docx file, unpacks it, adds the required bin file and then packs it again simply using zip.exe. This is possible because of the Office Open XML package format that Word follows, in which a document is a zip container of XML and media parts.
Docx format
Docx files are actually a package of all the media files that you may see in a docx document. If you unpack the file, either with an unpacker or by changing the docx extension to zip and unzipping it, you find several files and directories inside a single docx file.
Injecting Shellcode
The ActiveX bin file is finally copied into the media folder, but in order for Microsoft Word to load and run it, the exploit builder also updates [Content_Types].xml (to load the components that run the SWF) and the relationship links in _rels/document.xml.rels, as shown in the figure.
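The three hooks described in the last two sections (the ActiveX content types in [Content_Types].xml, the control relationship in document.xml.rels and the ActiveX binary part itself) are also what a defender can check when triaging a document. The following Python script is an added example written for readers of this report, not code from the Hacking Team builder or its repository: it opens a docx as a zip package, lists the parts declared as ActiveX, reads the 'control' relationships, reads the classid of each ActiveX XML part and scans the binary part for an SWF header or an embedded URL. The part layout (word/activeX/activeX1.xml and .bin), the Flash control CLSID constant, the assumption that the bin stores its Movie URL as a UTF-16LE string, and the sample package it constructs are all assumptions made for the example.

```python
"""Triage a .docx for ActiveX/Flash loader parts (added example; not code
from the Hacking Team builder). It checks the three package hooks the builder
touches: ActiveX content types in [Content_Types].xml, the 'control'
relationship in word/_rels/document.xml.rels, and the ActiveX parts
themselves. Part names, the Flash CLSID constant and the constructed sample
package are assumptions of this example, not facts from the report."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CT = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
CONTROL_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
               "relationships/control")
AX_CLASSID = "{http://schemas.microsoft.com/office/2006/activeX}classid"
FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"  # Shockwave Flash control
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # plain, zlib- and LZMA-compressed SWF
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,}")
URL_UTF16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")


def activex_parts(zf):
    """Part name -> content type for every part declared as ActiveX."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    by_ext = {d.get("Extension").lower(): d.get("ContentType")
              for d in root.iter(CT + "Default")}
    by_part = {o.get("PartName"): o.get("ContentType")
               for o in root.iter(CT + "Override")}
    found = {}
    for name in zf.namelist():
        ext = name.rsplit(".", 1)[-1].lower()
        ctype = by_part.get("/" + name) or by_ext.get(ext, "")
        if "activex" in ctype.lower():
            found[name] = ctype
    return found


def control_targets(zf, rels="word/_rels/document.xml.rels"):
    """Targets of 'control' relationships: the objects Word instantiates."""
    if rels not in zf.namelist():
        return []
    root = ET.fromstring(zf.read(rels))
    return [r.get("Target") for r in root.iter(REL + "Relationship")
            if r.get("Type") == CONTROL_REL]


def classids(zf, parts):
    """ax:classid of each ActiveX XML part, i.e. which COM object is loaded."""
    return {name: ET.fromstring(zf.read(name)).get(AX_CLASSID, "").upper()
            for name in parts if name.endswith(".xml")}


def urls_in(data):
    """ASCII and UTF-16LE http(s) URLs inside a binary part."""
    found = [m.group().decode("ascii") for m in URL_ASCII.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in URL_UTF16.finditer(data)]
    return found


def triage(docx_bytes):
    """Inspect a docx held in memory and return a report dict."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        parts = activex_parts(zf)
        report = {"activex_parts": parts, "control_targets": control_targets(zf),
                  "classids": classids(zf, parts), "swf_parts": [], "urls": {}}
        for name in parts:
            if name.endswith(".xml"):
                continue
            data = zf.read(name)
            if data[:3] in SWF_MAGICS:          # Flash movie stored in the package
                report["swf_parts"].append(name)
            urls = urls_in(data)
            if urls:                            # Flash movie fetched from the web
                report["urls"][name] = urls
    loads_flash = FLASH_CLSID in report["classids"].values()
    report["suspicious"] = bool(report["control_targets"]) and (
        loads_flash or bool(report["swf_parts"]) or bool(report["urls"]))
    return report


def build_sample_docx(movie_url="http://192.0.2.10/exploit.swf"):
    """Constructed package shaped like the builder's output (not a real exploit)."""
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/>'
          '<Default Extension="bin" ContentType="application/vnd.ms-office.activeX"/>'
          '<Override PartName="/word/activeX/activeX1.xml" ContentType="application/vnd.ms-office.activeX+xml"/>'
          '</Types>')
    doc_rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                '<Relationship Id="rId2" Type="' + CONTROL_REL + '" Target="activeX/activeX1.xml"/>'
                '</Relationships>')
    ax_xml = ('<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
              'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
              'ax:classid="' + FLASH_CLSID + '" ax:persistence="persistStreamInit" r:id="rId1"/>')
    # Stand-in for the control's persisted property stream: the Movie URL as UTF-16LE.
    ax_bin = b"\x00\x00\x01\x00" + movie_url.encode("utf-16-le") + b"\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/activeX/activeX1.xml", ax_xml)
        zf.writestr("word/activeX/activeX1.bin", ax_bin)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage(build_sample_docx()).items():
        print(key, value)
```

Run it as a script to print the report for the constructed sample, or pass the bytes of a real document to triage(). A document can legitimately embed an ActiveX control, so the 'suspicious' flag is a triage hint that the package instantiates a control which loads Flash or references a remote movie, not a verdict.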
Preparing the Shockwave Flash executable
The exploit has a very well-engineered design, meaning that the shellcode itself is separate from the executable. In other words the shellcode file is just the first stage that loads the final payload (the RAT). During the build phase the shellcode is inserted into the SWF file. Here is how:

Figure 5 (exploit.py and swf file)

At the first highlighted part (Figure 5) the shellcode offset in the SWF file is read, and at the second part the content of the shellcode file is read. Afterwards the shellcode is written into the SWF file at that offset. After integration the SWF looks like this, with the highlighted part containing the shellcode:
Exploit Builder
The builder script takes the following parameters:
• URL: the URL that the victim will call to download the malicious agent
• OUTPUT: name of the zip file to generate with the malicious document
• FILE: input document to modify
• FILENAME: name of the malicious document for the victim
• AGENT: name or path of the RAT or Trojan to inject into the victim system
• OUTPUT_SERVER: zip file generated for the server [contains encrypted malware and malicious
Dynamic Analysis
Behavior analysis of the Word 2013 exploit
In this section we mainly report the results we got by manual dynamic analysis of the exploit (to learn about the exploit production and our testing environment please refer to the Exploit Testing section). In a nutshell, when the user clicks the docx file this course of actions happens:
• The dat file is renamed to HEYFINDME.exe (the name we provided to the exploit builder)
• It is placed in the Startup folder
We first started our analysis by examining the network traffic using Wireshark. Afterwards we used the memory usage graph and Procmon to analyze the series of filesystem, registry, network and process events. Using the data taken from Procmon in conjunction with our previous static analysis results, we used WinDbg to dig into memory (attachment 2).
Network traffic analysis of the Word 2013 exploit
To analyze the network traffic we used Wireshark. To find the exploit traffic more easily we used a filter that shows only HTTP requests, since from our static analysis we knew that the exploit tries to connect to a starting http:// address. The filter was "http and ip.dst != 239.255.255.250", which simply shows HTTP traffic and removes the packets going to the SSDP multicast address. After clicking the docx file we could spot two requests, one for the SWF and one for the dat file (Figure 11, HT Word 2013 exploit traffic analysis). Moreover we could match this traffic to the Word process using the Procmon TCP operation filter.
The first request is issued with non-vulnerable Flash players on Windows XP as well, but the second is only issued if the exploitation is successful. Another interesting point we found is the behavior when clicking the document a second time, or when the SWF is not accessible. In the former case the file is not downloaded again because the server returns a 304 status code. In the latter case the request is still sent, and the exploit works as expected.
Memory analysis after clicking the Word 2013 exploit
Using the HEYFINDME string, which we know will be the name of the payload file on the victim system, we found several events in Process Monitor (Windows Sysinternals, n.d.):

Figure 14
Looking at the sequence of actions it is obvious that the exploit tries to create the Trojan file in the Startup folder. Therefore at the time of clicking the Word file no malicious activity happens until the next reboot (more precisely, until the next logon of that user, which is when Startup folder entries are run). By opening the event we traced the calls that led to it and, as expected, some caller sources are unknown (in section Heap Memory analysis we analyze these addresses further):

Figure 15 (stack trace, first trial)
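The Procmon observation above, an Office process that first talks to a web server and then creates an executable in the user's Startup folder, is a usable detection on its own. The script below is an added example and not part of the original report: it reads a Process Monitor CSV export, tracks the TCP peers contacted by each Office process ID and raises an alert when that same PID writes into a Startup folder, marking the alert high severity when network activity preceded the drop. The column names follow Procmon's default CSV export, and the log lines, host name, PIDs and the 192.0.2.10 server address are constructed for the example.

```python
"""Detection over a Process Monitor CSV export (added example, not from the
report). Flags an Office process that contacts a web server and then drops a
file into the user's Startup folder. Column names follow Procmon's default
export and the sample lines are constructed; both are assumptions."""
import csv
import io
import re

OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
# Per-user and all-users Startup folders share this path suffix.
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
WRITE_OPS = {"CreateFile", "WriteFile", "SetRenameInformationFile"}
NET_OPS = {"TCP Connect", "TCP Send", "TCP Receive"}

# Constructed Procmon export; 192.0.2.10 is a documentation-only address.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","WINWORD.EXE","2104","CreateFile","C:\Users\victim\Desktop\invoice.docx","SUCCESS","Desired Access: Generic Read"
"10:01:05.417","WINWORD.EXE","2104","TCP Connect","victim-pc:49310 -> 192.0.2.10:http","SUCCESS","Length: 0"
"10:01:06.230","WINWORD.EXE","2104","QueryDirectory","C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup","SUCCESS","Filter: *"
"10:01:06.245","WINWORD.EXE","2104","TCP Connect","victim-pc:49311 -> 192.0.2.10:http","SUCCESS","Length: 0"
"10:01:07.002","WINWORD.EXE","2104","CreateFile","C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HEYFINDME.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:01:07.100","WINWORD.EXE","2104","WriteFile","C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HEYFINDME.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:02:11.000","explorer.exe","1380","CreateFile","C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini","SUCCESS","Desired Access: Generic Read"
"10:02:30.500","WINWORD.EXE","2104","RegQueryValue","HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings","NAME NOT FOUND","Length: 144"
'''


def parse_events(text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_startup_drop(ev):
    """True for a successful write, create or rename into a Startup folder."""
    if ev["Result"] != "SUCCESS" or not STARTUP.search(ev["Path"]):
        return False
    if ev["Operation"] == "CreateFile":
        # A read-only open of Startup (explorer.exe reading desktop.ini) is normal.
        return "Write" in ev["Detail"] or "Disposition: Create" in ev["Detail"]
    return ev["Operation"] in WRITE_OPS


def detect(events):
    """One alert per (PID, dropped path). 'peers' lists the TCP endpoints the
    same Office PID contacted before the drop, matching what the report saw
    for WINWORD.EXE: fetch the SWF and the .dat, then write to Startup."""
    peers_by_pid = {}
    alerts = {}
    for ev in events:
        if ev["Process Name"].upper() not in OFFICE:
            continue
        pid = ev["PID"]
        if ev["Operation"] in NET_OPS:
            peers_by_pid.setdefault(pid, set()).add(ev["Path"].split("->")[-1].strip())
        elif is_startup_drop(ev):
            key = (pid, ev["Path"].lower())
            if key not in alerts:
                peers = sorted(peers_by_pid.get(pid, ()))
                alerts[key] = {
                    "time": ev["Time of Day"],
                    "process": ev["Process Name"],
                    "pid": pid,
                    "path": ev["Path"],
                    "peers": peers,
                    # Startup entries run at the next logon, so the drop is the last
                    # observable step at document-open time; prior network activity
                    # from the same PID raises confidence.
                    "severity": "high" if peers else "medium",
                }
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_CSV)):
        print(a["severity"], a["process"], a["pid"], a["path"], a["peers"])
```

Export the Procmon capture with File > Save as CSV and feed the file contents to parse_events(). The QueryDirectory on the Startup folder that the report also saw is deliberately not alerted on by itself, since many benign programs enumerate it; the write is the signal.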
One important observation was the success of the exploit in the presence of ASLR. We ran the exploit several times with the same parameters and the stack addresses were different. The next screenshot proves this:

Figure 16 (address fluctuation by 32 MB)

What we realized is that the exploit has a precise method of getting the shellcode address, because in our heap memory analysis we did not find big NOP sleds that would make a random redirection possible.
Heap Memory analysis
After finding the events in Procmon we used WinDbg to look at the memory more closely. After attaching WinDbg to the Word process we examined the loaded modules' addresses (Figure 17) in order to speculate about the possible source of the suspected addresses.
As you can see in Figure 18 (heap memory allocated by Hacking Team's Word 2013 exploit), the caller address is near the last allocated heap. This attracted our attention and we analyzed the heap allocations further using the "!heap -s" command:
By examining the assembly code in the matched areas and comparing these addresses to the Procmon result (Figure 17, Word exploit loaded modules), we assert with confidence that 0a459100 was the start address of the shellcode (for that specific run, since the addresses change because of ASLR) and 0a45a36b was the end. Using these two addresses we dumped the shellcode to a file with the ".writemem c:\shellcode.dump 0a459100 0a45a36b" command.
Mapping dynamic info to shellcode source code
According to Procmon, a series of events querying the Startup folder contents can be seen (Figure 22). At 0x87F from the start address of the shellcode (this offset can be used to find the byte opcode in the disassembled .fla file) you can find the portion of code responsible for this. This portion starts at line 720 of the equivalent asm file:

This line is also called by the last line of the shellcode, which proves that the previous portion is the main flow of the shellcode. As you can see in Figure 22, after these requests we have TCP requests that suggest the download of the .dat file (RAT or Trojan, as you wish) happens here. This means this process happens in the lines following the return from the "Startup folder query".
Exploit Testing
The exploit, as mentioned in the Exploit Builder section, is built from the docx input file, the server address and the final Trojan (RAT) to be installed; for the complete list of parameters refer to the Exploit Builder section. In order to run the builder successfully a series of preconfigurations is needed, otherwise the builder fails. These configurations are explained in section Requirements to build the exploit. On the other hand, to run the exploit on the victim the vulnerable applications must be installed. This is reviewed in section Requirements to run the exploit.
Requirements to build the exploit
The steps are as follows:
1. Install the Python version that suits your host (2.6 or 2.7 for 32-bit hosts or 3.x for 64-bit hosts)
2. Install python easy-install by downloading ez_setup.py (Python Package Index, 2016) and
Exploit Bug
The "Trial1" option that we provided in the exploit builder input is used for the zip folder in which the docx exploit will be placed. That zip folder does not get the .zip extension. If you provide the .zip extension in the builder input, the builder fails, because in one part of the code they assume the input has .zip and in another part they assume it does not. The two lines are (314 and 315 in exploit.py):
Requirements to run the exploit
There are 3 .yaml files in the ht-2013-002-Word folder that seem to give information about the exploit and the vulnerable apps. During our analysis we found this information to be misleading. They mention Flash Player v11.1.102.55 as the first vulnerable version, which is not true! We tested this version of Flash Player on Windows 7 and XP (in conjunction with Office 2010 and 2013) and it was not exploitable. The first vulnerable Flash version we found was 11.5.502.146, working both on Windows XP (we tried Office 2010) and Windows 7 (Office 2013), and we were mostly using the 11.5.502.146 version for our analysis. To run the exploit successfully one also needs to install a web server and upload the shellcode (SWF) and the payload. In our case we used XAMPP on a Windows operating system. To recap, our working environment for Windows XP x86 was:
Conclusion
In this study we analyzed the Hacking Team exploit delivery service for the Word 2013 exploit by analyzing the exploit builder they used to produce the exploit for their customers. We analyzed the shellcode and its execution flow using both static and dynamic analysis. Additionally we mapped the source code lines to the dynamic data. Furthermore, using our memory analysis data, we found the possible vulnerability the exploit relies on. Finally we reviewed the environment setup, requirements and configurations for testing this exploit on two different operating systems and application versions.

Although this vulnerability is patched on both the Microsoft and the Adobe side, antivirus products cannot detect it. In other words, if the user runs vulnerable versions her system may still be infected. This is plausible because we could find a vulnerable 2015 Flash Player (Flash Archive, 2015), and people do not update their Office versions regularly. On the other hand, to the best of our knowledge a detailed online explanation of the exploit is not available, and the root cause of the vulnerability, which we claim is a memory corruption, can be further assessed.
Attachments
1. SWF disassembled file, see attachments\HT_word_2013_exploit_swf.fla
2. Raw shellcode (in the resource folder of the exploit) assembly, see attachments\shellcode_RAW.asm
3. Shellcode memory dump taken during the analysis, see attachments\shellcode.dump
4. Ending-A-and-0-trimmed asm equivalent of the shellcode memory dump taken during the analysis, see attachments\shelldump-trimed.asm
5. Screenshots of the successful and failed exploitation with different Flash Players, attachments
References
(2011). Retrieved from Microsoft: https://msdn.microsoft.com/en-us/library/office/gg607163(v=office.14).aspx
Flash Archive. (2015, March 12). Retrieved from Adobe: https://fpdownload.macromedia.com/pub/flashplayer/installers/archive/fp_17.0.0.134_archive.zip
Li, B. (2015, July 7). Hacking Team Flash Zero-Day Integrated Into Exploit Kits. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/
Team, H. (2015). Hacking Team ht-2013-002-Word exploit. Retrieved from GitHub: https://github.com/hackedteam/vector-exploit/tree/master/ht-2013-002-Word
virustotal. (2016, January). Assessment of a custom built Office 2013 exploit. Retrieved from https://www.virustotal.com/en/file/90e555a92c839cd28488db23846e4b0e89c4d81f84d96c6cf27a9acbfb5ebbf2/analysis/1452957999/
Windows Sysinternals. (n.d.). Retrieved from Microsoft: https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx