Nytro Posted November 30, 2014

Extract PDF streams and decompress SWF objects

Viper is intended to be used to analyze a wide variety of file types. To achieve this, we're working on introducing and expanding modules to dissect as many file formats as possible. In this blog post we'll have a glance over two modules used to parse and manipulate PDF documents and Flash objects. You can view an example use of such modules in the following cast analyzing a CVE-2011-0611 document exploit:

As you can see, we first search for all stored PDF documents, we open the first one and retrieve some basic details. At 00:21 we launch the pdf module to retrieve some information on the structure of the document:

viper CVE-2011-0611_2.pdf > pdf id
[*] General Info:
+---------------------+------------------------+
| Desc                | Value                  |
+---------------------+------------------------+
| PDF Header          | %PDF-1.7               |
| Total Entropy       | 5.145172               |
| Entropy In Streams  | 7.266171               |
| Entropy Out Streams | 4.852048               |
| Count %% EOF        | 5                      |
| Data After EOF      | 0                      |
| /LastModified       | D:20100310101134+08'00 |
| /ModDate            | D:20100707144530+08'00 |
| /CreationDate       | D:20100712164212+08'00 |
| /CreationDate       | D:20110418152020+08'00 |
| /LastModified       | D:20110418152041+08'00 |
+---------------------+------------------------+
[*] Streams & Count:
+----------------+-------+
| Name           | Count |
+----------------+-------+
| obj            | 37    |
| endobj         | 37    |
| stream         | 24    |
| endstream      | 24    |
| xref           | 1     |
| trailer        | 1     |
| startxref      | 5     |
| /Page          | 3     |
| /Encrypt       | 0     |
| /ObjStm        | 8     |
| /JS            | 0     |
| /JavaScript    | 0     |
| /AA            | 0     |
| /OpenAction    | 1     |
| /AcroForm      | 0     |
| /JBIG2Decode   | 0     |
| /RichMedia     | 0     |
| /Launch        | 0     |
| /EmbeddedFile  | 0     |
| /XFA           | 0     |
| /Colors > 2^24 | 0     |
+----------------+-------+

Nothing particularly revealing here, but we can see at least that there are no JavaScript objects, so that would likely rule out vulnerabilities in Adobe Reader itself.
At 00:28 we retrieve the list of streams in the PDF document:

viper CVE-2011-0611_2.pdf > pdf streams
+----+----+--------+-------+------------------------------------------------------------------------------------------------------+
| #  | ID | Offset | Size  | Type                                                                                                 |
+----+----+--------+-------+------------------------------------------------------------------------------------------------------+
| 1  | 28 | 116    | 313   | data                                                                                                 |
| 2  | 1  | 10702  | 177   | ASCII text, with no line terminators                                                                 |
| 3  | 2  | 10880  | 11480 | Macromedia Flash data (compressed), version 9                                                        |
| 4  | 3  | 22361  | 3578  | UTF-8 Unicode text                                                                                   |
| 5  | 4  | 25940  | 326   | ASCII text, with very long lines, with no line terminators                                           |
| 6  | 5  | 26267  | 243   | data                                                                                                 |
| 7  | 6  | 26511  | 284   | data                                                                                                 |
| 8  | 23 | 1072   | 510   | ASCII text                                                                                           |
| 9  | 24 | 1583   | 8121  | AIX core file fulldump 32-bit, \377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\ |
| 10 | 25 | 9705   | 61    | ASCII text                                                                                           |
| 11 | 26 | 9767   | 706   | data                                                                                                 |
| 12 | 27 | 10474  | 227   | empty                                                                                                |
| 13 | 50 | 463    | 179   | data                                                                                                 |
| 14 | 2  | 403837 | 111   | ASCII text                                                                                           |
| 15 | 25 | 378733 | 305   | data                                                                                                 |
| 16 | 1  | 1492   | 177   | ASCII text, with no line terminators                                                                 |
| 17 | 2  | 1670   | 3578  | UTF-8 Unicode text                                                                                   |
| 18 | 3  | 5249   | 327   | ASCII text, with very long lines, with no line terminators                                           |
| 19 | 4  | 5577   | 241   | data                                                                                                 |
| 20 | 5  | 5819   | 281   | data                                                                                                 |
| 21 | 22 | 951    | 61    | ASCII text                                                                                           |
| 22 | 23 | 1013   | 250   | ASCII text, with no line terminators                                                                 |
| 23 | 24 | 1264   | 227   | empty                                                                                                |
| 24 | 35 | 452    | 142   | X11 SNF font data, MSB first                                                                         |
+----+----+--------+-------+------------------------------------------------------------------------------------------------------+

As you can see, there is a compressed Flash object at offset 10702, which in this case is the payload that delivers the exploit to Flash Player instead. We can then open that specific stream using the command pdf streams --open 3.
We'll then have a Viper session open on the specific stream which has been dumped and automatically opened:

viper 2368a8f55ee78d844896f05f94866b07_3_pdf_stream.bin > info
+--------+----------------------------------------------------------------------------------------------------------------------------------+
| Key    | Value                                                                                                                            |
+--------+----------------------------------------------------------------------------------------------------------------------------------+
| Name   | 2368a8f55ee78d844896f05f94866b07_3_pdf_stream.bin                                                                                |
| Tags   |                                                                                                                                  |
| Path   | /tmp/2368a8f55ee78d844896f05f94866b07_3_pdf_stream.bin                                                                           |
| Size   | 11244                                                                                                                            |
| Type   | Macromedia Flash data (compressed), version 9                                                                                    |
| Mime   | application/x-shockwave-flash                                                                                                    |
| MD5    | 7e9e040ee9bd1ab5aeb953a01fd1c689                                                                                                 |
| SHA1   | 002865adf42fda4bae04d0a29453c6c87e788989                                                                                         |
| SHA256 | a47020cc3bb129442c6cebd5793098b76f33531ed5312dadc90026f54a78804c                                                                 |
| SHA512 | a8b13ebb99fce3d8746c6c60ab40f245a685d098a3aacacbe7305ed60ab2a3c97f2cbed4138043b90a37c082857bf1c5f5adce4113b73537d864d995db2fdf7f |
| SSdeep | 192:9Kb8rzjI44nrHmffVmErxVUbW2gqd2ELLOCbpLpGA9bkLhNUPdqb9sbbFvkRg+KF:9KbC/I446fIE9VnhcDB9yUJvkq+KSYvD                            |
| CRC32  | 63A7555E                                                                                                                         |
+--------+----------------------------------------------------------------------------------------------------------------------------------+

From the info command we can see that we do in fact have a session open on a Flash object, which however is compressed. We can try to decompress and extract the clear SWF Flash object. This is shown at 00:54 of the screen cast:

viper 2368a8f55ee78d844896f05f94866b07_3_pdf_stream.bin > swf decompress --dump
[*] The opened file appears to be compressed with Zlib
[...]
[*] Flash object dumped at /tmp/7dc0a1f1e35ea71eaeafec897afa8dfe.swf
[*] Session opened on /tmp/7dc0a1f1e35ea71eaeafec897afa8dfe.swf
viper 7dc0a1f1e35ea71eaeafec897afa8dfe.swf >

Now you can save the decompressed object and further analyze it, perhaps by trying to decompile it.
This is just a very brief example of the versatility and capability of Viper through the use of two of the modules currently available. Both the PDF and the SWF modules are very primitive and they need a lot of work in order to expand them and provide additional analysis functionality.

published on 2014-08-27 10:00:00 by nex

Source: Viper Blog
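The three Viper steps shown above (pdf id, pdf streams, swf decompress) reduce to a handful of operations that are worth seeing in plain code: count structural tokens and risky names with proper word boundaries, measure entropy inside and outside streams, walk the obj/endobj blocks to locate each stream and undo /FlateDecode, sniff the decoded bytes, and inflate a CWS Flash object into its FWS form while cross-checking the length field in the SWF header. The following is an added example written for this post, not Viper's own code and not the pdfid-style module it wraps; the sample PDF and the minimal SWF body it embeds are constructed inline so the script runs offline, and the regular-expression parsing is deliberately simplistic (no object streams, no xref parsing, only /FlateDecode) since the point is the triage logic, not a full PDF parser.

```python
"""Added example (not Viper's own code): a miniature 'pdf id' / 'pdf streams' /
'swf decompress' run over a constructed in-memory PDF. Standard library only."""
import math
import re
import zlib
from collections import Counter

# Tokens counted in the summary: PDF structure plus the names that usually matter in triage.
KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref",
            b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript", b"/AA", b"/OpenAction",
            b"/AcroForm", b"/JBIG2Decode", b"/RichMedia", b"/Launch", b"/EmbeddedFile", b"/XFA"]
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 8.0 at most; compressed or encrypted payloads sit close to the ceiling."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def count_keywords(pdf: bytes) -> dict:
    """Letter boundaries keep 'obj' from matching inside 'endobj' and '/Page' inside '/Pages'."""
    return {k.decode(): len(re.findall(rb"(?<![A-Za-z])" + re.escape(k) + rb"(?![A-Za-z])", pdf))
            for k in KEYWORDS}


def sniff(data: bytes) -> str:
    """Tiny stand-in for libmagic, just enough to tell a Flash object from text."""
    if len(data) >= 4 and data[:3] in (b"CWS", b"FWS", b"ZWS"):
        kind = {b"CWS": "zlib compressed", b"FWS": "uncompressed", b"ZWS": "LZMA compressed"}[data[:3]]
        return f"Macromedia Flash data ({kind}), version {data[3]}"
    if not data:
        return "empty"
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "ASCII text"
    return "data"


def swf_decompress(swf: bytes) -> bytes:
    """CWS -> FWS. The header's uncompressed-length field is cross-checked against the zlib body."""
    if swf[:3] == b"FWS":
        return swf
    if swf[:3] != b"CWS":
        raise ValueError("not a zlib-compressed SWF (ZWS/LZMA is out of scope here)")
    body = zlib.decompress(swf[8:])            # 'CWS' + version byte + uint32 LE total length
    declared = int.from_bytes(swf[4:8], "little")
    if declared != 8 + len(body):
        raise ValueError(f"header claims {declared} bytes, inflated to {8 + len(body)}")
    return b"FWS" + swf[3:8] + body


def list_streams(pdf: bytes) -> list:
    """Walk 'N G obj ... endobj', find the stream in each, undo /FlateDecode when declared.
    The stream end is taken from 'endstream' rather than /Length, which malformed files lie about."""
    streams = []
    for obj in OBJ_RE.finditer(pdf):
        m = STREAM_RE.search(obj.group(3))
        if not m:
            continue
        raw = m.group(1)
        data = zlib.decompress(raw) if b"/FlateDecode" in obj.group(3)[:m.start()] else raw
        streams.append({"id": int(obj.group(1)), "offset": obj.start(3) + m.start(1),
                        "size": len(raw), "type": sniff(data), "data": data})
    return streams


def triage(pdf: bytes) -> dict:
    """One report: header, entropies, keyword counts, stream table, and every SWF inflated to FWS."""
    streams = list_streams(pdf)
    outside = bytearray(pdf)
    for s in sorted(streams, key=lambda s: -s["offset"]):
        del outside[s["offset"]:s["offset"] + s["size"]]
    inside = b"".join(pdf[s["offset"]:s["offset"] + s["size"]] for s in streams)
    return {"header": pdf[:8].decode("latin-1"), "total_entropy": shannon_entropy(pdf),
            "entropy_in_streams": shannon_entropy(inside),
            "entropy_out_streams": shannon_entropy(bytes(outside)),
            "keywords": count_keywords(pdf), "streams": streams,
            "swf": [swf_decompress(s["data"]) for s in streams if s["data"][:3] in (b"CWS", b"FWS")]}


# Constructed sample input (not a real document): minimal SWF body, packed as CWS, Flate-wrapped in a PDF.
SWF_BODY = bytes.fromhex("7800055f00000fa000" "000c" "0100" "0000")   # RECT, frame rate, frame count, End tag


def make_cws(body: bytes, version: int = 9) -> bytes:
    return b"CWS" + bytes([version]) + (8 + len(body)).to_bytes(4, "little") + zlib.compress(body)


def build_sample_pdf(swf: bytes) -> bytes:
    page = b"BT /F1 12 Tf 72 720 Td (hello) Tj ET"
    packed = zlib.compress(swf)
    objs = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 5 0 R >>\nendobj\n",
            b"4 0 obj\n<< /S /GoTo /D [3 0 R /Fit] >>\nendobj\n",
            b"5 0 obj\n<< /Length %d >>\nstream\n" % len(page) + page + b"\nendstream\nendobj\n",
            b"6 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed) + packed + b"\nendstream\nendobj\n"]
    return b"%PDF-1.7\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R /Size 7 >>\nstartxref\n0\n%%EOF\n"


if __name__ == "__main__":
    report = triage(build_sample_pdf(make_cws(SWF_BODY)))
    print(report["header"], "entropy=%.3f" % report["total_entropy"])
    print({k: v for k, v in report["keywords"].items() if v})
    for i, s in enumerate(report["streams"], 1):
        print(f"{i:>2} | {s['id']:>2} | {s['offset']:>6} | {s['size']:>5} | {s['type']}")
    for swf in report["swf"]:
        print("inflated SWF:", sniff(swf), "->", len(swf), "bytes")
```

Two details mirror what the Viper output above relies on. The keyword counter uses letter boundaries so that "obj" and "endobj" come out as separate counts (37 and 37 in the post, not 74 and 37), and the stream walker trusts the endstream marker instead of the /Length entry, which is the value a crafted document is most likely to misstate. The SWF length check matters for the same reason: a CWS header whose declared size disagrees with the inflated body is a cheap signal that the object was hand-edited or truncated.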