Reverse PDF Exploit cleanup JS and build
Hello all, here is the Mr.ROBOT team with its new story. I recently needed a PDF exploit and decided to take one off the pile, reverse it, clean it up and use it to my advantage. It’s a bullets-and-armor war: a new private PDF exploit comes out of one of the bundles, other authors immediately rip it off and put it in their own bundles or sell builds for $1000 or more on similar forums.
Now everything is public, but if you need something new, knock on the doors of the bundle and build sellers, ask for a test, and then use that PDF for reversing.
Here are the tools, in Python: Download: REVERSE Pdf.rar. Pass: nora.biz
The archive contains pdfid_v0_0_11.zip, pdf-parser_V0_3_7.zip, make-pdf_V0_1_1.zip and python.msi (for Windows). Install the Python interpreter on your OS, then pull the JS out of the exploit PDF.
This video shows in detail how to find the right object and remove JS.
If you don’t want to watch it, here:
You just need to find the object reference, in my case 8.
I also found an important thing; I quote from hacker ru:
pdftk 1.pdf output uncompressed.pdf uncompress
After that we get an uncompressed.pdf file with unpacked content, suitable for further analysis. Then we proceed with the scheme above.
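An added defensive counterpart to the pdfid/pdf-parser step above (not part of the original post, and not the tools from the archive): a small Python triage script that runs over an uncompressed PDF, decodes the #xx name escapes that can hide /JS, and reports which object numbers carry the keywords worth inspecting. The sample PDF bytes below are constructed for the demo and contain no exploit.

```python
import re

# Constructed sample: a minimal PDF skeleton with an OpenAction pointing at a
# JavaScript object, plus an obfuscated name (/J#53 encodes /JS). Not a real exploit.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 8 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
8 0 obj << /S /JavaScript /J#53 (app.alert(1)) >> endobj
9 0 obj << /Type /RichMedia /Subtype /Flash >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Keywords pdfid also counts: script triggers, auto-actions, launch, embedded SWF/files.
SUSPICIOUS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
              "/RichMedia", "/EmbeddedFile", "/ObjStm")


def normalize_names(data: bytes) -> bytes:
    # PDF name syntax allows /#4A#53 for /JS; decode the hex escapes so an
    # obfuscated name is matched by the same plain keyword search.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage(data: bytes) -> dict:
    """Return {keyword: [object numbers containing it]} for an uncompressed PDF.

    Streams are not inflated here, which is why the text runs pdftk's
    'uncompress' first: compressed object bodies would hide the keywords.
    """
    clean = normalize_names(data)
    hits: dict = {}
    for m in re.finditer(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", clean, re.S):
        objnum, body = int(m.group(1)), m.group(3)
        for kw in SUSPICIOUS:
            # Negative lookahead so /JS does not also fire on a longer name.
            if re.search(re.escape(kw.encode()) + rb"(?![A-Za-z])", body):
                hits.setdefault(kw, []).append(objnum)
    return hits


if __name__ == "__main__":
    for kw, objs in sorted(triage(SAMPLE_PDF).items()):
        print(f"{kw:14s} in objects {objs}")
```

For a real sample, replace SAMPLE_PDF with the bytes of uncompressed.pdf and then open the reported objects with pdf-parser.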
Another important thing: PDF files are a kind of archive in which infected SWF files can be carried. To extract such a file for analysis, use:
Let’s say you took out a sploit and tidied it up:
Now we have a complete exploit; all that’s left is to figure out the shellcode and re-point the sploit at our URL, then we’ll encrypt it and enjoy life.
Our exploit uses some known vulnerabilities like geticon, collab and nplayer. The PDF in the example is taken from an old binder, and I wiped the shellcodes in it so as not to spoil other people’s URLs.
Our task is to attach it to our host; to do this we look for a string in our exploit.
On output we get encoding problems.
Determine the encoding and read the contents at https://foxtools.ru/Text
Now we have 2 options. In the first we can put a direct URL to the EXE, encode it all with unescape and move on to the next steps. In the second we will use a URL to a PHP script that will serve the EXE. The plus side is that we can bolt on stats.
Here is a simple script for distributing EXE files
I suggest a non-standard cleanup option, so I won’t explain what each step is for, just read on.
Next, we process our sploit with a PHP script that does code obfuscation. There may be many variants; I came up with the following:
What do we have here? Simply adding ZZZ around each character, front and back)
Now our sploit looks like mush, and we need to write a loader and try to confuse the AVs.
Now all we have to do is assemble the PDF file; we’ll do that in PHP.
That’s all for today! If you have any questions, please ask.