9:31 a.m.
Hello All,
I have published a new blog post analyzing the encrypted shellcode from
the main CVE-2014-0502 attack:
http://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0…
It goes through some functionality of the malicious Flash file followed
by analysis of the shellcode used within the encrypted GIF.
This attack's particular use of a malicious Flash file along with an
"encrypted" GIF shows some of the complexity of modern attacks, and
highlights the diverse set of skills needed to analyze the attacks
(Flash reversing, binary shellcode reversing, and understanding
exploitation techniques, such as ROP, ALSR bypass, etc.). This
particular attack was also noticeable because of how many different
companies published public research on it (I have references in the blog).
I hope that you enjoy the blog post and potentially learn something from
it. I am happy that my anonymous friend allowed me to publish the research.
--
Thanks,
Andrew (@attrc)
9:55 a.m.
Hi Andrew,
Just some comments about the "decompiled" code. Usually, it's easier to
make it more readable as proper standard C code for the reader - using user
defined structures, high-level functions (RtlUshortByteSwap), etc.
I attached an example below for the "stage1" function as an example.
I also name structure as "MYSTRUCT1" when I don't know what they do or
"UCHAR u0C[0x10];" when I know the offset (0xC) but don't know what they do
either, until I figure out and rename them later. It's quite a useful
methodology when working on large project, that's what makes the difference
between a human and Hex-Rays :-)
typedef struct _DECRYPTDATA {
UCHAR DecryptionRoutine[0x1f]; // Contains Stage1 code
USHORT EncodedCode[0x900]; // Contains the "encoded" code to be executed
} DECRYPTDATA, *PDECRYPTDATA;
VOID
DecodeData(
)
{
INT i;
// PDECRYPTDATA Input points to the current address. Or the equivalent of
&Stage1.
for (i = 0; i < sizeof(Input->EncodedCode)); i++)
{
Input->EncodedCode[i] = RtlUshortByteSwap(Input->EncodedCode[i]);
}
//
// What's following the decryption routine is the encoded code
(Input->EncodedCode)
// Soon to be decrypted, by the above routine.
//
_asm _emit 0xEE
_asm _emit 0xD9
_asm _emit 0x74
_asm _emit 0xD9
// [...]
}
Matthieu Suiche
On Tue, Apr 8, 2014 at 2:31 PM, Andrew Case <atcuno(a)gmail.com> wrote:
Hello All,
I have published a new blog post analyzing the encrypted shellcode from
the main CVE-2014-0502 attack:
http://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0…
It goes through some functionality of the malicious Flash file followed
by analysis of the shellcode used within the encrypted GIF.
This attack's particular use of a malicious Flash file along with an
"encrypted" GIF shows some of the complexity of modern attacks, and
highlights the diverse set of skills needed to analyze the attacks
(Flash reversing, binary shellcode reversing, and understanding
exploitation techniques, such as ROP, ALSR bypass, etc.). This
particular attack was also noticeable because of how many different
companies published public research on it (I have references in the blog).
I hope that you enjoy the blog post and potentially learn something from
it. I am happy that my anonymous friend allowed me to publish the research.
--
Thanks,
Andrew (@attrc)
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
3873
days inactive
3873
days old
vol-users@lists.volatilityfoundation.org
1 comments
2 participants
participants (2)
-
Andrew Case -
Matthieu Suiche