Searching for the creator object in the PDF document with pdf-parser showed that object 8 contains the creator info, but in this case, instead of a string identifying the creator application, it holds encoded JavaScript (the second-stage code).
The screenshot below shows the content extracted from the creator object.
After extracting this encoded content, I added it to the first-stage JavaScript (as a variable called this.creator whose value is the encoded JavaScript). The screenshot below shows the modified script.
In the screenshot above, the unescape function decodes the encoded data: every z in the content of this.creator is replaced with a % sign, the result is unescaped, and eval then executes the decoded data. We need the script to print the decoded data instead of executing it, so that we can read it. There are several ways to do this; one is to add eval=print; at the beginning of the script, which overrides eval with print. Running the script with SpiderMonkey then gives the decoded JavaScript shown below:
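The same replace-and-unescape loader and the eval-to-print override, reproduced as an added example in Node.js rather than SpiderMonkey (this is illustration code, not the script from the sample). The payload, the loader source and the function names are constructed for the demonstration; the encoder escapes every character, because the loader's global replace of z with % would otherwise corrupt any literal z in the decoded code, which is the one pitfall to keep in mind when reusing this trick on a different sample.

```javascript
// Added example, not code from the original post or from the analysed sample.
// Reproduces the tutorial's decoding trick: undo the z-for-% substitution,
// unescape, and capture what the loader hands to eval instead of running it.

// Constructed encoder that mimics the scheme found in the creator object:
// %-escape every character (hex), then swap '%' for 'z'. Escaping everything
// guarantees the only 'z' characters in the output are the delimiters, so the
// loader's replace(/z/g, "%") round-trips exactly.
function encodeLikeCreatorObject(js) {
  let out = "";
  for (const ch of js) {
    const code = ch.charCodeAt(0);
    out += code < 256
      ? "%" + code.toString(16).toUpperCase().padStart(2, "0")
      : "%u" + code.toString(16).toUpperCase().padStart(4, "0");
  }
  return out.replace(/%/g, "z");
}

// Constructed, benign stand-in for the second stage: two ordinary statements,
// no exploit, just something recognisable once decoded.
const SAMPLE_SECOND_STAGE = "var x = util.printf('%d', 1); app.alert('stage two');";
const SAMPLE_CREATOR = encodeLikeCreatorObject(SAMPLE_SECOND_STAGE);

// Constructed first-stage loader in the shape the tutorial describes:
// read this.creator, turn 'z' back into '%', unescape, eval.
const SAMPLE_FIRST_STAGE =
  "var s = this.creator.replace(/z/g, '%');\n" +
  "eval(unescape(s));";

// Static decode: the same replace + unescape the loader performs, with no eval
// involved at all. Works when you already know the substitution scheme.
function decodeSecondStage(creatorValue) {
  return unescape(creatorValue.replace(/z/g, "%"));
}

// Dynamic decode: run the loader but with eval overridden (the page's
// "eval=print;" trick). Naming the loader's first parameter "eval" shadows the
// real eval inside its body, so whatever it tries to execute is collected and
// returned instead. `this` is bound to a stub object carrying the creator
// string, standing in for the PDF document object the script expects.
function runWithEvalCaptured(firstStageSource, creatorValue) {
  const captured = [];
  const print = (code) => { captured.push(String(code)); };
  const loader = new Function("eval", firstStageSource); // sloppy mode: "eval" allowed as a parameter name
  loader.call({ creator: creatorValue }, print);
  return captured;
}

// Stand-alone run: both routes must agree on the decoded second stage.
console.log("encoded creator value:", SAMPLE_CREATOR);
console.log("static decode:        ", decodeSecondStage(SAMPLE_CREATOR));
console.log("captured from eval:   ", runWithEvalCaptured(SAMPLE_FIRST_STAGE, SAMPLE_CREATOR));
```

The dynamic route is the one that generalises: the loader may do more than a single replace (several substitutions, string reversal, arithmetic on character codes), and capturing the argument to eval recovers the final plaintext without having to re-implement each step.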
In the code above you can see that the exploit targets the vulnerability in the util.printf() function (CVE-2008-2992) by passing a large number as the second parameter. You can also see the buffer being allocated and the heap spray code before the vulnerability is triggered, and the shellcode inside the unescape function.
So we now know that the JavaScript exploits the util.printf() vulnerability, places the shellcode in the allocated buffer, and executes it once the vulnerability is triggered.
Continued
Malicious PDF analysis Tutorial Part 1
Malicious PDF analysis Tutorial Part 2
Malicious PDF analysis Tutorial Part 3 Extracting Javascript
Malicious PDF analysis Tutorial Part 4
Part 5 Malicious PDF analysis Tutorial Shellcode analysis