Wednesday, December 7, 2011

Adobe Zero Day CVE-2011-2462 - with samples




Update: Adobe Released the patch yesterday and  I posted a few samples below. There were several campaigns with two variants - 
1) unencrypted (some are not working - see explanation below)
2) AESV3 encrypted  (try to use Origami to decrypt these). Each of the posted samples are marked by their 'type"

CVE-2011-2462 the new Adobe Zero files come with the same payload we saw in CVE-2010-3654 Adobe Flash player zero day vulnerability, trojan Sykipot - using the same technique with injecting a DLL file into
iexplore, or firefox.exe, or outlook.exe and communicating with  hXXps://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys over HTTPS. Brandon Dixon from 9bplus.com posted a great initial analysis of Java script and payload from a file with this exploit, I am just adding a few additional details.