Author Topic: FlateDecode  (Read 11047 times)


October 21, 2009, 01:32:49 pm

binary

  • Jr. Member

Hi Guys

Was running through a malicious PDF and found that there was a stream that I believe was FlateDecode'd. Please can you indicate how to decode them. I've already run that malicious PDF against wepawet and it reported it to be malicious (Adobe util.printf overflow: stack-based buffer overflow in Adobe Acrobat and Reader via crafted format string argument in util.printf).

Edit: Attached the sample stream that I was able to fetch from the malicious pdf file.

Thanks

Binary
There are only 10 kinds of people in this world, those who understand binary and those who don't

October 21, 2009, 05:06:15 pm
Reply #1

SysAdMini

  • Administrator
  • Hero Member

I need the complete pdf to look at it.

Have you already tried the usual tools for decoding?

www.accesspdf.com/pdftk/
pdftk mydoc.pdf output mydoc.txt uncompress


http://blog.didierstevens.com/programs/pdf-tools/
pdf-parser.py -f mydoc.pdf
Ruining the bad guy's day
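What both tools do for a FlateDecode'd stream is locate the `stream ... endstream` body of each object whose dictionary carries `/Filter /FlateDecode` and run it through zlib. The script below is an added example (not part of this thread, and not pdf-parser.py's own code) that does exactly that on a constructed one-object sample; it uses a decompressobj rather than zlib.decompress() so a stream with trailing junk or a bogus /Length still yields whatever inflates cleanly, which is the usual failure mode with malformed malicious PDFs.

```python
import re
import zlib

# Constructed sample: a minimal PDF fragment with one FlateDecode'd stream
# (object 1) and one uncompressed stream (object 2). The payload is a
# harmless placeholder, compressed here so the sample is self-contained.
SAMPLE_STREAM = zlib.compress(b"/JS (app.alert('constructed sample'))")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Length " + str(len(SAMPLE_STREAM)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + SAMPLE_STREAM
    + b"\nendstream\nendobj\n"
    b"2 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
)
# Same stream with garbage appended, as malformed samples often have.
SAMPLE_STREAM_WITH_JUNK = SAMPLE_STREAM + b"\n%%EOF trailing junk"

# Crude object matcher: "N G obj << dict >> stream ... endstream".
# Good enough for flat dictionaries; nested << >> would need a real parser.
OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL,
)


def inflate_stream(data: bytes) -> bytes:
    """Inflate a FlateDecode stream body. decompressobj stops at the end of
    the deflate stream, so trailing bytes after it are ignored rather than
    raising the way zlib.decompress() would."""
    d = zlib.decompressobj()
    return d.decompress(data) + d.flush()


def extract_flate_streams(pdf: bytes) -> dict:
    """Return {object number: inflated bytes} for every FlateDecode stream;
    objects without that filter are left alone."""
    result = {}
    for m in OBJ_RE.finditer(pdf):
        objnum, _gen, dictionary, raw = m.groups()
        if b"/FlateDecode" not in dictionary:
            continue
        try:
            result[int(objnum)] = inflate_stream(raw)
        except zlib.error as exc:  # corrupt stream: record it, keep going
            result[int(objnum)] = b"<inflate failed: " + str(exc).encode() + b">"
    return result


if __name__ == "__main__":
    for num, content in extract_flate_streams(SAMPLE_PDF).items():
        print(f"object {num}: {content!r}")
```

Run against a real sample, the inflated content is where you would then look for the JavaScript (e.g. a util.printf call) that wepawet flagged.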

October 22, 2009, 12:49:14 am
Reply #2

MysteryFCM

  • Administrator
  • Hero Member

Just a note, PDFTK doesn't seem to work on Vista :( (I used FileInsight instead)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

October 22, 2009, 06:23:15 am
Reply #3

binary

  • Jr. Member

Here it goes....

password - infected
There are only 10 kinds of people in this world, those who understand binary and those who don't

October 22, 2009, 07:19:07 am
Reply #4

SysAdMini

  • Administrator
  • Hero Member

Just a note, PDFTK doesn't seem to work on Vista :( (I used FileInsight instead)

pdftk works on Vista. Believe me. ;)
Ruining the bad guy's day

October 22, 2009, 07:21:46 am
Reply #5

SysAdMini

  • Administrator
  • Hero Member

Here it goes....

password - infected

pdftk failed to decode the stream. pdf-parser.py works.

URL in shellcode is
http://vk-mastersoft.cn/load.php?a=a&st=Internet&e=2
Ruining the bad guy's day

October 22, 2009, 07:34:06 am
Reply #6

MysteryFCM

  • Administrator
  • Hero Member

Just a note, PDFTK doesn't seem to work on Vista :( (I used FileInsight instead)

pdftk works on Vista. Believe me. ;)

It always seems to fail for me lately?
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

October 22, 2009, 08:08:57 am
Reply #7

binary

  • Jr. Member

Thanks for your replies guys,

I'm still not able to decode the stream. Please can you advise which switches you used to decode this stuff with pdf-parser.py?
There are only 10 kinds of people in this world, those who understand binary and those who don't

October 22, 2009, 09:08:21 am
Reply #8

SysAdMini

  • Administrator
  • Hero Member

Thanks for your replies guys,

I'm still not able to decode the stream. Please can you advise which switches you used to decode this stuff with pdf-parser.py?

Don't you read my messages? ;)

http://www.malwaredomainlist.com/forums/index.php?topic=3473.msg12744#msg12744
Ruining the bad guy's day

October 22, 2009, 09:39:24 am
Reply #9

binary

  • Jr. Member

I did exactly the same but it didn't work :S

pdf-parser -f malicious.pf > out.txt

Attached is the output
There are only 10 kinds of people in this world, those who understand binary and those who don't

October 22, 2009, 09:47:14 am
Reply #10

SysAdMini

  • Administrator
  • Hero Member

I did exactly the same but it didn't work :S

pdf-parser -f malicious.pf > out.txt

Attached is the output

Hmm, that's strange. It should look like my output.
Ruining the bad guy's day

October 22, 2009, 09:49:18 am
Reply #11

binary

  • Jr. Member

Would it be possible to attach your version of pdf-parser?

Thanks
There are only 10 kinds of people in this world, those who understand binary and those who don't

October 22, 2009, 10:03:08 am
Reply #12

SysAdMini

  • Administrator
  • Hero Member

Would it be possible to attach your version of pdf-parser?


Sent by PM. What Python version do you use? When I started pdf-parser on Python v3.0, I got some errors, so I have installed Python v2.6.
Ruining the bad guy's day

October 22, 2009, 10:19:36 am
Reply #13

binary

  • Jr. Member

I use a cygwin version - Python 2.5.2
There are only 10 kinds of people in this world, those who understand binary and those who don't

October 26, 2009, 09:16:08 am
Reply #14

MysteryFCM

  • Administrator
  • Hero Member

Just a note, PDFTK doesn't seem to work on Vista :( (I used FileInsight instead)

pdftk works on Vista. Believe me. ;)

Forgot to mention, I found out why.... I was using an outdated version.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net