Shellcode Analysis

Extracting shellcode of Magnitude Exploit KIT

After successful exploitation of CVE-2019–1367, the malicious Magnitude Exploit Kit shellcode instructions are executed. The first stubs form a simple shellcode loader that ultimately does the following:

  • Allocates memory via kernel32!VirtualAlloc() with PAGE_EXECUTE_WRITECOPY permissions
  • Copies the shellcode into the allocated memory using kernel32!RtlMoveMemory()
  • Launches the shellcode via CreateThread()

We have different…


CVE-2019–1367 background and in-the-wild exploitations

There are some important aspects of CVE-2019–1367 to know before diving into the technical analysis, including the intelligence around it and the series of events that followed its in-the-wild exploitation and Microsoft's patches.

First of all, here is the bug class, based on the Google Project Zero report:



twitter at @lordx64
