Monday, March 18, 2013

Vulnerability exploit found in ukpornblog.net/wp-content/uploads/2009/04/uk-gangbang_1.bmp


Vulnerability exploit found in ukpornblog.net/wp-content/uploads/2009/04/uk-gangbang_1.bmp


The full investigation report can be found here.

======== Payload investigation statistics ========
Suspicious payload offset: 201798

Emulation attribute name                Value
=======================================================
WRITES_TO_PROCESS_STACK_MEMORY          13
BUFFER_INSIDE_WRITES_COUNT              0
REFERENCES_TO_PROCESS_INTERNALS         0
BUFFER_OUTSIDE_WRITES_COUNT             1
FAR_JUMPS_COUNT                         0
FULLY_INITIALIZED_INSTRUCTIONS          93
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES      1
PROC_CALLS_INSIDE_INV_BUFFER            0
BUFFER_OUTSIDE_READS_COUNT              2
UNDEFINED_DIRECT_CALLS                  0
JUMPS_INSIDE_INV_BUFFER                 0
CORRECTLY_PARSED_INSTRUCTIONS           100
MEMORY_MODIFYING_MATH_INSTRUCTIONS      0
BUFFER_INSIDE_READS_COUNT               0
SYSTEM_CALLS_COUNT                      0
UNRECOGNIZED_CALL_TARGETS               1
REFERENCES_TO_PROCESS_IMPORTS           0
CORRECT_PROCEDURES_CALLS                0
EIP_RETRIEVAL_INSTRUCTIONS              0
JUMPS_TO_PROCESS_INTERNALS              0
EXECUTED_ARITHMETIC_INSTRUCTIONS        30
CALLS_TARGETED_IMPORTS_SECTION          0
UNRECOGNIZED_JUMP_TARGETS               0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS     55
REFERENCES_TO_PROCESS_EXPORTS           0
EXECUTES_BITS_OPERATING_INSTRUCTIONS    0
IMMEDIATE_OPERANDS_INSTRUCTIONS         0
INDIRECT_BUFFER_REFERENCES              22
MAX_WRITTEN_MEMORY_BLOCK                0
CORRECTLY_EXECUTED_INSTRUCTIONS         91
READS_FROM_PROCESS_STACK_MEMORY         17
CALLS_TARGETED_EXPORTS_SECTION          0
-------------------------------------------------------
More about the Quttera investigation engine here.


 ======== Detection disassembly ======== 

; Emulator trace emitted by the scanner for the bytes at the reported payload offset (201798).
; Each line reads MNEMONIC OPERANDS (value). The bracketed value looks like the operand's
; content BEFORE the instruction executes: INC EBP reads 0x0 on its first occurrence and 0x1 on
; its second, DEC EBX reads 0x200 and the following PUSH EBX reads 0x1FF — TODO confirm against
; the engine's documentation.
; NOTE(review): almost every instruction here is a single-byte INC/DEC/PUSH/POP. Those are the
; opcodes that printable ASCII letters decode to (e.g. PUSH ESI / INC EBX / INC ESP is the byte
; sequence 56 43 44, ASCII "VCD"), and the statistics above report no system calls, no
; import/export references and no EIP-retrieval idiom. That pattern is consistent with image
; data being mis-read as code rather than with a working payload; inspect the raw bytes at the
; offset before treating the file as compromised.
PUSH ESI (0x00000000)                                                           ; 56 'V'
INC EBX (0x00000000)                                                            ; 43 'C'
INC ESP (0x0A26352B)                                                            ; 44 'D' — note the emulated ESP itself is being stepped by these bytes
PUSH ESI (0x00000000)                                                           
INC EBP (0x00000000)                                                            ; EBP = 0 before this INC
INC ESP (0x0A263528)                                                            
PUSH ESI (0x00000000)                                                           
INC EBP (0x00000001)                                                            ; EBP = 1 here, i.e. the value shown is the pre-execution one
INC ESP (0x0A263525)                                                            
PUSH ESI (0x00000000)                                                           
DEC EBX (0x00000001)                                                            
INC ESI (0x00000000)                                                            
POP EBX (0x00000000)                                                            
PUSH ESP (0x0A263526)                                                           
DEC EDI (0x00000000)                                                            
PUSH EBP (0x00000002)                                                           
PUSH EAX (0x00000000)                                                           
DEC SI (0x0001)                                                                 ; 16-bit operand form: an operand-size prefix byte precedes this opcode in the stream
DEC ECX (0x00000000)                                                            
POP EDI (0xFFFFFFFF)                                                            
DEC ESP (0x0A26351E)                                                            
DEC EAX (0x00000000)                                                            
POP EBX (0x00000000)                                                            
DEC EDX (0x00000000)                                                            
INC ESI (0x00000001)                                                            
POP EAX (0xFFFFFFFF)                                                            
DEC EAX (0x26352600)                                                            
INC EDX (0xFFFFFFFF)                                                            
PUSH EBP (0x00000002)                                                           
DEC EBX (0x00000200)                                                            ; EBX = 0x200 before DEC ...
INC ESP (0x0A263521)                                                            
PUSH EDI (0x00000000)                                                           
DEC EDX (0x00000000)                                                            
INC ESI (0x00000002)                                                            
PUSH EDI (0x00000000)                                                           
DEC EDX (0xFFFFFFFF)                                                            
INC ESI (0x00000003)                                                            
PUSH EDI (0x00000000)                                                           
DEC ESP (0x0A263516)                                                            
INC ESI (0x00000004)                                                            
PUSH EDI (0x00000000)                                                           
DEC ESP (0x0A263511)                                                            
INC ESI (0x00000005)                                                            
PUSH EDI (0x00000000)                                                           
INC EDI (0x00000000)                                                            
INC EBP (0x00000002)                                                            
PUSH EBX (0x000001FF)                                                           ; ... and 0x1FF afterwards, consistent with pre-execution values
DEC ESP (0x0A263508)                                                            
DEC EDX (0xFFFFFFFE)                                                            
POP EAX (0x263525FF)                                                            
DEC EDI (0x00000001)                                                            
DEC EBP (0x00000003)                                                            
POP EBX (0x000001FF)                                                            
PUSH ESP (0x0A26350F)                                                           
PUSH EDX (0xFFFFFFFD)                                                           
PUSHAD                                                                          ; pushes all eight general-purpose registers; single byte 60 '`'
PUSH EBX (0x00000000)                                                           
PUSH ECX (0xFFFFFFFF)                                                           
POP EBP (0x00000002)                                                            
PUSH EBX (0x00000000)                                                           
PUSH ECX (0xFFFFFFFF)                                                           
POP EBP (0xFFFFFFFF)                                                            
PUSH EBX (0x00000000)                                                           
PUSH ECX (0xFFFFFFFF)                                                           
POP EBP (0xFFFFFFFF)                                                            
PUSH EBX (0x00000000)                                                           
PUSH ECX (0xFFFFFFFF)                                                           
POP EBP (0xFFFFFFFF)                                                            
POP EBP (0xFFFFFFFF)                                                            
PUSH EDX (0xFFFFFFFD)                                                           
POP EDI (0x00000000)                                                            
PUSHAD                                                                          ; second PUSHAD
PUSH ESP (0x0A2634BB)                                                           
BOUND ESP (0x0A2634B7),DS:[EDX + 0x54] (0x00000051),[0x00000055] (0x00000055)  ;random read instruction
; NOTE(review): on real hardware BOUND raises #BR when the index lies outside [lower, upper];
; ESP = 0x0A2634B7 against 0x51..0x55 would fault here and execution would not reach the lines
; below. The emulator evidently keeps going — one more reason to doubt this is live code.
BOUND EBX (0x00000000),DS:[EDI + 0x52] (0x0000004F),[0x00000053] (0x00000053)  ;random read instruction (EBX = 0 is likewise outside 0x4F..0x53)
POP EDI (0xFFFFFFFD)                                                            
POP EBX (0x00000000)                                                            
PUSH ECX (0xFFFFFFFF)                                                           
POP EBX (0xFFFFFFFD)                                                            
POP ESP (0x0A2634BF)                                                            ; stack pointer reloaded from the emulated stack
XCHG DS:[BP - 0x7E] (0xFFFFFF82),DH (0xFF)                                     ;random write instruction — 16-bit addressing form (address-size prefix); the single BUFFER_OUTSIDE_WRITES_COUNT in the statistics presumably refers to this
LAHF                                                                            
NOP                                                                             
LAHF                                                                            
XCHG ECX (0xFFFFFFFF),EAX (0x00010200)                                          
CALL 837c:8c918796 (0x8FFD8796)                                                 ; far CALL to an arbitrary segment:offset — the one UNRECOGNIZED_CALL_TARGETS in the statistics; nothing in the trace shows valid code at that target
; NOTE(review): the trace resumes with the same PUSH ESI / INC EBX / INC ESP ("VCD") pattern as
; at the top, so the emulator appears to continue with the bytes after the CALL rather than at
; its target — TODO confirm.
PUSH ESI (0x00000006)                                                           
INC EBX (0xFFFFFFFF)                                                            
INC ESP (0x0A260006)                                                            
PUSH ESI (0x00000006)                                                           
INC EBP (0x00000000)                                                            
INC ESP (0x0A260007)                                                            
PUSH ESI (0x00000006)                                                           
INC EBP (0x00000001)                                                            
INC ESP (0x0A260008)                                                            
PUSH ESI (0x00000006)                                                           
DEC EBX (0x00000000)                                                            
INC ESI (0x00000006)                                                            
POP EBX (0xFFFFFFFF)                                                            
PUSH ESP (0x0A260009)