SlideShare uma empresa Scribd logo

PDF Attack: A Journey from the Exploit Kit to the Shellcode

J
Jose Miguel Esparza

PDF Attack: A journey from the Exploit Kit to the shellcode is a workshop to show how to analyze obfuscated Javascript code from an Exploit Kit page, extract the exploits used, and analyze them. Nowadays it is possible to use automated tools to extract URLs and binaries but it is also important to know how to do it manually to not to miss a detail. We will focus on PDF documents mostly, starting from a simple Javascript Hello World document and ending with a real file used by a fresh Exploit Kit. This workshop will also include exercises to modify malicious PDF files and obfuscate them to try to bypass AV software; very useful in pentesting. The latest version of peepdf (included in REMnux, BackTrack and Kali Linux) will be used to accomplish these tasks, so this presentation covers the latest tricks used by cybercriminals like using new filters and encryption to make analysis more difficult.

Tecnologia
1 de 49
PDF ATTACK A Journey from the Exploit Kit to the Shellcode Jose Miguel Esparza @EternalTodo
• Jose Miguel Esparza • Senior Cybercrime Analyst at Fox-IT – Malware, Botnets, C&Cs, Exploit Kits, … • Security Researcher at Home ;p – PDF, NFC, … • http://eternal-todo.com • @EternalTodo on Twitter Who am I
Jose Miguel Esparza @EternalTodo • A Journey from the Exploit Kit to the Shellcode – Exploit Kits: the source of evil – PDF basics – Some basic peepdf commands – Analyzing PDF exploits • Extracting and analyzing shellcodes – Obfuscation of PDF files Agenda
Jose Miguel Esparza @EternalTodo • Linux distribution – Libemu / Pylibemu – V8 / PyV8 • Last peepdf version – Checkout from the repository or update! Requirements
Jose Miguel Esparza @peepdf • Best way to infect a computer • Effective and fresh exploits – IE – Java – PDF – Flash – … • Average of 6-7 exploits Exploit Kits: the source of evil
Jose Miguel Esparza @EternalTodo Exploit Kits: the source of evil
Jose Miguel Esparza @EternalTodo Exploit Kits: the source of evil Java 7u11 Java Byte Verify Java CMM Java < 7u17
• Most used nowadays – BlackHole – Neutrino – RedKit – CoolPack – Styx – Nuclear – … Exploit Kits: the source of evil KahuSecurity
Jose Miguel Esparza @peepdf • Infection steps – Visit injected website / Click SPAM link – Redirection (maybe more than one) – Obfuscated Javascript – Plugin detection – Trying exploits – Done! Exploit Kits: the source of evil
Jose Miguel Esparza @peepdf • Traffic Distribution Systems (TDS) – Country specific attacks – TDS + Exploit Kits = WIN! Exploit Kits: the source of evil
Jose Miguel Esparza @EternalTodo • Analyzing exploit kits – Avoiding researchers • Filtering by User-Agent and/or Referer • Blocking IPs • One-time infections • Country filters Exploit Kits: the source of evil
Jose Miguel Esparza @EternalTodo • Analyzing obfuscated Javascript code – The “easy” way • Automatic tools – Online services » Wepawet » JSUNPACK – Low-interaction honeyclient » Thug • You can miss some info Exploit Kits: the source of evil
Jose Miguel Esparza @EternalTodo • Analyzing obfuscated Javascript code – The traditional way • Executing different stages of JS code – Beautify the code – Looking for the eval function » s/eval/print/ – Hooking the eval function with Javascript engines • Looking for exploits / shellcodes • You cannot miss any detail Exploit Kits: the source of evil
Jose Miguel Esparza @peepdf • Analyzing obfuscated Javascript code – The traditional way • Let’s play ;) Exploit Kits: the source of evil
Jose Miguel Esparza @peepdf • PDF format? • PDF structure? • Objects? • Filters? PDF basics
Jose Miguel Esparza @EternalTodo Header Body Cross reference table Trailer
Jose Miguel Esparza @peepdf • Body – Sequence of objects – Object types • Boolean: true false • Numbers: 123 -98 4. -.002 123.6 • Strings: (hola) <686f6c61> – 68 (h) 6f (o) 6c (l) 61 (a) • Names: /Type /Filter • Dictionaries: << /Type /Catalog /Root 1 0 R >> • Arrays: [ 1.0 (test) <</Length 273>> ] • Streams PDF basics
Jose Miguel Esparza @EternalTodo PDF basics
Jose Miguel Esparza @peepdf • Object types – Indirect objects • Reference: “object_id generation_number R” PDF basics
Jose Miguel Esparza @EternalTodo • Object types – Indirect objects • Reference: “object_id generation_number R” PDF basics
Jose Miguel Esparza @peepdf • Tree structure  References • Root node – /Catalog • If an element isn’t in the downward path from the /Catalog DOES NOT EXIST PDF basics
Jose Miguel Esparza @EternalTodo • You can use just a text editor!! PDF basics
Jose Miguel Esparza @EternalTodo “peepdf sounds like the Swiss army knife of PDF security apps” peepdf http://peepdf.eternal-todo.com
Jose Miguel Esparza @EternalTodo • Characteristics – Python – Command line – Interactive console (colorized) – Included in REMnux and BackTrack / Kali Linux peepdf http://peepdf.eternal-todo.com
Jose Miguel Esparza @EternalTodo peepdf http://peepdf.eternal-todo.com
Jose Miguel Esparza @EternalTodo • Characteristics – Command file option • Batch / Automation – XML output – Easily updated from repository peepdf http://peepdf.eternal-todo.com
Jose Miguel Esparza @peepdf • Why peepdf? – Support for: • Encryption • Object Streams (compressed objects) • Most used filters • FlateDecode / LZWDecode Parameters – Javascript Analysis – Shellcode emulation peepdf
Jose Miguel Esparza @peepdf • Why peepdf? – Shows Suspicious Elements – Shows potential Vulnerabilities – Powerful Interactive Console – Easy extraction of objects / JS code / shellcode – PDF Obfuscation – Alive project!! peepdf
Jose Miguel Esparza @peepdf • Recent commits – s/Spidermonkey/PyV8/g peepdf
Jose Miguel Esparza @peepdf • Recent commits – vtcheck peepdf
Jose Miguel Esparza @peepdf • Commands – Console • help • log • open • reset • quit • exit peepdf
Jose Miguel Esparza @peepdf • Commands – Showing information • Whole document – info – tree – offsets – hash – bytes – metadata – changelog – save_version – errors peepdf
Jose Miguel Esparza @peepdf • Commands – Showing information • Objects – object – rawobject – stream – rawstream – references – hash peepdf
Jose Miguel Esparza @peepdf • Commands – Extracting information • Output redirection is possible – set » set output file path_to_my_file » set output variable myVar peepdf
Jose Miguel Esparza @peepdf • Commands – Extracting information • Shell redirection is easier ;) – Files » stream 6 > stream6_file » js_code 12 >> pdf_js_code_file – Variables » js_unescape variable myVar $> unescaped_sh » rawstream 5 $>> all_my_rawstreams_var peepdf
Jose Miguel Esparza @peepdf • Commands – Javascript functions • js_code • js_eval • js_analyse • js_unescape • js_join peepdf
Jose Miguel Esparza @peepdf • Commands – Shellcode emulation • sctest – pylibemu: libemu wrapper for Python peepdf
Jose Miguel Esparza @peepdf • Commands – Modification / Creation • modify • filters • decode • encode • encode_strings • embed • encrypt • malformed_output • create • save peepdf
Jose Miguel Esparza @peepdf • Commands – Misc • set • search • show • xor • xor_search peepdf
Jose Miguel Esparza @EternalTodo • How to identify malicious files – Suspicious elements • /Action • /OpenAction • /AA • /AcroForm • /Names • /JavaScript • /EmbeddedFile • Known vulnerabilities Analyzing PDF exploits
Jose Miguel Esparza @peepdf • Most used vulnerabilities – LibTiff (TIFF images) – Collab.collectEmailInfo – Collab.getIcon – Doc.media.newPlayer – … Analyzing PDF exploits
Jose Miguel Esparza @peepdf • How to identify malicious files – Obfuscation • Strange codification in objects • Encryption • Malformed objects • Embeded PDFs • Javascript Analyzing PDF exploits
Jose Miguel Esparza @EternalTodo • How to identify malicious files – Patterns • One page without content • Big objects • Gaps between objects (offsets) • Strange structure • Characteristic strings – Metadata – Tools Analyzing PDF exploits
Jose Miguel Esparza @EternalTodo • How to identify malicious files – Malformed documents • Headers • Objects Tags Analyzing PDF exploits
Jose Miguel Esparza @EternalTodo • Practicing all the theory • Not a sample exploit, a real one • Extracting the interesting parts • Extracting the shellcode • Analyzing the shellcode Analyzing real exploits
Jose Miguel Esparza @peepdf • Playing with real exploits Analyzing real exploits
Jose Miguel Esparza @peepdf • Some developments based on peepdf – SWF Mastah (Brandon Dixon) Using peepdf as a library
Jose Miguel Esparza @peepdf • Remove characteristic strings • Split up Javascript code (/Names) • If the code is in: – String octal encoding (143172) – Stream filters (not usual, parameters) • Compress (object streams) • Encrypt (default password) • Malform (endobj, header) • Nest PDFs PDF obfuscation
THANKS!! Jose Miguel Esparza jesparza AT eternal-todo.com http://eternal-todo.com @EternalTodo

Recomendados

2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
Travelling to the far side of Andromeda
Travelling to the far side of AndromedaTravelling to the far side of Andromeda
Travelling to the far side of AndromedaJose Miguel Esparza
 
Banking Fraud Evolution - New techniques in real fraud cases
Banking Fraud Evolution - New techniques in real fraud casesBanking Fraud Evolution - New techniques in real fraud cases
Banking Fraud Evolution - New techniques in real fraud casesJose Miguel Esparza
 
Social Engineering in Banking Trojans: attacking the weakest link
Social Engineering in Banking Trojans: attacking the weakest linkSocial Engineering in Banking Trojans: attacking the weakest link
Social Engineering in Banking Trojans: attacking the weakest linkJose Miguel Esparza
 
Sopelka VS Eurograbber - Really 36 million EUR?
Sopelka VS Eurograbber - Really 36 million EUR?Sopelka VS Eurograbber - Really 36 million EUR?
Sopelka VS Eurograbber - Really 36 million EUR?Jose Miguel Esparza
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 

Recomendados

2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
Travelling to the far side of Andromeda
Travelling to the far side of AndromedaTravelling to the far side of Andromeda
Travelling to the far side of AndromedaJose Miguel Esparza
 
Banking Fraud Evolution - New techniques in real fraud cases
Banking Fraud Evolution - New techniques in real fraud casesBanking Fraud Evolution - New techniques in real fraud cases
Banking Fraud Evolution - New techniques in real fraud casesJose Miguel Esparza
 
Social Engineering in Banking Trojans: attacking the weakest link
Social Engineering in Banking Trojans: attacking the weakest linkSocial Engineering in Banking Trojans: attacking the weakest link
Social Engineering in Banking Trojans: attacking the weakest linkJose Miguel Esparza
 
Sopelka VS Eurograbber - Really 36 million EUR?
Sopelka VS Eurograbber - Really 36 million EUR?Sopelka VS Eurograbber - Really 36 million EUR?
Sopelka VS Eurograbber - Really 36 million EUR?Jose Miguel Esparza
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 

Mais conteúdo relacionado

Último

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Destaque

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 

Destaque (20)

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 

PDF Attack: A Journey from the Exploit Kit to the Shellcode

  • 1. PDF ATTACK A Journey from the Exploit Kit to the Shellcode Jose Miguel Esparza @EternalTodo
  • 2. • Jose Miguel Esparza • Senior Cybercrime Analyst at Fox-IT – Malware, Botnets, C&Cs, Exploit Kits, … • Security Researcher at Home ;p – PDF, NFC, … • http://eternal-todo.com • @EternalTodo on Twitter Who am I
  • 3. Jose Miguel Esparza @EternalTodo • A Journey from the Exploit Kit to the Shellcode – Exploit Kits: the source of evil – PDF basics – Some basic peepdf commands – Analyzing PDF exploits • Extracting and analyzing shellcodes – Obfuscation of PDF files Agenda
  • 4. Jose Miguel Esparza @EternalTodo • Linux distribution – Libemu / Pylibemu – V8 / PyV8 • Last peepdf version – Checkout from the repository or update! Requirements
  • 5. Jose Miguel Esparza @peepdf • Best way to infect a computer • Effective and fresh exploits – IE – Java – PDF – Flash – … • Average of 6-7 exploits Exploit Kits: the source of evil
  • 6. Jose Miguel Esparza @EternalTodo Exploit Kits: the source of evil
  • 7. Jose Miguel Esparza @EternalTodo Exploit Kits: the source of evil Java 7u11 Java Byte Verify Java CMM Java < 7u17
  • 8. • Most used nowadays – BlackHole – Neutrino – RedKit – CoolPack – Styx – Nuclear – … Exploit Kits: the source of evil KahuSecurity
  • 9. Jose Miguel Esparza @peepdf • Infection steps – Visit injected website / Click SPAM link – Redirection (maybe more than one) – Obfuscated Javascript – Plugin detection – Trying exploits – Done! Exploit Kits: the source of evil
  • 10. Jose Miguel Esparza @peepdf • Traffic Distribution Systems (TDS) – Country specific attacks – TDS + Exploit Kits = WIN! Exploit Kits: the source of evil
  • 11. Jose Miguel Esparza @EternalTodo • Analyzing exploit kits – Avoiding researchers • Filtering by User-Agent and/or Referer • Blocking IPs • One-time infections • Country filters Exploit Kits: the source of evil
  • 12. Jose Miguel Esparza @EternalTodo • Analyzing obfuscated Javascript code – The “easy” way • Automatic tools – Online services » Wepawet » JSUNPACK – Low-interaction honeyclient » Thug • You can miss some info Exploit Kits: the source of evil
  • 13. Jose Miguel Esparza @EternalTodo • Analyzing obfuscated Javascript code – The traditional way • Executing different stages of JS code – Beautify the code – Looking for the eval function » s/eval/print/ – Hooking the eval function with Javascript engines • Looking for exploits / shellcodes • You cannot miss any detail Exploit Kits: the source of evil
  • 14. Jose Miguel Esparza @peepdf • Analyzing obfuscated Javascript code – The traditional way • Let’s play ;) Exploit Kits: the source of evil
  • 15. Jose Miguel Esparza @peepdf • PDF format? • PDF structure? • Objects? • Filters? PDF basics
  • 16. Jose Miguel Esparza @EternalTodo Header Body Cross reference table Trailer
  • 17. Jose Miguel Esparza @peepdf • Body – Sequence of objects – Object types • Boolean: true false • Numbers: 123 -98 4. -.002 123.6 • Strings: (hola) <686f6c61> – 68 (h) 6f (o) 6c (l) 61 (a) • Names: /Type /Filter • Dictionaries: << /Type /Catalog /Root 1 0 R >> • Arrays: [ 1.0 (test) <</Length 273>> ] • Streams PDF basics
  • 18. Jose Miguel Esparza @EternalTodo PDF basics
  • 19. Jose Miguel Esparza @peepdf • Object types – Indirect objects • Reference: “object_id generation_number R” PDF basics
  • 20. Jose Miguel Esparza @EternalTodo • Object types – Indirect objects • Reference: “object_id generation_number R” PDF basics
  • 21. Jose Miguel Esparza @peepdf • Tree structure  References • Root node – /Catalog • If an element isn’t in the downward path from the /Catalog DOES NOT EXIST PDF basics
  • 22. Jose Miguel Esparza @EternalTodo • You can use just a text editor!! PDF basics
  • 23. Jose Miguel Esparza @EternalTodo “peepdf sounds like the Swiss army knife of PDF security apps” peepdf http://peepdf.eternal-todo.com
  • 24. Jose Miguel Esparza @EternalTodo • Characteristics – Python – Command line – Interactive console (colorized) – Included in REMnux and BackTrack / Kali Linux peepdf http://peepdf.eternal-todo.com
  • 25. Jose Miguel Esparza @EternalTodo peepdf http://peepdf.eternal-todo.com
  • 26. Jose Miguel Esparza @EternalTodo • Characteristics – Command file option • Batch / Automation – XML output – Easily updated from repository peepdf http://peepdf.eternal-todo.com
  • 27. Jose Miguel Esparza @peepdf • Why peepdf? – Support for: • Encryption • Object Streams (compressed objects) • Most used filters • FlateDecode / LZWDecode Parameters – Javascript Analysis – Shellcode emulation peepdf
  • 28. Jose Miguel Esparza @peepdf • Why peepdf? – Shows Suspicious Elements – Shows potential Vulnerabilities – Powerful Interactive Console – Easy extraction of objects / JS code / shellcode – PDF Obfuscation – Alive project!! peepdf
  • 29. Jose Miguel Esparza @peepdf • Recent commits – s/Spidermonkey/PyV8/g peepdf
  • 30. Jose Miguel Esparza @peepdf • Recent commits – vtcheck peepdf
  • 31. Jose Miguel Esparza @peepdf • Commands – Console • help • log • open • reset • quit • exit peepdf
  • 32. Jose Miguel Esparza @peepdf • Commands – Showing information • Whole document – info – tree – offsets – hash – bytes – metadata – changelog – save_version – errors peepdf
  • 33. Jose Miguel Esparza @peepdf • Commands – Showing information • Objects – object – rawobject – stream – rawstream – references – hash peepdf
  • 34. Jose Miguel Esparza @peepdf • Commands – Extracting information • Output redirection is possible – set » set output file path_to_my_file » set output variable myVar peepdf
  • 35. Jose Miguel Esparza @peepdf • Commands – Extracting information • Shell redirection is easier ;) – Files » stream 6 > stream6_file » js_code 12 >> pdf_js_code_file – Variables » js_unescape variable myVar $> unescaped_sh » rawstream 5 $>> all_my_rawstreams_var peepdf
  • 36. Jose Miguel Esparza @peepdf • Commands – Javascript functions • js_code • js_eval • js_analyse • js_unescape • js_join peepdf
  • 37. Jose Miguel Esparza @peepdf • Commands – Shellcode emulation • sctest – pylibemu: libemu wrapper for Python peepdf
  • 38. Jose Miguel Esparza @peepdf • Commands – Modification / Creation • modify • filters • decode • encode • encode_strings • embed • encrypt • malformed_output • create • save peepdf
  • 39. Jose Miguel Esparza @peepdf • Commands – Misc • set • search • show • xor • xor_search peepdf
  • 40. Jose Miguel Esparza @EternalTodo • How to identify malicious files – Suspicious elements • /Action • /OpenAction • /AA • /AcroForm • /Names • /JavaScript • /EmbeddedFile • Known vulnerabilities Analyzing PDF exploits
  • 41. Jose Miguel Esparza @peepdf • Most used vulnerabilities – LibTiff (TIFF images) – Collab.collectEmailInfo – Collab.getIcon – Doc.media.newPlayer – … Analyzing PDF exploits
  • 42. Jose Miguel Esparza @peepdf • How to identify malicious files – Obfuscation • Strange codification in objects • Encryption • Malformed objects • Embeded PDFs • Javascript Analyzing PDF exploits
  • 43. Jose Miguel Esparza @EternalTodo • How to identify malicious files – Patterns • One page without content • Big objects • Gaps between objects (offsets) • Strange structure • Characteristic strings – Metadata – Tools Analyzing PDF exploits
  • 44. Jose Miguel Esparza @EternalTodo • How to identify malicious files – Malformed documents • Headers • Objects Tags Analyzing PDF exploits
  • 45. Jose Miguel Esparza @EternalTodo • Practicing all the theory • Not a sample exploit, a real one • Extracting the interesting parts • Extracting the shellcode • Analyzing the shellcode Analyzing real exploits
  • 46. Jose Miguel Esparza @peepdf • Playing with real exploits Analyzing real exploits
  • 47. Jose Miguel Esparza @peepdf • Some developments based on peepdf – SWF Mastah (Brandon Dixon) Using peepdf as a library
  • 48. Jose Miguel Esparza @peepdf • Remove characteristic strings • Split up Javascript code (/Names) • If the code is in: – String octal encoding (143172) – Stream filters (not usual, parameters) • Compress (object streams) • Encrypt (default password) • Malform (endobj, header) • Nest PDFs PDF obfuscation
  • 49. THANKS!! Jose Miguel Esparza jesparza AT eternal-todo.com http://eternal-todo.com @EternalTodo