

Interesting analysis of a malicious PDF. - steveklabnik
http://www.corelan.be:8800/index.php/2010/11/18/malicious-pdf-analysis-from-price-zip-to-flashplayer-exe/

======
andre3k1
Worth noting, Adobe launched Reader X two days ago, which they claim has a
"sandbox" design that prevents attacks such as these.

[1]
[http://www.computerworld.com/s/article/9197230/Adobe_launche...](http://www.computerworld.com/s/article/9197230/Adobe_launches_sandboxed_Reader_X)

------
peterwwillis
Google web cache for those who can't get to non-standard ports:
[https://webcache.googleusercontent.com/search?q=cache:E3WJ19...](https://webcache.googleusercontent.com/search?q=cache:E3WJ19z5840J:www.corelan.be:8800/index.php/2010/11/18/malicious-pdf-analysis-from-price-zip-to-flashplayer-exe/+malicious-pdf-analysis-from-price-zip-to-flashplayer-exe&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a)

Some more interesting tidbits on how to write exploits:
[http://x9090.blogspot.com/2010/03/tutorial-exploit-writting-...](http://x9090.blogspot.com/2010/03/tutorial-exploit-writting-tutorial-from.html)

------
djacobs
Why is this being served over port 8800?

~~~
adulau
Because you can run your HTTP server on any port you want.

~~~
djacobs
That doesn't really answer my question.

~~~
adulau
Maybe the user has an Internet provider with one of those stupid policies where
TCP port 80 is closed as inbound. And he used a TCP high port to be able to
host his/her HTTP server.

