Re: [pdf-devel] LZWEncode Bug Report
From: Juan Pedro Bolívar Puente
Subject: Re: [pdf-devel] LZWEncode Bug Report
Date: Thu, 04 Aug 2011 17:01:46 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110626 Icedove/3.1.11
On 28/07/11 14:40, David Stroud wrote:
> Hey there,
>
> After chatting with jemarch in the irc channel, I was advised to submit a
> bug report of this issue I've been having.
>
> I'm trying to compress JavaScript inside PDFs for use in avoiding AVs in
> client side attacks. To begin with I was just encoding this single line in
> pdf-filter:
>
> app.alert({cMsg: 'Hello there', cTitle: 'Testing PDF JavaScript', nIcon:
> 3});
>
> and it worked fine with lzw encoding, rle, ahex and flate (singularly or
> stacked together).
>
> After that, I moved on to the actual exploit itself, which is the
> collectemailinfo heap spray. Here is the code with a payload that spawns
> calculator:
>
> [...]
>
I cannot reproduce your bug. I copied the payload that you placed here
into test-lzw, then:
$ ./pdf-filter --lzwenc < test-lzw > test-lzw.enc
$ ./pdf-filter --lzwdec < test-lzw.enc > test-lzw.dec
$ diff test-lzw test-lzw.dec
Can you provide further information? How exactly does the filter not
work, what steps are you taking to encode and decode?
Thanks,
JP
PS: I do not believe the trailing 0 is the source of the problem, and
indeed that 0 must be harmless -- apart from wasting 1 byte.
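To make the encode / decode / diff check above something a reader can repeat without the pdf-filter binary, here is an added, self-contained Python implementation of the bit packing and table rules of the PDF LZWDecode filter. It is example code written for this page, not the GNU PDF project's pdf-filter or libgnupdf filter code, and the names lzw_codes, lzw_encode, lzw_decode and roundtrip are its own. It also shows why a stray 0 byte after the EOD code can only waste a byte: the decoder returns at EOD and never reads past it. The JavaScript line is the one from the original report; the 20000-byte pseudo-random sample is constructed here to push the code width up to 12 bits and force a ClearTable reset. The points at which the code width grows follow the EarlyChange=1 convention (widen one code early) as I understand it and are flagged as an assumption in the code; what the block guarantees is that its encoder and decoder agree with each other and that it reproduces the "-----A---B" example from ISO 32000-1 section 7.4.4.2, whose encoding is 80 0B 60 50 22 0C 0C 85 01.

```python
"""PDF-style LZW (the LZWDecode filter): 9..12-bit codes packed MSB first,
ClearTable (256) sent first, EOD (257) sent last.  Added example, not GNU PDF's
pdf-filter code; the EarlyChange switch points below are an assumption."""
import random

CLEAR, EOD, FIRST_FREE, TABLE_LIMIT, MAX_BITS = 256, 257, 258, 4096, 12


def _code_width(table_size, early_change):
    """Width of the next code once the DECODER's table holds table_size entries."""
    width = 9
    while width < MAX_BITS and table_size + early_change >= (1 << width):
        width += 1
    return width


def _pack(codes):
    """Pack (code, width) pairs high-order bit first; zero-pad the last byte."""
    acc, nbits, out = 0, 0, bytearray()
    for code, width in codes:
        acc, nbits = (acc << width) | code, nbits + width
        while nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    if nbits:
        out.append((acc << (8 - nbits)) & 0xFF)
    return bytes(out)


def _read_bits(data, pos, width):            # code at bit offset pos, None past the end
    if pos + width > 8 * len(data):
        return None
    val = 0
    for p in range(pos, pos + width):
        val = (val << 1) | ((data[p >> 3] >> (7 - (p & 7))) & 1)
    return val


def lzw_codes(data, early_change=1):
    """Encode to a list of (code, width) pairs, starting with ClearTable."""
    table = {bytes([i]): i for i in range(256)}
    codes, cur, next_code, width = [(CLEAR, 9)], b"", FIRST_FREE, 9
    for byte in data:
        cand = cur + bytes([byte])
        if cand in table:
            cur = cand
            continue
        codes.append((table[cur], width))
        table[cand] = next_code              # decoder builds this entry one code later
        next_code += 1
        if next_code >= TABLE_LIMIT:         # full: 12-bit ClearTable resets both sides
            codes.append((CLEAR, _code_width(next_code - 1, early_change)))
            table = {bytes([i]): i for i in range(256)}
            next_code, width = FIRST_FREE, 9
        else:                                # decoder's table is one entry behind ours
            width = _code_width(next_code - 1, early_change)
        cur = bytes([byte])
    if cur:
        codes.append((table[cur], width))
    # The decoder adds an entry for that last code too, so EOD is sized after it.
    codes.append((EOD, _code_width(next_code, early_change)))
    return codes


def lzw_encode(data, early_change=1):
    return _pack(lzw_codes(data, early_change))


def lzw_decode(data, early_change=1):
    table = [bytes([i]) for i in range(256)] + [b"", b""]   # 256/257 hold no string
    out, pos, prev, width = bytearray(), 0, None, 9
    while True:
        code = _read_bits(data, pos, width)
        if code is None:
            raise ValueError("LZW data ended without EOD")
        pos += width
        if code == CLEAR:
            table, prev, width = table[:FIRST_FREE], None, 9
            continue
        if code == EOD:                      # bytes after EOD (a stray 0) are never read
            return bytes(out)
        if code < len(table):
            entry = table[code]
        elif code == len(table) and prev is not None:
            entry = prev + prev[:1]          # KwKwK: the entry still being built
        else:
            raise ValueError("invalid LZW code %d" % code)
        out += entry
        if prev is not None and len(table) < TABLE_LIMIT:
            table.append(prev + entry[:1])
        prev, width = entry, _code_width(len(table), early_change)


def roundtrip(data, early_change=1):         # the encode / decode / diff check above
    return lzw_decode(lzw_encode(data, early_change), early_change) == data


# Constructed inputs: the JavaScript line from the report, plus 20000 pseudo-random
# bytes, enough to push the code width to 12 bits and force a ClearTable reset.
JS_LINE = b"app.alert({cMsg: 'Hello there', cTitle: 'Testing PDF JavaScript', nIcon: 3});"
BIG_SAMPLE = bytes(map(random.Random(2011).getrandbits, [8] * 20000))
```

roundtrip(data) is the diff step of the three commands above. When comparing this output byte for byte against pdf-filter's, keep in mind that two correct LZW encoders can legitimately differ in when they emit ClearTable and in their EarlyChange handling; the decodable test is whether each side's decoder restores the other's output, not whether the encoded bytes match.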