Yesterday, it was reported that an Internet Explorer zero-day threat was actively being exploited in the wild. We did a quick analysis and have some interesting findings.
The exploit contains four parts:
0:008> u 0x77c15ed5
77c15ed5 94 xchg eax,esp
77c15ed6 c3 ret
The ROP payload calls kernel32!VirtualAlloc to change the memory holding the shellcode to RWX (PAGE_EXECUTE_READWRITE):
0c10104c 00000000 0c18fa00 00005500 00001000 kernel32!VirtualAllocEx
0:008> !address eax
0c120000 : 0c18f000 - 00006000
Type 00020000 MEM_PRIVATE
Protect 00000040 PAGE_EXECUTE_READWRITE
State 00001000 MEM_COMMIT
The actual shellcode is XOR-encoded with the single byte 0xE2, and it also uses a hook-hopping technique when calling APIs such as urlmon!URLDownloadToCacheFileW, kernel32!CreateFileW, and kernel32!WinExec. Hook hopping (skipping the first few instructions of an API so that inline hooks placed there by AV or HIPS products are never executed) is commonly used to bypass such security protection. After successful exploitation, the shellcode downloads a Trojan from a remote server.
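As an added illustration (not part of the McAfee analysis), the following Python recovers a single-byte XOR key from an encoded blob by brute force, using the API names the shellcode resolves as known plaintext. The sample blob is constructed here and is not the real shellcode; the function names are assumptions.

```python
# Added example: single-byte XOR key recovery for an encoded shellcode blob,
# scoring each candidate key by the number of known API names it reveals.
from typing import Dict, List, Optional

# API names the analysis says the shellcode calls; used as known plaintext.
KNOWN_PLAINTEXT = (b"URLDownloadToCacheFileW", b"CreateFileW", b"WinExec")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (0x00-0xFF)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes, markers=KNOWN_PLAINTEXT) -> Dict[int, List[str]]:
    """Try all 256 single-byte keys and return {key: [markers found]} for
    every key under which at least one marker string appears."""
    hits: Dict[int, List[str]] = {}
    for key in range(256):
        decoded = xor_bytes(blob, key)
        found = [m.decode() for m in markers if m in decoded]
        if found:
            hits[key] = found
    return hits


def best_key(blob: bytes) -> Optional[int]:
    """Key that reveals the most marker strings, or None if nothing matches."""
    hits = recover_xor_key(blob)
    if not hits:
        return None
    return max(hits, key=lambda k: len(hits[k]))


# Constructed sample (not real shellcode): a stand-in payload with the API
# names embedded, encoded with the 0xE2 key described in the analysis.
SAMPLE_PLAIN = (
    b"\x90\x90kernel32.dll\x00CreateFileW\x00WinExec\x00"
    b"urlmon.dll\x00URLDownloadToCacheFileW\x00"
)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, 0xE2)

if __name__ == "__main__":
    key = best_key(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}, markers: {recover_xor_key(SAMPLE_BLOB)[key]}")
```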
McAfee NSP will release the UDS “UDS-HTTP: Microsoft Internet Explorer Use-After-Free exCommand Heap Stray Code Execution” to cover the threat.
McAfee HIPS 8.0 P2 can block the zero-day exploit with the following Generic Buffer Overflow Protection signatures:
AV detection is available in the current Beta DATs as "Exploit-IEexecCommand".
Thanks to my colleagues Xiaobo Chen and Hirosh Joseph for the analysis.