Analysis of the Eleonore exploit pack shellcode

Discussion in 'malware problems & news' started by ronjor, Apr 20, 2012.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    69,482
    Location:
    Texas
    https://blogs.technet.com/b/mmpc/ar...e-exploit-pack-shellcode.aspx?Redirected=true
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    Very revealing!

    In the "Everything goes round and round" and "Is there anything new" departments, I quote first from the msft-mmpc analysis:

    Analysis of the Eleonore exploit pack shellcode
    https://blogs.technet.com/b/mmpc/ar...e-exploit-pack-shellcode.aspx?Redirected=true
    And from a threafire blog analysis from 2007:

    Shellcode analysis - download n' exec (Analysis of wmf file buffer overflow)
    http://blog.threatfire.com/2007/12/shellcode-analysis-download-n-exec.html
    Use of URLDownloadToFileA precedes the WMF exploit. It was noticed as early as 2004 in the ANI cursor exploit:

    Code:
    [animated cursor exploit] 
    animated cursor file (1.ani):
    
    urlmon.dll_URLDownloadToFileA_WinExec_hXXp://kunsthandel-scheider.de/daten/dlle.exe
    
    And beginning in 2008 with the PDF exploits:

    Code:
    [PDF Wepawet]
    
    URLMON.DLL. URL DownloadToFileA. hXXp://XXXXXX.cn/load.php?
    
    The filename "load" has always been popular, for some reason.

    Continuing from the mmpc analysis:
    ----
    rich
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.