Tuesday, January 6, 2015

FLARE - Challenge 4


This is the 4th challenge from FireEye's "FLARE On" challenge (http://flare-on.com/)


In this challenge, the zip file contains a PDF.

After looking around it with Didier Steven's pdf-parser.py (http://blog.didierstevens.com/programs/pdf-tools/), I noticed the 6th object contained JavaScript code that would be used and executed when the PDF was opened. 

I used pdf-parser.py to extract the JavaScript like this:

This led to the following obfuscated JavaScript file:

Doing some basic "find & replace all" in Notepad++ leads to a slightly nicer-looking file:

Hmm, but what does it do?

I took it over to repl.it to run the javascript and take a look at what the unescaped string looks like when printed out:

Hmm... I plugged the following (Japanese?) text into Google Translate, but the translation was only partially successful and missed more words than it got.

After looking through the rest of the PDF file and finding nothing, I realized this must be the exploit code and there might be shellcode somewhere here too.

I took the initial string that gets fed into the unescape() call and put it into the sandsprite.com's Shellcode 2 EXE tool:

This led to an executable!

Running this in Ollydbg led to what was clearly a malicious payload filled with a few XOR loops.

After using breakpoints to skip through the XOR functionality, you can see strings being pushed onto the stack (similar to previous levels).

The strings copied?

"OWNED!!!" and "wa1ch.d3m.spl0its@flare-on.com"

No comments:

Post a Comment