Wednesday, December 29, 2010
Saturday, October 2, 2010
Thursday, September 30, 2010
Tuesday, September 28, 2010
Digital Music Pad Version 8.2.3.3.4 SEH overflow Metasploit Module
Friday, September 17, 2010
Friday, September 10, 2010
Monday, September 6, 2010
Saturday, September 4, 2010
Recreating exploits from malware samples found in the Wild!!!
This time we are releasing the analysis of a malicious OLE document. The malware exploits a vulnerability in MS Word 2003, CVE-2006-6456.
The malware sample for analysis is available at Mila's blog (greets Mila :)
http://contagiodump.blogspot.com/2010/09/cve-2009-4324-pdf-cmsisixthannualconfer.html
When we analyze the file with OffVis we see that there is an invalid value for sprm.sgc.
When we parse the document with OfficeMalScanner (http://www.reconstructer.org/code.html) we find an embedded OLE file at offset 0xdc00 and an embedded executable at 0x4c00, encoded with the XOR key 0x95.
We remove the malicious executable and the OLE file from the exploit file. Now we are left with the exploit file along with the shellcode. Analyzing the remaining file (clean.doc) in Hex Workshop, we find another XOR'ed section encoded with the same key, 0x95. This might be the encoded shellcode.
So we extract this section and convert it into an exe with http://sandsprite.com/shellcode_2_exe.php to analyze it in a debugger. Here we see that the shellcode is indeed XOR'ed with the key 0x95.
We decode the shellcode and analyze it in hex again. We see that the shellcode writes the exe to disk as SUCHOST.EXE.
So now we also have the location of the shellcode. Here we can remove the malware's shellcode and replace it with our own.
The original malware, extracted executable, extracted OLE document, shellcode, decoded shellcode and a reconstructed POC file which launches calc.exe can be downloaded from: http://www.mediafire.com/download.php?u55xgb1jpasp8na
There are 2 POC files: one executes CMD.exe and the other executes CALC.exe. Tested on XP SP2, Office 2003.
Greetz: Mila, Villy, Puneet Jain, WEBDevil, ASL IT Sec Team
References:
http://contagiodump.blogspot.com/
http://www.reconstructer.org/
http://sandsprite.com/products.html
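The carving above (OfficeMalScanner's report, then locating the second 0x95-encoded region by hand) can be automated. The following is an added example written for this page, not code from the post or from OfficeMalScanner: it brute-forces the one-byte XOR key by searching for the encoded DOS-stub string and the encoded OLE magic, walks the PE section table to size the executable, and carves it out. Everything it runs on is constructed inline (a minimal PE layout standing in for SUCHOST.EXE, placed at the post's offsets 0x4c00 and 0xdc00 with key 0x95). It also covers the "XOR except certain bytes" variant noted in the Townhall Magazine analysis further down this page, where leaving bytes 0x25, 0x00, 0xFF and 0xDA untouched is only decodable because that set is closed under XOR with 0x25.

```python
# Added example: single-byte XOR key recovery and payload carving for
# documents with embedded PE/OLE objects.  All inputs are constructed below.
import struct

DOS_STUB = b"This program cannot be run in DOS mode"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def xor_decode(data, key, skip=frozenset()):
    """XOR each byte with a one-byte key.  Bytes listed in `skip` are left
    alone, which models droppers that refuse to touch bytes equal to the key
    or to 0x00 (the key 0x25 / skip {0x25,0x00,0xFF,0xDA} case on this page)."""
    return bytes(b if b in skip else b ^ key for b in data)


def skip_set_is_invertible(key, skip):
    """A skip list only decodes unambiguously when the set is closed under
    XOR with the key: 0x00^0x25 == 0x25 and 0xFF^0x25 == 0xDA."""
    return all((b ^ key) in skip for b in skip)


def find_xor_encoded(data, signature):
    """(offset, key) for every place where `signature` XORed with some one-byte
    key appears verbatim in `data`.  Use long signatures to avoid noise."""
    hits = []
    for key in range(256):
        enc = bytes(b ^ key for b in signature)
        pos = data.find(enc)
        while pos >= 0:
            hits.append((pos, key))
            pos = data.find(enc, pos + 1)
    return hits


def pe_file_size(pe):
    """On-disk size of a PE image: end of the furthest section's raw data."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    sec_tbl = e_lfanew + 24 + opt_size
    end = sec_tbl + 40 * nsec
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_tbl + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_payloads(doc):
    """Find an XOR-encoded PE (via its DOS stub, then the MZ just before it)
    and an XOR-encoded OLE header; return the decoded PE plus offsets/keys."""
    found = {}
    for idx, key in find_xor_encoded(doc, DOS_STUB):
        start = doc.rfind(bytes(b ^ key for b in b"MZ"), max(0, idx - 0x100), idx)
        if start < 0:
            continue
        header = xor_decode(doc[start:start + 0x400], key)
        try:
            size = pe_file_size(header)
        except (ValueError, struct.error):
            continue
        found["pe"] = (start, key, xor_decode(doc[start:start + size], key))
    for idx, key in find_xor_encoded(doc, OLE_MAGIC):
        found["ole"] = (idx, key)
    return found


def build_fake_pe():
    """Constructed minimal PE32 layout (one section, no real code) standing in
    for the dropped executable; it is not a runnable binary."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                       # e_lfanew
    dos[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + bytes(range(256)) * 2                        # 0x200 bytes of "code"


def build_sample_doc(pe, key=0x95):
    """Constructed carrier: filler, the XOR-encoded PE at 0x4C00 and an
    XOR-encoded OLE header at 0xDC00 (offsets and key quoted in the post)."""
    doc = bytearray(0x4C00)
    doc += xor_decode(pe, key)                                    # XOR is its own inverse
    doc += bytes(0xDC00 - len(doc))
    doc += xor_decode(OLE_MAGIC + bytes(24), key)
    return bytes(doc)


if __name__ == "__main__":
    result = carve_payloads(build_sample_doc(build_fake_pe()))
    off, key, pe = result["pe"]
    print("PE at 0x%X, key 0x%02X, %d bytes" % (off, key, len(pe)))
    print("OLE header at 0x%X, key 0x%02X" % result["ole"])
    print("skip set invertible:", skip_set_is_invertible(0x25, {0x25, 0x00, 0xFF, 0xDA}))
```

Searching for the 38-byte DOS stub rather than the two-byte MZ keeps the 256-key brute force free of false positives; the section table then gives the exact size to carve, so the genuine decoy document that usually follows the executable is not swept up with it.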
Sunday, August 29, 2010
Microsoft Office Property Code Execution exploit (CVE-2006-2389) Analysis!!
The sample is from http://contagiodump.blogspot.com/ . Thanks Mila =)
All files and the recreated exploit code are uploaded at http://www.mediafire.com/download.php?t1ks9dexkxaku87 for analysis.
Exploit added at:
http://inj3ct0r.com/exploits/13903
http://packetstormsecurity.org/1008-exploits/mop-exec.txt
This file exploits the vulnerability CVE-2006-2389. The document size is 292864 bytes. There is an executable and a real doc file embedded in this file.
Upon opening this file an executable is dropped. It is embedded at offset 0x18200, XOR'ed with the 32-bit key 0x58E5F269, and in addition the first 512 bytes are flipped with a 16-bit byte-swap operation. The size of this exe is 90112 bytes.
This dropped executable in turn drops an exe named "NAVPInst.exe" of size 28672 bytes.
From offset 0x2e200 a genuine DOC file is embedded. Its size is 103936 bytes. The first 4 bytes of the doc file, which should be 0xD0CF11E0, are replaced by 0xCFD0E011. (The three regions account for the whole file: 0x18200 + 90112 = 0x2e200, and 0x2e200 + 103936 = 292864.)
The shellcode starts at offsets 0x16738 and 0x16a08; it writes the executable and the genuine doc file to disk and executes them.
Saturday, August 21, 2010
XLS FEATHEADER original malware Analysis!!
After getting the comments I decided to post a short comparison and analysis of the original malware I had and the recreated file.
The samples can be downloaded from the link below for analysis:
http://www.mediafire.com/download.php?xjmcp9agma1sctl
The size of "original malware.xls" is 109184 bytes because an executable of 17536 bytes is attached from offset 0x13e00. The first 1536 bytes of the executable are XOR'ed with the 32-bit key 0x66778899, and a byte flip was also used.
A genuine xls file was embedded with the exploit from offset 0x18280, of size 10240 bytes.
After removing the malware exe and the genuine file from the exploit, the remaining file was 81408 bytes (0x13e00, i.e. exactly the offset at which the exe had been appended).
At offset 0x13408 was the shellcode which dropped the executable and the xls file into %temp% and executed them. Its size was 0x2552 bytes, and the shellcode was XOR'ed with the 8-bit key 0x01.
The extracted shellcode and the decoded shellcode are also in the archive above.
Also, it is requested to first analyze deeply and use a Google search before claiming something.
This was a short analysis. More to come soon.
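Both this analysis and the CVE-2006-2389 one above describe the same dropper scheme: a 32-bit XOR key, a 16-bit byte flip over the first part of the executable, and a decoy document whose D0 CF 11 E0 magic is stored as CF D0 E0 11. The following added example (written for this page, not the authors' tooling) recovers the key from the encoded executable using its zero runs, undoes the flip in whichever order the dropper applied it, and repairs the document header. The executable, decoy and carrier are constructed inline at the CVE-2006-2389 offsets; applying the key bytes in the order written (58 E5 F2 69) and the flip-then-XOR order are assumptions, which is why the decoder tries both orders rather than trusting one.

```python
# Added example: multi-byte XOR key recovery, 16-bit byte-flip reversal and
# OLE header repair for the dropper scheme described on this page.
from collections import Counter

DOS_STUB = b"This program cannot be run in DOS mode"
OLE_MAGIC = bytes.fromhex("D0CF11E0")
SWAPPED_OLE_MAGIC = bytes.fromhex("CFD0E011")   # what the carrier stores


def xor_repeating(data, key_bytes, length=None):
    """XOR the first `length` bytes (default: all) with a repeating key."""
    n = len(key_bytes)
    length = len(data) if length is None else length
    head = bytes(b ^ key_bytes[i % n] for i, b in enumerate(data[:length]))
    return head + data[length:]


def swap16(data, length):
    """Swap every byte pair in the first `length` bytes (16-bit byte flip)."""
    if length % 2:
        raise ValueError("flip length must be even")
    head = bytearray(data[:length])
    head[0::2], head[1::2] = head[1::2], head[0::2]
    return bytes(head) + data[length:]


def guess_xor_key(blob, width=4):
    """Known-plaintext trick: PE headers and padding are full of zero runs, so
    the most frequent aligned word of the encoded region is the key itself
    (0 ^ key == key).  Pass only the encoded prefix when XOR stops early."""
    words = Counter(blob[i:i + width] for i in range(0, len(blob) - width + 1, width))
    words.pop(bytes(width), None)               # untouched zero padding is not the key
    return words.most_common(1)[0][0]


def decode_payload(blob, key_bytes, flip_len=512, xor_len=None):
    """Undo XOR and flip.  Whether the dropper flipped before or after XORing
    is unknown, so try both and keep the candidate exposing a DOS header."""
    candidates = {
        "flip_then_xor": swap16(xor_repeating(blob, key_bytes, xor_len), flip_len),
        "xor_then_flip": xor_repeating(swap16(blob, flip_len), key_bytes, xor_len),
    }
    for order, cand in candidates.items():
        if cand[:2] == b"MZ" and DOS_STUB in cand[:0x100]:
            return cand, order
    raise ValueError("no ordering yields a PE header")


def find_swapped_ole(carrier):
    """Offsets of byte-swapped compound-document headers (CF D0 E0 11)."""
    hits, pos = [], carrier.find(SWAPPED_OLE_MAGIC)
    while pos >= 0:
        hits.append(pos)
        pos = carrier.find(SWAPPED_OLE_MAGIC, pos + 1)
    return hits


def fix_ole_header(doc):
    """Restore D0 CF 11 E0, as the shellcode does before dropping the decoy."""
    if doc[:4] != SWAPPED_OLE_MAGIC:
        raise ValueError("header is not byte-swapped")
    return OLE_MAGIC + doc[4:]


def build_sample_exe(size=2048):
    """Constructed stand-in for the dropped executable (not a real binary)."""
    body = bytearray(size)
    body[0:2] = b"MZ"
    body[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    body[0x600:] = bytes((i * 37) & 0xFF for i in range(size - 0x600))
    return bytes(body)


def build_sample_carrier(exe, doc, key_bytes, exe_off=0x18200, doc_off=0x2E200):
    """Constructed carrier at the post's offsets: filler, the exe flipped and
    then XORed (assumed order), filler, the decoy doc with swapped magic."""
    out = bytearray(exe_off) + xor_repeating(swap16(exe, 512), key_bytes)
    out += bytes(doc_off - len(out))
    out += SWAPPED_OLE_MAGIC + doc[4:]
    return bytes(out)


if __name__ == "__main__":
    exe = build_sample_exe()
    doc = OLE_MAGIC + bytes(28) + b"decoy document body" * 16
    carrier = build_sample_carrier(exe, doc, bytes.fromhex("58E5F269"))
    blob = carrier[0x18200:0x18200 + len(exe)]
    key = guess_xor_key(blob)
    recovered, order = decode_payload(blob, key)
    print("key", key.hex(), "order", order, "exe recovered:", recovered == exe)
    for off in find_swapped_ole(carrier):
        print("byte-swapped OLE header at 0x%X" % off)
```

The `xor_len` parameter handles the XLS case above, where only the first 1536 bytes were XORed: feed `guess_xor_key` just that prefix, since the untouched remainder would otherwise vote for an all-zero "key". The frequency trick works because the key bytes are all non-zero and an executable's header padding supplies far more zero dwords than any other value.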
NEW MS Excel Malformed FEATHEADER Record Exploit (MS09-067)!!
http://inj3ct0r.com/exploits/13891
http://packetstormsecurity.org/1008-exploits/msexcelfeatheader-overflow.txt
Got a sample from the wild and recreated it. =)
Exploit sample from:
http://contagiodump.blogspot.com/2010/03/mar-24-cve-20085-0081-xls-2010-beauty.html
Friday, August 20, 2010
New exploit by us: MS09-027!
MS Word Record Parsing Buffer Overflow (MS09-027)
http://packetstormsecurity.org/1008-exploits/mswordparse-overflow.txt
http://downloads.securityfocus.com/vulnerabilities/exploits/35188.py
Saturday, August 14, 2010
Analyzing malicious PDF malware.
Here we'll demonstrate the analysis of a PDF malware sample that uses two vulnerabilities of Acrobat Reader. I got the sample from Mila (thanks Mila) but I don't remember the link and can't find it again.
Required things
• Python scripts (zlib decompress), (shellcode2bin)
• HT Editor
• Hex editor
First of all we open the malware sample in Notepad++ and look for JavaScript streams.
We see that FlateDecode is used here, so we can decompress the stream with zlib. For this we copy the stream into another file, save it, and then use a Python script (zlibd.py) to decompress it.
Now we analyze the malicious JavaScript in a text editor.
The JavaScript shellcode is obfuscated using the replace function (%u is replaced by XX).
So we copy the shellcode into another file and replace 'XX' with '%u'. Then we convert the shellcode to binary with the second Python script (shellcode2bin.py) so that its disassembly can be analyzed.
Now we can analyze it with HT Editor:
We can see that the file has a malicious exe XOR'ed with the key 0x0F. When we XOR the file again we get the exe headers at offset 0x4374. The size of the exe is 229475 bytes. At the end of this malicious exe a genuine PDF starts, which is opened when the exploit is complete. The genuine PDF file is XOR encoded with the key 0xFF and starts at offset 0x3c3d7.
We select this PDF from 0x3c3d7, where we can see %PDF, up to %%EOF in the hex editor, paste it into a new file and save it as 'dropped.pdf'. This is the original file which is dropped after the exploit completes.
To extract the exe we select from 0x4374 to 0x3c3d6 and XOR it with 0x0F (0x3c3d7 - 0x4374 = 229475 bytes, matching the exe size above).
This way we safely extracted the malicious exe from the PDF exploit, as well as the real PDF embedded in it, without ever opening the file.
If you want to download the sample file, JavaScript, shellcode etc. for analysis, please download from here:
http://rapidshare.com/files/412983633/analysis.rar
http://www.megaupload.com/?d=IDC87YJT
The rar password is: infected
References::
http://contagiodump.blogspot.com/
http://www.honeynor.no/
Download HT Editor from::: http://hte.sourceforge.net/downloads.html
Author:: Abhishek Lyall and Abhishek Sahni
Email:: asl.itsec@gmail.com , info@aslitsecurity.com
Web:: http://aslitsecurity.com
Blog:: http://aslitsecurity.blogspot.com
zlibd.py
import sys
import zlib

# usage: python zlibd.py <raw_flate_stream> <output_file>
# Decompresses a FlateDecode stream body that was copied out of the PDF.
if len(sys.argv) != 3:
    sys.exit("usage: zlibd.py <input> <output>")

with open(sys.argv[1], mode='rb') as f:
    buff = f.read()

evilbuff = zlib.decompress(buff)

with open(sys.argv[2], mode='wb') as f:
    f.write(evilbuff)

print("[+] Done")
Shellcode2bin.py
#!/usr/bin/python3
# Converts shellcode given as %uXXXX (JavaScript unescape format), \xNN
# (C array) or plain hex into raw bytes on stdout, ready for a disassembler.
from binascii import unhexlify
import sys

def writeToStdout(content):
    # raw bytes have to go to the binary buffer, not the text wrapper
    sys.stdout.buffer.write(content)

def HexToBin(hexstr):
    res = b''
    length = len(hexstr)
    idx = 0
    while idx < length:
        res += unhexlify(hexstr[idx:idx+2])
        idx += 2
    return res

def cArrayToBin(carray):
    parts = carray.split('\\x')
    res = b''
    for b in parts:
        res += HexToBin(b)
    return res

def unicodeToBin(unicode):
    parts = unicode.split('%u')
    binary = b''
    for uni in parts:
        binary += swapHexToBin(uni)
    return binary

def swapHexToBin(unit):
    # %u4142 is the UTF-16 unit 0x4142, which lies in memory as 42 41
    if len(unit) == 0:
        return b''
    if len(unit) != 4:
        print("Error swapping bytes! (%s)" % unit, file=sys.stderr)
        sys.exit(1)
    a = unit[2:4]
    b = unit[0:2]
    return unhexlify(a) + unhexlify(b)

#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -#
if len(sys.argv) < 2:
    f = sys.stdin
else:
    filename = sys.argv[1]
    f = open(filename, 'r')
content = f.read()
# strip newlines, whitespace, quotes and string-concatenation operators
for junk in ('\n', ';', '\r', '\t', ' ', '+', '"', "'"):
    content = content.replace(junk, '')
if content[0:2] == '%u':
    res = unicodeToBin(content)
elif content[0:2] == '\\x':
    res = cArrayToBin(content)
else:
    res = HexToBin(content)
writeToStdout(res)
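The two scripts above work on text copied out of the PDF by hand. As an added example (written for this page, not the authors' scripts), the following walks the PDF objects itself, inflates every /FlateDecode stream without trusting /Length, reverses the replace() trick that swapped %u for XX, and turns the %uXXXX escapes into raw bytes. The PDF it parses is constructed inline around a made-up byte string; the exact JavaScript shape it matches, unescape("...".replace(/XX/g, "%u")), is an assumption about how the sample was written.

```python
# Added example: locate and inflate FlateDecode streams in a PDF and recover
# %u-encoded shellcode hidden behind a .replace() obfuscation.
import re
import zlib

# "N G obj << dict >> stream\n": the dictionary match is lazy, and the file is
# split on "endobj" first so it cannot run into the next object's dictionary.
STREAM_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(<<.*?>>)\s*stream\r?\n", re.S)
# string literal fed to unescape() through a .replace(/TOKEN/g, "%u") call
# (assumed shape of the obfuscation described in the post)
UNESCAPE_RE = re.compile(rb'unescape\(\s*"([^"]*)"\s*\.replace\(\s*/(\w+)/g\s*,\s*"%u"\s*\)\s*\)')


def iter_streams(pdf):
    """Yield (object number, dictionary, raw stream bytes) per stream object.
    The raw bytes run up to `endstream`, so a lying /Length does no harm."""
    for chunk in pdf.split(b"endobj"):
        m = STREAM_RE.search(chunk)
        end = chunk.rfind(b"endstream")
        if m and end > m.end():
            yield int(m.group(1)), m.group(2), chunk[m.end():end]


def decode_stream(dictionary, raw):
    """Inflate /FlateDecode streams.  decompressobj stops at the end of the
    deflate data, so the EOL before `endstream` (or any padding) is ignored."""
    if b"/FlateDecode" in dictionary:
        return zlib.decompressobj().decompress(raw)
    return raw


def deobfuscate_unescape_literal(js):
    """Undo the replace() trick: the literal carries TOKEN where %u belongs."""
    m = UNESCAPE_RE.search(js)
    if not m:
        raise ValueError("no unescape(...replace(...)) pattern found")
    literal, token = m.group(1), m.group(2)
    return literal.replace(token, b"%u")


def unicode_escapes_to_bytes(text):
    """%u4142 is the UTF-16 unit 0x4142, which sits in memory as 42 41, so
    each unit is emitted little-endian (the same swap shellcode2bin.py does)."""
    out = bytearray()
    for unit in re.findall(rb"%u([0-9A-Fa-f]{4})", text):
        out += int(unit, 16).to_bytes(2, "little")
    return bytes(out)


def recover_shellcode(pdf):
    """(object number, shellcode bytes) for the first stream whose inflated
    content carries the unescape pattern, or None."""
    for num, dictionary, raw in iter_streams(pdf):
        data = decode_stream(dictionary, raw)
        if b"unescape(" in data:
            return num, unicode_escapes_to_bytes(deobfuscate_unescape_literal(data))
    return None


def build_sample_pdf(shellcode, token=b"XX"):
    """Constructed two-object PDF whose OpenAction JavaScript is a compressed
    stream carrying `shellcode` in the obfuscated %u form."""
    if len(shellcode) % 2:
        raise ValueError("even length keeps the 16-bit unit round-trip exact")
    units = (int.from_bytes(shellcode[i:i + 2], "little") for i in range(0, len(shellcode), 2))
    literal = b"".join(token + b"%04X" % u for u in units)
    js = b'var sc = unescape("' + literal + b'".replace(/' + token + b'/g, "%u"));'
    body = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS 4 0 R >> >>\nendobj\n"
            b"4 0 obj\n<< /Filter /FlateDecode /Length " + str(len(body)).encode() + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    # constructed placeholder bytes, not real shellcode
    sample = build_sample_pdf(bytes.fromhex("9090909031c0506863616c63"))
    num, sc = recover_shellcode(sample)
    print("object %d carries %d bytes: %s" % (num, len(sc), sc.hex()))
```

Real samples vary the obfuscation (different tokens, concatenated literals, eval of a decoded string), so the regex is the piece to adapt; the stream walker and the %u decoding stay the same.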
Wednesday, August 11, 2010
Thursday, August 5, 2010
BUGS found by us!!
Mediamonkey v. 3.2.1.1297 DOS POC
http://inj3ct0r.com/exploits/13579
Spider player .m3u playlist DOS POC
http://inj3ct0r.com/exploits/13578
Rosoft media player 4.4.4 SEH buffer overflow POC
http://inj3ct0r.com/exploits/13643
Quintessential Player 5.0.121 Denial of Service
http://inj3ct0r.com/exploits/13629
Our analysis of => Feb 22 CVE-2006-6456 MS Word Taiwan 2010 from diguapinggao@gmail.com, Feb 22, 2010 4:17 AM
"The "taskmgr.exe" is embedded from offset 0x24E00. The exe is XOR'ed with the 64-bit key 0xCA5039AF00000000. If you XOR the file again with the same key you'll find the exe headers at offset 0x24E00." Please see the screenshot below.
To read full analysis and download samples please follow Mila's blog:: http://contagiodump.blogspot.com/2010/02/feb-22-ms-word-taiwan-2010-from.html
Our analysis of => Sept 28. Attack of the Day. Exploit/MSWordAgent!IK Townhall Magazine... from spoofed xxxx@heritage.org
"The exploit works on Office 2003. Tested on XP SP2-3. The exe is embedded at offset 0x4c00 with key 0x25. The Word document attached is at offset 0x7400 with key 0x25. The shellcode in the exploit drops a binary named "svchost.exe" and a doc file in the %temp% folder. The shellcode in the xls decodes the exe and drops it. The binary and doc are XOR'ed with key 0x25 except for the bytes 0x25, 0x00, 0xFF and 0xDA." to be continued...
To download samples, read full report etc follow Mila's blog::: http://contagiodump.blogspot.com/2009/12/attack-of-day-exploitmswordagentik.html
My analysis => Feb 20 CVE-2006-2492 MS Word w Trojan.Buzus.U Mainland Affairs Council list of the week itinerary from macnews@mac.gov.tw
"The exe is attached at offset 0x63A0 and XOR'ed with the key 0xB9FEAC13, but only the first 564 bytes of the binary are XOR'ed; the rest of the file is unchanged. The file is dropped as "WinHttp.exe" in the %temp% directory. There is also one genuine doc file attached with the exploit, which starts from offset 0xC010. The size of the file is 45056 bytes. Note that doc headers start with "0xD0CF11E0", but the doc file attached with the exploit has headers starting with "0xCFD0E011". This means that when the doc file is dropped in %temp% the shellcode replaces CF D0 E0 11 with D0 CF 11 E0."
Read full analysis and download malware samples from Mila's blog:: http://contagiodump.blogspot.com/2010/02/feb-20-mainland-affairs-council-list-of.html