PDF Attack: A Journey from the Exploit Kit to the Shellcode (Slides)

As I already announced in the last blog post, I was in Las Vegas giving a workshop about how to analyze exploit kits and PDF documents at BlackHat. The part related to exploit kits included some tips to analyze obfuscated Javascript code manually and obtain the exploit URLs or/and shellcodes. The tools needed to accomplish this task were just a text editor, a Javascript engine like Spidermonkey, Rhino or PyV8, and some tool to beautify the code (like peepdf ;p). In a generic way, we can say that the steps to analyze an exploit kit page are the following:
 

  • Removing unnecessary HTML tags
  • Convert HTML elements which are called in the Javascript code to Javascript variables
  • Find and replace eval functions with prints, for example, or hook the eval function if it is possible (PyV8)
  • Execute the Javascript code
  • Beautify the code
  • Find shellcodes and exploit URLs
  • Repeat if necessary

 

 
In the second part of the session I focused on the analysis of PDF files with the help of peepdf, showing the new functionalities, like the new command vtcheck to check hashes of the file, objects, shellcodes, etc. on VirusTotal. As I have mentioned, all the exercises were practical, using real malicious PDF files found in the wild to show and solve the most common problems you can find when you analyze a PDF document.

During the last minutes of the workshop was the time to show the obfuscation capabilities of peepdf. I created some custom PDF files using encryption, compression, encodings and embedding in another PDF file to difficult the analysis and obfuscate documents.

These are the slides of the workshop, you can download them from here:

This time I have not released a new version or package of peepdf yet, because I want to include some more fixes and functionalities, but you can update it with -u to get the new stuff. Remember that I have replaced Spidermonkey with PyV8 as Javascript engine, I hope it works better now ;)

Good Presentation. Thanks for

Good Presentation. Thanks for the details surrounding pdf attack

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

Type the characters you see in this picture. (verify using audio)
Type the characters you see in the picture above; if you can't read them, submit the form and a new image will be generated. Not case sensitive.