Just some Acrobat exploits

In this second post I will explain the functions in the javascript code carved out used to exploit the Acrobat vulnerability.

First of all we take a look at the function that acts as a version-check of Acrobat with which the victim opened to read the pdf infected.

This is the function:

the function name is GDUvmppC (). Inside, yVXd variable is declared, and through app.viewerVersion.toString () function is initialized with the respective version number of Acrobat. At last, through Iterations will start the respective exploit depending on the detected version.

If the version is less than 8, then performs the waDmT () function.
If the version is greater than 8, then performs the FdAY () function.
If the version is less than 9.1, then performs the mLU() function.
If the version is less than version 9.2, then performs the breakfast() function.

As you can see there are 4 functions.

The waDmT() function exploits the collectEmailInfo vulnerability
-> collectEmailInfo({ subj:””,msg:mmk })

The FdAY() function exploits the util.printf vulnerability
-> util.printf(“%45000f”,uzpymeSR)

The mLU() function exploits the getIcon vulnerability
-> app.doc.Collab.getIcon(gGsYFcss)

The breakfast() function exploits the util.printd vulnerability
-> util.printd(GDagaCuyNfRSFzaSZLO, new Date())

All functions contain shellcode, and in particular we find them some interesting links:

http://*/yogetheadshot.php?ids=UdPDF
http://*/yogetheadshot.php

From these two links are downloaded same malware. Malware are identical because they are only called from two different links depending on the version of Acrobat πŸ˜‰

In the next post I’ll try to explain what makes the malware downloaded through the PDF.

Bye, see you in the next post. =)

Advertisements

2 Responses to “Just some Acrobat exploits”

  1. VIVEK Says:

    NICE ANALYSIS..

    I FOUND LOTS OF THINGS WITH CLEAR UNDERSTANDIN..

    THANKS FOR SHARING. πŸ™‚

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: