Monday, June 7, 2010

Jun 7 Adobe 0 day CVE-2010-1297 11d2f8d754f3e52893c631f0.pdf




 Download  original_11d2f8d754f3e52893c631f0 plus other files from jsunpack (no password this time)


I hear it worked ok on Adobe 9.3.0 with Win XP Sp3, creates C:\-.exe  (thanks, TaPion)


File original_11d2f8d754f3e52893c631f0  received on 2010.06.07 20:55:29 (UTC)Result: 23/41 (56.1%)
http://www.virustotal.com/analisis/bd2776e507cf0284a9cfb7deb9a241d6699243a221c125f9911fa753ca8f01d1-1275928154
Antivirus     Version     Last Update     Result
a-squared    5.0.0.26    2010.06.07    HTML.Malicious!IK
AntiVir    8.2.2.6    2010.06.07    HTML/Malicious.PDF.Gen
Authentium    5.2.0.5    2010.06.07    PDF/Expl.HW
Avast    4.8.1351.0    2010.06.07    JS:Pdfka-gen
Avast5    5.0.332.0    2010.06.07    JS:Pdfka-gen
AVG    9.0.0.787    2010.06.07    Exploit_c.GGK
BitDefender    7.2    2010.06.07    Exploit.SWF.J
ClamAV    0.96.0.3-git    2010.06.07    Exploit.PDF-28487
eTrust-Vet    36.1.7617    2010.06.07    PDF/Pidief.RP
F-Prot    4.6.0.103    2010.06.07    PDF/Expl.HW
F-Secure    9.0.15370.0    2010.06.07    Exploit:W32/Pidief.CPT
GData    21    2010.06.07    Exploit.SWF.J
Ikarus    T3.1.1.84.0    2010.06.07    HTML.Malicious
Kaspersky    7.0.0.125    2010.06.07    Exploit.JS.Pdfka.ckq
Microsoft    1.5802    2010.06.07    Exploit:Win32/Pdfjsc.gen!A
Norman    6.04.12    2010.06.07    JS/Shellcode.IK
nProtect    2010-06-07.01    2010.06.07    Trojan-Exploit/W32.Pidief.268333.EY
PCTools    7.0.3.5    2010.06.07    Trojan.Pidief
Sophos    4.53.0    2010.06.07    Troj/SWFDlr-S
Symantec    20101.1.0.89    2010.06.07    Trojan.Pidief.J
TrendMicro    9.120.0.1004    2010.06.07    TROJ_PIDIEF.WX
TrendMicro-HouseCall    9.120.0.1004    2010.06.07    TROJ_PIDIEF.WX
ViRobot    2010.6.7.2341    2010.06.07    JS.S.EX-Pdfka.268333

Additional information
File size: 268333 bytes
MD5...: 721601bdbec57cb103a9717eeef0bfca
SHA1..: 11d2f8d754f3e52893c631f0201b72c909d52cd8


References  - thanks to Ratsoul for the tip
(you can download it from there too)
http://jsunpack.jeek.org/dec/go?report=7fca0277b807433a437553113bf702160ccb365e 

3 comments:

  1. Vupen said that the exploit works with Adobe Acrobat / Reader 9.3.2 and bypasses DEP http://twitter.com/VUPEN/statuses/15692769161

    ReplyDelete
  2. Yep but did not test with DEP on 9.3.2 yet - let me know if this is one works. Thanks

    ReplyDelete
  3. Wrote about two mass sqls using this: http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html

    ReplyDelete