Thursday, June 5, 2008

Just a quick one on SWF Exploit - CVE-2007-0071

This will be a quick one ...

You can trace the exploit code dynamically by injecting it to an EXE file.

In this case I use calc.exe.

In hiew open calc.exe, then highlight starting from entry point up to the number of bytes you want to inject into it. (Highlight in hiew press * then select the bytes).

I just showed above highlighting the correct number of bytes. (Just make the EP = 0 and highlight up to 314h bytes)

Then you can press PutBlk - F2 to insert the exploit code which in my case starts in offset EC or with this instruction

000000EC: E965020000 jmp 000000356 --- (4)

It will look like this in calc.exe

The code starting from the entry point of calc.exe has been replaced with the exploit code.

<... insert update here...>

From here we can start our analysis.

No comments: