Wilders Security Forums  

  #1  
Old April 20th, 2012, 03:45 PM
ronjor
Global Moderator
Join Date: Jul 2003
Location: Texas
Posts: 46,189
Analysis of the Eleonore exploit pack shellcode

Quote:
msft-mmpc
20 Apr 2012 12:03 PM

'Eleonore' is a malware package that contains a collection of exploits used to compromise web pages. When the compromised web pages are viewed via vulnerable systems, the exploit payload is run. Eleonore is purchased by an attacker from an underground website. The attacker then gains access to Internet web servers and installs the exploit by modifying webpages, which are then served to the public. The malware pack also contains functionality for the tracking and management of compromised computers.
https://blogs.technet.com/b/mmpc/arc...edirected=true
  #2  
Old April 20th, 2012, 07:05 PM
Rmus
Exploit Analyst
Join Date: Mar 2005
Posts: 3,624
Re: Analysis of the Eleonore exploit pack shellcode

Very revealing!

In the "Everything goes round and round" and "Is there anything new" departments, I quote first from the msft-mmpc analysis:

Analysis of the Eleonore exploit pack shellcode
https://blogs.technet.com/b/mmpc/arc...edirected=true
Quote:
Eleonore shellcode locates kernel32.dll in an exploited process space...

With access to these functions, the shellcode creates a file in the temporary files folder (%TEMP%) and calls URLDownloadToFile with a URL that is 0x67 bytes after the shellcode. The shellcode then executes that file.
And from a threatfire blog analysis from 2007:

Shellcode analysis - download n' exec (Analysis of wmf file buffer overflow)
http://blog.threatfire.com/2007/12/s...ad-n-exec.html
Quote:
Stepping into the instructions with f7 now reveals the code searching for kernel32's location in the process...

It loads urlmon and finds URLDownloadToFileA. These calls all tell us that this shellcode's functionality is download and execute - and we can observe the url strings that the code is communicating with.
Use of URLDownloadToFileA precedes the WMF exploit. It was noticed as early as 2004 in the ANI cursor exploit:

Code:
[animated cursor exploit] animated cursor file (1.ani): urlmon.dll_URLDownloadToFileA_WinExec_hXXp://kunsthandel-scheider.de/daten/dlle.exe
And beginning in 2008 with the PDF exploits:

Code:
[PDF Wepawet] URLMON.DLL. URL DownloadToFileA. hXXp://XXXXXX.cn/load.php?
The filename "load" has always been popular, for some reason.

Continuing from the mmpc analysis:
Quote:
The shellcode ends here as "load.exe" begins, with the affected computer now compromised.

----
rich
 

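Added example, not from the thread or either quoted blog: a small Python triage scan for the plain-text download-and-execute markers the posts above list (urlmon.dll, URLDownloadToFileA, WinExec, and a URL trailing the code), run over constructed sample buffers and reporting URLs in the thread's hXXp:// form together with their byte offset. The function names, the verdict labels and the example.invalid domain are assumptions.

```python
import re
from dataclasses import dataclass, field

# Plain-text markers the thread's analyses associate with download-and-execute
# shellcode. Shellcode that resolves imports by hash carries none of these
# strings, so this is a first-pass triage scan, not a complete detector.
LIBS = (b"urlmon.dll", b"kernel32.dll")
FETCH_APIS = (b"URLDownloadToFileA", b"URLDownloadToFileW")
EXEC_APIS = (b"WinExec", b"CreateProcessA", b"ShellExecuteA")
URL_RE = re.compile(rb"(?i)h(?:tt|xx)ps?://[\x21-\x7e]+")  # stops at non-printable

# Constructed sample buffers (not real malware), shaped like the strings quoted
# in the thread; example.invalid is a reserved domain that never resolves.
SAMPLES = {
    "ani_like": b"\x90" * 8 + b"urlmon.dll\x00URLDownloadToFileA\x00WinExec\x00"
                + b"http://example.invalid/daten/dlle.exe\x00",
    "pdf_like": b"URLMON.DLL\x00URLDownloadToFileA\x00http://example.invalid/load.php?\x00",
    "benign": b"A document that merely mentions kernel32.dll in its text.",
}

@dataclass
class Finding:
    libs: list = field(default_factory=list)
    apis: list = field(default_factory=list)
    urls: list = field(default_factory=list)  # (byte offset, defanged URL)
    verdict: str = "clean"

def defang(url: str) -> str:
    # Report URLs in the hXXp:// form used in the thread so reports are not clickable.
    return re.sub(r"(?i)^http", "hXXp", url)

def scan(buf: bytes) -> Finding:
    f = Finding()
    f.libs = [lib.decode() for lib in LIBS if lib in buf.lower()]
    f.apis = [api.decode() for api in FETCH_APIS + EXEC_APIS if api in buf]
    for m in URL_RE.finditer(buf):
        f.urls.append((m.start(), defang(m.group().decode("ascii", "replace"))))
    has_fetch = any(api in buf for api in FETCH_APIS)
    has_exec = any(api in buf for api in EXEC_APIS)
    if has_fetch and has_exec and f.urls:
        f.verdict = "download-and-execute"  # fetch API + execute API + a URL
    elif has_fetch or f.urls:
        f.verdict = "suspicious"  # partial pattern, worth a closer look
    return f

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        f = scan(buf)
        print(f"{name}: {f.verdict}; libs={f.libs} apis={f.apis} urls={f.urls}")
```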