Tuesday, June 3, 2008

SWF Exploit - CVE-2007-0071 Part 1

Last week there were a lot of malware cases that involved SWF files carrying this exploit.

> Vulnerability

Related blogs written by

> Dancho Danchev
> my former colleague in Trend Micro, Gerald Carsula, who now works in F-secure
> my colleague in PC Tools, Sergei Shevchenko

So here's a guide on how I did it ...

First you have to understand Mark Dowd's research paper on this vulnerability.

(I will skip the part about the negative number that makes the memory allocation malfunction.)

Based on this research, the shellcode will be in the DEFINEBITS section.

Excerpt from Mark Dowd's research paper
------------------------------------------------------------
So, the completed SWF file would look something like this:
[ SWF Header ]
[ Corrupt DefineSceneAndFrameLabelData tag ]
[ DefineBits tag with shellcode ] <--------- here it is
[ DoABC tag with malicious bytecode ]
[ ShowFrame tag ]

------------------------------------------------------------

So what I did was use the swfdump tool to give me the DEFINEBITS section.

You can get it here ... and it's free ... yeah, you read it right ... it's free.

From there I got this result
(you need to use > to redirect the output to a file)

swfdump -atpdu [filename] > logfile

continuation ....

Now just one more to show the SHOWFRAME tag; its tag code needs to be 1.

Again, an excerpt from Mark Dowd's research document
-------------------------------------------------------------------
Notice the last tag in this file is a “ShowFrame” tag (tag 0x01).

This is required for the methods in the DoABC tag to be executed.
-------------------------------------------------------------------

From there we will know at which offsets to start extracting the DEFINEBITS section...

So in this one it is at offset 1C to 41B. You can use your favorite hex editor to do this part; in my case I prefer to use the ever powerful hiew (well, that's just my opinion).

From there we can save it to a file.
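As an added example (not code from the original post, nor from swftools), a small Python SWF tag walker that automates the carving step above: it parses the RECORDHEADERs, lists each tag with its offsets, and pulls out the DefineBits bodies. The sample SWF it builds is constructed for the demo and holds filler bytes only, not shellcode.

```python
import struct
import zlib

# Tag codes from the SWF specification (those in Dowd's file layout)
TAG_NAMES = {0: "End", 1: "ShowFrame", 6: "DefineBits", 82: "DoABC", 86: "DefineSceneAndFrameLabelData"}

def swf_body(data):
    """Stream after the 8-byte header (CWS = zlib stream; FWS file offset = stream offset + 8)."""
    if data[:3] == b"FWS":
        return data[8:]
    if data[:3] == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("not a SWF file: %r" % data[:3])

def tag_list(body):
    """Walk the RECORDHEADERs; return (code, name, hdr_off, data_off, length)
    tuples, offsets relative to the uncompressed stream."""
    nbits = body[0] >> 3                          # RECT: 5-bit Nbits, 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4            # byte-padded RECT + rate/count
    tags = []
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        code, length, data_off = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                        # long form: UI32 length follows
            length = struct.unpack_from("<I", body, data_off)[0]
            data_off += 4
        tags.append((code, TAG_NAMES.get(code, "Tag%d" % code), pos, data_off, length))
        pos = data_off + length
        if code == 0:                             # End tag closes the stream
            break
    return tags

def extract_definebits(data):
    """[(character_id, payload)] per DefineBits (tag 6): the bytes carved by hand above."""
    body, out = swf_body(data), []
    for code, _, _, data_off, length in tag_list(body):
        if code == 6 and length >= 2:
            cid = struct.unpack_from("<H", body, data_off)[0]
            out.append((cid, body[data_off + 2:data_off + length]))
    return out

def build_sample_swf():
    """Constructed FWS: RECT with Nbits=0, 24 fps, 1 frame, a DefineBits tag
    holding 70 dummy bytes (NOT shellcode; forces the long header), ShowFrame, End."""
    definebits = struct.pack("<H", 1) + b"\xcc" * 70      # CharacterID 1 + data
    stream = struct.pack("<HI", (6 << 6) | 0x3F, len(definebits)) + definebits
    stream += struct.pack("<HH", (1 << 6) | 0, 0)          # ShowFrame, End
    body = b"\x00" + struct.pack("<HH", 24 << 8, 1) + stream
    return b"FWS" + bytes([9]) + struct.pack("<I", 8 + len(body)) + body
```

Add 8 to the reported offsets to get the file offsets for an FWS file; for CWS the stream is compressed, so carve from the decompressed body instead.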

Now the extracted file can be loaded in IDA Pro.
Do not forget, it should be disassembled in 32-bit mode.

Well, that's just the decryptor code.

I will do the decryption tomorrow ... see yah ...