Monday, September 13, 2010

CVE-2010-2883 poc

I received this exploit from Mila

My tests
Windows Version   Adobe Reader Version   exploitable
xp                8.1.1                  yes
vista             8.1.1                  yes
win7              8.1.1                  yes
xp                9.3.4                  yes
vista             9.3.4                  yes
win7              9.3.4                  yes


[Screenshot: Decoded JS]




Shellcode

The shellcode is very interesting: it is compatible with Windows 7, drops a DLL, and calls a function from that DLL by address.

It gets functions by name.

SearchMask is a DWORD marking where the data of the embedded DLL begins in the PDF.

At the end, after dropping hcp.dll into the %temp% directory, the shellcode calls LoadLibraryA on hcp.dll and then calls the function StartUp by its address, 17a0h.
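
For static triage of a document like this, the embedded DLL can be located without running the sample. The following is an added example, not code from the original post: it scans a file for validated PE headers and reports whether each one is a DLL. It assumes the DLL is stored unencoded in the PDF; the function names and the sample bytes are constructed for illustration.

```python
import struct

DLL_FLAG = 0x2000  # IMAGE_FILE_DLL bit in the COFF Characteristics field


def _check_pe(data, base):
    """Return True/False (is DLL) if a valid PE header starts at base, else None."""
    if base + 0x40 > len(data):          # DOS header is 64 bytes
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, base + 0x3C)
    nt = base + e_lfanew
    # Implausible e_lfanew values filter out stray "MZ" bytes in streams.
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or nt + 24 > len(data):
        return None
    if data[nt:nt + 4] != b"PE\0\0":
        return None
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, nt + 4)
    if nsect == 0 or nsect > 96 or opt_size == 0:
        return None
    return bool(chars & DLL_FLAG)


def find_embedded_pe(data):
    """Return [(offset, is_dll), ...] for every validated PE header in data."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        is_dll = _check_pe(data, pos)
        if is_dll is not None:
            hits.append((pos, is_dll))
        pos = data.find(b"MZ", pos + 1)
    return hits


def build_sample(characteristics=0x2102):
    """Constructed input: fake PDF text followed by a minimal PE header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    prefix = b"%PDF-1.6\n1 0 obj\nMZ stray text\nendobj\n"
    return prefix + dos + b"PE\0\0" + coff + b"\0" * 0xE0


if __name__ == "__main__":
    for offset, is_dll in find_embedded_pe(build_sample()):
        print(f"PE header at 0x{offset:x}, DLL={is_dll}")
```

A hit inside a PDF is a strong triage signal on its own, since legitimate documents do not carry PE images.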



to be continued ....

5 comments:

  1. An informative report. As you mentioned that this blog is to be continued. That means you wrote a follow up on this. Please also share the link here as that will help to link these together. Moreover it's a good way to break up lengthy reports. Thanks

  2. Wonderfully written post! This is indeed a brilliant way of breaking up a lengthy report. I have Windows 7 in my notebook and I would love to try shellcode as well. I hope that it would work great for me...

  3. How were you able to decode the JavaScript? I am unable to get past the point for the escape.

  4. I will make sure to bookmark it and come back to learn extra of your helpful info. Thank you for the post. I will definitely come back.
    www.friv2planet.com , www.juegosfrivas.com , www.kizidaily.com

  5. Your article is so informative and I have cleared all of my doubts.
    Your way of explanation is awesome, thank you for sharing useful information.

    regards,
    oracle fusion financials training
