A pair of “use-after-free” (also described as “uninitialized memory corruption”) vulnerabilities in Internet Explorer, CVE-2010-0806 and CVE-2010-3962, were reported in November 2010 and remain among the favored client-side attack vectors currently seen in the wild. Recently during my research, I have noticed a gradual increase in attacks targeting these vulnerabilities. Often the two are combined into a single exploit, as both target Internet Explorer 6 and 7. Combining exploit code will of course increase the probability of a successful attack.
Let's analyze one sample that I came across recently.
De-obfuscated Code Analysis
De-obfuscation of the above code shows how the exploitation of the two vulnerabilities is carried out. Let's go through each one of them sequentially.
Both exploits work in the following way:

1. Initiate a heap spray.
2. The exploit triggers the use-after-free error.
3. The assembly code running at the time of the use-after-free error causes the CPU to execute the shellcode, thanks to the heap spray.

Version check – This is required to initialize the address of the shellcode. The full address is computed when the heap spray is carried out.

Shellcode – Common to both vulnerabilities.

The heap spray is carried out by different functions for the two vulnerabilities.
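As an added example (not code from the original post or from the sample it analyzes), the following Python heuristic flags the heap-spray skeleton described above in a de-obfuscated script: a padding string built from one repeated unescape() unit, a length-doubling loop, and an array-fill loop. The two JavaScript fragments and the regular expressions are constructed assumptions for illustration, not the analyzed sample's actual code.

```python
import re

# Constructed test inputs (not from the post): a fragment with the classic
# spray skeleton, and a benign fragment that also happens to call unescape().
SUSPICIOUS_JS = r'''
var pad = unescape("%u0c0c%u0c0c");
while (pad.length < 0x40000) pad += pad;
var slots = new Array();
for (var i = 0; i < 200; i++) slots[i] = pad + payload;
'''

BENIGN_JS = r'''
var greeting = unescape("%u00e9") + " accent";
document.getElementById("out").innerText = greeting;
'''

# unescape("...") whose argument consists only of %uXXXX units
UNESCAPE_RE = re.compile(r'unescape\s*\(\s*["\']((?:%u[0-9a-fA-F]{4})+)["\']')
# while (x.length < N) x += x;   -- exponential growth of the padding string
DOUBLING_RE = re.compile(r'while\s*\([^)]*\.length\s*<[^)]*\)\s*\w+\s*\+=\s*\w+')
# for (...) arr[i] = ...;         -- copying the block into many array slots
ARRAY_FILL_RE = re.compile(r'for\s*\([^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*=')


def heap_spray_indicators(js: str) -> dict:
    """Return heuristic heap-spray indicators for a de-obfuscated JS sample."""
    escapes = [m.group(1) for m in UNESCAPE_RE.finditer(js)]
    # A filler made of a single 16-bit unit repeated at least twice is the
    # typical spray block; a lone unit (e.g. one accented character) is not.
    unit_padding = False
    for arg in escapes:
        units = re.findall(r'%u[0-9a-fA-F]{4}', arg)
        if len(units) >= 2 and len(set(units)) == 1:
            unit_padding = True
    indicators = {
        "unescape_unit_padding": unit_padding,
        "length_doubling_loop": DOUBLING_RE.search(js) is not None,
        "array_fill_loop": ARRAY_FILL_RE.search(js) is not None,
    }
    score = sum(indicators.values())
    # Two or more of the three signals together are treated as a likely spray.
    return {"indicators": indicators, "score": score, "likely_spray": score >= 2}
```

The heuristic runs only on de-obfuscated text, so it belongs after the decoding step the post performs, and its thresholds are a starting point for tuning against real samples.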
Further research on the domain “dxcdfghg.com” reveals that the IP address bound to this domain has hosted various other malicious domains carrying out different attacks.
Hosting multiple malicious domains on one IP address is common practice for attackers.