Let's look at the CVE-2010-2883 Adobe 0-day, the "David Leadbetter's One Point Lesson" PDF file from Mila.
One of the files it dropped was hcp.dll, signed with a digital certificate.
File Header
The file was compiled with Visual Studio 6.0 on 30/08/2010 at 23:49:52,
and it was captured by Mila on 07/09/2010. So, assuming the PE timestamp was not tampered with, the 0-day stayed undetected and unknown for only about one week.
Language in the version resource:
Child Type: VarFileInfo
Translation: 1042/1200
Language ID 1042 is Korean and code page 1200 is Unicode (UTF-16), so the resource language is Korean Unicode.
The file is written in C++ with MFC.
The exported functions are listed in the image; the one called from the shellcode is StartUp.
Decompiled hcp.dll
http://pastebin.com/vEzKptHN
My opinion:
1. The loader hcp.dll and the exploit were written by different people, judging by the difference in programming quality. The loader was written by a programmer with much lower skills: it is written in C++ with MFC and does not use any firewall bypass technique.
2. hcp.dll appears to have been digitally signed only to bypass AV.
3. If the loader was built on a system with Korean as the default language (Korean Windows), then it came from Korea, not from China.
Friday, September 17, 2010
Monday, September 13, 2010
CVE-2010-2883 poc
I received this exploit from Mila.
My tests
Windows Version | Adobe Reader Version | Exploitable
XP    | 8.1.1 | yes
Vista | 8.1.1 | yes
Win7  | 8.1.1 | yes
XP    | 9.3.4 | yes
Vista | 9.3.4 | yes
Win7  | 9.3.4 | yes
Decoded JS (shown in the image)
Shellcode
The shellcode is very interesting: it also works on Windows 7, drops a DLL and calls a function in that DLL by address.
It resolves the API functions it needs by name.
SearchMask is a DWORD marker that locates the start of the embedded DLL's data inside the PDF.
At the end, after writing hcp.dll to the %temp% directory,
the shellcode calls LoadLibraryA on hcp.dll and then calls the function StartUp by its address, 17a0h (an offset from the module base rather than an export lookup).
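As an added example (not code from the original post or the malware), here are the two post-exploitation steps just described, re-implemented in portable C the way an analyst would to carve the embedded DLL out of a sample: scan a buffer byte by byte for the SearchMask DWORD, take the bytes after it as the dropped PE, and derive the StartUp call address as module base plus the fixed offset 17a0h. The marker value 0x4C4C4449 and the sample buffer are constructed for illustration; the post does not give the real SearchMask value, and nothing is loaded or executed here.

```c
/* Added example, not from the original post. Re-implements the two steps the
 * shellcode performs after exploitation: locate the embedded DLL by scanning
 * for a DWORD marker (SearchMask), then derive the StartUp call address as
 * module base + fixed offset. Portable C: no LoadLibraryA is called here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical marker; the real SearchMask value is not given in the post. */
#define SEARCH_MASK 0x4C4C4449u
/* Offset of StartUp from the module base, as quoted in the post (17a0h). */
#define STARTUP_RVA 0x17A0u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the buffer byte by byte, the way the shellcode walks the mapped PDF,
 * until the little-endian marker DWORD is found. The embedded file starts
 * right after it. A hit not followed by the "MZ" signature is treated as a
 * chance collision and skipped. Returns the DLL offset, or -1 if not found. */
long find_embedded_dll(const uint8_t *buf, size_t len, uint32_t mask)
{
    for (size_t i = 0; i + 4 <= len; i++) {
        if (read_le32(buf + i) != mask)
            continue;
        size_t start = i + 4;
        if (start + 2 <= len && buf[start] == 'M' && buf[start + 1] == 'Z')
            return (long)start;
    }
    return -1;
}

/* The shellcode does not resolve StartUp through the export table; it adds a
 * fixed offset to the base returned by LoadLibraryA. Same arithmetic here. */
uintptr_t startup_address(uintptr_t module_base, uint32_t rva)
{
    return module_base + rva;
}

static size_t append(uint8_t *out, size_t cap, size_t n, const void *src, size_t len)
{
    if (n + len > cap) return cap + 1;   /* signal overflow to the caller */
    memcpy(out + n, src, len);
    return n + len;
}

/* Constructed stand-in for the malicious PDF: a bit of PDF syntax, a decoy
 * marker with no PE behind it, the real marker, then a minimal MZ stub.
 * Returns the number of bytes written, or 0 if cap is too small. */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const char pdf_head[] = "%PDF-1.4\n1 0 obj<</Length 64>>stream\n";
    static const char decoy_tail[] = "....";
    static const uint8_t mz_stub[] = { 'M', 'Z', 0x90, 0x00, 0x03, 0x00 };
    const uint8_t marker[4] = {
        SEARCH_MASK & 0xFF, (SEARCH_MASK >> 8) & 0xFF,
        (SEARCH_MASK >> 16) & 0xFF, (SEARCH_MASK >> 24) & 0xFF };
    size_t n = 0;
    n = append(out, cap, n, pdf_head, sizeof pdf_head - 1);     /* 37 bytes */
    n = append(out, cap, n, marker, 4);                          /* decoy    */
    n = append(out, cap, n, decoy_tail, sizeof decoy_tail - 1);  /* no "MZ"  */
    n = append(out, cap, n, marker, 4);                          /* real     */
    n = append(out, cap, n, mz_stub, sizeof mz_stub);
    return n > cap ? 0 : n;
}

/* Runs the scan over the constructed sample; the DLL begins at offset 49,
 * because the decoy marker at offset 37 is rejected by the MZ check. */
long sample_dll_offset(void)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, sizeof buf);
    return n ? find_embedded_dll(buf, n, SEARCH_MASK) : -1;
}

int main(void)
{
    long off = sample_dll_offset();
    if (off < 0) {
        puts("marker not found");
        return 1;
    }
    printf("embedded DLL at offset %ld; StartUp would be at 0x%lx for base 0x10000000\n",
           off, (unsigned long)startup_address(0x10000000u, STARTUP_RVA));
    return 0;
}
```

On a real sample you would replace build_sample with the bytes of the PDF and the guessed marker with the SearchMask constant recovered from the shellcode; the MZ check is what keeps an unrelated occurrence of the same four bytes from being carved as the payload.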
to be continued ....