- Jan 19, 2017
A look at Sundown exploit kit.
So recently a range of things have drawn my personal interest; one of them is understanding exploit kits (EKs) more. Anyone in IT knows the best defence against an attack is to understand the attack fully: understand the attack, and thus where or how to break it and render it useless.
Sundown recently drew my interest, as I was used to poring over RIG EK, RIG EK … and, looking further … RIG EK … Here was something different. Great! So I got hold of two samples of Sundown using a Flash exploit. Okay, Flash … heaps of exploits there, but we will come back to that. Let's see what this little guy does.
Sundown was delivering through an email campaign leading to a gate, a landing page and payload delivery.
Here we can see:
- 192.168.5.56 (Win7 VM, my lab machine)
- 192.158.5.1 (Kali: MITM proxy & Wireshark capture)
- 204.79.197.200 (MarkMonitor)
- 239.255.255.250 (IANA, Internet Assigned Numbers Authority)
- Some IPv6 traffic after that.
The EK points to a DNS name which looks like the good guys have redirected already; nice work.
We then see some TCP packets occurring; at packet no. 8 we see a favicon.ico being requested, which is a small icon file (no. 12, .PNG type).
We then see a heap of SSDP packets (no. 14+), which is the foundation of plug and play (local network discovery).
Further down I see another DNS request for an akamaiedge (conference hosting site) session before MarkMonitor sends a RST/ACK relating to the ICO file mentioned above.
Beyond that it's a repeat, so to me it looks like the good guys are already blocking the EK from hitting its landing page.
Beyond that I saw some DHCPv6 traffic and the EK still trying to work out the local network.
So … now what.
Well, I asked myself: okay, the packet capture did not give me a lot. What else can I learn?
We know this EK is using a Flash exploit; it's using the SWF file type (Shockwave Flash). But what if I actually wanted to know which SWF exploit it was …
Look in the SWF.
What do you mean, “look in the SWF”?
I mean open him up.
It's not a tin of baked beans! What do you mean, “open him up”?
You know what I mean.
That's a bit strong, ain't it? I don't know about this.
So, decompiler in hand, I opened it up looking to try to identify the particular exploit it was using. I was drawn first to the function “Go” and this line (loc_7), which looked like an overflow attack, and in general I was getting a feel for a lot of data being written to memory locations.
Go_var1 was set to execute Go and also extend the ByteArrayAsset … interesting.
So this sent me down a path of looking for overflow attacks against ByteArrayAssets under the mx core …
Oh … look, a GitHub page showing how CVE-2015-0313 works …
Researching CVE-2015-0313 (use-after-free): it refers to a ByteArray being freed from an ActionScript worker, which can FILL THE MEMORY and notify the main thread to corrupt the new contents, which then allows remote code execution.
I concluded at this point that CVE-2015-0313 was being used.
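A static triage pass for the "look in the SWF" step above, added here as an example and not code from the original post: it parses the SWF container header (FWS plain, CWS zlib, ZWS LZMA), checks the declared length, decodes the stage RECT, frame rate and frame count, and string-scans the inflated body for the ActionScript names the analysis turned up (ByteArrayAsset, Worker, ByteArray). The sample SWF is constructed inline; tag records are not parsed.

```python
"""Static triage of a Shockwave Flash (SWF) sample before opening a decompiler.

Added example. Assumes only the SWF container layout: 3-byte signature,
version byte, little-endian file length, then a RECT frame size, an 8.8
fixed-point frame rate and a frame count. Tag records are not parsed.
"""
import struct
import zlib

# Names from the post's own analysis. A hit flags the sample for manual review.
INDICATORS = (b"ByteArrayAsset", b"Worker", b"ByteArray")


def read_rect(body: bytes):
    """Decode the SWF RECT: 5-bit field width, then four signed fields (twips)."""
    nbits = body[0] >> 3
    total_bits = 5 + 4 * nbits
    nbytes = (total_bits + 7) // 8
    bits = int.from_bytes(body[:nbytes], "big") >> (nbytes * 8 - total_bits)  # drop pad bits
    fields = []
    for i in range(4):  # xmin, xmax, ymin, ymax
        v = (bits >> ((3 - i) * nbits)) & ((1 << nbits) - 1)
        fields.append(v - (1 << nbits) if nbits and v >= 1 << (nbits - 1) else v)
    return fields, nbytes


def triage_swf(data: bytes) -> dict:
    """Return header facts, a length-consistency check and indicator hits."""
    sig, version, declared = data[:3], data[3], struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("ZWS (LZMA) container: inflate with an LZMA-aware tool first")
    else:
        raise ValueError(f"not an SWF signature: {sig!r}")
    (xmin, xmax, ymin, ymax), off = read_rect(body)
    rate = struct.unpack("<H", body[off:off + 2])[0] / 256  # 8.8 fixed point
    frames = struct.unpack("<H", body[off + 2:off + 4])[0]
    return {
        "signature": sig.decode(), "version": version,
        "length_ok": declared == 8 + len(body),  # mismatch hints at truncation or tampering
        "frame_px": ((xmax - xmin) // 20, (ymax - ymin) // 20),  # 20 twips per pixel
        "frame_rate": rate, "frame_count": frames,
        "indicators": [n.decode() for n in INDICATORS if n in body],
    }


# Constructed sample: 550x400 px stage, 24 fps, 1 frame, a stand-in for a DoABC
# tag body carrying the class names, then the 2-byte End tag; zlib-wrapped as CWS.
SAMPLE_BODY = (bytes.fromhex("7800055f00000fa000") + bytes.fromhex("0018") + bytes.fromhex("0100")
               + b"mx.core::ByteArrayAsset flash.system::Worker Go" + b"\x00\x00")
SAMPLE_SWF = b"CWS" + bytes([11]) + struct.pack("<I", 8 + len(SAMPLE_BODY)) + zlib.compress(SAMPLE_BODY)

if __name__ == "__main__":
    print(triage_swf(SAMPLE_SWF))
```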
Thankyou
MBYX
No SWFs were harmed in the making; bonus points for the movie reference.