Saturday, October 2, 2010

Hiding PDF Exploits by embedding PDF files in streams and Flash ROP heapsprays

Another interesting sample that we came across (a901141662b350cd2c7d91268eddbdce) highlights one of the neat features of our online PDF Examiner: detection and processing of streams which contain an embedded PDF file. It's quite easy now to put the exploits into an embedded PDF and then compress or even encrypt the parent PDF file so that many AV products miss the exploit code:




Object 3 holds the embedded PDF file, which was extracted and processed automatically; it is linked to and shown to contain the CVE-2010-2883 fontfile SING table description name overflow:




Now one of the very interesting things going on in this sample is that there's no JavaScript for the heapspray. Instead we see that the parent PDF has embedded Flash files in objects 1 and 2. We can download those two Flash files easily from within PDF Examiner by clicking "save Obj to File".
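The two findings above (an embedded PDF hidden in a Flate-compressed stream in object 3, and Flash files sitting in objects 1 and 2) come down to one check: decode each stream and look at its magic bytes. The following Python triage script is an added example, not PDF Examiner's code; it uses a regular expression rather than a real PDF parser (so it does not resolve /Length or xref tables), handles only /FlateDecode, and runs over a constructed carrier PDF built inline rather than the sample discussed in the post.

```python
import re
import zlib
from typing import Dict, Optional

PDF_MAGIC = b"%PDF-"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# Matches "N G obj <<dict>> stream ... endstream" for simple single-stream objects.
# Good enough for triage and tolerant of damaged files; a real parser would resolve
# /Length and the xref table instead of scanning for the endstream keyword.
OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL,
)


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Apply /FlateDecode when declared; other filters are left encoded."""
    if b"/FlateDecode" in dictionary:
        try:
            # decompressobj() tolerates trailing junk after the zlib stream
            return zlib.decompressobj().decompress(raw)
        except zlib.error:
            return raw
    return raw


def classify(content: bytes) -> Optional[str]:
    """Name the file type hidden in a decoded stream, or None if nothing notable."""
    head = content.lstrip()[:8]
    if head.startswith(PDF_MAGIC):
        return "embedded PDF"
    if head[:3] in SWF_MAGICS:
        return "Flash (%s)" % head[:3].decode()
    return None


def scan_pdf(data: bytes) -> Dict[int, str]:
    """Return {object number: finding} for every stream holding a PDF or SWF."""
    findings = {}
    for m in OBJ_RE.finditer(data):
        objnum, dictionary, raw = int(m.group(1)), m.group(3), m.group(4)
        kind = classify(decode_stream(dictionary, raw))
        if kind:
            findings[objnum] = kind
    return findings


def make_stream_obj(num: int, payload: bytes, compress: bool) -> bytes:
    """Build one PDF stream object (used only to construct the sample below)."""
    body = zlib.compress(payload) if compress else payload
    filt = b"/Filter /FlateDecode " if compress else b""
    return b"%d 0 obj\n<< %s/Length %d >>\nstream\n%s\nendstream\nendobj\n" % (
        num, filt, len(body), body)


# Constructed sample: objects 1 and 2 hold fake Flash headers, object 3 holds a
# Flate-compressed inner PDF, object 4 is an ordinary compressed content stream.
INNER_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    + make_stream_obj(1, b"CWS\x0a" + b"\x00" * 4 + b"fake-flash", False)
    + make_stream_obj(2, b"FWS\x0a" + b"\x00" * 4 + b"fake-flash", False)
    + make_stream_obj(3, INNER_PDF, True)
    + make_stream_obj(4, b"just a content stream", True)
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for objnum, kind in sorted(scan_pdf(SAMPLE_PDF).items()):
        print("object %d: %s" % (objnum, kind))
```

Because the check runs on the decoded stream, compressing the carrier does not hide the inner file; only a filter the script does not implement (or an encrypted document) would, which is exactly why the post's sample is worth flagging.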




Now both Flash files have the CWS magic number, which indicates they are compressed. Here's how we expand them using PHP:

    function flashExplode($stream) {
        $magic = substr($stream, 0, 3);

        if ($magic == "CWS") {
            // SWF header: 3-byte signature, 1-byte version, 4-byte little-endian
            // file length; keep version + length (bytes 3..7) for the FWS header
            $header = substr($stream, 3, 5);
            // everything from byte 8 on is a zlib stream (2-byte zlib header
            // included), so gzuncompress() handles it directly
            $uncompressed = gzuncompress(substr($stream, 8));
            return "FWS" . $header . $uncompressed;
        } else {
            return $stream;
        }
    }
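The same expansion in Python, as an added example rather than code from the post, with the check a reviewer would want: the length field in the header is the size of the uncompressed file, so after inflating we can verify it and catch truncated or tampered samples. The sample CWS file is constructed inline from a fake body and is not a real Flash movie; LZMA-compressed files (ZWS signature) are deliberately left unhandled.

```python
import struct
import zlib

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length of the
# whole *uncompressed* file. For CWS the bytes from offset 8 on are a zlib stream.


def swf_header(data: bytes):
    """Return (signature, version, declared length) from the 8-byte header."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF header")
    return data[:3], data[3], struct.unpack_from("<I", data, 4)[0]


def swf_expand(data: bytes) -> bytes:
    """Return the uncompressed (FWS) form of a Flash file, verifying its length."""
    sig, version, declared_len = swf_header(data)
    if sig == b"FWS":
        return data
    if sig == b"ZWS":
        raise NotImplementedError("LZMA-compressed SWF (ZWS) not handled here")
    if sig != b"CWS":
        raise ValueError("not a SWF file: signature %r" % sig)
    body = zlib.decompress(data[8:])  # zlib-wrapped, header and adler32 included
    out = b"FWS" + bytes([version]) + data[4:8] + body
    if len(out) != declared_len:
        raise ValueError("length mismatch: header says %d, got %d"
                         % (declared_len, len(out)))
    return out


def swf_compress(fws: bytes) -> bytes:
    """Inverse of swf_expand; used here only to build the constructed sample."""
    if fws[:3] != b"FWS":
        raise ValueError("expected an FWS file")
    return b"CWS" + fws[3:8] + zlib.compress(fws[8:])


# Constructed sample: version 10, a fake body, correct length field.
SAMPLE_BODY = b"constructed SWF body; not a real Flash movie"
SAMPLE_FWS = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(SAMPLE_BODY)) + SAMPLE_BODY
SAMPLE_CWS = swf_compress(SAMPLE_FWS)

if __name__ == "__main__":
    expanded = swf_expand(SAMPLE_CWS)
    print(swf_header(expanded), expanded == SAMPLE_FWS)
```

A length mismatch is not proof of malice (some authoring tools write sloppy headers), but on a sample pulled out of a PDF object it is worth noting before the file is handed to a Flash disassembler.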


With the files uncompressed, here's a look at them:



Googling jit-egg.swf or funcXOR1 or Loadzz2 leads us to some PoC code by @asintsov at http://twitter.com/asintsov/status/1950725448
This code is a ROP JIT-egg shellcode heapspray in Flash, so our sample exploits CVE-2010-2883 in an embedded PDF file and uses Flash to do the heapspray. The shellcode will drop an executable and a clean PDF file, both of which are stored in the original PDF between the %%EOF and some tacked-on PDF junk streams.

Friday, October 1, 2010

PDF Slack Space

Another common way to hide an embedded executable file in a PDF is to include its content after the end-of-file marker %%EOF. We're now showing any content after the last %%EOF as "Slack Space", also marked in brown. Check out all the neat features of the PDF Examiner.
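Reporting everything after the last %%EOF works for the simple case, but two details matter in practice: a PDF with incremental updates legitimately has several %%EOF markers, and if the appended payload is itself a complete PDF (as with the clean decoy file in the sample above) then its own %%EOF becomes the last one and the naive check sees no slack at all. The following Python script is an added example, not PDF Examiner's implementation; the signature list and the "an update must contain startxref and must not start with a file signature" rule are constructed heuristics, and the sample PDFs and the fake executable are built inline.

```python
import re

EOF_MARKER = b"%%EOF"

# Signatures worth flagging inside appended data (constructed list for this example).
SLACK_SIGNATURES = {
    b"MZ": "PE executable header",
    b"%PDF-": "another PDF file",
    b"CWS": "compressed Flash",
    b"FWS": "uncompressed Flash",
}


def segments_after_eof(data: bytes):
    """Yield (offset, bytes) for the data that follows each %%EOF marker."""
    positions = [m.end() for m in re.finditer(re.escape(EOF_MARKER), data)]
    for i, start in enumerate(positions):
        stop = positions[i + 1] - len(EOF_MARKER) if i + 1 < len(positions) else len(data)
        yield start, data[start:stop]


def find_slack(data: bytes):
    """Return [(offset, size, [descriptions])] for regions appended after %%EOF.

    The region after the last %%EOF is always slack space if it holds more than
    line endings. An earlier region is treated as a legitimate incremental update
    only when it carries a 'startxref' and does not itself begin with a known file
    signature; that second condition catches an appended PDF, whose own startxref
    and %%EOF would otherwise disguise the whole region as an update.
    """
    findings = []
    regions = list(segments_after_eof(data))
    for i, (offset, chunk) in enumerate(regions):
        body = chunk.lstrip(b"\r\n")            # the line ending after %%EOF is normal
        if not body.strip(b"\r\n"):
            continue
        is_last = i == len(regions) - 1
        looks_like_update = (not is_last
                             and b"startxref" in body
                             and not body.startswith(tuple(SLACK_SIGNATURES)))
        if looks_like_update:
            continue
        hits = sorted({desc for sig, desc in SLACK_SIGNATURES.items() if sig in body})
        findings.append((offset + (len(chunk) - len(body)), len(body), hits))
    return findings


# Constructed samples (xref offsets are not accurate; they are not needed here).
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
    b"trailer\n<< /Size 2 /Root 1 0 R >>\nstartxref\n47\n"
    b"%%EOF\n"
)
UPDATE = (
    b"2 0 obj\n<< /Type /Annot >>\nendobj\n"
    b"xref\n0 1\n0000000000 65535 f \n"
    b"trailer\n<< /Size 3 /Prev 47 >>\nstartxref\n150\n"
    b"%%EOF\n"
)
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 20   # constructed header bytes, not an executable

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_PDF),
                          ("with update", CLEAN_PDF + UPDATE),
                          ("exe appended", CLEAN_PDF + FAKE_EXE),
                          ("exe + decoy PDF appended", CLEAN_PDF + FAKE_EXE + CLEAN_PDF)]:
        print(label, find_slack(sample))
```

The offsets returned are absolute file offsets, so they can be fed straight back into a hex viewer, and a region with no signature hits is still reported: an XOR-encoded or otherwise obfuscated payload shows up as size without a description, which is the case a human should look at.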