posted by 블르샤이닝 2016. 8. 11. 12:58
728x90

출처 : http://squa4.tistory.com/9

현재 메일헤더쪽 분석하는데....본문내용을 utf-8로 해놔서 그부분 분석하는방법을 적어둠. 

메일헤더는 다양한 메일서버에서 다양한 형태로 종합 작성되기 때문에 EML 파일을 열어도 잘 못알아보는 경우가 많다.

메일발송 원리는 블로그 내 다른 포스트 글 참조 http://squa4.tistory.com/4

아래는 실제 해킹메일의 헤더를 일부 인용하여 예문으로 만든 것이다. 헤더를 분석해보자.

메일헤더는 아래에서부터 위로 읽는다.위로 갈수록 계속 추가되는 헤더라고 생각하면 된다.


X-라고 붙은 메일헤더는 MIME 형식을 따르지 않는 비표준 형태(임의로 붙인)로 다양한 헤더명이 존재한다. 

* ?UTF-8?B?(BASE64인코딩된값)?=

* ?UTF-8?Q?(UTF-8인코딩된값)?=

  ex) =EA=B2=84=EC=A0=95=EB=B3=B4=EC=95=88=EA=B2=BD=EA=B3=A0 

      =을 %로 치환한 후 UTF-8 디코딩을하면 원하는 값을 얻을 수 있다.

*  스팸 어세신 관련 포스트 http://anyx.tistory.com/28

변환해주는 사이트

http://coderstoolbox.net/string/#!encoding=url&action=decode&charset=utf_8

728x90
posted by 블르샤이닝 2015. 7. 29. 17:17
728x90

요즘 vmprotect때문에 골치아파서 코드 가상화 문서 뒤지면서 보고있음....호오???kisa 자료인듯한데 괜찮음..좋은 내용임.


코드_가상화_기법이_적용된_악성코드_분석_방법_연구_위탁과제_최종보고서 (1).pdf


728x90
posted by 블르샤이닝 2015. 7. 21. 11:26
728x90

이번에 매크로 바이러스 자료 만들면서 제가가진 자료랑 참고자료로 찾은거..


옛날에 만든것같은데 괜찮은것같다. 호오~~~보면 괜찮을듯 


매크로 바이러스의 특징은 기본적으로 문서파일내부의 매크로기능을 토대로 파일의 매크로를 추가하는 형태로 감염시키며, 파일바이러스와 유사하게 특정 파일에 대한 모든 파일을 감염시킬 수 도 있다(실행시 감염되니까)


뭐 요즘은 매크로 바이러스가 뜸하니...뭐 ㅎㅎㅎㅎ 참고용으로 보면 좋을듯 


아참 첨부하는 자료는 인터넷검색으로 찾은건데 어디서 가져왔는지는 모르겠다..(하도돌아다녀서;) 고로 출처는 패스 



ahn_macro2.pdf


-------------------------------

추가 팁 디버거 모드로 오피스 자체에서 분석 가능함. 스택 구조도 표시되게 떠있고 분석하는게 어렵지 않음 .


내가 쓰는 매크로 분법 방법을 알려드릴게요 


1) 오피스를 키고 키보드의 "alt+f11" 을 입력


2) 그럼 비쥬얼 베이직 화면이 뜸. 거기서 보기 부분에 보기 부분에 "직접 실행창", "지역창", "조사식 창" 이리있음. 


3) 악성코드 부분에 올리디버거처럼 브레이크 걸곳에 f9를 입력. 그리고 f8로 진행하면서 코드 확인


그러면 지역창이랑 조사식에서 난독화나 암호화된 코드 진행하면서 확인.


그럼 매크로 바이러스는 분석가능. 끝 


참고로 매크로 바이러스는 디버깅시 매크로가 실행되기때문에 꼭 vm환경이나 테스트 환경에서 하시길~

728x90
posted by 블르샤이닝 2014. 11. 19. 14:38
728x90

혹시 뱅커에 감염되어서 제대로 치료했는데도 인터넷안되면 설정에 들어가서 네트워크 설정부분에서 DNS 자동으로 풀어주어야 한다. 그부분은 백신회사에서 임의로 바꿔줄수없어서 바꿔주지않을겁니다. 참조하세요



http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/


보면 재밌는 내용이 많이 있어서 신기한 취약점...문제는 윈도우에서 ie는 거의다 동작하게 된다는점이다. 크롬이나 다른브라우저는 동작안하지만....뭐 읽어보면 다 대충 내용나온다...호오~?





위에는 확인된 vbs 파일에 대한 정보이며, 해당 코드는 1/10정도....코드 드럽고 어렵게 꼬아놨다..ㅠ 그냥 비슷한 부분의 메모리 할당 부분이있어서 참고용으로 올린다. 파일도 올릴수있으면 참 좋은데;;공개할수없어 저 또한 죄송하군요 ㅠ

---------------------------------------


Microsoft released 16 security updates during its Patch Tuesday release for November 2014, among which includes CVE-2014-6332, or the Windows OLE Automation Array Remote Code Execution Vulnerability (covered in MS14-064). We would like to bring attention to this particular vulnerability for the following reasons:

  1. It impacts almost all Microsoft Windows versions from Windows 95 onward.
  2. A stable exploit exists and works in versions of Internet Explorer from 3 to 11, and can bypass operating system (OS) security utilities and protection such as Enhanced Mitigation Experience Toolkit (EMET), Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR),and Control-Flow Integrity (CFI).
  3. Proof of concept (PoC) exploit code has recently been published by a Chinese researcher namedYuange1975.
  4. Based on the PoC, it’s fairly simple to write malicious VBScript code for attacks.
  5. Attackers may soon utilize the PoC to target unpatched systems.

About the CVE-2014-6332 Vulnerability 

The bug is caused by improper handling resizing an array in the Internet Explorer VBScript engine. VBScript is the default scripting language in ASP (Active Server Pages). Other browsers like Google Chrome do not support VBScript, but Internet Explorer still supports it via a legacy engine to ensure backward compatibility.

An array has the following structure in the VBScript engine:

typedef struct tagSAFEARRAY
{
USHORT cDims;
USHORT fFeatures;
ULONG cbElements;
ULONG cLocks;
PVOID pvData;
SAFEARRAYBOUND rgsabound[ 1 ];
} SAFEARRAY;

typedef struct tagSAFEARRAYBOUND
{
ULONG cElements;
LONG lLbound;
} SAFEARRAYBOUND;

pvData is a pointer to address of the array, and rgsabound [0].cElements stands for the numbers of elements in the array.

Each element is a structure Var, whose size is 0×10:

Var
{
0×00: varType
0×04: padding
0×08: dataHigh
0x0c: dataLow
}

A bug may occur upon redefining an array with new length in VBScript, such as:

redim aa(a0)

redim Preserve aa(a1)
VBScript engine will call function OLEAUT32!SafeArrayRedim(), whose arguments are:
First: ppsaOUT //the safeArray address
Second: psaboundNew //the address of SAFEARRAY, which contains the new
//number of elements: arg_newElementsSize

Fig1-2

Figure 1. Code of function SafeArrayRedim()

The function SafeArrayRedim() does the following steps:

  • Get the size of old array: oldSize= arg_pSafeArray-> cbElements*0×10
  • Set the new number to the array: arg_pSafeArray-> rgsabound[0].cElements = arg_newElementsSize
  • Get the size of new array: newSize = arg_newElementsSize*0×10
  • Get the difference: sub = newSize – oldSize
  • If sub > 0, goto bigger_alloc (this branch has no problem)
  • If sub < 0, goto less_alloc to reallocate memory by function ole32!CRetailMalloc_Realloc()
    In this case, go this branch. Though sub > 0×8000000 as unsigned integer, sub is treated as negative value here because opcode jge works on signed integer.

Here is the problem: integer overflow (singed/unsigned)

  1. cElements is used as unsigned integer; oldsize, newsize, sub is used as unsigned integer
  2. sub is treated as signed integer in opcode jge comparision

The Dangerous PoC Exploit

This critical vulnerability can be triggered in a simple way. For VBScript engine, there is a magic exploitation method called “Godmode”. With “Godmode,” arbitrary code written in VBScript can break the browser sandbox. Attackers do not need to write shellcode and ROP; DEP and ALSR protection is naturally useless here.

Because we can do almost everything by VBScript in “Godmode,” a file infector payload is not necessary in this situation. This makes it easy to evade the detections on heap spray, Return Oriented Programming (ROP), shellcode, or a file infector payload.

Next, we’ll see how the reliable the existing PoC is.

Exploiting the vulnerability

Firstl, the exploit PoC does type confusion using this vulnerability. It defines two arrays: aa and ab, and then resizesaa with a huge number.

       a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim  Preserve aa(a0)
redim   ab(a0)
redim  Preserve aa(a2)

Because the type of arrays aa and ab are same, and the elements number is equal, it’s possible to have the array memory layout as following:

Figure 2. Expected memory layout of array aa, ab

When redim Preserve aa(a2)” ,a2 = a0+&h8000000, is run, it may trigger the vulnerability. If that happens, the out-of-bound elements of aa are accessible. The PoC then uses it to do type confusion on element of ab.

But the memory layout does not always meet the expectation, and the bug may not be triggered every time. So the PoC tries many times to meet the following condition:

  • The address of ab(b0) is a pointer to the type field (naturally, b0=0 here)
  • The address of aa(a0) is a pointer to the data high field of ab(b0)

Which means: address( aa(a0)) is equal to address( ab(b0)) + 8

Figure 3. Memory layout the conditions meet

Then, modifying the ab(b0) data high field equals to modifying the aa(a0) type field — typeconfusion.

Secondly, the PoC makes any memory readable by the type confusion.

Function readmem(add)
On Error Resume Next
ab(b0)=0           // type of aa(a0) is changed to int
aa(a0)=add+4    // the high data of aa(a0) is set to add+4
ab(b0)=1.69759663316747E-313  // thisis 0×0000000800000008
// now, type of aa(a0) is changed to bstr
readmem=lenb(aa(a0))   // length of bstr stores in pBstrBase-4
// lenb(aa(a0)) = [pBstrBase-4] = [add+4-4]
ab(b0)=0
end function

The abovementioned function can return any [add], which is used to enter “Godmode.”

Enter “Godmode”

We know that VBScript can be used in browsers or the local shell. When used in the browser, its behavior is restricted, but the restriction is controlled by some flags. That means, if the flags are modified, VBScript in HTML can do everything as in the local shell. That way, attackers can write malicious code in VBScript easily, which is known as “Godmode.”

The following function in the PoC exploit is used to enter “Godmode”. The said flags exists in the object COleScript. If the address of COleScript is retrieved, the flags can be modified.

function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8) // get address of CScriptEntryPoint which includes pointer to COleScript
i=readmemo(i+16) // get address of COleScript which includes pointer the said safemode flags
j=readmemo(i+&h134)
for k=0 to &h60 step 4  // for compatibility of different IE versions
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim  Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)  // change safemode flags
redim  Preserve aa(a0)
j=0
j=readmemo(i+&h120+k)
Exit for
end if
next
ab(2)=1.69759663316747E-313
runmumaa()
end function

Here, function mydata() can return a variable of function object, which includes a pointer to CScriptEntryPoint. Then we raise a question: If the address of a function object is not accessible using VBScript, how does the PoC make it? The following function shows a smart trick in this PoC:

function mydata()
On Error Resume Next
i=testaa
i=null
redim  Preserve aa(a2)
ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim  Preserve aa(a0)
end function

The key is in the first three lines of the function:

i=testaa

We know that we cannot get the address of a function object in VBScript. This code seems to be nonsense. However, let’s see the call stack when executing it.

Before the above line, the stack is empty. First, the VM translates testaa as a function, and puts its address into the stack. Second, VM translates the address of i, and tries assignment operation. However, the VM finds that the type in stack is function object. So it returns an error and enter error handling. Because “On Error Resume Next” is set in the function mydata(), VM will continue the next sentence even when the error occurs.

i=null

For this line, VM translates “null” first. For “null”, VM will not put a data into stack. Instead, it only changes the type of the last data in stack to 0×1!! Then VM assigns it to i, — that’s just the address of function testaa(), though the type of i is VT_NULL.

The abovementioned lines are used to leak the address of function testaa() from a VT_NULL type.

Conclusion

The “Godmode” of legacy VBScript engine is the most dangerous risk in Internet Explorer. If a suitable vulnerability is found, attackers can develop stable exploits within small effort. CVE-2014-6322 is just one of vulnerabilities the most easily to do that. Fortunately, Microsoft has released patch for that particular CVE, but we still expect Microsoft to provide direct fix for “Godmode,” in the same way Chrome abandoned support for VBScript.

In addition, this vulnerability is fairly simple to exploit and to bypass all protection to enter into VBScript GodMode(), which in turn can make attackers ‘super user’  thus having full control on the system. Attackers do not necessarily need shellcode to compromise their targets.

The scope of affected Windows versions is very broad, with many affected versions (such as Windows 95 and WIndows XP) no longer supported.  This raises the risk for these older OSes in particular, as they are vulnerable to exploits.

This vulnerability is very rare since it affects almost OS versions, and at the same time the exploit is advanced that it bypasses all Microsoft protections including DEP, ASLR, EMET, and CFI. With this killer combination of advanced exploitation technique and wide arrayed of affected platforms, there’s a high possibility that attackers may leverage this in their future attacks.

Solutions and Recommendations

We highly recommend users to implement the following best practices:

  1. Install Microsoft patches immediately. Using any other browser aside from Internet Explorer before patching may also mitigate the risks.
  2. We advise users also to employ newer versions of Windows platforms that are supported by Microsoft.

Trend Micro™ Deep Security and Vulnerability Protection (formerly the Intrusion Defense Firewall plug-in for OfficeScan), part of our Smart Protection Suites, are our recommended solutions for enterprises to defend their systems against these types of attacks and customers with the latest rules are protected against this vulnerability.

Specifically, Trend Micro has released the following Deep Packet Inspection (DPI) rules to protect user systems from threats that may leverage this vulnerability:

  • 1006324 – Windows OLE Automation Array Remote Code Execution Vulnerability (CVE-2014-6332)
  • 1006290 – Microsoft Windows OLE Remote Code Execution Vulnerability
  • 1006291 – Microsoft Windows OLE Remote Code Execution Vulnerability -1

In addition to the above, we have released Network Content Inspection and Network Content Correlation patterns for Trend Micro Deep Discovery Inspector to provide hosts visibility for either the source or affected hosts of the said vulnerability when an exploit attempt occurs. OfficeScan 11 also detects exploit attempts in this manner.

For more information on the support for all vulnerabilities disclosed in this month’s Patch Tuesday, go to our Threat Encyclopedia page

728x90
posted by 블르샤이닝 2014. 9. 29. 15:26
728x90


유니코드 확장명 조작 사례에 대한 문서


내용이 좋아서 참고하면 좋을것같음.


출처는 죄송하지만 잘모르겠습니다. 혹시 작성자나 출처알게되면 수정하겠습니다. 


U_202E_유니코드_확장명_조작_공격사례_연구_140916.pdf


728x90

'그외 해킹기술' 카테고리의 다른 글

매크로 바이러스 자료  (0) 2015.07.21
CVE-2014-6332  (0) 2014.11.19
구글 크롬 패스워드 크랙방법이라네요  (0) 2014.07.30
WRP 무력화  (0) 2014.07.11
pe에서의 ASLR  (2) 2014.02.20
posted by 블르샤이닝 2014. 7. 30. 14:59
728x90

구글 크롬 패스워드 크랙방법이라네요


http://www.rohitab.com/discuss/topic/40997-google-chrome-password-crack/

728x90

'그외 해킹기술' 카테고리의 다른 글

CVE-2014-6332  (0) 2014.11.19
유니코드_확장명_조작_공격사례_연구  (0) 2014.09.29
WRP 무력화  (0) 2014.07.11
pe에서의 ASLR  (2) 2014.02.20
Free Offensive Security Class  (0) 2013.07.17
posted by 블르샤이닝 2014. 7. 11. 13:28
728x90

전에 대구쪽 지원갔다가 윈도우 7에서 악성코드 감염되었던 부분에서 권한문제로 머리아팠던기억이 있다. 해당 문제를 참조해서 하면될듯하다..


http://ezbeat.tistory.com/388

728x90