First information about new zero day in adobe flash player was published 03/11/2010 at
https://www.kidinhisroom.com/?q=content/us-cert-ewin-early-warning-indicator-new-adobe-flash-0-day-exploit
Then after 3 days Adobe confirmed bug and released advisory
http://www.adobe.com/support/security/advisories/apsa11-01.html
Filename: crsenvironscan.xls
Size:126,444 bytes
MD5 Hash: 4BB64C1DA2F73DA11F331A96D55D63E2
My analysis of crsenvironscan.xls
There are no vulnerabilities in MS Office, there is a vulnerability in embeded swf as was described below.
1) There are embeded swf
(target file name f:\sm.swf)
![]()
This swf provide heap spray and then load second swf
view source code
![]()
it allocates memory
NOP Slide =14141414
![]()
then loads second swf.
2) second.swf consist bug
File created possibly by using a fuzzer from
![]()
if point view on this
as for me, that looks like some string and date
C.GB 1989/06/04 - it may mean1989-06-04 Tiananmen, Beijing, China
FucK 1982/04/24 - ?
If you have any ideas, post in comments
![]()
Sample download link
https://sites.google.com/site/villys777/crsenvironscan.zip
password : infected
Other samples you can get from Mila Parkour site:
http://contagiodump.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html
![]()
https://www.kidinhisroom.com/?q=content/us-cert-ewin-early-warning-indicator-new-adobe-flash-0-day-exploit
Then after 3 days Adobe confirmed bug and released advisory
http://www.adobe.com/support/security/advisories/apsa11-01.html
Filename: crsenvironscan.xls
Size:126,444 bytes
MD5 Hash: 4BB64C1DA2F73DA11F331A96D55D63E2
My analysis of crsenvironscan.xls
There are no vulnerabilities in MS Office, there is a vulnerability in embeded swf as was described below.
1) There are embeded swf
(target file name f:\sm.swf)
This swf provide heap spray and then load second swf
view source code
it allocates memory
NOP Slide =14141414
then loads second swf.
2) second.swf consist bug
File created possibly by using a fuzzer from
addLabel.swf
looks like there are bugs exist when flash player attempts to parse a swf file.
Unknown opcode 152.
Unknown opcode 84.
(detailed analysis will be provided soon)
3) Shellcode
this is EmbededExec shellcode,not encrypted.
decompiled shellcode
Shellcode search for exe between
cmp dword ptr [eax], 47422E43h
cmp dword ptr [eax+4], 19890604h
hex code "432e424704068919" and
cmp dword ptr [eax], 4B635546h
cmp dword ptr [eax+4], 19820424h
hex code "4655634b24048219"
if point view on this
as for me, that looks like some string and date
C.GB 1989/06/04 - it may mean1989-06-04 Tiananmen, Beijing, China
FucK 1982/04/24 - ?
If you have any ideas, post in comments
Encryption of exe is interesting.
First 4 bytes of exe header writed from shellcode
then encrypted date decrypts using this algo
where eax - size of exe
decrypt:
xor [ebx], al
inc ebx
dec eax
inc ebx
dec eax
cmp eax, 0
jmp decrypt
This is for the first time I see such encryption in exploits found in the wild.
This is used to bypass scanners, which searches for the exe header.
4) Exea.exe
size 46,048 bytes
MD5: 1e09970c9bf2ca08ee48f8b2e24f6c44
Download Payload File a.exe
pass: infected Virustotal 0/43
Information from PEiD InstallShield AFW [CAB SFX]
Sample download link
https://sites.google.com/site/villys777/crsenvironscan.zip
password : infected
Other samples you can get from Mila Parkour site:
http://contagiodump.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html
