After the publication of Flash and IE zero days following the Hacking Team leak, researchers have discovered the use of another zero-day vulnerability by the Tsar Team sometimes referred to as the APT28 and Operation Pawn Storm. iSIGHT Partners discovered Tsar Team leveraging an Office document that included an exploit of a Microsoft Office zero-day vulnerability to execute malicious code remotely. This vulnerability results in a memory corruption of the heap and is known as CVE-2015-2424.
In this post we will provide a brief introduction to how modern shellcode works using this exploit as our example.
Tsar Team used an RTF file (md5=112c64f7c07a959a1cbff6621850a4ad), discussing Iran's nuclear program to lure the victims to open the document resulting in exploitation. Here is a snippet from the document:
Opening the document with a text editor reveals a shellcode about to be executed when the vulnerability (CVE-2015-2424) is triggered:
The first stage of any shellcode is to determine where in memory it is located so it can perform valid calculations and alterations to the code based on its real address in memory. This is achieved with a very simple sequence of instructions: (1) JMP + (2) CALL + (3) POP. The CALL operation will push the current EIP value onto the stack, and the successive POP instruction will place this address into the desired register:
After determining the location of the execution in memory, and thus where the XOR'd shellcode portion is, the shellcode will proceed through two phases of decoding before the execution.
At first it uses a one byte XOR key 0x67 to decode the shellcode:
On the next decoding phase it uses a 21-byte XOR key: 0x703A94849CECD642C65AB66022E4BE08684AAE1018 for the extraction of the actual code:
On this decoding section, the code uses a 0x23D long loop to xor the bytes of the shellcode. On every cycle the AL register is set with another byte from the xor key and then it xors the byte in the memory located in ESI+ECX-1, where ESI points to a constant location in memory (0x40309D) and ECX is the counter, which decreases in each loop. Every 21 loops, AL register starts from the beginning of the xor key.
The next step for the shellcode would be to resolve the base address of kernel32.dll in memory. This can be achieved by parsing the PEB , which is located at FS:[0x30]. Knowing the base address of kernel32.dll will allow the shellcode to further resolve various helpful WinAPI functions, such as finding the addresses of GetProcAddress and LoadLibraryA, which can later be used by the shellcode to proceed with the actual payload execution. A classic example would be to load the library "urlmon.dll" by calling LoadLibraryA (which we already resolved) and later using GerProcAddress to resolve the function URLDownloadToFile to download the payload and eventually call CreateProcess to execute it.
Microsoft was notified about the use of this zero day on June 30. On July 14, Microsoft patched the flaw as part of MS15-070, which affects Office versions 2007 to 2013. For more details about the various vulnerable Office versions read Microsoft's MS15-070 advisory. If you haven't installed the patch yet, we urge you to do so as soon as possible.
Trend Micro also found evidence of Tsar Team using another zero-day vulnerability in Java - CVE-2015-2590 - affecting versions up to 22.214.171.124. Oracle has patched the vulnerability during their July 2015 Critical Patch Update.
Customers of Trustwave's SWG were protected against these two CVEs out of the box.