
Reversing a PDF Exploit: JS Cleanup and Build

Hello all, the Mr.ROBOT team here with a new story. I recently needed a PDF exploit and decided to take one from a bundle, reverse it, clean it up and use it to my advantage. It’s a war of bullet against armor: a new private PDF exploit comes out in one of the bundles, other authors immediately fuck it up and put it in their own bundles or sell builds for $1000 or more on similar forums.

Now everything is publicly available, but if you need something new, knock on the door of bundle and build sellers, ask for a test, and then take the PDF they make for reversing.

Suppose we have a PDF file with an exploit from some bundle; now we need to find and pull the JavaScript exploit object out of that PDF.

Here are the tools (written in Python). Download: REVERSE Pdf.rar. Pass: nora.biz

The archive contains pdfid_v0_0_11.zip, pdf-parser_V0_3_7.zip, make-pdf_V0_1_1.zip and python.msi (for Windows). Install the Python interpreter on your OS, then pull the JS exploit out of the PDF.

This video shows in detail how to find the right object and extract the JS.

If you don’t want to watch, here is the short version:

You just need to find the object reference, in my case 8.

I also found an important thing; I quote from hacker.ru:

If you noticed, when we were talking about PDF document structure, we said that Stream object can have /Filter attribute, which defines which method is used to compress stream data. And several filters can be applied to the stream at once (for example, /Filter [/Fl /Ahx]). As for the JavaScript object of interest, it should contain either a function or indirect reference to code to execute. That’s why infected files very often contain JavaScript objects of the following type: /JS (this.Z0pEA5PLzPyyw()). At that, a simple search for the function by name won’t get anything, because it will most probably be located in a compressed stream. To get the unpacked contents of the stream, you can use the PDFtk utility:

pdftk 1.pdf output uncompressed.pdf uncompress

After that we get an uncompressed.pdf file with unpacked content, suitable for further analysis. Then we proceed with the scheme above.
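Scanning a suspicious PDF for JavaScript objects the way the quoted text describes (inflating Flate-compressed streams before the keyword search), as an added triage example that is not from this post and not from the pdfid/pdf-parser tools it links: the sample PDF bytes, the harmless app.alert payload and the object number 8 are constructed for the demonstration.

```python
import re
import zlib

# Constructed sample (assumption, not a file from the page): a minimal PDF-like
# byte string whose object 8 is a FlateDecode stream carrying a /JS action.
_INNER = b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>"
_COMPRESSED = zlib.compress(_INNER)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 8 0 R >>\nendobj\n"
    b"8 0 obj\n<< /Length " + str(len(_COMPRESSED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _COMPRESSED
    + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# "N G obj ... endobj" and "stream ... endstream"; a real parser would honour
# /Length instead of searching for the endstream keyword, which binary data
# could in principle contain.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# Both the full filter name and its abbreviation are valid in a PDF.
FLATE_RE = re.compile(rb"/Filter\s*(\[[^\]]*)?\s*/(FlateDecode|Fl)\b")
JS_KEYS = (b"/JavaScript", b"/JS")


def decode_object(body: bytes) -> bytes:
    """Return the object body with its stream inflated if it is Flate-compressed.

    Objects without a stream come back unchanged.  A stream that fails to
    inflate (corrupt, or stacked with a second filter such as /Ahx) is kept
    raw so the keyword scan still covers the dictionary part.
    """
    m = STREAM_RE.search(body)
    if not m:
        return body
    dictionary, raw = body[: m.start()], m.group(1)
    if FLATE_RE.search(dictionary):
        try:
            raw = zlib.decompress(raw)
        except zlib.error:
            pass
    return dictionary + b"\nstream\n" + raw + b"\nendstream"


def find_js_objects(pdf: bytes) -> list:
    """List (object number, decoded body) for every object that carries /JavaScript or /JS.

    The search runs over the decoded body, so a /JS key hidden inside a
    compressed stream is found as well as one in a plain dictionary.
    """
    hits = []
    for m in OBJ_RE.finditer(pdf):
        num = int(m.group(1))
        decoded = decode_object(m.group(3))
        if any(key in decoded for key in JS_KEYS):
            hits.append((num, decoded))
    return hits


if __name__ == "__main__":
    for num, body in find_js_objects(SAMPLE_PDF):
        print(f"object {num} carries JavaScript:")
        print(body.decode("latin-1"))
```

Run it as is to see object 8 reported with its inflated action dictionary; point `find_js_objects` at the bytes of a real file to get the same listing, which is the object reference the post tells you to look for. Objects that only reference JS indirectly (`/JS 9 0 R`) still show up, because the `/JS` key itself is in the dictionary; follow the referenced object number from there.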

Another important thing: PDF files are a kind of archive in which infected SWF files can be carried. To extract such a file for analysis, use:

Let’s say you have pulled out an exploit and tidied it up:

Now we have a complete exploit; all that is left is to deal with the shellcode and re-bind the exploit to our URL, then we crypt it and enjoy life.

Shellcode

Our exploit uses some well-known vulnerabilities (geticon, collab, nplayer). The PDF in the example is taken from an old binder, and I blanked out the shellcodes in it so as not to spoil other people’s URLs.

Our task is to attach it to our host; to do this we look for a string in our exploit.

On output we get encoding problems:

[DATENCODE]?????????????????????????? ???????

Determine the encoding and read the contents at https://foxtools.ru/Text

Now we have two options. In the first, we put a direct URL to the EXE, encode it all with unescape and move on to the next steps. In the second, we use a URL pointing at a PHP script that serves the EXE. The plus side of the second is that we can bolt on stats.

Here is a simple script for serving EXE files:

[DATENCODE] (the script body did not survive in this copy of the page)

Cleaning the JavaScript exploit

I suggest a non-standard cleanup option, so I won’t explain what each step is for; just read on.

First we need a JavaScript compressor; you can use https://www.exlab.net/tools/js-compressor.html. Once all the code is compressed onto one line, we need to replace the double quotes with single quotes. Any editor will do, such as Dreamweaver: there is a Replace All button in the search box. I don’t think that is a problem, and you can do it in any language.

Next, we process our exploit with a PHP script that obfuscates the code. There can be many variants; I came up with the following:

What do we have here? We simply add ZZZ before and after each character.

Now our exploit looks like mush, and we need to write a loader and try to confuse the AVs.

Now all that remains is to assemble the PDF file; we do that in PHP.

That’s all for today! If you have any questions, please ask.
