Tools Needed
- SWFTools
- Disassembler - IDA Pro for static analysis
- Debugger - OllyDbg for dynamic analysis
- Hackers View (Hiew) for hex view
- UltraEdit for generating the shellcode
The analysis is divided into 2 parts. The first part will explain the decompress the SWF file and extract embedded exploited SWF file. After that it will be followed by how to locate and extract the obfuscated shellcode.
The second part will explain how to deofuscate the shellcode and its payload.
Analysis of SWF
This is the screenshot of the original exploit SWF file to give you an image on how does the file looks like:
It is totally unreadable huh! ;) That is because the SWF file was compressed by looking at the first 3 bytes CWS. We can dump tag by using swfdump.exe from SWFTools:
C:\bin\swftools\swfdump.exe -atpdu flash.$wf > flash.swf.swfdump
Output:
continuation...
Notice that there are a number of pushstring commands, which are the hex code of the exploited SWF files. They will generate the same exploited SWF file. Extract one of the hex string from the pushstring commands into UltraEdit, like this:
Copy and paste the hex string and press a SAPCEBAR (yes, a SPACEBAR!!!) to create a hex code 20. After that press Ctrl + H to switch to hex mode:
Double click 20 and press Ctrl + R to replace the space with hex string:
Click Replace All button and the result would be:
Under Hiew:
It is now more readable right ;)
Now we can use swfdump.exe again to see the tag and we need to find DEFINEBITS section where the shellcode is located:
C:\bin\swftools\swfdump.exe -atpdu exploit_swf > exploit_swf.swfdump
Output:
From the DEFINEBITS section, we can know the starting offset of the shellcode as well as its end offset:
[image continuation]
So we should find offset from aa 02 34 d1 to 11 67 8a 37 using your any hex editors as you like:
continuation:
And the obfuscated shellcode looks like this:
Conclusion
We got the shellcode from the exploited SWF but we still do not know what its payloads. In the next section, I will explain how to deofuscate the shellcode by looking for the "key" in order to deobfuscate it and some common techniques used in shellcode like using PEB to find the kernel32.dll and then looking for the address of LoadLibrary to load the necessary APIs in order to execute its payload.
To be continued...
3 comments:
Nice one
Thanks!
Second part will be coming soon. Stay tuned.... ;)
sure ... i will be waiting ..
Post a Comment