2007-10-18

IcePack Platinum Edition 2007

This exploit framework is nicely designed and has a somewhat object-oriented approach.

Browser-based exploit code is broken down into separate modules. Its statistics engine logs several important visitor variables such as IP, browser and OS version. By default, it checks whether the visiting IP has already been seen and, if so, avoids further interaction with that session.

Another interesting aspect is that it uses output stream buffering with a callback function which will obfuscate all data to avoid detection and readability. Specifically, it uses a random ASCII based substitution table to create a Javascript function which will decode the payload and run it.

The people who wrote this framework (IDT Group), or at least that's the header on top of every source file, know what they're doing. Their code layout and the documentation that exists are presented in a manner often seen in professional programming projects.

2007-10-17

Interesting "Downloader"

Get it from offensivecomputing: "f5c3bf7be349b36983d2a07b917f4bb7"

It uses a rather simple walking XOR decryption with a single byte that decrements at each iteration. This is used to decrypt code and data.

Next, it sets up a Vectored Exception Handler and executes INT 3. So, if you're debugging and don't pass this exception on to the program, nothing happens.

Another interesting aspect is that every API name it calls, resolved through the PEB structures, is hashed. Thus, to call an API it calls an internal function with a predetermined hash of the API name; this function traverses all current exports and hashes each one for comparison. Once found, the API's address is returned in EAX, which is followed by a "call eax".

Moreover, all data blocks are XORed with a different key, and the moment the data has been used the decrypted memory is cleared.
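An analyst-side decoder for the walking XOR scheme described above (the code decryption and the per-block data keys), written as an added example rather than code from the sample: each byte is XORed with a key byte that decrements after every byte, and because only 256 start keys exist, a block's unknown key can be brute-forced from a known leading marker. The sample blocks, their keys and the markers are constructed here for illustration.

```python
from typing import Optional

def walking_xor(data: bytes, start_key: int) -> bytes:
    """Decrementing single-byte XOR: byte i is XORed with (start_key - i) mod 256.
    XOR is symmetric, so the same routine encrypts and decrypts."""
    out = bytearray(len(data))
    key = start_key & 0xFF
    for i, b in enumerate(data):
        out[i] = b ^ key
        key = (key - 1) & 0xFF   # walk the key down one step, wrapping at 0
    return bytes(out)

def recover_start_key(blob: bytes, marker: bytes) -> Optional[int]:
    """Brute-force the unknown initial key byte.
    Only 256 candidates exist, and the first ciphertext byte pins the key
    uniquely, so at most one candidate reproduces the expected marker."""
    for k in range(256):
        if walking_xor(blob, k).startswith(marker):
            return k
    return None

# Constructed sample blocks (not taken from the real sample), each with its
# own start key, mirroring the "different key per data block" behaviour.
BLOCKS = {
    "url": (b"http://example.invalid/stage2.bin\x00", 0x05),  # key wraps 0x00 -> 0xFF
    "cfg": (b"CFG\x01sleep=300\x00", 0xC3),
}
ENCRYPTED = {name: walking_xor(pt, key) for name, (pt, key) in BLOCKS.items()}
MARKERS = {"url": b"http://", "cfg": b"CFG\x01"}  # assumed known plaintext prefixes

def decrypt_all() -> dict:
    """Recover every block's key from its marker and return the plaintexts."""
    result = {}
    for name, blob in ENCRYPTED.items():
        key = recover_start_key(blob, MARKERS[name])
        result[name] = walking_xor(blob, key) if key is not None else None
    return result

if __name__ == "__main__":
    for name, pt in decrypt_all().items():
        print(name, pt)
```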