The Microsoft Malware Protection Center (MMPC) has recently seen an exploit targeting the Adobe Flash Player vulnerability CVE-2014-0569. This exploit is being integrated into the Fiesta exploit kit.
The vulnerability related to this malware was addressed with a patch released by Adobe on 14 October 2014. Adobe Flash Player desktop runtime for Windows versions 220.127.116.11 and earlier are vulnerable. If you're using a vulnerable Adobe Flash Player version you should update now to help protect your PC.
We analyzed how these attacks work and found the following details.
The exploit successfully bypasses the validation of memory range and is able to access an arbitrary location. It attempts to corrupt the VTABLE entry for the virtual function toString( ) of sound object. Later, the ActionScript calls the Sound.toString() method and control is transferred to the controlled address, as shown in Figure 1.
Figure 1: Transfer control via a corrupted VTABLE Sound.toString()
At the controlled address, it starts the ROP gadgets built from the Flash Player DLL, as shown in Figure 2.
Figure 2: Control transferred to ROP gadgets
These ROP gadgets are a bit convoluted, but they can be summarized in following steps:
- The gadgets prepare the data on the stack using a loop of the following gadgets:
dec eax // decrement the address to build code
pop ecx // store the code bytes in ECX
mov dword ptr [eax],ecx // store the code to the address specified by EAX
- The control is passed to (via a ret instruction) API VirtualAlloc() to allocate a 0x1000 byte buffer.
- It uses gadget:
mov dword ptr [eax],ecx // store the code
to build some new gadgets at the start of the allocated buffer, for example:
mov dword ptr [eax+0Ch],ecx
- These new gadgets build up a small piece of two-layer decryption code to decrypt the shellcode:
- Control is passed over to the fully decrypted shellcode.
The shellcode downloads a file from the remote server and executes it. The downloaded file is detected as TrojanDropper:Win32/Ropest.A.