新的pdf 0day 在这里 's

admin 2017年5月7日04:13:52评论367 views字数 1928阅读6分25秒阅读模式
摘要

来源:alert7下面这个是老的。
http://insecureweb.com/%20/newish-web-based-pdf-attack-in-the-wild-with-real-exploit-code/

来源:alert7

下面这个是老的。
http://insecureweb.com/%20/newish-web-based-pdf-attack-in-the-wild-with-real-exploit-code/

新的pdf 0day 在这里
http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html

Maybe you read Michael Howard’s twitter feed. If so, you may be wondering why you were asked to turn off Javascript in Adobe Acrobat Reader. Well, I’m here to tell you that if you were to load a PDF file with an embedded JBIG2 image stream:

<< /Type /XObject /Subtype /Image /Width 2550 /Height 3305 /BitsPerComponent 1 /ColorSpace /DeviceGray /Filter /JBIG2Decode/DecodeParms << /jbig2Globals 13 0 R >> /Length 10 0 R /Name /X >> stream

And the 5th byte into the stream (which is the segment header flag byte) were to have the 6th bit set indicating a large page association size:

00 00 00 01 40 00 00 33 33 33

Then the bytes shown as 00 33 33 33 above would be loaded by the following assembly in AcroRd32.dll (ecx+0x1c points to our four bytes):

5d42d889 8b411c          mov     eax,dword ptr [ecx+1Ch] 5d42d88c 85c0            test    eax,eax 5d42d88e 0f84ac020000    je      AcroRd32_5cd80000!PDFLTerm+0x235ad0 (5d42db40) 5d42d894 8b4e10          mov     ecx,dword ptr [esi+10h] 5d42d897 8d0480          lea     eax,[eax+eax*4] 5d42d89a 834481ec01      add     dword ptr [ecx+eax*4-14h],1 ds:0023:07d96648=????????
eax=00ffffff ecx=03d96660

Playing with much smaller (0x9000) or much larger would result in crashes in different areas, but in general you would control within multiples of four where you write. If you were to add to this a quick heap spray with some javascript, I don’t doubt that you could write a rather reliable exploit across multiple versions of Acrobat Reader for XP, and if one were really inclined (or bored), for linux or OS X also! Yes, it crashes on all three, in versions 8 and 9. So to all of you security pros who were looking forward to a nice quiet weekend, I can’t fix it, but hopefully this will make the fire drill a little less long and arduous. Have a good one!

Oh, by the way, I forgot to mention. If you happen to open an explorer window, or a browser window, or anything at all that even has the ICON of the pdf file, you’re owned.

Open Source Snort rules and SEU 203 will be up in a few with coverage. The clam sig is called Exploit.PDF-23

P.S. To adobe: Matt Olney would like to know why javascript is on by default. Thanks.

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2017年5月7日04:13:52
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   新的pdf 0day 在这里 'shttp://cn-sec.com/archives/46121.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息