Topic: Need some help analyzing this jpeg (Read 3872 times)

July 02, 2009, 04:11:54 pm

h4h4h4h4 (Jr. Member)
Hey guys, how's it going,

I found a jpeg with the Microsoft GDI exploit in it.  I sent the file to VirusTotal and it's 6/40 for jpeg exploit.  I'm trying to see what the exploit is and what it's trying to do so I can learn.

I used a program called BinarySplit and split the jpeg into 5 parts to pinpoint the 'bad' area.  I re-sent all 5 files to VirusTotal and the first 1/5th of the file is where this exploit apparently is, because that file came back the same 6/40.

I have attached this split jpeg section that apparently includes the exploit.   It's zipped with password 'infected'.  It shouldn't even be able to run the file since it's not the complete jpeg, but I wanted to be safe anyway.

I tried looking in a hex editor, XORSearching for the http string in case there's XOR'd shellcode, and no dice.

If anyone could help me pinpoint some tools or take a look at the file I would appreciate it. :)

Thanks!


July 03, 2009, 10:35:24 am
Reply #1

philipp (Special Members, Sr. Member)
Hi,

First of all, I am not very familiar with this exploit.
From what I know, there was a buffer overflow vulnerability in GDI+ when parsing the comment section (marker FFFE) of JPEG files.

Anyway, in this case it seems the JFIF section (marker FFE0) is being crafted for buffer overflow. The two bytes after this marker indicate the length of the section (including itself), so they should be a minimum of 2. In this image though, they are set to 0:
00000000  ff d8 ff e0 00 00 00 00  00 00 00 00 00 00 00 00  |................|

This is being detected by (few) AV vendors.
I think the shellcode you are looking for is somewhere at the end of the image. So if you can share the whole file, it would be greatly appreciated.

Sorry if this wasn't too helpful and/or incorrect!
Regards,
Philipp

ref:
http://www.obrador.com/essentialjpeg/headerinfo.htm
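As an added illustration (not code from the thread or from its attachment): a small Python walker over JPEG marker segments that flags exactly the condition philipp points at, a segment length field below the 2-byte minimum. Both inputs are constructed byte strings, not the posted file; the first reproduces the 16 bytes in his hex dump, the second is a hypothetical well-formed header for comparison.

```python
import struct

# Constructed sample: SOI, then an APP0/JFIF marker whose 2-byte length is 0
# instead of the minimum 2 (the bytes shown in the thread). Not the real file.
MALFORMED_HEADER = bytes.fromhex("ffd8ffe0" + "00" * 12)

# Constructed well-formed counterpart: SOI, APP0 (length 16, minimal JFIF
# payload), a COM (FFFE) segment, then EOI. Header only, not a decodable image.
WELL_FORMED = (
    bytes.fromhex("ffd8")
    + bytes.fromhex("ffe0") + struct.pack(">H", 16)
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + bytes.fromhex("fffe") + struct.pack(">H", 7) + b"hello"
    + bytes.fromhex("ffd9")
)

def walk_segments(data):
    """Walk JPEG header segments up to SOS/EOI.

    Returns (segments, findings): segments is a list of
    (offset, marker_byte, declared_length); findings lists anomalies such as
    a length field < 2, impossible because the length counts its own 2 bytes.
    """
    segments, findings = [], []
    if data[:2] != b"\xff\xd8":
        findings.append("missing SOI marker at offset 0")
        return segments, findings
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker at offset {pos}, got {data[pos]:#04x}")
            break
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS carry no header length; stop here
            segments.append((pos, marker, None))
            break
        if pos + 4 > len(data):
            findings.append(f"truncated length field for 0xff{marker:02x} at offset {pos}")
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((pos, marker, length))
        if length < 2:
            # The condition from the thread: FFE0 followed by 00 00.
            findings.append(f"marker 0xff{marker:02x} at offset {pos} declares length {length} (< 2)")
            break  # cannot advance safely; a naive parser would loop or underflow here
        if pos + 2 + length > len(data):
            findings.append(f"marker 0xff{marker:02x} at offset {pos} declares length {length} past end of file")
            break
        pos += 2 + length
    return segments, findings
```

Running it over a suspect file gives a quick triage signal before any image library is allowed to parse the bytes.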

July 14, 2009, 07:26:41 pm
Reply #2

h4h4h4h4 (Jr. Member)
Awesome, thanks philipp.  Your post helped a lot.  I wanted to find the shellcode in the exploit to find the phone-home or download location.  I'm attaching the whole file so we can pinpoint the shellcode.  Password for the zip archive is 'infected'.

Thanks again,
