PDF Attack: A Journey from the Exploit Kit to the Shellcode

PDF Attack: A journey from the Exploit Kit to the shellcode is a workshop that shows how to analyze obfuscated Javascript code from an Exploit Kit page, extract the exploits it uses, and analyze them. Nowadays automated tools can extract URLs and binaries, but it is still important to know how to do it manually so as not to miss any detail. We will focus mostly on PDF documents, starting from a simple Javascript Hello World document and ending with a real file used by a fresh Exploit Kit. The workshop also includes exercises on modifying malicious PDF files and obfuscating them to try to bypass AV software, which is very useful in pentesting. The latest version of peepdf (included in REMnux, BackTrack and Kali Linux) will be used to accomplish these tasks, so the presentation also covers the latest tricks used by cybercriminals, such as using new filters and encryption to make analysis more difficult.

Published in: Technology


  1. PDF ATTACK: A Journey from the Exploit Kit to the Shellcode. Jose Miguel Esparza, @EternalTodo
  2. Who am I: • Jose Miguel Esparza • Senior Cybercrime Analyst at Fox-IT – Malware, Botnets, C&Cs, Exploit Kits, … • Security Researcher at Home ;p – PDF, NFC, … • http://eternal-todo.com • @EternalTodo on Twitter
  3. Agenda: • A Journey from the Exploit Kit to the Shellcode – Exploit Kits: the source of evil – PDF basics – Some basic peepdf commands – Analyzing PDF exploits • Extracting and analyzing shellcodes – Obfuscation of PDF files
  4. Requirements: • Linux distribution – Libemu / Pylibemu – V8 / PyV8 • Latest peepdf version – Check it out from the repository or update!
  5. Exploit Kits: the source of evil: • Best way to infect a computer • Effective and fresh exploits – IE – Java – PDF – Flash – … • Average of 6-7 exploits
  6. Exploit Kits: the source of evil (figure)
  7. Exploit Kits: the source of evil (figure; labels: Java 7u11, Java Byte Verify, Java CMM, Java < 7u17)
  8. Exploit Kits: the source of evil: • Most used nowadays – BlackHole – Neutrino – RedKit – CoolPack – Styx – Nuclear – … (credit: KahuSecurity)
  9. Exploit Kits: the source of evil: • Infection steps – Visit injected website / Click SPAM link – Redirection (maybe more than one) – Obfuscated Javascript – Plugin detection – Trying exploits – Done!
  10. Exploit Kits: the source of evil: • Traffic Distribution Systems (TDS) – Country specific attacks – TDS + Exploit Kits = WIN!
  11. Exploit Kits: the source of evil: • Analyzing exploit kits – Avoiding researchers • Filtering by User-Agent and/or Referer • Blocking IPs • One-time infections • Country filters
  12. Exploit Kits: the source of evil: • Analyzing obfuscated Javascript code – The “easy” way • Automatic tools – Online services » Wepawet » JSUNPACK – Low-interaction honeyclient » Thug • You can miss some info
  13. Exploit Kits: the source of evil: • Analyzing obfuscated Javascript code – The traditional way • Executing different stages of JS code – Beautify the code – Looking for the eval function » s/eval/print/ – Hooking the eval function with Javascript engines • Looking for exploits / shellcodes • You cannot miss any detail
  14. Exploit Kits: the source of evil: • Analyzing obfuscated Javascript code – The traditional way • Let’s play ;)
  15. PDF basics: • PDF format? • PDF structure? • Objects? • Filters?
  16. PDF basics (figure): Header, Body, Cross reference table, Trailer
  17. PDF basics: • Body – Sequence of objects – Object types • Boolean: true false • Numbers: 123 -98 4. -.002 123.6 • Strings: (hola) <686f6c61> – 68 (h) 6f (o) 6c (l) 61 (a) • Names: /Type /Filter • Dictionaries: << /Type /Catalog /Root 1 0 R >> • Arrays: [ 1.0 (test) <</Length 273>> ] • Streams
  18. PDF basics (figure)
  19. PDF basics: • Object types – Indirect objects • Reference: “object_id generation_number R”
  20. PDF basics: • Object types – Indirect objects • Reference: “object_id generation_number R”
  21. PDF basics: • Tree structure → References • Root node – /Catalog • If an element isn’t in the downward path from the /Catalog, it DOES NOT EXIST
  22. PDF basics: • You can use just a text editor!!
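The PDF basics slides describe the header, body, cross reference table and trailer, indirect references and the /Catalog root. As an added example (not from the slides or from peepdf), this Python script writes the workshop's JavaScript Hello World document by hand, computing the byte offsets the cross reference table must carry, and reads the table back to check that each entry lands on its object; the object contents and the output file name are constructed for the example.

```python
def build_pdf(objects: dict, root: int) -> bytes:
    """Write header, body, cross reference table and trailer; offsets are the byte
    position of each 'n 0 obj', which is what the xref entries must point to."""
    out = bytearray(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")   # header + binary marker comment
    offsets = {}
    for num in sorted(objects):
        offsets[num] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (num, objects[num])
    xref_pos, size = len(out), max(objects) + 1
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size      # entry 0: free-list head
    for num in range(1, size):                                # fixed 20-byte entries
        out += (b"%010d 00000 n \n" % offsets[num]) if num in offsets else b"0000000000 65535 f \n"
    out += b"trailer\n<< /Size %d /Root %d 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, root, xref_pos)
    return bytes(out)

def parse_xref(pdf: bytes) -> dict:
    """Follow startxref to the table and return {object number: offset} for in-use objects."""
    pos = int(pdf[pdf.rindex(b"startxref") + 9:].split()[0])
    if pdf[pos:pos + 4] != b"xref":
        raise ValueError("startxref does not point at an xref table")
    lines = pdf[pos:].split(b"\n")
    first, count = (int(x) for x in lines[1].split())
    table = {}
    for i, entry in enumerate(lines[2:2 + count]):
        offset, _gen, kind = entry.split()
        if kind == b"n":
            table[first + i] = int(offset)
    return table

# Constructed sample: the workshop's "JavaScript Hello World" document. The /Catalog is
# the root; /OpenAction points at object 5, which runs app.alert when the file opens.
CONTENT = b"BT /F1 24 Tf 72 720 Td (Hello World) Tj ET"
HELLO = {
    1: b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>",
    2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
       b"/Resources << /Font << /F1 << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> >> >> >>",
    4: b"<< /Length %d >>\nstream\n%s\nendstream" % (len(CONTENT), CONTENT),
    5: b'<< /S /JavaScript /JS (app.alert("Hello World")) >>',
}

def check_offsets(pdf: bytes) -> bool:
    """True when every in-use xref entry lands exactly on its 'n 0 obj' header."""
    return all(pdf[off:].startswith(b"%d 0 obj" % n) for n, off in parse_xref(pdf).items())

if __name__ == "__main__":
    data = build_pdf(HELLO, root=1)
    open("hello.pdf", "wb").write(data)                       # constructed output name
    print("xref ok:", check_offsets(data), parse_xref(data))
```

Opening hello.pdf in a text editor shows the same four parts the slides draw, and a wrong offset in the table is exactly the kind of gap between objects the "patterns" slide later points to.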
  23. peepdf: “peepdf sounds like the Swiss army knife of PDF security apps” http://peepdf.eternal-todo.com
  24. peepdf: • Characteristics – Python – Command line – Interactive console (colorized) – Included in REMnux and BackTrack / Kali Linux
  25. peepdf (figure)
  26. peepdf: • Characteristics – Command file option • Batch / Automation – XML output – Easily updated from the repository
  27. peepdf: • Why peepdf? – Support for: • Encryption • Object Streams (compressed objects) • Most used filters • FlateDecode / LZWDecode parameters – Javascript analysis – Shellcode emulation
  28. peepdf: • Why peepdf? – Shows suspicious elements – Shows potential vulnerabilities – Powerful interactive console – Easy extraction of objects / JS code / shellcode – PDF obfuscation – Actively maintained project!!
  29. peepdf: • Recent commits – s/Spidermonkey/PyV8/g
  30. peepdf: • Recent commits – vtcheck
  31. peepdf: • Commands – Console • help • log • open • reset • quit • exit
  32. peepdf: • Commands – Showing information • Whole document – info – tree – offsets – hash – bytes – metadata – changelog – save_version – errors
  33. peepdf: • Commands – Showing information • Objects – object – rawobject – stream – rawstream – references – hash
  34. peepdf: • Commands – Extracting information • Output redirection is possible – set » set output file path_to_my_file » set output variable myVar
  35. peepdf: • Commands – Extracting information • Shell redirection is easier ;) – Files » stream 6 > stream6_file » js_code 12 >> pdf_js_code_file – Variables » js_unescape variable myVar $> unescaped_sh » rawstream 5 $>> all_my_rawstreams_var
  36. peepdf: • Commands – Javascript functions • js_code • js_eval • js_analyse • js_unescape • js_join
  37. peepdf: • Commands – Shellcode emulation • sctest – pylibemu: libemu wrapper for Python
  38. peepdf: • Commands – Modification / Creation • modify • filters • decode • encode • encode_strings • embed • encrypt • malformed_output • create • save
  39. peepdf: • Commands – Misc • set • search • show • xor • xor_search
  40. Analyzing PDF exploits: • How to identify malicious files – Suspicious elements • /Action • /OpenAction • /AA • /AcroForm • /Names • /JavaScript • /EmbeddedFile • Known vulnerabilities
  41. Analyzing PDF exploits: • Most used vulnerabilities – LibTiff (TIFF images) – Collab.collectEmailInfo – Collab.getIcon – Doc.media.newPlayer – …
  42. Analyzing PDF exploits: • How to identify malicious files – Obfuscation • Strange encoding in objects • Encryption • Malformed objects • Embedded PDFs • Javascript
  43. Analyzing PDF exploits: • How to identify malicious files – Patterns • One page without content • Big objects • Gaps between objects (offsets) • Strange structure • Characteristic strings – Metadata – Tools
  44. Analyzing PDF exploits: • How to identify malicious files – Malformed documents • Headers • Object tags
  45. Analyzing real exploits: • Practicing all the theory • Not a sample exploit, a real one • Extracting the interesting parts • Extracting the shellcode • Analyzing the shellcode
  46. Analyzing real exploits: • Playing with real exploits
  47. Using peepdf as a library: • Some developments based on peepdf – SWF Mastah (Brandon Dixon)
  48. PDF obfuscation: • Remove characteristic strings • Split up Javascript code (/Names) • If the code is in: – String octal encoding (143172) – Stream filters (not usual, parameters) • Compress (object streams) • Encrypt (default password) • Malform (endobj, header) • Nest PDFs
  49. THANKS!! Jose Miguel Esparza, jesparza AT eternal-todo.com, http://eternal-todo.com, @EternalTodo
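As an added example not taken from the slides or from peepdf, the following Python triage script applies the "suspicious elements" slide and the "PDF obfuscation" slide together: it counts the listed names in the raw bytes, inside inflated FlateDecode streams and inside literal strings after resolving octal escapes, so a keyword hidden by an object stream or by octal-encoded strings is still found. The sample document, the name list and the helper names are constructed for the example.

```python
import re
import zlib

# Names the "suspicious elements" slide lists, plus /JS, the key that carries the code.
SUSPICIOUS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/AcroForm",
              b"/Names", b"/EmbeddedFile", b"/Action")
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def decode_literal_string(s: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\ddd octal codes, \\n \\r \\t, \\( \\) \\\\."""
    def repl(m):
        esc = m.group(1)
        if esc[0] in b"01234567":        # octal code, e.g. \050 -> "("
            return bytes([int(esc, 8) & 0xFF])
        return _ESC.get(esc, esc)        # \( \) \\ and unknown escapes keep the character
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, s, flags=re.S)

def inflate_streams(data: bytes) -> list:
    """Inflate each stream body that is zlib data; decompressobj() tolerates truncated trailers."""
    out = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:               # not Flate (or a damaged stream): skip, keep going
            pass
    return out

def scan_pdf(data: bytes, inflate: bool = True) -> dict:
    """Count suspicious names in raw bytes, inflated streams and decoded literal strings."""
    views = [data] + (inflate_streams(data) if inflate else [])
    views += [decode_literal_string(s) for v in views
              for s in re.findall(rb"\((.*?)(?<!\\)\)", v, re.S)]
    hits = {}
    for name in SUSPICIOUS:              # whole-name match: /JS must not match /JSbad
        n = sum(len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", v)) for v in views)
        if n:
            hits[name.decode()] = n
    return hits

# Constructed sample (not a real malicious file): object 4, a /Names tree holding the
# JavaScript action, lives in a FlateDecode object stream, and the /JS string hides its
# parentheses and one letter behind octal escapes, as the obfuscation slide describes.
_OBJSTM = zlib.compress(b"4 0 << /Names << /JavaScript << /Names [(js1) 3 0 R] >> >> >>")
SAMPLE = (
    b"%%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R /Names 4 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert\\050'Hello \\127orld'\\051) >> endobj\n"
    b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\n"
    b"stream\n%s\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%%%EOF\n" % (len(_OBJSTM), _OBJSTM)
)
```

Compare `scan_pdf(SAMPLE, inflate=False)` with `scan_pdf(SAMPLE)`: the /Names tree and its second /JavaScript only appear once the object stream is inflated, which is why object-stream and filter support is on the "Why peepdf?" slide.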
