Saturday, June 7, 2008

Analysis of the shellcode of SWF Exploit CVE-2007-0071


After the decryption code, it will search for the base address of kernel32.dll to get the addresses of the APIs that it will need.

As shown in the illustration it uses the Process Environment Block (PEB) to get the kernel32.dll's base address.

Here is a great explanation on PEB.

It goes to fs:[30] as its entry point to the PEB.

Here is a very good reference where the values in fs points to. Basically it is more of the Thread Information Block (TIB).




Once it gets the base address of kernel32.dll in memory, it will get all the API addresses it needs in the export address table.

kernel32.dll base address in XP is 77E60000.
(I reckon it depends on the version of XP, I will double check on this in a few days.)

So below is a list of APIs that it gets

kernel32.LoadLibraryA
kernel32.GetTempPathA
kernel32.DeleteFileA
kernel32.CreateProcessInternalA
kernel32.CreateProcessInternalW
kernel32.ExitThread
kernel32.VirtualProtect
kernel32.CompareFileTime
kernel32.GetSystemTimeAsFileTime

<.....>

It will also get the import table address. In this case it gets API addresses from the imported DLL of kernel32.dll, which is ntdll.dll.




It gets the addresses of the following APIs

NtCreateProcessEx - ntdll.ZwCreateProcessEx
NtWriteVirtualMemory - ntdll.ZwWriteVirtualMemory







Below you can see that it calls kernel32.LoadLibraryA API to load the urlmon.dll.
It used the JMP instruction instead of a direct CALL instruction to the API.



When this is debugged and you go inside kernel32.dll, you will see this in the stack.



It finds the address of the API urlmon.URLDownloadToFileA in urlmon.dll.

Then it changes the memory protection on the address of ntdll.ZwCreateProcessEx, ntdll.ZwWriteVirtualMemory and kernel32.CreateProcessInternalW to PAGE_EXECUTE_READ.

Then it gets the temporary path of the system and deletes the file orz.exe in the temporary path of the system to make sure the file will be the latest version.


In the figure below you can see that it calls the API urlmon.URLDownloadToFileA with the following parameters

Format
HRESULT URLDownloadToFile(
LPUNKNOWN pCaller,
LPCTSTR szURL,
LPCTSTR szFileName,
DWORD dwReserved,
LPBINDSTATUSCALLBACK lpfnCB
);
Relevant values

szURL = hxxp://mmlan . com . cn / mm . exe
szFileName = C:\DOCUME~1\username\LOCALS~1\Temp\ orz.exe




Then it executes the file using the kernel32.CreateProcessInternalA API.

That's it.

Enjoy your weekend.


No comments: