Converting Shellcode into an Executable For Further Analysis
- September 12th, 2009
Exploit toolkits out in the wild often use download-and-execute shellcode which, when run on the end system, downloads and executes a file that gives the attacker control of the machine. This is commonly used in drive-by download attacks, where a victim visits a malicious web page that in turn attempts to execute the shellcode in order to install software on the victim’s machine.
More often than not the shellcode is buried within obfuscated JavaScript. Searching the Murls database reveals one such URL (hxxp://rrrxgvdf.6600.org/kuaile/19.htm).

The above image visualizes the series of redirects that occur via iframe tags after the victim browses to (hxxp://rrrxgvdf.6600.org/kuaile/19.htm). The example below was found at the following URL (wm.yxnjs.com_x148_of.js). It shows a simple form of obfuscation: the characters “MTV” are written wherever “%u” would normally appear in the encoded shellcode string.
Example of Obfuscated Shellcode
Exploits that target browsers commonly encode shellcode in a JavaScript string using percent-encoding (“%XX”), “%uXXXX”-encoding or HTML entity encoding. Some exploits obfuscate the encoded string further to evade IDS signatures. The example above is one such case: the characters “MTV” stand in for “%u”, so once that substitution is reversed the string is ordinary “%uXXXX”-encoded shellcode.
Thanks to David Zimmer over at iDefense, the following tool can be used to investigate shellcode by either static or dynamic analysis. Before we can do that we have to clean up the code by replacing MTV with %u and removing everything else (quotes, concatenation operators, whitespace) so that only the “%uXXXX” units remain. Once the code is cleaned up you can submit it here. The script will then return a file named shecode.exe_ (the underscore is so that you don’t execute it by accident). After saving it to the desktop you can submit it to VirusTotal, open it in your debugger/disassembler, or submit it to Anubis for behavioral analysis. Keep in mind that the resulting file is live shellcode wrapped in an executable: only run or debug it inside an isolated, disposable VM.
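The clean-up and conversion described above, as an added example that is not the iDefense tool or any script from the original post: a Python 3 script that reverses the MTV substitution, strips the JavaScript string glue (quotes, `+`, whitespace), decodes the `%uXXXX` / `%XX` units the way `unescape()` and the exploit lay them out in memory, and wraps the raw bytes in a minimal 32-bit PE whose entry point is the first shellcode byte. The sample string, the `MTV` token, the section layout and the output filename are assumptions for illustration; the sample decodes to `nop; nop; nop; ret` rather than real shellcode.

```python
"""Deobfuscate a "%u"-encoded shellcode string and wrap it in a minimal PE.

Added example; not the iDefense tool. Assumes the obfuscation is a plain
token-for-"%u" substitution as in the post (token "MTV").
"""
import re
import struct

# Constructed sample (not from the page): the shellcode string as it might
# appear in the exploit's JavaScript, split across concatenated literals with
# "MTV" in place of "%u". It decodes to 90 90 90 C3 (nop; nop; nop; ret).
SAMPLE_JS = '"MTV9090" + "MTVC390"'

# %uXXXX = one 16-bit code unit, %XX = one byte (entity encoding not handled).
ENCODED_UNIT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def deobfuscate(encoded: str, token: str = "MTV") -> str:
    """Undo the substitution (token -> "%u") and drop JavaScript string glue so
    only encoded units remain. Anything else left over is an error rather than
    silently skipped, so a second obfuscation layer is not decoded wrongly."""
    cleaned = encoded.replace(token, "%u")
    cleaned = re.sub(r"""[\s"'+]""", "", cleaned)
    leftover = ENCODED_UNIT.sub("", cleaned)
    if leftover:
        raise ValueError(f"unexpected characters after clean-up: {leftover!r}")
    return cleaned


def decode_units(cleaned: str) -> bytes:
    """Decode like unescape() followed by the exploit using the string as raw
    memory: %uXXXX is a UTF-16 code unit stored little-endian (low byte first).
    Assumption: %XX is taken as a single raw byte, the usual meaning when the
    shellcode is percent-encoded as a byte string."""
    out = bytearray()
    for m in ENCODED_UNIT.finditer(cleaned):
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_pe(code: bytes, image_base: int = 0x400000) -> bytes:
    """Wrap raw x86 shellcode in a minimal PE32: a single RWX .text section at
    RVA 0x1000 that is also AddressOfEntryPoint, and no import table (position-
    independent shellcode resolves its own APIs). A debugger therefore breaks
    on the first shellcode byte. Layout values are this example's choices."""
    if not code:
        raise ValueError("no shellcode bytes to wrap")
    file_align, sect_align = 0x200, 0x1000
    raw_size = align(len(code), file_align)
    headers_size = file_align        # 0x160 bytes of headers, padded to 0x200

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    # COFF: i386, 1 section, no symbols, 224-byte optional header,
    # RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0103)
    opt = struct.pack(
        "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6,
        0x10B, 0, 0,                      # PE32 magic, linker version
        raw_size, 0, 0,                   # SizeOfCode, init/uninit data
        0x1000, 0x1000, 0x1000,           # AddressOfEntryPoint, BaseOfCode/Data
        image_base, sect_align, file_align,
        4, 0, 0, 0, 4, 0,                 # OS/image/subsystem versions
        0, 0x1000 + align(len(code), sect_align), headers_size, 0,
        2, 0,                             # Subsystem GUI, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,   # stack/heap reserve and commit
        0, 16)                            # LoaderFlags, NumberOfRvaAndSizes
    opt += b"\0" * 128                    # 16 empty data directories
    # .text: CODE | EXECUTE | READ | WRITE so self-modifying decoders work
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                          raw_size, headers_size, 0, 0, 0, 0, 0xE0000020)
    headers = dos + coff + opt + section
    assert len(headers) <= headers_size
    return headers.ljust(headers_size, b"\0") + code.ljust(raw_size, b"\0")


def convert(js_string: str, token: str = "MTV") -> bytes:
    """Full pipeline: obfuscated JavaScript string -> PE image bytes."""
    return build_pe(decode_units(deobfuscate(js_string, token)))


if __name__ == "__main__":
    # Trailing underscore, as in the post, so the file is not run by accident.
    image = convert(SAMPLE_JS)
    with open("shellcode.exe_", "wb") as f:
        f.write(image)
    print(f"wrote {len(image)} bytes to shellcode.exe_")
```

Rename the output to `.exe` only inside an isolated VM before loading it in a debugger or handing it to a sandbox; with the entry point at the first shellcode byte, stepping from the initial break walks straight into the decoder stub or API-resolution loop. If the exploit instead passes an `unescape()`d string containing `%XX` units directly to memory, each of those occupies two bytes (`XX 00`) rather than one, and `decode_units` would need that variant.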