Saturday, October 2, 2010

Hiding PDF Exploits by embedding PDF files in streams and Flash ROP heapsprays

Another interesting sample that we came across (a901141662b350cd2c7d91268eddbdce) highlights one of the neat features of our online PDF Examiner: detection and processing of streams which contain an embedded PDF file. It's quite easy now to put the exploits into an embedded PDF and compress or even encrypt the parent PDF file so that many AV products fail to detect the exploit code:




Object 3 has the embedded PDF file, which was extracted and processed automatically - it's linked to and shown to have the CVE-2010-2883 fontfile SING table description name overflow:




Now one of the very interesting things going on in this sample is that there's no JavaScript for the heapspray. Instead, the parent PDF has embedded Flash files in objects 1 and 2. We can download those two Flash files easily from within PDF Examiner by clicking Save Obj to File.




Now both Flash files have the CWS signature, which indicates they are zlib-compressed. Here's how we expand them using PHP:
function flashExplode ($stream) {
    $magic = substr($stream, 0, 3);

    if ($magic == "CWS") {
        // SWF header: 3-byte signature, 1-byte version, 4-byte file length;
        // keep version and length, then inflate the zlib body that follows
        $header = substr($stream, 3, 5);
        $content = substr($stream, 8);
        $uncompressed = gzuncompress($content);
        return "FWS".$header.$uncompressed;
    } else {
        return $stream;
    }
}
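As an added example (not the blog's or PDF Examiner's code), the following Python script does the two things this post relies on: it walks the stream objects of a PDF, inflates them and flags any that hold an embedded PDF or Flash file by magic bytes, and it converts a CWS Flash file to FWS while checking the header's FileLength against the inflated size. The stream parsing is a deliberately simple regex heuristic (direct /Length values only), and the PDF it scans is a constructed sample, not the a901141662b350cd2c7d91268eddbdce file discussed above.

```python
import re
import struct
import zlib
# Heuristic raw-file parsing (not a full PDF parser): one stream object is
# "N 0 obj", its dictionary, then the "stream" keyword.
OBJ_STREAM_RE = re.compile(rb"(\d+)\s+0\s+obj((?:(?!endobj).)*?)stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # direct lengths only
MAGIC = {b"%PDF": "embedded PDF", b"FWS": "Flash (SWF)", b"CWS": "Flash (SWF)"}

def swf_decompress(data):
    """CWS -> FWS. Header: 3-byte signature, 1-byte version, 4-byte LE FileLength
    (whole uncompressed file), then the body, which in CWS is a zlib stream."""
    if data[:3] != b"CWS":
        return data                        # FWS or not a Flash file at all
    body = zlib.decompress(data[8:])
    declared = struct.unpack("<I", data[4:8])[0]
    if declared != 8 + len(body):          # truncated or tampered header
        raise ValueError("FileLength %d != actual %d" % (declared, 8 + len(body)))
    return b"FWS" + data[3:8] + body       # version + FileLength kept verbatim

def classify(blob):                        # label decoded content by magic bytes
    return next((kind for sig, kind in MAGIC.items() if blob.startswith(sig)), "other")

def find_embedded(pdf):
    """Inflate each stream; list (object number, kind) for embedded PDF/Flash."""
    findings = []
    for m in OBJ_STREAM_RE.finditer(pdf):
        length = LENGTH_RE.search(m.group(2))
        # fallback without a usable /Length: scan to the endstream keyword
        end = m.end() + int(length.group(1)) if length else pdf.find(b"endstream", m.end())
        raw = pdf[m.end():end]
        try:
            content = zlib.decompress(raw)
        except zlib.error:                 # not FlateDecode; inspect as-is
            content = raw
        kind = classify(content)
        if kind != "other":
            findings.append((int(m.group(1)), kind))
    return findings

# Constructed sample (not the blog's a901141662b350cd2c7d91268eddbdce file):
# object 1 holds a compressed Flash file, object 3 an inner PDF, as in the post.
SWF_BODY = b"\x20\x00\x00\x0c\x01\x00"     # dummy SWF body bytes
SAMPLE_CWS = b"CWS\x0a" + struct.pack("<I", 8 + len(SWF_BODY)) + zlib.compress(SWF_BODY)
INNER_PDF = b"%PDF-1.3\n1 0 obj\n<</Type/Catalog>>\nendobj\n%%EOF\n"

def _flate_obj(num, payload):              # wrap payload as a FlateDecode stream
    z = zlib.compress(payload)
    return b"%d 0 obj\n<</Length %d/Filter/FlateDecode>>\nstream\n" % (num, len(z)) + z + b"\nendstream\nendobj\n"

def build_sample():
    return (b"%PDF-1.4\n" + _flate_obj(1, SAMPLE_CWS) + b"2 0 obj\n<</Type/Catalog>>\nendobj\n"
            + _flate_obj(3, INNER_PDF) + b"%%EOF\n")
```

Running `find_embedded(build_sample())` reports object 1 as Flash and object 3 as an embedded PDF; `swf_decompress` on the object 1 content yields the FWS file that the PHP function above produces.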


With the files uncompressed, here's a look at them:



Googling jit-egg.swf, funcXOR1 or Loadzz2 leads us to some PoC code by @asintsov at http://twitter.com/asintsov/status/1950725448
This code is a ROP JIT-egg shellcode heapspray in Flash, so our sample is exploiting CVE-2010-2883 in an embedded PDF file and using Flash to do the heapspray. The shellcode will drop an executable and a clean PDF file, both of which are stored in the original PDF between the %%EOF and some tacked-on junk PDF streams.

3 comments:

  1. Thanks for the great tool, now it is very easy to compress and encrypt the parent PDF files, which results in high protection and avoids AV products too. I really need a tool for expanding Flash files and now it is easy to expand them with your PHP code.

  2. Not sure how to use the PHP code above to uncompress the Flash.
    Can you give an example?

  3. You can use the function in a command line script:
    php script_name.php

    <?php
    // Usage: php script_name.php <file.swf>   (writes <file.swf>.unc)

    if (!isset($argv[1])) {
        echo "Specify a file or directory.\n";
        exit(1);
    }

    // accept a file as input
    if (is_file($argv[1])) {
        $result = flashExplode(file_get_contents($argv[1]));
        file_put_contents($argv[1].".unc", $result);
    }

    function flashExplode ($stream) {
        $magic = substr($stream, 0, 3);

        if ($magic == "CWS") {
            // SWF header: 3-byte signature, 1-byte version, 4-byte file length;
            // keep version and length, then inflate the zlib body that follows
            $header = substr($stream, 3, 5);
            $content = substr($stream, 8);
            $uncompressed = gzuncompress($content);
            return "FWS".$header.$uncompressed;
        } else {
            return $stream;
        }
    }
    ?>
