Analysis of the Eleonore exploit pack shellcode

ronjor · Apr 20, 2012

msft-mmpc
20 Apr 2012 12:03 PM

'Eleonore' is a malware package that contains a collection of exploits used to compromise web pages. When the compromised web pages are viewed via vulnerable systems, the exploit payload is run. Eleonore is purchased by an attacker from an underground website. The attacker then gains access to Internet web servers and installs the exploit by modifying webpages, which are then served to the public. The malware pack also contains functionality for the tracking and management of compromised computers.
Click to expand...

https://blogs.technet.com/b/mmpc/ar...e-exploit-pack-shellcode.aspx?Redirected=true

Rmus · Apr 20, 2012

Very revealing!

In the "Everything goes round and round" and "Is there anything new" departments, I quote first from the msft-mmpc analysis:

Analysis of the Eleonore exploit pack shellcode
https://blogs.technet.com/b/mmpc/ar...e-exploit-pack-shellcode.aspx?Redirected=true

Eleonore shellcode locates kernel32.dll in an exploited process space...

With access to these functions, the shellcode creates a file in the temporary files folder (%TEMP%) and calls URLDownloadToFile with a URL that is 0x67 bytes after the shellcode. The shellcode then executes that file.
Click to expand...

And from a threafire blog analysis from 2007:

Shellcode analysis - download n' exec (Analysis of wmf file buffer overflow)
http://blog.threatfire.com/2007/12/shellcode-analysis-download-n-exec.html

Stepping into the instructions with f7 now reveals the code searching for kernel32's location in the process...

It loads urlmon and finds URLDownloadToFileA. These calls all tell us that this shellcode's functionality is download and execute - and we can observe the url strings that the code is communicating with.
Click to expand...

Use of URLDownloadToFileA precedes the WMF exploit. It was noticed as early as 2004 in the ANI cursor exploit:
Code:
[animated cursor exploit] 
animated cursor file (1.ani):

urlmon.dll_URLDownloadToFileA_WinExec_hXXp://kunsthandel-scheider.de/daten/dlle.exe
And beginning in 2008 with the PDF exploits:
Code:
[PDF Wepawet]

URLMON.DLL. URL DownloadToFileA. hXXp://XXXXXX.cn/load.php?
The filename "load" has always been popular, for some reason.

Continuing from the mmpc analysis:

The shellcode ends here as "load.exe" begins, with the affected computer now compromised.
Click to expand...

----
rich

Log in or Sign up

Analysis of the Eleonore exploit pack shellcode

ronjor Global Moderator

Rmus Exploit Analyst

Log in or Sign up

Analysis of the Eleonore exploit pack shellcode

ronjor Global Moderator

Rmus Exploit Analyst

Useful Searches