Vulnerability exploit found in ukpornblog.net/wp-content/uploads/2009/04/uk-gangbang_1.bmp
Full investigation report can be found here
======== Payload investigation statistics ========
Suspicious payload offset: 201798

Emulation attribute name                 Value
=======================================================
WRITES_TO_PROCESS_STACK_MEMORY           13
BUFFER_INSIDE_WRITES_COUNT               0
REFERENCES_TO_PROCESS_INTERNALS          0
BUFFER_OUTSIDE_WRITES_COUNT              1
FAR_JUMPS_COUNT                          0
FULLY_INITIALIZED_INSTRUCTIONS           93
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES       1
PROC_CALLS_INSIDE_INV_BUFFER             0
BUFFER_OUTSIDE_READS_COUNT               2
UNDEFINED_DIRECT_CALLS                   0
JUMPS_INSIDE_INV_BUFFER                  0
CORRECTLY_PARSED_INSTRUCTIONS            100
MEMORY_MODIFYING_MATH_INSTRUCTIONS       0
BUFFER_INSIDE_READS_COUNT                0
SYSTEM_CALLS_COUNT                       0
UNRECOGNIZED_CALL_TARGETS                1
REFERENCES_TO_PROCESS_IMPORTS            0
CORRECT_PROCEDURES_CALLS                 0
EIP_RETRIEVAL_INSTRUCTIONS               0
JUMPS_TO_PROCESS_INTERNALS               0
EXECUTED_ARITHMETIC_INSTRUCTIONS         30
CALLS_TARGETED_IMPORTS_SECTION           0
UNRECOGNIZED_JUMP_TARGETS                0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS      55
REFERENCES_TO_PROCESS_EXPORTS            0
EXECUTES_BITS_OPERATING_INSTRUCTIONS     0
IMMEDIATE_OPERANDS_INSTRUCTIONS          0
INDIRECT_BUFFER_REFERENCES               22
MAX_WRITTEN_MEMORY_BLOCK                 0
CORRECTLY_EXECUTED_INSTRUCTIONS          91
READS_FROM_PROCESS_STACK_MEMORY          17
CALLS_TARGETED_EXPORTS_SECTION           0
=======================================================

More about the Quttera investigation engine here
======== Detection disassembly ========
PUSH ESI (0x00000000)
INC EBX (0x00000000)
INC ESP (0x0A26352B)
PUSH ESI (0x00000000)
INC EBP (0x00000000)
INC ESP (0x0A263528)
PUSH ESI (0x00000000)
INC EBP (0x00000001)
INC ESP (0x0A263525)
PUSH ESI (0x00000000)
DEC EBX (0x00000001)
INC ESI (0x00000000)
POP EBX (0x00000000)
PUSH ESP (0x0A263526)
DEC EDI (0x00000000)
PUSH EBP (0x00000002)
PUSH EAX (0x00000000)
DEC SI (0x0001)
DEC ECX (0x00000000)
POP EDI (0xFFFFFFFF)
DEC ESP (0x0A26351E)
DEC EAX (0x00000000)
POP EBX (0x00000000)
DEC EDX (0x00000000)
INC ESI (0x00000001)
POP EAX (0xFFFFFFFF)
DEC EAX (0x26352600)
INC EDX (0xFFFFFFFF)
PUSH EBP (0x00000002)
DEC EBX (0x00000200)
INC ESP (0x0A263521)
PUSH EDI (0x00000000)
DEC EDX (0x00000000)
INC ESI (0x00000002)
PUSH EDI (0x00000000)
DEC EDX (0xFFFFFFFF)
INC ESI (0x00000003)
PUSH EDI (0x00000000)
DEC ESP (0x0A263516)
INC ESI (0x00000004)
PUSH EDI (0x00000000)
DEC ESP (0x0A263511)
INC ESI (0x00000005)
PUSH EDI (0x00000000)
INC EDI (0x00000000)
INC EBP (0x00000002)
PUSH EBX (0x000001FF)
DEC ESP (0x0A263508)
DEC EDX (0xFFFFFFFE)
POP EAX (0x263525FF)
DEC EDI (0x00000001)
DEC EBP (0x00000003)
POP EBX (0x000001FF)
PUSH ESP (0x0A26350F)
PUSH EDX (0xFFFFFFFD)
PUSHAD
PUSH EBX (0x00000000)
PUSH ECX (0xFFFFFFFF)
POP EBP (0x00000002)
PUSH EBX (0x00000000)
PUSH ECX (0xFFFFFFFF)
POP EBP (0xFFFFFFFF)
PUSH EBX (0x00000000)
PUSH ECX (0xFFFFFFFF)
POP EBP (0xFFFFFFFF)
PUSH EBX (0x00000000)
PUSH ECX (0xFFFFFFFF)
POP EBP (0xFFFFFFFF)
POP EBP (0xFFFFFFFF)
PUSH EDX (0xFFFFFFFD)
POP EDI (0x00000000)
PUSHAD
PUSH ESP (0x0A2634BB)
BOUND ESP (0x0A2634B7),DS:[EDX + 0x54] (0x00000051),[0x00000055] (0x00000055) ;random read instruction
BOUND EBX (0x00000000),DS:[EDI + 0x52] (0x0000004F),[0x00000053] (0x00000053) ;random read instruction
POP EDI (0xFFFFFFFD)
POP EBX (0x00000000)
PUSH ECX (0xFFFFFFFF)
POP EBX (0xFFFFFFFD)
POP ESP (0x0A2634BF)
XCHG DS:[BP - 0x7E] (0xFFFFFF82),DH (0xFF) ;random write instruction
LAHF
NOP
LAHF
XCHG ECX (0xFFFFFFFF),EAX (0x00010200)
CALL 837c:8c918796 (0x8FFD8796)
PUSH ESI (0x00000006)
INC EBX (0xFFFFFFFF)
INC ESP (0x0A260006)
PUSH ESI (0x00000006)
INC EBP (0x00000000)
INC ESP (0x0A260007)
PUSH ESI (0x00000006)
INC EBP (0x00000001)
INC ESP (0x0A260008)
PUSH ESI (0x00000006)
DEC EBX (0x00000000)
INC ESI (0x00000006)
POP EBX (0xFFFFFFFF)
PUSH ESP (0x0A260009)