Tools Used

  1. IDA Pro
  2. OllyDbg
  3. REMnux


  1. Lab19-03.pdf SHA256: 216a1b095dbcf7099f3b91633d5b663554bda1363d8a6a31323a28d4328c380e


  • Detection Rate: 37/56
  • Analyzed on 2016-06-15
  • Compilation Date: 2010:06:11 15:30:10
  • View report here

Lab 19-3
Analyze the file Lab19-03.pdf. If you get stuck and can’t find the shellcode,
just skip that part of the lab and analyze file Lab19-03_sc.bin using

1. What exploit is used in this PDF?

Let's recon the PDF first to get more insight. pdfid shows that it contains /JS and /JavaScript elements, which indicates that this PDF probably uses JavaScript to exploit the reader.

Figure 1. pdfid to recce the pdf file

Using pdfextract we can easily extract the JavaScript contents.

Figure 2. Extract javascript via pdfextract tool

The extracted JavaScript contains the payload, a check of the reader version that selects which versions are attacked, a standard heap spray, and finally the trigger: a call to util.printf. A Google search on this printf exploit surfaced the advisory from CORE Security: CVE-2008-2992, a stack-based buffer overflow in Adobe Reader's util.printf JavaScript function when it is called with a crafted format string argument.

Figure 3. CVE-2008-2992; printf buffer overflow

2. How is the shellcode encoded?

Referring to Figure 3, the payload is stored as a %u-escaped JavaScript string: every %uXXXX token is one 16-bit value that unescape() turns into a UTF-16 code unit, so each token lands in memory as two little-endian bytes (%u9090 becomes 90 90, %u4890 becomes 90 48). We can convert it with the unicode2raw tool provided in REMnux, or write a simple tool to do it ourselves.

Figure 4. unicode2raw
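As an added example (not from the original post or from the book's lab files), here is that "simple tool" in Python: it pulls the %u runs out of the extracted JavaScript, reproduces what unescape() leaves in memory, and strips the NOP sled so the result can go straight to a disassembler or sctest. The SAMPLE string is constructed for illustration and is not the Lab19-03 payload.

```python
import re
import struct
import sys

# Constructed sample, not the real Lab19-03 payload: four NOPs, then the
# bytes of "add esp, 4" and one more NOP, written the way the sprayed
# string stores them (%u tokens carry 16-bit words in little-endian order).
SAMPLE = "%u9090%u9090%uc483%u9004"

# unescape() grammar: %uXXXX (one UTF-16 code unit), %XX (code unit 00XX),
# or any other single character taken literally.
_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.S)

# A run of at least four consecutive %uXXXX tokens; used to pull the
# encoded blobs out of the surrounding JavaScript.
_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){4,}")


def extract_escaped_runs(js: str):
    """Return every %u run found in the JavaScript, longest first; the
    longest one is normally the block worth decoding."""
    return sorted(_RUN.findall(js), key=len, reverse=True)


def js_unescape_to_bytes(s: str) -> bytes:
    """Return the bytes that unescape(s) occupies in memory.

    The JavaScript engine stores strings as UTF-16LE, so each code unit
    becomes two little-endian bytes: %u9090 -> 90 90, %u4890 -> 90 48.
    This byte order is why the shellcode looks byte-swapped when read
    off the %u tokens by eye.
    """
    out = bytearray()
    for m in _TOKEN.finditer(s):
        if m.group(1) is not None:
            unit = int(m.group(1), 16)
        elif m.group(2) is not None:
            unit = int(m.group(2), 16)
        else:
            unit = ord(m.group(3))
        out += struct.pack("<H", unit)
    return bytes(out)


def strip_nop_sled(raw: bytes) -> bytes:
    """Drop the leading 0x90 sled so the remaining bytes start at the
    first real instruction."""
    i = 0
    while i < len(raw) and raw[i] == 0x90:
        i += 1
    return raw[i:]


if __name__ == "__main__":
    # Usage: python3 unescape_payload.py < extracted.js > payload.bin
    # With no input on stdin the constructed SAMPLE is decoded instead.
    js = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    runs = extract_escaped_runs(js) or [js]
    sys.stdout.buffer.write(strip_nop_sled(js_unescape_to_bytes(runs[0])))
```

Feed the script the JavaScript dumped by pdfextract; it decodes the longest %u run, which is what you want when the spray filler and the shellcode block are stored as separate strings.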

3. Which functions does the shellcode manually import?

Before jumping straight into analyzing the shellcode, we can use sctest (from libemu) to generate a graph of the API calls the shellcode makes.

Figure 5. sctest and dot
Figure 6. Flow Graph

Notice GetFileSize at the bottom left. The shellcode has no handle of its own to the PDF, so this suggests it is searching for the handle the reader already has open on the document, calling GetFileSize on candidate handle values until one fits. That in turn suggests more payload is stored in the PDF file itself.

Using shellcode_launcher.exe, which ships with the book's lab files, we can run the shellcode under OllyDbg with an open handle to the PDF file, mimicking the state the reader would be in.

Figure 7. shellcode_launcher

On running it, the program breaks automatically. Manually set the new origin to the next instruction (the jmp into the shellcode) to resume execution, as shown below.

Figure 8. Set new origin to jmp instruction

If we look at the handles window, we can see the open handle to the PDF file.

Figure 9. File Handle open

Tracing the shellcode, we soon reach the following code. It resolves function addresses from kernel32.dll by hashing each exported name with a small checksum routine and comparing the result against constants embedded in the shellcode, so no import names appear in the code itself.

Figure 10. imports

The shellcode then loads shell32.dll with LoadLibraryA and searches it the same way for ShellExecuteA, as shown in Figures 11 to 13.

Figure 11. LoadLibraryA on shell32
Figure 12. finding ShellExecuteA address
Figure 13. ShellExecuteA added to list of imports

The resolved functions are:

  1. LoadLibraryA
  2. CreateProcessA
  3. TerminateProcess
  4. GetCurrentProcess
  5. GetTempPathA
  6. SetCurrentDirectoryA
  7. CreateFileA
  8. GetFileSize
  9. SetFilePointer
  10. ReadFile
  11. WriteFile
  12. CloseHandle
  13. GlobalAlloc
  14. GlobalFree
  15. ShellExecuteA
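The lookup traced above can be reproduced offline. The following Python is an added example, not code from the post or from the book: it walks the export table of a DLL copied off the victim (kernel32.dll or shell32.dll), hashes every exported name, and matches the constants read out of the shellcode, which is exactly what the resolver does at runtime. The ROR-13 hash is an assumption, a routine common in shellcode; the lab's own checksum may differ, in which case ror13_hash is the only function to replace. The hash values passed on the command line are placeholders for the constants seen in Figure 10.

```python
import struct
import sys


def ror13_hash(name: str) -> int:
    """32-bit ROR-13 hash over the ASCII name, common in shellcode import
    resolvers. ASSUMPTION: the Lab19-03 checksum may be a different
    routine; port the one seen in the debugger here and nothing else in
    this script changes."""
    h = 0
    for c in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def pe_exports(data: bytes) -> dict:
    """Walk the export directory of a PE file read from disk and return
    {exported name: RVA}. RVAs are mapped to file offsets through the
    section table; that is the only difference from walking the mapped
    image the way the shellcode does."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect, opt_size = _u16(data, pe + 6), _u16(data, pe + 20)
    opt = pe + 24
    dir0 = opt + (0x60 if _u16(data, opt) == 0x10B else 0x70)  # PE32 / PE32+
    exp_rva = _u32(data, dir0)  # first data directory entry = exports
    if exp_rva == 0:
        return {}
    secs = []
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        secs.append((va, max(vsize, rawsize), rawptr))

    def off(rva):
        for va, size, rawptr in secs:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} outside all sections")

    e = off(exp_rva)                       # IMAGE_EXPORT_DIRECTORY
    n_names = _u32(data, e + 24)           # NumberOfNames
    funcs = off(_u32(data, e + 28))        # AddressOfFunctions
    names = off(_u32(data, e + 32))        # AddressOfNames
    ords = off(_u32(data, e + 36))         # AddressOfNameOrdinals
    exports = {}
    for i in range(n_names):
        start = off(_u32(data, names + 4 * i))
        name = data[start:data.index(b"\0", start)].decode("ascii", "replace")
        exports[name] = _u32(data, funcs + 4 * _u16(data, ords + 2 * i))
    return exports


def resolve_by_hash(exports: dict, wanted: int, hashfn=ror13_hash):
    """What the shellcode does at runtime: hash every exported name until
    one matches the constant embedded in the code. Returns (name, rva)
    or None if no export hashes to the constant."""
    for name, rva in exports.items():
        if hashfn(name) == wanted:
            return name, rva
    return None


def hash_table(names, hashfn=ror13_hash) -> dict:
    """Precompute {hash: name} for a list of suspected imports so constants
    seen in the debugger can be labelled without running anything."""
    return {hashfn(n): n for n in names}


if __name__ == "__main__":
    # Usage: python3 hashres.py kernel32.dll 0x0726774c ...  (hashes in hex,
    # placeholders for the constants read out of the shellcode)
    exports = pe_exports(open(sys.argv[1], "rb").read())
    for h in sys.argv[2:]:
        print(f"{h}: {resolve_by_hash(exports, int(h, 16))}")
```

Running hash_table over the fifteen names listed above gives a lookup table for labelling the constants in IDA as you step through the resolver; if none of the constants match, the hash routine is not ROR-13 and needs to be ported from the disassembly first.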

4. What filesystem residue does the shellcode leave?

Set a breakpoint on WriteFile and let the shellcode run. As shown in Figures 14 and 15, two files are dropped on the victim's machine: foo.exe and bar.pdf. Both are written to the temporary directory returned by GetTempPathA (%TEMP% in the victim's environment).

Figure 14. MZ dropped in Temp\foo.exe
Figure 15. PDF dropped in Temp\bar.pdf

5. What does the shellcode do?

The shellcode resolves the functions it needs from kernel32.dll by hash, then uses LoadLibraryA to load shell32.dll and resolves ShellExecuteA from it the same way.

It then locates the open handle to the malicious PDF and reads an executable payload and a second PDF out of the file itself (GetFileSize, SetFilePointer and ReadFile), writing them to the temp folder as foo.exe and bar.pdf respectively.
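The reads described above can be replicated statically, so the dropped files can be recovered without running the shellcode at all. The following Python carver is an added example (not part of the post or the book): it scans the carrier PDF for an embedded MZ/PE header and an embedded %PDF- header, sizes each from its own structure (the PE from its section table, the PDF up to its first %%EOF), and writes them out. The offsets the shellcode passes to SetFilePointer are not on the page, so the carver finds the files by signature instead. build_sample_carrier() builds a constructed carrier for a self-test; it is not Lab19-03.pdf.

```python
import struct
import sys

MZ, PE_SIG, PDF_MAGIC, PDF_EOF = b"MZ", b"PE\0\0", b"%PDF-", b"%%EOF"


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def pe_size(data: bytes, off: int) -> int:
    """Length of a PE file starting at `off`, taken from its own headers:
    the end of the last raw section (just the headers if there are none).
    Returns 0 if there is no valid MZ/PE header at `off`."""
    if data[off:off + 2] != MZ or off + 0x40 > len(data):
        return 0
    pe = off + _u32(data, off + 0x3C)
    if pe + 24 > len(data) or data[pe:pe + 4] != PE_SIG:
        return 0
    nsect, opt_size = _u16(data, pe + 6), _u16(data, pe + 20)
    sect = pe + 24 + opt_size
    if sect + 40 * nsect > len(data):
        return 0
    end = sect + 40 * nsect - off
    for i in range(nsect):
        rawsize, rawptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, rawptr + rawsize)
    return end


def pdf_size(data: bytes, off: int) -> int:
    """Length of a PDF starting at `off`: up to and including the first
    %%EOF marker after it and its line ending. Returns 0 if none."""
    end = data.find(PDF_EOF, off)
    if end == -1:
        return 0
    end += len(PDF_EOF)
    while data[end:end + 1] in (b"\r", b"\n"):
        end += 1
    return end - off


def find_embedded(data: bytes):
    """Return [(offset, kind, size)] for each PE and each PDF found inside
    the carrier, skipping the carrier's own %PDF- header at offset 0."""
    hits = []
    i = data.find(MZ)
    while i != -1:
        n = pe_size(data, i)
        if n:
            hits.append((i, "exe", n))
        i = data.find(MZ, i + 1)
    i = data.find(PDF_MAGIC, 1)
    while i != -1:
        n = pdf_size(data, i)
        if n:
            hits.append((i, "pdf", n))
        i = data.find(PDF_MAGIC, i + 1)
    return sorted(hits)


def carve(data: bytes) -> dict:
    """Cut every embedded file out of the carrier: {filename: bytes}."""
    return {f"carved_{off:#x}.{kind}": data[off:off + n]
            for off, kind, n in find_embedded(data)}


def build_sample_carrier() -> bytes:
    """Constructed test input (not Lab19-03.pdf): a PDF wrapper holding a
    minimal 0x90-byte PE with one section, followed by a tiny PDF."""
    pe = bytearray(0x90)
    pe[0:2] = MZ
    struct.pack_into("<I", pe, 0x3C, 0x40)          # e_lfanew
    pe[0x40:0x44] = PE_SIG
    struct.pack_into("<HH", pe, 0x44, 0x14C, 1)      # i386, one section
    # SizeOfOptionalHeader (at 0x54) stays 0, so the section table is at 0x58
    pe[0x58:0x60] = b".text\0\0\0"
    struct.pack_into("<IIII", pe, 0x60, 0x10, 0x1000, 0x10, 0x80)  # vsize, va, rawsize, rawptr
    inner = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\ntrailer\n<< >>\n%%EOF\n"
    return (b"%PDF-1.6\n% carrier\n" + b"A" * 16 + bytes(pe) + b"B" * 8
            + inner + b"endstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    # Usage: python3 carve.py Lab19-03.pdf   (writes carved_*.exe / .pdf)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_carrier()
    for name, blob in carve(data).items():
        open(name, "wb").write(blob)
        print(f"{name}: {len(blob)} bytes")
```

If the carved sizes differ from what you saw at the WriteFile breakpoint, trust the debugger: a PE with overlay data or a PDF that contains several %%EOF markers will be under-sized by these rules. Compare the carved files' hashes against Temp\foo.exe and Temp\bar.pdf to confirm they are the same objects.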

foo.exe is then executed via CreateProcessA, as shown in Figures 16 and 17.

Figure 16. CreateProcessA for foo.exe
Figure 17. foo.exe

bar.pdf is then opened via ShellExecuteA, which hands the file to the victim's default PDF application; the victim sees a document open as expected while foo.exe runs.

Figure 18. ShellExecuteA for bar.pdf
Figure 19. bar.pdf pops up



