Wednesday, February 25, 2009

Deobfuscating the Adobe 0-day

The following is a quick writeup of an analysis started on a PDF sample for the Adobe 7/9 0-day. The exploit starts with an overflow, then attempts to run the JavaScript to drop a file c:/adobe.exe and execute it.

hexdump -C file.pdf > HEXDUMP_file.pdf.txt
less HEXDUMP_file.pdf.txt
[find the JavaScript near the end]

0x80301 - 525057 start of JavaScript exploit
0x821c8 - 532936 end of JavaScript exploit
=======
7879 - difference in decimal

Carve the JavaScript out with dd (bs=1 so skip and count are byte offsets).
dd if=file.pdf of=file.pdf.js.carve bs=1 skip=525086 count=7849
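As an added example (not the author's script), the locate-and-carve step done programmatically: scan the PDF for stream objects that a /JS entry points at or that name /JavaScript themselves, report their byte offsets in the same hex/decimal form as the notes above, and write the body out for the js shell. It goes a step beyond the raw dd carve by also inflating FlateDecode streams; the PDF bytes are constructed inline as test input.

```python
import re
import zlib

# Constructed test input (not the sample from the write-up): a minimal PDF
# whose OpenAction runs a JavaScript stream compressed with FlateDecode.
SAMPLE_JS = b'var s = unescape("%41%42"); app.alert(s);'
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Length " + str(len(SAMPLE_COMPRESSED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + SAMPLE_COMPRESSED
    + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%EOF\n"
)

# One stream object: number, its dictionary (tempered so the match cannot run
# past the closing >>; nested dictionaries are not handled), and the raw body.
STREAM_RE = re.compile(
    rb"(\d+)\s+0\s+obj\s*<<((?:[^>]|>(?!>))*)>>\s*stream\r?\n(.*?)\r?\nendstream",
    re.S,
)

def find_js_streams(pdf):
    """Return (obj_num, body_start, body_end, script) for each stream that a
    /JS entry points at or that names /JavaScript in its own dictionary.
    body_start/body_end are byte offsets into the file, i.e. what one would
    hand to dd as skip= and skip+count."""
    js_refs = {int(m.group(1)) for m in re.finditer(rb"/JS\s+(\d+)\s+0\s+R", pdf)}
    found = []
    for m in STREAM_RE.finditer(pdf):
        num, dictionary, body = int(m.group(1)), m.group(2), m.group(3)
        if num not in js_refs and b"/JavaScript" not in dictionary:
            continue
        if b"/FlateDecode" in dictionary:
            body = zlib.decompress(body)   # raw carve would give compressed bytes
        found.append((num, m.start(3), m.end(3), body))
    return found

def describe(pdf):
    """Offsets in the hex/decimal form used in the notes above."""
    return ["obj %d: 0x%x - %d start, 0x%x - %d end, %d bytes" % (n, s, s, e, e, e - s)
            for n, s, e, _ in find_js_streams(pdf)]

if __name__ == "__main__":
    for line in describe(SAMPLE_PDF):
        print(line)
    for num, _, _, script in find_js_streams(SAMPLE_PDF):
        with open("obj%d.js" % num, "wb") as out:   # carved, ready for the js shell
            out.write(script)
```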

Add some stubs to stand in for the Reader/browser objects the SpiderMonkey shell lacks. Not quite there, but it gives the idea.

// document.write() is redirected to a print helper, so the next decoded
// layer is shown instead of being executed. printit is assumed to be
// supplied by the js.sh wrapper; it is not defined here.
function document(){
    this.write=printit;
}

var document=new document();

// Placeholders for the variables the obfuscated script references.
// Note that substring is set to a string here, not a function.
function address(){
    this.length=0;
    this.substring="";
}
var address=new address();
function nop(){
    this.substring="";
}
var nop=new nop();
function jmp(){
    this.length=0;
}
var jmp=new jmp();
function pointers(){
    this.length=0;
    this.substring="";
}
var pointers=new pointers();
function pointers1(){
    this.length=0;
}
var pointers1=new pointers1();

Run and see if it prints the deobfuscated output.

./js 1.js
bt collectedfiles # ../scripts/js.sh 1.js
var address = unescape(r)
var jmp = unescape(r)
var nop = unescape(r)
var nop1 = unescape(r)
var shellcode = unescape(r)
1.js:84: TypeError: nop.substring is not a function

It only gets a few lines in before hitting a missing function: the stub sets nop.substring to a string, so the script cannot call it. No luck this time, but it's close. Keep playing.