Analysis of the Adobe exploit within Neosploit

It appears that currently the toolkit is under active development. Adobe vulnerability which is exploited is one from CVE-2007-5659 disclosure.

We have seen some old exploit being added, removed, then added again. This was the MS06-067 DirectAnimation.PathControl.KeyFrame() vulnerability. More on this one later.

The function which exploits Adobe vulnerability (CVE-2007-5659) will try to load ActiveX controls in the following order:

1. AcroPDF.PDF
2. PDF.PdfCtrl

If successful then it'll identify the version in use and will continue only if it's below 8.1.2, which makes sense since Adobe realeased an unpdate with this version that fixed the issue. Then, the version is inserted into an already embedded URL string to download the actual PDF file.

Returned PDF file is around 10K in size and contains Zlib compressed obfuscated Javascript. Thus, any IDS detection which looks for the vulnerable code will not pick this one up. Obfuscation method is the same as for all other pages. After peeling this layer off one finds the familiar heap spray function to populate memory with the shellcode. Then, once again a version check is performed. Finally, a long string is created (~ 44K) and used as an argument to Collab.collectEmailInfo() method.

If the overflow works, then the shellcode will GET a URL which is the same as the one before except for one changed byte (from 01 -> 02), perhaps to track which stage is requested. That file is an Executable which will be saved in the user's Temp directory as "sxoC.exe".

For those who rely on HIDS/HIPS, AV, nIDS/nIPS chances are nothing will be seen, unless the dropped binary gets picked up by AV (right!).


Neosploit development update

For the past month or so we have been observing more activity in Neosploit's development. Exploits are being removed then added and new ones introduced. To be fair in relation to the previous post we can now confirm that Adobe exploit IS being used by this toolkit.

Another interesting change is less obvious and not so important to Incident Responders but more so for Intrusion Detection folks. The main Javascript deobfuscation function has seen some changes recently. So, those of you who depend on IDS to detect the script should probably review their traffic, honeypots, hids, etc... for new changes.


Neosploit update and changes

Some interesting changes we have observed:

- URL scheme changed
- Javascript deobfuscation updated
- Vulnerabilities exploited changed

Javascript deobfuscation code has changed a bit. Previously, to get to the actual exploit code one had to go through two decryption stages, this time an additional stage is added to the very first layer. This additional layer does not make a request out to the server.

Basically, upon first visit to the Neosploit site a browser gets one big obfuscated Javascript page. It executes the decryption function which results in another obfuscated javascript layer. This second layer decrypts itself and then runs real javascript of the first stage. This stage adds some encoded parameters to the URL for the second stage.

URL scheme for requests to exploits and binaries has been updated. It appears that a full structure is passed as a parameter to the main script. This struct is hex encoded as a string and uses various flags and variables to track victims and statistics.

Javascript decryption function utilizes the "arguments.callee" trick to convert itself into an uppercase string and use offsets within this string to decrypt the payload. This is the main deobfuscation characteristic of Neosploit. Several changes have been made previously which break down the methods into seperate variables instead of using them directly.

An interesting addition has been included recently, which appends Neosploit's web address to the decoding offset string. Thus, to successfully decrypt the payload the original full address of the script must be known. Also, at the exploit stage there's a function which sets a unique cookie ("ID") with a specific value for a given exploit.

Stage 1

First stage is the initial visit (iframe, redirect, ...) to Neosploit page. At this point a structure is created based on public variables such as the User Agent string and IP address. Then the server returns obfuscated Javascript page, which is dynamically generated with random variables, and contains the first part of the URL for the next stage.

Stage 2

This stage is obfuscated with two layers and then attempts to identify the victim's Service Pack level, and system's language then builds a request string with these parameters to get the second stage. This request URL has a specific argument to the main script. First part is added by the server upon initial visit and consists of various hashed parameters then SP level and language string is appended.

Stage 3
Deobfuscation yields the exploit code for the following vulnerabilities (in exploit order):

- CVE-2006-0003 ; MS06-014 ; MDAC (BD96C556-65A3-11D0-983A-00C04FC29E36)
- CVE-2006-5820 ; "Sb.SuperBuddy.LinkSBIcons()" ; Cookie ID = 9
- CVE-2007-5779 ; "GomWebCtrl.GomManager.1.OpenURL()" ; Cookie ID = 13
- CVE-2008-1472 ; CA BrightStor ArcServe Backup AddColumn() (BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3) ; Cookie ID = 21
- CVE-????-???? ; "QuickTime.QuickTime.4" ; Cookie ID = 6

PS: Symantec stated that recent Adobe vulnerability was being exploited by this toolkit, however the instance which was analyzed for this post did not include any Adobe exploits.