My tests
| Windows version | Adobe Reader version | Exploitable? |
|---|---|---|
| XP | 8.1.1 | yes |
| Vista | 8.1.1 | yes |
| Win7 | 8.1.1 | yes |
| XP | 9.3.4 | yes |
| Vista | 9.3.4 | yes |
| Win7 | 9.3.4 | yes |
Decoded JS (screenshot in the original post)
Shellcode
The shellcode is quite interesting: it also works on Windows 7, it drops a DLL, and it calls a function inside that DLL by address rather than by name.
It resolves the Windows API functions it needs by name (see the screenshot).
Finally, after writing hcp.dll to the %temp% directory, the shellcode calls LoadLibraryA on hcp.dll and then calls the StartUp function directly by its address, 17a0h, instead of resolving that export by name.
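The two mechanisms above, resolving an export by name versus calling a hard-coded offset, can be reproduced with a small PE export-table parser. The following Python script is an added example, not the shellcode and not code from the original post: it builds a constructed stand-in for hcp.dll in memory (a minimal PE32 DLL exporting Init and StartUp, with StartUp placed at RVA 0x17a0, on the assumption that 17a0h is an offset from the module base), walks its export directory the way the shellcode's "get function by name" step and GetProcAddress do, and checks whether the name StartUp really maps to the hard-coded offset. The function and export names other than StartUp and hcp.dll are invented for the example.

```python
"""Added example: resolve a PE export by name and verify a hard-coded call offset.

The DLL built here is a constructed stand-in for hcp.dll, not the real sample.
"""
import struct

EXPORT_DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY, 40 bytes


def rva_to_offset(image: bytes, rva: int) -> int:
    """Map an RVA to a file offset by walking the section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    for i in range(nsections):
        hdr = sec_table + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def read_cstring(image: bytes, offset: int) -> str:
    return image[offset:image.index(b"\0", offset)].decode("ascii")


def parse_exports(image: bytes) -> dict:
    """Return {export name: RVA} (or forwarder string) from the export directory."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    # Data directories start at +0x60 for PE32 and +0x70 for PE32+; entry 0 is the export table.
    data_dir = opt + (0x60 if magic == 0x10B else 0x70)
    exp_rva, exp_size = struct.unpack_from("<II", image, data_dir)
    if exp_rva == 0:
        return {}
    (_, _, _, _, _name, _base, nfuncs, nnames, funcs_rva, names_rva,
     ords_rva) = struct.unpack_from(EXPORT_DIR_FMT, image, rva_to_offset(image, exp_rva))
    funcs = struct.unpack_from(f"<{nfuncs}I", image, rva_to_offset(image, funcs_rva))
    names = struct.unpack_from(f"<{nnames}I", image, rva_to_offset(image, names_rva))
    ords = struct.unpack_from(f"<{nnames}H", image, rva_to_offset(image, ords_rva))
    exports = {}
    for name_rva, ordinal in zip(names, ords):
        target = funcs[ordinal]
        # A target inside the export directory itself is a forwarder string, not code.
        if exp_rva <= target < exp_rva + exp_size:
            target = read_cstring(image, rva_to_offset(image, target))
        exports[read_cstring(image, rva_to_offset(image, name_rva))] = target
    return exports


def verify_hardcoded_call(image: bytes, name: str, expected_rva: int):
    """Does export `name` really live at the RVA the shellcode hard-codes? -> (ok, actual_rva)"""
    actual = parse_exports(image).get(name)
    return (actual == expected_rva, actual)


def build_sample_dll() -> bytes:
    """Constructed stand-in for hcp.dll: PE32 DLL, one section, exports Init and StartUp."""
    sec_va = sec_raw = sec_size = 0x1000
    img = bytearray(sec_raw + sec_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, SizeOfOptionalHeader 0xE0, EXECUTABLE|32BIT|DLL
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x10000000)             # ImageBase
    struct.pack_into("<I", img, opt + 92, 16)                     # NumberOfRvaAndSizes
    sec = opt + 0xE0                                              # first section header
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, sec_size, sec_va, sec_size, sec_raw)
    struct.pack_into("<I", img, sec + 36, 0x60000020)             # CODE|EXECUTE|READ
    # Export data; RVA == file offset here because VirtualAddress == PointerToRawData.
    exp, funcs, names, ords = 0x1100, 0x1130, 0x1140, 0x1150
    dllname, s_init, s_startup = 0x1160, 0x1170, 0x1180
    struct.pack_into(EXPORT_DIR_FMT, img, exp, 0, 0, 0, 0, dllname, 1, 2, 2, funcs, names, ords)
    struct.pack_into("<II", img, funcs, 0x1700, 0x17A0)           # Init, StartUp
    struct.pack_into("<II", img, names, s_init, s_startup)        # sorted name pointers
    struct.pack_into("<HH", img, ords, 0, 1)                      # unbiased ordinals
    img[dllname:dllname + 8] = b"hcp.dll\0"
    img[s_init:s_init + 5] = b"Init\0"
    img[s_startup:s_startup + 8] = b"StartUp\0"
    struct.pack_into("<II", img, opt + 0x60, exp, 0x90)           # export data directory
    img[0x1700] = img[0x17A0] = 0xC3                              # 'ret' stubs for both exports
    return bytes(img)


if __name__ == "__main__":
    dll = build_sample_dll()
    print({k: hex(v) for k, v in parse_exports(dll).items()})
    ok, rva = verify_hardcoded_call(dll, "StartUp", 0x17A0)
    print(f"StartUp is at {rva:#x}; hard-coded 17a0h {'matches' if ok else 'does NOT match'}")
```

A hard-coded RVA only works for the exact build of the DLL it was taken from. Running verify_hardcoded_call against the hcp.dll a sample actually drops is a quick way to confirm the pairing, and a mismatch on a later sample is a strong hint that the payload DLL was rebuilt while the shellcode was not.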
to be continued ....
An informative report. As you mentioned that this blog is to be continued, that means you wrote a follow-up on this. Please also share the link here, as that will help to link these together. Moreover, it's a good way to break up lengthy reports. Thanks
Wonderfully written post! This is indeed a brilliant way of breaking up a lengthy report. I have Windows 7 on my notebook and I would love to try the shellcode as well. I hope that it would work great for me...