1. Introduction
In recent years the exploit kit (EK) market has been in constant flux. In early June 2016 the once-rampant Angler EK disappeared, and the Neutrino EK quickly filled the void. Less than three months later Neutrino EK also went underground, and the RIG EK became the most popular exploit kit. At the beginning of March this year RIG faded from view as well, and a new kit, Nebula EK, arrived.
The exploit for CVE-2016-0189 bundled in Nebula EK carries some improvements over the versions found in other exploit kits, and this article analyzes it in depth.
The tools used:
• IE11(for debugging Javascript)
• windbg
The Nebula EK landing page is shown below.
![](/Article/UploadPic/2017-4/2017417191740599.jpg?www.myhack58.com)
It is not hard to see that the page contains obfuscated JavaScript. Looking more closely at this code, does it feel familiar? Indeed, the obfuscation method is very similar to the one used by the Sundown EK.
The page contains two segments of JavaScript obfuscated in the same way. The first segment, after deobfuscation, is shown below; it is clearly an exploit for CVE-2016-0189.
![](/Article/UploadPic/2017-4/2017417191740159.jpg?www.myhack58.com)
Some analyses of CVE-2016-0189 have already been published, such as the report by Theori [1]. However, these reports do not provide memory-level technical detail, so the reader learns what happens but not why. This article uses windbg to analyze the memory layout during exploitation of the vulnerability, so that the reader gains a deeper understanding of the exploit.
2. Key background for CVE-2016-0189
CVE-2016-0189 is a VBScript vulnerability. The VBScript script engine code lives in vbscript.dll.
2.1. VBScript variables
A VBScript variable occupies 0x10 bytes in memory; the first two bytes specify the variable type (VARTYPE). Common type definitions are shown in the following table [2].
![](/Article/UploadPic/2017-4/2017417191740973.jpg?www.myhack58.com)
We can insert an IsEmpty() call into the VBScript code and then set a breakpoint on vbscript!IsEmpty in windbg to observe the memory [3].
![](/Article/UploadPic/2017-4/2017417191740850.jpg?www.myhack58.com)
Figure 1 debugging VBScript code
![](/Article/UploadPic/2017-4/2017417191740851.jpg?www.myhack58.com)
Here 0a560198 is a str object. The two bytes 0008 indicate the VARTYPE, which according to the table above is exactly vbString (VT_BSTR = 8), and offset 0x8 holds the address of the string.
![](/Article/UploadPic/2017-4/2017417191740214.jpg?www.myhack58.com)
Here it can also be seen that the string is stored as Unicode.
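To make the layout described above concrete without a debugger, the following added example (not code from the original article) decodes a 32-bit VARIANT from a constructed memory image: it reads the VARTYPE from the first two bytes, and for VT_BSTR follows the pointer at offset 0x8 to the BSTR, whose UTF-16LE characters are preceded by a 4-byte byte-length prefix. The image base, the sample string "hello", the VT_I4 variant and the helper names are all assumptions made for the example; only the address 0a560198 and the VARTYPE codes come from the article and the VARENUM table it cites.

```python
import struct

# Subset of the VARENUM type codes from the table the article references
# (documented VARTYPE values; the vb* names are the VBScript VarType names).
VT_EMPTY, VT_NULL, VT_I2, VT_I4, VT_R8, VT_BSTR = 0, 1, 2, 3, 5, 8
VT_DISPATCH, VT_BOOL, VT_VARIANT, VT_UNKNOWN = 9, 11, 12, 13
VT_ARRAY, VT_BYREF = 0x2000, 0x4000
VT_NAMES = {VT_EMPTY: "vbEmpty", VT_NULL: "vbNull", VT_I2: "vbInteger",
            VT_I4: "vbLong", VT_R8: "vbDouble", VT_BSTR: "vbString",
            VT_DISPATCH: "vbObject", VT_BOOL: "vbBoolean",
            VT_VARIANT: "vbVariant", VT_UNKNOWN: "vbDataObject"}

VARIANT_SIZE = 0x10   # 32-bit VARIANT: vt (2) + reserved (6) + value union (8)

# Constructed memory image: BASE is the address of img[0]; the str variant
# from the article sits at 0x0a560198 (BASE + 8).
BASE = 0x0a560190


def build_sample_image():
    """Lay out a VT_BSTR variant, its BSTR, and a VT_I4 variant in 64 bytes."""
    img = bytearray(0x40)
    chars = "hello".encode("utf-16-le")              # constructed sample string
    bstr_ptr = BASE + 0x24                           # BSTR pointer -> characters
    struct.pack_into("<H6xI", img, 0x08, VT_BSTR, bstr_ptr)   # variant #1 at BASE+0x08
    struct.pack_into("<I", img, 0x20, len(chars))             # byte-length prefix at ptr-4
    img[0x24:0x24 + len(chars)] = chars                       # UTF-16LE payload, NUL follows
    struct.pack_into("<H6xi", img, 0x30, VT_I4, 1337)         # variant #2 at BASE+0x30
    return bytes(img)


def decode_variant(img, addr):
    """Decode the 16-byte VARIANT stored at absolute address `addr`."""
    off = addr - BASE
    if off < 0 or off + VARIANT_SIZE > len(img):
        raise ValueError("address %#x is outside the sample image" % addr)
    (vt,) = struct.unpack_from("<H", img, off)       # first two bytes: VARTYPE
    base_type = vt & 0x0FFF                          # strip VT_ARRAY / VT_BYREF flags
    info = {"addr": addr, "vt": vt,
            "type": VT_NAMES.get(base_type, "VT_%d" % base_type),
            "is_array": bool(vt & VT_ARRAY), "is_byref": bool(vt & VT_BYREF)}
    if vt == VT_BSTR:
        (ptr,) = struct.unpack_from("<I", img, off + 8)       # string address at +0x8
        (nbytes,) = struct.unpack_from("<I", img, ptr - 4 - BASE)
        text = img[ptr - BASE:ptr - BASE + nbytes].decode("utf-16-le")
        info.update(ptr=ptr, value=text)
    elif vt == VT_I4:
        (info["value"],) = struct.unpack_from("<i", img, off + 8)
    elif vt == VT_EMPTY:
        info["value"] = None
    else:
        info["value"] = img[off + 8:off + 16]        # raw union bytes for other types
    return info


if __name__ == "__main__":
    image = build_sample_image()
    for a in (0x0a560198, 0x0a5601c0):
        v = decode_variant(image, a)
        print("%08x vt=%04x %-10s %r" % (v["addr"], v["vt"], v["type"], v["value"]))
```

Reading the image with this decoder reproduces what the article observes in windbg: the variant at 0a560198 has VARTYPE 8 (vbString), the pointer at offset 0x8 leads to UTF-16 characters, and the length prefix sits four bytes before that pointer.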
2.2. VBScript array
A VBScript array is defined as follows:
![](/Article/UploadPic/2017-4/2017417191740622.jpg?www.myhack58.com)
When an array element is accessed, the VBScript engine calls the AccessArray function to compute the element's storage address.
Try debugging the following code in windbg, with a breakpoint set at vbscript!AccessArray:
![](/Article/UploadPic/2017-4/2017417191740745.jpg?www.myhack58.com)
![](/Article/UploadPic/2017-4/2017417191740615.jpg?www.myhack58.com)
On the stack, 0ab04380 is the address of array A.
![](/Article/UploadPic/2017-4/2017417191740553.jpg?www.myhack58.com)
The array elements are stored starting at pvData (0x7dfd130).
Stop at the instruction at vbscript!AccessArray+0x9d (this offset may differ between versions):
![](/Article/UploadPic/2017-4/2017417191740754.jpg?www.myhack58.com)
This instruction is crucial: it calculates the address of element A(1,2). Here esi is the SAFEARRAY address, esi+0c is the pvData address, and eax is the element's offset relative to pvData. Check the value of eax:
![](/Article/UploadPic/2017-4/2017417191741274.jpg?www.myhack58.com)
Why is the offset of A(1,2) 0x50? The memory layout of a VBScript array differs from that of a C array. Array A is laid out in memory as A(0,0), A(1,0), A(0,1), A(1,1), A(0,2), A(1,2), and each element is 0x10 bytes (cbElements). Therefore the offset of A(1,2) is 0x50.
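The offset calculation that AccessArray performs can be reproduced from the SAFEARRAY fields alone. The following added example (not code from the article) models the array header with cbElements, pvData and one bound per dimension, computes an element's offset with the leftmost subscript varying fastest, and lists the subscripts in ascending address order; it also generalizes beyond the article's two-dimensional case to any number of dimensions and to non-zero lower bounds such as `Dim B(1 To 3, 5 To 6)`. The pvData value 0x7dfd130 and the element size 0x10 come from the article; the class and function names, and the choice to keep bounds in subscript order, are assumptions of the example (the real SAFEARRAY stores rgsabound with the rightmost subscript first).

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Sequence, Tuple


@dataclass
class SafeArrayBound:
    cElements: int   # number of elements in this dimension
    lLbound: int     # lower bound: 0 for Dim A(1,2), 1 for Dim B(1 To 3)


@dataclass
class SafeArray:
    cbElements: int                 # bytes per element; 0x10 for VARIANT elements
    pvData: int                     # address where element storage begins
    bounds: List[SafeArrayBound]    # kept in subscript order (left to right) for readability;
                                    # the real rgsabound is stored with the rightmost dim first

    @property
    def cDims(self) -> int:
        return len(self.bounds)


def element_offset(arr: SafeArray, subscripts: Sequence[int]) -> int:
    """Byte offset of arr(subscripts) relative to pvData, as AccessArray computes it.

    The leftmost subscript varies fastest, so the stride of dimension k is the
    product of the element counts of all dimensions to its left.
    """
    if len(subscripts) != arr.cDims:
        raise IndexError("expected %d subscripts, got %d" % (arr.cDims, len(subscripts)))
    index, stride = 0, 1
    for sub, bound in zip(subscripts, arr.bounds):
        rel = sub - bound.lLbound
        if not 0 <= rel < bound.cElements:
            raise IndexError("subscript %d out of range" % sub)
        index += rel * stride
        stride *= bound.cElements
    return index * arr.cbElements


def element_address(arr: SafeArray, subscripts: Sequence[int]) -> int:
    """Absolute address of the element: pvData + offset (esi+0c plus eax in the article)."""
    return arr.pvData + element_offset(arr, subscripts)


def in_bounds(arr: SafeArray, subscripts: Sequence[int]) -> bool:
    """True when every subscript lies within its dimension's bounds."""
    try:
        element_offset(arr, subscripts)
        return True
    except IndexError:
        return False


def memory_order(arr: SafeArray) -> List[Tuple[int, ...]]:
    """Subscript tuples in ascending address order (leftmost subscript varies fastest)."""
    ranges = [range(b.lLbound, b.lLbound + b.cElements) for b in arr.bounds]
    return [tuple(reversed(c)) for c in product(*reversed(ranges))]


def dim(*upper: int, cbElements: int = 0x10, pvData: int = 0x07dfd130) -> SafeArray:
    """Build the SafeArray that `Dim A(u0, u1, ...)` produces (lower bounds are 0)."""
    return SafeArray(cbElements, pvData, [SafeArrayBound(u + 1, 0) for u in upper])


if __name__ == "__main__":
    A = dim(1, 2)   # Dim A(1,2): 2 x 3 elements of 0x10 bytes each
    for subs in memory_order(A):
        print("A%s -> offset %#04x, address %#010x"
              % (subs, element_offset(A, subs), element_address(A, subs)))
```

Running the block prints the six elements in the same order the article gives, with A(1,2) at offset 0x50 and address 0x7dfd180. The bounds check in element_offset is the part worth noting for the next section: every element address depends on the cElements and lLbound values held in the SAFEARRAY header at the moment AccessArray runs.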
2.3. Principle of the CVE-2016-0189 vulnerability
The CVE-2016-0189 vulnerability lies in the code of the AccessArray function. Let us look at the logic of this function:
![](/Article/UploadPic/2017-4/2017417191741689.jpg?www.myhack58.com)