adobe reader 9

[wullie19 at ntlworld.com (rogue)]

Thanks for the shove in the right direction nantron
I thought that everyone was just keeping this in their personal
stash :-)

-rogue



> There's a lot of confusion on this PoC.  It's a proof of concept only
> in crashing the application, it does not give code execution.
>
> See this line?
>
> my $factor = "ABCD";
>
> That takes 41424344 and feeds it into the code shown in the VRT post.
> Follow it in a debugger to see what it's doing.
>
> My best guess to turn this into a stable, valid exploit, is that you'll
> need to:
>
> - locate a valid pointer to try to overwrite (you'll add 1 to it)
> - find a way to gain control of the heap so it'll be in a consistent,
> controllable location, then move it into position so that it's at a
> multiple of 20 off of your target pointer
> - do the math to figure out what your $factor should be
>
> Those first 2 items are the hard part.  After all of this, you should
> have control of a pointer that will dump EIP into an address range
> somewhat under you control, where you can divert code execution into
> your heap spray (or whatever your mechanism is).  There's a reason
> there aren't any public, reliable exploit PoC's out there.  This one's
> not a simple exploit.
>
> n
>
> On Tue, Mar 17, 2009 at 10:30 AM, Matt Gardenghi 
<mtgarden at gmail.com> wrote:
> > I thought that this was in metasploit already. ?Using
> > windows/fileformat/adobe_utilf (or something like that).
> >
> > rogue wrote:
> > > http://www.milw0rm.com/exploits/8099
> > >
> > >
> > >
> > > _______________________________________________
> > > http://spool.metasploit.com/mailman/listinfo/framework
> >
> > _______________________________________________
> > http://spool.metasploit.com/mailman/listinfo/framework