Metasploit mailing list archives
adobe reader 9
From: natron at invisibledenizen.org (natron)
Date: Tue, 17 Mar 2009 11:00:34 -0500
There's a lot of confusion on this PoC. It's a proof of concept only in crashing the application; it does not give code execution.

See this line? my $factor = "ABCD"; That takes 41424344 and feeds it into the code shown in the VRT post. Follow it in a debugger to see what it's doing.

My best guess to turn this into a stable, valid exploit is that you'll need to:

- locate a valid pointer to try to overwrite (you'll add 1 to it)
- find a way to gain control of the heap so it'll be in a consistent, controllable location, then move it into position so that it's at a multiple of 20 off of your target pointer
- do the math to figure out what your $factor should be

Those first 2 items are the hard part. After all of this, you should have control of a pointer that will dump EIP into an address range somewhat under your control, where you can divert code execution into your heap spray (or whatever your mechanism is).

There's a reason there aren't any public, reliable exploit PoCs out there. This one's not a simple exploit.

n

On Tue, Mar 17, 2009 at 10:30 AM, Matt Gardenghi <mtgarden at gmail.com> wrote:
I thought that this was in metasploit already. Using windows/fileformat/adobe_utilf (or something like that).

rogue wrote:
http://www.milw0rm.com/exploits/8099

_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework