Fishing kit EK adds support for the CVE-2015-2419 vulnerability - vulnerability warning - the Black Bar Safety Net

ID MYHACK58:62201565695
Type myhack58
Reporter Anonymous
Modified 2015-08-13T00:00:00


The Fishing exploit kit (EK) recently added support for the Internet Explorer vulnerability CVE-2015-2419, which was patched only in July of this year. Quickly weaponizing freshly patched vulnerabilities has long been the habit of the kit's author, but since the second half of 2014 the target had consistently been Adobe Flash Player. CVE-2015-2419 is the second non-Flash vulnerability the kit has adopted; the first was the Silverlight vulnerability CVE-2015-1671. This may be a consequence of the new mitigation Adobe introduced in Flash Player, which prevents an attacker from using a Vector (or similar) object to take control of a corrupted Flash process. The kit can now select Flash, IE or Silverlight exploits according to the target's environment. In addition, the kit has added a new obfuscation and encryption layer to its IE exploit code: every time the landing page runs it must fetch a key and part of the data from the server before the exploit can execute. That information is sent only to victims, i.e. to a vulnerable browser, and is protected with XTEA under a key negotiated by the kit's own Diffie-Hellman implementation.

Using the Diffie-Hellman key exchange protocol to protect the IE exploit code in transit

The kit's landing page is obfuscated at both the HTML and JavaScript level. Once the first layer of obfuscation is removed, the landing page tries to learn about the platform environment, selects an exploit and launches it. The IE exploit in particular goes through two rounds of obfuscation, and a shared-key scheme based on Diffie-Hellman (D-H) is used to treat the exploit code differently for each victim machine. The scheme is built on the jsbn.js library, which is quite similar to cryptico.js.

The victim's browser POSTs the JSON shown below to the attacker's server. The naming here follows the Diffie-Hellman convention: g is the base, p is the modulus and A is the residue (g**a_) mod p, where a_ is the victim's secret exponent, which must never be disclosed. The scheme's attention to the security of these values is, however, insufficient: they are chosen with Math.random, which is not cryptographically secure; they are also too small, and p is never tested for primality. The value v comes from ScriptEngineBuildNumber(), the version identifier of IE's jscript9.


d526","p":"3a5d2e4d0b5a2d2a6b7e2d4e3a8e3c5d","v":"17840"}
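The beacon described above is the one artifact of this scheme a defender actually sees in proxy or WAF logs, so a triage routine for it is useful. The following is an added example, not code from the original post or from the kit: it takes POST bodies, recognises the beacon's shape (hex fields g, p, A plus the numeric v carrying ScriptEngineBuildNumber, as named in the article) and records the weaknesses the article points out, namely a modulus that is far too small and never tested for primality. The log format, the client addresses and all sample values except the article's own p are constructed for this example.

```python
# Added example (not from the original post or the kit): triage of the landing
# page's Diffie-Hellman beacon as it appears in a proxy log. Field names g, p, A
# and v follow the article; the log lines and values below are constructed.
import json
import random
from typing import Dict, List


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test, preceded by trial division."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)  # fixed seed for reproducible triage output
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def triage_dh_beacon(body: str, min_bits: int = 1024) -> Dict[str, object]:
    """Classify one POST body. 'match' is True when the body has the beacon's
    shape; 'findings' lists the cryptographic weaknesses observed."""
    result: Dict[str, object] = {"match": False, "findings": []}
    try:
        obj = json.loads(body)
    except ValueError:
        return result
    if not isinstance(obj, dict) or not {"g", "p", "A", "v"} <= set(obj):
        return result
    try:
        g, p, A = (int(obj[k], 16) for k in ("g", "p", "A"))
        v = int(obj["v"])
    except (TypeError, ValueError):
        return result
    result["match"] = True
    result["jscript9_build"] = v          # ScriptEngineBuildNumber of the client
    result["p_bits"] = p.bit_length()
    findings: List[str] = result["findings"]  # type: ignore[assignment]
    if p.bit_length() < min_bits:
        findings.append("modulus far too small for real D-H")
    if not is_probable_prime(p):
        findings.append("modulus is composite (no primality test)")
    if not 1 < g < p:
        findings.append("generator out of range")
    if not 1 < A < p:
        findings.append("public value out of range")
    return result


def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run the triage over constructed 'client METHOD url body' lines and
    return one alert per matching beacon."""
    alerts = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "POST":
            continue
        client, _, url, body = parts
        verdict = triage_dh_beacon(body)
        if verdict["match"]:
            alerts.append({"client": client, "url": url, **verdict})
    return alerts


SAMPLE_LOG = [  # constructed lines, not captured traffic
    '10.0.0.5 POST /landing {"g":"5","p":"17","A":"8","v":"17840"}',  # p = 0x17 = 23, prime
    '10.0.0.6 POST /landing {"g":"3","p":"15","A":"2","v":"17631"}',  # p = 0x15 = 21, composite
    '10.0.0.7 POST /landing {"g":"2","p":"3a5d2e4d0b5a2d2a6b7e2d4e3a8e3c5d","A":"10","v":"17840"}',  # p from the article
    '10.0.0.8 POST /api {"user":"x"}',
    '10.0.0.9 GET /favicon.ico -',
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

The third sample reuses the article's 126-bit p, which is orders of magnitude below any acceptable D-H modulus; the alert's `findings` and `jscript9_build` fields are what an analyst would pivot on to identify affected clients.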

The attacker replies with the base64-encoded data shown below. B is the attacker's D-H response, i.e. (g**b_) mod p, where b_ is the attacker's secret exponent, which is never sent over the network. k is the encrypted form of the key needed to decrypt b: the attacker generates a random key and encrypts it with XTEA under the D-H shared secret s = (A**b_) mod p. The victim decrypts k with XTEA and then uses the recovered key to decrypt b.


b holds the remaining part of the exploit code (see the Appendix for the complete code) together with some constants. Reaching those constants takes two levels of redirection; the attacker probably did this to prevent static analysis of the exploit code as a whole. As a result, static analysis can follow the code flow but cannot recover the constants: for example, ur0pqm8kx is the key used to decode the shellcode, and stringify is the name of the method called on JSON.



:"ScriptEngineMajorVersion","IIl":"ScriptEngineMinorVersion","Ill":"setInterval","III


Moreover, without the D-H key these captured files cannot be used to reproduce the exploit. The D-H values g, A and p are generated randomly on each run, so they will not match the attacker's original response; the derived D-H shared secret is therefore wrong, k and b decrypt incorrectly, and the exploit code simply cannot run. To observe the attack, one evidently needs to do one of the following:

1) decrypt the code, 2) break the PRNG, or 3) run it in a live environment.

It is not yet clear why the attacker protected only the constant values rather than the entire exploit code. Our preliminary judgement is that they wanted to avoid unnecessary trouble.

CVE-2015-2419 vulnerability details

CVE-2015-2419 is a double-free vulnerability in the native JSON API of jscript9, patched in July of this year. Specifically, the flaw is triggered when JSON.stringify processes deeply nested JSON data. The arguments the attacker passes to JSON.stringify are shown in the Appendix. The trigger routine in the exploit is:

Il1I4['prototype'].yc =
function(a) {
    if (!a.ma(!1)) throw new Error(3);
    a.kb(!1);
    a.ib(!1);
    a.ob(!1);



Verifying the browser version

The exploit code depends on a particular version of jscript9.dll. In the decoded JSON response above we can see that each jscript9.dll build number is paired with its own constant.

"llIlII":{"17416":4080636,"17496":4080636,"17631":4084748,"17640":4084748,"17689":4080652,"17728":4088844,"17801":4088844,"17840":4088840,"17905":40
