This PDF exploit arrives as an attachment to an email which claims to be from Wells Fargo Accounting.
Upon inspection of the PDF objects, we can see that one of the objects contains JavaScript which does the following:
- Image allocation (including a ridiculously large one)
- Array allocation
- Assembly algorithms
Figure 1: Array allocation
Figure 2: Raw Dump
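A triage script in the spirit of this inspection step, added here and not part of the original post: it pulls the JavaScript out of PDF objects (inflating FlateDecode streams along the way) and flags the heap-spray traits listed above. The PDF it scans is constructed inline, and the indicator patterns are assumptions derived from this description, not signatures taken from the analysed sample.

```python
import re
import zlib
# Constructed script with the traits the post lists (unescape'd %u shellcode, a
# self-doubling 0x0c0c sled, a large Array); not the analysed sample's own code.
SPRAY_JS = ('var sc = unescape("%u9090%u9090%uc031");\n'
            'var nops = unescape("%u0c0c%u0c0c");\n'
            'while (nops.length < 0x40000) nops += nops;\n'
            'var blocks = new Array(500);\n'
            'for (var i = 0; i < 500; i++) blocks[i] = nops + sc;\n')

def build_sample_pdf(js: str) -> bytes:
    """Constructed minimal PDF: /OpenAction -> JavaScript action -> FlateDecode stream."""
    body = zlib.compress(js.encode())
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)  # "n g obj ... endobj"

def decode_stream(obj: bytes) -> str:
    """Stream payload of one object, inflated when its dictionary says /FlateDecode."""
    if b"stream" not in obj:
        return ""
    start = obj.find(b"stream") + len(b"stream")
    start += 2 if obj[start:start + 2] == b"\r\n" else 1  # EOL after the keyword
    length = re.search(rb"/Length\s+(\d+)", obj)  # trust /Length, else the end marker
    end = start + int(length.group(1)) if length else obj.find(b"endstream", start)
    data = obj[start:end]
    return (zlib.decompress(data) if b"/FlateDecode" in obj else data).decode("latin-1", "replace")

def extract_javascript(pdf: bytes) -> dict:
    """Object number -> script text for every /JS key that references a stream object."""
    objects = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}
    refs = [re.search(rb"/JS\s+(\d+)\s+\d+\s+R", body) for body in objects.values()]
    return {int(r.group(1)): decode_stream(objects[int(r.group(1))])
            for r in refs if r and int(r.group(1)) in objects}

# Heuristics for the heap-spray traits the post describes; triage() returns those that fire.
INDICATORS = {
    "unescape_spray": re.compile(r"unescape\(\s*[\"']%u"),
    "nop_sled_0c0c": re.compile(r"%u0c0c", re.I),
    "self_doubling_loop": re.compile(r"while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-f]+\s*\)", re.I),
    "large_array": re.compile(r"new\s+Array\(\s*\d{3,}\s*\)"),
}

def triage(js: str) -> list:
    return [name for name, rx in INDICATORS.items() if rx.search(js)]

def scan_pdf(pdf: bytes) -> dict:
    """Object number -> fired indicators for every script found in the PDF."""
    return {num: triage(js) for num, js in extract_javascript(pdf).items()}
```

Running `scan_pdf(build_sample_pdf(SPRAY_JS))` reports all four indicators on object 4, while the same wrapper around a plain `app.alert(...)` script reports none.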
Closer inspection of the said suspicious array gives us what looks to be a target URL, but it is jumbled.
Reconstructing the given file gives us the following:
Figure 3: Fixed Dump
It looks like this is the shellcode, but based on the fixed output, we cannot verify what the URL is for.
A quick look at the code shows that it contains a decryption routine.
Figure 4: Decryption loop
Using the key, we now get more "readable" code.
Figure 5: Decrypted Shell Code
Now that the shellcode is decrypted, we can verify the URL.
While harvesting the needed APIs, the following APIs of interest were loaded:
Figure 6: API Harvest - Winexec
Figure 7: API Harvest - URLDownloadToCacheA
This indicates that the shellcode is a downloader, and sure enough:
Figure 8: API Usage - URLDownloadToCacheA
Figure 9: API Usage - Winexec
----
But wait, how can this even run when Adobe Reader runs in a sandbox environment?
Before we continue, we will introduce a couple of terms to avoid confusion:
- Broker process - the main PDF process; it spawns the renderer process, which loads the target PDF file
- Renderer process - AKA the sandbox: where the actual PDF is running
Figure 10: Adobe Reader seen in Process Explorer
The malicious PDF achieves EoP (escalation of privilege) by doing the following:
Allocate space and create a heap spray using the code shown in figure 11
Figure 11: Heap Spray creation
Figure 12.1: Heap Spray contents
Figure 12.2: Heap Spray contents
Figure 13: Heap Spraying the Broker process via HttpSendRequest
Figure 14: Memory Map at Broker Process
Figure 15: Crafted Heap
Figure 16: RegisterWindowsMessageW Usage
Figure 17: API Harvest - GetClipboardFormatNameA
Figure 18: GetClipboardFormatNameA usage
Figure 19: Heap Before GetClipboardFormatNameW in Broker Process
Figure 20: Heap Result after GetClipboardFormatNameW in Broker Process
Figure 17: Force back to Renderer process
Figure 21: SignalObjectAndWait - The final touch
At this point, the broker process is running the heap spray code.
Figure 22: Calling ROP
Figure 23: ROP back to shell code