Friday, September 17, 2010

Adobe 0-day CVE-2010-2883 Made in Korea!

Lets look at CVE-2010-2883 Adobe 0-Day David Leadbetter's One Point Lesson pdf file from Mila.
One of the files that was dropped was hcp.dll signed with certificate.

File Header


File compiled with visual studio 6.0 at 30/08/2010 23:49:52.
and it was captured by Mila on 07/09/2010. Looks like it was undetected and unknown 0-day only for one week.



In resource system lang
Child Type: VarFileInfo
Translation: 1042/1200

VarFileInfo

Language is Korean Unicode.


File Write on C++ with MFC.

Exported functions are:


and from shellcode called function StartUp.

Decompiled hcp.dll
http://pastebin.com/vEzKptHN


An my opinion :
1. The file loader hcp.dll and the exploit were written by different people because of the difference in the quality of programming. Loader hcp.dll was written by a programmer with much lower skills, 'cos its writen on C++ with MFC and does not use any Firewall bypass Technique.

2. Looks like hcp.dll had digital signature only to bypass AV.

3. If the loader file made on a system with default Korean language (Korean Windows), then it was not from China but from Korea.

4 comments:

  1. I too agree with abhilyall that you did a very keen analysis.As you differentiated in the coding ways and level of the programmer under your view.Nice blog.

    ReplyDelete
  2. Thanks for sharing this useful info. Keep updating same way for Adobe day CQ5.

    Regards,Siddu Corporate Training

    ReplyDelete