Sunday, August 29, 2010

Microsoft Office Property Code Execution exploit (CVE-2006-2389) Analysis!!

The sample is from Mila, thanks Mila =)

All files and the recreated exploit code are uploaded for analysis at the link below...

Exploit added at :::
This file exploits CVE-2006-2389. The document size is 292864 bytes. An executable and a genuine DOC file are embedded in it.

When the document is opened, an executable embedded at offset 0x18200 is dropped. This executable is XOR'ed with the 32 bit key 0x58E5F269, and its first 512 bytes are additionally byte-swapped 16 bits at a time (a 16 bit byte flip). The size of this exe is 90112 bytes.

This dropped executable in turn drops another exe named "NAVPInst.exe" of size 28672 bytes.

A genuine DOC file is embedded from offset 0x2e200; its size is 103936 bytes. Its first 4 bytes, the OLE signature 0xD0CF11E0, are stored as 0xCFD0E011 (each 16 bit word byte-swapped).

The shellcode is located at offsets 0x16738 and 0x16a08; it writes the executable and the genuine DOC file to disk and executes them.
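The carving steps described above, as an added Python example (not the post's own code): undo the 32 bit XOR, undo the 16 bit byte flip on the first 512 bytes, and restore the DOC signature that the CVE-2006-2492 note further down also describes. The little-endian byte order of the key and the XOR-then-flip order of the dropper are assumptions; the sample document is constructed inline.

```python
import struct

# Parameters taken from the post above; the sample bytes below are constructed.
EXE_KEY = 0x58E5F269               # 32 bit XOR key on the embedded exe
FLIPPED = 512                      # bytes covered by the 16 bit byte flip
OLE_MAGIC = b'\xd0\xcf\x11\xe0'    # normal OLE/DOC signature
OLE_SWAPPED = b'\xcf\xd0\xe0\x11'  # how the sample stores it

def xor_dword(data: bytes, key: int) -> bytes:
    # Assumption: the key is applied little-endian and repeats every 4 bytes.
    kb = struct.pack('<I', key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))

def swap16(data: bytes) -> bytes:
    # Exchange each pair of adjacent bytes; a trailing odd byte is left alone.
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)

def extract_exe(blob: bytes, offset: int, size: int, key: int = EXE_KEY) -> bytes:
    # Assumption: the dropper XORs the whole exe, then flips the first 512 bytes,
    # so decoding undoes the XOR first and the flip second.
    plain = xor_dword(blob[offset:offset + size], key)
    return swap16(plain[:FLIPPED]) + plain[FLIPPED:]

def extract_doc(blob: bytes, offset: int, size: int) -> bytes:
    # Restore the byte-swapped signature so the carved file opens as a normal DOC.
    chunk = blob[offset:offset + size]
    if chunk[:4] != OLE_SWAPPED:
        raise ValueError('no swapped OLE signature at offset 0x%x' % offset)
    return OLE_MAGIC + chunk[4:]

def build_sample() -> bytes:
    # Constructed stand-in for the malicious document: 0x100 bytes of carrier,
    # the encoded exe (770 bytes, so the flip covers only part of it), then the DOC.
    exe = b'MZ' + bytes(range(256)) * 3
    doc = OLE_MAGIC + b'real document' * 4
    enc_exe = xor_dword(swap16(exe[:FLIPPED]) + exe[FLIPPED:], EXE_KEY)
    return b'\x00' * 0x100 + enc_exe + OLE_SWAPPED + doc[4:]

if __name__ == '__main__':
    blob = build_sample()
    print(extract_exe(blob, 0x100, 770)[:2], extract_doc(blob, 0x100 + 770, 56)[:4])
```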

Saturday, August 21, 2010

XLS FEATHEADER original malware Analysis!!

After getting the comments, I decided to post a short comparison and analysis of the original malware I had and the recreated file.

The samples can be downloaded from the link below for analysis....

The file "original malware.xls" is 109184 bytes because an executable of size 17536 bytes is attached to it at offset 0x13e00. The first 1536 bytes of the executable are XOR'ed with the 32 bit key 0x66778899, and a byte flip was also used.

A genuine XLS file of size 10240 bytes is embedded in the exploit at offset 0x18280....

After removing the malware exe and the genuine file from the exploit, the remaining file was 81408 bytes....

The shellcode is at offset 0x13408; it drops the executable and the XLS file into %temp% and executes them. Its size is 0x2552 bytes, and the shellcode itself is XOR'ed with the single-byte key 0x01.

The extracted shellcode and the decoded shellcode are also in the archive above....

Also, please analyze deeply and use a Google search before claiming something..

This was a short analysis. More to come soon.....

NEW MS Excel Malformed FEATHEADER Record Exploit (MS09-067)!!

Got a sample from the wild and recreated it....... =)

Exploit Sample From

Saturday, August 14, 2010

Analyzing malicious PDF malware.

Here we'll demonstrate the analysis of PDF malware that uses two Acrobat Reader vulnerabilities. I got the sample from Mila (thanks Mila), but I don't remember the link and can't find it again.

Required things
• Python scripts: zlib decompress and shellcode2bin (both listed at the end of this post)
• HT Editor
• Hex Editor

First of all, we open the malware sample in Notepad++ and look for JavaScript streams.

We see that FlateDecode is used here, so the stream can be decompressed with zlib. We copy the stream into another text file, save it, and then use a Python script (zlib decompress, below) to decompress it.

Now we analyze the malicious JavaScript in a text editor.

The JavaScript shellcode is obfuscated using the replace function (%u is replaced by XX).

So we copy the shellcode into another file and replace 'XX' with '%u'. Then we convert the shellcode to binary to analyze its disassembly.

We use another Python script (shellcode2bin, below) to convert the shellcode to binary for analysis in a disassembler.

Now we can analyze it with HT editor:

We can see that the file contains a malicious exe XOR'ed with key 0x0F. When we XOR the file again with the same key, the exe headers appear at offset 0x4374. The size of the exe is 229475 bytes. At the end of this malicious exe a genuine PDF starts, which is opened once the exploit completes. The genuine PDF is XOR encoded with key 0xFF and starts at offset 0x3c3d7.

We select the PDF from 0x3c3d7, where we can see %PDF through %%EOF in the hex editor, paste it into a new file and save it as 'dropped.pdf'. This is the original file that is dropped after the exploit completes.

To extract the exe, we select from 0x4374 to 0x3c3d6 and XOR it with 0x0F..

This way we safely extracted both the malicious exe and the real PDF embedded in the exploit without even opening the file.

If you want to download the sample file, JavaScript, shellcode etc. for analysis, please download from here
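The two XOR keys above (0x0F for the exe, 0xFF for the PDF) were found by hand. The following added script (not from the post) automates that search: it tries every single-byte key and reports where a PE DOS stub or a PDF header becomes readable, then carves the object. The sample blob is constructed inline to mirror the layout found in the post.

```python
DOS_STUB = b'This program cannot be run in DOS mode'

def xor_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_embedded(blob: bytes):
    # Try every single-byte key and report (kind, key, start, end) for each PE or PDF
    # that becomes readable; key 0 means the object is stored in the clear (the carrier
    # PDF itself shows up that way). PE end offsets need PE header parsing, so None.
    found = []
    for key in range(256):
        dec = xor_byte(blob, key)
        pos = dec.find(DOS_STUB)
        while pos != -1:
            # the 'MZ' signature sits shortly before the stub text in the DOS header
            mz = dec.rfind(b'MZ', max(0, pos - 0x80), pos)
            if mz != -1:
                found.append(('PE', key, mz, None))
            pos = dec.find(DOS_STUB, pos + 1)
        start = dec.find(b'%PDF')
        if start != -1:
            end = dec.rfind(b'%%EOF')
            if end > start:
                found.append(('PDF', key, start, end + len(b'%%EOF')))
    return found

def carve(blob: bytes, key: int, start: int, end: int) -> bytes:
    # Decode and cut out one object, e.g. to save it as dropped.pdf.
    return xor_byte(blob[start:end], key)

def build_sample() -> bytes:
    # Constructed stand-in for the exploit PDF: carrier bytes, a PE stub under key 0x0F,
    # then a small PDF under key 0xFF, as in the post.
    pe = b'MZ' + b'\x90' * 0x3c + DOS_STUB + b'\x00' * 16
    pdf = b'%PDF-1.4\n1 0 obj << >> endobj\n%%EOF\n'
    return b'\x00' * 0x40 + xor_byte(pe, 0x0F) + xor_byte(pdf, 0xFF)

if __name__ == '__main__':
    for hit in find_embedded(build_sample()):
        print(hit)
```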

The rar password is::  infected


Download HT Editor from:::

Author:: Abhishek Lyall and Abhishek Sahni

Email:: ,  



import sys
import zlib

# usage: zlibdecomp.py <copied FlateDecode stream> <output file>
infile = sys.argv[1]
f = open(infile, mode='rb')
buff = f.read()            # raw compressed stream bytes copied out of the PDF
f.close()

evilbuff = bytearray(zlib.decompress(buff))   # inflate the stream

outfile = sys.argv[2]
f = open(outfile, mode='wb')
f.write(evilbuff)          # decompressed JavaScript goes to the output file
f.close()

print("[+] Done")


from binascii import unhexlify
import sys

def writeToStdout(content):
    # write raw bytes, bypassing the text encoding of sys.stdout
    sys.stdout.buffer.write(content)

def HexToBin(hexstr):
    # plain hex string, two characters per byte
    res = b''
    length = len(hexstr)
    idx = 0
    while idx < length:
        res += unhexlify(hexstr[idx:idx+2])
        idx += 2
    return res

def cArrayToBin(carray):
    # C-style "\x90\x90..." byte array
    parts = carray.split('\\x')
    res = b''
    for b in parts:
        res += HexToBin(b)
    return res

def unicodeToBin(unicode):
    # JavaScript "%u9090%u4141..." escapes: each group is a little-endian 16 bit word
    parts = unicode.split('%u')
    binary = b''
    for uni in parts:
        binary += swapHexToBin(uni)
    return binary

def swapHexToBin(word):
    if len(word) == 0:
        return b''
    if len(word) != 4:
        print("Error swapping bytes! (%s)" % word, file=sys.stderr)
        sys.exit(1)
    # swap the two bytes of the 16 bit word so the output is in memory order
    a = word[2:4]
    b = word[0:2]
    return unhexlify(a) + unhexlify(b)

#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -#
# main: read the shellcode text from a file (or stdin), strip the JavaScript
# quoting/concatenation characters, detect the encoding and write the binary to stdout
if len(sys.argv) < 2:
    f = sys.stdin
else:
    filename = sys.argv[1]
    f = open(filename, 'r')
content = f.read()

# strip newlines, whitespace, etc..
for junk in ('\n', ';', '\r', '\t', ' ', '+', '"', "'"):
    content = content.replace(junk, '')

if content[0:2] == '%u':
    res = unicodeToBin(content)
elif content[0:2] == '\\x':
    res = cArrayToBin(content)
else:
    res = HexToBin(content)

writeToStdout(res)


Thursday, August 5, 2010

BUGS found by us!!

Mediamonkey v. DOS POC

Spider player .m3u playlist DOS POC

Rosoft media player 4.4.4 SEH buffer overflow POC

Quintessential Player 5.0.121 Denial of Service

Our analysis of => Feb 22 CVE-2006-6456 MS Word Taiwan 2010, from Feb 22, 2010 4:17 AM

"The "taskmgr.exe" is embedded from offset 0x24E00. The exe is XOR'ed with the 64 bit key 0xCA5039AF00000000. If you XOR the file again with the same key you'll find the exe headers at offset 0x24E00." Please see the screenshot below.

To read the full analysis and download samples, please follow Mila's blog::

Our analysis of => Sept 28. Attack of the Day. Exploit/MSWordAgent!IK Townhall Magazine... from spoofed

"The exploit works on Office 2003. Tested on XP SP2-3. The exe is embedded at OFFSET=0x4c00 with key 0x25. The Word document attached is at offset 0x7400 with key 0x25. The shellcode in the exploit drops a binary named "svchost.exe" and a doc file in the %temp% folder. The shellcode in the xls decodes the exe and drops it. The binary and DOC are XOR'ed with key 0x25 except for bytes 0x25, 0x00, 0xFF and 0xDA." to be continued..

To download samples, read the full report etc., follow Mila's blog:::
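The "XOR'ed with key 0x25 except bytes 0x25, 0x00, 0xFF and 0xDA" encoding quoted above, as an added Python example (not from the post or from Mila's blog). My reading of the note is that bytes with those four values are copied through unchanged; the example also checks why exactly those values make the transform reversible. The sample blob is constructed inline.

```python
KEY = 0x25
SKIP = frozenset({0x25, 0x00, 0xFF, 0xDA})   # byte values the note says are not XOR'ed

def skip_set_is_closed(key: int, skip) -> bool:
    # The transform is only reversible if the skip set is closed under XOR with the key;
    # otherwise a plaintext byte outside the set could encode to a value inside it and
    # then be left alone on decoding. For 0x25 the set pairs up as {0x00,0x25} and {0xDA,0xFF}.
    return all((b ^ key) in skip for b in skip)

def xor_skip(data: bytes, key: int = KEY, skip=SKIP) -> bytes:
    # XOR every byte except those whose value is in the skip set; with a closed skip
    # set this is its own inverse, so the same call decodes what the dropper encoded.
    if not skip_set_is_closed(key, skip):
        raise ValueError('skip set is not closed under XOR with key 0x%02x' % key)
    return bytes(b if b in skip else b ^ key for b in data)

def decode_at(blob: bytes, offset: int, size: int) -> bytes:
    # Carve and decode one embedded object, e.g. the exe at OFFSET=0x4c00 in the note.
    return xor_skip(blob[offset:offset + size])

def build_sample() -> bytes:
    # Constructed stand-in: 0x20 bytes of carrier, then a PE-like blob encoded with xor_skip.
    exe = b'MZ\x00\x25\xff\xda' + bytes(range(256))
    return b'\x41' * 0x20 + xor_skip(exe)

if __name__ == '__main__':
    blob = build_sample()
    print(decode_at(blob, 0x20, 6 + 256)[:6])
```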

My analysis => Feb 20 CVE-2006-2492 MS Word w Trojan.Buzus.U Mainland Affairs Council list of the week itinerary from

"The exe is attached at offset 0x63A0 and XOR'ed with key 0xB9FEAC13, but only the first 564 bytes of the binary are XOR'ed; the rest of the file is unchanged. The file is dropped as "WinHttp.exe" in the %temp% directory. There is also one genuine doc file attached to the exploit, which starts at offset 0xC010. The size of the file is 45056 bytes. Note that doc headers start with "0xD0CF11E0", but the doc file attached to the exploit has headers starting with "0xCFD0E011". This means that when the doc file is dropped in %temp%, the shellcode replaces CF D0 E0 11 with D0 CF 11 E0."

Read the full analysis and download malware samples from Mila's blog::