Analysis of the Eleonore exploit pack shellcode

Discussion in 'malware problems & news' started by ronjor, Apr 20, 2012.

Thread Status:
Not open for further replies.
  1. ronjor (Global Moderator)

    https://blogs.technet.com/b/mmpc/ar...e-exploit-pack-shellcode.aspx?Redirected=true
  2. Rmus (Exploit Analyst)

    Very revealing!

    In the "Everything goes round and round" and "Is there anything new" departments, I quote first from the msft-mmpc analysis:

    Analysis of the Eleonore exploit pack shellcode
    https://blogs.technet.com/b/mmpc/ar...e-exploit-pack-shellcode.aspx?Redirected=true
    And from a threatfire blog analysis from 2007:

    Shellcode analysis - download n' exec (Analysis of wmf file buffer overflow)
    http://blog.threatfire.com/2007/12/shellcode-analysis-download-n-exec.html
    Use of URLDownloadToFileA precedes the WMF exploit. It was noticed as early as 2004 in the ANI cursor exploit:

    Code:
    [animated cursor exploit] 
    animated cursor file (1.ani):
    
    urlmon.dll_URLDownloadToFileA_WinExec_hXXp://kunsthandel-scheider.de/daten/dlle.exe
    
    And beginning in 2008 with the PDF exploits:

    Code:
    [PDF Wepawet]
    
    URLMON.DLL. URL DownloadToFileA. hXXp://XXXXXX.cn/load.php?
    
    The filename "load" has always been popular, for some reason.

    Continuing from the mmpc analysis:
    ----
    rich
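The indicator strings quoted in the post above (urlmon.dll, URLDownloadToFileA, WinExec, a hXXp:// URL ending in load.php) are exactly what a triage script can look for. The scanner below is an added example written for this thread; it is not code from the MMPC or ThreatFire write-ups. It assumes the download-and-execute payload carries its API names in the clear, as UTF-16, or under a single-byte XOR encoder, and the sample buffers and the example.invalid URL are constructed placeholders, not indicators from the posts.

```python
import re

# Strings a download-and-execute payload usually carries verbatim (or under a
# trivial encoder) because it resolves the APIs by name at run time.
API_MARKERS = (
    b"urlmon.dll",
    b"URLDownloadToFileA",
    b"WinExec",
    b"CreateProcessA",
    b"ShellExecuteA",
)
EXEC_MARKERS = {"WinExec", "CreateProcessA", "ShellExecuteA"}

URL_RE_BYTES = re.compile(rb"https?://[\x21-\x7e]{4,}")
URL_RE_TEXT = re.compile(r"https?://[\x21-\x7e]{4,}")


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Single-byte XOR, the encoder most often seen on shellcode of this era."""
    return bytes(b ^ key for b in buf)


def defang(url: str) -> str:
    """Write URLs as hXXp://... (the convention used in the posts) so an
    indicator list is not clickable."""
    return re.sub(r"^http", "hXXp", url, flags=re.IGNORECASE)


def find_markers(plain: bytes) -> list:
    """API/library names present as ASCII or UTF-16LE, in marker order."""
    hits = []
    for marker in API_MARKERS:
        wide = marker.decode("ascii").encode("utf-16-le")
        if marker in plain or wide in plain:
            hits.append(marker.decode("ascii"))
    return hits


def find_urls(plain: bytes) -> list:
    """Defanged URLs found as ASCII or UTF-16LE text."""
    urls = [m.decode("ascii") for m in URL_RE_BYTES.findall(plain)]
    urls += URL_RE_TEXT.findall(plain.decode("utf-16-le", errors="ignore"))
    return [defang(u) for u in urls]


def scan(buf: bytes) -> dict:
    """Try the buffer as-is and under every single-byte XOR key, and report
    the decoding that exposes the most API strings (key 0 wins ties)."""
    best = {"xor_key": 0, "apis": [], "urls": [], "download_exec": False}
    for key in range(256):
        plain = buf if key == 0 else xor_bytes(buf, key)
        apis = find_markers(plain)
        if len(apis) <= len(best["apis"]):
            continue
        best = {
            "xor_key": key,
            "apis": apis,
            "urls": find_urls(plain),
            # download-n-exec: fetch via URLDownloadToFileA, then run it
            "download_exec": "URLDownloadToFileA" in apis
            and bool(EXEC_MARKERS.intersection(apis)),
        }
    return best


# Constructed sample inputs (placeholder URL, not one from the posts).
SAMPLE_PLAIN = (
    b"\x90" * 16
    + b"urlmon.dll\x00URLDownloadToFileA\x00WinExec\x00"
    + b"http://example.invalid/load.php?id=1\x00"
)
SAMPLE_XORED = xor_bytes(SAMPLE_PLAIN, 0x41)
SAMPLE_WIDE = (
    "urlmon.dll\0URLDownloadToFileA\0WinExec\0"
    "http://example.invalid/load.php\0"
).encode("utf-16-le")
SAMPLE_BENIGN = b"MZ\x90\x00This program cannot be run in DOS mode.\r\n"

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PLAIN), ("xored", SAMPLE_XORED),
                       ("wide", SAMPLE_WIDE), ("benign", SAMPLE_BENIGN)):
        print(name, scan(blob))
```

The XOR brute force is cheap on shellcode-sized buffers and catches the common one-byte encoders; payloads that resolve APIs by hash rather than by name, or use multi-byte keys, will not show up and need the emulator-style analysis the linked write-ups describe.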