Starting again with a pile of shellcode, one that the bad guys were even friendly enough to label as such in JavaScript. Using the same method as before, we take a look at what's inside:

    $ cat bad.js | perl -pe 's/\%u(..)(..)/chr(hex($2)).chr(hex($1))/ge' | hexdump -C | more
    00000000  20 20 20 20 76 61 72 20  53 68 65 6c 6c 63 6f 64  |    var Shellcod|
    000000c0  3e e6 12 c1 1b 43 fd 77  13 cc d6 10 0e e5 4b f6  |>æ.Á.Cýw.ÌÖ..åKö|

Hmm. No URL to be seen. One can guess, though, that there is a URL in there, at the end of the block. URLs have a tell-tale pattern: most start with "http://www", so a character sequence of the shape "abbcdeefff" (the same characters repeated in the same positions) is most often the start of an encoded URL, because any byte-by-byte transform with a fixed key preserves that repetition. In our case above, sww{E22zzz meets this pattern.

The most basic obfuscation used is a simple XOR operation. Finding those is easy enough; you can use a tool like XORSearch, which we have covered in an earlier diary. It doesn't work here, though. This ain't XOR.

So what's next? Two ways. Either we run the exploit on a vulnerable system and find out what it does (so-called "dynamic analysis"), or we take things one step further with what the Unix command line has to offer and continue with "static analysis". I'm all for the command line!

First, we need to turn the shellcode into something that a Unix disassembler can understand. To do so, we take the above code block starting with the 90 90 90 90 sequence (saved as bad.bin) and turn it into a C array:

    $ cat bad.bin | perl -0777 -ne 's/(.)/printf "0x%02x,",ord($1)/gse' > bad.c

(-0777 and the s flag make perl treat the whole file as one record, so 0x0a bytes in the shellcode are not silently dropped as line separators.) This leaves us with

    0x90,0x90,0x90,0x90,0x90,0x33,0xc0,0x33,0xc9,0xeb,0x12,0x5e,0x66 ....

which is in a nice format to paste into a small C program (the array sits outside main so that objdump -D shows its bytes as code rather than as the stores that would initialize a local variable):

    unsigned char shellcode[] = {
        0x90,0x90,0x90,0x90,0x90,0x33,0xc0,0x33,0xc9,0xeb,0x12,0x5e,0x66 /* ... rest of the bytes ... */
    };

    int main() {
        return 0;
    }

This compiles nicely by using

    $ gcc -O0 -fno-inline bad.c -o bad

(the output is deliberately not named bad.bin, so the raw shellcode file is not overwritten) which in turn can be disassembled by using

    $ objdump --disassembler-options=intel -D bad

The result of this operation is Intel assembly code. If you are used to reverse engineering malware in, say, OllyDbg, this will be quite readable for you. If not, then ... well, not :). A stretch down the assembly pile, we find the following code block

This is the byte sequence that we imported from the shellcode. And lookie, it appears as if someone is looping over the block and subtracting 7 from every byte before XORing it with 4. Let's try:

    $ cat bad.bin | perl -0777 -pe 's/(.)/chr((ord($1)-7)^4)/gse' | hexdump -C
    00000000  c2 8d c2 8d c2 8d c2 8d  c2 8d 28 c2 bd 28 c3 86  |Â.Â.Â.Â.Â.(½(Ã.|
    000001b0  bf bf bf bf bf bf bf bf  bf c2 8e 4e 0e c3 ac c3  |¿¿¿¿¿¿¿¿¿Â.N.ìÃ|

And here is the URL of our next stage in all its questionable glory! Before you start sinking hour after hour into trying to find URLs in shellcode, here's the caveat: not all shellcode contains URLs, and it is rather hard to find something that isn't there. But if there IS a URL in the shellcode, the above should help you find it, without actually having to run the evil code.
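The whole pipeline in one place, as an added Python example that is not from the diary: decode the %u escapes of the JavaScript string, scan the bytes for the "abbcdeefff" shape of "http://www", and apply the (byte - 7) XOR 4 decoder recovered from the disassembly. The sample blob, the decoder inverse used to build it and the .invalid URL inside it are constructed here for the demonstration.

```python
import re
from typing import List, Optional


def decode_unicode_escapes(js_text: str) -> bytes:
    """%uXXYY escapes to bytes, low byte first (what the first perl one-liner does)."""
    out = bytearray()
    for hi, lo in re.findall(r"%u([0-9a-fA-F]{2})([0-9a-fA-F]{2})", js_text):
        out += bytes([int(lo, 16), int(hi, 16)])
    return bytes(out)


def find_pattern(data: bytes, template: str = "abbcdeefff") -> List[int]:
    """Offsets where data has the repetition shape of template.

    "abbcdeefff" is the shape of "http://www": positions that share a letter
    must hold the same byte, positions with different letters different bytes.
    Any fixed-key byte-wise encoding keeps that shape, so it stands out."""
    hits = []
    n = len(template)
    for i in range(len(data) - n + 1):
        seen = {}
        ok = all(seen.setdefault(c, b) == b for c, b in zip(template, data[i:i + n]))
        if ok and len(set(seen.values())) == len(seen):
            hits.append(i)
    return hits


def decode_stage(data: bytes) -> bytes:
    """The decoder loop recovered from the disassembly: (byte - 7) XOR 4."""
    return bytes((((b - 7) & 0xFF) ^ 4) for b in data)


def extract_url(data: bytes) -> Optional[str]:
    """Decode from the first pattern hit and stop at the NUL terminator."""
    hits = find_pattern(data)
    if not hits:
        return None
    decoded = decode_stage(data[hits[0]:])
    return decoded.split(b"\x00", 1)[0].decode("ascii", errors="replace")


# --- constructed sample (not the diary's blob): NOP sled, a few bytes, encoded URL
def encode_stage(data: bytes) -> bytes:
    """Inverse of decode_stage; only used to build the sample."""
    return bytes((((b ^ 4) + 7) & 0xFF) for b in data)


SAMPLE_URL = b"http://www.example.invalid/stage2.bin"  # placeholder, constructed
SAMPLE_BLOB = b"\x90" * 6 + b"\x33\xc0\x33\xc9" + encode_stage(SAMPLE_URL + b"\x00")
SAMPLE_JS = "".join(f"%u{SAMPLE_BLOB[i + 1]:02x}{SAMPLE_BLOB[i]:02x}"
                    for i in range(0, len(SAMPLE_BLOB), 2))

if __name__ == "__main__":
    blob = decode_unicode_escapes(SAMPLE_JS)
    for off in find_pattern(blob):
        print(f"candidate at offset {off}: {blob[off:off + 10]!r}")
    print("decoded URL:", extract_url(blob))
```

Running it prints the candidate b'sww{E22zzz' at offset 10, the same shape the diary spotted in the real dump, and the decoded placeholder URL.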
Daniel, ISC Handler, Sep 3rd 2008