Wednesday, June 4, 2008

SWF Exploit - CVE-2007-0071 Part 2 (how to decrypt the encrypted part?)

Okay, I need to divide this to 3 parts because I do not have the time right now to explain this all at once. I have my day job which falls around 7am (if I am up too early) up to 9pm (if I am motivated and challenged), then my married life which is so great just had our anniversary 2 months ago which finishes my day up until 1am (well thats already the next day).

Alright lets get started.

Now that we have our DEFINEBITS section and found the decryption part, well how do i know that it is the start of the code? The answer is, the first chunk of the code makes no sense ... meaning the disassembled code reported by IDA in those part does n0t do anything relevant, so most probably the exploit may have pointed the Instruction Pointer (IP sometimes Intellectual Property ehheh) to the decryption part, specifically in the CALL instruction. So that one makes sense for me, if I am wrong I am more than happy if you will correct me.

As you can see in the decryption code it
1. pop ebx -> saves the value of the stack in ebx
2. xor ecx, ecx -> initializes ecx to zero, the counter
3. mov ax, 2943 -> moved 2943 to ax
4. xor [ebx+ecx*2], ax -> now this instruction decrypts the rest of the shellcode using the value in ax as the key
5. inc eax -> increments the key by one
6. inc ecx -> counter plus one
7. cmp cx, 164h -> checks if the counter is already 164h
8. go back to #4

so we will do the same using hiew, i will just change the eax register to edx because in hiew it puts the bytes in eax when doing the cryptset thing [F3 -> Ctrl+F7].

One more thing is we will start decrypting in the instruction after the CALL instruction. The reason for this is after the CALL, the value pushed in the stack is the address of the next instruction, in this case it is the STOSB instruction (offset EC), and that is the value of our EBX.

So this is how it will look.

then after that you can execute the cryptset and you will get this

you can see some readable strings in there and it is a URL ... most likely another malware.
Now save the file [F9], and I will explain the decrypted code ... maybe tomorrow.

I downloaded the file and the result is here

Threat Expert Report

Virustotal Report

Low AV detection 10/32 (31.25%)

Okay tomorrow I will show what the decrypted code do in the system.

Enjoy your day.

Hmnnn.. I also need to construct my resignation letter so I can pass it tomorrow. LOLz.

No comments: