My tests
| Windows Version | Adobe Reader Version | exploitable |
| xp | 8.1.1 | yes |
| vista | 8.1.1 | yes |
| win7 | 8.1.1 | yes |
| xp | 9.3.4 | yes |
| vista | 9.3.4 | yes |
| win7 | 9.3.4 | yes |
Decoded JS (click on the picture to enlarge)
Shellcode
The shellcode is very interesting, it compatible for windows 7, drops dll and call function by address from dll.
It get functions by name
SearchMask is dword, where begin data of embeded dll in pdfand at the end after put in %temp% dir hcp.dll ,
shellcode call loadlibraryA hcp.dll , then call function StartUp by it address 17a0h
to be continued ....
No comments:
Post a Comment