Lab 19-3 Solutions
Short Answers
The PDF contains an example of CVE-2008-2992: buffer overflow related to Adobe Reader’s util.printf JavaScript implementation.
The shellcode is encoded using JavaScript’s percent-encoding and is stored along with the JavaScript in the PDF.
The shellcode manually imports the following functions:
LoadLibraryA
CreateProcessA
TerminateProcess
GetCurrentProcess
GetTempPathA
SetCurrentDirectoryA
CreateFileA
GetFileSize
SetFilePointer
ReadFile
WriteFile
CloseHandle
GlobalAlloc
GlobalFree
ShellExecuteA
The shellcode creates the files %TEMP%\foo.exe and %TEMP%\bar.pdf.
The shellcode extracts two files stored encoded within the malicious PDF and writes them to the user’s %TEMP% directory. It executes the foo.exe file and opens the bar.pdf
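As an added analysis helper for the percent-encoding described above and for recovering the list of hand-imported APIs (this is not code from the book, the lab PDF, or its authors), the following Python decodes a JavaScript unescape()-style payload string back into raw bytes and runs a strings pass over the result; the sample payload is constructed for illustration, not taken from the lab file.

```python
import re
import struct

# Constructed sample (not from the lab PDF): a short NOP sled followed by the
# ASCII name of one of the APIs the shellcode resolves, packed the way
# JavaScript unescape() stores %u-escaped code units in memory (little-endian).
SAMPLE_ENCODED = "%u9090%u9090%u6f4c%u6461%u694c%u7262%u7261%u4179"

# One token of a JavaScript unescape()-style string:
#   %uXXXX -> one UTF-16 code unit (two bytes, little-endian)
#   %XX    -> one byte
#   .      -> a literal character, kept as its Latin-1 byte value
_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.DOTALL)

def decode_js_unescape(encoded: str) -> bytes:
    """Turn a percent-encoded JavaScript payload string back into raw bytes."""
    out = bytearray()
    for m in _TOKEN.finditer(encoded):
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        elif m.group(2):
            out.append(int(m.group(2), 16))
        else:
            out += m.group(3).encode("latin-1", errors="replace")
    return bytes(out)

def ascii_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, a strings(1)-style pass."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, blob)]

def recover_api_names(encoded: str) -> list[str]:
    """Decode the payload and list its printable strings; for shellcode that
    resolves imports by hand these include the API names it looks up."""
    return ascii_strings(decode_js_unescape(encoded))

if __name__ == "__main__":
    raw = decode_js_unescape(SAMPLE_ENCODED)
    print(raw.hex())                      # 90909090 followed by the ASCII name
    print(recover_api_names(SAMPLE_ENCODED))  # ['LoadLibraryA']
```

On a real sample, feed the string literal pulled from the PDF's JavaScript object into recover_api_names and compare the output against the import list above.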