Government Security
Network Security Resources


live pdf exploit

exploit virus shell antivirus
4 replies to this topic

#1 ssss

ssss

    Private First Class

  • Members
  • 73 posts

Posted 02 June 2009 - 01:36 AM

I recently received an e-mail regarding my bank statement in '.pdf' form.
As usual I downloaded it and opened it. My Acrobat crashed and downloaded a .exe file from the net.

Here is a live PDF file not detected by any antivirus (checked through virustotal.com).
Also the attachment contains an exe file that is automatically downloaded and executed by the PDF.

Dissecting the exe, I got a few important details about the sender. Anyway, check for yourself. The virus installs as a service and uploads to an FTP.


After the Acrobat updates this exploit does not work.

The shellcode in the PDF is good.


#2 DidierStevens

DidierStevens

    Specialist

  • Sergeant Major
  • 100 posts

Posted 02 June 2009 - 10:30 AM

It exploits the getIcon vulnerability.

The shellcode is standard shellcode that downloads a file, writes it to system32 and executes it.

The PDF is not standard, actually; they used my template. And they appended 100,000 zero bytes to try to bypass AV scanners.
Which didn't help. The detection rate on VT is unchanged.

@ssss Can you disclose the e-mail to which this PDF document was attached?

#3 Zc0bpsz

Zc0bpsz

    Private

  • Members
  • 4 posts

Posted 27 November 2010 - 02:49 PM

Maybe the Metasploit PDF exploit generator was used.



#4 Ferb

Ferb

    Private

  • Members
  • 2 posts

Posted 27 May 2011 - 05:46 AM

The moment I downloaded the PDF, ESET Smart Security detected it with 3 malware as "PDF.exploit", so it is detected. It also downloads some pdf.part file which was deleted, so I could not open the .pdf. Will be waiting for the explanation on this one.

#5 bonarez

bonarez

    Retired GSO Second Lieutenant

  • Sergeant Major
  • 1,252 posts

Posted 27 May 2011 - 09:54 AM

> The moment I downloaded the PDF, ESET Smart Security detected it with 3 malware as "PDF.exploit", so it is detected. It also downloads some pdf.part file which was deleted, so I could not open the .pdf. Will be waiting for the explanation on this one.

You can use Didier's pdfid tool to see what's inside this oldie.

PdfId is included in the latest BackTrack 5; you can download a VMware image for that and run it in VMware Player.
"Ask the right question and you will receive the right answer. I'm just very sensitive about the right syntax"
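The kind of triage pdfid does, as an added example (not code from this thread, not Didier Stevens' pdfid itself): count the PDF keywords that matter for a "bank statement" that should never need them (/JavaScript, /OpenAction, /AA, /Launch), resolve `#xx` hex-escaped names so that `/Java#53cript` is not missed, and measure the bytes trailing the last `%%EOF`, which is where the 100,000 appended zero bytes Didier mentions would show up. The sample PDF below is constructed for the example: it carries a harmless `app.alert` action and 1,000 zero bytes of padding, nothing more.

```python
import re

# Keywords whose presence in an unsolicited "statement" PDF warrants a closer look.
SUSPICIOUS_KEYWORDS = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/ObjStm",
)
# Structural keywords: counted so a reader can sanity-check the file's shape
# (e.g. obj/endobj mismatch hints at a truncated or deliberately odd file).
STRUCTURAL_KEYWORDS = (
    b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref",
)
NAME_CHAR = rb"[A-Za-z0-9_]"


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF names, e.g. /Java#53cript -> /JavaScript.
    Obfuscated names are a classic way to hide /JavaScript from naive greps."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each keyword as a whole token (not inside a longer name such as endobj)."""
    counts = {}
    for kw in SUSPICIOUS_KEYWORDS + STRUCTURAL_KEYWORDS:
        pattern = rb"(?<!" + NAME_CHAR + rb")" + re.escape(kw) + rb"(?!" + NAME_CHAR + rb")"
        counts[kw.decode()] = len(re.findall(pattern, data))
    return counts


def trailing_bytes(data: bytes) -> int:
    """Number of bytes after the last %%EOF marker (ignoring its line ending).
    Returns -1 when there is no %%EOF at all, which is itself suspicious."""
    idx = data.rfind(b"%%EOF")
    if idx == -1:
        return -1
    tail = data[idx + len(b"%%EOF"):].lstrip(b"\r\n")
    return len(tail)


def triage(data: bytes) -> dict:
    """Return keyword counts, trailing-byte count and a list of plain-language findings."""
    counts = count_keywords(normalize_names(data))
    tail = trailing_bytes(data)
    findings = []
    if counts["/JavaScript"] or counts["/JS"]:
        findings.append("contains JavaScript")
    if counts["/OpenAction"] or counts["/AA"]:
        findings.append("runs an action automatically when opened")
    if counts["/Launch"]:
        findings.append("can launch an external program")
    if counts["/EmbeddedFile"]:
        findings.append("carries an embedded file")
    if tail == -1:
        findings.append("no %%EOF marker")
    elif tail > 0:
        kind = "zero bytes" if set(data[-tail:]) == {0} else "bytes"
        findings.append(f"{tail} trailing {kind} after %%EOF (padding)")
    return {"counts": counts, "trailing_bytes": tail, "findings": findings}


# Constructed sample: a minimal PDF with a hex-escaped /JavaScript action that only
# pops an alert, plus 1,000 appended zero bytes to mimic the padding trick.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
) + b"\x00" * 1000


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for name, n in report["counts"].items():
        if n:
            print(f"{name:<14} {n}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Run it against a real file with `triage(open(path, "rb").read())`. The counts are only a first pass: a PDF can still hide JavaScript inside compressed object streams (`/ObjStm`) or filtered streams, which is why the script counts those keywords too and why a hit should be followed by decompressing the streams (pdf-parser or similar) rather than trusted as a clean result.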





