Friday, September 17, 2010

Adobe 0-day CVE-2010-2883 Made in Korea!

Let's look at the CVE-2010-2883 Adobe 0-day, the "David Leadbetter's One Point Lesson" PDF file from Mila.
One of the dropped files was hcp.dll, signed with a certificate.

File Header

The file was compiled with Visual Studio 6.0 on 30/08/2010 at 23:49:52,
and it was captured by Mila on 07/09/2010. It looks like it was an undetected and unknown 0-day for only one week.

In the resource section, the system language:
Child Type: VarFileInfo
Translation: 1042/1200

The language is Korean (Unicode).
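The two header fields used above (the COFF TimeDateStamp that gives the build time, and the VarFileInfo Translation value that gives the language id and code page) are easy to decode by hand. The following is an added example, not code from the original post: it decodes constructed byte strings chosen to reproduce the 1042/1200 translation and the stated compile time (read as UTC, since the PE format carries no timezone and the post does not state one). The language and code page tables are a small subset of the Windows identifiers, not a complete mapping.

```python
"""Decode two PE metadata fields discussed in the analysis:
the COFF header TimeDateStamp (build time) and the VarFileInfo
'Translation' entry (LANGID / code page) from a VS_VERSION_INFO block.
All input bytes below are constructed for illustration, not taken from hcp.dll."""
import struct
from datetime import datetime, timezone

# Subset of Windows primary-language codes (low 10 bits of a LANGID).
PRIMARY_LANGUAGES = {
    0x04: "Chinese",
    0x09: "English",
    0x11: "Japanese",
    0x12: "Korean",
    0x19: "Russian",
}

# Subset of Windows code page identifiers found in the Translation high word.
CODE_PAGES = {
    0: "7-bit ASCII",
    932: "Japanese Shift-JIS",
    936: "Simplified Chinese GBK",
    949: "Korean (Unified Hangul)",
    1200: "Unicode (UTF-16LE)",
    1252: "Windows Latin-1",
}


def decode_translation(raw: bytes) -> dict:
    """Decode a 4-byte VarFileInfo 'Translation' entry.
    It is stored as two little-endian WORDs: LANGID, then code page."""
    if len(raw) != 4:
        raise ValueError("Translation entry must be exactly 4 bytes")
    langid, codepage = struct.unpack("<HH", raw)
    primary = langid & 0x3FF   # low 10 bits select the primary language
    sublang = langid >> 10     # high 6 bits select the sublanguage (1 = default)
    return {
        "langid": langid,
        "primary_language": PRIMARY_LANGUAGES.get(primary, f"unknown(0x{primary:02x})"),
        "sublang": sublang,
        "codepage": codepage,
        "codepage_name": CODE_PAGES.get(codepage, f"unknown({codepage})"),
    }


def decode_timedatestamp(raw: bytes) -> datetime:
    """Decode the 4-byte little-endian TimeDateStamp of the COFF file header.
    It is a Unix epoch time in seconds; the PE format has no timezone field,
    so the value is reported as UTC."""
    (ts,) = struct.unpack("<I", raw)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


# Constructed sample: LANGID 1042 (0x0412) and code page 1200 (0x04B0),
# i.e. the '1042/1200' Translation value quoted in the post.
SAMPLE_TRANSLATION = bytes.fromhex("1204B004")
# Constructed sample: 0x4C7C43A0 decodes to 2010-08-30 23:49:52 UTC, the
# compile time stated in the post if that time is read as UTC.
SAMPLE_TIMESTAMP = bytes.fromhex("A0437C4C")

if __name__ == "__main__":
    info = decode_translation(SAMPLE_TRANSLATION)
    print(f"Translation {info['langid']}/{info['codepage']}: "
          f"{info['primary_language']} (sublang {info['sublang']}), {info['codepage_name']}")
    print("TimeDateStamp:", decode_timedatestamp(SAMPLE_TIMESTAMP).isoformat())
```

Both fields are attacker-controlled metadata: a build can set any resource language and the timestamp can be edited after linking, so they are hints about the build environment, not proof of origin.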

The file is written in C++ with MFC.

Exported functions are:

and the shellcode calls the exported function StartUp.

Decompiled hcp.dll

My opinion:
1. The loader hcp.dll and the exploit were written by different people, judging by the difference in programming quality. The loader hcp.dll was written by a programmer with much lower skills, because it is written in C++ with MFC and does not use any firewall bypass technique.

2. It looks like hcp.dll had a digital signature only to bypass AV.

3. If the loader file was made on a system with Korean as the default language (Korean Windows), then it was not from China but from Korea.


  1. I too agree with abhilyall that you did a very keen analysis. As you differentiated in the coding ways and level of the programmer under your view. Nice blog.

  2. Thanks for sharing this useful info. Keep updating same way for Adobe day CQ5.

    Regards, Siddu Corporate Training

  3. Nice effort, very informative, this will help me to complete my task. Thanks for sharing it. Have a look at the process blogs to see more.
    Oracle Fusion EBS Training

  4. It looks like you spend a lot of effort and time on your blog. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work.
    Adobe Helpline Number UK

  5. Nice effort, very informative