Friday, December 18, 2009

Adobe CVE-2009-4324 in the wild - (0day) - part 0.2 - shellcode and site down

It seems that the spreading infrastructure is down (or the admins may have changed domains or paths). Anyway, the following screenshots show the shellcode embedded in one of the well-known PDFs (thank you contagiodump.blogspot.com). To inflate the deflated PDF streams, the PDF_streams_inflater tool was used (no longer available from the malzilla site):

http://www.mc-antivirus-test.com/modules/PDdownloads/singlefile.php?cid=6&lid=25

The dissected PDF has the following MD5: 35e8eeee2b94cbe87e3d3f843ec857f6, but it seems that
61baabd6fc12e01ff73ceacc07c84f9a also uses the same shellcode.


So, the first step to retrieve the useful code is a simple override of the JavaScript eval method:




The following screenshot shows some cleartext strings within the shellcode:



These may be a runtime check for Kaspersky tools and a check for Kingsoft security tools. There is also evidence of the user agent AdobeUpdate (as documented in the F-Secure post on the subject) being used for the HTTP request.

To quickly obtain a PE binary from the shellcode, the following was used:
http://sandsprite.com/shellcode_2_exe.php

The check above at runtime:



The XML code that defines an embedded RAR file, discovered inside 35e8eeee2b94cbe87e3d3f843ec857f6:




The Anubis analysis of the RAR (an exe inside a RAR-compressed archive) extracted from the PDF above:
http://anubis.iseclab.org/?action=result&task_id=106dc12f361a9afd4156862d5f34f1c77&format=html


The RAR contents:



The RAR-compressed exe file is run by the shellcode under certain conditions.

