Skip to content

siberas/arpwn

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits

analysis

analysis

 
 

exploitation/sample_exploits

exploitation/sample_exploits

 
 

slidedecks

slidedecks

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Repository files navigation

Pwning the Reader with XFA

This git repo contains the material from my Adobe (Acrobat) Reader (10/11/DC) XFA research. The provided material consists of:

  • Idapython analysis scripts for symbol recovery
  • PDBs for Acroform.api of versions AR 10/11/DC to simplify the debugging process
  • Exploit samples to showcase the effectiveness and reliablity of the jfCache flink exploitation method
  • Slidedecks from my SyScan360 and Infiltrate 2016 presentations

The README will be updated during the next days to make the usage of the various scripts easier to understand. Stay tuned!

analysis

  • XFAnalyze_Sol941.py: Idapython script to collect most important symbolic information from Acroform.api (AR for Solaris v9.4.1) -> gives you dictionary 'XFAdb_v941.json' which is needed for script XFAnalyze_funcs.py and XFAnalyze_moScriptTable.py
  • XFAnalyze_funcs.py: Idapython script collecting jfCacheManager functions and a debugging func via reliable heuristics (tested on AR 10/11/DC) and adding them to your IDB
  • XFAnalyze_moScriptTable.py: Idapython script to parse moScriptTable structures of all the objects found via XFAnalyze_Sol941.py (most XFA* and jf* objects). Finds entrypoints for scripting methods as well as for property getters and setters and adds them to your IDB
  • pdb_dump.py: Very crude implementation for dumping the symbols which were found via XFAnalyze_funcs.py and XFAnalyze_moScriptTable.py to PDBs. Useable, but definitely alpha status ;)
  • tpl_XXX.pdb: PDB template files
  • analysis\PDBs: Acroform.api PDB files for all AR 10/11/DC versions (english versions only!)

exploitation/sample_exploits

  • sample_exploit_0write.js: Javascript code exploiting the 0-DWORD write as described @ SyScan360. The exploit needs to be run with ar_buggery_auto.py (winappdbg-based) or ar_buggery_pykd.py (pykd-based)
  • ar_buggery_auto.py: winappdbg script which triggers the vulnerable 0-DWORD write
  • ar_buggery_pykd.py: pykd script which triggers the vulnerable 0-DWORD write
  • Infiltrate_Template.pdf: Sample PDF which contains 'sample_exploit_0write.js' and executes it when the PDF is opened. Use it together with ar_buggery_auto.py
  • xfa_js_helper.pdf: PDF which facilitates the execution of JS within XFA context

slidedecks

  • Infiltrate_2016_-_Pwning_Adobe_Reader_with_XFA.pdf/pptx
  • SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pdf/pptx

About

Analysis tools and exploit sample scripts for Adobe Reader 10/11 and Acrobat Reader DC

Resources

Readme

License

MIT license
Activity

Stars

80 stars

Watchers

11 watching

Forks

30 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages